Last Attempt SCS-C02 Questions

Page: 2 / 24

Question 8

A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:

The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.

Which change must a security engineer implement so that the developers can access Amazon SES?

Options:

Add a resource policy that allows each member of the group to access Amazon SES.

Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.

Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.

Remove Amazon SES from the root SCP.

Answer:

Explanation:

The correct answer is D. Remove Amazon SES from the root SCP.

This answer is correct because the root SCP is the most restrictive policy that applies to all accounts in the organization. The root SCP explicitly denies access to Amazon SES by using the NotAction element, which means that any action that is not listed in the element is denied. Therefore, removing Amazon SES from the root SCP will allow the developers to access it, as long as there are no other SCPs or IAM policies that deny it.

The other options are incorrect because:

A. Adding a resource policy that allows each member of the group to access Amazon SES is not a solution, because resource policies are not supported by Amazon SES1. Resource policies are policies that are attached to AWS resources, such as S3 buckets or SNS topics, to control access to those resources2. Amazon SES does not have any resources that can have resource policies attached to them.
B. Adding a resource policy that allows “Principal”: {“AWS”: “arn:aws:iam::account-number:group/Dev”} is not a solution, because resource policies do not support IAM groups as principals3. Principals are entities that can perform actions on AWS resources, such as IAM users, roles, or AWS accounts4. IAM groups are not principals, but collections of IAM users that share the same permissions5.
C. Removing the AWS Control Tower control (guardrail) that restricts access to Amazon SES is not a solution, because AWS Control Tower does not have any guardrails that restrict access to Amazon SES6. Guardrails are high-level rules that govern the overall behavior of an organization’s accounts7. AWS Control Tower provides a set of predefined guardrails that cover security, compliance, and operations domains8.

References:

1: Amazon Simple Email Service endpoints and quotas 2: Resource-based policies and IAM policies 3: Specifying a principal in a policy 4: Policy elements: Principal 5: IAM groups 6: AWS Control Tower guardrails reference 7: AWS Control Tower concepts 8: AWS Control Tower guardrails

Question 9

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group

Which solution will meet this requirement?

Options:

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Question 10

A company that uses AWS Organizations is migrating workloads to AWS. The compa-nys application team determines that the workloads will use Amazon EC2 instanc-es, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements:

• All EC2 instances must be launched from approved AWS accounts.

• All DynamoDB tables must be provisioned with a standardized naming convention.

• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.

Which combination of steps should the application team take to meet these re-quirements? (Select TWO.)

Options:

Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.

Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.

Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compli-ance requirements are met.

Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.

Activate AWS Config managed rules for each service in the application AWS account.

Question 11

A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows:

Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Select TWO.)

Options:

"Bool " : " aws : Multi FactorAuthPresent": "true" }

"B001 " : " aws : MultiFactorAuthPresent": "false" }

"NumericLessThan" : { " aws : Multi FactorAuthAge" : "7200"}

"NumericGreaterThan" : { " aws : MultiFactorAuthAge " : "7200"

"NumericLessThan" : { "MaxSessionDuration " : "7200"}

Answer:

A, C

Explanation:

The correct combination of conditions to add to the IAM policy is A and C. These conditions will ensure that IAM users must use MFA to access certain services in the AWS production account, and that each session will expire after 2 hours.

Option A: “Bool” : { “aws:MultiFactorAuthPresent” : “true” } is a valid condition that checks if the principal (the IAM user) has authenticated with MFA before making the request. This condition will enforce MFA for the IAM users to access the specified services. This condition key is supported by all AWS services that support IAM policies1.
Option B: “Bool” : { “aws:MultiFactorAuthPresent” : “false” } is the opposite of option A. This condition will allow access only if the principal has not authenticated with MFA, which is not the desired requirement. This condition key is supported by all AWS services that support IAM policies1.
Option C: “NumericLessThan” : { “aws:MultiFactorAuthAge” : “7200” } is a valid condition that checks if the time since the principal authenticated with MFA is less than 7200 seconds (2 hours). This condition will enforce the session duration limit for the IAM users. This condition key is supported by all AWS services that support IAM policies1.
Option D: “NumericGreaterThan” : { “aws:MultiFactorAuthAge” : “7200” } is the opposite of option C. This condition will allow access only if the time since the principal authenticated with MFA is more than 7200 seconds (2 hours), which is not the desired requirement. This condition key is supported by all AWS services that support IAM policies1.
Option E: “NumericLessThan” : { “MaxSessionDuration” : “7200” } is not a valid condition key. MaxSessionDuration is a property of an IAM role, not a condition key. It specifies the maximum session duration (in seconds) for the role, which can be between 3600 and 43200 seconds (1 to 12 hours). This property can be set when creating or modifying a role, but it cannot be used as a condition in a policy2.

Page: 2 / 24