Amazon SCS-C02 Online Practice Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 851 Q&As
Last Updated: May 29, 2026
Amazon SCS-C02 Online Questions & Answers
Question 741:
A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?
A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
B. Create a new CMK. Use the original wrapping key and import token to import the original key material.
C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
D. Use the original wrapping key and import token. Import the original key material into the existing CMK.
Correct answer: C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
Question 742:
A company plans to move most of its IT infrastructure to IAM. The company wants to leverage its existing on-premises Active Directory as an identity provider for IAM.
Which steps should be taken to authenticate to IAM services using the company's on-premises Active Directory? (Choose three.)
A. Create IAM roles with permissions corresponding to each Active Directory group.
B. Create IAM groups with permissions corresponding to each Active Directory group.
C. Create a SAML provider with IAM.
D. Create a SAML provider with Amazon Cloud Directory.
E. Configure IAM as a trusted relying party for the Active Directory.
F. Configure IAM as a trusted relying party for Amazon Cloud Directory.
Correct answers: A. Create IAM roles with permissions corresponding to each Active Directory group. C. Create a SAML provider with IAM. E. Configure IAM as a trusted relying party for the Active Directory.
Reference: https://IAM.amazon.com/blogs/security/IAM-federated-authentication-with-active-directory-federation-services-ad-fs/
Question 743:
Your company has a requirement to monitor all root user activity by notification.
How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
A. Create a Cloudwatch Events Rule
B. Create a Cloudwatch Logs Rule
C. Use a Lambda function
D. Use Cloudtrail API call
Correct answers: A. Create a Cloudwatch Events Rule. C. Use a Lambda function.
Explanation: Below is a snippet from the IAM blogs on a solution. Option B is invalid because you need to create a Cloudwatch Events Rule; there is no such thing as a Cloudwatch Logs Rule. Option D is invalid because CloudTrail API calls can be recorded, but CloudTrail by itself cannot send notifications. For more information on this blog article, please visit the following URL: https://IAM.amazon.com/blogs/mt/monitor-and-notify-on-IAM-account-root-user-activityy
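The rule in the correct answer matches CloudTrail events in which the calling identity is the root user and hands them to a Lambda (or an SNS topic) as the target. The event pattern below is an added illustration written for this page, not a snippet from the AWS blog linked above; it assumes CloudTrail is delivering management events and console sign-in events to CloudWatch Events/EventBridge in the account, and it keys on the CloudTrail field userIdentity.type, whose value is "Root" for root-user activity.

```json
{
  "detail-type": [
    "AWS API Call via CloudTrail",
    "AWS Console Sign In via CloudTrail"
  ],
  "detail": {
    "userIdentity": {
      "type": ["Root"]
    }
  }
}
```

Attaching this pattern to a rule whose target is a Lambda function (which in turn publishes to SNS) gives the notification path the answer describes; a rule with an SNS topic as the direct target also works, but the question asks specifically for the Lambda-based variant. Because the pattern matches both API calls and console sign-ins, a root login with no subsequent API activity is still reported.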
Question 744:
In order to encrypt data in transit for a connection to an IAM RDS instance, which of the following would you implement?
A. Transparent data encryption
B. SSL from your application
C. Data keys from IAM KMS
D. Data Keys from CloudHSM
Correct answer: B. SSL from your application.
Explanation: This is mentioned in the IAM Documentation: you can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL. Option A is incorrect since Transparent data encryption is used for data at rest, not in transit. Options C and D are incorrect since those keys are used for encryption of data at rest. For more information on working with RDS and SSL, please refer to the URL below: https://docs.IAM.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Question 745:
A development team is creating an open source toolset to manage a company's software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset's code.
The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company's AWS environment
A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.
Which combination of steps will meet these requirements? (Choose two.)
A. Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.
B. Deactivate the exposed IAM access key from the user's IAM account.
C. Create a rule in Amazon GuardDuty to block the access key in the source code from being used.
D. Create a new IAM access key and secret key for the user whose credentials were exposed.
E. Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.
Correct answers: A. Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them. B. Deactivate the exposed IAM access key from the user's IAM account.
Question 746:
You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
A. IAM KMS
B. IAM S3 Server side encryption
C. IAM Customer Keys
D. IAM Cloud HSM
Correct answer: B. IAM S3 Server side encryption.
Explanation: The IAM Documentation mentions the following. Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. All other options are invalid since with them you manage the key set yourself and must ensure the keys are rotated; with IAM S3 Server side encryption, IAM manages key rotation automatically. For more information on Server side encryption, please visit the following URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsineServerSideEncryption.htmll
Question 747:
Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the IAM Account?
A. Use IAM Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
B. Use IAM Config Rules to check whether logging is enabled for buckets
C. Use IAM Cloudwatch metrics to check whether logging is enabled for buckets
D. Use IAM Cloudwatch logs to check whether logging is enabled for buckets
Correct answer: B. Use IAM Config Rules to check whether logging is enabled for buckets.
Explanation: This is given in the IAM Documentation as an example rule in IAM Config (example rule with a configuration change trigger):
1. You add the IAM Config managed rule, S3_BUCKET_LOGGING_ENABLED, to your account to check whether your Amazon S3 buckets have logging enabled.
2. The trigger type for the rule is configuration changes. IAM Config runs the evaluations for the rule when an Amazon S3 bucket is created, changed, or deleted.
3. When a bucket is updated, the configuration change triggers the rule and IAM Config evaluates whether the bucket is compliant against the rule.
Option A is invalid because IAM Inspector cannot be used to scan all buckets. Options C and D are invalid because Cloudwatch cannot be used to check whether logging is enabled for buckets. For more information on Config Rules please see the link below: https://docs.IAM.amazon.com/config/latest/developerguide/evaluate-config-rules.html
Question 748:
A financial institution has the following security requirements:
Cloud-based users must be contained in a separate authentication domain. Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)
A. Configure an IAM Managed Microsoft AD to manage the cloud resources.
B. Configure an additional on-premises Active Directory service to manage the cloud resources.
C. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
D. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
E. Establish a two-way trust between the new and existing Active Directory services.
Correct answers: A. Configure an IAM Managed Microsoft AD to manage the cloud resources. D. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
Explanation/Reference: Deploy a new forest/domain on IAM with a one-way trust. If you are planning on leveraging credentials from an on-premises AD on IAM member servers, you must establish at least a one-way trust to the Active Directory running on IAM. In this model, the IAM domain becomes the resource domain where computer objects are located, and the on-premises domain becomes the account domain.
Ref: https://d1.IAMstatic.com/whitepapers/adds-on-IAM.pdf https://docs.IAM.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html
Question 749:
A company's developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.
Which solution will meet these requirements?
A. Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
B. Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
C. Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.
D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.
Correct answer: D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.
Explanation/Reference: Using Service Control Policies (SCPs) in AWS Organizations to deny the lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions with the lambda:FunctionUrlAuthType condition key set to NONE will prevent the deployment of unauthenticated Lambda function URLs in production accounts. By enforcing this policy at the organization level, developers are automatically restricted from deploying unauthenticated functions, requiring no additional configuration or oversight from them. This solution effectively meets the security requirement without adding operational overhead.
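The SCP that implements the correct answer is short enough to show in full. The policy below is an added example written for this page, not text from the exam or from AWS documentation; it uses only the two actions and the condition key named in the answer, and it assumes the policy is attached to the production OU so that it applies to every account in it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnauthenticatedLambdaFunctionUrls",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    }
  ]
}
```

Two points explain why the deny form (option D) is preferred over the allow form (option C). SCPs are guardrails, not grants: an Allow statement in an SCP never gives a principal permissions it does not already have from an identity policy, so option C would still permit any caller whose IAM policy allows the action to set the auth type to NONE. An explicit Deny, by contrast, overrides every identity policy in the affected accounts, including those of administrators, which is exactly the "cannot configure or deploy" guarantee the question asks for. The SCP only governs the create and update API calls; function URLs that were created before the policy was attached are not changed by it and should be found and fixed separately, for example with an AWS Config rule.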
Question 750:
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to IAM Certificate Manager. Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)
A. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
B. Import the certificate with a 4,096-bit RSA public key.
C. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
D. Import the certificate in the us-east-1 (N. Virginia) Region.
E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Correct answers: D. Import the certificate in the us-east-1 (N. Virginia) Region. E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.