SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 11:

    A company plans to use AWS Key Management Service (AWS KMS) to implement an encryption strategy to protect data at rest. The company requires client-side encryption for company projects. The company is currently conducting multiple projects to test the company's use of AWS KMS. These tests have led to a sudden increase in the company's AWS resource consumption. The test projects include applications that issue multiple requests each second to KMS endpoints for encryption activities.

    The company needs to develop a solution that does not throttle the company's ability to use AWS KMS. The solution must improve key usage for client-side encryption and must be cost optimized.

    Which solution will meet these requirements?

    A. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Decrypt the data by using a keyring that has the primary key in the multi-keyring.
    B. Use data key caching. Use the local cache that the AWS Encryption SDK provides with a caching cryptographic materials manager.
    C. Use KMS key rotation. Use a local cache in the AWS Encryption SDK with a caching cryptographic materials manager.
    D. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Use any of the wrapping keys in the multi-keyring to decrypt the data.

  • Question 12:

    A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener

    Which configuration steps should the security engineer take to accomplish this task?

    A. Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
    B. Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway
    C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
    D. Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

  • Question 13:

    You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?

    A. Enable IAM Guard Duty for the Instance
    B. Use IAM Trusted Advisor
    C. Use IAM inspector
    D. UseIAMMacie

  • Question 14:

    A web application gives users the ability to log in verify their membership's validity and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example com.

    What is the MOST secure way for a security engineer to implement this functionality?

    A. Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.
    B. Implement an IAM policy to give the user read access to the S3 bucket.
    C. Create an S3 presigned URL Provide the S3 presigned URL to the user through the application.
    D. Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

  • Question 15:

    While analyzing a company's security solution, a Security Engineer wants to secure the IAM account root user.

    What should the Security Engineer do to provide the highest level of security for the account?

    A. Create a new IAM user that has administrator permissions in the IAM account. Delete the password for the IAM account root user.
    B. Create a new IAM user that has administrator permissions in the IAM account. Modify the permissions for the existing IAM users.
    C. Replace the access key for the IAM account root user. Delete the password for the IAM account root user.
    D. Create a new IAM user that has administrator permissions in the IAM account. Enable multi-factor authentication for the IAM account root user.

  • Question 16:

    A company wants to have an Intrusion detection system available for their VPC in IAM. They want to have complete control over the system. Which of the following would be ideal to implement? Please select:

    A. Use IAM WAF to catch all intrusions occurring on the systems in the VPC
    B. Use a custom solution available in the IAM Marketplace
    C. Use VPC Flow logs to detect the issues and flag them accordingly.
    D. Use IAM Cloudwatch to monitor all traffic

  • Question 17:

    A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties

    Which combination of actions will meet this requirement? (Select THREE.)

    A. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)
    B. Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)
    C. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint
    D. Use the Amazon S3 Block Public Access feature.
    E. Configure the bucket policy to allow access from the application instances only
    F. Use a NACL to filter traffic to Amazon S3

  • Question 18:

    A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template.

    The security engineer must replace the parameter while maintaining the ability to reference the value in the template.

    Which solution will meet these requirements in the MOST secure way? {resolve:s3:MyBucketName:MyObjectName}}.

    A. Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to the value with {{resolve:ssm:MySSMParameterName:I}}.
    B. Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with { {resolve:secretsmanager:MySecretId:SecretString}}.
    C. Store the API key value in Amazon DynamoDB. In the template, replace all references to the value with {{resolve:dynamodb:MyTableName:MyPrimaryKey}}.
    D. Store the API key value in a new Amazon S3 bucket. In the template, replace all references to the value with {

  • Question 19:

    A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An IAM WAF web ACL is associated with the ALB. IAM CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs.

    The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user- creation.php file. The operations team needs to view log information to determine if the company is being attacked.

    Which set of actions will identify the suspect attacker's IP address for future occurrences?

    A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
    B. Configure the CloudWatch agent on the ALB Configure the agent to send application logs to CloudWatch Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch Search for the new-user-creation.php occurrences in CloudWatch.
    C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
    D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket Use Amazon Athena to query the logs and find the new-user- creation php occurrences.

  • Question 20:

    A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

    An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

    Which solution meets these requirements?

    A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
    B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
    C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
    D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.