New Year Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 6

Questions 51

A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization.

The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization's accounts. The findings must be visible from a single location.

Which solution will meet these requirements?

Options:
A.

Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.

B.

Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.

C.

In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

D.

In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

Amazon Web Services SCS-C02 Premium Access
Questions 52

A company stores sensitive data in AWS Secrets Manager A security engineer needs to design a solution to generate a notification email when anomalous GetSecretValue API calls occur The security engineer has configured an Amazon EventBndge rule for all Secrets Manager events that AWS CloudTrail delivers.

Which solution will meet these requirements?

Options:
A.

Configure CloudTrail as the target of the EventBndge rule Set up an attribute filter on the IncommgBytes attribute and enable anomaly detection Create an Amazon Simple Notification Service (Amazon SNS) topic Configure a CloudTrail alarm that uses the SNS topic to send the notification.

B.

Configure CloudTrail as the target of the EventBndge rule Set up an attribute filter on the IncommgBytes attribute and enable anomaly detection Create an Amazon Simple Queue Service (Amazon SQS) queue Configure a CloudTrail alarm that uses the SQS queue to send the notification.

C.

Configure Amazon CloudWatch Logs as the target of the EventBndge rule Set up a metnc filter on the IncommgBytes metric and enable anomaly detection Create an AmazonSimple Notification Service (Amazon SNS) topic Configure a CloudWatch alarm that uses the SNS topic to send the notification.

D.

Configure Amazon CloudWatch Logs as the target of the EventBndge rule Use CloudWatch Logs Insights query syntax to search for anomalous GetSecretValue API calls Create an Amazon Simple Queue Service (Amazon SQS) queue Configure a CloudWatch alarm that uses the SQS queue to send the notification.

Questions 53

An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.

A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

Options:
A.

Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.

B.

Set the log retention for desired log groups to 7 years.

C.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

D.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.

E.

Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.

F.

Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Questions 54

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.

Which solution meets these requirements with the MOST operational efficiency?

Options:
A.

Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any vio

B.

Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

C.

Configure VPC Flow Logs for the VPC. and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an IAM Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).

D.

Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any

Questions 55

A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.

The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:

• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be cap-tured as part of the process.

Which combination of steps should the security engineer take to meet these re-quirements with the LEAST operational overhead? (Select THREE.)

Options:
A.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

B.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

D.

Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.

E.

Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.

F.

Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Questions 56

A company has an application that processes personally identifiable information (Pll). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company's security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any Pll in plaintext.

Which solutions could a security engineer use to meet these requirements'? (Select TWO )

Options:
A.

Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.

B.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure an SSL listener and TCP passthrough to receive client connections Terminate HTTPS traffic from the NLB on the EC2 instances.

C.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure TCP passthrough to receive client connections Terminate SSL from the NLB on the EC2 instances

D.

Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections Terminate SSL on the existing ALB.

E.

Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances Terminate SSL from the ALB on the EC2 instances.

Questions 57

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

Options:
A.

Integrate the application with Amazon Cognito identity pools. Use the GetId API operation to obtain AWS credentials to make authenticated calls to the S3 API.

B.

Integrate the application with Amazon Cognito identity pools. Use the AssumeRoleWithWebIdentity API operation to obtain AWS credentials to make authenticated calls to the S3 API.

C.

Integrate the application with Amazon Cognito user pools. Use the ID token to obtain AWS credentials to make authenticated calls to the S3 API.

D.

Integrate the application with Amazon Cognito user pools. Use the access token to obtain AWS credentials to make authenticated calls to the S3 API.

Questions 58

An AWS account includes two S3 buckets: bucket1 and bucket2. The bucket2 does not have a policy defined, but bucket1 has the following bucket policy:

SCS-C02 Question 58

In addition, the same account has an IAM User named "alice", with the following IAM policy.

SCS-C02 Question 58

Which buckets can user "alice" access?

Options:
A.

bucket1 only

B.

bucket2 only

C.

Both bucket1 and bucket2

D.

Neither bucket1 nor bucket2

Questions 59

A company's network security policy requires encryption for all data in transit. The company must encrypt data that is sent between Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes.

Options:
A.

Configure Amazon EC2 to enable encryption in the EC2 network interface properties.

B.

Configure Amazon EBS to enable volume encryption with AWS Key Management Service (AWS KMS) for data at rest.

C.

Configure Amazon EBS to enable TLS encryption in the volume configuration properties.

D.

Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM).

Questions 60

A company is using AWS Organizations to manage multiple AWS accounts for its hu-man resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.

The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. Thecompany wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software de-velopment AWS account.

Which solution will meet these requirements?

Options:
A.

In the software development account, create AMIS of preconfigured instanc-es that include only approved software. Include the AMI IDs in the condi-tion section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFor-mation template to launch EC2 instances in the software development ac-count.

B.

Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development account. Specify AWS Systems Man-ager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.

C.

Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved software. Grant the developers permission to portfolio access only the Service Catalog to launch a prod-uct in the software development account.

D.

In the management account, create AMIS of preconfigured instances that in-clude only approved software. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

Exam Code: SCS-C02
Certification Provider: Amazon Web Services
Exam Name: AWS Certified Security - Specialty
Last Update: Dec 14, 2025
Questions: 467

How to Pass SCS-C02 Exams

PDF + Testing Engine
$164.99
$49.5
Add to Cart
Testing Engine
$124.99
$37.5
Add to Cart
PDF (Q&A)
$104.99
$31.5
Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam
How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam
How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam
SOA-C01 - AWS Certified SysOps Administrator - Associate
SOA-C03 - AWS Certified CloudOps Engineer - Associate
MLA-C01 - AWS Certified Machine Learning Engineer-Associate
GDP-C01 - AWS Certified Generative AI Developer - Professional
SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)
SAP-C02 - AWS Certified Solutions Architect - Professional
Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)
SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)
DOP-C02 - AWS Certified DevOps Engineer - Professional
AIF-C01 - AWS Certified AI Practitioner Exam
DVA-C02 - AWS Certified Developer - Associate
Amazon Web Services Free Access
Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.