SCS-C02 dumps
5 Star


Customer Rating & Feedbacks
98%


Exactly Questions Came From Dumps

Amazon SCS-C02 Question Answers

AWS Certified Security - Specialty Dumps July 2026

discount banner
PDF + Test Engine $139  $97
Test Engine
$119  $83
PDF $99  $69

Here are Amazon SCS-C02 PDF available features:

467 questions with answers Updation Date : 16 Jul, 2026
1 day study required to pass exam 100% Passing Assurance
100% Money Back Guarantee Free 3 Months Updates
Amazon SCS-C02 Sample Questions

Question # 41

An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR). The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories. The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other securityrelated findings that they intend to generate in the future. There are specific repositories that the security team needs to exclude from the scanning process. Which solution will meet these requirements? 

A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repos-itoriesthat need to be scanned. Push Amazon Inspector findings to AWS Se-curity Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR tomatch repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR tomatch repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to matchrepositories that need to be scanned. Push Amazon Inspector findings to AWS Config.


Question # 42

A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads. The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account. Which solution will meet these requirements? 

A. Activate Amazon GuardDuty in each production account. In a dedicated loggingaccount. aggregate all GuardDuty logs from each production account. Remediate incidentsby configuring GuardDuty to directly invoke an AWS Lambda function. Configure theLambda function to also publish notifications to the SNS topic.
B. Activate AWS security Hub in each production account. In a dedicated logging account.aggregate all security Hub findings from each production account. Remediate incidents byustng AWS Config and AWS Systems Manager. Configure Systems Manager to alsopub11Sh notifications to the SNS topic.
C. Activate Amazon GuardDuty in each production account. In a dedicated loggingaccount. aggregate all GuardDuty logs from each production account Remediate incidentsby using Amazon EventBridge to invoke a custom AWS Lambda function from theGuardDuty findings. Configure the Lambda function to also publish notifications to the SNStopic.
D. Activate AWS Security Hub in each production account. In a dedicated logging account.aggregate all Security Hub findings from each production account. Remediate incidents byusing Amazon EventBridge to invoke a custom AWS Lambda function from the SecurityHub findings. Configure the Lambda function to also publish notifications to the SNS topic.


Question # 43

A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised. Which combination of controls should the security engineer propose? (Select THREE.) A)

 

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
F. Option F


Question # 44

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership What should the security engineer do to meet these requirements'' 

A. Create an mime IAM user policy that allows for Amazon EC2 access for the contractor'sIAM user
B. Create an IAM permissions boundary policy that allows Amazon EC2 access Associatethe contractor's IAM account with the IAM permissions boundary policy
C. Create an IAM group with an attached policy that allows for Amazon EC2 accessAssociate the contractor's IAM account with the IAM group
D. Create a IAM role that allows for EC2 and explicitly denies all other services Instruct thecontractor to always assume this role


Question # 45

A company Is planning to use Amazon Elastic File System (Amazon EFS) with its onpremises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS How should a security engineer implement this solution'' 

A. Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the datacenter firewall Install the IAM CLI on the data center-based servers to mount the EFS filesystem in the EFS security group add the data center IP range to the allow list Mount theEFS using the EFS file system name
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allowlist for the data center firewall Install the IAM CLI on the data center-based servers tomount the EFS file system In the EFS security group, add the IP addresses of the datacenter servers to the allow list Mount the EFS using the Elastic IP address
C. Add the EFS file system mount target IP addresses to the allow list for the data centerfirewall In the EFS security group, add the data center server IP addresses to the allow listUse the Linux terminal to mount the EFS file system using the IP address of one of themount targets
D. Assign a static range of IP addresses for the EFS file system by contacting IAM SupportIn the EFS security group add the data center server IP addresses to the allow list Use theLinux terminal to mount the EFS file system using one of the static IP addresses


Question # 46

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.) 
 

A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from theNLB.
F. The target network ACL is not attached to the NLB.


Question # 47

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error? 

A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2instance profile.
D. Create a new SSH key pair for the EC2 instance.


Question # 48

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot? 
 

A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to IAM WAF backhsted IPs
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IPD. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for themalicious IP


Question # 49

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this. Please select: 
 

A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer


Question # 50

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past. The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. Which solution will meet these requirements? 

A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Exportthe results to a data table. Group the data table by re-source.
B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detec-tionhistory. Set the time frame to Last 30 days. In the search area, choose the servicecategory.
C. In AWS CloudTrail, filter the event history to display results from the past 30 days.Create an Amazon Athena table that contains the data. Parti-tion the table by event source.
D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usagebasedframework to the assessment. Configure the assessment to as-sess by resource.


12345678910111213141516

Download All 467 Questions Check Customers Feedbacks