Weekend Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 10

Questions 91

A company needs to retain data that is stored in Amazon CloudWatch Logs log groups The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement.

Which solution will provide the appropriate notification?

Options:
A.

Create a Security Hub custom action to assess the log group retention period.

B.

Create a data protection policy in CloudWatch Logs to assess the log group retention period.

C.

Create a Security Hub automation rule Configure the automation rule to assess the log group retention period.

D.

Use the AWS Config managed rule that assesses the log group retention period Ensure that AWS Config integration is enabled in Security Hub.

Amazon Web Services SCS-C02 Premium Access
Questions 92

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group.The security engineer drafts the following S3 bucket policy:

SCS-C02 Question 92

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3.Which solution meets these requirements?

A)

SCS-C02 Question 92

B)

SCS-C02 Question 92

C)

SCS-C02 Question 92

D)

SCS-C02 Question 92

Options:
A.

Option A

B.

Option B

C.

Option C

D.

Option D

Questions 93

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Options:
A.

Replace the KSK with a zone-signing key (ZSK).

B.

Deactivate and then activate the KSK.

C.

Create a Delegation Signer (DS) record in the parent hosted zone.

D.

Create a Delegation Signer (DS) record in the subdomain.

Questions 94

A company runs workloads on Amazon EC2 instances. The company needs to continually scan the EC2 instances for software vulnerabilities and unintended network exposure.

Which solution will meet these requirements?

Options:
A.

Use Amazon Inspector. Set the scan mode to hybrid scanning.

B.

Use Amazon GuardDuty. Enable the Malware Protection feature.

C.

Use Amazon Inspector. Enable the Malware Protection feature.

D.

Use Amazon GuardDuty. Enable the Runtime Monitoring feature.

Questions 95

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.

The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.

Which combination of steps will meet these requirements? (Choose two.)

Options:
A.

Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

B.

Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

C.

Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.

D.

Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.

E.

Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Questions 96

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAMLambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

SCS-C02 Question 96

The centralized S3 bucket policy looks like this:

SCS-C02 Question 96

Why is the Security Engineer unable to access the log files?

Options:
A.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

B.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

C.

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

D.

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Questions 97

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding read:

UnauthorizedAccess: IAMUser/InstanceCredentialExfiltration.

The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:
A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Questions 98

A company is building an application on IAM that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.

What should the security engineer recommend?

Options:
A.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an IAM Lambda function to rotate database credentials. Set up TLS for the connection to the database.

B.

Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in IAM CloudHSM with automatic rotation. Set up TLS for the connection to the database.

C.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in IAM Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

D.

Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys. Set up Amazon RDS encryption using IAM KMS to encrypt the database. Store database credentials in the IAM Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Questions 99

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

Options:
A.

B.

B. A screenshot of a computer code Description automatically generated

C.

A screenshot of a computer code Description automatically generated

D.

A screenshot of a computer code Description automatically generated

Questions 100

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:
A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

Exam Code: SCS-C02
Certification Provider: Amazon Web Services
Exam Name: AWS Certified Security - Specialty
Last Update: Jul 20, 2025
Questions: 417

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam
How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam
How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam
Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)
AIF-C01 - AWS Certified AI Practitioner Exam(AI1-C01)
SOA-C01 - AWS Certified SysOps Administrator - Associate
DVA-C02 - AWS Certified Developer - Associate
SAP-C02 - AWS Certified Solutions Architect - Professional
SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)
DOP-C02 - AWS Certified DevOps Engineer - Professional
SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)
CLF-C02 - AWS Certified Cloud Practitioner
MLA-C01 - AWS Certified Machine Learning Engineer - Associate
Amazon Web Services Free Access
Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.