Pass Your SCS-C02 Exam with Practice Tests 2024 Updated, AWS Certified Security - Specialty | SPOTO

Master your AWS Certified Security - Specialty (SCS-C02) certification with SPOTO's updated practice tests for 2024. This dump is your gateway to comprehensive exam preparation, featuring exam questions and answers, practice tests, and sample questions. Our exam dumps and free quizzes supplement your study materials, ensuring thorough coverage of key concepts. Prepare effectively with SPOTO's exam materials and exam simulator, designed to mimic the real exam environment. Our online exam questions and mock exams help you sharpen your exam-taking skills, enhancing your readiness for success. With SPOTO, you can practice and refine exam answers, ensuring a successful outcome in your AWS Certified Security - Specialty certification journey.

Question #1
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data. Which IAM Services, together, can satisfy this use case? (Select two.)
A. Amazon Elasticsearch
B. Amazon Kinesis
C. Amazon SQS
D. Amazon CloudWatch
E. Amazon Athena
Correct Answer: C
Question #2
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3
B. Configure a scheduled job that updates the credential in IAM Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted
C. Configure automatic rotation of credentials in IAM Secrets Manager
D. Store the credential in an encrypted string parameter in IAM Systems Manager Parameter Store
E. Grant permission to the instance role associated with the EC2 instance to access the parameter and the IAM KMS key that is used to encrypt it
F. Configure the Java application to catch a connection failure and make a call to IAM Secrets Manager to retrieve updated credentials when the password is rotated
Correct Answer: C
Question #3
An Amazon S3 bucket is encrypted using an IAM KMS CMK. An IAM user is unable to download objects from the S3 bucket using the IAM Management Console; however, other users can download objects from the S3 bucket. Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)
A. The CMK policy
B. The VPC endpoint policy
C. The S3 bucket policy
D. The S3 ACL
E. The IAM policy
Correct Answer: B
Question #4
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the IAM Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities. How can the Security team suppress alerts about authorized security tests while still r
A. Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team’s EC2 instances
B. Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty
C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses
D. Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations
Correct Answer: BDE
Question #5
What are the MOST secure ways to protect the IAM account root user of a recently opened IAM account? (Choose two.)
A. Use the IAM account root user access keys instead of the IAM Management Console
B. Enable multi-factor authentication for the IAM IAM users with the AdministratorAccess managed policy attached to them
C. Enable multi-factor authentication for the IAM account root user
D. Use IAM KMS to encrypt all IAM account root user and IAM IAM access keys and set automatic rotation to 30 days
E. Do not create access keys for the IAM account root user; instead, create IAM IAM users
Correct Answer: B
Question #6
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request. Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data. Which solution will meet these requirements?
A. Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data
B. Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer
C. Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys
D. Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer
Correct Answer: C
Question #7
A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties. Which combination of actions will meet this requirement? (Select THREE.)
A. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)
B. Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)
C. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint
D. Use the Amazon S3 Block Public Access feature
E. Configure the bucket policy to allow access from the application instances only
F. Use a NACL to filter traffic to Amazon S3
Correct Answer: C
Question #8
A company has decided to use encryption in its IAM account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16.000 B to 5 MB. The requirements are as follows: the key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine, and the key material must be available in multiple Regions. Which option meets these requirements?
A. Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions
B. Use an IAM customer managed key, import the key material into IAM KMS using in-house IAM CloudHSM
C. and store the key material securely in Amazon S3
D. Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions
E. Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data
Correct Answer: B
Question #9
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)
A. Configure the application’s EC2 instances to use NAT gateways for all inbound traffic
B. Move the web servers to private subnets without public IP addresses
C. Configure IAM WAF to provide DDoS attack protection for the ALB
D. Require all inbound network traffic to route through a bastion host in the private subnet
E. Require all inbound and outbound network traffic to route through an IAM Direct Connect connection
Correct Answer: BC
Question #10
A company requires that SSH commands used to access its IAM instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?
A. Allow inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions
B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance
C. Deny inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions
D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance
Correct Answer: AB
Question #11
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements: a trusted forensic environment must be provisioned, and automated response processes must be orchestrated. Which IAM services should be included in the plan? (Select TWO.)
A. IAM CloudFormation
B. Amazon GuardDuty
C. Amazon Inspector
D. Amazon Macie
E. IAM Step Functions
Correct Answer: C
Question #12
A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.
A. Create an S3 bucket in a dedicated log account and grant the other accounts write only access
B. Deliver all log files from every account to this S3 bucket
C. Write a Lambda function that queries the Trusted Advisor Cloud Trail check
D. Run the function every 10 minutes
E. Enable CloudTrail log file integrity validation
F. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs
Correct Answer: D
Question #13
A Security Engineer received an IAM Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts. Which action should the Engineer take based on this situation? (Choose three.)
A. Use IAM Artifact to capture an exact image of the state of each instance
B. Create EBS Snapshots of each of the volumes attached to the compromised instances
C. Capture a memory dump
D. Log in to each instance with administrative credentials to restart the instance
E. Revoke all network ingress and egress except to/from a forensics workstation
F. Run Auto Recovery for Amazon EC2
Correct Answer: A
Question #14
A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket. Which steps should be taken to troubleshoot the issue? (Choose three.)
A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go
B. Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs
C. Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket
D. Confirm in the CloudTrail Console that each trail is active and healthy
E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket
F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly
Correct Answer: BCE
Question #15
A company's security team has defined a set of IAM Config rules that must be enforced globally in all IAM accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?
A. Use IAM Organizations to limit IAM Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one IAM account
B. Use IAM Config aggregation to consolidate the views into one IAM account, and provide role access to the security team
C. Consolidate IAM Config rule results with an IAM Lambda function and push data to Amazon SQS
D. Use Amazon SNS to consolidate and alert when some metrics are triggered
E. Use Amazon GuardDuty to load data results from the IAM Config rules compliance status, aggregate GuardDuty findings of all IAM accounts into one IAM account, and provide role access to the security team
Correct Answer: A
Question #16
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy
C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData
D. Add a trust relationship to the IAM role used by the application for cloudwatch
Correct Answer: B
Question #17
A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements: Users may access the website by using an Amazon CloudFront distribution. Users may not access the website directly by using an Amazon S3 URL. Which configurations will support these requirements? (Choose two.)
A. Associate an origin access identity with the CloudFront distribution
B. Implement a “Principal”: “cloudfront
C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents
D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution
E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC
Correct Answer: AC
Question #18
An organization is moving non-business-critical applications to IAM while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in IAM. The internet performance is unpredictable. Which configuration will ensure continued connectivity between sites MOST securely?
A. VPN and a cached storage gateway
B. IAM Snowball Edge
C. VPN Gateway over IAM Direct Connect
D. IAM Direct Connect
Correct Answer: C
Question #19
A Security Engineer manages IAM Organizations for a company. The Engineer would like to restrict IAM usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU: The next day, API calls to IAM appear in IAM CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?
A. Move the account to a new OU and deny IAM:* permissions
B. Add a Deny policy for all non-S3 services at the account level
C. Change the policy to: {"Version": "2012-10-17", "Statement": [{"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*/*"}]}
D. Detach the default FullIAMAccess SCP
Correct Answer: A
Question #20
For compliance reasons, an organization limits the use of resources to three specific IAM regions. It wants to be alerted when any resources are launched in unapproved regions. Which of the following approaches will provide alerts on any resources launched in an unapproved region?
A. Develop an alerting mechanism based on processing IAM CloudTrail logs
B. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions
C. Analyze Amazon CloudWatch Logs for activities in unapproved regions
D. Use IAM Trusted Advisor to alert on all resources being created
Correct Answer: B
Question #21
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error "Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared. W
A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK
B. Allow forensics account principals to use the CMK by modifying its policy
C. Create an Amazon EC2 instance
D. Attach the encrypted and suspicious EBS volume
E. Copy data from the suspicious volume to an unencrypted volume
F. Snapshot the unencrypted volume
Correct Answer: D
Question #22
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys. Which DynamoDB feature should the Engineer use to achieve compliance?
A. Use IAM Certificate Manager to request a certificate
B. Use that certificate to encrypt data prior to uploading it to DynamoDB
C. Enable S3 server-side encryption with the customer-provided key
D. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
E. Create a KMS master key
F. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB
Correct Answer: A
Question #23
A company is setting up products to deploy in IAM Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?
A. Add a template constraint to each product in the portfolio
B. Add a launch constraint to each product in the portfolio
C. Define resource update constraints for each product in the portfolio
D. Update the IAM CloudFormation template backing the product to include a service role configuration
Correct Answer: BDF
