Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 4

Question 31

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible directly from the S3 bucket.

Which solution will meet these requirements?

Options:
A.

Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

B.

Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

C.

Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

D.

Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

Question 32

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

Options:
A.

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

B.

Create an SCP that grants permissions to the top-level account.

C.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

D.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

Question 33

A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Macie generates a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on.

Which solution will meet these requirements with the LEAST operational overhead?

Options:
A.

Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.

B.

Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

C.

Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

D.

Host an application on Amazon EC2 to call the GuardDuty, IAM Access Analyzer, and Macie APIs. Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the desired email addresses to the SNS topic.

Question 34

A company runs workloads on Amazon EC2 instances. The company needs to continually scan the EC2 instances for software vulnerabilities and unintended network exposure.

Which solution will meet these requirements?

Options:
A.

Use Amazon Inspector. Set the scan mode to hybrid scanning.

B.

Use Amazon GuardDuty. Enable the Malware Protection feature.

C.

Use Amazon Inspector. Enable the Malware Protection feature.

D.

Use Amazon GuardDuty. Enable the Runtime Monitoring feature.

Question 35

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

Options:
A.

Enable automatic key rotation annually for the existing customer managed key.

B.

Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.

C.

Import new key material to the existing customer managed key. Manually rotate the key.

D.

Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Question 36

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

[Image: SCS-C02 Question 36]

What should be done to enable the user to assume the appropriate role in the target account?

Options:
A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 37

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).

What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

Options:
A.

Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.

B.

Create an Amazon CloudWatch dashboard. Verify that the EC2MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

C.

Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.

D.

Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.

Question 38

A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition.

The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

Options:
A.

Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONAL_INFORMATION managed data identifier.

B.

Use AWS Glue with the Detect PII transform to identify sensitive data and to mask the sensitive data.

C.

Enable AWS Audit Manager. Create an assessment by using a supported framework.

D.

Enable Amazon GuardDuty S3 Protection. Document any findings that are related to suspicious access of S3 buckets.

E.

Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

F.

Enable AWS Config. Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

Question 39

A security engineer needs to suppress AWS Security Hub findings automatically for resources that have a specific tag attached.

Which solution will meet this requirement?

Options:
A.

Create a Security Hub automation rule. Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

B.

Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.

C.

Send each Security Hub finding to Amazon Detective. Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value.

D.

Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

Question 40

A company has retail stores. The company is designing a solution to store scanned copies of customer receipts on Amazon S3. Files will be between 100 KB and 5 MB in PDF format. Each retail store must have a unique encryption key. Each object must be encrypted with a unique key.

Which solution will meet these requirements?

Options:
A.

Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Use the S3 Put operation to upload the objects to Amazon S3. Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key.

B.

Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store. Use the KMS Encrypt operation to encrypt objects. Then upload the objects to Amazon S3.

C.

Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store. Use the data key and client-side encryption to encrypt the objects. Then upload the objects to Amazon S3.

D.

Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store. Use a customer managed key and the KMS Encrypt operation to encrypt the objects. Then upload the objects to Amazon S3.