SCS-C02 Exam Practice Made Easy: Latest Mock Exams, AWS Certified Security - Specialty | SPOTO

Elevate your preparation for the AWS Certified Security - Specialty exam with SPOTO's latest mock exams. As a certification that validates your expertise in AWS security solutions, it's crucial to have comprehensive practice tests that mirror the actual exam environment. Our mock exams cover a range of topics including exam questions, sample questions, and exam dumps, providing you with a thorough understanding of key concepts. Access free quizzes and exam materials to enhance your learning experience. SPOTO's exam simulator allows you to practice exam questions and answers in a simulated environment, helping you build confidence and readiness for the certification exam. With our easy-to-use platform and up-to-date resources, mastering the SCS-C02 exam has never been more accessible.

Question #1
Your application currently uses IAM Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively? Please select:
A. Create different cognito endpoints, one for the readers and the other for the contributors
B. Create different cognito groups, one for the readers and the other for the contributors
C. You need to manage this within the application itself
D. This needs to be managed via Web security tokens
Correct Answer: BE
Question #2
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks. Which of the following methods will ensure that the data is unrea
A. Change the volume encryption on the EBS volume to use a different encryption mechanism
B. Then, release the EBS volumes back to IAM
C. Release the volumes back to IAM
D. IAM immediately wipes the disk after it is deprovisioned
E. Delete the encryption key used to encrypt the EBS volume
F. Then, release the EBS volumes back to IAM
Correct Answer: D
Question #3
A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are: -Storage is accessible by using only VPCs. -Service has tamper-evident controls. -Access logging is enabled. -Storage has high availability. Which of the following services meets these requirements?
A. Amazon S3 with default encryption
B. IAM CloudHSM
C. Amazon DynamoDB with server-side encryption
D. IAM Systems Manager Parameter Store
Correct Answer: A
Question #4
Your company has just started using IAM and created an IAM account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below. Please select:
A. Delete the root access account
B. Create an Admin IAM user with the necessary permissions
C. Change the password for the root account
D. Delete the root access keys
Correct Answer: B
Question #5
A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs. How can this be accomplished? (Choose two.)
A. Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPC
B. Do not complete the penetration test request form
C. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC
D. Do not complete the penetration test request form
E. Create a VPN connection from the data center to VPC
F. Use an on-premises scanning engine to scan the instances in all three VPC
Correct Answer: BC
Question #6
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which action would provide the required functionality?
A. Pass the key alias to IAM KMS when calling Encrypt and Decrypt API actions
B. Use IAM policies to restrict access to Encrypt and Decrypt API actions
C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK
D. Use key policies to restrict access to the appropriate IAM groups
Correct Answer: C
Question #7
In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an IAM Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below. Please select:
A. Give only the necessary access to the Apache servers so that the developers can gain access to the log files
B. Give root access to your Apache servers to the developers
C. Give read-only access to your developers to the Apache servers
D. Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access
Correct Answer: AB
Question #8
A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers: -Content-Security-Policy -X-Frame-Options -X-XSS-Protection. The Engineer does not have access to the source code of the legacy web application. Which of the following approaches would meet this requirement?
A. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole
B. Implement an IAM Lambda@Edge origin response function that inserts the required headers
C. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution
D. Construct an IAM WAF rule to replace existing HTTP headers with the required security headers by using regular expressions
Correct Answer: D
Question #9
A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution. Which combination of steps should the security engineer recommend? (Select TWO.)
A. Edit the existing VPC Flow Log
B. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format
C. Delete and recreate the existing VPC Flow Log
D. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format
E. Change the destination to Amazon CloudWatch Logs
F. Include the pkt-srcaddr and pkt-dstaddr fields in the log format
Correct Answer: BDF
Question #10
An organization policy states that all encryption keys must be automatically rotated every 12 months. Which IAM Key Management Service (KMS) key type should be used to meet this requirement?
A. IAM managed Customer Master Key (CMK)
B. Customer managed CMK with IAM generated key material
C. Customer managed CMK with imported key material
D. IAM managed data key
Correct Answer: BCE
Question #11
An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?
A. Create a scheduled process to copy the component’s logs into Amazon S3
B. Set up CloudWatch alerts based on the metrics
C. Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance
D. Create a CloudWatch metric filter to monitor the application log
E. Set up CloudWatch alerts based on the metrics
F. Create a scheduled process to copy the application log files to IAM CloudTrail
Correct Answer: B
Question #12
A company's Security Officer is concerned about the risk of IAM account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins. How should the Security Engineer meet these requirements?
A. Create a cron job that runs a script to download the IAM IAM security credentials W
B. parse the file for account root user logins and email the Security team's distribution list
C. Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list
D. Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account. Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events
E. Save VPC Flow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the Security team upon encountering the account root user login events
Correct Answer: D