Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 14

Name: How to Pass SCS-C02 Exams
Brand: Examstrack
SKU: scs-c02
Price: 36.75 USD
Availability: InStock

Questions 131

A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.

What should the security engineer do next to meet these requirements?

Options:

Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduleddeletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.

Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion.Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.

Amazon Web Services SCS-C02 Premium Access

Cristopher

26-Oct-2025

The 24/7 support team at examstrack.com is exceptional. Their SCS-C02 study materials and real exam questions guarantee success. Highly recommend!

Arata

22-Oct-2025

I can't thank examstrack.com enough for my SCS-C02 success. Their materials are the best you can get.

Julian

28-Oct-2025

The 24/7 support team at examstrack.com is exceptional. They provided swift assistance during my SCS-C02 prep.

Kelvin

14-Oct-2025

examstrack.com's testing engine is a must-try for SCS-C02 prep. It's like the real thing.

Questions 132

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company’s AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.

Which solution will meet these requirements?

Options:

Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.

Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda functionthat sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.

Questions 133

A security engineer configures VPC Flow Logs and the associated IAM role to log all VPC traffic to a log group in Amazon CloudWatch Logs. After a wait of 10 minutes, no logs are appearing in the log group. The security engineer confirms that traffic is being sent to the VPC.

After additional debugging, the security engineer isolates the problem to the role that is associated with the VPC flow logs.

What could be the reason that the logs are not appearing in CloudWatch Logs?

Options:

The logs:GetLogEvents permission is not granted in the role.

The security engineer does not have permission to assume the role.

The principal vpc-flow-logs.amazonaws.com does not have permission to assume the role.

The role does not have permission to tag a CloudWatch Logs stream.

Questions 134

A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

Options:

Disable network ACLs.

Configure the security appliance's elastic network interface for promiscuous mode.

Disable the Network Source/Destination check on the security appliance's elastic network interface

Place the security appliance in the public subnet with the internet gateway

Answer:

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#eni-basics Source/destination checking "You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls."

The correct answer is C. Disable the Network Source/Destination check on the security appliance’s elastic network interface.

This answer is correct because disabling the Network Source/Destination check allows the virtual security appliance to route traffic that is not addressed to or from itself. By default, this check is enabled on all EC2 instances, and it prevents them from forwarding traffic that does not match their own IP or MAC addresses.However, for a virtual security appliance that acts as a router or a firewall, this check needs to be disabled, otherwise it will drop the traffic that it is supposed to route12.

The other options are incorrect because:

A. Disabling network ACLs is not a solution, because network ACLs are optional layers of security for the subnets in a VPC.They can be used to allow or deny traffic based on IP addresses and ports, but they donot affect the routing behavior of the virtual security appliance3.

B. Configuring the security appliance’s elastic network interface for promiscuous mode is not a solution, because promiscuous mode is a mode for a network interface that causes it to pass all traffic it receives to the CPU, rather than passing only the frames that it is programmed to receive.Promiscuous mode is normally used for packet sniffing or monitoring, but it does not enable the network interface to route traffic4.

D. Placing the security appliance in the public subnet with the internet gateway is not a solution, because it does not address the routing issue of the virtual security appliance.Thesecurity appliance can be placed in either a public or a private subnet, depending on the network design and security requirements, but it still needs to have the Network Source/Destination check disabled to route traffic properly5.

[References:, 1:Enabling or disablingsource/destination checks - Amazon Elastic Compute Cloud2:Virtual security appliance - Wikipedia3: Network ACLs - Amazon Virtual Private Cloud4:Promiscuous mode - Wikipedia5:NAT instances - Amazon Virtual Private Cloud, , , , , ]

Questions 135

A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group

The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an 1AM access key and secret key The 1AM access key and secret key are stored inside the AMI that is specified in the Auto Scaling group's launch configuration The company is concerned that the credentials that are stored in the AMI might also have been exposed

The company must implement a solution that remediates the security concerns without causing downtime for the application The solution must comply with security best practices

Which solution will meet these requirements'?

Options:

Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh

Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentiallycompromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.

Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh

Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

Questions 136

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.

A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.

Which solution should the security engineer recommend?

Options:

Add an aws:MultiFactorAuthPresent condition to therole's permissions policy.

Add an aws:MultiFactorAuthPresent condition to therole's trust policy.

Add an aws:MultiFactorAuthPresent condition to thesession policy.

Add an aws:MultiFactorAuthPresent condition to theS3 bucket policies.

Questions 137

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Questions 138

A company runs a cron job on an Amazon EC2 instance on a predefined schedule The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 instance rote have the necessary configuration for this job.

Which process should the bash script use to encrypt the file?

Options:

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

Questions 139

A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon Cloud-Watch Logs as the destination.

Which additional set of steps should the security engineer take to meet the re-quirements?

Options:

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

Questions 140

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select TWO.)

Options:

Verify thattheS3 bucket policy allows CloudTrail to write objects.

Verify thatthe1AM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.

Verify thattheS3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Exam Code: SCS-C02

Certification Provider: Amazon Web Services

Exam Name: AWS Certified Security - Specialty

Last Update: Nov 15, 2025

Questions: 467

How to Pass SCS-C02 Exams

PDF + Testing Engine
~~$164.99~~ $57.75 Add to Cart

Testing Engine
~~$124.99~~ $43.75 Add to Cart

PDF (Q&A)
~~$104.99~~ $36.75 Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam

How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam

How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam

AIF-C01 - AWS Certified AI Practitioner Exam

SOA-C01 - AWS Certified SysOps Administrator - Associate

CLF-C02 - AWS Certified Cloud Practitioner

DOP-C02 - AWS Certified DevOps Engineer - Professional

SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)

SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

DVA-C02 - AWS Certified Developer - Associate

MLA-C01 - AWS Certified Machine Learning Engineer-Associate

GDP-C01 - AWS Certified Generative AI Developer - Professional

SOA-C03 - AWS Certified CloudOps Engineer - Associate

Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.

Big 11.11 Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

Navigation:

examstrack logo

Hot Vendors:

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 14

How to Pass SCS-C02 Exams

Amazon Web Services Related Exams

Amazon Web Services Free Exams