Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:Jul 12, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 41:
A company has contracted with a third party to audit several IAM accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)
A. The external ID used by the Auditor is missing or incorrect. B. The Auditor is using the incorrect password. C. The Auditor has not been granted sts:AssumeRole for the role in the destination account. D. The Amazon EC2 role used by the Auditor must be set to the destination account role. E. The secret key used by the Auditor is missing or incorrect. F. The role ARN used by the Auditor is missing or incorrect.
A. The external ID used by the Auditor is missing or incorrect. C. The Auditor has not been granted sts:AssumeRole for the role in the destination account. F. The role ARN used by the Auditor is missing or incorrect. Using IAM to grant access to a Third-Party Account 1) Create a role to provide access to the require resources 1.1) Create a role policy that specifies the IAM Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition 1.2) Create a role using the role policy just created 1.3) Assign a resouce policy to the role. This will provide permission to access resource ARNs to the auditor 2) Repeat steps 1 and 2 on all IAM accounts 3) The auditor connects to the IAM account IAM Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, sts:ExternalID 4) STS provide the auditor with temporary credentials that provides the role access from step 1 https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_roles_create_for- user_externalid.html https://IAM.amazon.com/blogs/security/how-to-audit-cross-account- roles-using-IAM-cloudtrail-and-amazon-cloudwatch-events/
Question 42:
A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.
The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company's customer service team.
The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials. Which solution will meet these requirements?
A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create IAM keys for existing players. B. Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up. create a key-value pair in Secrets Manager for the player's user ID and password. C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs Migrate the game's authentication mechanism to Cognito. D. Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.
C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs Migrate the game's authentication mechanism to Cognito. The best solution to meet the company's requirements of offering an alternative login method while securely protecting player credentials and reducing the burden of password resets is to use Amazon Cognito with user pools. Amazon Cognito provides a fully managed service that facilitates the authentication, authorization, and user management for web and mobile applications. By configuring Amazon Cognito user pools to federate access with third-party Identity Providers (IdPs), such as social media platforms or Google, the company can allow users to sign in through these external IdPs, thereby eliminating the need for traditional username and password logins. This not only enhances user convenience but also offloads the responsibility of managing user credentials and the associated challenges like password resets to Amazon Cognito, thereby reducing the burden on the company's customer service team. Additionally, Amazon Cognito integrates seamlessly with other AWS services and follows best practices for security and compliance, ensuring that the player's credentials are protected.
Question 43:
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?
A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range. B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port. C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range. D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.
C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range. https://docs.IAM.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Question 44:
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on- premises data center for compliance reasons. The database is
sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)
A. AWS Site-to-Site VPN B. AWS Direct Connect C. AWS VPN CloudHub D. VPC peering E. NAT gateway
A. AWS Site-to-Site VPN B. AWS Direct Connect The correct combination of AWS solutions that will meet these requirements is A. AWS Site-to-Site VPN and B. AWS Direct Connect. A. AWS Site-to-Site VPN is a service that allows you to securely connect your on-premises data center to your AWS VPC over the internet using IPsec encryption. This solution meets the requirement of encrypting the data in transit between the on-premises data center and AWS. B. AWS Direct Connect is a service that allows you to establish a dedicated network connection between your on-premises data center and your AWS VPC. This solution meets the requirement of reducing network latency between the on- premises data center and AWS. C. AWS VPN CloudHub is a service that allows you to connect multiple VPN connections from different locations to the same virtual private gateway in your AWS VPC. This solution is not relevant for this scenario, as there is only one on- premises data center involved. D. VPC peering is a service that allows you to connect two or more VPCs in the same or different regions using private IP addresses. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for VPCs. E. NAT gateway is a service that allows you to enable internet access for instances in a private subnet in your AWS VPC. This solution does not meet the requirement of connecting an on- premises data center to AWS, as it only works for outbound traffic from your VPC.
Question 45:
A company uses AWS Organizations and has many AWS accounts. The company has a new requirement to use server-side encryption with customer-provided keys (SSE-C) on all new object uploads to Amazon S3 buckets.
A security engineer is creating an SCP that includes a Deny effect for the s3:PutObject action.
Which condition must the security engineer add to the SCP to enforce the new SSE-C requirement?
A. Option A B. Option B C. Option C D. Option D
A. Option A
Question 46:
A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch
What should the security engineer do next to meet this requirement?
A. Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443 B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port D. Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443
A. Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
Question 47:
A company uses Amazon CloudWatch to monitor application metrics. A security engineer needs to centralize the metrics from several AWS accounts.
The security engineer also must create a dashboard to securely share the metrics with customers.
Which solution will meet these requirements?
A. Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure Amazon Cognito as the SSO provider. B. Set up a designated monitoring account Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure AWS IAM Identity Center as the SSO provider. C. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metncs Share the dashboard by using SSO Configure AWS IAM Identity Center as the SSO provider. D. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account Create a CloudWatch dashboard that includes the metrics. Share the dashboard Specify the email addresses of users who can use a password to view the dashboard.
A. Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure Amazon Cognito as the SSO provider.
Question 48:
A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.
The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associate with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.
Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance. B. Update the outbound network ACL for the subnet in us-east-1 b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1 b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance. C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation. D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
B. Update the outbound network ACL for the subnet in us-east-1 b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1 b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
Question 49:
Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)
A. Deploy IAM WAF to block all unsecured web applications from accessing the internet. B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic. C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software. D. Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic. E. Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.
B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic. D. Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic. Explanation Explanation/Reference:
Question 50:
A security engineer needs to centralize logging from VPC Flow Logs and AWS CloudTrail.
The security engineer also needs to query the log data after an incident occurs.
Which solution will meet these requirements?
A. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a metric filter. B. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a subscription filter. C. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB Use the DynamoDB Query API operation to query items based on their primary key values. D. Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket Use Amazon Athena to query the log data.
D. Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket Use Amazon Athena to query the log data.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.