Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 671:
How can you ensure that instances in a VPC do not use the IAM DNS for routing DNS requests? You want to use your own managed DNS instance. How can this be achieved?
A. Change the existing DHCP options set
B. Create a new DHCP options set and replace the existing one.
C. Change the route table for the VPC
D. Change the subnet configuration to allow DNS requests from the new DNS Server
B. Create a new DHCP options set and replace the existing one.
In order to use your own DNS server, you need to create a new custom DHCP options set with the IP of the custom DNS server. You cannot modify the existing set, so you need to create a new one. Option A is invalid because you cannot make changes to an existing DHCP options set. Option C is invalid because a route table only works with routes, not with a custom DNS solution. Option D is invalid because this needs to be done at the VPC level and not at the subnet level. For more information on DHCP options sets, see: https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC DHCP Options.html
Question 672:
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.
Which solution meets these requirements with the MOST operational efficiency?
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an IAM Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
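Whichever option is chosen, the underlying check is the same one the restricted-ssh Config managed rule performs: is any ingress rule that covers TCP port 22 open to 0.0.0.0/0 or ::/0? The following is an added example, not code from the exam page or from AWS, that reimplements that verdict over DescribeSecurityGroups-shaped input so it runs offline; the security groups and their ids are constructed placeholders. It also shows the text an SNS notification to administrators could carry.

```python
"""Added example (not from the exam page or AWS): the check behind the
restricted-ssh Config managed rule, over DescribeSecurityGroups-shaped input.
The sample groups below are constructed; the group ids are placeholders."""
import ipaddress

SSH_PORT = 22


def rule_covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 or is 'all traffic' (-1)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def rule_is_open_to_world(perm):
    """True if any CIDR on the rule is 0.0.0.0/0 or ::/0 (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def evaluate_security_group(sg):
    """Return ("COMPLIANT" | "NON_COMPLIANT", offending_rules) for one group:
    non-compliant when any ingress rule allows port 22 from anywhere."""
    offenders = [p for p in sg.get("IpPermissions", [])
                 if rule_covers_ssh(p) and rule_is_open_to_world(p)]
    return ("NON_COMPLIANT" if offenders else "COMPLIANT"), offenders


def violation_message(sg):
    """Text an SNS notification to administrators could carry; None if compliant."""
    verdict, offenders = evaluate_security_group(sg)
    if verdict == "COMPLIANT":
        return None
    lines = [f"Security group {sg['GroupId']} ({sg.get('GroupName', '')}) "
             f"allows SSH from the internet:"]
    for p in offenders:
        src = [r["CidrIp"] for r in p.get("IpRanges", [])] + \
              [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        lines.append(f"  {p['IpProtocol']} {p.get('FromPort', 'all')}-"
                     f"{p.get('ToPort', 'all')} from {', '.join(src)}")
    return "\n".join(lines)


# Constructed sample groups (placeholder ids), shaped like DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web-open-ssh",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "bastion-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    # A port range that happens to include 22, open over IPv6: still a violation.
    {"GroupId": "sg-0000000000000003", "GroupName": "range-hides-ssh",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        verdict, _ = evaluate_security_group(sg)
        print(sg["GroupId"], verdict)
        msg = violation_message(sg)
        if msg:
            print(msg)
```

The third sample group is the case a port-equality check would miss: the rule never names port 22, but its range 20-25 includes it, and the IPv6 any-address range is just as unrestricted as 0.0.0.0/0.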
Question 673:
A company is investigating an increase in its AWS monthly bill. The company discovers that bad actors compromised some Amazon EC2 instances and served webpages for a large email phishing campaign.
A security engineer must implement a solution to monitor for cost increases in the future to help detect malicious activity.
Which solution will offer the company the EARLIEST detection of cost increases?
A. Create an Amazon EventBridge rule that invokes an AWS Lambda function hourly. Program the Lambda function to download an AWS usage report from AWS Data Exports about usage of all services. Program the Lambda function to analyze the report and to send a notification when anomalies are detected.
B. Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.
C. Review AWS Cost Explorer daily to detect anomalies in cost from prior months. Review the usage of any services that experience a significant cost increase from prior months.
D. Capture VPC flow logs from the VPC where the EC2 instances run. Use a third-party network analysis tool to analyze the flow logs and to detect anomalies in network traffic that might increase cost.
B. Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.
References: AWS Cost Anomaly Detection Documentation; Creating SNS Alerts for Cost Anomalies
Question 674:
Your company is planning on developing an application in IAM. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to be able to manage user profiles without adding extra code to manage this. Which of the below would assist in this?
A. Create an OIDC identity provider in IAM
B. Create a SAML provider in IAM
C. Use IAM Cognito to manage the user profiles
D. Use IAM users to manage the user profiles
C. Use IAM Cognito to manage the user profiles
The IAM Documentation mentions the following: A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. User pools provide: sign-up and sign-in services; a built-in, customizable web UI to sign in users; social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool; user directory management and user profiles; security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification; customized workflows and user migration through IAM Lambda triggers. Options A and B are invalid because these are not used to manage users. Option D is invalid because this would be a maintenance overhead. For more information on Cognito user pools, please refer to the below link: https://docs.IAM.amazon.com/coenito/latest/developerguide/cognito-user-identity-pools.html
Question 675:
Your company is planning on using bastion hosts for administering the servers in IAM. Which of the following is the best description of a bastion host from a security perspective?
A. A Bastion host should be on a private subnet and never a public subnet due to security concerns
B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. In IAM, a bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. Options A and B are invalid because the bastion host needs to sit on the public network. Option D is invalid because bastion hosts are not used for monitoring. For more information on bastion hosts, browse to the below URL: https://docsIAM.amazon.com/quickstart/latest/linux-bastion/architecture.htl
Question 676:
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
A. Grant public access for the bucket via the bucket policy
B. Use the IAM:Referer key in the condition clause for the bucket policy
C. Use the IAM:sites key in the condition clause for the bucket policy
D. Grant a role that can be assumed by the web site
B. Use the IAM:Referer key in the condition clause for the bucket policy
An example of this is given in the IAM Documentation under "Restricting Access to a Specific HTTP Referrer": Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the IAM account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the IAM:referer key, that the get request must originate from specific webpages. The policy in the documentation specifies the StringLike condition with the IAM:Referer condition key. Option A is invalid because giving public access is not a secure way to provide access. Option C is invalid because IAM:sites is not a valid condition key. Option D is invalid because IAM roles will not be assigned to web sites. For more information on example bucket policies please visit the below link: https://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
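The bucket policy the answer refers to is not reproduced on the page, so the following added example (not code from the exam page or from the AWS documentation) builds it and evaluates its StringLike condition the way IAM does. Note that the real condition key is spelled aws:Referer; the bucket name examplebucket and the referer patterns are the constructed sample values. One caveat worth knowing when you rely on this control: the Referer header is set by the client, so the policy deters casual hotlinking from other sites but does not stop a requester who deliberately sets the header.

```python
"""Added example (not from the exam page or AWS docs): build the aws:Referer
bucket policy and evaluate its StringLike condition as IAM would.
Bucket name and referer patterns are constructed sample values."""
import json
import re


def build_referer_policy(bucket, referer_patterns):
    """Bucket policy granting s3:GetObject only when the request's Referer
    header matches one of the StringLike patterns on the aws:Referer key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetObjectFromOurSite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringLike": {"aws:Referer": list(referer_patterns)}},
        }],
    }


def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def referer_allowed(policy, referer):
    """Decide whether the policy's Allow statement applies to a GetObject
    request carrying the given Referer. A missing header means the condition
    key is absent, so StringLike fails and the request falls through to the
    default deny."""
    patterns = policy["Statement"][0]["Condition"]["StringLike"]["aws:Referer"]
    if referer is None:
        return False
    return any(string_like(p, referer) for p in patterns)


# Constructed sample: allow only links from the site's own pages.
POLICY = build_referer_policy(
    "examplebucket",
    ["http://www.example.com/*", "http://example.com/*",
     "https://www.example.com/*", "https://example.com/*"],
)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ref in ["https://www.example.com/photos/1.jpg", "https://example.com/",
                "https://cdn.example.net/page", None]:
        print(repr(ref), "->", "allow" if referer_allowed(POLICY, ref) else "deny")
```

The evaluator only models the one statement it is given; in a real evaluation an explicit Deny elsewhere in the policy, or an account-level public access block, would still win.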
Question 677:
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
A. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
B. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
C. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function. The IAM Documentation additionally mentions the following: Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what IAM Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role: If your Lambda function code accesses other IAM resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role. If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), IAM Lambda polls these streams on your behalf. IAM Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role. Option A is invalid because the VPC endpoint allows instances in a private subnet to access DynamoDB. Option B is invalid because resource policies are present for resources such as S3 and KMS, but not IAM Lambda. Option C is invalid because IAM roles should be used and not IAM users. For more information on the Lambda permission model, please visit the below URL: https://docs.IAM.amazon.com/lambda/latest/dg/intro-permission-model.html
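The answer leaves the two documents that make up an execution role implicit: a trust policy that lets the Lambda service assume the role, and a permissions policy that grants only what this function needs (read the S3 object, write the DynamoDB table, write its own logs). The following is an added example, not code from the exam page or from AWS, that builds both and adds a check for the over-broad grants (wildcard actions or resources) an execution role should not carry. The account id, region, bucket, table and log-group names are placeholders.

```python
"""Added example (not from the exam page or AWS): trust and permissions policy
for a Lambda execution role, plus a lint for wildcard grants.
All ARNs below use placeholder account, region and resource names."""
import json

# Placeholders, not real resources.
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET_ARN = "arn:aws:s3:::example-upload-bucket"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/ObjectMetadata"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/metadata-fn"


def trust_policy():
    """Who may assume the role: only the Lambda service principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def permissions_policy(bucket_arn, table_arn, log_group_arn):
    """What the role may do once assumed, scoped to the named resources."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadUploadedObject", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": f"{bucket_arn}/*"},
        {"Sid": "WriteMetadata", "Effect": "Allow",
         "Action": ["dynamodb:PutItem"], "Resource": table_arn},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"{log_group_arn}:*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the Sids of Allow statements whose Action is '*' or 'service:*'
    or whose Resource is '*': the grants to reject in an execution role."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


# Constructed counter-example: the kind of policy that passes a quick glance
# but gives the function every DynamoDB action on every table.
OVERBROAD_EXAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooMuch", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

if __name__ == "__main__":
    good = permissions_policy(BUCKET_ARN, TABLE_ARN, LOG_GROUP_ARN)
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(good, indent=2))
    print("over-broad in scoped policy:", overbroad_statements(good))
    print("over-broad in counter-example:", overbroad_statements(OVERBROAD_EXAMPLE))
```

Keeping the permissions policy as a separate document from the trust policy matters in review: the trust policy is what stops another principal from assuming the role, and the permissions policy is what bounds the blast radius if the function's code is ever compromised.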
Question 678:
A company is deploying a new web application on IAM. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and IAM WAF to prevent malicious traffic from reaching the application
E. Enable GuardDuty to block malicious traffic from reaching the application
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
D. Use CloudFront and IAM WAF to prevent malicious traffic from reaching the application
The diagram from IAM (not reproduced here) shows the best case scenario for avoiding DDoS attacks using services such as IAM CloudFront, WAF, ELB and Auto Scaling. Option A is invalid because by default security groups don't allow access. Option C is invalid because IAM Inspector cannot be used to examine traffic. Option E is invalid because this can be used for attacks on EC2 instances but not against DDoS attacks on the entire application. For more information on DDoS mitigation from IAM, please visit the below URL: https://IAM.amazon.com/answers/networking/IAM-ddos-attack-mitieationi
Question 679:
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?
A. Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.
B. Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
C. Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.
D. Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn an SSL connection between the load balancer and the EC2 instances.
B. Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
https://IAM.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/
Question 680:
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region. What policy should the Engineer implement?
A. (policy document shown as an image; not reproduced here)
B. (policy document shown as an image; not reproduced here)
C. (policy document shown as an image; not reproduced here)
C. (policy document shown as an image; not reproduced here)