AWS SCS-C02 Practice Test: TLS Termination and Security

Questions and Answers

What is the company's requirement for the TLS traffic to the Classic Load Balancer?

• It should use the latest IAM predefined ELBSecurityPolicy-TLS-1-2017-01 security policy
• It should use a TCP listener with a custom security policy
• It should use a certificate managed by Amazon Certification Manager
• It should use a custom security policy that allows only perfect forward secrecy cipher suites (correct)

What type of listener should be used for the Classic Load Balancer according to the requirements?

• HTTPS listener with a custom security policy that allows only perfect forward secrecy cipher suites (correct)
• TCP listener with a custom security policy that allows only perfect forward secrecy cipher suites
• HTTP listener with the latest IAM predefined ELBSecurityPolicy-TLS-1-2017-01 security policy
• HTTPS listener with a certificate managed by Amazon Certification Manager

What is the purpose of using perfect forward secrecy cipher suites in this scenario?

• To ensure secure TLS traffic even if the certificate private key is leaked (correct)
• To allow only TCP traffic through the load balancer
• To use the latest IAM predefined ELBSecurityPolicy-TLS-1-2017-01 security policy
• To manage certificates using Amazon Certification Manager

Which type of security policy should be used for the listener on the Classic Load Balancer?

A security policy allowing only perfect forward secrecy cipher suites (D)

What is the purpose of a Classic Load Balancer's HTTPS listener in this scenario?

To terminate TLS connections using a custom security policy (D)

Why should the company use a custom security policy for the HTTPS listener on the Classic Load Balancer?

To ensure secure TLS traffic even if the certificate private key is leaked (B)

What is the purpose of a custom security policy for the HTTPS listener on the Classic Load Balancer?

To ensure that only perfect forward secrecy cipher suites are supported (D)

What does an HTTPS listener using a custom security policy do for a Classic Load Balancer?

Checks for unrestricted public write access in Amazon S3 buckets (D)

What should a Security Engineer do to ensure that newly acquired IAM accounts follow the corporation's security best practices?

Set up IAM Systems Manager to monitor S3 bucket policies for public write access (D)

What is the purpose of using Amazon Macie in the company's AWS account?

To continuously check the configuration of all S3 buckets (D)

What does AWS Firewall Manager primarily help with in the company's AWS account?

Managing security policies and automating enforcement across AWS accounts (B)

What is the main function of Amazon Inspector in the company's AWS account?

Reviewing resources and invoking CloudWatch alarms for vulnerable resources (D)

How does an HTTPS listener using a custom security policy help ensure secure traffic to a Classic Load Balancer?

By supporting only perfect forward secrecy cipher suites (A)

What does Amazon Shield Advanced primarily provide protection against in the company's AWS account?

Active DDoS events targeting the AWS account (B)

How can an IAM role within an Amazon EC2 instance contribute to monitoring S3 buckets?

By checking the status of all S3 buckets through a cron job (B)