Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:May 29, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 301:
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead
Which solution meets these requirements?
A. Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only. B. Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only. C. Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only D. Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
D
Question 302:
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)
A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic. B. Move the web servers to private subnets without public IP addresses. C. Configure IAM WAF to provide DDoS attack protection for the ALB. D. Require all inbound network traffic to route through a bastion host in the private subnet. E. Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.
B. Move the web servers to private subnets without public IP addresses. C. Configure IAM WAF to provide DDoS attack protection for the ALB.
Question 303:
A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.
The security team is unable to get objects from the S3 bucket
Which factors could cause this issue? (Select THREE.)
A. The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts. B. The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts. C. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN. D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN. E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443. F. The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.
A. The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts. D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN. E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443. https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place: The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them. The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct. The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified References: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.ht ml https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
Question 304:
You need to ensure that the cloudtrail logs which are being delivered in your IAM account is encrypted. How can this be achieved in the easiest way possible?
A. Don't do anything since CloudTrail logs are automatically encrypted. B. Enable S3-SSE for the underlying bucket which receives the log files C. Enable S3-KMS for the underlying bucket which receives the log files D. Enable KMS encryption for the logs which are sent to Cloudwatch
A. Don't do anything since CloudTrail logs are automatically encrypted. The IAM Documentation mentions the following By default the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3) Option B,C and D are all invalid because by default all logs are encrypted when they sent by Cloudtrail to S3 buckets For more information on IAM Cloudtrail log encryption, please visit the following URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/usereuide/encryptine-cloudtrail-loe-files- with-IAM-kms.htmll The correct answer is: Don't do anything since CloudTrail logs are automatically encrypted. Submit your Feedback/Queries to our Experts
Question 305:
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership
What should the security engineer do to meet these requirements?
A. Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user B. Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy C. Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group D. Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role
B. Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy
Question 306:
Your company is planning on using IAM EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.
A. Ensure the load balancer listens on port 80 B. Ensure the load balancer listens on port 443 C. Ensure the HTTPS listener sends requests to the instances on port 443 D. Ensure the HTTPS listener sends requests to the instances on port 80
B. Ensure the load balancer listens on port 443 C. Ensure the HTTPS listener sends requests to the instances on port 443 The IAM Documentation mentions the following You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted, if the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted. Option A is invalid because there is a need for secure traffic, so port 80 should not be used Option D is invalid because for the HTTPS listener you need to use port 443 For more information on HTTPS with ELB, please refer to the below Link: https://docs.IAM.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load- balancer.htmll The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443 Submit your Feedback/Queries to our Experts
Question 307:
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?
A. Use the request parameters for authorization B. Use a Lambda authorizer C. Use the gateway authorizer D. Use CORS on the API gateway
B. Use a Lambda authorizer The IAM Documentation mentions the following An Amazon API Gateway Lambda authorizer (formerly known as a custom authorize?) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters. Options A,C and D are invalid because these cannot be used if you need a custom authentication/authorization for calls made to the API gateway For more information on using the API gateway Lambda authorizer please visit the URL: https://docs.IAM.amazon.com/apisateway/latest/developerguide/apieateway-use-lambda- authorizer.htmll The correct answer is: Use a Lambda authorizer Submit your Feedback/Queries to our Experts
Question 308:
The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again. B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data. C. Update the policy, keeping the vault lock in place. D. Update the policy and call initiate-vault-lock again to apply the new policy.
A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again. Explanation Explanation/Reference:Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in- progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.IAM.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html
Question 309:
You have a set of application , database and web servers hosted in IAM. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?
A. Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group B. Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group C. Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group D. Check the Outbound security rules for the database security group Check the both the Inbound and Outbound security rules for the application security group
A. Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group Here since the communication would be established inward to the database server and outward from the application server, you need to ensure that just the Outbound rules for application server security groups are checked. And then just the Inbound rules for database server security groups are checked. Option B can't be the correct answer. It says that we need to check the outbound security group which is not needed. We need to check the inbound for DB SG and outbound of Application SG. Because, this two group need to communicate with each other to function properly. Option C is invalid because you don't need to check for Outbound security rules for the database security group Option D is invalid because you don't need to check for Inbound security rules for the application security group For more information on Security Groups, please refer to below URL: The correct answer is: Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group Submit your Feedback/Queries to our Experts
Question 310:
A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account.
Which solution meets these requirements in the MOST secure way?
A. Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region B. Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0 C. Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group D. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups
C. Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group This solution ensures that the Lambda functions are deployed inside the VPC and can communicate with the Amazon RDS DB instance securely. The security group attached to the Lambda functions only allows outbound traffic to the VPC CIDR range, and the DB instance security group only allows traffic from the Lambda security group. This solution ensures that the Lambda functions can communicate with the DB instance securely and that the DB instance is not exposed to the public internet.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.