SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 441:

    A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:

    Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

    Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

    Which of the following options will mitigate the threat? (Choose two.)

    A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
    B. Block outbound access to public S3 endpoints on the proxy server.
    C. Configure Network ACLs on Server X to deny access to S3 endpoints.
    D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
    E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

  • Question 442:

    Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)

    A. Default AWS Certificate Manager certificate
    B. Custom SSL certificate stored in AWS KMS
    C. Default CloudFront certificate
    D. Custom SSL certificate stored in AWS Certificate Manager
    E. Default SSL certificate stored in AWS Secrets Manager
    F. Custom SSL certificate stored in AWS IAM

  • Question 443:

    A company is developing a mechanism that will help data scientists use Amazon SageMaker to read, process, and output data to an Amazon S3 bucket. Data scientists will have access to a dedicated S3 prefix for each of their projects. The company will implement bucket policies that use the dedicated S3 prefixes to restrict access to the S3 objects. The projects can last up to 60 days.

    The company's security team mandates that data cannot remain in the S3 bucket after the end of the projects that use the data.

    Which solution will meet these requirements MOST cost-effectively?

    A. Create an AWS Lambda function to identify and delete objects in the S3 bucket that have not been accessed for 60 days. Create an Amazon EventBridge scheduled rule that runs every day to invoke the Lambda function.
    B. Create a new S3 bucket. Configure the new S3 bucket to use S3 Intelligent-Tiering. Copy the objects to the new S3 bucket.
    C. Create an S3 Lifecycle configuration for each S3 bucket prefix for each project. Set the S3 Lifecycle configurations to expire objects after 60 days.
    D. Create an AWS Lambda function to delete objects that have not been accessed for 60 days. Create an S3 event notification for S3 Intelligent-Tiering automatic archival events to invoke the Lambda function.
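
The lifecycle-based approach in the question above, as an added example that is not part of the original page: one S3 Lifecycle configuration holding a prefix-scoped expiration rule per project. Bucket and prefix names are made up, and the 60-day retention is the question's own figure. Two practitioner details are built in: S3 prefix filters are plain string prefixes (so `projects/alpha` would also match `projects/alpha-old/`, which is why a trailing slash is enforced), and on a versioned bucket an expiration only creates a delete marker, so noncurrent versions must be expired as well or the data stays put.

```python
"""One S3 Lifecycle configuration that expires every project prefix after
N days (added example, not from the page; names are made up).

Each project is one rule in the same configuration (S3 allows up to 1,000
lifecycle rules per bucket), so closing a project needs no scheduler,
Lambda or second bucket. Note that Expiration.Days counts from each
object's creation date, not from the project end date.
"""

MAX_RULES = 1000  # S3 limit on lifecycle rules per bucket


def lifecycle_rules(project_prefixes, days=60):
    """Return the Rules list for s3api put-bucket-lifecycle-configuration."""
    if not 1 <= len(project_prefixes) <= MAX_RULES:
        raise ValueError("a bucket takes 1..1000 lifecycle rules")
    if days < 1:
        raise ValueError("Expiration.Days must be a positive integer")
    rules = []
    for prefix in project_prefixes:
        # Prefix filters are string prefixes: "projects/alpha" would also
        # match "projects/alpha-old/...", so require the closing slash.
        if not prefix.endswith("/"):
            raise ValueError(f"prefix {prefix!r} must end with '/'")
        rules.append({
            "ID": "expire-" + prefix.strip("/").replace("/", "-"),
            "Filter": {"Prefix": prefix},
            "Status": "Enabled",
            "Expiration": {"Days": days},
            # With versioning on, expiring an object only adds a delete marker
            # and leaves the data as a noncurrent version; expire those too,
            # and drop parts of multipart uploads that were never completed.
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        })
    return rules


def matching_rule_ids(rules, key):
    """IDs of rules whose prefix filter applies to an object key."""
    return [r["ID"] for r in rules if key.startswith(r["Filter"]["Prefix"])]


def lifecycle_configuration(project_prefixes, days=60):
    """Document for: aws s3api put-bucket-lifecycle-configuration
    --bucket <bucket> --lifecycle-configuration file://lifecycle.json"""
    return {"Rules": lifecycle_rules(project_prefixes, days)}


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_configuration(
        ["projects/alpha/", "projects/beta/"]), indent=2))
```

Save the printed document and pass it to `put-bucket-lifecycle-configuration`; the bucket policies that scope each project's access to its prefix are unaffected by the lifecycle rules.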

  • Question 444:

    A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.

    What should a Security Engineer do to troubleshoot this error? (Select THREE)

    A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
    B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
    C. Ensure the CMK was created before the S3 bucket.
    D. Ensure the S3 block public access feature is enabled for the S3 bucket.
    E. Ensure that automatic key rotation is disabled for the CMK
    F. Ensure the SCPs within Organizations allow access to the S3 bucket.
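
Both Question 441 and Question 444 turn on how an S3 request is authorized across several policy documents, so here is one added example (not code from the page or from AWS) with a minimal IAM-style evaluator that works through both. It models explicit Deny beating Allow, implicit deny when nothing matches, and `*`/`?` wildcards; it does not model condition keys or the same-account root statement that delegates KMS key access to IAM policies, which is why the KMS scenario is deliberately cross-account. Every account ID, bucket name, key ID and ARN is made up. Scenario 1 is the gateway endpoint policy from Question 441 option A: it lists only approved buckets, so an upload to an attacker-owned bucket is denied no matter whose credentials the host presents. Scenario 2 is Question 444: reading an SSE-KMS object is two authorizations (`s3:GetObject` and `kms:Decrypt`), each needing an Allow in every applicable layer, and the layer that fails to allow is the one to fix.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS code).
Explicit Deny wins, a missing Allow is an implicit deny, wildcards are
honoured; conditions and same-account KMS root delegation are not modelled.
All account IDs, names and ARNs below are made up.
"""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, principal=None):
    """Return 'allow', 'deny' (explicit) or 'implicit_deny' for one policy."""
    result = "implicit_deny"
    for st in policy["Statement"]:
        if not _matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        princ = st.get("Principal", "*")      # identity policies and SCPs have none
        if principal is not None and princ != "*":
            arns = princ.get("AWS", []) if isinstance(princ, dict) else princ
            if not _matches(arns, principal):
                continue
        if st["Effect"] == "Deny":
            return "deny"
        result = "allow"
    return result


# Scenario 1 (Q441): gateway endpoint policy naming only approved buckets.
# It governs only traffic that traverses the endpoint, so the proxy path to
# the public S3 endpoints has to be closed as well.
def s3_endpoint_policy(allowed_buckets):
    arns = []
    for bucket in allowed_buckets:
        arns += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyApprovedBuckets", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": arns}]}


def exfil_check():
    """(verdict for the legitimate upload, verdict for the attacker's bucket)"""
    pol = s3_endpoint_policy(["acct1-app-uploads"])
    legit = evaluate(pol, "s3:PutObject", "arn:aws:s3:::acct1-app-uploads/report.enc")
    stolen = evaluate(pol, "s3:PutObject", "arn:aws:s3:::attacker-dropbox/report.enc")
    return legit, stolen


# Scenario 2 (Q444): AppUser in account 1111... reads an SSE-KMS object owned
# by account 2222...; the key policy only trusts its own account.
APP_USER = "arn:aws:iam::111111111111:role/AppUser"
OBJECTS = "arn:aws:s3:::acct2-data-bucket/*"
OBJECT = "arn:aws:s3:::acct2-data-bucket/reports/q1.csv"
KEY = "arn:aws:kms:us-east-1:222222222222:key/11111111-2222-3333-4444-555555555555"

LAYERS = {
    "scp": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "identity_policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]},
    "bucket_policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": APP_USER},
         "Action": "s3:GetObject", "Resource": OBJECTS}]},
    "key_policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "kms:*", "Resource": "*"}]},
}
# Each of the two authorizations behind a GetObject has its own set of layers.
LAYERS_FOR = {"s3:GetObject": ("scp", "identity_policy", "bucket_policy"),
              "kms:Decrypt": ("scp", "identity_policy", "key_policy")}

# Same layers with a key-policy statement that names the role for decrypt.
FIXED_LAYERS = dict(LAYERS, key_policy={"Version": "2012-10-17", "Statement": [
    LAYERS["key_policy"]["Statement"][0],
    {"Effect": "Allow", "Principal": {"AWS": APP_USER},
     "Action": "kms:Decrypt", "Resource": "*"}]})


def read_blockers(layers, principal=APP_USER):
    """(action, layer) pairs that stop the read; an empty list means it works."""
    blockers = []
    for action, resource in (("s3:GetObject", OBJECT), ("kms:Decrypt", KEY)):
        for name in LAYERS_FOR[action]:
            if evaluate(layers[name], action, resource, principal) != "allow":
                blockers.append((action, name))
    return blockers
```

`exfil_check()` returns `('allow', 'implicit_deny')`; `read_blockers(LAYERS)` returns `[('kms:Decrypt', 'key_policy')]`, which is exactly the access denied the question describes with the S3 side fully permitted, and `read_blockers(FIXED_LAYERS)` returns an empty list.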

  • Question 445:

    A Windows machine in one VPC needs to join the AD domain in another VPC. VPC peering has been established, but the domain join is not working. What other step needs to be followed to ensure that the AD domain join works as intended?

    A. Change the VPC peering connection to a VPN connection
    B. Change the VPC peering connection to a Direct Connect connection
    C. Ensure the security groups for the subnet that hosts AD have the right rules for the relevant subnets
    D. Ensure that the AD is placed in a public subnet

  • Question 446:

    A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and AmazonVPCFullAccess.

    The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role.

    Which solution will meet these requirements in the MOST operationally efficient way?

    A. In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM policy for the role.
    B. Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.
    C. Create an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the PrincipalArn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM policies from the role.
    D. In AWS CloudTrail, create a trail for management events. Remove the existing AWS managed IAM policies from the role. Run the script. Find the authorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.
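
An added example (not code from the page or from AWS) of what "generate a policy from access activity in the trail" amounts to: collect the service and API name of each successful call the role made, and emit only those actions. It is an offline imitation of IAM Access Analyzer policy generation, not that feature's code; the CloudTrail records are constructed and the role ARN and account ID are made up. Two caveats a practitioner should carry into the real tool: a management-events trail does not contain data-plane calls such as `s3:GetObject` or `dynamodb:GetItem`, so those have to be added by hand, and the trail does not say which ARNs were touched, so the output keeps `Resource: "*"` and must be scoped before it replaces the managed policies.

```python
"""Least-privilege policy derived from a role's CloudTrail activity (added
example; an offline imitation of IAM Access Analyzer policy generation).
Records, role ARN and account ID are constructed.
"""
import json
from collections import defaultdict

ROLE_ARN = "arn:aws:iam::123456789012:role/ScriptRole"   # made up

# eventSource -> IAM action prefix, for services where the two differ.
PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch",
                    "tagging.amazonaws.com": "tag"}


def _record(source, name, role_arn=ROLE_ARN, error=None, read_only=False):
    """Constructed CloudTrail record with just the fields this example reads."""
    rec = {"eventSource": source, "eventName": name, "readOnly": read_only,
           "userIdentity": {"type": "AssumedRole", "sessionContext": {
               "sessionIssuer": {"arn": role_arn}}}}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


SAMPLE_TRAIL = [
    _record("ec2.amazonaws.com", "DescribeInstances", read_only=True),
    _record("ec2.amazonaws.com", "RunInstances"),
    _record("ec2.amazonaws.com", "DescribeVpcs", read_only=True),
    _record("dynamodb.amazonaws.com", "CreateTable"),
    _record("dynamodb.amazonaws.com", "CreateTable"),               # repeat call
    _record("ec2.amazonaws.com", "TerminateInstances",
            error="Client.UnauthorizedOperation"),                   # failed: skipped
    _record("ec2.amazonaws.com", "CreateVpc",
            role_arn="arn:aws:iam::123456789012:role/OtherRole"),    # other role
]


def action_from_event(event):
    """ec2.amazonaws.com + RunInstances -> ec2:RunInstances."""
    source = event["eventSource"]
    prefix = PREFIX_OVERRIDES.get(source, source.split(".")[0])
    return f"{prefix}:{event['eventName']}"


def role_events(records, role_arn):
    """Successful calls made with sessions issued by role_arn. A failed call
    is not evidence that the script needs the permission."""
    events = []
    for rec in records:
        ev = json.loads(rec)
        issuer = (ev.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}))
        if issuer.get("arn") == role_arn and "errorCode" not in ev:
            events.append(ev)
    return events


def generate_policy(records, role_arn=ROLE_ARN):
    """Allow exactly the actions observed, one statement per service."""
    by_service = defaultdict(set)
    for ev in role_events(records, role_arn):
        action = action_from_event(ev)
        by_service[action.split(":")[0]].add(action)
    statements = [{"Sid": f"{svc.capitalize()}Activity", "Effect": "Allow",
                   "Action": sorted(actions), "Resource": "*"}
                  for svc, actions in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(generate_policy(SAMPLE_TRAIL), indent=2))
```

Against the constructed trail the result is two statements, `dynamodb:CreateTable` and the three EC2 actions, while the denied `TerminateInstances` and the other role's `CreateVpc` are left out; the three `*FullAccess` managed policies collapse to four actions.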

  • Question 447:

    A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.

    The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.

    What should the company do next to meet these requirements?

    A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
    B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
    C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
    D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

  • Question 448:

    A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted.

    The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead.

    Which steps should the security engineer take to meet these requirements?

    A. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and CreateVolume as the event trigger. When the event is triggered, invoke an AWS Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.
    B. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true. Apply this rule to all users.
    C. Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the AWS Config rule trigger an AWS Lambda function to alert the security team and terminate the instance if the EBS volume is not encrypted.
    D. Use the AWS Management Console or AWS CLI to enable encryption by default for EBS volumes in each AWS Region where the company operates.

  • Question 449:

    A company is migrating container workloads from a data center to Amazon Elastic Container Service (Amazon ECS) clusters. The company must implement a solution to detect potential threats in the workloads and to improve the security posture of the container clusters.

    Which solution will meet these requirements?

    A. Configure Amazon Inspector on the VPC that is running the ECS clusters.
    B. Enable Amazon GuardDuty Runtime Monitoring on the ECS clusters.
    C. Audit Amazon ECS API access by using Amazon CloudWatch logs to identify unauthorized access.
    D. Create container clusters in the same VPC. Use VPC flow logs to centrally monitor network traffic.

  • Question 450:

    For compliance reasons, an organization limits the use of resources to three specific AWS Regions. It wants to be alerted when any resources are launched in unapproved Regions.

    Which of the following approaches will provide alerts on any resources launched in an unapproved region?

    A. Develop an alerting mechanism based on processing AWS CloudTrail logs.
    B. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
    C. Analyze Amazon CloudWatch Logs for activities in unapproved regions.
    D. Use AWS Trusted Advisor to alert on all resources being created.
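
The CloudTrail-based alerting in the question above, as an added example of the detection logic (not code from the page or from AWS). The records are constructed and the approved-Region list is an assumption. Two filtering choices matter in practice: read-only calls (`Describe*`, `List*`, `Get*`) launch nothing, so they are skipped using CloudTrail's `readOnly` field, and global services such as IAM, STS, CloudFront and Route 53 record `awsRegion` as `us-east-1` regardless of where the caller sits, so they are exempt from the Region check rather than producing false alerts. The logic only sees what the trail delivers, so the trail it reads from must be multi-Region (or an organization trail); a single-Region trail never records the calls this is meant to catch.

```python
"""Flag resource-creating API calls outside the approved Regions from
CloudTrail records (added example of the detection logic; records are
constructed and the approved-Region list is assumed).
"""
import json

APPROVED_REGIONS = {"us-west-2", "eu-west-1", "ap-northeast-1"}      # assumed
# Global services log awsRegion=us-east-1 wherever the caller is.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com",
                   "cloudfront.amazonaws.com", "route53.amazonaws.com",
                   "organizations.amazonaws.com", "support.amazonaws.com"}


def _record(region, source, name, read_only,
            actor="arn:aws:iam::123456789012:user/alice", error=None):
    """Constructed CloudTrail record with just the fields this example reads."""
    rec = {"awsRegion": region, "eventSource": source, "eventName": name,
           "readOnly": read_only, "userIdentity": {"arn": actor}}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


SAMPLE_RECORDS = [
    _record("us-west-2", "ec2.amazonaws.com", "RunInstances", False),        # approved
    _record("ap-southeast-1", "ec2.amazonaws.com", "DescribeInstances", True),  # read-only
    _record("ap-southeast-1", "ec2.amazonaws.com", "RunInstances", False),   # alert
    _record("us-east-1", "iam.amazonaws.com", "CreateUser", False),          # global
    _record("sa-east-1", "rds.amazonaws.com", "CreateDBInstance", False,
            error="AccessDenied"),                                           # alert (attempt)
    _record("eu-central-1", "s3.amazonaws.com", "CreateBucket", False),      # alert
]


def is_unapproved_write(event, approved=APPROVED_REGIONS):
    """True for a non-read-only call to a regional service outside the list."""
    if event.get("readOnly", False) or event["eventSource"] in GLOBAL_SERVICES:
        return False
    return event["awsRegion"] not in approved


def find_alerts(records, approved=APPROVED_REGIONS, include_denied=True):
    """(region, service, API, caller, errorCode) per out-of-Region write.
    Denied attempts are reported by default: the attempt is itself the signal
    that someone is trying to work outside the approved Regions."""
    alerts = []
    for rec in records:
        ev = json.loads(rec)
        if not include_denied and "errorCode" in ev:
            continue
        if is_unapproved_write(ev, approved):
            alerts.append((ev["awsRegion"], ev["eventSource"], ev["eventName"],
                           ev["userIdentity"]["arn"], ev.get("errorCode")))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print("ALERT", *alert)
```

Wire the same function to wherever the trail lands: a Lambda subscribed to the trail's S3 notifications or a CloudWatch Logs subscription filter, with the alert tuple forwarded to SNS.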

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for an exam effectively? How do you prepare in a short time with less effort, get an ideal result, and find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.