Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:Jul 12, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 61:
An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet TLS does not have to be implemented in an end- to-end configuration because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS The application uses ports 80 and 443.
What should a security engineer do to meet these requirements?
A. Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443. B. Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80. C. Create a public Network Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS. D. Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.
A. Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443. An Application Load Balancer (ALB) is a type of load balancer that operates at the application layer (layer 7) of the OSI model. It can distribute incoming traffic based on the content of the request, such as the host header, path, or query parameters. An ALB can also terminate TLS connections and decrypt requests from clients before sending them to the targets. To implement TLS for incoming traffic to the application, the following steps are required: Create a public ALB in a public subnet and register the EC2 instances as targets in a target group. Create two listeners for the ALB, one on port 80 for HTTP traffic and one on port 443 for HTTPS traffic. Create a rule for the listener on port 80 to redirect HTTP requests to HTTPS using the same host, path, and query parameters. Provision a public TLS certificate in AWS Certificate Manager (ACM) for the domain name of the application. ACM is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. Attach the certificate to the listener on port 443 and configure the security policy to negotiate secure connections between clients and the ALB. Configure the security groups for the ALB and the EC2 instances to allow inbound traffic on ports 80 and 443 from the internet and outbound traffic on any port to the EC2 instances. This solution will meet the requirements of implementing TLS for incoming traffic without impacting performance or requiring end-to-end encryption. The ALB will handle the TLS termination and decryption, while forwarding unencrypted requests to the EC2 instances. Verified References: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.h tml https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
Question 62:
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.
Which of the following solutions would provide the MOST scalable solution?
A. Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts. C. Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
Question 63:
DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you should probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below
A. The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet. B. The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway. C. The EC2 instance running your WAF software is placed between your public subnets and your private subnets. D. The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.
D. The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers. The below diagram shows how a WAF sandwich is created. Its the concept of placing the Ec2 instance which hosts the WAF software in between 2 elastic load balancers. Option A.B and C are incorrect since the EC2 Instance with the WAF software needs to be placed in an Autoscaling Group For more information on a WAF sandwich please refer to the below Link: https://www.cloudaxis.eom/2016/11/2l/waf-sandwich/l The correct answer is: The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers. Submit your Feedback/Queries to our Experts
Question 64:
A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.
How can the security engineer provide the developer with Amazon $3 access without affecting other account?
A. Move the SCP to the root OU of organization to remove the restriction to access Amazon $3. B. Add an IAM policy for the developer, which grants $3 access. C. Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU. D. Add an allow list for the developer account for the $3 service.
C. Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.
Question 65:
A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company wants to use AWS services to perform near real-time log analysis. The company also wants to store these logs for 365 days for pattern matching and substring search capabilities later.
Which solution will meet these requirements with the LEAST development overhead?
A. Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Lifecycle policies to delete the log data after 365 days. B. Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search. C. Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Kinesis Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days. D. Use Amazon API Gateway and AWS Lambda to write the logs from the on-premises server to Amazon DynamoDB. Configure a Lambda trigger on DynamoDB streams to perform near real-time log analysis. Run Amazon Athena federated queries on DynamoDB data for pattern matching and substring search. Set up TTL to delete data after 365 days.
C. Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Kinesis Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days.
Question 66:
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.
How should the security team securely store the API key?
A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository. B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API. C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API. D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
Question 67:
A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).
A security engineer must prevent any modifications to the data in the S3 bucket.
Which solution will meet this requirement?
A. Configure S3 bucket policies to deny DELETE and PUT object permissions. B. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled. C. Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys. D. Configure the S3 bucket with multi-factor authentication (MFA) delete protection.
B. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled. Explanation Explanation/Reference:S3 Object Lock in compliance mode prevents any modifications or deletions to objects during a specified retention period, ensuring data immutability. Enabling Object Lock in compliance mode along with bucket versioning effectively meets the requirement to prevent any modifications to the data in the S3 bucket.
Question 68:
You have an instance setup in a test environment in IAM. You installed the required application and the promoted the server to a production environment. Your IT Security team has advised that there maybe traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?
A. Shutdown the instance B. Remove the rule for incoming traffic on port 22 for the Security Group C. Change the AMI for the instance D. Change the Instance type for the instance
B. Remove the rule for incoming traffic on port 22 for the Security Group In the test environment the security groups might have been opened to all IP addresses for testing purpose. Always to ensure to remove this rule once all testing is completed. Option A, C and D are all invalid because this would affect the application running on the server. The easiest way is just to remove the rule for access on port 22. For more information on authorizing access to an instance, please visit the below URL: https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/authorizing-access-to-an- instance.htmll The correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group Submit your Feedback/Queries to our Experts
Question 69:
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.
Which of the following methods will ensure that the data is unreadable by anyone else?
A. Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM. B. Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned. C. Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM. D. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.
D. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM. Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800- 88 ("Guidelines for Media Sanitization"), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements. https://d0.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf
Question 70:
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance. What combination of actions should the Engineer take? (Choose two.)
A. Create an IAM Lambda function that determines whether Flow Logs are enabled for a given VPC. B. Create an IAM Config configuration item for each VPC in the company IAM account. C. Create an IAM Config managed rule with a resource type of IAM:: Lambda:: Function. D. Create an Amazon CloudWatch Event rule that triggers on events emitted by IAM Config. E. Create an IAM Config custom rule, and associate it with an IAM Lambda function that contains the evaluating logic.
A. Create an IAM Lambda function that determines whether Flow Logs are enabled for a given VPC. E. Create an IAM Config custom rule, and associate it with an IAM Lambda function that contains the evaluating logic. Explanation Explanation/Reference:https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for- security-compliance-by-using-custom-IAM-config-rules-2e53b09006de
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.