Amazon SCS-C02 dumps

Amazon SCS-C02 Exam Dumps

AWS Certified Security - Specialty

Exam Code SCS-C02
Exam Name AWS Certified Security - Specialty
Questions 467 Questions Answers With Explanation
Update Date 04, 25, 2026

Why Should You Prepare For Your AWS Certified Security - Specialty With MyCertsHub?

At MyCertsHub, we go beyond standard study material. Our platform provides authentic Amazon SCS-C02 Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual AWS Certified Security - Specialty test. Whether you’re targeting Amazon certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.

Verified SCS-C02 Exam Dumps

Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the SCS-C02 AWS Certified Security - Specialty, you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.

Realistic Test Prep For The SCS-C02

You can instantly access downloadable PDFs of SCS-C02 practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Amazon Exam with confidence.

Smart Learning With Exam Guides

Our structured SCS-C02 exam guide focuses on the AWS Certified Security - Specialty's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.

Pass the SCS-C02 Exam – Guaranteed

We Offer A 100% Money-Back Guarantee On Our Products.

After using MyCertsHub's exam dumps to prepare for the AWS Certified Security - Specialty exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.

Try Before You Buy – Free Demo

Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the SCS-C02 exam dumps.

MyCertsHub – Your Trusted Partner For Amazon Exams

Whether you’re preparing for AWS Certified Security - Specialty or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your SCS-C02 exam has never been easier thanks to our tried-and-true resources.

Amazon SCS-C02 Sample Question Answers

Question # 1

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.



Question # 2

A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption



Question # 3

A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud.

Which solution will meet these requirements?

A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.



Question # 4

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied.

Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

A. Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.
B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.
C. Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.
D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
E. Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.



Question # 5

A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability.

Which solution will meet these requirements?

A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.



Question # 6

A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.



Question # 7

An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.

Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.

A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other.

Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)

A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.



Question # 8

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances for CVE in a single IAM account. The Engineer has already enabled IAM Security Hub and Amazon Inspector in the IAM Management Console and has installed the Amazon Inspector agent on all EC2 instances that need to be monitored.

Which additional steps should the Security Engineer take to meet this requirement?

A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from IAM Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure IAM Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.



Question # 9

An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR).

The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories.

The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other security-related findings that they intend to generate in the future.

There are specific repositories that the security team needs to exclude from the scanning process.

Which solution will meet these requirements?

A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.



Question # 10

A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.

The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account.

Which solution will meet these requirements?

A. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
B. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
C. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
D. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.



Question # 11

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services. The contractor's IAM account must not be able to gain access to any other IAM service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the security engineer do to meet these requirements?

A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.



Question # 12

A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS.

How should a security engineer implement this solution?

A. Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall. Install the IAM CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the IAM CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.
D. Assign a static range of IP addresses for the EFS file system by contacting IAM Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.



Question # 13

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.



Question # 14

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

What should the security engineer do to resolve this error?

A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.



Question # 15

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to IAM WAF blacklisted IPs
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP



Question # 16

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?

Please select:

A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer



Question # 17

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.

The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.
D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.



Question # 18

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

A. In the security group of the EC2 instance, allow inbound ICMP traffic.
B. In the security group of the EC2 instance, allow outbound ICMP traffic.
C. In the VPC's NACL, allow inbound ICMP traffic.
D. In the VPC's NACL, allow outbound ICMP traffic.



Question # 19

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company’s AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.

Which solution will meet these requirements?

A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.



Question # 20

A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs.

Which solution will meet these requirements?

A. Generate an S3 bucket policy. Specify cloudfront.amazonaws.com as the principal. Use the aws:SourceIp condition key to allow access only if the request comes from the specified IP addresses.
B. Create a CloudFront origin access identity (OAI). Create the S3 bucket policy so that only the OAI has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
C. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.
D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.



Question # 21

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials.

The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS



Question # 22

A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.

What should the security engineer do next to meet these requirements?

A. Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduled deletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.
B. Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
C. Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
D. Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.



Question # 23

A company that uses AWS Organizations is migrating workloads to AWS. The company's application team determines that the workloads will use Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements:

• All EC2 instances must be launched from approved AWS accounts.
• All DynamoDB tables must be provisioned with a standardized naming convention.
• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.

Which combination of steps should the application team take to meet these requirements? (Select TWO.)

A. Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.
B. Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.
C. Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.
D. Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.
E. Activate AWS Config managed rules for each service in the application AWS account.



Question # 24

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.

Which solution meets these requirements?

A. Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
C. Analyze VPC flow logs for activity by searching for the access key
D. Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.



Question # 25

A company manages three separate IAM accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.

How should access be granted?

A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
C. Create a temporary IAM user for the application to use in the production account.
D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.



Feedback That Matters: Reviews of Our Amazon SCS-C02 Dumps

    Rowan Rogers         Apr 25, 2026

The SCS-C02 dumps PDF from MyCertsHub was a game-changer for me! The material was so well-structured and easy to follow. My scores on the practice tests increased significantly after I went over the questions and answers multiple times. The real exam had many similar exam questions, which made me feel confident. Strongly recommended!

    Alan May         Apr 24, 2026

Thanks to MyCertsHub's practice tests, I was able to pass the SCS-C02 exam on my first attempt! Spot-on content!

    Gregory Murphy         Apr 24, 2026

The MyCertsHub SCS-C02 practice exams were extremely similar to the actual exam. The format, difficulty level, and even time constraints were all spot-on. I particularly liked how the exam questions covered all important subjects. A few more explanations for tricky answers would make it even better!

    Brantley Peterson         Apr 23, 2026

The section with the practice questions and answers was my go-to source. Clear, concise, and super helpful for last-minute revisions. Thanks to this, I passed the exam!

    Jacob Williams         Apr 23, 2026

Loved the PDF dumps, but it would be perfect if there were more scenario-based exam questions. Still, it helped me pass!

    Henry Miller         Apr 22, 2026

I loved using the score dumps feature to keep track of my progress. I was motivated by seeing my progress over time!

    Aarif Kapur         Apr 22, 2026

MyCertsHub's practice tests and dumps PDF are a must-try if you're preparing for SCS-C02!

