SCS-C02 Exam Details

  • Exam Code
    :SCS-C02
  • Exam Name
    :AWS Certified Security - Specialty (SCS-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :851 Q&As
  • Last Updated
    :Jul 12, 2026

Amazon SCS-C02 Online Questions & Answers

  • Question 81:

    A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

    What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

    A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
    B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
    C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
    D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

  • Question 82:

    A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption SSE-C, which of the below mentioned statements is true?

    A. The user should use the same encryption key for all versions of the same object
    B. It is possible to have different encryption keys for different versions of the same object
    C. IAM S3 does not allow the user to upload his own keys for server side encryption
    D. The SSE-C does not work when versioning is enabled

  • Question 83:

    You are deivising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy

    But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error

    Please select:

    A. Change the IAM permissions by applying PutBucketPolicy permissions.
    B. Verify that the policy has the same name as the bucket name. If not. make it the same.
    C. Change the Resource section to "arn:IAM:s3:::appbucket/*'.
    D. Create the bucket "appbucket" and then apply the policy.

  • Question 84:

    You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?

    A. Enable cross region replication for the bucket
    B. Write a script to copy the objects to another bucket in the destination region
    C. Create an S3 snapshot in the destination region
    D. Enable versioning which will copy the objects to the destination region

  • Question 85:

    A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key.

    The company wants to allow AWS Lambda to use the KMS key However, the company wants to prevent Amazon EC2 from using the key.

    Which solution will meet these requirements?

    A. Create an IAM policy that explicitly denies permission to the key Attach the policy to all EC2 instance profiles Create an IAM policy that explicitly allows permission to the key Attach the policy to all Lambda function roles.
    B. Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda IAM role as the principal.
    C. Create a custom key policy tor the key Use the aws Sourcelp condition key to deny access to requests from Amazon EC2 Use the aws: Authorized Service condition key to allow access to requests from Lambda Use the Lambda IAM role as the principal.
    D. Create an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda Attach the SCP to the AWS account.

  • Question 86:

    A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.

    Which action should the Security Engineer take to allow communication over the public IP addresses?

    A. Associate the instances to the same security groups.
    B. Add 0.0.0.0/0 to the egress rules of the instance security groups.
    C. Add the instance IDs to the ingress rules of the instance security groups.
    D. Add the public IP addresses to the ingress rules of the instance security groups.

  • Question 87:

    You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

    A. Generate pre-signed URLs for each user as they request access to protected S3 content
    B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
    C. Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials
    D. Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

  • Question 88:

    A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.

    The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

    Which network ACL rule set meets these requirements?

    A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
    B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
    C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
    D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

  • Question 89:

    A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

    A. Configure Amazon CloudWatch Logs Insights
    B. Create an Amazon CloudWatch dashboard
    C. Configure AWS Security Hub integrations
    D. Query the findings by using Amazon Athena

  • Question 90:

    A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

    How can the security engineer meet these requirements?

    A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.
    B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.
    C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
    D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.