Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 6

Name: How to Pass SCS-C02 Exams
Brand: Examstrack
SKU: scs-c02
Price: 36.75 USD
Availability: InStock

Questions 51

A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report about common vulnerability identifiers on the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?

Options:

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Amazon Web Services SCS-C02 Premium Access

Cristopher

13-Jun-2025

The 24/7 support team at examstrack.com is exceptional. Their SCS-C02 study materials and real exam questions guarantee success. Highly recommend!

Arata

06-Jul-2025

I can't thank examstrack.com enough for my SCS-C02 success. Their materials are the best you can get.

Julian

12-Jun-2025

The 24/7 support team at examstrack.com is exceptional. They provided swift assistance during my SCS-C02 prep.

Kelvin

16-Jun-2025

examstrack.com's testing engine is a must-try for SCS-C02 prep. It's like the real thing.

Questions 52

A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS accounts, and the companyexpects to add more than 50 AWS accounts during the next 12 months The company will require all existing and future AWS accounts to use Amazon GuardDuty. Eachexisting AWS account has GuardDuty active. The company reviews GuardDuty findings by logging into each AWS account individually.

The company wants a centralized view of the GuardDuty findings for the existing AWS accounts and any future AWS accounts. The company also must ensure that anynew AWS account has GuardDuty automatically turned on.

Which solution will meet these requirements?

Options:

Enable AWS Security Hub in the organization’s management account. Configure GuardDuty within the management account to send all GuardDuty findings toSecurity Hub.

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account forGuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option toautomatically add new AWS accounts to the organization.

Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for SecurityHub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findingsto the organization's GuardDuty account.

Questions 53

Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

Please select:

Options:

Use the application to rotate the keys in every 2 months via the SDK

Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

Delete the user associated with the keys after every 2 months. Then recreate the user again.

Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

Questions 54

A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.

Which solutions will provide the Lambda function this access? (Select TWO.)

Options:

Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the ac-cess key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.

Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Man-ager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.

Create an IAM role for the Lambda function. Attach an IAM policy that al-lows access to the S3 bucket.

Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the princi-pal.

Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the se-curity group ID.

Questions 55

A company runs workloads on Amazon EC2 instances. The company needs to continually monitor the EC2 instances for software vulnerabilities and must display the findings in AWS Security Hub. The company must not install agents on the EC2 instances.

Options:

Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub.

Use Security Hub to enable the AWS Foundational Security Best Practices standard.Wait for Security Hub to generate the findings.

Enable Amazon GuardDuty. Initiate on-demand malware scans by using GuardDuty Malware Protection. Enable the integration for GuardDuty in Security Hub.

Use AWS Config managed rules to detect EC2 software vulnerabilities. Ensure that Security Hub has the AWS Config integration enabled.

Questions 56

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution

Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

Options:

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

Create an origin access identity (OAI) for the S3 origin

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Questions 57

A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.

A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.

Which solution will meet these requirements?

Options:

Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.

Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.

Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.

Questions 58

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the Security Engineer do to meet these requirements?

Options:

Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Questions 59

A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC

A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.

What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

Options:

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Auroradatabase's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Questions 60

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon

EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Options:

A customer managed CMK that uses customer provided key material

A customer managed CMK that uses AWS provided key material

An AWS managed CMK

Operation system-native encryption that uses GnuPG

Answer:

Explanation:

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/import-key-material.html

aws kms import-key-material \

--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \

--encrypted-key-material fileb://EncryptedKeyMaterial.bin \

--import-token fileb://ImportToken.bin \

--expiration-model KEY_MATERIAL_EXPIRES \

--valid-to 2021-09-21T19:00:00Z

The correct answer is A. A customer managed CMK that uses customer provided key material.

A customer managed CMK is a KMS key that you create, own, and manage in your AWS account. You have full control over the key configuration, permissions, rotation, and deletion.You can use a customer managed CMK to encrypt and decrypt data in AWS services that are integrated with AWS KMS, such as Amazon EBS1.

A customer managed CMK can use either AWS provided key material or customer provided key material. AWS provided key material is generated by AWS KMS and never leaves the service unencrypted. Customer provided key material is generated outside of AWS KMS and imported into a customer managed CMK.You can specify an expiration date for the imported key material, after which the CMK becomes unusable until you reimport new key material2.

To meet the criteria of automatically expiring the key material in 90 days, you need to use customer provided key material and set the expiration date accordingly. This way, you can ensure that the data encrypted with the CMK will not be accessible after 90 days unless you reimport new key material and re-encrypt the data.

The other options are incorrect for the following reasons:

B. A customer managed CMK that uses AWS provided key material does not expire automatically. You can enable automatic rotation of the key material every year, but this does not prevent access to the data encrypted with the previous key material.You would need to manually delete the CMK and its backing key material to make the data inaccessible3.

C. An AWS managed CMK is a KMS key that is created, owned, and managed by an AWS service on your behalf. You have limited control over the key configuration, permissions, rotation, and deletion. You cannot use an AWS managed CMK to encrypt data in other AWS services or applications.You also cannot set an expiration date for the key material of an AWS managed CMK4.

D. Operation system-native encryption that uses GnuPG is not a solution that uses AWS KMS. GnuPG is a command line tool that implements the OpenPGP standard for encrypting and signing data. It does not integrate with Amazon EBS or other AWS services.It also does not provide a way toautomatically expire the key material used for encryption5.

[References:, 1:Customer Managed Keys - AWS Key Management Service2: [Importing Key Material inAWS Key Management Service (AWS KMS) - AWS Key Management Service]3: [Rotating Customer Master Keys - AWS Key Management Service]4: [AWS Managed Keys - AWS Key Management Service]5:The GNU Privacy Guard, , , , , ]

Exam Code: SCS-C02

Certification Provider: Amazon Web Services

Exam Name: AWS Certified Security - Specialty

Last Update: Jul 13, 2025

Questions: 417

How to Pass SCS-C02 Exams

PDF + Testing Engine
~~$164.99~~ $57.75 Add to Cart

Testing Engine
~~$124.99~~ $43.75 Add to Cart

PDF (Q&A)
~~$104.99~~ $36.75 Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam

How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam

How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam

SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

MLA-C01 - AWS Certified Machine Learning Engineer - Associate

CLF-C02 - AWS Certified Cloud Practitioner

SAP-C02 - AWS Certified Solutions Architect - Professional

AIF-C01 - AWS Certified AI Practitioner Exam(AI1-C01)

DOP-C02 - AWS Certified DevOps Engineer - Professional

SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

DVA-C02 - AWS Certified Developer - Associate

Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)

SOA-C01 - AWS Certified SysOps Administrator - Associate

Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.

Weekend Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

Navigation:

examstrack logo

Hot Vendors:

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 6

How to Pass SCS-C02 Exams

Amazon Web Services Related Exams

Amazon Web Services Free Exams