SCS-C02 Exam Questions 2024 Updated: Get Ready for Exams, AWS Certified Security - Specialty | SPOTO

Prepare for success in the AWS Certified Security - Specialty (SCS-C02) exam with SPOTO's 2024 updated exam questions. This certification showcases your proficiency in devising and executing security solutions within the AWS Cloud environment. It also affirms your grasp of professional data classification, AWS data protection mechanisms, encryption methods, and secure Internet protocols. SPOTO offers a range of resources to ensure your readiness, including exam questions and answers, practice tests, exam dumps, sample questions, and free quizzes. Our exam materials are meticulously crafted to align with the latest exam trends, enabling you to practice effectively and enhance your exam preparation. With SPOTO's exam simulator and online exam questions, you'll gain hands-on experience and confidence to tackle the SCS-C02 exam successfully. Prepare with SPOTO and excel in AWS security.

Question #1
Your company is planning on developing an application in AWS. This is a web-based application. The application user will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this? Please select:
A. Create an OIDC identity provider in IAM
B. Create a SAML provider in IAM
C. Use AWS Cognito to manage the user profiles
D. Use IAM users to manage the user profiles
Correct Answer: B
Question #2
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs). Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?
A. The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey
B. Newly created CMKs must have a key policy that allows the root principal to perform all actions
C. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation
D. Newly created CMKs must mirror the IAM policy of the KMS key administrator
Correct Answer: D
Question #3
Which of the below services can be integrated with the AWS Web Application Firewall service? Choose 2 answers from the options given below. Please select:
A. AWS CloudFront
B. AWS Lambda
C. AWS Application Load Balancer
D. AWS Classic Load Balancer
Correct Answer: A
Question #4
You have a vendor that needs access to an AWS resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use? Please select:
A. An IAM Managed Policy
B. An Inline Policy
C. A Bucket Policy
D. A bucket ACL
Correct Answer: B
Question #5
A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture: • Data must be encrypted in transit. • Data must be encrypted at rest. • The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Select THREE.)
A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket
B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket
C. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport
D. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only
E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms"
F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket
Correct Answer: ABE
Question #6
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account? Please select:
A. Use AWS Inspector to inspect all the EBS volumes
B. Use AWS Config to check for unencrypted EBS volumes
C. Use AWS GuardDuty to check for the unencrypted EBS volumes
D. Use AWS Lambda to check for the unencrypted EBS volumes
Correct Answer: ACE
Question #7
A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur. What should the Security Engineer do to meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration
B. Send notifications using Amazon SNS
C. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty finding
D. Send email notifications using Amazon SNS
E. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected
F. Use Amazon Inspector to automatically detect security issue G
Correct Answer: B
Question #8
A company is planning on extending their on-premise AWS Infrastructure to the AWS Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below. Please select:
A. AWS VPN
B. AWS VPC Peering
C. AWS NAT gateways
D. AWS Direct Connect
Correct Answer: A
Question #9
A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails. Which factors could be the cause of this failure? (Select TWO.)
A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store
C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter
D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret
E. The EC2 instance does not have any tags associated
Correct Answer: BE
Question #10
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role. When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is con
A. Create an IAM user and generate a set of long-term credential
B. Provide the credentials to AnyCompany
C. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy
D. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent
E. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy
Correct Answer: BD
Question #11
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below. Please select:
A. Use Windows BitLocker for EBS volumes on Windows instances
B. Use TrueEncrypt for EBS volumes on Linux instances
C. Use AWS Systems Manager to encrypt the existing EBS volumes
D. Boot EBS volume can be encrypted during launch without using custom AMI
Correct Answer: B
Question #12
A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead. What should a security engineer recommend to meet t
A. Create an AWS Config rule defining the patch as a required configuration for EC2 instances
B. Use the AWS Systems Manager Run Command to patch affected instances
C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances
D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch
Correct Answer: A
Question #13
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis
B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs
C. Download and run the EC2Rescue for Windows Server utility from AWS
D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump
Correct Answer: C
Question #14
You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard? Please select:
A. AWS CloudWatch
B. AWS EC2
C. AWS Trusted Advisor
D. AWS SNS
Correct Answer: B
Question #15
Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service? Please select:
A. The master key encrypts the cluster key
B. The cluster key encrypts the database key
C. The database key encrypts the data encryption keys
D. The master key encrypts the database key
E. The database key encrypts the data encryption keys
F. The master keys encrypts the data encryption key G
Correct Answer: AB
Question #16
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of keys, but are not sure which services are currently using the keys. Which of the following would be a safe option to stop the keys from further usage? Please select:
A. Delete the keys since anyway there is a 7 day waiting period before deletion
B. Disable the keys
C. Set an alias for the key
D. Change the key material for the key
Correct Answer: BEF
Question #17
A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished? Please select:
A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation
Correct Answer: AD
Question #18
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old. Which of the following options should the Security Engineer use?
A. In the AWS Console, choose the IAM service and select “Users”
B. Define an IAM policy that denies access if the key age is more than three months and apply to all users
C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs
D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days
Correct Answer: B
Question #19
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table. Which of the following has been taken care of from a security perspective from the above command? Please select:
A. Since the ID is hashed, it ensures security of the underlying table
B. The above command ensures data encryption at rest for the Customer table
C. The above command ensures data encryption in transit for the Customer table
D. The right throughput has been specified from a security perspective
Correct Answer: B
Question #20
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirem
A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances
C. In the AL
D. select the default encryption to encrypt the traffic between the ALB and the EC2 instances
E. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances
F. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances
Correct Answer: BD
Question #21
You have a 2-tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below. Plea
A. wg-123 -Allow ports 80 and 443 from 0
B. db-345 - Allow port 1433 from wg-123
C. wg-123 - Allow port 1433 from wg-123
D. db-345 -Allow ports 1433 from 0
Correct Answer: D
