Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:Jul 12, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 821:
Your company is hosting a set of EC2 Instances in IAM. They want to have the ability to detect if any port scans occur on their IAM EC2 Instances. Which of the following can help in this regard?
A. Use IAM inspector to consciously inspect the instances for port scans B. Use IAM Trusted Advisor to notify of any malicious port scans C. Use IAM Config to notify of any malicious port scans D. Use IAM Guard Duty to monitor any malicious port scans
D. Use IAM Guard Duty to monitor any malicious port scans The IAM blogs mention the following to support the use of IAM GuardDuty GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your IAM accounts. In combination with information gleaned from your VPC Flow Logs, IAM CloudTrail Event Logs, and DNS logs, th allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the IAM side, it looks for suspicious IAM account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to IAM API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency. Options A, B and C are invalid because these services cannot be used to detect port scans For more information on IAM Guard Duty, please refer to the below Link: https://IAM.amazon.com/blogs/IAM/amazon-guardduty-continuous-security-monitoring- threat-detection; ( The correct answer is: Use IAM Guard Duty to monitor any malicious port scans Submit your Feedback/Queries to our Experts
Question 822:
A company is planning on extending their on-premise IAM Infrastructure to the IAM Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below
A. IAM VPN B. IAM VPC Peering C. IAM NAT gateways D. IAM Direct Connect
A. IAM VPN D. IAM Direct Connect The IAM Document mention the following which supports the requirement Option B is invalid because VPC peering is only used for connection between VPCs and cannot be used to connect On-premise infrastructure to the IAM Cloud. Option C is invalid because NAT gateways is used to connect instances in a private subnet to the internet For more information on VPN Connections, please visit the following url https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/pn-connections.html The correct answers are: IAM VPN, IAM Direct Connect Submit your Feedback/Queries to our Experts
Question 823:
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
Please select:
A. Add the EC2 instance role as a trusted service to the SSM service role. B. Add permission to use the KMS key to decrypt to the SSM service role. C. Add permission to read the SSM parameter to the EC2 instance role. . D. Add permission to use the KMS key to decrypt to the EC2 instance role E. Add the SSM service role as a trusted service to the EC2 instance role.
C. Add permission to read the SSM parameter to the EC2 instance role. . D. Add permission to use the KMS key to decrypt to the EC2 instance role The below example policy from the IAM Documentation is required to be given to the EC2 Instance in order to read a secure string from IAM KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret. Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM Option B is invalid because the KMS key does not need to decrypt the SSM service role. Option E is invalid because this configuration is valid For more information on the parameter store, please visit the below URL: https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.htmll The correct answers are: Add permission to read the SSM parameter to the EC2 instance role., Add permission to use the KMS key to decrypt to the EC2 instance role Submit your Feedback/Queries to our Experts
Question 824:
A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices. Which approach should the security engineer take to meet this requirement?
A. Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks. B. Review AWS Trusted Advisor checks for all accounts in the organization. C. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts. D. Ensure that Amazon Inspector agents are installed on all Amazon EC2 in-stances in all accounts.
A. Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.
Question 825:
A Security Engineer is setting up a new IAM account. The Engineer has been asked to continuously monitor the company's IAM account using automated compliance checks based on IAM best practices and Center for Internet Security (CIS) IAM Foundations Benchmarks
How can the Security Engineer accomplish this using IAM services?
A. Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled B. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the Amazon Inspector findings C. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks. D. Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.
A. Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled Explanation Explanation/Reference:https://docs.IAM.amazon.com/securityhub/latest/userguide/securityhub- standards-cis-config-resources.html
Question 826:
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download. Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?
A. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket. B. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances. C. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer. D. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.
D. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server. Explanation Explanation/Reference:https://docs.IAM.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
Question 827:
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)
A. Detach the elastic network interface from the EC2 instance. B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance. C. Disable any Amazon Route 53 health checks associated with the EC2 instance. D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group. E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance. F. Add a rule to an IAM WAF to block access to the EC2 instance.
B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance. D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group. E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance. Explanation Explanation/Reference:https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf
Question 828:
A company's network security policy requires encryption for all data in transit. The company must encrypt data that is sent between Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes. Which solution will meet this requirement?
A. Configure Amazon EC2 to enable encryption in the EC2 network interface properties. B. Configure Amazon EBS to enable volume encryption with AWS Key Management Service (AWS KMS) for data at rest. C. Configure Amazon EBS to enable TLS encryption in the volume configuration properties. D. Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM).
D. Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM). Explanation Explanation/Reference:Comprehensive Detailedwith all AWS References To ensure encryption for all data in transit between EC2 instances and EBS volumes, TLS encryption must be implemented. While EBS volume encryption secures data at rest, the requirement here is to secure data in transit. TLS Encryption with ACM Certificates: AWS TLS Encryption Documentation Incorrect Options: Option A: Encryption in the EC2 network interface properties is not a valid configuration. Option B: EBS volume encryption secures data at rest, not in transit. Option C: TLS encryption cannot be configured in EBS volume properties.
Question 829:
You have a web site that is sitting behind IAM Cloudfront. You need to protect the web site against threats such as SQL injection and Cross site scripting attacks. Which of the following service can help in such a scenario Please select:
A. IAM Trusted Advisor B. IAM WAF C. IAM Inspector D. IAM Config
B. IAM WAF Explanation Explanation/Reference:The IAM Documentation mentions the following IAM WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. IAM WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With IAM WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect. Option A is invalid because this will only give advise on how you can better the security in your IAM account but not protect against threats mentioned in the question. Option C is invalid because this can be used to scan EC2 Instances for vulnerabilities but not protect against threats mentioned in the question. Option D is invalid because this can be used to check config changes but not protect against threats mentioned in the quest For more information on IAM WAF, please visit the following URL: https://IAM.amazon.com/waf/details; The correct answer is: IAM WAF Submit your Feedback/Queries to our Experts
Question 830:
A company has decided to use encryption in its IAM account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16.000 B to 5 MB. The requirements are as follows:
The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine. The key material must be available in multiple Regions.
Which option meets these requirements?
A. Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions B. Use an IAM customer managed key, import the key material into IAM KMS using in- house IAM CloudHSM. and store the key material securely in Amazon S3. C. Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions D. Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
D. Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.