
Pass Your SCS-C02 Certification Questions & Practice Tests, AWS Certified Security - Specialty | SPOTO

Achieve success in your AWS Certified Security - Specialty (SCS-C02) certification with SPOTO's comprehensive exam resources. Our "Pass Your SCS-C02 Certification Questions & Practice Tests" title offers a tailored approach to exam preparation, featuring exam questions and answers, practice tests, and sample questions. Our exam dumps and free quizzes supplement your study materials, ensuring thorough coverage of key concepts. Prepare with confidence using SPOTO's exam materials and exam simulator, which simulate the real exam environment. Our online exam questions and mock exams help you refine your exam-taking skills, enhancing your readiness for success. With SPOTO, you can practice and master exam answers, ensuring a successful outcome in your AWS Certified Security - Specialty certification journey.


Question #1
A company is collecting IAM CloudTrail log data from multiple IAM accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for IAM Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its IAM accounts. The company's security engineer created an IAM Organizations trail in the master accou
A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key
B. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key
C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail
D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail
E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations
View answer
Correct Answer: CD
Question #2
A company has deployed a custom DNS server in IAM. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS. How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
A. Deny access to the Amazon DNS IP within all security groups
B. Add a rule to all network access control lists that deny access to the Amazon DNS IP
C. Add a route to all route tables that black holes traffic to the Amazon DNS IP
D. Disable DNS resolution within the VPC configuration
View answer
Correct Answer: D
Question #3
An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication: After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
A. Change the value of IAM MultiFactorAuthPresent to true
B. Instruct users to run the IAM sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters
C. Use these resulting values to make API/CLI calls
D. Implement federated API/CLI access using SAML 2
E. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables
F. Add sts:AssumeRole to NotAction in the policy
View answer
Correct Answer: A
Question #4
A company plans to move most of its IT infrastructure to IAM. The company wants to leverage its existing on-premises Active Directory as an identity provider for IAM. Which steps should be taken to authenticate to IAM services using the company's on-premises Active Directory? (Choose three).
A. Create IAM roles with permissions corresponding to each Active Directory group
B. Create IAM groups with permissions corresponding to each Active Directory group
C. Create a SAML provider with IAM
D. Create a SAML provider with Amazon Cloud Directory
E. Configure IAM as a trusted relying party for the Active Directory
F. Configure IAM as a trusted relying party for Amazon Cloud Directory
View answer
Correct Answer: B
Question #5
The Security team believes that a former employee may have gained unauthorized access to IAM resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within IAM?
A. Use the IAM CloudTrail console to search for user activity
B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user
C. Use IAM Config to see what actions were taken by the user
D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3
View answer
Correct Answer: D
Question #6
A company has hired a third-party security auditor, and the auditor needs read-only access to all IAM resources and logs of all VPC records and events that have occurred on IAM. How can the company meet the auditor's requirements without compromising security in the IAM environment? Choose the correct answer from the options below. Please select:
A. Create a role that has the required permissions for the auditor
B. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but do not allow the auditor access to the IAM environment
C. The company should contact IAM as part of the shared responsibility model, and IAM will grant required access to the third-party auditor
D. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs
View answer
Correct Answer: D
Question #7
An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers: IAM IAM federated with on-premises Active Directory, and Amazon Cognito user pools for accessing an IAM Cloud application developed by the company. Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)
A. Update the password length policy in the on-premises Active Directory configuration
B. Update the password length policy in the IAM configuration
C. Enforce an IAM policy in Amazon Cognito and IAM IAM with a minimum password length condition
D. Update the password length policy in the Amazon Cognito configuration
E. Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito
View answer
Correct Answer: AD
Question #8
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table? Please select:
A. Create a VPC endpoint for DynamoDB within a VPC
B. Configure the Lambda function to access resources in the VPC
C. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table
D. Create an IAM user with permissions to write to the DynamoDB table
E. Store an access key for that user in the Lambda environment variables
F. Create an IAM service role with permissions to write to the DynamoDB table
View answer
Correct Answer: BD
Question #9
You have a set of application, database and web servers hosted in IAM. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take? Please select:
A. Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group
B. Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group
C. Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group
D. Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group
View answer
Correct Answer: A
Question #10
Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in IAM. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement? Please select:
A. Adding a bucket policy on the S3 bucket
B. Configuring lifecycle configuration rules on the S3 bucket
C. Creating an IAM policy for the S3 bucket
D. Enabling CORS on the S3 bucket
View answer
Correct Answer: B
Question #11
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below. Please select:
A. A network ACL with a rule that allows outgoing traffic on port 443
B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443
D. A security group with a rule that allows outgoing traffic on port 443
E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
F. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443
View answer
Correct Answer: AB
Question #12
A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with IAM Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers. Which combination of steps should the security engineer perform?
A. Open inbound port 22 to 0.0.0.0/0
B. Enable the advanced-instances tier in Systems Manager
C. Create a managed-instance activation for the on-premises servers
D. Reconfigure the Systems Manager Agent with the activation code and ID
E. Assign an IAM role to all of the on-premises servers
F. Initiate an inventory collection with Systems Manager on the on-premises servers
View answer
Correct Answer: B
Question #13
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved? Please select:
A. Encrypt the EBS volumes of the underlying EC2 Instances
B. Use IAM KMS Customer Default master key
C. Use SSL/TLS for encrypting the data
D. Use S3 Encryption
View answer
Correct Answer: C
Question #14
Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid. Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)
A. Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets
B. Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets
C. Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user
D. Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions
E. Assign the IAMConfigRole managed policy to the IAM Config role
View answer
Correct Answer: BE
Question #15
Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)
A. Default IAM Certificate Manager certificate
B. Custom SSL certificate stored in IAM KMS
C. Default CloudFront certificate
D. Custom SSL certificate stored in IAM Certificate Manager
E. Default SSL certificate stored in IAM Secrets Manager
F. Custom SSL certificate stored in IAM IAM
View answer
Correct Answer: ACD
Question #16
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)
A. Detach the elastic network interface from the EC2 instance
B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance
C. Disable any Amazon Route 53 health checks associated with the EC2 instance
D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group
E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance
F. Add a rule to an IAM WAF to block access to the EC2 instance
View answer
Correct Answer: B
Question #17
Your company works in the gaming domain and hosts several EC2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 Instances, which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers? Please select:
A. Use VPC Flow logs to monitor the VPC and then implement NACLs to mitigate attacks
B. Use IAM Shield Advanced to protect the EC2 Instances
C. Use IAM Inspector to protect the EC2 Instances
D. Use IAM Trusted Advisor to protect the EC2 Instances
View answer
Correct Answer: A
Question #18
A company uses SAML federation with IAM Identity and Access Management (IAM) to provide internal users with SSO for their IAM accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in: "Error: Response Signature Invalid (Service: IAMSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)" A security engineer needs to address the immediate issue and ensure that it wil
A. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity
B. Upload the new metadata file to the new IAM identity provider entity
C. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider
D. Generate a new metadata file and upload it to the IAM identity provider entity
E. Perform automated or manual rotation of the certificate when required
F. Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question
View answer
Correct Answer: A
Question #19
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs. Which architecture should the Security Engineer use to meet these requirements?
A. Use IAM Shield to scan inbound traffic for web exploits
B. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs
C. Use IAM Shield to scan inbound traffic for web exploits
D. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs
E. Use IAM WAF to scan inbound traffic for web exploits
F. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs
View answer
Correct Answer: C
Question #20
A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account. For added security, the logs are stored using server-side encryption with IAM KMS-managed keys (SSE-KMS) and have log integrity validation enabled. While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?
A. The log files fail integrity validation and automatically are marked as unavailable
B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it
C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files
D. An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket
View answer
Correct Answer: B
Question #21
Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner? Please select:
A. Create a PowerShell script using the IAM CLI
B. Query for all resources with the tag of production
C. Create a bash shell script with the IAM CLI
D. Query for all resources in all regions
E. Store the results in an S3 bucket
F. Use CloudTrail to get the list of all resources
View answer
Correct Answer: BD
Question #22
Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message: Network error: Connection timed out. What could be responsible for the connection failure? (Select THREE.)
A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
B. The internet gateway of the VPC has been reconfigured
C. The security group denies outbound traffic on ephemeral ports
D. The route table is missing a route to the internet gateway
E. The NACL denies outbound traffic on ephemeral ports
F. The host-based firewall is denying SSH traffic
View answer
Correct Answer: D
Question #23
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an IAM KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use IAM principals from their own IAM accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access. What is the MOST e
A. Use KMS grants to manage key access
B. Programmatically create and revoke grants to manage vendor access
C. Use an IAM role to manage key access
D. Programmatically update the IAM role policies to manage vendor access
E. Use KMS key policies to manage key access
F. Programmatically update the KMS key policies to manage vendor access
View answer
Correct Answer: B
Question #24
A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements? Please select:
A. Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers
B. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers
C. Use Systems Manager Patch Manager to install the missing patches
D. Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers
E. Use Trusted Advisor to generate the report of out-of-compliance instances/servers
F. Use Systems Manager Patch Manager to install the missing patches
View answer
Correct Answer: DEF
Question #25
You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose? Please select:
A. IAM KMS
B. IAM S3 Server side encryption
C. IAM Customer Keys
D. IAM Cloud HSM
View answer
Correct Answer: C
Question #26
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs) Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)
A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs
B. Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment
C. Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment
D. Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances
E. Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software
View answer
Correct Answer: CD
Question #27
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages. What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select two.)
A. Configure and assign an MFA device to the role used by the instances
B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances
C. Verify that the access key attached to the role used by the instances is active
D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances
E. Verify that the role attached to the instances contains policies that allow access to the queue
View answer
Correct Answer: B
Question #28
Which technique can be used to integrate IAM IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service? Please select:
A. Use an IAM policy that references the LDAP account identifiers and the IAM credentials
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between IAM and LDAP
C. Use IAM Security Token Service from an identity broker to issue short-lived IAM credentials
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated
View answer
Correct Answer: C
Question #29
A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution. Which combination of the following would satisfy these requirements? (Select TWO.)
A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM
B. Establish network connectivity between on-premises and the user's VPC
C. Use Amazon Cognito user pools for application authentication
D. Use AD Connector for application authentication
E. Set up federated sign-in to IAM through ADFS and SAML
View answer
Correct Answer: A
Question #30
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using IAM CloudFormation templates with EC2 Auto Scaling groups: -Have the EC2 instances bootstrapped to connect to a backend database. -Ensure that the database credentials are handled securely. -Ensure that retrievals of database credentials are logged. Which of the following is the MOST efficient way to meet these requirements?
A. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true
B. Ensure that the instance is configured to log to Amazon CloudWatch Logs
C. Store database passwords in IAM Systems Manager Parameter Store by using SecureString parameters
D. Create an IAM Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption
E. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog
F. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance
View answer
Correct Answer: A
Question #31
Your company has a set of EC2 Instances defined in IAM. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below. Please select:
A. Use a host based intrusion detection system
B. Use a third party firewall installed on a central EC2 instance
C. Use VPC Flow logs
D. Use Network Access control lists logging
View answer
Correct Answer: BDE
Question #32
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to IAM. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection. Which solution meets these requirements?
A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region
B. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region
C. Create an Amazon CloudFront distribution that uses the ALB as its origin
D. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution
E. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region
F. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region
View answer
Correct Answer: CEF
