Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:Jul 12, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 791:
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket example bucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?
A. Use envelope encryption with the IAM-managed CMK IAM/s3. B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${IAM:username}" variable. C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy. D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:IAM:s3:::examplebucket/${IAM:username}/*"
B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${IAM:username}" variable. Explanation Explanation/Reference:https://IAM.amazon.com/premiumsupport/knowledge-center/iam-s3-user- specific-folder/
Question 792:
You have a set of Customer keys created using the IAM KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this?
A. You have not explicitly given access via the key policy B. You have not explicitly given access via the IAM policy C. You have not given access via the IAM roles D. You have not explicitly given access via IAM users
A. You have not explicitly given access via the key policy By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explii update the default key policy for these keys. Option B,C and D are invalid because the key policy is the main entity used to provide access to the keys For more information on upgrading key policies please visit the following URL: https://docs.IAM.ama20n.com/kms/latest/developerguide/key-policy-upgrading.html ( The correct answer is: You have not explicitly given access via the key policy Submit your Feedback/Queries to our Experts
Question 793:
A security engineer needs to analyze Apache web server access logs that are stored in an Amazon S3 bucket. Amazon EC2 instance web servers generated the logs. The EC2 instances have the Amazon CloudWatch agent installed and configured to report their access logs.
The security engineer needs to use a query in Amazon Athena to analyze the logs. The query must identify IP addresses that have attempted and failed to access restricted web server content held at the /admin URL path. The query also must identify the URLs that the IP addresses attempted to access.
Which query will meet these requirements?
A. SELECT client_ip, client_request FROM logs WHERE client_request LIKE '%/admin%!' AND server_status = '403' B. SELECT client_ip FROM logs WHERE client_request CONTAINS '%/admin%' AND server_status = '401' GROUP BY client_ip C. SELECT DISTINCT (client_ip), client_request, client_id FROM logs WHERE server status = `403' LIMIT 1000 D. SELECT DISTINCT (client_ip), client_request FROM logs WHERE user_id `admin' AND server_status = `401!'
A. SELECT client_ip, client_request FROM logs WHERE client_request LIKE '%/admin%!' AND server_status = '403' This query identifies the IP addresses (client_ip) that attempted to access restricted content (i.e., the /admin URL path) by checking the client_request field for requests that contain /admin. The query also filters by server_status = '403', which indicates that the access was forbidden (meaning the request was made but access was denied, typically due to permission issues). The query retrieves both the client_ip (to identify the source of the failed attempts) and client_request (to identify the URLs that the IPs attempted to access). This approach directly satisfies the requirement to find failed access attempts to the /admin URL path and the associated attempted URLs.
Question 794:
A company uses AWS Organizations to manage an organization that consists of three workload OUs. Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.
The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in.an account in the Production OU, the update fails. The error message reports insufficient IAM permissions.
What is the FIRST step that a security engineer should take to troubleshoot this issue?
A. Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt. B. Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls. C. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template. D. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.
A. Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt. Explanation Explanation/Reference:Reviewing AWS CloudTrail logs is the first step to determine which specific API calls failed due to insufficient permissions. CloudTrail logs will show which actions were attempted by AWS CloudFormation and which permissions were denied. This information will help identify if the issue is caused by a restrictive Service Control Policy (SCP) or an IAM role permission issue, providing a clear path for troubleshooting.
Question 795:
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs)
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)
A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs. B. Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment. C. Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment. D. Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances E. Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.
C. Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment. D. Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances
Question 796:
A consultant agency needs to perform a security audit for a company's production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account.
The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.
Which solution will provide the consultant agency with access that meets these requirements?
A. Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant. B. Configure Amazon Cognito on the company's production account to authenticate against the consultant agency's identity provider (IdP). Add MFA to a Cognito user pool. C. Create an IAM role in the consultant agency's AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company's production account as the principal. Attach the trust policy to the role. D. Create an IAM role in the company's production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency's AWS account as the principal. Attach the trust policy to the role.
D. Create an IAM role in the company's production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency's AWS account as the principal. Attach the trust policy to the role. Explanation Explanation/Reference:To allow consultants from an external AWS account to access the production account while enforcing MFA and avoiding long-term credentials, you should create an IAM role in the production account and establish a trust relationship with the consultant's AWS account. This trust policy will require MFA, and the role can be assumed by users in the consultant agency's account.
Question 797:
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions
Because the video events last for several hours, the total video is made up of thousands of chunks
The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?
A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content. B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content. C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content D. Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.
B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
Question 798:
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege. (Select two.)
A. Configure and assign an MFA device to the role used by the instances. B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances. C. Verify that the access key attached to the role used by the instances is active. D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances. E. Verify that the role attached to the instances contains policies that allow access to the queue.
B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances. E. Verify that the role attached to the instances contains policies that allow access to the queue.
Question 799:
You have a requirement to conduct penetration testing on the IAM Cloud for a couple of EC2 Instances. How could you go about doing this? Choose 2 right answers from the options given below.
A. Get prior approval from IAM for conducting the test B. Use a pre-approved penetration testing tool. C. Work with an IAM partner and no need for prior approval request from IAM D. Choose any of the IAM instance type
A. Get prior approval from IAM for conducting the test B. Use a pre-approved penetration testing tool. You can use a pre-approved solution from the IAM Marketplace. But till date the IAM Documentation still mentions that you have to get prior approval before conducting a test on the IAM Cloud for EC2 Instances. Option C and D are invalid because you have to get prior approval first. IAM Docs Provides following details: "For performing a penetration test on IAM resources first of all we need to take permission from IAM and complete a requisition form and submit it for approval. The form should contain information about the instances you wish to test identify the expected start and end dates/times of your test and requires you to read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing. Note that the end date may not be more than 90 days from the start date." ( At this time, our policy does not permit testing small or micro RDS instance types. Testing of ml .small, t1 .micro or t2.nano EC2 instance types is not permitted. For more information on penetration testing please visit the following URL: https://IAM.amazon.eom/security/penetration-testine/l The correct answers are: Get prior approval from IAM for conducting the test Use a pre- approved penetration testing tool. Submit your Feedback/Queries to our Experts
Question 800:
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these IAM CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?
A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's IAM account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action. C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes. D. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action. MetricFilter: Type: 'IAM::Logs::MetricFilter' Properties: LogGroupName: '' FilterPattern: >{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) } MetricTransformations: -MetricValue: '1' MetricNamespace: CloudTrailMetrics MetricName: SecurityGroupEventCount
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.