Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:May 29, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 581:
A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?
A. Add a deny rule to the public VPC security group to block the malicious IP B. Add the malicious IP to IAM WAF backhsted IPs C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP
Question 582:
Which of the below services can be integrated with the IAM Web application firewall service? Choose 2 answers from the options given below
A. IAM Cloudfront B. IAM Lambda C. IAM Application Load Balancer D. IAM Classic Load Balancer
A. IAM Cloudfront C. IAM Application Load Balancer The IAM documentation mentions the following on the Application Load Balancer IAM WAF can be deployed on Amazon CloudFront and the Application Load Balancer (ALB). As part of Amazon CloudFront it car be part of your Content Distribution Network (CDN) protecting your resources and content at the Edge locations and as part of the Application Load Balancer it can protect your origin web servers running behind the ALBs. Options B and D are invalid because only Cloudfront and the Application Load Balancer services are supported by IAM WAF. For more information on the web application firewall please refer to the below URL: https://IAM.amazon.com/waf/faq; The correct answers are: IAM Cloudfront IAM Application Load Balancer Submit your Feedback/Queries to our Experts
Question 583:
A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across
teams.
A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.
Which solution will meet these requirements?
A. Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team. B. Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team. C. Apply different tags for each team to the IAM policies. Deploy an SCP that denies the iam:PassRole permission to all entities except the policies of the platform team. D. Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.
A. Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team. Explanation Explanation/Reference:Using IAM paths allows you to organize and logically group IAM roles by team, making it easier to manage permissions. By creating IAM paths specific to each team (e.g., /product-team/, /security-team/, /platform-team/), you can apply a Service Control Policy (SCP) that restricts the iam:PassRole permission to only roles within the platform team's path. This approach allows the platform team to delegate IAM permissions to AWS services while preventing other teams from doing so, meeting both organizational and delegation requirements.
Question 584:
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.
What should the Security Engineer do to meet these requirements?
A. Configure Amazon Macie to continuously check the configuration of all S3 buckets. B. Enable IAM Config to check the configuration of each S3 bucket. C. Set up IAM Systems Manager to monitor S3 bucket policies for public write access. D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
C. Set up IAM Systems Manager to monitor S3 bucket policies for public write access.
Question 585:
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running In Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns
Which solution would have the MOST scalability and LOWEST latency?
A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers
A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
Question 586:
A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.
Which solution will meet these requirements?
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed. B. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications. C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria. D. Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.
C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria. "When you create an Amazon GuardDuty filter, you choose specific filter criteria, name the filter and can enable the auto-archiving of findings that the filter matches. This allows you to further tune GuardDuty to your unique environment, without degrading the ability to identify threats. With auto-archive set, all findings are still generated by GuardDuty, so you have a complete and immutable history of all suspicious activity."
Question 587:
A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS>-based storage The instance is making connections to known malicious addresses
The instance is in a development account within a VPC that is in the us-east-1 Region The VPC contains an internet gateway and has a subnet in us-east-1a and us-easMb Each subnet is associate with a route table that uses the internet gateway as a default route Each subnet also uses the default network ACL The suspicious EC2 instance runs within the us-east-1 b subnet. During an initial investigation a security engineer discovers that the suspicious instance is the only instance that runs in the subnet
Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections Use the IP addresses from these remote connections to create deny rules in the security group of the instance Install diagnostic tools on the instance for investigation Update the outbound network ACL for the subnet in us-east- lb to explicitly deny all connections as the first rule during the investigation of the instance B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule Replace the security group with a new security group that allows connections only from a diagnostics security group Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule Launch a new EC2 instance that has diagnostic tools Assign the new security group to the new EC2 instance Use the new EC2 instance to investigate the suspicious instance C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination Terminate the instance Launch a new EC2 instance in us-east-1a that has diagnostic tools Mount the EBS volumes from the terminated instance for investigation D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance Attach the AWS WAF web ACL to the instance to mitigate the attack Log in to the instance and install diagnostic tools to investigate the instance
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule Replace the security group with a new security group that allows connections only from a diagnostics security group Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule Launch a new EC2 instance that has diagnostic tools Assign the new security group to the new EC2 instance Use the new EC2 instance to investigate the suspicious instance This option suggests updating the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule, replacing the security group with a new one that only allows connections from a diagnostics security group, and launching a new EC2 instance with diagnostic tools to investigate the suspicious instance. This option will immediately mitigate the attack and provide the necessary tools for investigation.
Question 588:
A company has hundreds of IAM accounts, and a centralized Amazon S3 bucket used to collect IAM CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company's IAM account.
How should the company accomplish this with the least amount of administrative overhead?
A. Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails. B. Use the events history/feature of the CloudTrail console to query the CloudTrail trails. C. Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket. D. Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.
D. Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.
Question 589:
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?
A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM). B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS). C. Create an HTTPS listener that uses the Server Order Preference security feature. D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
Question 590:
A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less
Which IAM Key Management Service (IAM KMS) key solution will allow the security engineer to meet these requirements?
A. Use Imported key material with CMK B. Use an IAM KMS CMK C. Use an IAM managed CMK. D. Use an IAM KMS customer managed CMK
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.