Free Practice Questions for Amazon Web Services SCS-C02 Exam

To secure the images to limit their distribution, the company should take the following actions:

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI). This allows the company to use a special CloudFront user that can access objects in their S3 bucket, and prevent anyone else from accessing them directly.

Add a CloudFront geo restriction deny list of countries where the company lacks a license. This allows the company to use a feature that controls access to their content based on the geographic location of their viewers, and block requests from countries where they do not have a distribution license.

To allow an IAM user in one AWS account to access resources in another AWS account using IAM roles, the following steps are required:

Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role’s trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.

Attach a policy to the IAM user in the trusted account that allows the user to assume the role in the trusting account. The policy must specify the ARN of the role that was created in the trusting account.

The IAM user can then switch roles or use temporary credentials to access the resources in the trusting account.

Verified References:

https://repost.aws/knowledge-center/cross-account-access-iam

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Answer: C

The correct answer is A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

The reason is that this is the simplest and most effective way to enforce the data retention policy.According to theAWS documentation1, “To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects.There are two types of actions: Transition actionsand Expiration actions.” The documentation1also states that “Expiration actions define when objects expire. Amazon S3 deletes expired objects on your behalf.” Therefore, by configuring an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days, the security engineer can ensure that the data is removed from the S3 bucket according to the company’s policy.

The other options are incorrect because:

B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only when a new object is put into the S3 bucket. If there are no new objects for a long period of time, the Lambda function will not run and the data will not be deleted.

C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only once a month. If the data is older than 45 days but less than a month, it will not be deleted until the next month.

D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class. This option is not sufficient to enforce the data retention policy, because it does not delete the data from the S3 bucket. It only moves the data to a less expensive storage class based on access patterns.According to the AWS documentation2, “S3 Intelligent-Tiering optimizes storage costs by automatically moving data between two access tiers, frequent access and infrequent access, when access patterns change.” However, this feature does not expire or delete the data after a certain period of time.

The correct answer is B because it preserves the forensic evidence from the instance in the correct order. The first step is to take a memory snapshot of the instance and store it in an S3 bucket, as memory data is volatile and can be lost when the instance is stopped. The second step is to stop the instance, which will prevent any further changes to the EBS volume. The third step is to take an EBS volume snapshot of the instance and store it in an S3 bucket, which will capture the disk state of the instance. The last two steps are to detach the instance from the Auto Scaling group and deregister it from the ALB, which will isolate the instance from the rest of the application.

The other options are incorrect because they do not preserve the forensic evidence in the correct order. Option A takes the EBS volume snapshot before the memory snapshot, which can result in inconsistent data. Option C detaches and deregisters the instance before taking any snapshots, which can affect the availability of the application. Option D stops the instance before taking the memory snapshot, which can cause the loss of memory data.

because these are the steps that can ensure that the service-linked role can launch instances with encrypted volumes. A service-linked role is a type of IAM role that is linked to an AWS service and allows the service to perform actions on your behalf. A KMS grant is a mechanism that allows you to delegate permissions to use a customer master key (CMK) to a principal such as a service-linked role.A KMS grant specifies the actions that the principal can perform, such as encrypting and decrypting data. By creating a KMS grant for the service-linked role with the specified actions, you can allow the service-linked role to use the CMK in Account-2 to launch instances with encrypted volumes. By attaching an IAM policy to the role attached to the EC2 instances with KMS actions and then allowing Account-1 in the KMS key policy, you can also enable cross-account access to the CMK and allow the EC2 instances to use the encrypted volumes. The other options are either incorrect or unnecessary for meeting the requirement.

you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilitiesand exposures on your EC2 instances5. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security Hub6. Security Hub is a service that provides you with a comprehensive view of your securitystate in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.