SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 811:

    A company has set up the following structure to ensure that their S3 buckets always have logging enabled

    If there are any changes to the configuration to an S3 bucket, a config rule gets checked. If logging is disabled , then Lambda function is invoked. This Lambda function will again enable logging on the S3 bucket. Now there is an issue being encoutered with the entire flow. You have verified that the Lambda function is being invoked. But when logging is disabled for the bucket, the lambda function does not enable it again. Which of the following could be an issue

    A. The IAM Config rule is not configured properly
    B. The IAM Lambda function does not have appropriate permissions for the bucket
    C. The IAM Lambda function should use Node.js instead of python.
    D. You need to also use the API gateway to invoke the lambda function

  • Question 812:

    An organization has a system in IAM that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

    Which solution would remediate the audit finding while minimizing the effort required?

    A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
    B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
    C. Use IAM Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
    D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.

  • Question 813:

    Which option for the use of the IAM Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

    A. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
    B. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
    C. Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
    D. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

  • Question 814:

    You have a vendor that needs access to an IAM resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

    A. An IAM Managed Policy
    B. An Inline Policy
    C. A Bucket Policy
    D. A bucket ACL

  • Question 815:

    A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.

    The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:

    1.

    A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.

    2.

    A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.

    3.

    A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

    4.

    Any investigative activity during the collection of volatile data must be cap-tured as part of the process.

    Which combination of steps should the security engineer take to meet these re-quirements with the LEAST operational overhead? (Select THREE.)

    A. Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
    B. Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
    C. Use Systems Manager Run Command to invoke scripts that collect volatile data.
    D. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
    E. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.
    F. Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

  • Question 816:

    A company has hired a third-party security auditor, and the auditor needs read-only access to all IAM resources and logs of all VPC records and events that have occurred on IAM. How can the company meet the auditor's requirements without comprising security in the IAM environment? Choose the correct answer from the options below

    A. Create a role that has the required permissions for the auditor.
    B. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the IAM environment.
    C. The company should contact IAM as part of the shared responsibility model, and IAM will grant required access to th^ third-party auditor.
    D. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs.

  • Question 817:

    Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

    A. Use the application to rotate the keys in every 2 months via the SDK
    B. Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
    C. Delete the user associated with the keys after every 2 months. Then recreate the user again.
    D. Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

  • Question 818:

    An employee keeps terminating EC2 instances on the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below

    A. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <
    B. Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.
    C. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
    D. Modify the IAM policy on the user to require MFA before deleting EC2 instances

  • Question 819:

    A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read:

    UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.

    The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

    What is the first step the security engineer should take?

    A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
    B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
    C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
    D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

  • Question 820:

    Development teams in your organization use S3 buckets to store the log files for various applications hosted ir development environments in IAM. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?

    A. Adding a bucket policy on the S3 bucket.
    B. Configuring lifecycle configuration rules on the S3 bucket.
    C. Creating an IAM policy for the S3 bucket.
    D. Enabling CORS on the S3 bucket.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.