SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: Jan 07, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 1:

    A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company's security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext.

    Which solutions could a security engineer use to meet these requirements? (Select TWO.)

    A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
    B. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure an SSL listener and TCP passthrough to receive client connections. Terminate HTTPS traffic from the NLB on the EC2 instances.
    C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances.
    D. Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections. Terminate SSL on the existing ALB.
    E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances.

  • Question 2:

    A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?

    A. Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
    B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
    C. Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
    D. Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

  • Question 3:

    To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region. What policy should the Engineer implement?

    A. (IAM policy document shown only as an image; the policy text is not available on this page)
    B. (IAM policy document shown only as an image; the policy text is not available on this page)
    C. (IAM policy document shown only as an image; the policy text is not available on this page)

  • Question 4:

    An audit reveals that a company has multiple applications that are susceptible to SQL injection attacks.

    The company wants a formal penetration testing program as soon as possible to identify future risks in applications that are deployed on AWS.

    The company's legal department is concerned that such testing might create AWS abuse notifications and violate the AWS Acceptable Use policy.

    The company must ensure compliance in these areas.

    Which testing procedures are allowed on AWS as part of a penetration testing strategy? (Select TWO.)

    A. Port scanning inside the company's VPC
    B. Brute force test of the Amazon S3 bucket namespace
    C. Use of a SQL injection tool on the company's web application against an Amazon RDS for PostgreSQL DB instance
    D. Packet flooding of the company's web application
    E. DNS zone walking through Amazon Route 53 hosted zones

  • Question 5:

    A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company's member accounts in AWS Organizations within the ap-east-1 Region.

    The company's organization includes a management account, a security account, and many member accounts.

    When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account.

    Which solution uses AWS security best practices and meets these requirements with the LEAST effort?

    A. Activate Amazon GuardDuty in ap-east-1. Designate the security account as the GuardDuty delegated administrator by using the console.
    B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
    C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console.
    D. Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations. Designate the security account as the organization administrator.

  • Question 6:

    A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account.

    The company's developers have been using an IAM role in the account for the last 3 months.

    A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

    Which solution will meet this requirement with the LEAST effort?

    A. Implement AWS IAM Access Analyzer policy generation on the role.
    B. Implement AWS IAM Access Analyzer policy validation on the role.
    C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
    D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

  • Question 7:

    A company has an application that is accessed through an Application Load Balancer (ALB).

    The application has run for more than 6 months in production and uses Amazon CloudWatch for metrics.

    A security engineer must implement a solution to detect surges in traffic.

    The solution must notify an existing Amazon Simple Notification Service (Amazon SNS) topic when these surges occur.

    Which solution will meet these requirements?

    A. Enable CloudWatch Anomaly Detection for the appropriate ALB metrics. Create alarms based on metric anomaly detection. Configure the alarms to notify the SNS topic when the alarms are in ALARM state.
    B. Implement CloudWatch Contributor Insights. Create a Contributor Insights rule that searches for values that are higher than normal for the appropriate metrics for the ALB. Configure the rule to notify the SNS topic if the values are detected.
    C. Create an AWS WAF web ACL for the ALB. Include a rate-based rule that counts the requests and compares the number to the previous highest number of requests per second. Configure the rate-based rule action to target the SNS topic when the rule is matched.
    D. Enable Amazon GuardDuty. Create an Amazon EventBridge rule that runs when GuardDuty detects a finding that the ALB has exceeded its normal traffic patterns. Configure the SNS topic as the target of the rule.

  • Question 8:

    A security engineer needs to centralize logging from VPC Flow Logs and AWS CloudTrail.

    The security engineer also needs to query the log data after an incident occurs.

    Which solution will meet these requirements?

    A. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs. Query the log data by using a metric filter.
    B. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs. Query the log data by using a subscription filter.
    C. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB. Use the DynamoDB Query API operation to query items based on their primary key values.
    D. Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket. Use Amazon Athena to query the log data.

  • Question 9:

    A security engineer needs to suppress AWS Security Hub findings automatically for resources that have a specific tag attached. Which solution will meet this requirement?

    A. Create a Security Hub automation rule. Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.
    B. Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.
    C. Send each Security Hub finding to Amazon Detective. Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value.
    D. Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

  • Question 10:

    A company uses Amazon GuardDuty.

    The company's security engineer needs to receive an email notification for every GuardDuty finding that is a High severity level.

    Which solution will meet this requirement?

    A. Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that has the SES verified identity as the target. Specify GuardDuty as the event source. Configure the EventBridge event pattern to match High severity findings.
    B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target. Specify GuardDuty as the event source. Configure the EventBridge event pattern to match High severity findings.
    C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email address to the SNS topic. Enable AWS Security Hub. Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.
    D. Enable AWS Security Hub. Integrate Security Hub with GuardDuty. Use Security Hub automation rules to create a custom rule. Configure the custom rule to detect High severity GuardDuty findings and to send a notification to the email address.
