DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

SCS-C02 Exam Prep: Study Materials & Mock Tests, AWS Certified Security - Specialty | SPOTO

AWS Certified Security - Specialty (SCS-C02) is a prestigious certification that validates your expertise in designing and implementing security solutions within the AWS Cloud environment. This certification is ideal for professionals involved in data protection, encryption methods, and secure Internet protocols in AWS. SPOTO offers comprehensive study materials and mock tests to help you prepare effectively for the SCS-C02 exam. Our resources include exam questions and answers, practice tests, exam dumps, sample questions, and free quizzes, ensuring thorough preparation. With SPOTO's exam materials, you'll gain in-depth knowledge of AWS security mechanisms, data classification, encryption methods, and more. Our exam answers and practice materials are designed to simulate the real exam experience, while our exam simulator and online exam questions prepare you for various scenarios. Prepare with SPOTO to pass the SCS-C02 exam successfully and advance your career in AWS security.
Take other online exams

Question #1
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards. The mail application should be configured to connect to which of the following endpoints and corresponding ports?
A. email
B. email-pop3
C. email-smtp
D. email-imap
View answer
Correct Answer: ACF

View The Updated SCS-C02 Exam Questions

SPOTO Provides 100% Real SCS-C02 Exam Questions for You to Pass Your SCS-C02 Exam!

Question #2
The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again
B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data
C. Update the policy, keeping the vault lock in place
D. Update the policy and call initiate-vault-lock again to apply the new policy
View answer
Correct Answer: ADF
Question #3
A company has an IAM account and allows a third-party contractor who uses another IAM account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts What should the company do to accomplish this? A) B) C) D)
A. Option A
B. Option B
C. Option C
D. Option D
View answer
Correct Answer: B
Question #4
A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan. How can the Security Engineer further protect currently running instances?
A. Delete the key-pair key from the EC2 console, then create a new key pair
B. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key
C. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key
D. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances
View answer
Correct Answer: B
Question #5
The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data. Pattern: "randomID_datestamp_PII.csv" Example: "1234567_12302017_000-00-0000 csv" The bucket where these objects are being stored is using server-side encryption (SSE). Which solution is the most secure and cost-effective option to protect the sensitive data?
A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata
B. Add an S3 bucket policy that denies the action s3:GetObject
C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes
D. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance
View answer
Correct Answer: D
Question #6
The Security Engineer created a new IAM Key Management Service (IAM KMS) key with the following key policy: What are the effects of the key policy? (Choose two.)
A. The policy allows access for the IAM account 111122223333 to manage key access though IAM policies
B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key
C. The policy allows the root user in account 111122223333 to have full access to the KMS key
D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key
E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key
View answer
Correct Answer: ABF
Question #7
A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download. Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?
A. Move all the files to an Amazon S3 bucke
B. Have the web server serve the files from the S3 bucket
C. Launch a second Amazon EC2 instance in a new subne
D. Launch an Application Load Balancer in front of both instances
E. Launch an Application Load Balancer in front of the EC2 instanc
F. Create an Amazon CloudFront distribution in front of the Application Load Balancer
View answer
Correct Answer: BDE
Question #8
A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material. How can the Engineer perform the key rotation process MOST efficiently?
A. Create a new CMK, and redirect the existing Key Alias to the new CMK
B. Select the option to auto-rotate the key
C. Upload new key material into the existing CMK
D. Create a new CMK, and change the application to point to the new CMK
View answer
Correct Answer: DEF
Question #9
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee Even after updating the policy the employee still receives an access denied message. What is the likely cause of this access denial?
A. The ACL in the bucket needs to be updated
B. The IAM policy does not allow the user to access the bucket
C. It takes a few minutes for a bucket policy to take effect
D. The allow permission is being overridden by the deny
View answer
Correct Answer: B
Question #10
A company is using IAM Organizations to manage multiple IAM member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's IAM Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill A security engineer discovers that a compromised Amazon EC2 instance is being used to mine crypto currency. The Security Operations Center did not receive a GuardDuty finding in the central secu
A. Set up an Amazon CloudWatch Event rule to forward ail GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings
B. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings in IAM Security Hub
C. Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission Schedule an Amazon CloudWatch Events rule and an IAM Lambda function to periodically check for GuardDuty findings
D. Use the IAM GuardDuty get-members IAM CLI command m the security account to see if the account is listed Send an invitation from GuardDuty m the security account to GuardDuty in the compromised account Accept the invitation to forward all future GuardDuty findings
View answer
Correct Answer: C
Question #11
A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose? Please select:
A. Use KMS and the normal KMS encryption keys
B. Use KMS and use an external key material
C. Use S3 Server Side encryption
D. Use Cloud HSM
View answer
Correct Answer: BD
Question #12
A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer. Assuming that IAM Certificate Manager is used, how many certificates will need to
A. One in the US West (Oregon) region and one in the US East (Virginia) region
B. Two in the US West (Oregon) region and none in the US East (Virginia) region
C. One in the US West (Oregon) region and none in the US East (Virginia) region
D. Two in the US East (Virginia) region and none in the US West (Oregon) region
View answer
Correct Answer: B
Question #13
A financial institution has the following security requirements: Cloud-based users must be contained in a separate authentication domain. Cloud-based users cannot access on-premises systems. As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances. How would the organization
A. Configure an IAM Managed Microsoft AD to manage the cloud resources
B. Configure an additional on-premises Active Directory service to manage the cloud resources
C. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service
D. Establish a one-way trust relationship from the new Active Directory to the existing Active Directoryservice
E. Establish a two-way trust between the new and existing Active Directory services
View answer
Correct Answer: D
Question #14
A Developer who is following IAM best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using IAM KMS. What is the simplest and MOST secure way to decrypt this data when required?
A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data
B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policie
C. Query DynamoDB to retrieve the data key to decrypt the data
D. Use the Encrypt API to store an encrypted version of the data key with another customer managed key
E. Store the encrypted data key alongside the encrypted dat
F. Use the Decrypt API to retrieve the data key to decrypt the data when required
View answer
Correct Answer: C
Question #15
Your company has defined privileged users for their IAM Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished? Please select:
A. Enable MFA for these user accounts
B. Enable versioning for these user accounts
C. Enable accidental deletion for these user accounts
D. Disable root access for the users
View answer
Correct Answer: D
Question #16
A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements: ? HTTPS needs to be enforced for all data in transit with specific ciphers. ? The CloudFront distribution needs to be accessible from the internet only. Which solution will meet these requirements?
A. Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific cipher
B. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges
C. Set up an S3 bucket policy with the IAM:securetransport ke
D. Configure the CloudFront origin access identity (OAI) with the S3 bucke
E. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers
F. Modify the CloudFront distribution to use IAM WA G
View answer
Correct Answer: B
Question #17
A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The so
A. Enable IAM CloudTrai
B. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team
C. Create a managed IAM policy for the permissions require
D. Reference the IAM policy as a permissions boundary within the development team's IAM role
E. Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team
F. Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development tea G
View answer
Correct Answer: B
Question #18
When you enable automatic key rotation for an existing CMK key where the backing key is managed by IAM, after how long is the key rotated? Please select:
A. After 30 days
B. After 128 days
C. After 365 days
D. After 3 years
View answer
Correct Answer: B
Question #19
An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses IAM WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following stri
A. Create a rule in IAM WAF rules with conditions that block requests based on the presence of ExampleGame/1
B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
C. Create a rate-based rule in IAM WAF to limit the total number of requests that the web application services
D. Create an IP-based blacklist in IAM WAF to block the IP addresses that are originating from requests that contain ExampleGame/1
View answer
Correct Answer: AD
Question #20
A company has contracted with a third party to audit several IAM accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)
A. The external ID used by the Auditor is missing or incorrect
B. The Auditor is using the incorrect password
C. The Auditor has not been granted sts:AssumeRole for the role in the destination account
D. The Amazon EC2 role used by the Auditor must be set to the destination account role
E. The secret key used by the Auditor is missing or incorrect
F. The role ARN used by the Auditor is missing or incorrect
View answer
Correct Answer: B
Question #21
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour. The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improv
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
C. Use GuardDuty filters with auto archiving enabled to close the findings
D. Create an IAM Lambda function that closes the finding whenever a new occurrence is reported
View answer
Correct Answer: B
Question #22
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website. What is causing this situation?
A. Application Load Balancers do not support older web browsers
B. The Perfect Forward Secrecy settings are not configured correctly
C. The intermediate certificate is installed within the Application Load Balancer
D. The cipher suites on the Application Load Balancers are blocking connections
View answer
Correct Answer: B
Question #23
A company wants to control access to its IAM resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its IAM account to map permissions for IAM services to Active Directory user attributes?
A. IAM IAM groups
B. IAM IAM users
C. IAM IAM roles
D. IAM IAM access keys
View answer
Correct Answer: A
Question #24
A security engineer needs to configure monitoring and auditing for IAM Lambda. Which combination of actions using IAM services should the security engineer take to accomplish this goal? (Select TWO.)
A. Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations
B. Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda
C. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda
D. Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations
E. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function
View answer
Correct Answer: AE
Question #25
You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l .a mazonIAM.com. You have some web pages that use Javascript that access resources in another bucket which has web site hosting also enabled. But when users access the web pages , they are getting a blocked Javascript error. How can you rectify this? Please select:
A. Enable CORS for the bucket
B. Enable versioning for the bucket
C. Enable MFA for the bucket
D. Enable CRR for the bucket
View answer
Correct Answer: B
Question #26
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing. Which steps should be taken to troubleshoot the issue? (Choose two.)
A. Use an EC2 run command to confirm that the “IAMlogs” service is running on all instances
B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events
C. Check whether any application log entries were rejected because of invalid time stamps by reviewing/var/cwlogs/rejects
D. Check that the trust relationship grants the service “cwlogs
E. Verify that the time zone on the application servers is in UTC
View answer
Correct Answer: D
Question #27
After a recent security audit involving Amazon S3, a company has asked assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy. Is this bucket policy sufficient to ensure that the data is not publicity accessible?
A. Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL or object ACLs are configured
B. Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured
C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible
D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible
View answer
Correct Answer: AB
Question #28
A Security Engineer is setting up a new IAM account. The Engineer has been asked to continuously monitor the company's IAM account using automated compliance checks based on IAM best practices and Center for Internet Security (CIS) IAM Foundations Benchmarks How can the Security Engineer accomplish this using IAM services?
A. Enable IAM Config and set it to record all resources in all Regions and global resource
B. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled
C. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmark
D. Then enable IAM Security Hub and configure it to ingest theAmazon Inspector findings
E. Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmark
F. Then enable IAM Shield in all Regions to protect the account from DDoS attacks
View answer
Correct Answer: D
Question #29
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals. While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
A. Enable IAM Shield Advanced and IAM WA
B. Configure an IAM WAF custom filter for egress traffic on port 5353
C. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 ope
D. Update the NACLs to block port 5353 outbound
E. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353
F. Use Amazon Athena to query IAM CloudTrail logs in Amazon S3 and look for any traffic on port 5353
View answer
Correct Answer: BDF
Question #30
A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the togging server but the web server never receives a reply Which of the following actions could fix this issue1?
A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server
B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server
C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection
D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection
View answer
Correct Answer: B

View The Updated AWS Exam Questions

SPOTO Provides 100% Real AWS Exam Questions for You to Pass Your AWS Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: