Master SCS-C02 Exams with Exam Questions & Study Materials, AWS Certified Security - Specialty | SPOTO

Achieve mastery in the AWS Certified Security - Specialty (SCS-C02) exam with SPOTO's comprehensive study materials and exam questions. This certification showcases your skills in designing and deploying robust security solutions within the AWS Cloud environment. It also validates your knowledge of professional data classification, AWS data protection mechanisms, data encryption techniques, secure Internet protocols, and their implementation in AWS. Access our curated collection of exam questions, practice tests, and exam dumps to enhance your preparation. Our study materials cover key topics and provide in-depth insights to help you grasp complex concepts. Prepare with confidence using SPOTO's exam simulator and online exam questions, ensuring you're ready to excel in the SCS-C02 exam. Boost your preparation and achieve success with SPOTO's trusted resources.
Question #1
A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process. What should the Security Engineer use to accomplish this?
A. Server-side encryption with Amazon S3-managed keys (SSE-S3)
B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
C. Server-side encryption with customer-provided keys (SSE-C)
D. Client-side encryption with an AWS KMS-managed CMK
View answer
Correct Answer: C
Question #2
A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error. What should a Security Engineer do to troubleshoot this error? (Select THREE.)
A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
C. Ensure the CMK was created before the S3 bucket
D. Ensure the S3 block public access feature is enabled for the S3 bucket
E. Ensure that automatic key rotation is disabled for the CMK
F. Ensure the SCPs within Organizations allow access to the S3 bucket
View answer
Correct Answer: B
Question #3
A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below. Please select:
A. Change the access keys for all IAM users
B. Delete all custom created IAM policies
C. Delete the access keys for the root account
D. Confirm MFA to a secure device
E. Change the password for the root account
F. Change the password for all IAM users
View answer
Correct Answer: A
Question #4
A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest. Which application flow would meet the data protection requirements on AWS?
A. Digitized files -> Amazon Kinesis Data Analytics
B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
C. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
D. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch
View answer
Correct Answer: B
Question #5
Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement? Please select:
A. Use Amazon Inspector to inspect all the security groups
B. Use AWS Trusted Advisor to see which security groups have compromised access
C. Use AWS Config to see which security groups have compromised access
D. Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted access
View answer
Correct Answer: C
Question #6
An AWS account includes two S3 buckets: bucket1 and bucket2. bucket2 does not have a policy defined, but bucket1 has the following bucket policy: In addition, the same account has an IAM user named “alice” with the following IAM policy. Which buckets can user “alice” access?
A. Bucket1 only
B. Bucket2 only
C. Both bucket1 and bucket2
D. Neither bucket1 nor bucket2
View answer
Correct Answer: B
Question #7
A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occu
A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch
B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access
C. Export the logs to CloudWatch Search for the new-user-creation
D. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation
E. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket Use Amazon Athena to query the logs and find the new-user-creation php occurrences
View answer
Correct Answer: B
Question #8
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes. What should the security engineer recommend?
A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created
B. When the instance is terminated, the EBS volume can be reattached to another instance for log review
C. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system
D. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group
E. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review
F. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS)
View answer
Correct Answer: A
Question #9
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs. Which of the following steps will implement these requirements? (Choose three.)
A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails
B. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails
C. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails
D. Use unique log file prefixes for trails in each AWS account
E. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket
F. Enable encryption of the log files by using AWS Key Management Service
View answer
Correct Answer: B
Question #10
Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality? Please select:
A. Create a Service Control Policy that denies access to the service
B. Assemble all production accounts in an organizational unit
C. Apply the policy to that organizational unit
D. Create a Service Control Policy that denies access to the service
E. Apply the policy to the root account
F. Create an IAM policy that denies access to the service G
View answer
Correct Answer: C
Question #11
A company is outsourcing its operational support to an external company. The company’s security officer must implement an access solution for delegating operational support that minimizes overhead. Which approach should the security officer take to meet these requirements?
A. Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider
B. Federate AWS Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions
C. Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company
D. Use AWS SSO with the external company's identity provider
E. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions
View answer
Correct Answer: AE
Question #12
One of the EC2 Instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the Instance? Select 2 answers from the options given below. Please select:
A. Remove the role applied to the EC2 Instance
B. Create a separate forensic instance
C. Ensure that the security groups only allow communication to this forensic instance
D. Terminate the instance
View answer
Correct Answer: B
Question #13
A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit. Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE)
A. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead
B. Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret
C. Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables
D. Add the following statement to the container instance IAM role policy
E. Add the following statement to the execution role policy
F. Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variable G
View answer
Correct Answer: B
Question #14
You have enabled CloudTrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved? Please select:
A. Enable SSL certificates for the CloudTrail logs
B. There is no need to do anything since the logs will already be encrypted
C. Enable server-side encryption for the trail
D. Enable server-side encryption for the destination S3 bucket
View answer
Correct Answer: CE
Question #15
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket
B. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion
C. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3
D. Create a new AWS account with limited privilege
E. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis
F. Use AWS Backup to copy EBS snapshots to Amazon S3
View answer
Correct Answer: B
Question #16
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly. The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the i
A. Verify that the 0
B. Verify which Security Group is applied to the particular web server’s elastic network interface (ENI)
C. Verify that the 0
D. Verify the registered targets in the ALB
E. Verify that the 0
View answer
Correct Answer: CD
Question #17
A company uses AWS Organizations to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account. Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary
A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group
B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group
C. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role
D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role
View answer
Correct Answer: AD
Question #18
A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company. The company’s Developer Operations department learns about this only after the CMK has been deleted. Which steps must be taken to address this situation?
A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance
B. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key
C. Make a request to AWS Support to recover the S3 encrypted data
D. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data
View answer
Correct Answer: B
Question #19
An employee keeps terminating EC2 instances in the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below. Please select:
A. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag
B. <
C. Tag the instance with a production-identifying tag and modify the employee's group to allow only start, stop, and reboot API calls and not the terminate instance call
D. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
E. Modify the IAM policy on the user to require MFA before deleting EC2 instances
View answer
Correct Answer: B
Question #20
A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account. What does the statement allow?
A. All principals from all AWS accounts to use the key
B. Only the root user from account 111122223333 to use the key
C. All principals from account 111122223333 to use the key but only on Amazon S3
D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key
View answer
Correct Answer: C
Question #21
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months. What would be the BEST way to reduce the potential impact of these attacks in the future?
A. Use custom route tables to prevent malicious traffic from routing to the instances
B. Update security groups to deny traffic from the originating source IP addresses
C. Use network ACLs
D. Install intrusion prevention software (IPS) on each instance
View answer
Correct Answer: C
Question #22
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, and plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers. Which approach MOST efficiently meets the company's needs?
A. Use the AWS Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 2^16
B. Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK
C. Then use Amazon S3 client-side encryption configured to automatically rotate with every object
D. Use AWS CloudHSM to generate the master key and data key
E. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3
F. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate
View answer
Correct Answer: D
Question #23
What is the result of the following bucket policy? Choose the correct answer. Please select:
A. It will allow all access to the bucket mybucket
B. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
C. It will deny all access to the bucket mybucket
D. None of these
View answer
Correct Answer: D