Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 721:
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.
Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below.
A. A network ACL with a rule that allows outgoing traffic on port 443.
B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
D. A security group with a rule that allows outgoing traffic on port 443.
E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
F. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
D. A security group with a rule that allows outgoing traffic on port 443.
Since the traffic flows outbound from the instance to a web service on port 443, the outbound rules on both the network ACL and the security group need to allow outbound traffic on that port. The network ACL must also allow incoming traffic on ephemeral ports, because the operating system on the instance establishes the connection from any available high port and the reply comes back to that port. Option A is invalid because this rule alone is not enough; you also need to allow incoming traffic on ephemeral ports. Option C is invalid because you need to allow incoming traffic on ephemeral ports, not only on port 443. Options E and F are invalid because they open additional inbound ports on the security group that are not required. For more information on VPC security groups, please visit the below URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
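The reasoning behind this answer is the difference between a stateless network ACL and a stateful security group. The following added example (not part of the original practice material) models that difference: it expresses the six options as rule sets and checks whether the outbound TLS call and its reply both get through, and how many inbound ports each security group option opens. The rule sets, the ephemeral port 49152 and the inbound range 1024-65535 are constructed for the illustration.

```python
from dataclasses import dataclass

# Inbound port range commonly opened on a NACL so that replies to outbound
# connections can reach the instance (constructed for this example).
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str         # "in" (toward the instance) or "out"
    protocol: str          # "tcp", "udp" or "all"
    ports: tuple           # inclusive (low, high) range of the packet's destination port
    action: str = "allow"  # NACL rules may deny; security group rules are allow-only
    number: int = 100      # NACL evaluation order (lowest first); unused for security groups


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dst_port: int


def _matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.protocol in ("all", pkt.protocol)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])


def nacl_allows(rules, pkt):
    """Stateless evaluation: every packet, including a reply, is judged on its
    own against the rules for its direction; the implicit final rule denies."""
    for rule in sorted((r for r in rules if r.direction == pkt.direction),
                       key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action == "allow"
    return False


def sg_allows(rules, pkt, established=False):
    """Stateful evaluation: packets belonging to a connection the group already
    admitted are allowed without any rule; new packets need an allow rule."""
    return established or any(_matches(r, pkt) for r in rules)


def tls_call_succeeds(nacl_rules, sg_rules, ephemeral_port=49152):
    """True only if the outbound SYN to port 443 and the reply coming back to
    the instance's ephemeral port both pass the NACL and the security group."""
    syn = Packet("out", "tcp", 443)
    reply = Packet("in", "tcp", ephemeral_port)
    if not (nacl_allows(nacl_rules, syn) and sg_allows(sg_rules, syn)):
        return False
    # The security group remembers the connection; the NACL does not.
    return nacl_allows(nacl_rules, reply) and sg_allows(sg_rules, reply, established=True)


def inbound_ports_opened(sg_rules):
    """Number of distinct inbound TCP destination ports the rules allow: a rough
    measure of the exposure an option adds to the instance."""
    opened = set()
    for r in sg_rules:
        if r.direction == "in" and r.protocol in ("tcp", "all"):
            opened.update(range(r.ports[0], r.ports[1] + 1))
    return len(opened)


# The six answer options expressed as rule sets (constructed for this example).
NACL_A = [Rule("out", "tcp", (443, 443))]
NACL_B = NACL_A + [Rule("in", "tcp", EPHEMERAL)]
NACL_C = NACL_A + [Rule("in", "tcp", (443, 443))]
SG_D = [Rule("out", "tcp", (443, 443))]
SG_E = SG_D + [Rule("in", "tcp", EPHEMERAL)]
SG_F = SG_D + [Rule("in", "tcp", (443, 443))]

if __name__ == "__main__":
    for name, nacl in (("A", NACL_A), ("B", NACL_B), ("C", NACL_C)):
        print(f"NACL option {name} with SG option D: works={tls_call_succeeds(nacl, SG_D)}")
    for name, sg in (("D", SG_D), ("E", SG_E), ("F", SG_F)):
        print(f"SG option {name} with NACL option B: works={tls_call_succeeds(NACL_B, sg)}, "
              f"inbound ports opened={inbound_ports_opened(sg)}")
```

Running it shows that only NACL option B lets the reply through, and that security group options E and F also work but open 64512 and 1 inbound ports respectively that the outbound call never needs, which is why option D is the one that minimizes exposure.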
Question 722:
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
A. Expose the data with a public HTTPS endpoint.
B. A VPN between the VPC and the data center over a Direct Connect connection.
C. A VPN between the VPC and the data center.
D. A Direct Connect connection between the VPC and data center.
B. A VPN between the VPC and the data center over a Direct Connect connection.
Since a consistently low-latency connection is required, you should use Direct Connect. For encryption in transit, you can use a VPN over it. Option A is invalid because exposing an HTTPS endpoint does not carry all traffic between the VPC and the data center. Option C is invalid because low latency is a key requirement and a VPN over the internet cannot guarantee it. Option D is invalid because Direct Connect alone does not encrypt the traffic. For more information on the connection options please see the below link: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
Question 723:
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
A. Use a short but complex password on the root account and any administrators.
B. Use AWS IAM Geo-Lock and disallow anyone from logging in except from your city.
C. Use MFA on all users and accounts, especially on the root account.
D. Don't write down or remember the root account password after creating the AWS account.
C. Use MFA on all users and accounts, especially on the root account.
Multi-factor authentication adds one more layer of security to your AWS account. Even on the Security Credentials dashboard, one of the listed items is to enable MFA on your root account. Option A is invalid because you need a strong password policy, not a short password. Option B is invalid because there is no AWS IAM Geo-Lock. Option D is invalid because this is not a recommended practice. For more information on MFA, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Question 724:
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.
Which AWS services should be used to meet these requirements? (Choose two.)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon OpenSearch Service
E. Amazon EMR
B. Amazon Kinesis
D. Amazon OpenSearch Service
Question 725:
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?
A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
Question 726:
Your company has just set up a new central server in a VPC. Other teams, whose servers are located in different VPCs in the same region, need to connect to the central server. Which of the below options is best suited to achieve this requirement?
A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
B. Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
C. Set up an IPSec tunnel between the central server VPC and each of the teams' VPCs.
D. None of the above options will work.
A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. Options B and C are invalid because VPC peering is the appropriate mechanism here. Option D is invalid because VPC peering is available. For more information on VPC peering please see the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html
Question 727:
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Select TWO.)
A. Use the AWS account root user access keys instead of the AWS Management Console.
B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them.
C. Enable multi-factor authentication for the AWS account root user.
D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users.
C. Enable multi-factor authentication for the AWS account root user.
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users.
Question 728:
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.
All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years.
No changes or deletions of the logs are allowed.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
D. Create an AWS CloudTrail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account. Configure logs to be delivered to an Amazon S3 bucket that is created in the organization's management account. Forward the logs to the S3 bucket in the dedicated security account by using AWS Lambda and Amazon Kinesis Data Firehose.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
D. Create an AWS CloudTrail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.
The correct answers are B and D.
According to the AWS documentation, AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To use CloudTrail with multiple AWS accounts and regions, you need to enable AWS Organizations with all features enabled. This allows you to centrally manage your accounts and apply policies across your organization. You can also use CloudTrail as a service principal for AWS Organizations, which lets you create an organization trail that applies to all accounts in your organization. An organization trail logs events for all AWS Regions and delivers the log files to an S3 bucket that you specify. To create an organization trail, you need to use an administrator account, such as the organization's management account or a delegated administrator account. You can then configure the trail to deliver logs to an S3 bucket in the dedicated security account. This ensures that all account activity across all member accounts and regions is logged and reported to the security account.
According to the AWS documentation, Amazon S3 is an object storage service that offers scalability, data availability, security, and performance. You can use S3 to store and retrieve any amount of data from anywhere on the web. You can also use S3 features such as lifecycle management, encryption, versioning, and replication to optimize your storage. To use S3 with CloudTrail logs, you need to create an S3 bucket in the dedicated security account that will store the logs from the organization trail. You can then configure S3 Object Lock on the bucket to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. You can also enable compliance mode on the bucket, which prevents any user, including the root user in your account, from deleting or modifying a locked object until it reaches its retention date. To set a retention period of 2 years on the S3 bucket, you need to create a default retention configuration for the bucket that specifies a retention mode (either governance or compliance) and a retention period (either a number of days or a date). You can then set the bucket policy to allow the organization's member accounts to write to the S3 bucket. This ensures that all logs are retained in a secure storage location within the security account for 2 years and that no changes or deletions are allowed.
Option A is incorrect because setting the bucket policy to allow only the organization's management account to write to the S3 bucket is not sufficient, as it does not grant access to the other member accounts in the organization. Option C is incorrect because an S3 Lifecycle configuration that expires objects after 2 years is not secure, as it still allows users to delete or modify objects before they expire. Option E is incorrect because using Lambda and Kinesis Data Firehose to forward logs from one S3 bucket to another is not necessary, as CloudTrail can deliver logs directly to an S3 bucket in another account; it also introduces additional operational overhead and complexity.
Question 729:
A company is investigating actions that an IAM role performed. The company must find out when the role last accessed AWS Security Hub and when the role last used the DeleteInsight action in Security Hub.
Which solution will provide this information?
A. Use the checks for the security category in AWS Trusted Advisor. Search for the role and examine the actions taken.
B. Use the Access Advisor tab in AWS Identity and Access Management (IAM). Search for Security Hub and the actions taken.
C. Use AWS Identity and Access Management (IAM) to generate a credential report. Search the report for Security Hub activity.
D. Create an analyzer in AWS Identity and Access Management Access Analyzer. Examine the findings for the role's actions in Security Hub.
B. Use the Access Advisor tab in AWS Identity and Access Management (IAM). Search for Security Hub and the actions taken.
The Access Advisor feature in IAM provides information about the services that an IAM role or user has accessed and the last time they accessed each service. This feature shows when the IAM role last accessed AWS Security Hub. To find specific actions like DeleteInsight, you can review CloudTrail logs, but Access Advisor is the first step to quickly see the last access to the service.
Question 730:
A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling.
The company's security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security engineer needs to implement private connectivity to AWS services.
Which combination of steps should the security engineer take to meet this requirement? (Select THREE.)
A. Use an interface VPC endpoint for Amazon SQS.
B. Configure a connection to Amazon S3 through AWS Transit Gateway.
C. Use a gateway VPC endpoint for Amazon S3.
D. Modify the IAM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.
E. Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses.
F. Configure a connection to Amazon S3 through AWS Firewall Manager.
A. Use an interface VPC endpoint for Amazon SQS.
C. Use a gateway VPC endpoint for Amazon S3.
E. Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses.
The correct answers are A, C, and E because they provide the most secure and efficient way to implement private connectivity to AWS services. Using an interface VPC endpoint for Amazon SQS and a gateway VPC endpoint for Amazon S3 allows the application to reach these services without public IP addresses or an internet gateway. Modifying the endpoint policies on all VPC endpoints lets the security engineer specify the SQS and S3 resources that the application uses and restrict access to any other resources, which is what least privilege requires at the network path. The other options are incorrect because they do not provide private connectivity to AWS services or they introduce unnecessary complexity or cost. Option B is incorrect because AWS Transit Gateway is used to connect multiple VPCs and on-premises networks, not to connect to AWS services. Option D is incorrect because modifying the IAM role applied to the EC2 instances is not sufficient to allow outbound traffic to the interface endpoints; the security group and route table associated with the interface endpoints also need to be configured. Option F is incorrect because AWS Firewall Manager is used to centrally manage firewall rules across multiple accounts and resources, not to connect to AWS services. Reference: AWS PrivateLink, VPC Endpoints, Endpoint Policies for Interface Endpoints.
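Questions 728 and 730 both turn on resource-based policies: the bucket policy that lets an organization trail write into a locked bucket in the security account, and the endpoint policies that restrict what the SQS and S3 endpoints will carry. The following added example (not part of the original practice material) writes both kinds of policy as Python dicts and evaluates sample requests against them with a small, deliberately simplified allow/deny matcher, so the scoping can be checked offline. The organization id, account numbers, trail, role, queue and bucket names are constructed placeholders; the evaluator models only Allow/Deny, wildcard Action/Resource matching and StringEquals conditions, not the full IAM evaluation logic.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, caller):
    """caller is {"Service": "..."} or {"AWS": "arn:..."}; "*" matches anyone."""
    if stmt_principal == "*":
        return True
    return any(pid == "*" or caller.get(kind) == pid
               for kind, ids in stmt_principal.items() for pid in _as_list(ids))


def is_allowed(policy, caller, action, resource, context=None):
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants.
    Simplified: only StringEquals conditions, case-sensitive matching."""
    context = context or {}
    granted = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), caller):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != val for key, val in wanted.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        granted = True
    return granted


# --- Q728: organization trail writing into a locked bucket in the security account ---
ORG_ID = "o-exampleorg"            # constructed placeholder
MGMT_ACCOUNT = "111111111111"      # constructed
MEMBER_ACCOUNT = "333333333333"    # constructed
LOG_BUCKET = "example-org-cloudtrail-logs"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}

ORG_TRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{LOG_BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        # Only the named trail may write, only under the account and organization
        # prefixes, and only with an ACL that keeps the bucket owner in control.
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{MGMT_ACCOUNT}/*",
                      f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{ORG_ID}/*"],
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN,
                                         "s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
TRAIL_CONTEXT = {"aws:SourceArn": TRAIL_ARN, "s3:x-amz-acl": "bucket-owner-full-control"}

# Default retention for the same bucket, in the shape an Object Lock configuration takes.
OBJECT_LOCK_CONFIG = {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 730}}}


def retention_is_immutable(config, min_days):
    """COMPLIANCE mode cannot be shortened or removed by any user, including root."""
    rule = config.get("Rule", {}).get("DefaultRetention", {})
    return rule.get("Mode") == "COMPLIANCE" and rule.get("Days", 0) >= min_days


def member_log_key(name="example.json.gz"):
    """Object key shape CloudTrail uses for a member account under an organization
    trail (date directories omitted for brevity)."""
    return f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{ORG_ID}/{MEMBER_ACCOUNT}/CloudTrail/us-east-1/{name}"


# --- Q730: endpoint policies scoped to the resources the application uses ---
APP_ROLE = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/app-instance-role"   # constructed
APP_QUEUE = f"arn:aws:sqs:us-east-1:{MEMBER_ACCOUNT}:orders"         # constructed
APP_BUCKET = "example-app-data"                                       # constructed

SQS_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": APP_QUEUE}]}

# Gateway endpoint policies typically stay principal-agnostic and restrict by resource.
S3_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": [f"arn:aws:s3:::{APP_BUCKET}", f"arn:aws:s3:::{APP_BUCKET}/*"]}]}
```

Evaluating a few requests with `is_allowed` shows the intended shape: the CloudTrail service principal can put member-account log objects only when the request carries the expected `aws:SourceArn` and ACL, nothing in the bucket policy grants a delete, the application role can use its own queue but no other through the SQS endpoint, and the S3 gateway endpoint refuses any bucket other than the application's. Note that an endpoint policy is applied in addition to the caller's IAM identity policy and the bucket or queue policy; it narrows what the private path will carry, it does not grant anything on its own.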
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how can you prepare for the exam effectively? How can you prepare for the exam in a short time with less effort? How can you get an ideal result, and how can you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C02 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.