DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Boost Your Certification Prep with SCS-C02 Mock Tests, AWS Certified Security - Specialty | SPOTO

Prepare to excel in your AWS Certified Security - Specialty (SCS-C02) exam with SPOTO's comprehensive mock tests. These tests are designed to enhance your certification preparation by simulating real exam scenarios. As an AWS Certified Security - Specialty holder, you demonstrate your ability to develop and execute robust security solutions within the AWS Cloud environment. This certification signifies your proficiency in professional data classification, AWS data protection mechanisms, data encryption methods, and secure Internet protocols, all crucial aspects of cloud security. Access our SCS-C02 mock tests, along with exam questions, practice tests, and exam materials, to refine your skills and boost your confidence for the exam. Prepare effectively with SPOTO's proven strategies and resources for exam success.
Take other online exams

Question #1
A global company that deals with International finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using IAM. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining How can the security team continue using GuardDuty while meeting these requiremen
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool B'DNS finding and use the suppress findings option
B. Create a custom IAM Lambda function to process newly detected GuardDuty alerts Process the CryptoCurrency EC2/BitcoinTool BIDNS alert and filter outthe high-severity finding types only
C. When creating a new Amazon EC2 Instance, provide the instance with a specific tag that indicates it is performing mining operations Create a custom IAM Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag
D. When GuardDuty produces a cryptocurrency finding, process the finding with a custom IAM Lambda function to extract the instance ID from the finding Then use the IAM Systems Manager Run Command to check for a running process performing mining operations
View answer
Correct Answer: D
Question #2
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
A. Use IAM Certificate Manager to encrypt all traffic between the client and application servers
B. Review the application security groups to ensure that only the necessary ports are open
C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption
D. Use Amazon Inspector to periodically scan the backend instances
E. Use IAM Key Management Services to encrypt all the traffic between the client and application servers
View answer
Correct Answer: BDF
Question #3
What is the function of the following IAM Key Management Service (KMS) key policy attached to a customer master key (CMK)?
A. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account
B. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and IAM
C. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region
D. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account
View answer
Correct Answer: C
Question #4
A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?
A. Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate
B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation
C. Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance
D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate
View answer
Correct Answer: BC
Question #5
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances: ? Block traffic from documented known bad IP addresses ? Detect known software vulnerabilities and CIS Benchmarks compliance. Which solution addresses these requirements?
A. Launch the EC2 instances with an IAM role attache
B. Include a user data script that uses the IAM CLIto retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance
C. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
D. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inboun
E. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
F. Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance
View answer
Correct Answer: C
Question #6
Your company has defined a set of S3 buckets in IAM. They need to monitor the S3 buckets and know the source IP address and the person who make requests to the S3 bucket. How can this be achieved? Please select:
A. Enable VPC flow logs to know the source IP addresses
B. Monitor the S3 API calls by using Cloudtrail logging
C. Monitor the S3 API calls by using Cloudwatch logging
D. Enable IAM Inspector for the S3 bucket
View answer
Correct Answer: B
Question #7
A company is planning to run a number of Admin related scripts using the IAM Lambda service. There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner. Please select:
A. Use Cloudwatch metrics and logs to watch for errors
B. Use Cloudtrail to monitor for errors
C. Use the IAM Config service to monitor for errors
D. Use the IAM inspector service to monitor for errors
View answer
Correct Answer: A
Question #8
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department has a suspicion that a DDos attack is coming from a suspecting IP. How can you protect the subnets from this attack? Please select:
A. Change the Inbound Security Groups to deny access from the suspecting IP
B. Change the Outbound Security Groups to deny access from the suspecting IP
C. Change the Inbound NACL to deny access from the suspecting IP
D. Change the Outbound NACL to deny access from the suspecting IP
View answer
Correct Answer: ADF
Question #9
You have a set of Customer keys created using the IAM KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this. Please select:
A. You have not explicitly given access via the key policy
B. You have not explicitly given access via the IAM policy
C. You have not given access via the IAM roles
D. You have not explicitly given access via IAM users
View answer
Correct Answer: ACE
Question #10
You have an Ec2 Instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping security in perspective Please select:
A. Use a VPC endpoint
B. Attach an Internet gateway to the subnet
C. Attach a VPN connection to the VPC
D. Use VPC Peering
View answer
Correct Answer: C
Question #11
A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables. Which of the following are required for this configuration to work? (Select TWO.)
A. The developer must configure Lambda access to the VPC using the --vpc-config parameter
B. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy
C. The KMS key policy must allow permissions for the developer to use the KMS key
D. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added
E. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy
View answer
Correct Answer: A
Question #12
Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the IAM Account? Please select:
A. Use IAM Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
B. Use IAM Config Rules to check whether logging is enabled for buckets
C. Use IAM Cloudwatch metrics to check whether logging is enabled for buckets
D. Use IAM Cloudwatch logs to check whether logging is enabled for buckets
View answer
Correct Answer: B
Question #13
You are planning on using the IAM KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below Please select:
A. Image Objects
B. Large files
C. Password
D. RSA Keys
View answer
Correct Answer: D
Question #14
A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future What are some ways the Engineer could achieve this? (Select THREE )
A. Use IAM X-Ray to inspect the traffic going 10 the EC2 instances
B. Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution
C. Change the security group configuration to block the source of the attack traffic
D. Use IAM WAF security rules to inspect the inbound traffic
E. Use Amazon inspector assessment templates to inspect the inbound traffic
F. Use Amazon Route 53 to distribute traffic
View answer
Correct Answer: A
Question #15
An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether. Which of the following supports this requirement for IAM resources that are encrypted by IAM KMS?
A. Copy the application’s IAM KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region
B. Configure IAM KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region
C. Use IAM services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key
D. Configure the target region’s IAM service to communicate with the source region’s IAM KMS so that it can decrypt the resource in the target region
View answer
Correct Answer: D
Question #16
A security engineer has been tasked with implementing a solution that allows the company's development team to have interactive command line access to Amazon EC2 Linux instances using the IAM Management Console. Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?
A. Enable IAM Systems Manager in the IAM Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM rol
B. Install the Systems Manager Agent on all EC2 Linux instances that need interactive acces
C. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team's IAM users
D. Enable console SSH access in the EC2 consol
E. Configure IAM user policies to allow development team access to the IAM Systems Manager Session Manager and attach to the development team's IAM users
F. Enable IAM Systems Manager in the IAM Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM rol G
View answer
Correct Answer: B

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: