AWS SCS-C02 Free Practice Questions — Page 2

Security - Specialty • 5 questions • Answers & explanations included

Question 6

A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy. The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months. Which combination of steps should a security engineer take to meet these requirements? (Choose TWO)

A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.

Correct Answers: C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.; D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.

Why C is correct: AWS Backup is the native AWS service designed for centralized backup management across multiple AWS services, including DynamoDB. It supports backup plans with retention policies (3 months requirement), automated scheduling, and lifecycle management. This is the recommended approach for enterprise backup requirements.

Why D is correct: Cron schedule expressions in AWS Backup allow precise scheduling, such as "0 0 15 * ? *" for midnight on the 15th and "0 0 25 * ? *" for midnight on the 25th of each month. Cron expressions provide the exact timing control needed to meet the specific backup schedule requirement. All DynamoDB tables can be assigned to the backup plan using resource assignment.

Why A is wrong: DynamoDB on-demand backups are manual, point-in-time backups that don't support automated scheduling. While you could create a Lambda function to trigger these, it's not a native scheduling solution. Additionally, on-demand backups don't have built-in lifecycle policies for expiration; you'd need additional automation for retention management.

Why B is wrong: AWS DataSync is designed for data transfer and migration between on-premises storage, AWS storage services, and edge locations. It's not a backup service and doesn't support DynamoDB as a source or target. DataSync is used for file system and object storage synchronization, not database backups.

Why E is wrong: Rate expressions (like "rate(15 days)") specify intervals between backups, not specific dates/times. A rate expression cannot be configured to run specifically on the 15th and 25th of each month. Rate expressions are for regular intervals like "rate(1 day)" or "rate(12 hours)", which doesn't meet the specific scheduling requirement.
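The plan from the correct answer, written out as the JSON the AWS Backup CLI accepts, with a small simulation of both schedule types. This is an added example, not code from the page or from AWS: backup_plan() and backup_selection() build the documents for `aws backup create-backup-plan --backup-plan file://plan.json` and `aws backup create-backup-selection --backup-selection file://sel.json`; the API form of the expression is `cron(0 0 15 * ? *)` (the page shows the bare field string). The schedule helpers show why two cron rules land exactly on the 15th and 25th while a rate() interval drifts off those dates. Everything not stated on the page is an assumption: "3 months" is expressed as 90 days, the vault is "Default", tables are selected by a constructed tag backup=twice-monthly, and the role ARN is a placeholder.

```python
"""AWS Backup plan for Question 6 (added example; not code from the page or AWS).

Assumptions not on the page: "3 months" is expressed as 90 days, the vault is
"Default", tables are selected by a constructed tag backup=twice-monthly, and
the role ARN is a placeholder.
"""
import json
from datetime import datetime, timedelta

RETENTION_DAYS = 90     # assumption: 3 months expressed in days
VAULT_NAME = "Default"  # assumption: the account's default vault
ROLE_ARN = "arn:aws:iam::123456789012:role/AWSBackupDefaultServiceRole"  # placeholder


def backup_plan(plan_name="dynamodb-twice-monthly"):
    """One rule per required day, each firing at 00:00 UTC.

    AWS Backup takes the six-field EventBridge cron form wrapped in cron(...):
    minutes hours day-of-month month day-of-week year. '?' leaves day-of-week
    unspecified because day-of-month is fixed.
    """
    rules = []
    for day in (15, 25):
        rules.append({
            "RuleName": f"midnight-day-{day}",
            "TargetBackupVaultName": VAULT_NAME,
            "ScheduleExpression": f"cron(0 0 {day} * ? *)",
            "Lifecycle": {"DeleteAfterDays": RETENTION_DAYS},
        })
    return {"BackupPlanName": plan_name, "Rules": rules}


def backup_selection(selection_name="tagged-dynamodb-tables"):
    """Resource assignment: every resource carrying the constructed tag."""
    return {
        "SelectionName": selection_name,
        "IamRoleArn": ROLE_ARN,
        "Resources": ["*"],
        "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                        "ConditionKey": "backup",
                        "ConditionValue": "twice-monthly"}],
    }


def cron_runs(day_of_month, start, count):
    """Next `count` midnight-UTC firings of cron(0 0 <day> * ? *) after `start`."""
    runs, year, month = [], start.year, start.month
    while len(runs) < count:
        candidate = datetime(year, month, day_of_month)
        if candidate > start:
            runs.append(candidate)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


def plan_runs(start, count):
    """Merged firing dates of both rules in the plan, earliest first."""
    return sorted(cron_runs(15, start, count) + cron_runs(25, start, count))[:count]


def rate_runs(days, start, count):
    """Firings of rate(<days> days): a fixed interval from the first run."""
    return [start + timedelta(days=days * i) for i in range(1, count + 1)]


if __name__ == "__main__":
    print(json.dumps(backup_plan(), indent=2))
    print(json.dumps(backup_selection(), indent=2))
    jan1 = datetime(2025, 1, 1)
    print("cron:", [d.strftime("%Y-%m-%d") for d in plan_runs(jan1, 4)])
    print("rate:", [d.strftime("%Y-%m-%d") for d in rate_runs(15, datetime(2025, 1, 15), 4)])
```

Running the script shows the cron rules firing on 01-15, 01-25, 02-15 and 02-25, whereas rate(15 days) started on 15 January fires on 30 January, 14 February and 1 March, which is the drift the explanation for option E describes.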

Question 7

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled. Which additional steps should the security engineer take to complete the task?

A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
B. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.
C. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.
D. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Correct Answer: B. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Why B is correct: This is the correct implementation of AWS IAM Identity Center (formerly AWS SSO) for multi-account authentication. The default directory is a built-in user directory in IAM Identity Center specifically designed for this purpose. Creating users and groups in the default directory, assigning groups to AWS accounts, and linking to permission sets (which define what actions users can perform) follows AWS best practices. The IAM Identity Center user portal provides a single sign-on experience for accessing multiple AWS accounts. This solution uses native AWS features without additional architectural components, meeting the requirement.

Why A is wrong: AD Connector requires an existing on-premises Active Directory infrastructure, which introduces "additional user-managed architectural components" that the question explicitly states should not be introduced. AD Connector is a proxy service that connects to on-premises AD, not a standalone authentication solution. This violates the requirement to use native AWS features.

Why C is wrong: IAM Identity Center groups should not be linked directly to IAM users. This approach creates confusion between IAM Identity Center principals and traditional IAM users. Permission sets in IAM Identity Center define permissions, not inheritance from existing IAM users. This mixing of IAM Identity Center and IAM users is not the correct architecture and doesn't leverage IAM Identity Center properly.

Why D is wrong: AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) is a managed AD service that requires managing domain controllers and directory infrastructure, which counts as "additional user-managed architectural components." While it's managed by AWS, it's more complex than necessary when IAM Identity Center's default directory can handle the requirements natively.

Question 8

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur. Which solution will meet these requirements?

A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.

Correct Answer: C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Why C is correct: This solution provides proper event-driven automation for GuardDuty findings. AWS Security Hub aggregates findings from GuardDuty and other services, then forwards them to EventBridge for event-driven processing. AWS Network Firewall can block traffic at the VPC level by adding rules to its firewall policy, effectively isolating the suspicious instance. Lambda processes the event, adds the blocking rule, and sends SNS notifications. This architecture follows AWS best practices for security automation and provides proper network-level blocking.

Why A is wrong: Network ACLs are stateless and operate at the subnet level, which means they would affect all instances in the subnet, not just the suspicious one. Additionally, using Kinesis Data Analytics for Apache Flink is overly complex for this use case; simple event processing doesn't require stream analytics. The question asks to block a specific suspicious instance, not an entire subnet.

Why B is wrong: AWS WAF is designed to protect web applications from Layer 7 (HTTP/HTTPS) attacks, not to block traffic to/from EC2 instances. WAF works with CloudFront, ALB, and API Gateway, not EC2 instances directly. GuardDuty detected RDP brute force attacks (Layer 4), which WAF cannot address. This is the wrong service for the requirement.

Why D is wrong: Replacing the security group on a production EC2 instance could disrupt legitimate application functionality. Security groups are often carefully configured for application requirements, and replacing them entirely is too aggressive. Additionally, using Kinesis data streams adds unnecessary complexity when EventBridge can directly process Security Hub findings.
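The Lambda side of the correct answer, as an added example that is neither the page's nor an AWS sample: it parses the EventBridge event Security Hub emits for an imported GuardDuty finding, pulls out the affected EC2 instance and its private IPv4 address, and builds the Network Firewall 5-tuple stateful rule that drops traffic in both directions for that address. Parsing and rule building are pure functions so they run offline; only apply_rules() touches boto3, doing the read-modify-write that UpdateRuleGroup requires (DescribeRuleGroup returns the UpdateToken that the update must echo back). Assumptions: the rule group is a stateful 5-tuple group already referenced by the firewall policy, and GuardDuty's ASFF Types string contains the text "RDPBruteForce". The sample event, IP address, instance ID, account ID and ARN are constructed placeholders.

```python
"""Event-driven isolation for Question 8 (added example; not from the page or AWS).

Assumptions: stateful 5-tuple rule group already attached to the firewall
policy; GuardDuty's ASFF "Types" entry contains "RDPBruteForce". All
identifiers below are constructed placeholders.
"""
import json

# Constructed sample of a "Security Hub Findings - Imported" event (ASFF inside detail).
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "detail": {"findings": [{
        "ProductName": "GuardDuty",
        "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce"],
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
            "Details": {"AwsEc2Instance": {"IpV4Addresses": ["10.0.1.23"]}},
        }],
    }]},
}

# Placeholder ARN of the stateful rule group referenced by the firewall policy.
RULE_GROUP_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/isolation"


def is_rdp_brute_force(finding):
    """Assumption: the GuardDuty finding-type name survives inside ASFF Types."""
    return finding.get("ProductName") == "GuardDuty" and any(
        "RDPBruteForce" in t for t in finding.get("Types", []))


def extract_instance(finding):
    """Return (instance_id, private_ipv4) for the first EC2 resource, or None."""
    for res in finding.get("Resources", []):
        if res.get("Type") != "AwsEc2Instance":
            continue
        ips = res.get("Details", {}).get("AwsEc2Instance", {}).get("IpV4Addresses", [])
        if ips:
            return res["Id"].rsplit("/", 1)[-1], ips[0]
    return None


def next_sid(stateful_rules):
    """Rule IDs (sid) must be unique within a stateful rule group."""
    sids = [int(opt["Settings"][0]) for rule in stateful_rules
            for opt in rule.get("RuleOptions", []) if opt.get("Keyword") == "sid"]
    return max(sids, default=1000000) + 1


def drop_rule(ip, sid):
    """5-tuple stateful rule; Direction ANY matches packets to and from ip."""
    return {
        "Action": "DROP",
        "Header": {"Protocol": "IP", "Source": f"{ip}/32", "SourcePort": "ANY",
                   "Direction": "ANY", "Destination": "ANY", "DestinationPort": "ANY"},
        "RuleOptions": [{"Keyword": "sid", "Settings": [str(sid)]}],
    }


def plan_rules(event, existing_rules=()):
    """Pure part of the handler: which DROP rules this event calls for."""
    rules, added = list(existing_rules), []
    for finding in event.get("detail", {}).get("findings", []):
        if not is_rdp_brute_force(finding):
            continue
        hit = extract_instance(finding)
        if hit is None:
            continue  # finding without an EC2 resource: nothing to isolate
        instance_id, ip = hit
        rule = drop_rule(ip, next_sid(rules))
        rules.append(rule)
        added.append({"instance": instance_id, "ip": ip, "rule": rule})
    return added


def apply_rules(event, rule_group_arn=RULE_GROUP_ARN):
    """Read-modify-write the rule group; UpdateToken guards against lost updates."""
    import boto3  # imported here so the pure functions above run without boto3
    nfw = boto3.client("network-firewall")
    current = nfw.describe_rule_group(RuleGroupArn=rule_group_arn)
    group = current["RuleGroup"]
    existing = group["RulesSource"].setdefault("StatefulRules", [])
    added = plan_rules(event, existing)
    if added:
        existing.extend(item["rule"] for item in added)
        nfw.update_rule_group(RuleGroupArn=rule_group_arn,
                              UpdateToken=current["UpdateToken"], RuleGroup=group)
    return added


def lambda_handler(event, context):
    return {"isolated": apply_rules(event)}


if __name__ == "__main__":
    print(json.dumps(plan_rules(SAMPLE_EVENT), indent=2))
```

Because the rule is keyed on the instance's private address rather than its subnet, only the suspicious instance loses connectivity, which is the distinction the explanation draws against the network ACL approach in option A.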

Question 9

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application. Which solution will meet these requirements MOST quickly?

A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Correct Answer: B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

Why B is correct: This is the fastest and most appropriate approach for investigation. Using read-only credentials ensures the investigation doesn't affect the application or alter evidence. Amazon Detective is specifically designed for security investigation; it automatically collects and analyzes GuardDuty findings along with VPC Flow Logs, CloudTrail logs, and other data sources to provide visual analytics and context about API calls and user behavior. Detective's built-in analysis graphs show relationships and patterns, making it much faster to investigate the anomalous behavior than manually reviewing logs.

Why A is wrong: Adding a DenyAll policy immediately blocks the IAM principal, which affects the application before investigation is complete. The question explicitly requires collecting and analyzing information "without affecting the application." Taking immediate action without investigation could cause unnecessary downtime if the finding is a false positive or needs context before remediation.

Why C is wrong: Using administrator credentials violates the principle of least privilege for investigation. Administrator access is unnecessary for read-only investigation and increases risk. Additionally, like option A, immediately applying a DenyAll policy affects the application before investigation is complete, violating the requirement to not affect the application during investigation.

Why D is wrong: While CloudTrail Insights can identify unusual API activity, and CloudTrail Lake allows SQL queries on CloudTrail data, this approach is slower and requires manual query construction compared to Amazon Detective. Detective is purpose-built for security investigations with pre-built visualizations and automatic correlation of findings, making it significantly faster for the "MOST quickly" requirement.

Question 10

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B. After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket. Which solution will resolve this issue?

A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Correct Answer: C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

Why C is correct: Cross-account S3 access requires both IAM permissions (identity-based policy) in the source account AND a bucket policy (resource-based policy) in the destination account. Even though Account A's user has IAM permissions to access the S3 bucket in Account B, the bucket in Account B must explicitly allow access through a bucket policy that specifies the user's ARN as a principal. This is how AWS implements the "dual authorization" requirement for cross-account access: both sides must grant permission.

Why A is wrong: Bucket ACLs are a legacy access control mechanism that AWS recommends against using. ACLs operate at the bucket level but have limited granularity and don't support the same condition keys and features as bucket policies. More importantly, ACLs alone cannot grant full cross-account access as effectively as bucket policies; bucket policies are the modern, recommended approach for this scenario.

Why B is wrong: Object ACLs would need to be applied to every individual object in the bucket, which is operationally impractical and doesn't scale. Additionally, object ACLs don't grant access to bucket-level operations (like listing objects), only to specific objects. The question states the user needs "full access to the S3 bucket," which requires bucket-level permissions, not object-level ACLs.

Why D is wrong: There is no such thing as a "user policy" in Account B that grants access to a user from Account A. IAM policies are attached to principals (users, roles, groups) within the same account. Cross-account access requires resource-based policies (like bucket policies) that can specify principals from other accounts, not identity-based policies in the resource account.
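The two policy documents the explanation describes, plus a deliberately simplified evaluator that encodes the rule it states, as an added example that is not part of the page: identity_policy() is what Account A attaches to its user, bucket_policy() is what Account B must add with the user's ARN as principal, and is_allowed() applies the evaluation order of explicit Deny first, then "both must allow" across accounts and "either may allow" within one account. Service control policies, permission boundaries, session policies and ACLs are left out of the model. The account IDs, user name and bucket name are constructed placeholders.

```python
"""Cross-account S3 authorization for Question 10 (added example; not from the page).

Simplified model: identity policy + bucket policy only. SCPs, permission
boundaries, session policies and ACLs are ignored. Identifiers are constructed.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"  # constructed
ACCOUNT_B = "222222222222"  # constructed
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
BUCKET_ARN = "arn:aws:s3:::company-b-files"


def identity_policy():
    """Attached in Account A to the user: permission to call S3 on the bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}


def bucket_policy():
    """Attached in Account B to the bucket: names the Account A user as principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountAUser", "Effect": "Allow",
        "Principal": {"AWS": USER_ARN}, "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    return arn.split(":")[4]


def _principals(stmt):
    """None for identity-based statements (no Principal element); else the AWS list."""
    p = stmt.get("Principal")
    if p is None:
        return None
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)


def _statement_matches(stmt, principal_arn, action, resource):
    principals = _principals(stmt)
    if principals is not None:
        # A resource policy may name the caller, its account root, or "*".
        root = f"arn:aws:iam::{account_of(principal_arn)}:root"
        if not any(p in ("*", principal_arn, root) for p in principals):
            return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _decision(policy, principal_arn, action, resource):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    effects = {s["Effect"] for s in policy.get("Statement", [])
               if _statement_matches(s, principal_arn, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(principal_arn, bucket_account, resource_arn, identity, bucket, action):
    """Simplified IAM evaluation for one S3 request."""
    ident = _decision(identity, principal_arn, action, resource_arn) if identity else None
    res = _decision(bucket, principal_arn, action, resource_arn) if bucket else None
    if "Deny" in (ident, res):
        return False  # an explicit deny in either document always wins
    if account_of(principal_arn) != bucket_account:
        return ident == "Allow" and res == "Allow"  # cross-account: both must grant
    return "Allow" in (ident, res)  # same account: either policy is enough


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/report.csv"
    print(json.dumps(bucket_policy(), indent=2))
    print("identity policy only:", is_allowed(USER_ARN, ACCOUNT_B, obj, identity_policy(), None, "s3:GetObject"))
    print("with bucket policy  :", is_allowed(USER_ARN, ACCOUNT_B, obj, identity_policy(), bucket_policy(), "s3:GetObject"))
```

The first call reproduces the symptom in the question (Account A granted permissions, access still denied); the second shows that adding the bucket policy in Account B is what flips the result. Removing the identity policy instead also yields a denial, which is why neither side's grant is sufficient on its own.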
