SCS-C02 dumps
5 Star


Customer Rating & Feedbacks
98%


Exactly Questions Came From Dumps

Amazon SCS-C02 Question Answers

AWS Certified Security - Specialty Dumps July 2026

discount banner
PDF + Test Engine $139  $97
Test Engine
$119  $83
PDF $99  $69

Here are Amazon SCS-C02 PDF available features:

467 questions with answers Updation Date : 16 Jul, 2026
1 day study required to pass exam 100% Passing Assurance
100% Money Back Guarantee Free 3 Months Updates
Amazon SCS-C02 Sample Questions

Question # 121

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet. The security team is unable to get objects from the S3 bucket Which factors could cause this issue? (Select THREE.) 

A. The IAM instance profile that is attached to the EC2 instance does not allow the s3ListBucket action to the S3: bucket in the AWS accounts.
B. The I AM instance profile that is attached to the EC2 instance does not allow the s3ListParts action to the S3; bucket in the AWS accounts.
C. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms;ListKeys action to the EC2 instance profile ARN.
D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kmsDecrypt action to the EC2 instance profile ARN.
E. The security group that is attached to the EC2 instance is missing an outbound rule tothe S3 managed prefix list over port 443.
F. The security group that is attached to the EC2 instance is missing an inbound rule fromthe S3 managed prefix list over port 443.


Question # 122

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). Which solution will meet these requirements? 
 

A. Enable KMS encryption on the existing ECR repositories. Install Amazon InspectorAgent from the ECS container instances’ user data. Run an assessment with the CVErules.
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled.Analyze the scan report after the next push of images.
C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. InstallAWS Systems Manager Agent on the ECS container instances. Run an inventory report.
D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor tocheck the ECS container instances and to verily the findings against a list of current CVEs.


Question # 123

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this? (Select TWO.) 

A. Create an IAM Config rule to detect the creation of unencrypted RDS databases. Createan Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Configrules compliance state change and use Amazon Simple Notification Service (Amazon SNS)to notify the security operations team.
B. Use IAM System Manager State Manager to detect RDS database encryptionconfiguration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule totrack state changes and use Amazon Simple Notification Service (Amazon SNS) to notifythe security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replicaencryption in the process. Once the replica becomes active, promote it into a standalonedatabase instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enablesnapshot encryption in the process. Restore the database instance from the newly createdencrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing theconfigurations of the existing database


Question # 124

A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function. When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an “error loading Log Streams" message appears. The IAM policy for the Lambda function's execution role contains the following:

 
How should the security engineer correct the error?

A. Move the logs:CreateLogGroup action to the second Allow statement.
B. Add the logs:PutDestination action to the second Allow statement.
C. Add the logs:GetLogEvents action to the second Allow statement.
D. Add the logs:CreateLogStream action to the second Allow statement.


Question # 125

A security engineer has enabled IAM Security Hub in their IAM account, and has enabled the Center for internet Security (CIS) IAM Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS IAM Foundations compliance. Which steps should the security engineer take to meet these requirements? 

A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it toperform the CIS compliance evaluation
B. Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hubservice role has permissions to retrieve the Trusted Advisor security-related recommendedactions
C. Ensure that IAM Config. is enabled in the account, and that the required IAM Configrules have been created for the CIS compliance evaluation
D. Ensure that the correct trail in IAM CloudTrail has been configured for monitoring bySecurity Hub and that the Security Hub service role has permissions to perform theGetObject operation on CloudTrails Amazon S3 bucket


Question # 126

A company's application team wants to replace an internal application with a new IAM architecture that consists of Amazon EC2 instances, an IAM Lambda function, and an Amazon S3 bucket in a single IAM Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in IAM Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways. Which combination of steps should the application team take to meet these requirements? (Select THREE.) 

A. Create an S3 endpoint that has a full-access policy for the application's VPC.
B. Create an S3 access point for the S3 bucket. Include a policy that restricts the networkorigin to VPCs.
C. Launch the Lambda function. Enable the block public access configuration.
D. Create a security group that has an outbound rule over port 443 with a destination of theS3 endpomt. Associate the security group with the EC2 instances.
E. Create a security group that has an outbound rule over port 443 with a destination of theS3 access point. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.


Question # 127

A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access? 
 

A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
B. Create cross-account access with an IAM role in the developer account. Grant theappropriate permissions to this role. Allow users in the developer account to assume thisrole to access the production resources.
C. Create cross-account access with an IAM user account in the production account. Grantthe appropriate permissions to this user account. Allow users in the developer account touse this user account to access the production resources.
D. Create cross-account access with an IAM role in the production account. Grant theappropriate permissions to this role. Allow users in the developer account to assume thisrole to access the production resources.


Question # 128

An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the apnortheast- 2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.) 

A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that theAuto Scaling groups launch. Generate a CloudWatch agent configuration file to forward therequired logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scalinggroups use. Configure the role to provide the necessary permissions to forward logs toAmazon CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scalinggroups use. Configure the role to provide the necessary permissions to forward logs toAmazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that theAuto Scaling groups launch. Configure the log forwarding application to periodically bundlethe logs and forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after7 years.


Question # 129

Your company uses IAM to host its resources. They have the following requirements 1) Record all API calls and Transitions 2) Help in understanding what resources are there in the account 3) Facility to allow auditing credentials and logins Which services would suffice the above requirements Please select: 

A. IAM Inspector, CloudTrail, IAM Credential Reports
B. CloudTrail. IAM Credential Reports, IAM SNS
C. CloudTrail, IAM Config, IAM Credential Reports
D. IAM SQS, IAM Credential Reports, CloudTrail


Question # 130

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing. The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received. What should the Security Engineer do to troubleshoot this issue? A) Add the following statement to the IAM managed CMKs:

 

A. Option A
B. Option B
C. Option C
D. Option D


12345678910111213141516

Download All 467 Questions Check Customers Feedbacks