Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 291:
A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only internet gateways.
Which combination of steps should the application team take to meet these requirements? (Select THREE.)
A. Create an S3 endpoint that has a full-access policy for the application's VPC.
B. Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
C. Launch the Lambda function. Enable the block public access configuration.
D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
E. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.
Answer:
A. Create an S3 endpoint that has a full-access policy for the application's VPC.
D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.
Question 292:
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.
Which combination of activities must the company implement to meet its encryption requirements? (Select TWO.)
A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Answer:
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
Question 293:
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.
The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.
What should the Security Engineer do to meet these requirements?
A. Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
B. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
C. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
D. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Answer:
D. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Question 294:
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?
A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation.
B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings.
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.
D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework.
Answer:
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.
Question 295:
Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below.
A. Create an IAM user in the company account.
B. Create an IAM Role in the company account.
C. Ensure the IAM user has read-only access to the S3 buckets.
D. Ensure the IAM Role has read-only access to the S3 buckets.
Answer:
B. Create an IAM Role in the company account.
D. Ensure the IAM Role has read-only access to the S3 buckets.
Explanation: The AWS documentation mentions the following. To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section. Create an IAM role for each account that you want to share log files with. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with. Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files. Options A and C are invalid because creating an IAM user and then sharing the IAM user credentials with the vendor is a direct 'NO' practice from a security perspective. For more information on sharing CloudTrail log files, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html
Question 296:
A company runs a custom online gaming application. The company uses Amazon Cognito for user authentication and authorization.
A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito.
Which solution will meet these requirements?
A. Create a set of IAM roles and IAM policies. Configure the Cognito identity pool to assign users to the IAM roles.
B. Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.
C. Create customer managed permissions by using AWS Resource Access Manager (AWS RAM). Configure the Cognito identity pool to assign users to the customer managed permissions.
D. Create a set of IAM users and IAM policies. Configure the Cognito user pool to assign users to the IAM users.
Answer:
B. Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.
Explanation: Amazon Verified Permissions provides fine-grained authorization by enabling policy-based access control, which can use attributes from Amazon Cognito as input to define access rules. By configuring Cognito as the identity source in Verified Permissions and mapping Cognito access tokens to the Verified Permissions schema, the security engineer can implement detailed authorization rules based on user attributes in Cognito.
Question 297:
A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?
A. Use bucket policies.
B. Use the AWS Security Token Service.
C. Use IAM user policies.
D. Use IAM access keys.
Answer:
A. Use bucket policies.
C. Use IAM user policies.
Explanation: The AWS documentation mentions the following. Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. Options B and D are invalid because these cannot be used to control access to S3 buckets. For more information on S3 access control, please refer to the following link: https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Question 298:
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched. What could be causing these terminations?
A. The IAM user launching those instances is missing the ec2:RunInstances permission.
B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions.
C. The instance profile used with the EC2 instances is unable to query instance metadata.
D. AWS currently does not have sufficient capacity in the Region.
Answer:
B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions.
Explanation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html
Question 299:
You currently have an S3 bucket hosted in an AWS account. It holds information that needs to be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
A. Ensure an IAM role is created which can be assumed by the partner account.
B. Ensure an IAM user is created which can be assumed by the partner account.
C. Ensure the partner uses an external ID when making the request.
D. Provide the ARN for the role to the partner account.
E. Provide the account ID to the partner account.
F. Provide access keys for your account to the partner account.
Answer:
A. Ensure an IAM role is created which can be assumed by the partner account.
C. Ensure the partner uses an external ID when making the request.
D. Provide the ARN for the role to the partner account.
Explanation: Option B is invalid because roles are assumed, not IAM users. Option E is invalid because you should not give the account ID to the partner. Option F is invalid because you should not give the access keys to the partner. The diagram in the AWS documentation shows an example in which an IAM role and an external ID are used to access resources in an AWS account. For more information on creating roles with external IDs, please visit the following URL:
Question 300:
A company has two AWS accounts within AWS Organizations. In Account-1, Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2, Amazon EBS volumes are encrypted with an AWS KMS key. A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes.
Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)
A. Allow Account-1 to access the KMS key in Account-2 using a key policy.
B. Attach an IAM policy to the service-linked role in Account-1 that allows these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
C. Create a KMS grant for the service-linked role with these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
D. Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.
E. Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.
Answer:
C. Create a KMS grant for the service-linked role with these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
D. Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.