SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 821:

    Your company is hosting a set of EC2 Instances in IAM. They want to have the ability to detect if any port scans occur on their IAM EC2 Instances. Which of the following can help in this regard?

    A. Use IAM inspector to consciously inspect the instances for port scans
    B. Use IAM Trusted Advisor to notify of any malicious port scans
    C. Use IAM Config to notify of any malicious port scans
    D. Use IAM Guard Duty to monitor any malicious port scans

  • Question 822:

    A company is planning on extending their on-premise IAM Infrastructure to the IAM Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below

    A. IAM VPN
    B. IAM VPC Peering
    C. IAM NAT gateways
    D. IAM Direct Connect

  • Question 823:

    An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below

    Please select:

    A. Add the EC2 instance role as a trusted service to the SSM service role.
    B. Add permission to use the KMS key to decrypt to the SSM service role.
    C. Add permission to read the SSM parameter to the EC2 instance role. .
    D. Add permission to use the KMS key to decrypt to the EC2 instance role
    E. Add the SSM service role as a trusted service to the EC2 instance role.

  • Question 824:

    A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices. Which approach should the security engineer take to meet this requirement?

    A. Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.
    B. Review AWS Trusted Advisor checks for all accounts in the organization.
    C. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.
    D. Ensure that Amazon Inspector agents are installed on all Amazon EC2 in-stances in all accounts.

  • Question 825:

    A Security Engineer is setting up a new IAM account. The Engineer has been asked to continuously monitor the company's IAM account using automated compliance checks based on IAM best practices and Center for Internet Security (CIS) IAM Foundations Benchmarks

    How can the Security Engineer accomplish this using IAM services?

    A. Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled
    B. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the Amazon Inspector findings
    C. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks.
    D. Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.

  • Question 826:

    A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download. Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

    A. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.
    B. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.
    C. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
    D. Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

  • Question 827:

    An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)

    A. Detach the elastic network interface from the EC2 instance.
    B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
    C. Disable any Amazon Route 53 health checks associated with the EC2 instance.
    D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
    E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
    F. Add a rule to an IAM WAF to block access to the EC2 instance.

  • Question 828:

    A company's network security policy requires encryption for all data in transit. The company must encrypt data that is sent between Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes. Which solution will meet this requirement?

    A. Configure Amazon EC2 to enable encryption in the EC2 network interface properties.
    B. Configure Amazon EBS to enable volume encryption with AWS Key Management Service (AWS KMS) for data at rest.
    C. Configure Amazon EBS to enable TLS encryption in the volume configuration properties.
    D. Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM).

  • Question 829:

    You have a web site that is sitting behind IAM Cloudfront. You need to protect the web site against threats such as SQL injection and Cross site scripting attacks. Which of the following service can help in such a scenario Please select:

    A. IAM Trusted Advisor
    B. IAM WAF
    C. IAM Inspector
    D. IAM Config

  • Question 830:

    A company has decided to use encryption in its IAM account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16.000 B to 5 MB. The requirements are as follows:

    The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine. The key material must be available in multiple Regions.

    Which option meets these requirements?

    A. Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions
    B. Use an IAM customer managed key, import the key material into IAM KMS using in- house IAM CloudHSM. and store the key material securely in Amazon S3.
    C. Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions
    D. Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.