Amazon SCS-C02 Online Practice Questions and Exam Preparation

SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers
Question 421:
A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.
What should the security engineer do next to meet these requirements?
A. Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduled deletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.
B. Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
C. Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
D. Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.
C. Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
Explanation: A customer managed key is never deleted the moment someone asks for it. ScheduleKeyDeletion moves the key into the PendingDeletion state for a waiting period of 7 to 30 days (30 by default), and CancelKeyDeletion reverses it at any point in that window, so an alert on ScheduleKeyDeletion (and on DisableKey, which typically precedes it) reaches the company before the key is actually destroyed. CloudTrail records both as KMS management events, and an EventBridge rule can match on source aws.kms and those eventName values and invoke a Lambda function that publishes to an SNS topic. Option A is wrong because key material has no deletion time to set at creation. Option B watches DeleteAlias, which removes only a name and leaves the key intact. Option D describes an SNS "policy" that cannot match API calls. Because the CloudTrail to CloudWatch Logs integration is already in place, a metric filter on those event names with a CloudWatch alarm would also work, but it is not among the options. Reference: AWS KMS Developer Guide, Deleting AWS KMS keys.
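The rule and target from answer C, as an added example (not code from the question bank or from AWS). The event pattern is the one an EventBridge rule on CloudTrail-delivered KMS calls would carry; the small matcher implements only the exact-match part of EventBridge pattern semantics so the pattern can be exercised offline, and the Lambda handler takes an injectable publish function so it runs without an SNS topic. The topic ARN, account number, key ID and the sample event are constructed.

```python
"""EventBridge rule pattern and Lambda target for KMS key-deletion alerts."""
import json
import os

# The event pattern the EventBridge rule carries. CloudTrail delivers KMS API
# calls to EventBridge with source "aws.kms" and this detail-type.
KMS_DELETION_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": ["DisableKey", "ScheduleKeyDeletion"],
    },
}

# Assumption: the topic ARN is passed to the function as an environment variable.
TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN",
                           "arn:aws:sns:us-east-1:123456789012:kms-key-alerts")


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: a list means
    'the value must equal one of these', a dict means 'recurse'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def build_message(event):
    d = event["detail"]
    params = d.get("requestParameters") or {}
    resp = d.get("responseElements") or {}
    lines = [
        f"KMS {d['eventName']} called in account {event['account']} ({event['region']})",
        f"key: {params.get('keyId', '?')}",
        f"caller: {d.get('userIdentity', {}).get('arn', '?')} from {d.get('sourceIPAddress', '?')}",
    ]
    if d["eventName"] == "ScheduleKeyDeletion":
        # Assumption: deletionDate is echoed in responseElements as CloudTrail records it.
        lines.append(f"pending window days: {params.get('pendingWindowInDays', 30)}; "
                     f"deletion date: {resp.get('deletionDate', '?')}")
        lines.append("Cancel with: aws kms cancel-key-deletion --key-id " + str(params.get("keyId", "")))
    return "\n".join(lines)


def handler(event, context=None, publish=None):
    """Lambda entry point. `publish` is injected for offline use; in the deployed
    function it defaults to boto3.client('sns').publish."""
    if not matches(KMS_DELETION_PATTERN, event):
        return {"published": False}
    if publish is None:
        import boto3
        publish = boto3.client("sns").publish
    subject = f"[KMS] {event['detail']['eventName']} on customer managed key"
    publish(TopicArn=TOPIC_ARN, Subject=subject, Message=build_message(event))
    return {"published": True, "subject": subject}


# Constructed sample event in the shape EventBridge delivers for CloudTrail API calls.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_EVENT = {
    "version": "0", "source": "aws.kms", "detail-type": "AWS API Call via CloudTrail",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7},
        "responseElements": {"keyId": KEY_ARN, "deletionDate": "2024-06-08T00:00:00Z"},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, publish=lambda **kw: print(json.dumps(kw, indent=2))))
```

Deploy `handler` as the rule's target with the pattern above; the early return on a non-matching event is cheap insurance against the rule being widened later.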
Question 422:
Your company has defined privileged users for their AWS account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?
A. Enable MFA for these user accounts
B. Enable versioning for these user accounts
C. Enable accidental deletion for these user accounts
D. Disable root access for the users
A. Enable MFA for these user accounts
Explanation: The IAM documentation lists this among the best practices for IAM users: for extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (such as their user name and password) and the OTP. The MFA device can be a dedicated piece of hardware or a virtual device (for example, an app on a smartphone). In practice the requirement should also be enforced in policy rather than left as a per-user setting: an IAM policy with a Condition on aws:MultiFactorAuthPresent denies sensitive actions when the session was not authenticated with MFA. Options B, C and D are invalid because no such security options exist in IAM. For more information on IAM best practices, see https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Question 423:
A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.
Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)
A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.
B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
Explanation: Enable termination protection if it is not already enabled: this prevents the instance from being terminated by accident (or by an automated cleanup) and preserves the instance and its state for the investigation. Take snapshots of the attached EBS volumes: the snapshot freezes the disk contents at that point in time, so forensic analysis can proceed on copies without altering the original data. Note that a snapshot captures disk only; volatile memory is lost unless it is acquired separately. Capture the instance metadata (AMI, instance type, IP addresses, security groups, IAM instance profile, attached volumes) and tag the instance as quarantined: this documents what the instance is for the case file and signals to operators and automation that it must not be modified. Options A and D destroy evidence, and option F alters the system under investigation before it has been examined. Reference: https://d1.awsstatic.com/WWPS/pdf/aws_security_incident_response.pdf
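The three chosen steps as one runbook function, added here as an example and not code from the page or from AWS. It accepts any object exposing the boto3 EC2 client methods it calls (modify_instance_attribute, describe_instances, create_tags, create_snapshot), so a real boto3.client('ec2') can be passed in; the FakeEC2 class and the instance, volume and case identifiers are constructed so the example runs offline. The order is deliberate: protect the instance first, then preserve and document.

```python
"""First-response steps for a suspicious EC2 instance: protect it from
termination, record what it is, tag it, and preserve its volumes."""
from datetime import datetime, timezone


def quarantine_instance(ec2, instance_id, case_id):
    """Return an evidence record. `ec2` may be boto3.client('ec2') or a stand-in."""
    # 1. Termination protection first, so nothing (auto scaling, a cleanup
    #    script, a hasty colleague) removes the instance under investigation.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})

    # 2. Capture instance metadata as seen from the control plane.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    record = {
        "case_id": case_id,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "instance_id": instance_id,
        "image_id": inst.get("ImageId"),
        "instance_type": inst.get("InstanceType"),
        "launch_time": str(inst.get("LaunchTime")),
        "private_ip": inst.get("PrivateIpAddress"),
        "public_ip": inst.get("PublicIpAddress"),
        "subnet_id": inst.get("SubnetId"),
        "security_groups": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
        "iam_profile": (inst.get("IamInstanceProfile") or {}).get("Arn"),
        "volumes": [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m],
        "snapshots": [],
    }

    # 3. Tag the instance so operators and automation see it is under investigation.
    tags = [{"Key": "SecurityStatus", "Value": "quarantine"}, {"Key": "CaseId", "Value": case_id}]
    ec2.create_tags(Resources=[instance_id], Tags=tags)

    # 4. Snapshot every attached EBS volume before anyone logs in and changes the disk.
    for vol in record["volumes"]:
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"forensic copy of {vol} from {instance_id}, case {case_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        record["snapshots"].append(snap["SnapshotId"])
    return record


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "ImageId": "ami-0123456789abcdef0",
            "InstanceType": "t3.medium", "LaunchTime": "2024-05-01T08:00:00+00:00",
            "PrivateIpAddress": "10.0.1.23", "SubnetId": "subnet-0abc",
            "SecurityGroups": [{"GroupId": "sg-0def"}],
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0root"}}, {"Ebs": {"VolumeId": "vol-0data"}}],
        }]}]}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}


if __name__ == "__main__":
    print(quarantine_instance(FakeEC2(), "i-0123456789abcdef0", "IR-2024-0042"))
```

Write the returned record to the case file before touching the instance; it is the baseline everything later is compared against.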
Question 424:
A company wants to use CloudTrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below.
A. Create one CloudTrail log group for data events
B. Create one trail that logs data events to an S3 bucket
C. Create another trail that logs management events to another S3 bucket
D. Create another CloudTrail log group for management events
B. Create one trail that logs data events to an S3 bucket
C. Create another trail that logs management events to another S3 bucket
Explanation: The AWS documentation states that you can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket, and another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket. Event selectors on each trail control which categories are recorded, and management events can be switched off on a trail entirely, so one trail can carry only data events (S3 object-level and Lambda invoke activity) while the other carries only management events. Keep in mind that only the first copy of management events in a region is free; additional trails that also log management events are charged, which is another reason to leave management events off the data-event trail. Options A and D are invalid because a log group is a CloudWatch Logs construct, not a CloudTrail one; you have to create a trail. For more information on managing events with CloudTrail, see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html
Question 425:
Your company has defined a number of EC2 instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement?
A. Use Amazon Inspector to inspect all the security groups
B. Use AWS Trusted Advisor to see which security groups have compromised access.
C. Use AWS Config to see which security groups have compromised access.
D. Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted access
B. Use AWS Trusted Advisor to see which security groups have compromised access.
Explanation: The Trusted Advisor security checks (Security Groups - Unrestricted Access and Security Groups - Specific Ports Unrestricted) report security group rules that allow unrestricted access (0.0.0.0/0 or ::/0) to a resource. Unrestricted access increases the opportunity for malicious activity (intrusion, denial-of-service attacks, loss of data). The Trusted Advisor console lists the affected groups with the protocol, port range and open source range. Option A is invalid because Amazon Inspector assesses vulnerabilities on instances and in packages, not security group rules. Option C is treated as invalid here because AWS Config is presented as a change-tracking service; note that current AWS Config managed rules such as restricted-ssh and vpc-sg-open-only-to-authorized-ports do evaluate exactly this condition and are the better choice when continuous evaluation across accounts is required. Option D works but is a maintenance overhead. For more information on Trusted Advisor, see https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
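What option D looks like in practice, and essentially what the Trusted Advisor check computes: an added example, not the page's own code. It consumes the SecurityGroups array that `aws ec2 describe-security-groups` prints and flags ingress rules open to 0.0.0.0/0 or ::/0, raising severity when a well-known admin or database port is inside the open range. The SENSITIVE_PORTS set and the sample groups are constructed; Trusted Advisor's own port list is not reproduced here.

```python
"""Flag security group ingress rules open to the whole Internet, the condition
the Trusted Advisor security-group checks report."""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Assumption: a short list of ports worth a higher severity; the real Trusted
# Advisor check keeps its own list.
SENSITIVE_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 5432}


def _rule_ports(perm):
    if perm.get("IpProtocol") == "-1":          # all traffic, no port fields present
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_unrestricted(groups):
    """Return one finding per ingress rule whose source includes the whole Internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):    # IpPermissions is ingress only
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            if not cidrs:
                continue
            lo, hi = _rule_ports(perm)
            hot = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            findings.append({
                "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                "Protocol": perm.get("IpProtocol"),
                "Ports": f"{lo}-{hi}" if lo != hi else str(lo),
                "OpenTo": cidrs,
                "Severity": "high" if hot else "medium",
                "SensitivePorts": hot,
            })
    return findings


# Constructed describe-security-groups output: one acceptable public rule (443),
# one bastion open on 22, one internal-only group, one legacy allow-all group.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "GroupName": "internal", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ddd", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

if __name__ == "__main__":
    for f in find_unrestricted(SAMPLE["SecurityGroups"]):
        print(f)
```

Feed it real data with `aws ec2 describe-security-groups --output json` and loop over regions; a 443 rule open to the world is usually intended, which is why severity is split rather than every finding treated alike.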
Question 426:
A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions.
The company's developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logging its output to Amazon CloudWatch Logs.
Which combination of steps should a security engineer take to resolve this issue? (Choose two.)
A. Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
B. Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs.
C. Check the Lambda function configuration in the CloudFormation template. Ensure that the Lambda function has an AWS X-Ray tracing configuration that is set to Active mode or PassThrough mode.
D. Check the resource policy that is configured in the CloudFormation template for the Lambda function. Ensure that the resource policy has the necessary permissions to write to CloudWatch Logs.
E. Check the role that the developers use to debug the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
A. Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
B. Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs.
Explanation: For a Lambda function to run, the execution role assigned to it must have a trust policy that allows the Lambda service principal (lambda.amazonaws.com) to call sts:AssumeRole; otherwise the service cannot obtain the role's credentials at all. The execution role also needs explicit permission for logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the AWS managed policy AWSLambdaBasicExecutionRole grants exactly these). Lambda creates the function's log group lazily on the first invocation, so a missing logs:CreateLogGroup permission shows up as no log group appearing at all rather than as an error in the function's output. Option C (X-Ray tracing) affects traces, not logs. Option D is wrong because a function's resource policy governs who may invoke the function, not what the function may do. Option E confuses the developers' own role with the function's execution role.
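A check for the two conditions in answers A and B, run against the CloudFormation template rather than the deployed account: added here as an example, not the page's own code. It handles JSON-format templates loaded into a dict; the template, role and function names are constructed, and a Role given as a literal ARN is reported for manual review rather than resolved.

```python
"""Check a CloudFormation template for what a Lambda function needs before it can
write to CloudWatch Logs: an execution role Lambda may assume, with logs permissions."""
import fnmatch
import json

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
# AWS managed policies that include the three logging actions.
LOGGING_MANAGED_POLICIES = ("AWSLambdaBasicExecutionRole", "AWSLambdaExecute",
                            "AWSLambdaVPCAccessExecutionRole")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(statements, action):
    """True if some Allow statement's Action (wildcards included) covers `action`."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", []))):
            return True
    return False


def trusts_lambda(role_props):
    for st in role_props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        services = _as_list((st.get("Principal") or {}).get("Service", []))
        if st.get("Effect") == "Allow" and "lambda.amazonaws.com" in services \
                and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            return True
    return False


def grants_logging(role_props):
    arns = role_props.get("ManagedPolicyArns", [])
    if any(isinstance(a, str) and a.endswith(LOGGING_MANAGED_POLICIES) for a in arns):
        return True
    statements = []
    for pol in role_props.get("Policies", []):
        statements += pol.get("PolicyDocument", {}).get("Statement", [])
    return all(_allows(statements, a) for a in LOG_ACTIONS)


def check_lambda_logging(template):
    """Return a list of problems; an empty list means every function's role is usable."""
    resources = template.get("Resources", {})
    problems = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        role_ref = res.get("Properties", {}).get("Role")
        if not (isinstance(role_ref, dict) and "Fn::GetAtt" in role_ref):
            problems.append(f"{name}: Role is not a GetAtt of a role in this template; check it manually")
            continue
        role_name = role_ref["Fn::GetAtt"][0]
        role = resources.get(role_name, {})
        if role.get("Type") != "AWS::IAM::Role":
            problems.append(f"{name}: Role points at {role_name}, which is not an AWS::IAM::Role")
            continue
        props = role.get("Properties", {})
        if not trusts_lambda(props):
            problems.append(f"{role_name}: trust policy does not let lambda.amazonaws.com call sts:AssumeRole")
        if not grants_logging(props):
            problems.append(f"{role_name}: no permission for {', '.join(LOG_ACTIONS)}")
    return problems


# Constructed template: the role trusts EC2 instead of Lambda and grants no logs:* actions.
BROKEN = {"Resources": {
    "FnRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "app", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": "*"}]}}]}},
    "Fn": {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.12", "Handler": "app.handler",
        "Code": {"ZipFile": "def handler(e, c): return 0"},
        "Role": {"Fn::GetAtt": ["FnRole", "Arn"]}}}}}

# Same template with both defects corrected.
FIXED = json.loads(json.dumps(BROKEN))
FIXED["Resources"]["FnRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]["Principal"] = \
    {"Service": "lambda.amazonaws.com"}
FIXED["Resources"]["FnRole"]["Properties"]["ManagedPolicyArns"] = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

if __name__ == "__main__":
    print("broken:", check_lambda_logging(BROKEN))
    print("fixed:", check_lambda_logging(FIXED))
```

Run it as a pre-deploy check in the pipeline; it catches the template-side causes, while a role edited after deployment still has to be checked in the account with `aws iam get-role` and `aws iam simulate-principal-policy`.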
Question 427:
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
A. Use the AWS account root user access keys instead of the AWS Management Console
B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
C. Enable multi-factor authentication for the AWS account root user
D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
C. Enable multi-factor authentication for the AWS account root user
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
Explanation: Both are root user best practices from the IAM documentation: enable MFA on the root user (a hardware or FIDO security key is preferred) and never create root access keys, so that day-to-day work is done by IAM identities with scoped permissions and the root credentials are used only for the few tasks that require them. Option A does the opposite of the recommendation. Option B protects administrator IAM users, which is good practice but does not protect the root user. Option D is not a real control: KMS does not encrypt IAM credentials, and IAM has no 30-day automatic rotation setting for access keys.
Question 428:
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)
A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database
A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
Explanation: RDS encryption at rest can only be chosen when a DB instance is created, so option E is impossible, and option C fails as well because a read replica of an unencrypted instance cannot be encrypted. The supported path for an existing instance is D: snapshot it, copy the snapshot with encryption enabled (choosing the KMS key), restore a new instance from the encrypted copy, repoint the application, and retire the old instance. For detection, option A uses AWS Config, which records the storageEncrypted attribute of every DB instance; the managed rule rds-storage-encrypted evaluates it without custom code, and an EventBridge rule on the Config Rules Compliance Change event type forwards NON_COMPLIANT results to SNS. Option B is wrong because State Manager applies SSM documents to managed instances and has no view of RDS settings.
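The detection half of the answer (option A) as an added example, not from the page or from AWS: a custom AWS Config rule evaluation in the shape Config's Lambda integration expects, plus the EventBridge pattern that forwards NON_COMPLIANT results to SNS. The configuration item field names follow what Config records for AWS::RDS::DBInstance; the DB identifiers, timestamps and result token are constructed, and the Recorder class stands in for the boto3 config client so the example runs offline. The managed rule rds-storage-encrypted does the same check without any code; the custom version is shown because it makes the evaluation logic visible.

```python
"""AWS Config custom rule logic for RDS encryption at rest, with the EventBridge
pattern that turns a compliance change into an SNS notification."""
import json

# Pattern for the EventBridge rule whose target is the SNS topic.
COMPLIANCE_CHANGE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def evaluate(configuration_item):
    """Return (complianceType, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE", "rule only evaluates RDS DB instances"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    cfg = configuration_item.get("configuration") or {}
    if cfg.get("storageEncrypted") is True:
        return "COMPLIANT", f"encrypted with {cfg.get('kmsKeyId') or 'default key'}"
    return ("NON_COMPLIANT",
            "storageEncrypted is false; encryption is set only at creation, "
            "restore from an encrypted snapshot copy")


def lambda_handler(event, context=None, config_client=None):
    """Config invokes the function with the configuration item serialized in invokingEvent."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:             # deployed function: real client
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class Recorder:
    """Constructed stand-in for boto3.client('config') so the example runs offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kw):
        self.calls.append(kw)
        return {"FailedEvaluations": []}


def make_item(resource_id, encrypted, key=None):
    """Constructed configuration item carrying the fields this rule reads."""
    return {"resourceType": "AWS::RDS::DBInstance", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-06-01T10:00:00.000Z",
            "configuration": {"dBInstanceIdentifier": resource_id, "engine": "mysql",
                              "storageEncrypted": encrypted, "kmsKeyId": key}}


SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": make_item("db-legacy", False),
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    rec = Recorder()
    print(lambda_handler(SAMPLE_EVENT, config_client=rec))
    print(json.dumps(rec.calls, indent=2))
```

The function's execution role needs config:PutEvaluations; the rule itself is registered with a Lambda source and the AWS::RDS::DBInstance scope so it fires on every configuration change of a DB instance.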
Question 429:
A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts?
A. Use multiple VPCs in the account, each VPC for each department
B. Use multiple IAM groups, each group for each department
C. Use multiple IAM roles, each role for each department
D. Use multiple AWS accounts, each account for each department
D. Use multiple AWS accounts, each account for each department
Explanation: This is the recommendation in the AWS Security Best Practices whitepaper: separate accounts give each department its own billing, service quotas and IAM boundary, so a compromise or misconfiguration in one department cannot reach another's resources. Today the accounts are created and governed centrally with AWS Organizations (organizational units per department, service control policies as guardrails). Option A is incorrect because a VPC only isolates network resources inside a single account. Options B and C are incorrect because groups and roles share one account's resources and limits and would be difficult to manage operationally at that scale. For more information see the AWS Security Best Practices whitepaper, https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
Question 430:
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this?
A. Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
B. Use the AWS Encryption CLI to encrypt the data first
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable client encryption for the bucket
B. Use the AWS Encryption CLI to encrypt the data first
Explanation: The AWS Encryption CLI (a command-line front end to the AWS Encryption SDK) encrypts files on the client with envelope encryption under a KMS key before they are uploaded, so S3 only ever receives ciphertext; the Amazon S3 Encryption Client in the AWS SDKs does the same for applications. Options A and C are invalid because server-side encryption and a Lambda function both encrypt after the object has left the client, so the plaintext still travels to AWS (protected only by TLS on the connection, which is transport protection rather than encryption of the data itself). Option D is invalid because client-side encryption is not a bucket setting; it is something the uploading client does. For more information on encrypting and decrypting data, see https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/