Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 381:
A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots.
The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.
Which solution will meet these requirements?
A. Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.
B. Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.
C. Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.
D. Create a backup plan in AWS Backup. Configure a 5-year retention period.
D. Create a backup plan in AWS Backup. Configure a 5-year retention period.
Explanation/Reference: A backup plan in AWS Backup is made of backup rules, and each rule carries a lifecycle with a retention period, here 5 years (1825 days); when a recovery point reaches that age AWS Backup deletes it. The recovery points are kept in a backup vault, and the underlying snapshot storage in Amazon S3 is managed by AWS, so there is no customer-owned bucket on which versioning (B) or an S3 Lifecycle configuration (C) could be set. A retention tag (A) records intent but expires nothing. If the 5 years must survive an administrator's change of mind, add AWS Backup Vault Lock so the retention cannot be shortened before the period ends.
Question 382:
A company has an application that needs to read objects from an Amazon S3 bucket. The company configures an IAM policy and attaches the policy to an IAM role that the application uses. When the application tries to read objects from the S3 bucket, the application receives AccessDenied errors.
A security engineer must resolve this problem without decreasing the security of the S3 bucket or the application.
Which solution will meet these requirements?
A. Attach a resource policy to the S3 bucket to grant read access to the role.
B. Launch a new deployment of the application in a different AWS Region. Attach the role to the application.
C. Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly.
D. Ensure that the S3 Block Public Access feature is disabled on the S3 bucket. Review AWS CloudTrail logs to validate that the application is assuming the role correctly.
C. Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly.
Explanation/Reference: Start by establishing what the application's identity is actually allowed to do. IAM Access Analyzer policy validation (or the IAM policy simulator) confirms that the role's identity policy grants s3:GetObject on the object ARNs (arn:aws:s3:::bucket/*, not only the bucket ARN), and CloudTrail, or `aws sts get-caller-identity` run from the application's environment, confirms that the application is really assuming that role rather than falling back to some other credential. Also check the bucket policy for an explicit Deny, which overrides any Allow. Incorrect options: A adds a second grant without diagnosing why the first failed and may widen access; B moves the application to another Region, which has nothing to do with the error; D disables a protective control that is irrelevant unless public access is wanted, which it is not.
Question 383:
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.
Which of the following actions would resolve this issue?
A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
B. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
C. In SNS, ensure that the subscription used by these alerts has not been deleted.
D. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
C. In SNS, ensure that the subscription used by these alerts has not been deleted.
The CloudWatch alarm publishes to an SNS topic, and e-mail only leaves that topic through a confirmed subscription; if the subscription was deleted (or its confirmation was never completed) the alarm still changes state but nothing is delivered. A log prefix (A) only affects where CloudTrail writes its files, the SNS spend limit (B) applies to SMS rather than e-mail, and an alarm cannot be configured with fewer than one evaluation period (D).
Question 384:
Your company has an EC2 instance that is hosted in an Amazon VPC. There is a requirement to ensure that log files from the EC2 instance are stored accordingly. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
A. Stream the log files to a separate CloudTrail trail
B. Stream the log files to a separate CloudWatch Logs log group
C. Create an IAM policy that gives the desired level of access to the CloudTrail trail
D. Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group
B. Stream the log files to a separate CloudWatch Logs log group
D. Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group
You can create a log group and send all logs from the EC2 instance to that group with the CloudWatch agent, then limit access to the log group via an IAM policy whose Resource is the log group's ARN. Option A is invalid because CloudTrail records API activity and is not a destination for application or system log files. Option C is invalid because CloudTrail is the wrong service for this requirement. For more information on log groups and log streams, see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj For more information on access control for CloudWatch Logs, see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
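As an added illustration (not part of the exam page or any AWS sample), the two IAM identity policies the answer implies: one for the instance role that writes to the log group and one for the people who read it, plus a check that both stay pinned to that group. The Region, account ID and log group name are placeholders. Standard library only, so it runs offline; the output is what you would pass to `aws iam put-role-policy --policy-document file://...`.

```python
"""Least-privilege CloudWatch Logs policies scoped to a single log group.
Added example; REGION, ACCOUNT and LOG_GROUP are placeholders."""
import json

REGION = "us-east-1"
ACCOUNT = "111122223333"       # placeholder account ID
LOG_GROUP = "/app/web-server"  # placeholder log group name


def log_group_arn(region=REGION, account=ACCOUNT, group=LOG_GROUP):
    return f"arn:aws:logs:{region}:{account}:log-group:{group}"


def writer_policy(region=REGION, account=ACCOUNT, group=LOG_GROUP):
    """For the EC2 instance role used by the CloudWatch agent.

    PutLogEvents and CreateLogStream are authorised against the log-stream
    ARN, which is the group ARN followed by ':*'; the bare group ARN on its
    own does not cover them. logs:CreateLogGroup is left out deliberately so
    a compromised instance cannot create groups elsewhere."""
    arn = log_group_arn(region, account, group)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteOnlyToAppGroup",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [arn, f"{arn}:*"],
        }],
    }


def reader_policy(region=REGION, account=ACCOUNT, group=LOG_GROUP):
    """For the analysts' role: read this group and nothing else.

    logs:DescribeLogGroups is not resource-scoped and needs Resource "*",
    so it sits in its own statement; the actions that read events stay
    pinned to the group and its streams."""
    arn = log_group_arn(region, account, group)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListGroups", "Effect": "Allow",
             "Action": "logs:DescribeLogGroups", "Resource": "*"},
            {"Sid": "ReadAppGroup", "Effect": "Allow",
             "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents",
                        "logs:FilterLogEvents"],
             "Resource": [arn, f"{arn}:*"]},
        ],
    }


def scoped_to_group(policy, group_arn):
    """True if every statement granting resource-scoped logs: actions names
    only this group or its streams; DescribeLogGroups is the one action
    permitted to use "*"."""
    permitted = {group_arn, f"{group_arn}:*"}
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if actions == ["logs:DescribeLogGroups"]:
            continue
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if not set(resources) <= permitted:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(writer_policy(), indent=2))
    print(json.dumps(reader_policy(), indent=2))
```

The `:*` suffix is the usual mistake: a policy whose Resource is only the group ARN lets the agent describe the group but PutLogEvents fails with AccessDenied, and the tempting fix is `"Resource": "*"`, which is exactly the over-grant the question asks you to avoid.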
Question 385:
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.
Which solution meets these criteria?
A. A customer managed CMK that uses customer provided key material
B. A customer managed CMK that uses AWS provided key material
C. An AWS managed CMK
D. Operating system encryption that uses GnuPG
A. A customer managed CMK that uses customer provided key material
Only imported key material can expire: when you import your own key material into a customer managed CMK (ImportKeyMaterial with ExpirationModel KEY_MATERIAL_EXPIRES and a ValidTo timestamp) AWS KMS deletes that material at the chosen time and the key becomes unusable until new material is imported. AWS-generated material (B) and AWS managed keys (C) never expire; automatic rotation adds new material but keeps the old material for decryption. GnuPG on the operating system (D) is not a KMS solution and does not integrate with EBS encryption.
Question 386:
A security administrator has enabled AWS Security Hub for all the AWS accounts in an organization in AWS Organizations. The security team wants near-real-time response and remediation for deployed AWS resources that do not meet security standards. All changes must be centrally logged for auditing purposes.
The organization has reached the quotas for the number of SCPs attached to an OU and SCP document size. The team wants to avoid making any changes to any of the SCPs. The solution must maximize scalability and cost-effectiveness.
Which combination of actions should the security administrator take to meet these requirements? (Choose three.)
A. Create an AWS Config custom rule to detect configuration changes to AWS resources. Create an AWS Lambda function to remediate the AWS resources in the delegated administrator AWS account.
B. Use AWS Systems Manager Change Manager to track configuration changes to AWS resources. Create a Systems Manager document to remediate the AWS resources in the delegated administrator AWS account.
C. Create a Security Hub custom action to reference in an Amazon EventBridge event rule in the delegated administrator AWS account.
D. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will take action on AWS resources.
E. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will evaluate AWS resource configuration for a set of API requests and create a finding for noncompliant AWS resources.
F. Create an Amazon EventBridge event rule to invoke an AWS Lambda function on a schedule to assess specific AWS Config rules.
A. Create an AWS Config custom rule to detect configuration changes to AWS resources. Create an AWS Lambda function to remediate the AWS resources in the delegated administrator AWS account.
C. Create a Security Hub custom action to reference in an Amazon EventBridge event rule in the delegated administrator AWS account.
D. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will take action on AWS resources.
Question 387:
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
1. Encryption in transit
2. Encryption at rest
3. Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
A. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
C. Set up default encryption for the S3 bucket.
D. Enable Amazon CloudWatch Logs for the AWS account.
E. Enable API logging of data events for all S3 objects.
F. Enable S3 object versioning for the S3 bucket.
A. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
C. Set up default encryption for the S3 bucket.
E. Enable API logging of data events for all S3 objects.
A bucket policy conditioned on aws:SecureTransport enforces TLS (in practice it is written as an explicit Deny when the key is "false", which no other Allow can override), default encryption covers data at rest, and only CloudTrail data events record object-level reads such as GetObject; management events do not. Security groups do not apply to S3 (B), CloudWatch Logs is not CloudTrail (D), and versioning is a durability control, not an encryption or logging control (F).
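To make the three answers concrete, here is an added example (not part of the exam page or any AWS sample) that builds the exact request bodies for the S3 bucket policy, the default-encryption configuration and the CloudTrail data-event selector, and checks the policy locally. The bucket name, trail name and KMS key ID are placeholders. Only the standard library is used, so it runs offline; `apply_controls()` needs boto3 and credentials and is not called at import time.

```python
"""S3 controls from Question 387 as API request bodies, with a local check.
Added example; BUCKET, TRAIL and any KMS key ID are placeholders."""
import json

BUCKET = "example-sensitive-bucket"   # placeholder bucket name
TRAIL = "example-org-trail"           # placeholder CloudTrail trail name


def tls_only_bucket_policy(bucket):
    """Bucket policy that rejects any request not made over TLS.

    Requirement 1 is enforced with an explicit Deny when aws:SecureTransport
    is "false". An Allow conditioned on "true" (the wording of option A) does
    not block plaintext requests that another statement or an identity
    policy allows; an explicit Deny cannot be overridden."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def default_encryption_config(kms_key_id=""):
    """ServerSideEncryptionConfiguration for s3:PutBucketEncryption
    (requirement 2). SSE-S3 when no key is given; SSE-KMS with a bucket key
    (fewer KMS calls) when a customer managed key ID or ARN is supplied."""
    if not kms_key_id:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    else:
        rule = {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_id,
            },
            "BucketKeyEnabled": True,
        }
    return {"Rules": [rule]}


def object_read_event_selectors(bucket):
    """AdvancedEventSelectors for cloudtrail:PutEventSelectors (requirement
    3): log read-only S3 data events (GetObject and friends) for this bucket.
    Management events alone never record who retrieved an object."""
    return [{
        "Name": f"S3 object reads in {bucket}",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["true"]},
            {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
        ],
    }]


def denies_plaintext(policy):
    """Local check: True if some statement explicitly denies all S3 actions
    when aws:SecureTransport is false (string "false" or JSON boolean)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = stmt.get("Condition", {}).get("Bool", {})
        value = str(cond.get("aws:SecureTransport", "")).lower()
        if value == "false" and "s3:*" in actions:
            return True
    return False


def apply_controls(bucket=BUCKET, trail=TRAIL, kms_key_id=""):
    """Push all three settings with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the rest of the file works offline
    policy = tls_only_bucket_policy(bucket)
    assert denies_plaintext(policy)
    s3 = boto3.client("s3")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(kms_key_id),
    )
    boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail, AdvancedEventSelectors=object_read_event_selectors(bucket)
    )
```

The same documents can be applied from the CLI with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`, `aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration file://sse.json` and `aws cloudtrail put-event-selectors --trail-name <trail> --advanced-event-selectors file://selectors.json`. Data events are billed per event, which is why the selector is narrowed to one bucket and to read-only calls rather than "all S3 objects" in the account.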
Question 388:
A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external AWS principals through cross-account IAM roles and Amazon S3 bucket policies.
The company needs to identify which external principals have access to which accounts.
Which solution will provide this information?
A. Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.
B. Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.
C. Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the IAM role resource type and the S3 bucket policy resource type.
D. Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior finding type.
A. Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.
With the organization as the zone of trust, IAM Access Analyzer evaluates role trust policies, S3 bucket policies and other resource policies in every member account and reports each grant to a principal outside the organization as a finding, so the external principal, the resource and the owning account appear together. Inspector (C) scans workloads for vulnerabilities and GuardDuty (D) reports threats, neither enumerates who is allowed in; a Config rule (B) would have to re-implement policy evaluation.
Question 389:
A company hosts data in S3. There is now a mandate that, going forward, all data in the S3 bucket must be encrypted at rest. How can this be achieved?
A. Use IAM access keys to encrypt the data
B. Use SSL certificates to encrypt the data
C. Enable server-side encryption on the S3 bucket
D. Enable MFA on the S3 bucket
C. Enable server-side encryption on the S3 bucket
The AWS documentation states that server-side encryption is about data encryption at rest, that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Options A and B are invalid because access keys authenticate API requests and SSL/TLS certificates protect data in transit; neither encrypts stored objects. Option D is invalid because MFA on a bucket (MFA Delete) only adds a second factor to deleting object versions and encrypts nothing. For more information on S3 server-side encryption, see: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
Question 390:
A company has multiple Amazon S3 buckets encrypted with customer managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.
What should the Security Engineer do to accomplish this?
A. Filter AWS CloudTrail logs for KeyRotation events
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
get-key-rotation-status returns KeyRotationEnabled for the key and, in current API versions, the rotation period and the next rotation date; the dates of rotations that have already completed are listed by aws kms list-key-rotations. The CloudTrail record AWS KMS writes when it rotates key material is named RotateKey, so the event names in A and D would match nothing. Note also that automatic rotation applies only to symmetric keys with AWS-generated material (imported material, as in Question 385, cannot be auto-rotated) and that rotation does not re-encrypt existing objects; the previous material is retained so they remain decryptable.
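As an added example (not from the exam page or from AWS documentation), the verification step the answer describes, done properly: decide whether a customer managed key has really been rotated within the last year from the responses of `aws kms get-key-rotation-status` and `aws kms list-key-rotations`, and cross-check against CloudTrail RotateKey records. The API responses and the CloudTrail records below are constructed samples in the documented shapes; the key ARN and account ID are placeholders. Standard library only, so it runs offline; `fetch_rotation_evidence()` needs boto3 and credentials and is not called here.

```python
"""Verify that automatic KMS key rotation actually happened.
Added example; KEY_ARN and all sample responses are constructed."""
from datetime import datetime, timezone

KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key

# Constructed sample of GetKeyRotationStatus for KEY_ARN.
SAMPLE_STATUS = {
    "KeyId": KEY_ARN,
    "KeyRotationEnabled": True,
    "RotationPeriodInDays": 365,
    "NextRotationDate": "2026-03-01T00:00:00+00:00",
}

# Constructed sample of ListKeyRotations: one completed automatic rotation.
SAMPLE_ROTATIONS = {
    "Rotations": [
        {"KeyId": KEY_ARN, "RotationDate": "2025-03-01T00:00:00+00:00",
         "RotationType": "AUTOMATIC"},
    ]
}

# Constructed CloudTrail records: KMS logs RotateKey when it rotates key
# material; the Decrypt record is the noise the filter must ignore.
SAMPLE_TRAIL_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "RotateKey",
     "eventTime": "2025-03-01T00:00:07+00:00",
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2025-03-02T10:00:00+00:00",
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
]


def utc(year, month, day):
    """Timezone-aware UTC timestamp for the 'now' argument."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _ts(value):
    """Accept an ISO-8601 string (CLI JSON) or a datetime (boto3)."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotate_key_events(records, key_arn):
    """Timestamps of CloudTrail RotateKey events for this key. The event
    name is RotateKey; filtering for 'KeyRotation' finds nothing."""
    return sorted(
        _ts(r["eventTime"])
        for r in records
        if r.get("eventSource") == "kms.amazonaws.com"
        and r.get("eventName") == "RotateKey"
        and any(res.get("ARN") == key_arn for res in r.get("resources", []))
    )


def rotation_verified(status, rotations, now, max_age_days=365):
    """Return (ok, reason). ok only if rotation is enabled AND an automatic
    rotation completed within max_age_days before `now`. The enabled flag
    alone is necessary but not sufficient; the completed rotation date is
    the evidence an auditor asks for."""
    if not status.get("KeyRotationEnabled"):
        return False, "automatic rotation is not enabled"
    dates = [_ts(r["RotationDate"]) for r in rotations.get("Rotations", [])
             if r.get("RotationType", "AUTOMATIC") == "AUTOMATIC"]
    if not dates:
        return False, "rotation enabled but no rotation has completed yet"
    age = (now - max(dates)).days
    if age > max_age_days:
        return False, f"last rotation was {age} days ago"
    return True, f"last rotation {age} days ago"


def fetch_rotation_evidence(key_id):
    """Live version of the two CLI calls (requires boto3 and credentials)."""
    import boto3
    kms = boto3.client("kms")
    return kms.get_key_rotation_status(KeyId=key_id), kms.list_key_rotations(KeyId=key_id)


if __name__ == "__main__":
    print(rotation_verified(SAMPLE_STATUS, SAMPLE_ROTATIONS, utc(2025, 6, 1)))
    print(rotate_key_events(SAMPLE_TRAIL_RECORDS, KEY_ARN))
```

Run across every customer managed key (`aws kms list-keys`, then `describe-key` to skip keys with Origin EXTERNAL or AWS managed keys, which this check does not apply to) and the False branches are your audit exceptions: rotation never enabled, enabled less than a year ago so nothing has rotated yet, or a key whose last rotation is older than the period.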