SCS-C02 Exam Details

  • Exam Code: SCS-C02
  • Exam Name: AWS Certified Security - Specialty (SCS-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 851 Q&As
  • Last Updated: May 29, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 651:

    A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?

    A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
    B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function that calls the StartLogging API.
    C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function that calls the StartLogging API.
    D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
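    The detective control behind this question, as an added example that is not part of the exam page: an EventBridge event pattern that matches a CloudTrail StopLogging API call, and a Lambda handler that reads the trail ARN out of the event and calls StartLogging on it. The sample event, the trail ARN and the `_FakeCloudTrail` stub are constructed so the code runs offline; the `make_client` parameter is an assumption added for that purpose, and in a real deployment the handler falls through to boto3.

```python
"""Added example: re-enable a CloudTrail trail when EventBridge reports StopLogging.

Not code from the exam page. The event, trail ARN and fake client below are
constructed for offline use; only the event-pattern shape and the StopLogging /
StartLogging API names come from AWS.
"""
import json

# EventBridge rule pattern: match the CloudTrail API call that disables a trail.
# CloudTrail records StopLogging in the trail's home Region, so the rule and the
# function have to exist in every Region the trails live in.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}

# Constructed sample event carrying only the fields the handler relies on.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
        },
    },
}


class _FakeCloudTrail:
    """Stand-in for boto3.client('cloudtrail') so the example runs without AWS."""

    def __init__(self):
        self.started = []

    def start_logging(self, Name):
        self.started.append(Name)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge-style matcher: every listed field must hold one of the listed values."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches_pattern(have, want):
                return False
        elif have not in want:
            return False
    return True


def handler(event, context=None, make_client=None):
    """Re-enable the trail named in a StopLogging event.

    Returns the trail ARN that was re-enabled, or None when the event is not a
    StopLogging call (a rule misconfiguration, or manual invocation).
    """
    if not matches_pattern(event):
        return None
    detail = event["detail"]
    trail = detail["requestParameters"]["name"]
    if make_client is None:
        import boto3  # available in the Lambda runtime; not needed offline
        client = boto3.client("cloudtrail", region_name=detail["awsRegion"])
    else:
        client = make_client(detail["awsRegion"])  # injected stub (assumption)
    client.start_logging(Name=trail)
    # Who issued StopLogging is the part worth paging on; the re-enable is just containment.
    print(json.dumps({"reenabled": trail, "stopped_by": detail["userIdentity"]["arn"]}))
    return trail
```

    Pair the function with an SNS notification or Security Hub custom finding on the same rule: silently restoring the trail hides the fact that someone had permission to stop it.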

  • Question 652:

    A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:

    A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. Which solution meets these requirements?

    A. Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.
    B. Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
    C. Download the updated SAML metadata file from the identity service provider. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
    D. Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

  • Question 653:

    Your company has the following setup in AWS:

      • A set of EC2 instances hosting a web application
      • An Application Load Balancer placed in front of the EC2 instances

    There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?

    A. Use Security Groups to block the IP addresses
    B. Use VPC Flow Logs to block the IP addresses
    C. Use Amazon Inspector to block the IP addresses
    D. Use AWS WAF to block the IP addresses

  • Question 654:

    A company's cloud operations team is responsible for building effective security for AWS cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:

    Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

    A. Ask the developers to change their password and use a different web browser.
    B. Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.
    C. Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.
    D. Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.
    E. Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

  • Question 655:

    A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

    A. Add a template constraint to each product in the portfolio.
    B. Add a launch constraint to each product in the portfolio.
    C. Define resource update constraints for each product in the portfolio.
    D. Update the AWS CloudFormation template backing the product to include a service role configuration.

  • Question 656:

    The Development team receives an error message each time the team members attempt to encrypt or decrypt a SecureString parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK). Which CMK-related issues could be responsible? (Choose two.)

    A. The CMK specified in the application does not exist.
    B. The CMK specified in the application is currently in use.
    C. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
    D. The CMK specified in the application is not enabled.
    E. The CMK specified in the application is using an alias.

  • Question 657:

    A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.

    What can the Administrator do to protect against this potential attack?

    A. Disable the EC2 instance metadata service.
    B. Log all student SSH interactive session activity.
    C. Implement iptables-based restrictions on the instances.
    D. Install the Amazon Inspector agent on the instances.

  • Question 658:

    A company has resources hosted in their AWS account. There is a requirement to monitor all API activity for all Regions. The audit needs to be applied to future Regions as well. Which of the following can be used to fulfil this requirement?

    A. Enable CloudTrail for each Region. Then enable it for each future Region.
    B. Ensure one CloudTrail trail is enabled for all Regions.
    C. Create a CloudTrail trail for each Region. Use CloudFormation to enable the trail for all future Regions.
    D. Create a CloudTrail trail for each Region. Use AWS Config to enable the trail for all future Regions.

  • Question 659:

    A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

    The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

    Why was the finding not created in the Security Hub delegated administrator account?

    A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
    B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
    C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
    D. Cross-Region aggregation in Security Hub was not configured.

  • Question 660:

    A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that the IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.

    What should the company do to accomplish this?

    A. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : false } }
    B. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : false } }
    C. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition" : { "Null" : { "aws:MultiFactorAuthPresent" : false } }
    D. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : false } }
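    The four options above differ only in the condition operator and the effect, and the operators behave differently when the aws:MultiFactorAuthPresent key is missing from the request context, which the IAM documentation says is the case for requests made with long-term credentials. As an added example that is not part of the exam page, the following evaluator implements just the documented Bool, BoolIfExists and Null semantics and runs each option against three constructed request contexts. It is illustrative code, not the AWS policy engine, and it evaluates a single statement with a single condition only.

```python
"""Added example: how Bool, BoolIfExists and Null treat a missing MFA context key.

Not code from the exam page.  The request contexts are constructed; the
operator semantics follow the IAM condition-operator documentation.
"""


def condition_matches(operator, expected, context, key="aws:MultiFactorAuthPresent"):
    """Evaluate one condition of the form {operator: {key: expected}}.

    Bool          -> key must be present and equal the expected boolean
    BoolIfExists  -> same, but a missing key counts as a match
    Null          -> "true" matches when the key is absent, "false" when present
    """
    present = key in context
    if operator == "Null":
        want_absent = str(expected).lower() == "true"
        return present == (not want_absent)
    if operator == "BoolIfExists" and not present:
        return True
    if not present:  # plain Bool with no key in the context: the condition fails
        return False
    return str(context[key]).lower() == str(expected).lower()


def statement_applies(statement, context):
    """Return the statement's Effect if its single condition matches, else None."""
    (operator, cond), = statement["Condition"].items()
    (key, expected), = cond.items()
    if condition_matches(operator, expected, context, key):
        return statement["Effect"]
    return None


# The four candidate statements from the question, reduced to what matters here.
CANDIDATES = {
    "A": {"Effect": "Deny", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    "B": {"Effect": "Deny", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    "C": {"Effect": "Allow", "Condition": {"Null": {"aws:MultiFactorAuthPresent": "false"}}},
    "D": {"Effect": "Allow", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
}

# Constructed request contexts.  Per the IAM docs the key is only populated for
# temporary credentials; a caller using long-term access keys has no key at all.
CONTEXTS = {
    "mfa_session": {"aws:MultiFactorAuthPresent": "true"},
    "no_mfa_session": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_keys": {},
}


def outcomes(candidate):
    """Map each context name to the effect the candidate produces, or None."""
    return {name: statement_applies(CANDIDATES[candidate], ctx)
            for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for letter in CANDIDATES:
        print(letter, outcomes(letter))
```

    The long_term_keys row is the one that separates the two Deny options: with Bool a missing key means the Deny never fires, with BoolIfExists it does. The Null operator ignores the key's value entirely and only tests whether the key exists, which is why option C allows the no_mfa_session context.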

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.