SCS-C02 Amazon Web Services AWS Certified Security - Specialty Free Practice Exam Questions (2025 Updated)

Prepare effectively for your Amazon Web Services SCS-C02 AWS Certified Security - Specialty certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Amazon Web Services SCS-C02 Premium Access Download Demo

Page: 7 / 7
Total 417 questions

Question # 126

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.

What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

Review the application security groups to ensure that only the necessary ports are open.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

Use Amazon Inspector to periodically scan the backend instances.

Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Question # 127

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from NACL2.• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Question # 128

A company hired an external consultant who needs to use a laptop to access the company's VPCs Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources.

Which solution will meet these requirements?

Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule. Create an AWS account Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.

Create an AWS Client VPN endpoint in the same Region as the B. VPCs. Configure access through an appropriate subnet and authorization rule.

Create a gateway VPC endpoint in the same Region as the VPCs. D. Configure access through an appropriate subnet and authorization rule.

Question # 129

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon

EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

A customer managed CMK that uses customer provided key material

A customer managed CMK that uses AWS provided key material

An AWS managed CMK

Operation system-native encryption that uses GnuPG

Explanation:

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/import-key-material.html

aws kms import-key-material \

--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \

--encrypted-key-material fileb://EncryptedKeyMaterial.bin \

--import-token fileb://ImportToken.bin \

--expiration-model KEY_MATERIAL_EXPIRES \

--valid-to 2021-09-21T19:00:00Z

The correct answer is A. A customer managed CMK that uses customer provided key material.

A customer managed CMK is a KMS key that you create, own, and manage in your AWS account. You have full control over the key configuration, permissions, rotation, and deletion.You can use a customer managed CMK to encrypt and decrypt data in AWS services that are integrated with AWS KMS, such as Amazon EBS1.

A customer managed CMK can use either AWS provided key material or customer provided key material. AWS provided key material is generated by AWS KMS and never leaves the service unencrypted. Customer provided key material is generated outside of AWS KMS and imported into a customer managed CMK.You can specify an expiration date for the imported key material, after which the CMK becomes unusable until you reimport new key material2.

To meet the criteria of automatically expiring the key material in 90 days, you need to use customer provided key material and set the expiration date accordingly. This way, you can ensure that the data encrypted with the CMK will not be accessible after 90 days unless you reimport new key material and re-encrypt the data.

The other options are incorrect for the following reasons:

B. A customer managed CMK that uses AWS provided key material does not expire automatically. You can enable automatic rotation of the key material every year, but this does not prevent access to the data encrypted with the previous key material.You would need to manually delete the CMK and its backing key material to make the data inaccessible3.

C. An AWS managed CMK is a KMS key that is created, owned, and managed by an AWS service on your behalf. You have limited control over the key configuration, permissions, rotation, and deletion. You cannot use an AWS managed CMK to encrypt data in other AWS services or applications.You also cannot set an expiration date for the key material of an AWS managed CMK4.

D. Operation system-native encryption that uses GnuPG is not a solution that uses AWS KMS. GnuPG is a command line tool that implements the OpenPGP standard for encrypting and signing data. It does not integrate with Amazon EBS or other AWS services.It also does not provide a way toautomatically expire the key material used for encryption5.

[References:, 1:Customer Managed Keys - AWS Key Management Service2: [Importing Key Material inAWS Key Management Service (AWS KMS) - AWS Key Management Service]3: [Rotating Customer Master Keys - AWS Key Management Service]4: [AWS Managed Keys - AWS Key Management Service]5:The GNU Privacy Guard, , , , , ]

Question # 130

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership

What should the security engineer do to meet these requirements''

Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Amazon Web Services SCS-C02 Premium Access Download Demo

Page: 7 / 7
Total 417 questions

Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmaspas7

SCS-C02 Amazon Web Services AWS Certified Security - Specialty Free Practice Exam Questions (2025 Updated)

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation: