2024 SCS-C02 Exam Prep: Practice Tests & Study Materials, AWS Certified Security - Specialty | SPOTO

Prepare effectively for the 2024 SCS-C02 exam with SPOTO's comprehensive practice tests and study materials. As an AWS Certified Security - Specialty certification candidate, you'll benefit from our updated resources designed to enhance your understanding and mastery of AWS security solutions. Our exam preparation materials include a wide range of resources such as exam questions, sample questions, and exam dumps, all meticulously curated to align with the exam objectives. Access free quizzes and exam materials to reinforce your knowledge and readiness. With SPOTO's exam simulator, you can simulate real exam scenarios, practice exam questions and answers, and assess your performance to identify areas for improvement. Our platform is designed to support your exam practice, ensuring you're well-prepared to excel in the SCS-C02 certification exam.

Question #1
A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised. What immediate action should the security engineer take?
A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic
C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan
D. Take a snapshot of the suspicious EC2 instance
E. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis
Correct Answer: C
Question #2
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated
B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs
C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs
D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call
Correct Answer: BC
Question #3
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?
A. Place each file into a different S3 bucket
B. Set the default encryption of each bucket to use a different AWS KMS customer managed key
C. Put all the files in the same S3 bucket
D. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys
E. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
F. Place all the files in the same S3 bucket
Correct Answer: B
Question #4
A global company must mitigate and respond to DDoS attacks at Layers 3, 4, and 7. All of the company's AWS applications are serverless, with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53. Which solution will meet these requirements?
A. Use AWS WAF with an upgrade to the AWS Business support plan
B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
C. Use AWS Shield Advanced
D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all ingress traffic
Correct Answer: A
Question #5
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?
A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE"
B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs
C. Obtain the output from the EC2 instance metadata using: curl http://169
D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events
Correct Answer: BDF
Question #6
A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets. How should this be accomplished?
A. Use SCPs
B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles
C. Use an S3 bucket policy
D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3
Correct Answer: A
Question #7
A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues: The Lambda function has internet access. The relational database is publicly accessible. The database credentials are not stored in an encrypted state. W
A. Disable public access to the RDS database inside the VPC
B. Move all the Lambda functions inside the VPC
C. Edit the IAM role used by Lambda to restrict internet access
D. Create a VPC endpoint for Systems Manager
E. Store the credentials as a string parameter
F. Change the parameter type to an advanced parameter
Correct Answer: ABE
Question #8
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data
B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role
C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS
D. Remove the scripts from the instance and clear the logs after the instance is configured
E. Block user access of the EC2 instance's metadata service using IAM policies
F. Remove all scripts and clear the logs after execution
Correct Answer: CE
Question #9
A company's information security team wants to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs to gather logs from all of the company's AWS accounts in a single place. How should the Security Engineer go about doing this?
A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account
B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account
C. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer
D. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources
E. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account
F. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account
Correct Answer: D
Question #10
A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a security engineer resolve these issues?
A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days
B. Configure Amazon Inspector to provide a notification when a policy change is made to resources
C. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources
D. Configure Amazon CloudWatch to export log groups to Amazon S3
E. Create an AWS CloudTrail trail that stores audit logs in Amazon S3
Correct Answer: A
Question #11
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns. Which solution would have the MOST scalability and LOWEST latency?
A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers
Correct Answer: B
Question #12
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials. An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?
A. Use AWS Systems Manager to store the credentials as Secure String parameters
B. Secure by using an AWS KMS key
C. Use AWS Key Management Service to store a master key, which is used to encrypt the credentials
D. The encrypted credentials are stored in an Amazon RDS instance
E. Use AWS Secrets Manager to store the credentials
F. Store the credentials in a JSON file on Amazon S3 with server-side encryption
Correct Answer: AE
Question #13
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP: How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?
A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3
B. Add an IAM policy for the Developer, which grants S3 access
C. Create a new OU without applying the SCP restricting S3 access
D. Move the Developer account to this new OU
E. Add an allow list for the Developer account for the S3 service
Correct Answer: D
Question #14
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal r
A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content
B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content
C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated
Correct Answer: B
Question #15
A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes. What is the MOST secure way to accomplish this?
A. Extract the subject (sub), audience (aud), and cognito:username from the ID token payload. Manually check the subject and audience for the user name in the user pool
B. Search for the public key with a key ID that matches the key ID in the header of the token
C. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date
D. Verify that the token is not expired
E. Then use the token_use claim function in Amazon Cognito to validate the key IDs
F. Copy the JSON Web Token (JWT) as a JSON document. Obtain the public JSON Web Key (JWK) and convert it to a PEM file
Correct Answer: A
Question #16
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses. Which action should the Security Engineer take to allow communication over the public IP addresses?
A. Associate the instances to the same security groups
B. Add 0
C. Add the instance IDs to the ingress rules of the instance security groups
D. Add the public IP addresses to the ingress rules of the instance security groups
Correct Answer: D
Question #17
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following: Set up the proxy software on the EC2 instances. Modified the route tables on the private subnets to use the proxy EC2 instances as the defau
A. Put all the proxy EC2 instances in a cluster placement group
B. Disable source and destination checks on the proxy EC2 instances
C. Open all inbound ports on the proxy EC2 instance security group
D. Change the VPC's DHCP domain-name-servers option set to the IP addresses of the proxy EC2 instances
Correct Answer: BC
Question #18
A company wants to have an intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement? Please select:
A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
B. Use a custom solution available in the AWS Marketplace
C. Use VPC Flow Logs to detect the issues and flag them accordingly
D. Use Amazon CloudWatch to monitor all traffic
Correct Answer: C
Question #19
Which of the following minimizes the potential attack surface for applications?
A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level
B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource
C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets
D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats
Correct Answer: D
Question #20
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched. What could be causing these terminations?
A. The IAM user launching those instances is missing ec2:RunInstances permission
B. The AMI used is encrypted and the IAM user does not have the required AWS KMS permissions
C. The instance profile used with the EC2 instances is unable to query instance metadata
D. AWS currently does not have sufficient capacity in the Region
Correct Answer: B
Question #21
A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from the corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. The causes concer
A. Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers
B. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources
C. Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises
D. Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time
Correct Answer: A
Question #22
An employee accidentally exposed an IAM access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key. How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)
A. Analyze AWS CloudTrail for activity
B. Analyze Amazon CloudWatch Logs for activity
C. Download and analyze the IAM Use report from AWS Trusted Advisor
D. Analyze the resource inventory in AWS Config for IAM user activity
E. Download and analyze a credential report from IAM
Correct Answer: A
Question #23
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage
B. Implement a rate-based rule with AWS WAF
C. Use AWS Shield to limit the originating traffic hit rate
D. Implement the GeoLocation feature in Amazon Route 53
Correct Answer: C
Question #24
Which of the following is used as a secure way to log into an EC2 Linux instance? Please select:
A. IAM User name and password
B. Key pairs
C. IAM Access keys
D. IAM SDK keys
Correct Answer: D
Question #25
An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration: The instance is allowed the kms:Decrypt action in its IAM role for all resources. The AWS KMS CMK status is set to enabled. The instance can communicate with the KMS API using a configured VPC endpoint. What is causing the issue?
A. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
B. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
C. The kms:Encrypt permission is missing from the EC2 IAM role
D. The KMS CMK key policy that enables IAM user permissions is missing
Correct Answer: A
Question #26
A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?
A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary
B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary
C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary
D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary
Correct Answer: B
Question #27
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance. What combination of actions should the Engineer take? (Choose two.)
A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC
B. Create an AWS Config configuration item for each VPC in the company AWS account
C. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function
D. Create an Amazon CloudWatch Events rule that triggers on events emitted by AWS Config
E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic
Correct Answer: D