Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmaspas7

Easiest Solution 2 Pass Your Certification Exams

SCS-C02 Amazon Web Services AWS Certified Security - Specialty Free Practice Exam Questions (2025 Updated)

Prepare effectively for your Amazon Web Services SCS-C02 AWS Certified Security - Specialty certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Amazon Web Services SCS-C02 Premium Access     Download Demo    
Page: 6 / 7
Total 417 questions

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

A.

Disable termination protection for the EC2 instance if termination protection has not been disabled.

B.

Enable termination protection for the EC2 instance if termination protection has not been enabled.

C.

Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to theEC2 instance.

D.

Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

E.

Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

F.

Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

A company is building a data processing application that uses AWS Lambda functions The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

A.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

C.

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A.

B.

B. A screenshot of a computer code Description automatically generated

C.

A screenshot of a computer code Description automatically generated

D.

A screenshot of a computer code Description automatically generated

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

A.

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

B.

Create an SCP that grants permissions to the top-level account.

C.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role'sARNin the policy.

D.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Configure the S3 Block Public Access feature for the AWS account.

B.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.

Deactivate ACLs for objects that are in the bucket.

D.

Use AWS PrivateLink for Amazon S3 to access the bucket.

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised

Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

A.

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

B.

Respond to the notification and list the actions that have been taken to address the incident

C.

Delete all IAM users and resources in the account

D.

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

E.

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.

How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

A.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

B.

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

C.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

D.

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

A security engineer has enabled IAM Security Hub in their IAM account, and has enabled the Center for internet Security (CIS) IAM Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS IAM Foundations compliance.

Which steps should the security engineer take to meet these requirements?

A.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

B.

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

C.

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

D.

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

A security engineer needs to create an IAM Key Management Service

Which statement in the KMS key policy will meet these requirements?

A)

B)

C)

A.

Option A

B.

Option B

C.

Option C

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.070. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant.

A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups.

What should the security engineer do next to meet these requirements?

A.

Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.

B.

Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.

C.

Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

D.

Configure an Amazon CloudWatch alarm on (he CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.

3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other

4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols

5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required

Which of the following accurately reflects the access control mechanisms the Architect should verify1?

A.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

B.

Inbound SG configuration on database serversOutbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnetInbound and outbound network ACL configuration on the application server subnet

C.

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

D.

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?

A.

Use the SimpleCORS managed response headers policy.

B.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

C.

Use the SecurityHeadersPolicy managed response headers policy.

D.

Include the X-XSS-Protection header in a custom response headers policy.

A company controls user access by using IAM users and groups in AWS accounts across an organization in AWS Organizations. The company uses an external identity provider (IdP) for workforce single sign-on (SSO). The company needs to implement a solution to provide a single management portal to access accounts within the organization. The solution must support the external IdP as a federation source.

A.

Enable AWS IAM Identity Center. Specify the external IdP as the identity source.

B.

Enable federation with AWS Identity and Access Management (IAM). Specify the external IdP as the identity source.

C.

Migrate to Amazon Verified Permissions. Implement fine-grained access to AWS by using policy-based access control (PBAC).

D.

Migrate users to AWS Directory Service. Use AWS Control Tower to centralize security across the organization.

A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.

An IAM role in the same account has an IAM policy that allows s3 List* and s3 Get' permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket the role receives an access denied message.

Why does the IAM rote not have access to the objects that are in the S3 bucket?

A.

The IAM rote does not have permission to use the KMS CreateKey operation.

B.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

C.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

D.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

A company deployed IAM Organizations to help manage its increasing number of IAM accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead

Which solution will meet these requirements?

A.

1 Put all users into an IAM group with an access policy granting access to the J bucket.

B.

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

C.

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

D.

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

A.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

B.

Add an IAM policy for the developer, which grants $3 access.

C.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

D.

Add an allow list for the developer account for the $3 service.

A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:

Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidldentityToken)

A security engineer needs to provide a solution that corrects the error and min-imizes operational overhead.

Which solution meets these requirements?

A.

Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

B.

Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CU.

C.

Download the updated SAML metadata file from the identity service provid-er. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

D.

Configure the AWS identity provider entity defined in AWS Identity and Ac-cess Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and has started using AWS Identity and Access Management Access Analyzer to refine overly broad access to accounts in the organization.

A security engineer must automate a response in the company's organization for any newly created policies that are overly permissive. The automation must remediate external access and must notify the company's security team.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

A.

Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SimpleNotification Service (Amazon SNS) topic.

B.

Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Denystatement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.

C.

In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

D.

In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

E.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

F.

Create an Amazon Simple Notification Service (Amazon SNS) topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.

A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

A.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

B.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

C.

Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

D.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this9 (Select TWO )

A.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

B.

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

C.

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

D.

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

E.

Use IAM WAF to create rules to respond to such attacks

Amazon Web Services SCS-C02 Premium Access     Download Demo    
Page: 6 / 7
Total 417 questions
Copyright © 2014-2025 Solution2Pass. All Rights Reserved