Amazon SCS-C02 Online Practice
Questions and Exam Preparation
SCS-C02 Exam Details
Exam Code
:SCS-C02
Exam Name
:AWS Certified Security - Specialty (SCS-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:851 Q&As
Last Updated
:Jul 12, 2026
Amazon SCS-C02 Online Questions &
Answers
Question 81:
A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.
What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?
A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint. B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint. C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint. D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.
C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint. In an AWS environment where a VPC has no internet access and requires communication with AWS services such as Secrets Manager, the most secure method is to use an interface VPC endpoint (AWS PrivateLink). This allows private connectivity to services like Secrets Manager, enabling AWS Lambda functions and other resources within the VPC to access Secrets Manager without requiring an internet gateway, NAT gateway, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. This option is more secure than creating a NAT gateway because it doesn't expose the resources to the internet and adheres to the principle of least privilege by providing direct access to only the required service.
Question 82:
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption SSE-C, which of the below mentioned statements is true?
A. The user should use the same encryption key for all versions of the same object B. It is possible to have different encryption keys for different versions of the same object C. IAM S3 does not allow the user to upload his own keys for server side encryption D. The SSE-C does not work when versioning is enabled
B. It is possible to have different encryption keys for different versions of the same object anaging your own encryption keys, y You can encrypt the object and send it across to S3 Option A is invalid because ideally you should use different encryption keys Option C is invalid because you can use you own encryption keys Option D is invalid because encryption works even if versioning is enabled For more information on client side encryption please visit the below Link: ""Keys.html https://docs.IAM.ama2on.com/AmazonS3/latest/dev/UsingClientSideEncryption.html The correct answer is: It is possible to have different encryption keys for different versions of the same object Submit your Feedback/Queries to our Experts
Question 83:
You are deivising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy
But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error
Please select:
A. Change the IAM permissions by applying PutBucketPolicy permissions. B. Verify that the policy has the same name as the bucket name. If not. make it the same. C. Change the Resource section to "arn:IAM:s3:::appbucket/*'. D. Create the bucket "appbucket" and then apply the policy.
C. Change the Resource section to "arn:IAM:s3:::appbucket/*'. When you define access to objects in a bucket you need to ensure that you specify to which objects in the bucket access needs to be given to. In this case, the * can be used to assign the permission to all objects in the bucket Option A is invalid because the right permissions are already provided as per the question requirement Option B is invalid because it is not necessary that the policy has the same name as the bucket Option D is invalid because this should be the default flow for applying the policy For more information on bucket policies please visit the below URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies.htmll The correct answer is: Change the Resource section to "arn:IAM:s3:::appbucket/" Submit your Feedback/Queries to our Experts
Question 84:
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
A. Enable cross region replication for the bucket B. Write a script to copy the objects to another bucket in the destination region C. Create an S3 snapshot in the destination region D. Enable versioning which will copy the objects to the destination region
A. Enable cross region replication for the bucket Option B is partially correct but a big maintenance over head to create and maintain a script when the functionality is already available in S3 Option C is invalid because snapshots are not available in S3 Option D is invalid because versioning will not replicate objects The IAM Documentation mentions the following Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buck in different IAM Regions. For more information on Cross region replication in the Simple Storage Service, please visit the below URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/crr.html The correct answer is: Enable cross region replication for the bucket Submit your Feedback/Queries to our Experts
Question 85:
A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key.
The company wants to allow AWS Lambda to use the KMS key However, the company wants to prevent Amazon EC2 from using the key.
Which solution will meet these requirements?
A. Create an IAM policy that explicitly denies permission to the key Attach the policy to all EC2 instance profiles Create an IAM policy that explicitly allows permission to the key Attach the policy to all Lambda function roles. B. Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda IAM role as the principal. C. Create a custom key policy tor the key Use the aws Sourcelp condition key to deny access to requests from Amazon EC2 Use the aws: Authorized Service condition key to allow access to requests from Lambda Use the Lambda IAM role as the principal. D. Create an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda Attach the SCP to the AWS account.
B. Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda IAM role as the principal.
Question 86:
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.
Which action should the Security Engineer take to allow communication over the public IP addresses?
A. Associate the instances to the same security groups. B. Add 0.0.0.0/0 to the egress rules of the instance security groups. C. Add the instance IDs to the ingress rules of the instance security groups. D. Add the public IP addresses to the ingress rules of the instance security groups.
D. Add the public IP addresses to the ingress rules of the instance security groups. Explanation Explanation/Reference:https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/security-group-rules- reference.html#sg-rules-other-instances
Question 87:
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
A. Generate pre-signed URLs for each user as they request access to protected S3 content B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user C. Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials D. Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user
A. Generate pre-signed URLs for each user as they request access to protected S3 content All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able upload a specific object to your bucket but you don't require them to have IAM security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. Option B is invalid because this would be too difficult to implement at a user level. Option C is invalid because this is not possible Option D is invalid because this is used to serve private content via Cloudfront For more information on pre-signed urls, please refer to the Link: http://docs.IAM.amazon.com/AmazonS3/latest/dev/PresienedUrlUploadObiect.htmll The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content Submit your Feedback/Queries to our Experts
Question 88:
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.
The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.
Which network ACL rule set meets these requirements?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443. B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443. C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443. D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443. In a network ACL, rules are processed in order, so the numbering of the rules is important. The solution requires: Outbound traffic on port 443 (TLS) to reach an internet service. Inbound traffic on port 3306 (MySQL) to be denied. The correct rule set: Inbound rule 100 denies traffic on TCP port 3306 to block MySQL access. Inbound rule 200 allows TCP port range 1024-65535, which is required for ephemeral ports used in response to outbound connections on port 443. Outbound rule 100 allows TCP port 443, permitting the required outbound traffic. This configuration meets the requirements by ensuring that only traffic initiated outbound on port 443 can receive responses on ephemeral ports, and inbound MySQL traffic on port 3306 is denied.
Question 89:
A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.
A. Configure Amazon CloudWatch Logs Insights B. Create an Amazon CloudWatch dashboard C. Configure AWS Security Hub integrations D. Query the findings by using Amazon Athena
C. Configure AWS Security Hub integrations Comprehensive Detailedwith all AWS References To achieve centralized visibility of security findings from Amazon GuardDuty detectors in multiple AWS accounts under an AWS Organization, the best approach is to integrate GuardDuty with AWS Security Hub. AWS Security Hub Overview: eference: AWS Security Hub Integration Guide Steps to Configure: Enable AWS Security Hub in the management account. Integrate GuardDuty with Security Hub by enabling the integration in each member account. Security Hub will automatically aggregate and centralize findings from all accounts in the organization. Managing Findings Across AWS Accounts Why Not Other Options? Option A (CloudWatch Logs Insights): While CloudWatch Logs Insights can analyze logs, it does not provide a centralized dashboard for GuardDuty findings across accounts. Option B (CloudWatch Dashboard): Dashboards are primarily for metrics visualization, not GuardDuty findings. Option D (Amazon Athena): Athena can query findings stored in Amazon S3, but it does not provide real-time centralized visibility or a security-specific interface like Security Hub.
Question 90:
A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.
How can the security engineer meet these requirements?
A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user. B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account. C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations. D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.