SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 801:

    A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on IAM must be continually monitored for security related messages.

    What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?

    A. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
    B. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.
    C. Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.
    D. Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

  • Question 802:

    A company's Director of information Security wants a daily email report from IAM that contains recommendations for each company account to meet IAM Security best practices. Which solution would meet these requirements?

    A. in every IAM account, configure IAM Lambda to query me IAM Support API tor IAM Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.
    B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings
    C. Use Amazon Athena and Amazon QuickSight to build reports off of IAM CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS
    D. Use IAM Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

  • Question 803:

    A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account. For added security, the logs are stored using server-side encryption with IAM KMS- managed keys (SSE-KMS) and have log integrity validation enabled.

    While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

    A. The log files fail integrity validation and automatically are marked as unavailable.
    B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
    C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
    D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

  • Question 804:

    A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:

    1.

    Storage is accessible by using only VPCs.

    2.

    Service has tamper-evident controls.

    3.

    Access logging is enabled.

    4.

    Storage has high availability.

    Which of the following services meets these requirements?

    A. Amazon S3 with default encryption
    B. IAM CloudHSM
    C. Amazon DynamoDB with server-side encryption
    D. IAM Systems Manager Parameter Store

  • Question 805:

    A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes What is the MOST secure way to accomplish this?

    A. Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool
    B. Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date
    C. Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs
    D. Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

  • Question 806:

    A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.

    Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.

    The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to

    take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.

    Which solution will meet these requirements in the MOST operationally efficient way?

    A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
    B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
    C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
    D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation stack to the repository for the developers to use.

  • Question 807:

    You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the belov methods would be the best both practically and security-wise, to access the tables? Choose the correct answer from the options below

    A. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.
    B. Create an HSM client certificate in Redshift and authenticate using this certificate.
    C. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
    D. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

  • Question 808:

    A Devops team is currently looking at the security aspect of their CI/CD pipeline. They are making use of IAM resource? for their infrastructure. They want to ensure that the EC2 Instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?

    A. Use IAM Config to check the state of the EC2 instance for any sort of security issues.
    B. Use IAM Inspector API's in the pipeline for the EC2 Instances
    C. Use IAM Trusted Advisor API's in the pipeline for the EC2 Instances
    D. Use IAM Security Groups to ensure no vulnerabilities are present

  • Question 809:

    A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.

    The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

    The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon Cloud-Watch Logs as the destination.

    Which additional set of steps should the security engineer take to meet the re-quirements?

    A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the log-ging configuration for any AWS WAF web ACLs.
    B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the log-ging configuration for any AWS WAF web ACLs.
    C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
    D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

  • Question 810:

    Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?

    A. Create a powershell script using the IAM CLI. Query for all resources with the tag of production.
    B. Create a bash shell script with the IAM CLI. Query for all resources in all regions. Store the results in an S3 bucket.
    C. Use Cloud Trail to get the list of all resources
    D. Use IAM Config to get the list of all resources

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.