New Year Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 7

Questions 61

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Options:
A.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Amazon Web Services SCS-C02 Premium Access
Questions 62

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

Options:
A.

Configure Amazon CloudWatch Logs Insights

B.

Create an Amazon CloudWatch dashboard

C.

Configure AWS Security Hub integrations

D.

Query the findings by using Amazon Athena

Questions 63

An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53

The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers Thedistribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time

Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

Options:
A.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

B.

Send an email message to the domain administrators to request vacation of the domains for ACM

C.

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

D.

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

E.

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

F.

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Questions 64

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.

Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

Options:
A.

Delete the access keys for the account root user in every account.

B.

Create an admin IAM user with administrative privileges and delete the account root user in every account.

C.

Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.

D.

Enable multi-factor authentication (MFA) on every account root user in all accounts.

E.

Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

F.

Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Questions 65

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs.

How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

Options:
A.

Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

B.

Implement a rate-based rule with AWS WAF.

C.

Use AWS Shield to limit the originating traffic hit rate.

D.

Implement the GeoLocation feature in Amazon Route 53.

Questions 66

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

Options:
A.

The ACL in the bucket needs to be updated

B.

The IAM policy does not allow the user to access the bucket

C.

It takes a few minutes for a bucket policy to take effect

D.

The allow permission is being overridden by the deny

Questions 67

A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.

A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.

A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present.

Which solution will meet these requirements?

Options:
A.

Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

B.

Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

C.

Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

D.

Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

Questions 68

Your CTO is very worried about the security of your IAM account. How best can you prevent hackers from completely hijacking your account?

Please select:

Options:
A.

Use short but complex password on the root account and any administrators.

B.

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

C.

Use MFA on all users and accounts, especially on the root account.

D.

Don't write down or remember the root account password after creating the IAM account.

Questions 69

A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling.

The company’s security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security engineer needs to implement private connectivity to AWS services.

Which combination of steps should the security engineer take to meet this requirement? (Select THREE.)

Options:
A.

Use an interface VPC endpoint for Amazon SQS

B.

Configure a connection to Amazon S3 through AWS Transit Gateway.

C.

Use a gateway VPC endpoint for Amazon S3.

D.

Modify the 1AM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.

E.

Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses

F.

Configure a connection to Amazon S3 through AWS Firewall Manager

Questions 70

A development team is creating an open source toolset to manage a company's SaaS application. The company stores the code in a public repository so that anyone can view and download the toolset's code.

The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company's AWS environment.

A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

Options:
A.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.

Deactivate the exposed IAM access key from the user's IAM account.

C.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Exam Code: SCS-C02
Certification Provider: Amazon Web Services
Exam Name: AWS Certified Security - Specialty
Last Update: Dec 14, 2025
Questions: 467

How to Pass SCS-C02 Exams

PDF + Testing Engine
$164.99
$49.5
Add to Cart
Testing Engine
$124.99
$37.5
Add to Cart
PDF (Q&A)
$104.99
$31.5
Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam
How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam
How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam
SAP-C02 - AWS Certified Solutions Architect - Professional
SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)
DOP-C02 - AWS Certified DevOps Engineer - Professional
SOA-C03 - AWS Certified CloudOps Engineer - Associate
AIF-C01 - AWS Certified AI Practitioner Exam
GDP-C01 - AWS Certified Generative AI Developer - Professional
MLA-C01 - AWS Certified Machine Learning Engineer-Associate
Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)
SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)
SOA-C01 - AWS Certified SysOps Administrator - Associate
DVA-C02 - AWS Certified Developer - Associate
Amazon Web Services Free Access
Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.