SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 561:

    A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).

    Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

    A. The account's CMK key policy must allow the account's IAM roles to perform kms:EnableKey.
    B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
    C. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation.
    D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.

  • Question 562:

    Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved? Please select:

    A. Enable logging on the KMS service
    B. Enable a trail in CloudTrail
    C. Enable CloudWatch Logs
    D. Use CloudWatch metrics

  • Question 563:

    A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:

    1. Data must be encrypted in transit.
    2. Data must be encrypted at rest.
    3. The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.

    Which combination of steps would meet the requirements? (Select THREE.)

    A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
    B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
    C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
    D. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.
    E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
    F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

  • Question 564:

    A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region. Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

    The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

    After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

    Which combination of steps should the security engineer take to remediate this issue? (Select Two.)

    A. Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.
    B. Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.
    C. Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.
    D. Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects.
    E. Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer's IAM account.
    F. Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

  • Question 565:

    A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months. What would be the BEST way to reduce the potential impact of these attacks in the future?

    A. Use custom route tables to prevent malicious traffic from routing to the instances.
    B. Update security groups to deny traffic from the originating source IP addresses.
    C. Use network ACLs.
    D. Install intrusion prevention software (IPS) on each instance.

  • Question 566:

    An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

    Which solution will meet these requirements MOST cost-effectively?

    A. Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
    B. Configure a token-based Lambda authorizer in API Gateway.
    C. Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
    D. Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

  • Question 567:

    A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all Regions when it opened the account.

    Which of the following will allow the Security Engineer to complete the task?

    A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
    B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
    C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
    D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

  • Question 568:

    A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB).

    How can a security engineer meet these requirements?

    A. Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
    B. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
    C. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.
    D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.

  • Question 569:

    A company has AWS accounts in an organization in AWS Organizations.

    The company requires a specific software application to be installed on all new and existing Amazon EC2 instances in the organization. AWS Systems Manager Agent (SSM Agent) is installed and active on all the instances.

    How can the company continuously monitor the deployment status of the software application on all the instances?

    A. Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS Config managed rule and specify the application name.
    B. Enable AWS Config for the entire organization. Provide new AMIs that have the required software application pre-installed. Set up the approved-amis-by-id AWS Config managed rule for all accounts.
    C. Create a Systems Manager Distributor package for the required software application for the entire organization. Install the Distributor package by using Systems Manager Run Command. Review the output.
    D. Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization. Filter for the required application by software status.

  • Question 570:

    A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to publish messages from application components to custom logging services.

    The company is concerned that an application component might publish sensitive data that will be accidentally exposed in transaction logs and debug logs.

    Which solution will protect the sensitive data in these messages from accidental exposure?

    A. Use Amazon Macie to scan the SNS topics for sensitive data elements in the SNS messages. Create an AWS Lambda function that masks sensitive data inside the messages when Macie records a new finding.
    B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the messages. Apply the policy to the SNS topics.
    C. Configure the SNS topics with an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data elements inside the messages. Grant permissions to all message publisher IAM roles to allow access to the key to encrypt data.
    D. Create an Amazon GuardDuty finding for sensitive data that is transmitted to the SNS topics. Create an AWS Security Hub custom remediation action to block messages that contain sensitive data from being delivered to subscribers of the SNS topics.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.