Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 221:
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance.
Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Choose two.)
A. Allow port 22 from source 0.0.0.0/0.
B. Allow port 443 from source 0.0.0.0/0.
C. Allow port 22 from 192.168.100.0/24.
D. Allow port 22 from 10.0.1.0/24.
E. Allow port 443 from 10.0.1.0/24.
B. Allow port 443 from source 0.0.0.0/0.
C. Allow port 22 from 192.168.100.0/24.
Explanation: A public website has to accept HTTPS from anywhere, so port 443 is opened to 0.0.0.0/0, while SSH is opened only to the management subnet. Option A exposes SSH to the internet, option D allows SSH only from the web subnet itself rather than from where the administrators are, and option E would make the website unreachable from the internet. Security groups are stateful, so no separate rule is needed for the reply traffic.
Question 222:
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.
Which solution will meet these requirements?
A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
B. Use AWS Private Certificate Authority. Encrypt the data in transit.
C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.
C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
Explanation: The DynamoDB Encryption Client encrypts attribute values in the application before they are written and decrypts them after they are read, so the plaintext never leaves the client; that covers the data in transit, at rest, and while DynamoDB itself handles it. It also signs each item, so an attribute that is changed or removed outside the client (for example by an administrator who has PutItem permission on the table) fails verification on the next read. Option A protects only data at rest and does nothing against an authorized writer modifying an item; option B protects only the TLS connection; option D, the AWS Encryption SDK, is a general-purpose library that encrypts byte streams, has no notion of DynamoDB items and does not sign them.
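The integrity property behind this answer, as an added example that is not part of the exam page and not the DynamoDB Encryption Client's own code: each item is signed before it is written and the signature is checked on read, so a change made directly in the table is detected. It uses only the standard library; the signing key, table name and item are constructed. The real client additionally encrypts attribute values and obtains its signing and encryption keys from a materials provider (typically backed by AWS KMS), so this shows the concept, not the client's item format.

```python
"""Sign-then-verify for DynamoDB items: detects out-of-band changes.
Added example; keys and data below are constructed."""
import hashlib
import hmac
import json

SIGNING_KEY = b"\x01" * 32       # constructed; in practice from a materials provider
TABLE_NAME = "PatientRecords"    # bound into the signature to stop cross-table replay
SIGNATURE_ATTR = "item_signature"


def canonicalize(item):
    """Deterministic bytes over the table name and every non-signature attribute."""
    body = {k: v for k, v in item.items() if k != SIGNATURE_ATTR}
    return json.dumps([TABLE_NAME, body], sort_keys=True,
                      separators=(",", ":")).encode()


def sign_item(item):
    """Copy of the item carrying an HMAC-SHA256 over its canonical form."""
    sig = hmac.new(SIGNING_KEY, canonicalize(item), hashlib.sha256).hexdigest()
    return {**item, SIGNATURE_ATTR: sig}


def verify_item(item):
    """True only if all attributes are exactly as they were when signed."""
    if SIGNATURE_ATTR not in item:
        return False                     # signature stripped: treat as tampered
    expected = hmac.new(SIGNING_KEY, canonicalize(item), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, item[SIGNATURE_ATTR])


ORIGINAL = {"patient_id": "p-1001", "ssn": "123-45-6789", "balance": 250}  # constructed


def demo():
    """Verification results for: untouched, attribute changed, attribute
    removed, signature stripped. Only the first must be True."""
    stored = sign_item(ORIGINAL)
    changed = {**stored, "balance": 0}                              # edited in the table
    removed = {k: v for k, v in stored.items() if k != "ssn"}        # attribute deleted
    stripped = {k: v for k, v in stored.items() if k != SIGNATURE_ATTR}
    return (verify_item(stored), verify_item(changed),
            verify_item(removed), verify_item(stripped))


if __name__ == "__main__":
    print(demo())
```

The detection only holds if a principal who can write to the table cannot also obtain the signing key; otherwise they simply re-sign the modified item. That is why the key belongs in KMS (or a materials provider backed by it) rather than beside the application, and why the KMS key policy, not the table's IAM permissions, is what bounds who can forge a valid item.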
Question 223:
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
A. On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
Explanation: AWS Config records the configuration of every EBS volume regardless of which tool created it, and the managed rule encrypted-volumes flags each attached volume that is not encrypted; rules can be evaluated on configuration change and on a periodic schedule, and non-compliance can be sent to Amazon SNS or handed to an automatic remediation action. Option A is at best preventive and says nothing about volumes created outside the policy's reach; Amazon Inspector assesses software vulnerabilities and network reachability, not EBS settings; CloudWatch Logs holds only what was logged and does not inventory volumes. The preventive complement to this monitoring is the per-Region EBS "encryption by default" account setting, which makes new volumes encrypted whatever tool creates them. Reference: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf ("For example, AWS Config provides a managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account.")
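The evaluation contract behind a Config rule, written out as an added example (not from the exam page and not AWS-provided code): the logic of a custom rule that reports every AWS::EC2::Volume as COMPLIANT or NON_COMPLIANT from its encrypted flag, with an optional, assumed rule parameter `requiredKmsKeyId` to enforce one specific key. The managed rule encrypted-volumes does the plain check without any code; the custom form is shown so the evaluation shape is visible. The invocation event is constructed in the shape Config passes to a rule's Lambda function for a configuration-change trigger (a periodic trigger carries no configurationItem and would need a separate branch).

```python
"""Custom AWS Config rule logic: EBS volume must be encrypted.
Added example; the event and parameter names are constructed/assumed."""
import json


def evaluate_volume(item, rule_params=None):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "volume no longer exists"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted", False):
        return "NON_COMPLIANT", f"volume {item['resourceId']} is not encrypted"
    # Assumed optional rule parameter: require one specific KMS key.
    required = (rule_params or {}).get("requiredKmsKeyId")
    if required and cfg.get("kmsKeyId") != required:
        return ("NON_COMPLIANT",
                f"volume {item['resourceId']} uses {cfg.get('kmsKeyId')}, not {required}")
    return "COMPLIANT", "volume is encrypted"


def build_evaluation(event):
    """Turn a Config invocation event into one put_evaluations() entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_volume(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed. boto3 is imported here so the evaluation
    logic above can be exercised offline."""
    import boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(encrypted, key_id=None):
    """Constructed invocation event carrying one EBS volume configuration item."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": encrypted, "kmsKeyId": key_id},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}


if __name__ == "__main__":
    for enc in (True, False):
        print(build_evaluation(sample_event(enc))["ComplianceType"])
```

Register the rule with a configuration-change trigger scoped to AWS::EC2::Volume so that manually created and third-party-created volumes are evaluated as soon as the recorder sees them, and add a periodic trigger if the auditors want a timed re-evaluation as well.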
Question 224:
You have a set of keys defined in AWS KMS. You want to stop using a couple of them but are not sure which services are currently using them. Which of the following is a safe option to stop the keys from further use?
A. Delete the keys, since there is a 7-day waiting period before deletion anyway.
B. Disable the keys.
C. Set an alias for the key.
D. Change the key material for the key.
B. Disable the keys.
Explanation: Disabling is reversible and observable: a disabled key rejects every cryptographic operation (callers receive a DisabledException), so anything still depending on the key surfaces as an error in the application and in CloudTrail, and the key can be re-enabled immediately. Option A is not safe: the waiting period is 7 to 30 days, the key is already unusable during it, and once it expires the key material and everything encrypted under it are gone for good; deletion can be cancelled during the waiting period, but that is not a test you want to run against a destructive endpoint. Options C and D neither stop use of the key nor tell you who is using it: an alias is only a name, and changing key material does not change who can call the key. The AWS documentation says: "Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK." (CMK is the older name for a KMS key.) For more information on deleting keys, see https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
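Before disabling, a practitioner would check who is exercising each key. The following is an added example, not from the exam page and not AWS code: it summarises CloudTrail records for kms.amazonaws.com per key ARN, counting only successful cryptographic operations (read-only management calls such as DescribeKey prove nothing about dependence on the key), and names the candidate keys with no observed callers. The records, key ARNs and principals are constructed; in practice they come from the trail's S3 log files (`{"Records": [...]}`) or from CloudTrail's lookup_events API.

```python
"""Which KMS keys are actually used? Summarise CloudTrail KMS records per key.
Added example; all records and ARNs below are constructed."""
import json
from collections import defaultdict

# Operations whose success means some caller depends on the key.
CRYPTO_OPS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
    "GenerateMac", "VerifyMac",
}


def load_trail_file(text):
    """Records from one CloudTrail log file body."""
    return json.loads(text)["Records"]


def key_arns_in(record):
    """Key ARNs referenced by one record: the resources list, then keyId."""
    arns = {r["ARN"] for r in record.get("resources", [])
            if r.get("type") == "AWS::KMS::Key"}
    key_id = (record.get("requestParameters") or {}).get("keyId")
    if key_id and key_id.startswith("arn:"):
        arns.add(key_id)
    return arns


def caller_of(record):
    """Service acting on the principal's behalf, else the principal ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("invokedBy") or ident.get("arn", "unknown")


def key_usage(records):
    """Map key ARN -> {'calls', 'operations', 'callers'} for crypto ops only."""
    usage = defaultdict(lambda: {"calls": 0, "operations": set(), "callers": set()})
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in CRYPTO_OPS or rec.get("errorCode"):
            continue          # management calls and failed calls are not dependence
        for arn in key_arns_in(rec):
            entry = usage[arn]
            entry["calls"] += 1
            entry["operations"].add(rec["eventName"])
            entry["callers"].add(caller_of(rec))
    return dict(usage)


def safe_to_disable(candidates, usage):
    """Candidate keys with no observed cryptographic use in the records."""
    return sorted(k for k in candidates if k not in usage)


KEY_A = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/bbbbbbbb-0000-0000-0000-000000000002"

# Constructed CloudTrail records, trimmed to the fields the code reads.
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"},
     "requestParameters": {"keyId": KEY_A}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",   # read-only
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_B}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",        # denied
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_B}]},
]

if __name__ == "__main__":
    usage = key_usage(SAMPLE_RECORDS)
    for arn, entry in usage.items():
        print(arn, entry)
    print("no observed use:", safe_to_disable([KEY_A, KEY_B], usage))
```

Two caveats on the data source: the console's event history only covers 90 days, so read from a trail's S3 logs for a longer window, and make sure the trail has not been configured to exclude AWS KMS events. After disabling, watch the same records for DisabledException errors; the userIdentity of those calls is exactly the list of dependants you could not find beforehand.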
Question 225:
Your company manages thousands of EC2 instances. There is a mandate to ensure that no server has any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.
A. Use AWS Config to ensure that the servers have no critical flaws.
B. Use Amazon Inspector to ensure that the servers have no critical flaws.
C. Use Amazon Inspector to patch the servers.
D. Use AWS Systems Manager (SSM) to patch the servers.
B. Use Amazon Inspector to ensure that the servers have no critical flaws.
D. Use AWS Systems Manager (SSM) to patch the servers.
Explanation: The AWS documentation describes Amazon Inspector as follows: "Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API." Inspector finds the flaws and ranks them by severity; it changes nothing on the instance, so option C is invalid. AWS Config evaluates resource configuration, not software vulnerabilities, so option A is invalid. Once the critical findings are known, Systems Manager Patch Manager (driven by Run Command or a maintenance window) installs the missing patches across the fleet; both Inspector's EC2 scanning and Patch Manager rely on the SSM Agent running under an instance profile that lets it register with Systems Manager. For more information see https://aws.amazon.com/inspector/ and https://docs.aws.amazon.com/systems-manager/latest/APIReference/Welcome.html
Question 226:
A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.
How can the security engineer implement this solution?
A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.
C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
Explanation: A security group rule may reference a security group in a peered VPC in another account as long as both VPCs are in the same Region, and such a reference follows the instances rather than their addresses: only instances carrying the application security group can reach port 1521, however often instances are created and terminated. The application security group needs no inbound rules because security groups are stateful and the database replies are allowed automatically. Options A, B and D open the port to the whole application VPC address range, and a network ACL applies to every instance in a subnet, so instances that do not need database access would get it too.
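A small audit that catches both anti-patterns from questions 221 and 226 (a management port reachable from 0.0.0.0/0, and a database port opened to a CIDR range where a security-group reference would do). This is an added example, not from the exam page and not AWS code; the sample groups are constructed in the shape of the entries boto3's `describe_security_groups()` returns under `SecurityGroups`, so the function can be pointed at live output unchanged.

```python
"""Audit security-group ingress rules for over-broad management and database access.
Added example; the security groups below are constructed samples."""
import ipaddress

MANAGEMENT_PORTS = {22, 3389}              # SSH, RDP
DATABASE_PORTS = {1521, 3306, 5432, 1433}  # Oracle, MySQL, PostgreSQL, MSSQL


def _covers(perm, port):
    """True if the permission's port range includes `port` (protocol -1 = all)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_group(sg):
    """Return (severity, message) findings for one security group dict."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # a prefix length of 0 means "anywhere" for IPv4 and IPv6 alike
            world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            for port in MANAGEMENT_PORTS:
                if world and _covers(perm, port):
                    findings.append(("HIGH", f"{gid}: port {port} open to {cidr}"))
            for port in DATABASE_PORTS:
                if _covers(perm, port):
                    findings.append(("MEDIUM",
                                     f"{gid}: port {port} allowed from CIDR {cidr}; "
                                     "reference the client security group instead"))
        # UserIdGroupPairs (security-group references) raise no finding by design.
    return findings


# Constructed samples. Question 221: the insecure SSH rule versus answers B + C.
WEB_SG_BAD = {"GroupId": "sg-web-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
WEB_SG_GOOD = {"GroupId": "sg-web-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "192.168.100.0/24"}]},
]}
# Question 226: the whole application VPC range versus a reference to the
# application security group (answer C).
DB_SG_BAD = {"GroupId": "sg-db-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
]}
DB_SG_GOOD = {"GroupId": "sg-db-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-app", "UserId": "111111111111"}]},
]}

if __name__ == "__main__":
    for sg in (WEB_SG_BAD, WEB_SG_GOOD, DB_SG_BAD, DB_SG_GOOD):
        print(sg["GroupId"], audit_security_group(sg) or "OK")
```

Run against live data with `for sg in ec2.describe_security_groups()["SecurityGroups"]: audit_security_group(sg)`; the same logic is what AWS Config's managed rules for restricted SSH and common ports implement for you, so the script is most useful in a pipeline that reviews templates before they are deployed.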
Question 227:
A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.
A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.
Which solution should the security engineer recommend?
A. Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
B. Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
D. Use AWS Control Tower to edit the account factory template to enable the shared security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.
C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
Explanation: AWS Firewall Manager is the Organizations-integrated service for exactly this: a common security group policy replicates the security team's groups from the Firewall Manager administrator account into every in-scope member account, associates them with the in-scope resources, and with "identify and revert changes" plus automatic remediation it undoes any local edit, so both the inconsistency and the unauthorized changes are handled centrally and continuously. Option B only provisions the groups once at account creation and notifies after a change has already taken effect; option A cannot keep per-account copies in sync or stop local edits; option D's account factory option does not exist, and a blanket SCP forbidding security group modification would also block the security team's own changes. Firewall Manager requires AWS Config to be enabled in each in-scope account and Region.
Question 228:
You need to inspect the running processes on an EC2 Instance that may have a security issue. How can you achieve this in the easiest way possible? Also you need to ensure that the process does not interfere with the continuous running of the instance.
A. Use AWS CloudTrail to record the processes running on the server to an S3 bucket.
B. Use Amazon CloudWatch to record the processes running on the server.
C. Use the SSM Run Command to send the list of running processes to an S3 bucket.
D. Use AWS Config to see the changed process information on the server.
C. Use the SSM Run Command to send the list of running processes to an S3 bucket.
Explanation: Run Command executes an OS-specific command document (AWS-RunShellScript on Linux, AWS-RunPowerShellScript on Windows) on the instance through the SSM Agent, with no SSH or RDP session and without stopping anything, and can deliver the command output to an S3 bucket; the command itself is just a process listing such as `ps -eo pid,ppid,user,etime,cmd` or `Get-Process`. The instance must be running the SSM Agent under an instance profile that lets it register with Systems Manager and write to the bucket. Option A is invalid because CloudTrail records API activity, not what runs inside the operating system. Option B is invalid because CloudWatch is a metrics and logging service and cannot run a command on the instance. Option D is invalid because AWS Config records resource configuration, not processes. For more information on the Systems Manager Run Command, see https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
Question 229:
An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket, the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)
A. Confirm that the EC2 instance's security group authorizes S3 access.
B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
C. Check the S3 bucket policy for statements that deny access to objects.
D. Confirm that the EC2 instance is using the correct key pair.
E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
F. Confirm that the instance and the S3 bucket are in the same Region.
B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
C. Check the S3 bucket policy for statements that deny access to objects.
E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
Explanation: A 403 is an authorization decision, which means the request reached S3; a security group problem would show up as a timeout, not a 403, so A is out, and the EC2 key pair (D) only governs SSH logins. S3 is reachable across Regions (F); addressing the wrong Region endpoint produces a redirect error, not a denial. What remains is the policy chain: the role's identity policy must allow the S3 action on the bucket and the object (E), the bucket policy must not contain an explicit Deny that matches the request (C), and if the object is encrypted with SSE-KMS the role must additionally be allowed kms:Decrypt on the key through the key policy or a grant (B), because a KMS denial is also reported by S3 as Access Denied. The CloudTrail record of the failed call shows which principal and action were evaluated, which is the place to start before changing any policy.
Question 230:
A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a security engineer resolve these issues?
A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Explanation/Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html "For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify." https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/ The 90-day limit is the console's event history, so the fix for retention is a trail writing to S3 (with a lifecycle policy for long-term storage if wanted). For the detection, AWS Config records IAM users, groups, roles and policies as global resources and raises a configuration-change event that a rule or an SNS notification can act on; the recorder must be set to include global resources in one Region for this to work. Option A's lifecycle policy assumes a trail that does not yet exist and Inspector does not watch policies; Artifact and Trusted Advisor (B) are unrelated to logging and change detection; CloudTrail by itself (C) has no notification feature, that needs a CloudWatch Logs metric filter or an EventBridge rule on top of it.
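What the detection half of this answer looks like over the trail itself, as an added example that is not from the exam page and not AWS code: the set of IAM policy-changing event names mirrors the CIS AWS Foundations "IAM policy changes" metric filter, and each matching CloudTrail record becomes an alert unless it was made by an allow-listed principal such as the deployment pipeline's role. Failed attempts are reported too, since a denied AttachUserPolicy is often the first sign of a compromised credential. The records, ARNs and the `deployer` role are constructed.

```python
"""Alert on CloudTrail records that change IAM policies (CIS-style event list).
Added example; the records and principals below are constructed."""

IAM_POLICY_CHANGE_EVENTS = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
    "PutUserPolicy", "DeleteUserPolicy", "AttachUserPolicy", "DetachUserPolicy",
    "PutRolePolicy", "DeleteRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutGroupPolicy", "DeleteGroupPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}


def describe_target(params):
    """Human-readable target from the call's request parameters."""
    params = params or {}
    parts = [f"{k}={params[k]}" for k in
             ("userName", "roleName", "groupName", "policyArn", "policyName")
             if k in params]
    return ", ".join(parts) or "n/a"


def detect_policy_changes(records, allowed_principals=()):
    """Return one alert dict per IAM policy mutation (or attempted mutation).

    allowed_principals are ARN prefixes: assumed-role ARNs end in a session
    name, so the pipeline role is matched on its 'assumed-role/<role>/' prefix.
    Denied attempts by an allowed principal are still reported."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in IAM_POLICY_CHANGE_EVENTS:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        succeeded = "errorCode" not in rec
        if succeeded and any(actor.startswith(p) for p in allowed_principals):
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "target": describe_target(rec.get("requestParameters")),
            "succeeded": succeeded,
        })
    return alerts


DEPLOYER_PREFIX = "arn:aws:sts::111111111111:assumed-role/deployer/"

# Constructed CloudTrail records, trimmed to the fields the code reads.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"userName": "contractor",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": DEPLOYER_PREFIX + "pipeline-42"},
     "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/app-policy"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicy",                                    # read-only, ignored
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/app-policy"}},
    {"eventTime": "2024-03-01T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRolePolicy", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleName": "prod-admin", "policyName": "inline-guardrail"}},
]

if __name__ == "__main__":
    for alert in detect_policy_changes(SAMPLE_RECORDS, {DEPLOYER_PREFIX}):
        print(alert)
```

The same event list is what a CloudWatch Logs metric filter on the trail's log group would carry as `{ ($.eventName = PutUserPolicy) || ($.eventName = AttachRolePolicy) || ... }`, with a CloudWatch alarm on the metric notifying SNS; the Python form is useful for running the check over archived S3 logs when investigating after the fact.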