SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 31:

    A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to IAM and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.

    Which application flow would meet the data protection requirements on IAM?

    A. Digitized files -> Amazon Kinesis Data Analytics
    B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
    C. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
    D. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

  • Question 32:

    A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution. Which combination of steps should the security engineer recommend? (Select TWO )

    A. Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    B. Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
    C. Change the destination to Amazon CloudWatch Logs.
    D. Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
    E. Include the subnet-id and instance-id fields in the log format.

  • Question 33:

    A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:

    Each object must be encrypted using a unique key. Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.

    IAM KMS must automatically rotate encryption keys annually.

    Which of the following meets these requirements?

    A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
    B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
    C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
    D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

  • Question 34:

    A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store The application has separate modules for readwrite and read-only functionality The modules need their own database users for compliance reasons

    Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)

    A. Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite
    B. Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
    C. Configure an IAM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
    D. Create local database users for each module
    E. Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

  • Question 35:

    A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The solution must minimize management overhead.

    How should the security team prevent privilege escalation for both teams?

    A. Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
    B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
    C. Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team
    D. Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

  • Question 36:

    A company hosts a critical web application on the IAM Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack.

    What should be done in this regard?

    A. Consider using the IAM Shield Service
    B. Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
    C. Consider using the IAM Shield Advanced Service
    D. Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.

  • Question 37:

    You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?

    A. Use S3 SSE and use SSL for data in transit
    B. SSL termination on the ELB
    C. Enabling Proxy Protocol
    D. Enabling sticky sessions on your load balancer

  • Question 38:

    A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

    When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

    A. Option A
    B. Option B
    C. Option C
    D. Option D
    E. Option E
    F. Option F

  • Question 39:

    A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Blodfc Store (Amazon EBS) volumes.

    A security engineer needs to preserve all forensic evidence from one of the instances.

    Which order of steps should the security engineer use to meet this requirement?

    A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
    B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
    C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance
    D. Detach the instance from the Auto Scaling group Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.

  • Question 40:

    A company has AWS accounts that are in an organization in AWS Organizations. A security engineer needs to set up AWS Security Hub in a dedicated account for security monitoring.

    The security engineer must ensure that Security Hub automatically manages all existing accounts and all new accounts that are added to the organization. Security Hub also must receive findings from all AWS Regions.

    Which combination of actions will meet these requirements with the LEAST operational overhead? (Select TWO.)

    A. Configure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.
    B. Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invoke the Lambda function.
    C. Turn on the option to automatically enable accounts for Security Hub.
    D. Create an SCP that denies the securityhub:DisableSecurityHub permission. Attach the SCP to the organization’s root account.
    E. Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.