SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 71:

    What is the function of the following IAM Key Management Service (KMS) key policy attached to a customer master key (CMK)?

    A. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
    B. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and IAM.
    C. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
    D. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

  • Question 72:

    An application uses Amazon Cognito to manage end users' permissions when directly accessing IAM resources, including Amazon DynamoDB. A new feature request reads as follows:

    Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.

    The priorities are to reduce complexity and avoid potential for future security issues.

    Which approach will meet these requirements and priorities?

    A. Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
    B. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
    C. Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the lAM policy into normal users and suspended users.
    D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

  • Question 73:

    During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs. Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

    A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
    B. Log in to the IAM account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the "Alerting" state and restart them using the EC2 console.
    C. Verify that the EC2 instances have a route to the public IAM API endpoints.
    D. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
    E. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

  • Question 74:

    A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with IAM Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

    Which combination of steps should the security engineer perform? (Select THREE.)

    A. Open inbound port 22 to 0 0.0.0/0 on all Linux servers.
    B. Enable the advanced-instances tier in Systems Manager.
    C. Create a managed-instance activation for the on-premises servers.
    D. Reconfigure the Systems Manager Agent with the activation code and ID.
    E. Assign an IAM role to all of the on-premises servers.
    F. Initiate an inventory collection with Systems Manager on the on-premises servers

  • Question 75:

    A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.

    Which combination of AWS services and features will provide protection in this scenario? (Choose three.)

    A. Amazon Route 53
    B. AWS Certificate Manager (ACM)
    C. Amazon S3
    D. AWS Shield
    E. Network Load Balancer
    F. Amazon GuardDuty

  • Question 76:

    A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS

    service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.

    How should the security engineer build the MOST secure solution?

    A. Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header
    B. Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.
    C. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.
    D. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

  • Question 77:

    A company needs to analyze access logs for an Application Load Balancer (ALB). The ALB directs traffic to the company's online login portal. The company needs to use visualizations to identify login attempts by bots from a list of known IP sources.

    Which solution will meet these requirements?

    A. Configure the ALB to send logs directly to Amazon CloudWatch Logs. Analyze and visualize the logs by using CloudWatch Logs Insights.
    B. Configure the ALB to send logs directly to Amazon Redshift. Analyze the logs by using SQL queries. Visualize the logs by using custom reports.
    C. Configure the ALB to send logs directly to Amazon OpenSearch Service. Analyze the logs by using OpenSearch dashboards. Visualize the logs by using custom OpenSearch dashboards.
    D. Configure the ALB to send logs directly to an Amazon S3 bucket. Analyze the logs by using Amazon Athena. Visualize the logs by using Amazon QuickSight.

  • Question 78:

    Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

    A. Use the containers to automate security deployments.
    B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
    C. Segregate containers by host, function, and data classification.
    D. Use Docker Notary framework to sign task definitions.
    E. Enable container breakout at the host kernel.

  • Question 79:

    A company has a multi-account strategy that uses an organization in AWS Organizations with all features enabled. The company has enabled trusted access for AWS Account Management. New accounts are provisioned through AWS

    Control Tower Account Factory.

    The company must ensure that all new accounts in the organization become AWS Security Hub member accounts.

    Which solution will meet these requirements with the LEAST development effort?

    A. Enable Security Hub in the organization's management account. Create an AWS Step Functions workflow. Create an Amazon EventBridge rule to invoke the workflow when a CreateAccount event occurs.
    B. Enable Security Hub in the organization's management account. Wait for all new accounts to complete automatic onboarding.
    C. Enable Security Hub in the organization's management account. Create an AWS Lambda function to enable Security Hub for new accounts. Invoke the Lambda function by using an AWS Control Tower lifecycle event that occurs when a new account is provisioned.
    D. Use the organization's management account to designate a Security Hub delegated administrator account. In the delegated administrator account, create a configuration policy to enable Security Hub. Associate the configuration policy with the organization root.

  • Question 80:

    Your development team has started using IAM resources for development purposes. The IAM account has just been created. Your IT Security team is worried about possible leakage of IAM keys.

    What is the first level of measure that should be taken to protect the IAM account.

    A. Delete the IAM keys for the root account
    B. Create IAM Groups
    C. Create IAM Roles
    D. Restrict access using IAM policies

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.