Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 131:
A company is using an Amazon CloudFront distribution to deliver content from two origins. One origin is a dynamic application that is hosted on Amazon EC2 instances. The other origin is an Amazon S3 bucket for static assets.
A security analysis shows that HTTPS responses from the application do not comply with a security requirement to provide an X-Frame-Options HTTP header to prevent frame-related cross-site scripting attacks. A security engineer must make the full stack compliant by adding the missing HTTP header to the responses.
Which solution will meet these requirements?
A. Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.
B. Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.
C. Update the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.
D. Customize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.
A. Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.

The correct answer is A because it allows the security engineer to add the X-Frame-Options header to the HTTPS responses from the application origin without modifying the origin itself. A Lambda@Edge function is a Lambda function that runs in response to CloudFront events, such as viewer request, origin request, origin response, or viewer response. By configuring the function to run in response to the origin response event, the security engineer can modify the response headers that CloudFront receives from the origin before sending them to the viewer. The function can include code to add the X-Frame-Options header with the desired value, such as DENY or SAMEORIGIN, to prevent frame-related cross-site scripting attacks.

The other options are incorrect because they are either less efficient or less secure than option A. Option B is incorrect because configuring the Lambda@Edge function to run in response to the viewer request event is not optimal: it adds latency to the request processing and does not modify the response headers that CloudFront receives from the origin. Option C is incorrect because adding X-Frame-Options to custom headers in the origin settings does not affect the response headers that CloudFront sends to the viewer; custom headers are only used to send additional information to the origin when CloudFront forwards a request. Option D is incorrect because customizing the EC2 hosted application to add the X-Frame-Options header to the responses requires changing the origin code, which may not be feasible or desirable for the security engineer.

Reference: Lambda@Edge, Configuring X-Frame-Options Response Header on AWS CloudFront and S3, Custom Headers
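The following is an added example (not code from the practice page or from AWS) of the mechanism option A describes: a Lambda@Edge handler for the origin-response event that makes every response carry an X-Frame-Options header. It assumes a Python runtime deployed in us-east-1 (where Lambda@Edge functions must live) and the documented event shape, in which `headers` is a dict keyed by lowercase header name whose values are lists of `{"key", "value"}` entries; the sample event is constructed.

```python
"""
Added example, not code from the practice page or from AWS: a Lambda@Edge
handler for the CloudFront origin-response event that makes every response
carry an X-Frame-Options header, as option A describes.

Assumptions (mine): a Python runtime deployed in us-east-1 and associated
with the distribution's origin-response trigger; the event shape is the
documented Lambda@Edge one, where headers is a dict keyed by lowercase
header name whose values are lists of {"key": ..., "value": ...}.
"""
import copy

FRAME_OPTION = "DENY"  # use "SAMEORIGIN" if the site frames its own pages
ACCEPTABLE = {"DENY", "SAMEORIGIN"}


def add_x_frame_options(response: dict, value: str = FRAME_OPTION) -> dict:
    """Return a copy of the CloudFront response with X-Frame-Options enforced.

    A DENY or SAMEORIGIN value already sent by the origin is kept; anything
    else (missing, empty, or the obsolete ALLOW-FROM form) is replaced.
    """
    out = copy.deepcopy(response)
    headers = out.setdefault("headers", {})
    existing = headers.get("x-frame-options", [])
    current = existing[0]["value"].strip().upper() if existing else ""
    if current not in ACCEPTABLE:
        headers["x-frame-options"] = [{"key": "X-Frame-Options", "value": value}]
    return out


def handler(event: dict, context=None) -> dict:
    """Lambda@Edge entry point: runs after CloudFront receives the origin's
    response and before the response is cached or sent to the viewer."""
    response = event["Records"][0]["cf"]["response"]
    return add_x_frame_options(response)


# Constructed sample origin-response event (abbreviated to the fields used).
SAMPLE_EVENT = {
    "Records": [{
        "cf": {
            "config": {"eventType": "origin-response"},
            "response": {
                "status": "200",
                "statusDescription": "OK",
                "headers": {
                    "content-type": [{"key": "Content-Type", "value": "text/html"}]
                },
            },
        }
    }]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT)["headers"]["x-frame-options"])
```

Lambda@Edge triggers are attached per cache behaviour, so to cover the "full stack" the question asks about, associate the function with the behaviours that route to both the EC2 origin and the S3 origin; the handler makes no assumption about which origin produced the response.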
Question 132:
A company uses AWS Signer with all of the company's AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions.
Which solution will meet this requirement?
A. Revoke all versions of the signing profile assigned to the developer.
B. Examine the developer's IAM roles. Remove all permissions that grant access to Signer.
C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.
D. Use Amazon CodeGuru to profile all the code that the Lambda functions use.
A. Revoke all versions of the signing profile assigned to the developer.

The correct answer is A. According to the AWS documentation, AWS Signer is a fully managed code-signing service that helps you ensure the trust and integrity of your code. You can use Signer to sign code artifacts, such as Lambda deployment packages, with code-signing certificates that you control and manage. A signing profile is a collection of settings that Signer uses to sign your code artifacts. A signing profile includes information such as the following: the type of signature that you want to create (for example, a code-signing signature); the signing algorithm that you want Signer to use to sign your code; and the code-signing certificate and its private key that you want Signer to use to sign your code. You can create multiple versions of a signing profile, each with a different code-signing certificate. You can also revoke a version of a signing profile if you no longer want to use it for signing code artifacts.

In this case, the company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. One way to achieve this is to revoke all versions of the signing profile that was assigned to the developer. This will prevent Signer from using that signing profile to sign any new code artifacts, and also invalidate any existing signatures that were created with that signing profile. This way, the company can ensure that only trusted and authorized code can be deployed to the Lambda functions.

The other options are incorrect because:
B. Examining the developer's IAM roles and removing all permissions that grant access to Signer may not be sufficient to prevent the deployment of the developer's code. The developer may have already signed some code artifacts with a valid signing profile before leaving the company, and those signatures may still be accepted by Lambda unless the signing profile is revoked.
C. Re-encrypting all source code with a new AWS Key Management Service (AWS KMS) key may not be effective or practical. AWS KMS is a service that lets you create and manage encryption keys for your data. However, Lambda does not require encryption keys for deploying code artifacts, only valid signatures from Signer. Therefore, re-encrypting the source code may not prevent the deployment of the developer's code if it has already been signed with a valid signing profile. Moreover, re-encrypting all source code may be time-consuming and disruptive for other developers who are working on the same code base.
D. Using Amazon CodeGuru to profile all the code that the Lambda functions use may not help with preventing the deployment of the developer's code. Amazon CodeGuru is a service that provides intelligent recommendations to improve your code quality and identify an application's most expensive lines of code. However, CodeGuru does not perform any security checks or validations on your code artifacts, nor does it interact with Signer or Lambda in any way. Therefore, using CodeGuru may not prevent unauthorized or untrusted code from being deployed to the Lambda functions.
Question 133:
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?
A. Configure AWS WAF rules to implement the required rules.
B. Use the operating system built-in, host-based firewall to implement the required rules.
C. Use a NAT gateway to control ingress and egress according to the requirements.
D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
B. Use the operating system built-in, host-based firewall to implement the required rules.
Question 134:
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
A. Use Windows BitLocker for EBS volumes on Windows instances
B. Use TrueEncrypt for EBS volumes on Linux instances
C. Use AWS Systems Manager to encrypt the existing EBS volumes
D. Boot EBS volume can be encrypted during launch without using custom AMI
A. Use Windows BitLocker for EBS volumes on Windows instances
B. Use TrueEncrypt for EBS volumes on Linux instances

EBS encryption can also be enabled when the volume is created and not for existing volumes. One can use existing tools for OS-level encryption.
Option C is incorrect. AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.
Option D is incorrect. You cannot choose to encrypt a non-encrypted boot volume on instance launch. To have encrypted boot volumes during launch, your custom AMI must have its boot volume encrypted before launch.
For more information on the Security Best Practices, please visit the following URL: com/whit Security Practices
The correct answers are: Use Windows BitLocker for EBS volumes on Windows instances. Use TrueEncrypt for EBS volumes on Linux instances.
Question 135:
A company stores signed legal contracts for loans in an Amazon S3 bucket that has versioning enabled. Each contract must be stored until the loan is paid back or for 10 years if the loan is not paid back.
The company needs a solution that allows only users with special permissions to delete or modify the contracts before the 10 years pass. After 10 years, the contracts must be deleted automatically.
Which solution will meet these requirements?
A. Configure S3 Object Lock on the bucket with a retention period of 10 years. Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.
B. Configure S3 Object Lock on the bucket with a retention period of 10 years. Specify compliance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.
C. Configure S3 Object Lock on the bucket with a retention period of 10 years. Place a legal hold on the objects. Create an S3 Lifecycle policy that will remove versioning for the objects and expire objects after 10 years.
D. Configure S3 Object Lock on the bucket. Specify compliance mode as the retention mode. Place a legal hold on the objects. Create an S3 Lifecycle policy that will expire the objects after 10 years.
A. Configure S3 Object Lock on the bucket with a retention period of 10 years. Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.
Question 136:
A company has AWS accounts in an organization in AWS Organizations.
The company has enabled Amazon GuardDuty in its production, support, and test accounts.
The company runs important workloads in the production account and centrally stores logs in an Amazon S3 bucket in the support account.
A security engineer must implement a solution to elevate security findings for the production account and the S3 bucket.
The solution must automatically elevate findings of HIGH severity to CRITICAL severity.
Which solution will meet these requirements?
A. Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.
B. Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.
C. Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.
D. Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.
A. Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.
Question 137:
You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below.
A. IAM policies
B. Bucket ACLs
C. IAM users
D. Bucket policies
B. Bucket ACLs
D. Bucket policies

The AWS Security whitepaper gives the type of access control and to what level the control can be given. Options A and C are incorrect since for external access to buckets, you need to use either bucket policies or bucket ACLs. For more information on security for storage services, please refer to the below URL: https://d1.awsstatic.com/whitepapers/Security/Security Storage Services Whitepaper.pdf
The correct answers are: Bucket ACLs, Bucket policies.
Question 138:
A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
D. For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table
Question 139:
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead.
Which solution will meet these requirements?
A. Put all users into an IAM group with an access policy granting access to the bucket.
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
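As an added example (not code from the practice page or from AWS), the Python below builds the bucket policy that option D describes, scoping a `Principal: "*"` grant with the `aws:PrincipalOrgID` global condition key, and adds a small check that flags Allow statements open to any principal that lack that scope. The bucket name and organization ID are constructed placeholders; writing the policy to the bucket is not shown.

```python
"""
Added example, not part of the practice page or of any AWS sample: build the
bucket policy described in option D (access scoped with the aws:PrincipalOrgID
global condition key) and check an existing policy for statements that grant
access to any principal without that scope.

Assumptions (mine): the bucket name and organization ID below are constructed
placeholders, and writing the policy to the bucket (PutBucketPolicy) is not
shown. Condition key matching here is case-sensitive, a simplification.
"""
import json

BUCKET = "example-org-shared-bucket"  # constructed placeholder
ORG_ID = "o-exampleorgid1"            # constructed placeholder


def org_scoped_bucket_policy(bucket: str, org_id: str) -> dict:
    """Allow read access from any principal that belongs to the organization.

    Principal "*" is acceptable here because aws:PrincipalOrgID is not present
    for anonymous requests, so the StringEquals test fails and they are denied.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgPrincipalsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _org_ids(condition: dict) -> set:
    """Collect every aws:PrincipalOrgID value tested with StringEquals."""
    values = condition.get("StringEquals", {}).get("aws:PrincipalOrgID", [])
    if isinstance(values, str):
        values = [values]
    return set(values)


def unscoped_statements(policy: dict, org_id: str) -> list:
    """Return Sids of Allow statements that are open to any principal but not
    limited to exactly org_id. An empty list means every broad grant is scoped."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if _org_ids(st.get("Condition", {})) != {org_id}:
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


# Constructed policy with a public-read statement for the check to flag.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(org_scoped_bucket_policy(BUCKET, ORG_ID), indent=2))
    print("unscoped statements:", unscoped_statements(OPEN_POLICY, ORG_ID))
```

Because the organization ID is the only thing the condition depends on, new accounts joining the organization gain access without any change to the policy, which is why option D carries less operational overhead than the per-account approaches in options B and C.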
Question 140:
Your company has confidential documents stored in Amazon Simple Storage Service (Amazon S3). Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect, what change would you make to comply with this requirement?
A. Apply Multi-AZ for the underlying S3 bucket
B. Copy the data to an EBS Volume in another Region
C. Create a snapshot of the S3 bucket and copy it to another region
D. Enable Cross region replication for the S3 bucket
D. Enable Cross region replication for the S3 bucket

This is mentioned clearly as a use case for S3 cross-region replication. You might configure cross-region replication on a bucket for various reasons, including the following:
- Compliance requirements: although, by default, Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even further distances. Cross-region replication allows you to replicate data between distant AWS Regions to satisfy these compliance requirements.
Option A is invalid because Multi-AZ cannot be used for S3 buckets. Option B is invalid because copying it to an EBS volume is not a recommended practice. Option C is invalid because creating snapshots is not possible in S3.
For more information on S3 cross-region replication, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable Cross region replication for the S3 bucket.