SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 501:

    A company has set up EC2 instances on the AWS Cloud. There is a need to see all the IP addresses which are accessing the EC2 instances. Which service can help achieve this?

    A. Use the AWS Inspector service
    B. Use AWS VPC Flow Logs
    C. Use Network ACLs
    D. Use Security Groups

  • Question 502:

    An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

    After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

    A. Change the value of aws:MultiFactorAuthPresent to true.
    B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
    C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
    D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

  • Question 503:

    A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

    Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

    A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
    B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
    C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
    D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
    E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

  • Question 504:

    A company that uses GitHub Actions needs to use a workflow to deploy AWS services.

    A security engineer must set up authentication between the GitHub Actions workflow and the company's AWS account.

    The solution must involve no static credentials and no long-lived credentials for access to AWS. Additionally, the workflow must be able to run without requiring any manual changes.

    Which solution will meet these requirements?

    A. Create an IAM user. Attach an IAM policy to the IAM user. Use the AWS CLI to generate temporary credentials for the IAM user. Use the access key, secret key, and session token to authenticate to AWS from the workflow.
    B. Enable AWS IAM Identity Center and configure it to use a local directory. Create a new service user in the IAM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user. Use the user ID and session token to authenticate to AWS from the workflow.
    C. Create an OpenID Connect (OIDC) identity provider (IdP) in IAM. Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that contains condition keys to restrict the GitHub repositories that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.
    D. Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP). Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that allows the sts:AssumeRole action for Cognito. Configure the workflow in GitHub to authenticate against the SAML IdP.

  • Question 505:

    A company's Security Officer is concerned about the risk of AWS account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins. How should the Security Engineer meet these requirements?

    A. Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the Security team's distribution list.
    B. Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the Security team's distribution list.
    C. Save AWS CloudTrail logs to an Amazon S3 bucket in the Security team's account. Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events.
    D. Save VPC Flow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events.

  • Question 506:

    After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.

    How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

    A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
    B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
    C. Download and run the EC2Rescue for Windows Server utility from AWS.
    D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.

  • Question 507:

    A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)

    A. Ensure CloudTrail log file validation is turned on.
    B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
    C. Use an S3 bucket with tight access controls that exists in a separate account.
    D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
    E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
    F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS).

  • Question 508:

    A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes. The software engineering team needs to make changes that will address the audit findings.

    Which set of steps should the software engineering team take?

    A. Use an AWS Key Management Service (AWS KMS) CMK. Encrypt the data at rest.
    B. Use AWS Certificate Manager (ACM) Private Certificate Authority. Encrypt the data in transit.
    C. Use a DynamoDB encryption client. Use client-side encryption and sign the table items.
    D. Use the AWS Encryption SDK. Use client-side encryption and sign the table items.

  • Question 509:

    A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material. How can the Engineer perform the key rotation process MOST efficiently?

    A. Create a new CMK, and redirect the existing Key Alias to the new CMK
    B. Select the option to auto-rotate the key
    C. Upload new key material into the existing CMK.
    D. Create a new CMK, and change the application to point to the new CMK

  • Question 510:

    You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?

    A. AWS CloudWatch
    B. AWS EC2
    C. AWS Trusted Advisor
    D. AWS SNS
