SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 461:

    A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.

    What solution should the Engineer use to implement the appropriate access restrictions for the application?

    A. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.
    B. Create a security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
    C. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create a security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
    D. Create a security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with the EC2 instances.

  • Question 462:

    A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.

    How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

    A. Deny access to the Amazon DNS IP within all security groups.
    B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
    C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
    D. Disable DNS resolution within the VPC configuration.

  • Question 463:

    Which of the following correctly describes the key hierarchy that AWS KMS manages when it is used with an Amazon Redshift cluster?

    A. The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
    B. The master key encrypts the database key. The database key encrypts the data encryption keys.
    C. The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.
    D. The master key encrypts the cluster key, the database key and the data encryption keys.

  • Question 464:

    Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application that is currently experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the following steps can help address this issue?

    A. Use VPC Flow Logs.
    B. Use a network monitoring tool provided by an AWS partner.
    C. Use another instance. Set up a port in "promiscuous mode" and sniff the traffic to analyze the packets.
    D. Use CloudWatch metrics.

  • Question 465:

    A security engineer is configuring attribute-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3.

    The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match.

    Which combination of factors are causing the PutObject operation to succeed when the tag values are different? (Select TWO.)

    A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.
    B. The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
    C. The S3 bucket's resource policy does not deny access to put objects.
    D. The S3 bucket's resource policy cannot allow actions to the principal.
    E. The bucket policy does not apply to principals in the same zone of trust.

  • Question 466:

    A company has used AWS Lambda functions to build an application on AWS. The company's security engineer implemented Amazon Inspector and activated Lambda standard scanning and Lambda code scanning.

    The security engineer reviews the Amazon Inspector console and learns that Amazon Inspector is not scanning some of the Lambda functions. The provided reason is that the scan eligibility expired.

    What should the security engineer do to investigate the reason that the scans are failing?

    A. Validate that the AmazonInspector2ServiceRolePolicy AWS managed policy grants permissions to access Lambda.
    B. Increase the timeout value of the Lambda functions to complete the scans successfully while the code is running.
    C. Build a custom runtime for the unscanned Lambda functions. Include the Amazon Inspector agent in the runtime.
    D. Determine whether the unscanned Lambda functions have been invoked in the last 90 days.

  • Question 467:

    A company uses AWS Organizations to manage 50 AWS accounts. The finance staff members log in as IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer account. IAM access to billing has been enabled in the MasterPayer account.

    Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

    A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
    B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
    C. Create an IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
    D. Create an IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

  • Question 468:

    A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.

    During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.

    Which combination of options can the company use to meet these requirements? (Select TWO.)

    A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
    B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
    C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
    D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
    E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.

  • Question 469:

    A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access?

    A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
    B. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
    C. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
    D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

  • Question 470:

    AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.

    Which of the following actions will resolve the access denied error?

    A. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
    B. Update the Lambda configuration to launch the function in a VPC.
    C. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
    D. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
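    Questions 465 and 470 both come down to how AWS combines identity-based and resource-based policies for a principal in the same account: an explicit Deny anywhere wins, otherwise an Allow from either side is enough, a resource-policy statement whose Principal is the account root only delegates to IAM, and KMS additionally refuses to honour an IAM policy unless the key policy grants or delegates. The Python below is an added illustration, not part of the exam material or of any AWS library; it models only that subset of policy evaluation (StringEquals/StringNotEquals conditions and ${...} policy variables), and every account id, ARN, role name, key id and parameter name in it is hypothetical.

```python
"""Same-account IAM policy evaluation, reduced to what Questions 465 and 470 need.
Rules modelled: an explicit Deny anywhere wins; otherwise a same-account request
is allowed if an identity-based OR a resource-based policy allows it; a resource
statement whose Principal is the account root only delegates to IAM policies;
KMS (resource_gate=True) requires the key policy to grant or delegate first.
Only StringEquals/StringNotEquals and ${...} variables are handled; all ids,
ARNs and names are hypothetical."""
import fnmatch
import re

ACCOUNT = "123456789012"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _subst(value, ctx):
    # expand policy variables such as ${aws:PrincipalTag/Team} from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = [_subst(w, ctx) for w in _as_list(wanted)]
            actual = ctx.get(key)  # None when the key is absent from the request
            if op == "StringEquals" and actual not in wanted:
                return False       # absent key -> condition is false
            if op == "StringNotEquals" and actual in wanted:
                return False       # absent key -> "not equal" holds, so a Deny still bites
            if op not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(op)
    return True

def _matches(stmt, req):
    return (any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition", {}), req["context"]))

def _principal_scope(stmt, caller):
    """'grant' if the statement names the caller or everyone, 'delegate' for account root."""
    p = stmt.get("Principal", "*")
    if p == "*" or p == {"AWS": "*"}:
        return "grant"
    arns = _as_list(p.get("AWS", []))  # a Service principal never matches an IAM role
    if caller in arns:
        return "grant"
    return "delegate" if ROOT in arns or ACCOUNT in arns else None

def evaluate(identity_policy, resource_policy, req, resource_gate=False):
    """Return 'Allow' or 'Deny' for a request by an IAM principal in ACCOUNT."""
    identity_allow = resource_allow = delegated = False
    for s in identity_policy["Statement"]:
        if _matches(s, req):
            if s["Effect"] == "Deny":
                return "Deny"
            identity_allow = True
    for s in resource_policy["Statement"]:
        scope = _principal_scope(s, req["principal"])
        if scope is None or not _matches(s, req):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        if scope == "grant":
            resource_allow = True
        else:
            delegated = True
    ok = resource_allow or (identity_allow and (delegated or not resource_gate))
    return "Allow" if ok else "Deny"

# Question 465: the conditional bucket-policy Allow is bypassed by the unconditional identity Allow
ROLE = f"arn:aws:iam::{ACCOUNT}:role/data-team"
OBJECTS = "arn:aws:s3:::example-bucket/*"
IDENTITY_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECTS}]}
TAG_EQ = {"StringEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}
TAG_NE = {"StringNotEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}
BUCKET_ALLOW_ONLY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": "s3:PutObject", "Resource": OBJECTS, "Condition": TAG_EQ}]}
BUCKET_WITH_DENY = {"Statement": BUCKET_ALLOW_ONLY["Statement"] + [{"Effect": "Deny",
    "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS, "Condition": TAG_NE}]}

def put_object(bucket_policy, principal_team, object_team):
    tags = {"aws:PrincipalTag/Team": principal_team, "s3:RequestObjectTag/Team": object_team}
    req = {"principal": ROLE, "action": "s3:PutObject",
           "resource": "arn:aws:s3:::example-bucket/report.csv",
           "context": {k: v for k, v in tags.items() if v is not None}}
    return evaluate(IDENTITY_S3, bucket_policy, req)

# Question 470: Lambda execution role reading a SecureString parameter through KMS
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/db-reader-lambda"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
KEY_POLICY = {"Statement": [{  # the default "Enable IAM User Permissions" statement
    "Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
ROLE_NO_DECRYPT = {"Statement": [{"Effect": "Allow", "Action": "ssm:GetParameter",
    "Resource": f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/prod/db/password"}]}
ROLE_WITH_DECRYPT = {"Statement": ROLE_NO_DECRYPT["Statement"] + [{"Effect": "Allow",
    "Action": "kms:Decrypt", "Resource": KEY_ARN,  # usable only via Parameter Store in this region
    "Condition": {"StringEquals": {"kms:ViaService": "ssm.us-east-1.amazonaws.com"}}}]}

def lambda_decrypt(role_policy):
    req = {"principal": LAMBDA_ROLE, "action": "kms:Decrypt", "resource": KEY_ARN,
           "context": {"kms:ViaService": "ssm.us-east-1.amazonaws.com"}}
    return evaluate(role_policy, KEY_POLICY, req, resource_gate=True)
```

    Running put_object(BUCKET_ALLOW_ONLY, "blue", "red") returns "Allow": the bucket policy's conditional Allow never applies, but the principal's own unconditional Allow does and nothing denies, which is the Question 465 situation. Adding the StringNotEquals Deny turns the same request into "Deny" (and also denies an object uploaded with no Team tag at all, because a missing key satisfies a negated operator). For Question 470, lambda_decrypt(ROLE_NO_DECRYPT) is "Deny" even though the key policy's root statement delegates to IAM, and becomes "Allow" once the execution role carries kms:Decrypt on the key; the kms:ViaService condition is an extra restriction worth adding in practice, since Parameter Store calls KMS with the caller's credentials rather than its own service principal.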

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.