SCS-C02 Amazon Web Services AWS Certified Security - Specialty Free Practice Exam Questions (2025 Updated)

To avoid AccessDeniedExceptions when users first attempt to encrypt using the CMK, the security specialist should recommend the following solution:

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. This allows the engineering team to use the grant token as a form of temporary authorization for the grant.

Instruct users to use that grant token in their call to encrypt. This allows the users to use the grant token as a proof that they have permission to use the CMK, and to avoid any eventual consistency issues with the grant creation.

because this is a solution that can monitor each S3 bucket for unrestricted public write access and use IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.

To support answer B, use the referencehttps://d1.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf

"For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for all EBS volumes in your account."

To configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances with the least operational effort, the most appropriate solution would be to use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.

 AWS Certificate Manager - Amazon Web Services : Elastic Load Balancing - Amazon Web Services : Amazon Elastic Compute Cloud - Amazon Web Services : AWS Certificate Manager - Amazon Web Services

Comprehensive and Detailed Explanation From Exact Extract:

Service Control Policies (SCPs) are applied at the AWS Organizations level to manage what permissions are available across accounts. SCPs do not grant permissions themselves but restrict them.

In this case, the existing SCP denies resource sharing with external accounts across the organization. To allow an exception for the marketing team, the correct solution is to edit the existing SCP and apply a Condition that excludes the marketing team’s account. This is typically done using the StringNotEquals condition with the aws:PrincipalAccount or aws:PrincipalOrgID key.

By using a condition statement, you can tailor the SCP to deny access only to accounts other than the marketing account. This method ensures granular control without having to restructure the Organizational Unit (OU) or write an entirely separate policy.

Reference from AWS Certified Security - Specialty Official Guide:

This scenario is covered under the Identity and Access Management domain, where SCP exceptions and conditions are used to precisely control permission inheritance across accounts in an organization.

the most secure way to meet the requirements. TLS is a protocol that provides encryption and authentication for data in transit. ALB is a service that distributes incoming traffic across multiple EC2 instances. HIDS is a system that monitors and detects malicious activity on a host. ECDHE is a type of cipher suite that supports perfect forward secrecy, which is a property that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. By creating a listener on the ALB that does not enable PFS cipher suites, and using encrypted connections to the servers using ECDHE cipher suites, you can ensure that the HIDS agents can capture the traffic of the EC2 instance without compromising the privacy of the users. The other options are either less secure or less compatible with the third-party solution.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#eni-basics Source/destination checking "You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls."

The correct answer is C. Disable the Network Source/Destination check on the security appliance’s elastic network interface.

This answer is correct because disabling the Network Source/Destination check allows the virtual security appliance to route traffic that is not addressed to or from itself. By default, this check is enabled on all EC2 instances, and it prevents them from forwarding traffic that does not match their own IP or MAC addresses.However, for a virtual security appliance that acts as a router or a firewall, this check needs to be disabled, otherwise it will drop the traffic that it is supposed to route12.

The other options are incorrect because:

A. Disabling network ACLs is not a solution, because network ACLs are optional layers of security for the subnets in a VPC.They can be used to allow or deny traffic based on IP addresses and ports, but they donot affect the routing behavior of the virtual security appliance3.

B. Configuring the security appliance’s elastic network interface for promiscuous mode is not a solution, because promiscuous mode is a mode for a network interface that causes it to pass all traffic it receives to the CPU, rather than passing only the frames that it is programmed to receive.Promiscuous mode is normally used for packet sniffing or monitoring, but it does not enable the network interface to route traffic4.

D. Placing the security appliance in the public subnet with the internet gateway is not a solution, because it does not address the routing issue of the virtual security appliance.Thesecurity appliance can be placed in either a public or a private subnet, depending on the network design and security requirements, but it still needs to have the Network Source/Destination check disabled to route traffic properly5.

The correct answer is A, C, and E because they provide the most secure and efficient way to implement private connectivity to AWS services. Using interface VPC endpoints for Amazon SQS and gateway VPC endpoints for Amazon S3 allows the application to access these services without using public IP addresses or internet gateways. Modifying the endpoint policies on all VPC endpoints enables the security engineer to specify the SQS and S3 resources that the application uses and restrict access to other resources.

The other options are incorrect because they do not provide private connectivity to AWS services or they introduce unnecessary complexity or cost. Option B is incorrect because AWS Transit Gateway is used to connect multiple VPCs and on-premises networks, not to connect to AWS services. Option D is incorrect because modifying the IAM role applied to the EC2 instances is not sufficient to allow outbound traffic to the interface endpoints. The security group and route table associated with the interface endpoints also need to be configured. Option F is incorrect because AWS Firewall Manager is used to centrally manage firewall rules across multiple accounts and resources, not to connect to AWS services.

Comprehensive and Detailed Explanation From Exact Extract:

Using AWS WAF with an Application Load Balancer (ALB) allows you to mitigate SQL injection attacks quickly by deploying managed rule groups designed for common web exploits. This method allows the existing EC2 instances to continue operating without changes, minimizing disruption.

By fronting the EC2 instances with an ALB, you can then:

Apply WAF rules

Redirect DNS records from Route 53 to the ALB

Restrict direct EC2 access via security groups

This approach is rapid, low effort, and preserves availability, making it ideal for critical, time-sensitive security mitigations.

To rotate database credentials every 30 days, the most secure and efficient solution is to store the database credentials in AWS Secrets Manager and configure automatic credential rotation for every 30 days. Secrets Manager can handle the rotation of the credentials in both the secret and the database, and it can use AWS KMS to encrypt the credentials. Option B is incorrect because it requires creating a custom Lambda function to rotate the credentials, which is more effort than using Secrets Manager. Option C is incorrect because it stores the database credentials in an environment file or a configuration file, which is less secure than using Secrets Manager. Option D is incorrect because it combines the drawbacks of option B and option C. Verified References:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html

Comprehensive Detailed Explanation with all AWS References

The simplest and most efficient way to enforce a data retention policy in Amazon S3 is by usingS3 Lifecycle rules:

S3 Lifecycle Rule:

Lifecycle rules allow you to automatically delete objects based on their age or last-modified date.

Specify a rule to delete objects after 45 days to meet the retention policy.

For a company using AWS Organizations that requires centralized management and automatic activation of Amazon GuardDuty across all current and future AWS accounts, setting up a delegated administrator account for GuardDuty is the optimal solution. By enabling GuardDuty in a new account and designating it as the delegated administrator, the company can centrally manage GuardDuty findings and automatically enroll new AWS accounts into GuardDuty as they are created within the organization. This approach ensures consistent threat detection and continuous monitoring across all accounts, aligning with best security practices.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another IAM account within a single region.

Options B and C are invalid because you need to use VPC Peering

Option D is invalid because VPC Peering is available

For more information on VPC Peering please see the below Link:

http://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

The correct answer is: Set up VPC peering between the central server VPC and each of the teams VPCs. Submit your Feedback/Queries to our Experts

The correct answer is C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

According to the AWS documentation1, a bucket policy is a resource-based policy that you can use to grant access permissions to your Amazon S3 bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner.

When you create a trail in CloudTrail, you can specify an existing S3 bucket or create a new one to store your log files. CloudTrail automatically creates a bucket policy for your S3 bucket that grants CloudTrail write-only access to deliver log files to your bucket. The bucket policy also grants read-only access to AWS services that you can use to view and analyze your log data, such as Amazon Athena, Amazon CloudWatch Logs, and Amazon QuickSight.

If you want to update the log file prefix for an existing trail, you must also update the existing bucket policy in the S3 console with the new log file prefix. The log file prefix is part of the resource ARN that identifies the objects in your bucket that CloudTrail canaccess. If you don’t update the bucket policy with the new log file prefix, CloudTrail will not be able to deliver log files to your bucket, and you will receive an error message when you try to save the change in the CloudTrail console.

The other options are incorrect because:

A. Creating a new trail with the updated log file prefix, and then deleting the original trail is not necessary and may cause data loss or inconsistency. You can simply update the existing trail and its associated bucket policy with the new log file prefix.

B. Updating the existing bucket policy in the S3 console to allow the Security Engineer’s Principal to perform PutBucketPolicy is not relevant to this issue. The PutBucketPolicy action allows you to create or replace a policy on a bucket, but it does not affect CloudTrail’s ability to deliver log files to your bucket. You still need to update the existing bucket policy with the new log file prefix.

D. Updating the existing bucket policy in the S3 console to allow the Security Engineer’s Principal to perform GetBucketPolicy is not relevant to this issue. The GetBucketPolicy action allows you to retrieve a policy on a bucket, but it does not affect CloudTrail’s ability to deliver log files to your bucket. You still need to update the existing bucket policy with the new log file prefix.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html