Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 191:
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage. B. Implement a rate-based rule with AWS WAF. C. Use AWS Shield to limit the originating traffic hit rate. D. Implement the GeoLocation feature in Amazon Route 53.
B. Implement a rate-based rule with AWS WAF. A rate-based rule counts requests per source IP over a trailing window (60 to 600 seconds, 300 by default) and applies its action only while that IP's count exceeds the configured limit; once the rate drops below the limit the address is served again, so the client is throttled rather than blocked outright, and every other client is unaffected. AWS WAF is tightly integrated with Amazon CloudFront, the Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync, so the web ACL can be associated directly with the ALB whose access logs exposed the traffic. Option A would serve a static page to every request from that client rather than limit how many requests it can make. Option C is invalid because AWS Shield provides DDoS protection and has no per-IP rate limit to configure. Option D is invalid because Route 53 geolocation routing chooses a DNS answer by the resolver's location and never counts requests.
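The following Python is an added example, not part of the question or of AWS documentation. It replays the per-IP, trailing-window count that a WAFv2 rate-based rule applies over ALB access-log lines (the same logs the engineer in the question analysed) to find which client would trip a given limit, and then emits the rule document that would throttle it. The log lines are constructed; the load balancer name, target group and IP addresses are placeholders.

```python
"""Which client IPs would trip an AWS WAF rate-based rule?

Added example: replays the trailing-window, per-IP request count that a WAFv2
rate-based rule applies over ALB access-log lines, then emits the rule that
would throttle the offender. The log lines below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_alb_line(ts, client_ip):
    """One ALB access-log line in the real field order (constructed sample).
    This script only reads field 2 (timestamp) and field 4 (client:port)."""
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return (f"https {stamp} app/my-alb/50dc6c495c0c9188 {client_ip}:43210 "
            f"10.0.1.7:80 0.000 0.001 0.000 200 200 34 366 "
            f'"GET https://example.com:443/ HTTP/1.1" "curl/8.0" '
            f"ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "
            f"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/0123456789abcdef")


T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = (
    # one client sends 150 requests one second apart (all inside one 5-minute window)
    [make_alb_line(T0 + timedelta(seconds=i), "203.0.113.5") for i in range(150)]
    # a second client sends 20 requests spread over 10 minutes
    + [make_alb_line(T0 + timedelta(seconds=30 * i), "198.51.100.20") for i in range(20)]
)


def parse_alb_line(line):
    """Return (timestamp, client_ip). The port follows the last colon, so
    rsplit also copes with IPv6 clients."""
    fields = line.split()
    ts = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, fields[3].rsplit(":", 1)[0]


def max_requests_in_window(times, window):
    """Largest number of requests inside any trailing window of length
    `window` (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def offending_ips(lines, limit, window_seconds=300):
    """IPs whose peak count over `window_seconds` exceeds `limit`, which is
    the condition under which a rate-based rule starts acting on that IP."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip = parse_alb_line(line)
        per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    peaks = {ip: max_requests_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n > limit}


def rate_based_rule(limit, window_seconds=300, name="LimitRequestsPerIP"):
    """WAFv2 rule document (the shape `aws wafv2 update-web-acl --rules`
    takes): blocks each source IP only while its count over the window
    exceeds `limit`; other clients are unaffected. WAF requires limit >= 10
    and a window of 60, 120, 300 or 600 seconds."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RateBasedStatement": {
            "Limit": limit,
            "EvaluationWindowSec": window_seconds,
            "AggregateKeyType": "IP",
        }},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    import json
    print(offending_ips(SAMPLE_LOG, limit=100))          # {'203.0.113.5': 150}
    print(json.dumps(rate_based_rule(100), indent=2))
```

Run the log analysis first with the limit you intend to configure: a limit that also catches the second client would be too tight for normal traffic. The rule is emitted with a Block action; start it with `{"Count": {}}` instead if you want to observe which IPs it would throttle before enforcing it.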
Question 192:
Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?
A. Put the metadata as metadata for each object in the S3 bucket and then enable S3 server-side encryption. B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 server-side encryption with KMS. C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time. D. Put the metadata in the S3 bucket itself.
C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time. Options A, B and D are invalid because the metadata would not be encrypted in any of them, and that is the key requirement of the question. S3 server-side encryption (SSE-S3 or SSE-KMS) protects only the object data: user-defined object metadata (the x-amz-meta-* headers) is stored and returned in cleartext, for example in HEAD and GET responses, so it must never carry anything sensitive. A DynamoDB table is encrypted at rest, and at creation time you choose the key type (an AWS owned key, the AWS managed key aws/dynamodb, or a customer managed KMS key); a customer managed key gives the audit trail and revocation control that a "critical data" requirement usually implies. Two related points from the S3 documentation: all GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL/TLS or by using SigV4, and SSE-KMS encrypts only the object data, not the object metadata. For more information on using KMS encryption for S3, see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
Question 193:
A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead.
What should a security engineer recommend to meet these requirements?
A. Create an AWS Config rule defining the patch as a required configuration for EC2 instances. B. Use the AWS Systems Manager Run Command to patch affected instances. C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances. D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.
C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances. Patch Manager is the Systems Manager capability built for this: a patch baseline states which patches are approved (by classification, severity and an auto-approval delay after release), and a maintenance window or patch policy scans and installs against that baseline on a schedule across the whole fleet, with compliance reported back and no per-instance work. Run Command (option B) executes the same AWS-RunPatchBaseline document, but only when someone invokes it, so an operator would have to trigger every patch cycle, which is exactly the administrative overhead the question wants removed. Session Manager (option D) means logging in to each instance by hand. AWS Config (option A) only reports whether instances are compliant; it does not install anything. One caveat a practitioner should check: the predefined baselines auto-approve critical patches some days after release (seven days in the AWS predefined baselines), so to stay inside a 24-hour requirement the approval delay must be set to zero, either in a custom baseline cloned from the predefined one or in a patch policy, and the patch schedule must run at least daily.
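As an added example (not code from the question or from AWS), the Python below models the ApprovalRules block of a Systems Manager patch baseline in the same shape that `aws ssm create-patch-baseline --cli-input-json` accepts, and applies it to a constructed patch feed. It shows why the approval delay of a baseline has to be checked against a 24-hour requirement before a scheduled patch run is trusted: a baseline that approves after seven days never installs a critical patch on day one, whatever the schedule. The patch ids, dates and baseline names are placeholders.

```python
"""Does a patch baseline approve critical patches fast enough?

Added example: models the ApprovalRules of a Systems Manager patch baseline
and applies it to a constructed patch feed to check the approval delay
against a patching SLA. Patch ids, dates and names are placeholders.
"""
from datetime import date, timedelta

# Constructed patch feed: (patch id, classification, severity, release date)
PATCH_FEED = [
    ("kernel-5.10.1", "Security", "Critical", date(2024, 3, 1)),
    ("openssl-3.0.9", "Security", "Important", date(2024, 3, 1)),
    ("vim-9.1", "Bugfix", "Low", date(2024, 2, 20)),
]


def patch_baseline(name, approve_after_days):
    """Baseline document approving Security patches of Critical/Important
    severity `approve_after_days` days after release. With 7 this mirrors
    the rule of the predefined AWS-AmazonLinux2DefaultPatchBaseline; a custom
    baseline can use 0 so a patch is approved the day it is released."""
    return {
        "Name": name,
        "OperatingSystem": "AMAZON_LINUX_2",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": approve_after_days,
            "ComplianceLevel": "CRITICAL",
        }]},
    }


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def _filters(rule):
    return {f["Key"]: set(f["Values"]) for f in rule["PatchFilterGroup"]["PatchFilters"]}


def approved_patches(baseline, feed, today):
    """Patch ids the baseline would approve on `today`: every filter of a
    rule must match and release date + ApproveAfterDays must have passed."""
    today = _as_date(today)
    approved = []
    for patch_id, classification, severity, released in feed:
        for rule in baseline["ApprovalRules"]["PatchRules"]:
            f = _filters(rule)
            matches = (classification in f.get("CLASSIFICATION", {classification})
                       and severity in f.get("SEVERITY", {severity}))
            if matches and today >= released + timedelta(days=rule["ApproveAfterDays"]):
                approved.append(patch_id)
                break
    return approved


def worst_case_delay_hours(baseline, severity="Critical"):
    """Longest approval delay among the rules that cover `severity`;
    None if no rule covers it (then nothing of that severity is ever approved)."""
    delays = [rule["ApproveAfterDays"] * 24
              for rule in baseline["ApprovalRules"]["PatchRules"]
              if severity in _filters(rule).get("SEVERITY", {severity})]
    return max(delays) if delays else None


def meets_sla(baseline, sla_hours=24, severity="Critical"):
    """True when the baseline can approve `severity` patches inside the SLA.
    The install schedule must still run at least that often."""
    delay = worst_case_delay_hours(baseline, severity)
    return delay is not None and delay <= sla_hours


if __name__ == "__main__":
    default_like = patch_baseline("default-like", approve_after_days=7)
    same_day = patch_baseline("critical-same-day", approve_after_days=0)
    print(approved_patches(default_like, PATCH_FEED, "2024-03-02"))  # []
    print(approved_patches(same_day, PATCH_FEED, "2024-03-02"))      # ['kernel-5.10.1', 'openssl-3.0.9']
    print(meets_sla(default_like), meets_sla(same_day))             # False True
```

The baseline dict can be written to a file and passed as `--cli-input-json` to create the custom baseline; the approval check is what to run against it first.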
Question 194:
You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.
A. Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user. B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. C. Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront. D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example control over the date and time after which a user can no longer access your content and control over which IP addresses can be used to access content. In addition, if users access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront access logs are less useful because they are incomplete. Option A is invalid because CloudFront cannot sign origin requests as an IAM user; the identity CloudFront presents to S3 is its OAI (or, in the current design, the CloudFront service principal). Options C and D are invalid because a bucket policy can only grant access to a principal that exists: "CloudFront" and a distribution ID are not principals, so neither policy can be written. In practice the bucket policy also needs S3 Block Public Access left on and no public ACLs, or the direct-URL path stays open regardless of the OAI grant. Note that OAI is now the legacy mechanism: AWS recommends origin access control (OAC), which grants the cloudfront.amazonaws.com service principal in the bucket policy with an AWS:SourceArn condition naming the distribution, supports SSE-KMS origins and all S3 Regions, and is what a new deployment should use. For more information on restricting access to S3 origins, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
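The Python below is an added example, not from the question or from AWS documentation. It builds the bucket policy for the current origin access control (OAC) pattern, which grants the CloudFront service principal scoped to one distribution by AWS:SourceArn, builds the legacy OAI policy from the question for comparison, and runs both through a deliberately small subset of IAM policy evaluation (Allow statements only, exact StringEquals conditions, glob resources) to show that a direct S3 request, a different distribution, and an IAM user as in option A all get nothing. Bucket name, account id, distribution id and OAI id are placeholders.

```python
"""Bucket policy that lets one CloudFront distribution read a private bucket,
plus a check that direct S3 requests and wrong principals get nothing.

Added example, not AWS code. Bucket, account, distribution and OAI ids are
placeholders. The evaluator is a small subset of IAM evaluation: default
deny, Allow statements only, StringEquals conditions, glob resources.
"""
from fnmatch import fnmatchcase


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Current (OAC) form: the CloudFront service principal, restricted to a
    single distribution through its ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def oai_bucket_policy(bucket, oai_id):
    """Legacy (OAI) form: the OAI is a CloudFront-owned principal, so no
    condition is needed, but it cannot be tied to one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOriginAccessIdentityReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt_principal, caller):
    """`caller` is None for an anonymous (unsigned) request, otherwise a
    dict shaped like the policy's own Principal element."""
    if stmt_principal == "*":
        return True
    if caller is None:
        return False
    return any(v in _as_list(stmt_principal.get(k, [])) for k, v in caller.items())


def is_allowed(policy, caller, action, resource, context=None):
    """Default deny; an Allow statement must match principal, action,
    resource and every StringEquals condition key in the request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _principal_matches(stmt["Principal"], caller):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = oac_bucket_policy("confidential-docs", "123456789012", "E1ABCDEF2GHIJ")
    cloudfront = {"Service": "cloudfront.amazonaws.com"}
    obj = "arn:aws:s3:::confidential-docs/handbook.pdf"
    ours = {"AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E1ABCDEF2GHIJ"}
    print(is_allowed(policy, cloudfront, "s3:GetObject", obj, ours))  # True
    print(is_allowed(policy, None, "s3:GetObject", obj))              # False: direct S3 URL
    print(is_allowed(policy, cloudfront, "s3:GetObject", obj,
                     {"AWS:SourceArn": "arn:aws:cloudfront::999999999999:distribution/EOTHER"}))  # False
```

The policy only helps if S3 Block Public Access stays enabled and no object ACL grants public read; the evaluator above has no notion of ACLs, which is the point: the bucket policy is one of two controls, not the whole answer.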
Question 195:
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)
A. The route tables and the outbound rules on the appropriate private subnet security group B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances E. The Security Group applied to the Application Load Balancer and NAT gateway F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet
A. The route tables and the outbound rules on the appropriate private subnet security group. B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet. D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances. An outbound connection from a private-subnet instance passes, in order, the instance's host firewall, its security group's outbound rules, the private subnet route table (0.0.0.0/0 must target the NAT gateway), the private subnet's outbound network ACL, and then the public subnet's inbound network ACL before it reaches the NAT gateway; because network ACLs are stateless, the reply must also be allowed back on ephemeral ports by both subnets' ACLs. Options A, B and D cover those hops. Option C is not the expected answer because it speaks of generic "rules" on the public subnet rather than its network ACL rules, although the public subnet's outbound network ACL does also have to let the NAT gateway's traffic out and the replies back in on ephemeral ports. Option E is invalid because a NAT gateway has no security group (and the ALB carries inbound client traffic, not the instances' outbound connections). Option F describes a misconfiguration: a private subnet's default route must point to the NAT gateway, not the internet gateway, since the instances have no public IP address for the internet gateway to use.
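The following Python is an added example (not from the question or from AWS) that walks the hops an outbound connection from a private-subnet instance takes and names the controls that would drop it. The VPC layout is constructed to match the question: a public subnet with the ALB, NAT gateway and internet gateway, instances in a private subnet, security groups with outbound rules and network ACLs in both directions. Route targets, CIDRs and the instance IP are placeholders. Checks run in the order the packet meets them, followed by the reply path through the stateless NACLs on ephemeral ports; the one control it cannot see is the host firewall on the instance itself.

```python
"""Trace an outbound connection from a private-subnet instance hop by hop
and report which controls would drop it.

Added example, not AWS code. The VPC description is constructed; route
targets, CIDRs and the instance address are placeholders. Neither the NAT
gateway nor the internet gateway has a security group, so none is modelled.
"""
import ipaddress


def _in(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def route_target(route_table, ip):
    """Longest-prefix match over (cidr, target) pairs, as the VPC router does."""
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_allows(rules, port, ip):
    """Network ACLs are stateless and ordered: the lowest-numbered rule that
    matches decides; no match is the implicit '*' deny.
    rules: (number, 'allow'|'deny', port_from, port_to, cidr)"""
    for _, action, lo, hi, cidr in sorted(rules):
        if lo <= port <= hi and _in(cidr, ip):
            return action == "allow"
    return False


def nacl_allows_range(rules, lo, hi, ip):
    """Both ends of a port range must pass (enough for the usual single
    1024-65535 ephemeral rule; a gap in the middle would need every port)."""
    return nacl_allows(rules, lo, ip) and nacl_allows(rules, hi, ip)


def sg_egress_allows(rules, port, ip):
    """Security groups hold allow rules only and are stateful, so the reply
    needs no inbound rule. rules: (port_from, port_to, cidr)"""
    return any(lo <= port <= hi and _in(cidr, ip) for lo, hi, cidr in rules)


EPHEMERAL = (1024, 65535)  # range NAT gateways and most clients use for reply ports


def diagnose(vpc, dst_ip, dst_port):
    """Names of the checks that fail for instance -> dst_ip:dst_port."""
    me = vpc["instance_ip"]
    checks = [
        ("instance security group egress to destination",
         sg_egress_allows(vpc["instance_sg_egress"], dst_port, dst_ip)),
        ("private route table: 0.0.0.0/0 -> NAT gateway (not the internet gateway)",
         str(route_target(vpc["private_routes"], dst_ip)).startswith("nat-")),
        ("private NACL outbound to destination",
         nacl_allows(vpc["private_nacl_out"], dst_port, dst_ip)),
        ("public NACL inbound from private subnet",
         nacl_allows(vpc["public_nacl_in"], dst_port, me)),
        ("public NACL outbound to destination",
         nacl_allows(vpc["public_nacl_out"], dst_port, dst_ip)),
        ("public route table: 0.0.0.0/0 -> internet gateway",
         str(route_target(vpc["public_routes"], dst_ip)).startswith("igw-")),
        # reply path: NACLs are stateless, so each one needs an ephemeral-port rule
        ("public NACL inbound reply on ephemeral ports",
         nacl_allows_range(vpc["public_nacl_in"], *EPHEMERAL, dst_ip)),
        ("public NACL outbound reply to private subnet on ephemeral ports",
         nacl_allows_range(vpc["public_nacl_out"], *EPHEMERAL, me)),
        ("private NACL inbound reply on ephemeral ports",
         nacl_allows_range(vpc["private_nacl_in"], *EPHEMERAL, dst_ip)),
    ]
    return [name for name, ok in checks if not ok]


VPC_CIDR, INSTANCE_IP = "10.0.0.0/16", "10.0.2.15"


def sample_vpc(private_default_route="nat-0a1b2c3d4e5f", private_reply_rule=True):
    """Constructed layout. The parameters reproduce two common faults: the
    private default route pointing at the internet gateway (option F's
    wording) and a missing ephemeral-port reply rule on the private NACL."""
    private_in = [(100, "allow", 0, 65535, VPC_CIDR)]
    if private_reply_rule:
        private_in.append((110, "allow", *EPHEMERAL, "0.0.0.0/0"))
    return {
        "instance_ip": INSTANCE_IP,
        "instance_sg_egress": [(443, 443, "0.0.0.0/0")],
        "private_routes": [(VPC_CIDR, "local"), ("0.0.0.0/0", private_default_route)],
        "private_nacl_out": [(100, "allow", 443, 443, "0.0.0.0/0"), (110, "allow", 0, 65535, VPC_CIDR)],
        "private_nacl_in": private_in,
        "public_nacl_in": [(100, "allow", 443, 443, VPC_CIDR), (110, "allow", *EPHEMERAL, "0.0.0.0/0")],
        "public_nacl_out": [(100, "allow", 443, 443, "0.0.0.0/0"), (110, "allow", *EPHEMERAL, VPC_CIDR)],
        "public_routes": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0f0e0d0c1b2a")],
    }


if __name__ == "__main__":
    print(diagnose(sample_vpc(), "93.184.216.34", 443))  # []
    print(diagnose(sample_vpc("igw-0f0e0d0c1b2a", private_reply_rule=False), "93.184.216.34", 443))
```

The same structures can be filled from `describe-route-tables`, `describe-network-acls` and `describe-security-groups` output; VPC Reachability Analyzer performs the equivalent trace inside AWS, but the order above is what to walk by hand when a connection hangs.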
Question 196:
A developer is receiving AccessDenied errors when the developer invokes API calls to AWS services from a workstation. The developer previously configured environment variables and configuration files on the workstation to use multiple roles with other AWS accounts.
A security engineer needs to help the developer configure authentication. The current credentials must be evaluated without conflicting with other credentials that were previously configured on the workstation.
Where should these credentials be configured to meet this requirement?
A. In the local AWS CLI configuration file B. As environment variables on the local workstation C. As variables in the AWS CLI command line options D. In the AWS shared configuration file
C. As variables in the AWS CLI command line options. The CLI and SDKs resolve settings in a fixed precedence: command line options first, then environment variables, then the assume-role, web-identity and IAM Identity Center sources, then the shared credentials file (~/.aws/credentials), then the config file (~/.aws/config), and finally container or instance metadata. Something supplied on the command line for a single invocation is therefore evaluated ahead of everything the developer configured earlier and disappears when the command ends, so none of the existing environment variables or files has to be edited, and the new credentials cannot be shadowed by a higher-precedence source. Options A, B and D all write into a location that already holds the developer's other credentials, where the new entry either collides with an existing profile or loses to whatever is set at a higher level. A practical caveat: the CLI does not take raw access keys as options; what it accepts on the command line is --profile (plus settings such as --region), so the working pattern is to store the new keys under a new named profile in the shared credentials file and select that profile per command with --profile, which leaves every other profile and the environment untouched. Passing --profile explicitly also makes the CLI skip the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables, so they cannot shadow the profile's keys.
Question 197:
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user.
Which solution will meet these requirements?
A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets. B. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets. C. Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets. D. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.
A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets. Compliance mode is the only option that binds the root user: a protected object version cannot be overwritten or deleted by any user, including root, and its retention period cannot be shortened or its mode changed until the retention period expires; the only way to remove such an object early is to delete the AWS account. Governance mode (options C and D) can be bypassed by any principal holding s3:BypassGovernanceRetention, which root has, so it protects against accidents rather than against a privileged user. A legal hold (option D) does block deletion while it is in place, but it is removed by anyone with s3:PutObjectLegalHold, again including root, so it does not meet the requirement either. Option B is invalid because Vault Lock is a feature of S3 Glacier vaults, not of S3 buckets, and has no effect on objects in the S3 Standard storage class. Object Lock requires bucket versioning and must be enabled on the bucket before locked objects can be written, which is why the options create new buckets.
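As an added example (not AWS code and not part of the question), the Python below encodes the documented rules for governance mode, compliance mode and legal holds in a small model, so the four answer options can be tried against the requirement "no user, including root, can delete or overwrite" and the result compared. The dates and the object are constructed; root is represented as a caller that holds every permission, including s3:BypassGovernanceRetention and s3:PutObjectLegalHold.

```python
"""What each Object Lock option in the question actually stops.

Added example, not AWS code: a model of the documented Object Lock rules for
governance mode, compliance mode and legal holds. Dates are constructed.
"""
from datetime import date


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


class LockedVersion:
    """One object version under Object Lock. Object Lock requires versioning,
    so an 'overwrite' creates a new version; the locked data is only gone
    once this version can be deleted."""

    def __init__(self, mode, retain_until, legal_hold=False):
        self.mode = mode                        # "GOVERNANCE" or "COMPLIANCE"
        self.retain_until = _as_date(retain_until)
        self.legal_hold = legal_hold


def can_delete_version(obj, today, has_bypass_governance=False):
    """Root carries every permission, including s3:BypassGovernanceRetention,
    so for root pass has_bypass_governance=True."""
    if obj.legal_hold:
        return False                            # hold blocks deletion in either mode
    if _as_date(today) >= obj.retain_until:
        return True                             # retention expired
    if obj.mode == "GOVERNANCE":
        return has_bypass_governance
    return False                                # COMPLIANCE: nobody, root included


def can_shorten_retention(obj, has_bypass_governance=False):
    """Retention can always be extended; shortening needs the bypass
    permission in governance mode and is impossible in compliance mode."""
    return obj.mode == "GOVERNANCE" and has_bypass_governance


def release_legal_hold(obj, has_put_legal_hold):
    """A legal hold is cleared by anyone with s3:PutObjectLegalHold (root has
    it), independently of the retention mode. Returns the hold state after."""
    if has_put_legal_hold:
        obj.legal_hold = False
    return obj.legal_hold


def root_can_remove_protection(mode, legal_hold, today, retain_until):
    """The question's requirement for an object inside its retention period,
    as seen by the account root user: True means the option fails."""
    obj = LockedVersion(mode, retain_until, legal_hold)
    release_legal_hold(obj, has_put_legal_hold=True)
    return (can_delete_version(obj, today, has_bypass_governance=True)
            or can_shorten_retention(obj, has_bypass_governance=True))


if __name__ == "__main__":
    for label, mode, hold in (("A compliance", "COMPLIANCE", False),
                              ("C governance", "GOVERNANCE", False),
                              ("D governance + legal hold", "GOVERNANCE", True)):
        print(label, "root can remove protection:",
              root_can_remove_protection(mode, hold, "2025-06-01", "2030-01-01"))
```

The model is for a single object version; in a real bucket the default retention on the bucket decides what new objects get, and compliance mode cannot be relaxed afterwards, so set the retention period deliberately before writing anything.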
Question 198:
A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.
What should the security engineer do to meet these requirements?
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet. B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront. C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances. D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet. The fastest and most effective way to protect an internet-facing application against SQL injection within 24 hours is AWS WAF with rules designed to catch it (the AWSManagedRulesSQLiRuleSet managed rule group plus, if needed, custom rules matched against the attack samples supplied in the report). Placing an ALB in front of the EC2 instances gives WAF something to attach to and filters malicious requests before they reach the application, without touching application code or interrupting service. This approach also: 1. Prevents direct internet access to the EC2 instances, since the security groups are tightened to accept traffic only from the ALB once it is the entry point. 2. Allows the Route 53 records to be repointed to the ALB only after the web ACL has been tested, so the cutover is a single DNS change. 3. Keeps both instances in service throughout. Option B takes one instance out of rotation, which breaks normal operations. Option C is not achievable in 24 hours for a platform that no longer receives updates, and patching third-party code is far more effort. Option D is invalid because a web ACL cannot be attached to an EC2 instance, and closing the database port does nothing against injection, which arrives over the web port the application itself listens on. A practitioner should run the new rules in Count mode against the attack samples and a slice of legitimate traffic before switching them to Block, and should treat the WAF as a compensating control: the injection bug is still in the code behind it.
Question 199:
You have a 2 tier application hosted in IAM. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db- 345).
Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.
A. wg-123 - Allow ports 80 and 443 from 0.0.0.0/0 B. db-345 - Allow port 1433 from wg-123 C. wg-123 - Allow port 1433 from wg-123 D. db-345 - Allow port 1433 from 0.0.0.0/0
A. wg-123 - Allow ports 80 and 443 from 0.0.0.0/0 B. db-345 - Allow port 1433 from wg-123 The web security group should allow ports 80 and 443 (HTTP and HTTPS) from 0.0.0.0/0 so users across the internet can reach the web tier. The database security group should allow only port 1433 (SQL Server) and only from the web security group, referencing wg-123 as the source rather than an IP range, so that any instance in the web tier, and nothing else, can reach the database even as web instances are replaced. Option C is invalid because it opens the SQL Server port on the web tier to other web instances, which serves no purpose. Option D is invalid because the database port must never be exposed to the internet. For more information on Security Groups, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Question 200:
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?
A. Remove the instance from the load balancer and terminate it. B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group. C. Reboot the instance and check for any Amazon CloudWatch alarms. D. Stop the instance and make a snapshot of the root EBS volume.
B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group. Deregistering the instance from the Classic Load Balancer stops it receiving user traffic, and swapping its security group for an isolation group with no inbound and no outbound rules cuts the attacker's command channel and any lateral movement toward other instances, while leaving the instance running with its memory, processes, network connections and disk intact for acquisition (snapshot the EBS volumes, capture memory and logs, then enable termination protection). One caveat: connections that were already established and tracked can survive a security group change, so add a deny for the instance's address in the subnet's network ACL, which is stateless, to cut them off as well. Option A destroys the evidence along with the instance. Option C (reboot) discards volatile memory and can trigger attacker persistence, and CloudWatch alarms are not forensic evidence. Option D preserves the disk but loses memory and running state; stopping the instance is a step to take only after volatile evidence has been collected. See the AWS security incident response guide: https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf