Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 8

Name: How to Pass SCS-C02 Exams
Brand: Examstrack
SKU: scs-c02
Price: 31.5 USD
Availability: InStock

Questions 71

A company is evaluating its security posture. In the past, the company has observed issues with specific hosts and host header combinations that affected

the company's business. The company has configured AWS WAF web ACLs as an initial step to mitigate these issues.

The company must create a log analysis solution for the AWS WAF web ACLs to monitor problematic activity. The company wants to process all the AWS WAF logs in a central location. The company must have the ability to filter out requests based on specific hosts.

A security engineer starts to enable access logging for the AWS WAF web ACLs.

What should the security engineer do next to meet these requirements with the MOST operational efficiency?

Options:

Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.

Amazon Web Services SCS-C02 Premium Access

Answer:

Explanation:

The correct answer is C. Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

According to the AWS documentation1, AWS WAF offers logging for the traffic that your web ACLs analyze. The logs include information such as the time that AWS WAF received the request from your protected AWS resource, detailed information about the request, and the action setting for the rule that the request matched. You can send yourlogs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose.

To create a log analysis solution for the AWS WAF web ACLs, you can use Amazon Athena, which is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL2. You can use Athena to query and filter the AWS WAF logs by host or any other criteria. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

To use Athena with AWS WAF logs, you need to export the CloudWatch logs to an S3 bucket.You can do this by creating a subscription filter that sends your log events to a Kinesis Data Firehose delivery stream, which then delivers the data to an S3 bucket3.Alternatively, you can use AWS DMS to migrate your CloudWatch logs to S34.

After you have exported your CloudWatch logs to S3, you can create a table in Athena that points to your S3 bucket and use the AWS service log format that matches your log schema5. For example, if you are using format for your AWS WAF logs, you can use the AWSSerDe serde. Then you can run SQL queries on your Athena table and filter the results by host or any other field in your log data.

Therefore, this solution meets the requirements of creating a log analysis solution for the AWS WAF web ACLs with the most operational efficiency. This solution does not require setting up any additional infrastructure or services, and it leverages the existing capabilities of CloudWatch, S3, and Athena.

The other options are incorrect because:

A. Specifying Amazon Redshift as the destination for the access logs is not possible, because AWS WAF does not support sending logs directly to Redshift. You would need to use an intermediate service such as Kinesis Data Firehose or AWS DMS to load the data from CloudWatch or S3 to Redshift.Deploying the Amazon Athena Redshift connector is not necessary, because you can query Redshift data directly from Athena without using a connector6. This solution would also incur additional costs and operational overhead of managing a Redshift cluster.

B. Specifying Amazon CloudWatch as the destination for the access logs is possible, but using Amazon CloudWatch Logs Insights to design a query to filter the logs by host is not efficient or scalable.CloudWatch Logs Insights is a feature that enables you to interactively search and analyze your log data in CloudWatch Logs7.However, CloudWatch Logs Insights has somelimitations, such as a maximum query duration of 20 minutes, a maximum of 20 log groups per query, and a maximum retention period of 24 months8. These limitations may affect your ability to perform complex and long-running analysis on your AWS WAF logs.

D. Specifying Amazon CloudWatch as the destination for the access logs is possible, but using Amazon Redshift Spectrum to query the logs and filter them by host is not efficient or cost-effective.Redshift Spectrum is a feature of Amazon Redshift that enables you to run queries against exabytes of data in S3 without loading or transforming any data9. However, Redshift Spectrum requires a Redshift cluster to process the queries, which adds additional costs and operational overhead.Redshift Spectrum also charges you based on the number ofbytes scanned by each query, which can be expensive if you have large volumes of log data10.

[References:, 1:Logging AWS WAF web ACL traffic - AmazonWeb Services2:What Is Amazon Athena? - Amazon Athena3:Streaming CloudWatch Logs Data to Amazon S3 - Amazon CloudWatch Logs4:Migrate data from CloudWatch Logs using AWS Database Migration Service - AWS Database Migration Service5:Querying AWS service logs - Amazon Athena6:Querying data from Amazon Redshift - Amazon Athena7:Analyzing log data with CloudWatch LogsInsights - Amazon CloudWatch Logs8:CloudWatch Logs Insights quotas - Amazon CloudWatch9:Querying external data using Amazon Redshift Spectrum - Amazon Redshift10:Amazon Redshift Spectrum pricing - Amazon Redshift, , , , , ]

Cristopher

27-Nov-2025

The 24/7 support team at examstrack.com is exceptional. Their SCS-C02 study materials and real exam questions guarantee success. Highly recommend!

Arata

23-Nov-2025

I can't thank examstrack.com enough for my SCS-C02 success. Their materials are the best you can get.

Julian

07-Nov-2025

The 24/7 support team at examstrack.com is exceptional. They provided swift assistance during my SCS-C02 prep.

Kelvin

21-Nov-2025

examstrack.com's testing engine is a must-try for SCS-C02 prep. It's like the real thing.

Questions 72

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

Options:

The target instance's security group does not allow traffic from the NLB.

The target instance's security group is not attached to the NLB.

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NLB.

The target instance's security group is not using IP addresses to allow traffic from the NLB.

The target network ACL is not attached to the NLB.

Questions 73

A company has AWS accounts in an organization in AWS Organizations. The company has enabled Amazon GuardDuty in its production, support, and test accounts. The company runs important workloads in the production account and centrally stores logs in an Amazon S3 bucket in the support account.

A security engineer must implement a solution to elevate security findings for the production account and the S3 bucket. The solution must automatically elevate findings of HIGH severity to CRITICAL severity.

Which solution will meet these requirements?

Options:

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.

Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.

Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.

Questions 74

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1. Region Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at test. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)

Options:

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.

Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.

Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.

Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Questions 75

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.

The security team is unable to get objects from the S3 bucket

Which factors could cause this issue? (Select THREE.)

Options:

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Questions 76

A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS CloudTrail, which issending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS account root user credentials to sign in to theAWS Management Console.

Which solutions will provide this notification? (Select TWO.)

Options:

Use AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by the TrustedAdvisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic sothat these endpoints can receive notification.

Use AWS IAM Access Analyzer. Create an Amazon CloudWatch Logs metric filter to evaluate log entries from Access Analyzer that detect a successful rootaccount login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an AmazonSimple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that t

Configure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by CloudTrail toevaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred Configure theCloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any requir

Configure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function thatparses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should receive notification.Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail.

Configure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login. Configure the rule totarget an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receivenotification.

Questions 77

A company uses Amazon Cognito for external user authentication for a web application. External users report that they can no longer log in to the application. What is the FIRST step that a security engineer should take to troubleshoot the problem?

Options:

Review AWS CloudTrail togs to identify authentication errors that relate to Cognito users.

Use AWS Identity and Access Management Access Analyzer to delete all unused 1AM roles and users

Review any recent changes in Cognito configuration, 1AM policies, and role trust policies to identify issues.

Write a script that uses CLI commands to reset all user passwords in the Cognito user pool.

Questions 78

A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company wants to use AWS services to perform near real-time log analysis. The company also wants to store these logs for 365 days for pattern matching and substring search capabilities later.

Which solution will meet these requirements with the LEAST development overhead?

Options:

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Ufecycle policies to delete the log data after 365 days.

Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search.

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days.

Use Amazon API Gateway and AWS Lambda to write the logs from the on-premises server to Amazon DynamoDB. Configure a Lambda trigger on DynamoDB streams to perform near real-time log analysis. Run Amazon Athena federated queries on DynamoDB data for pattern matching and substring search. Set up TTL to delete data after 365 days.

Questions 79

A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3.

The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly.

The security engineer needs to find a solution that supports cross-account access.

Which solution is the MOST operationally efficient way to manage access control for the customer managed key?

Options:

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Questions 80

A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function.

When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an “error loading Log Streams" message appears.

The IAM policy for the Lambda function's execution role contains the following:

SCS-C02 Question 80

How should the security engineer correct the error?

Options:

Move the logs:CreateLogGroup action to the second Allow statement.

Add the logs:PutDestination action to the second Allow statement.

Add the logs:GetLogEvents action to the second Allow statement.

Add the logs:CreateLogStream action to the second Allow statement.

Exam Code: SCS-C02

Certification Provider: Amazon Web Services

Exam Name: AWS Certified Security - Specialty

Last Update: Dec 14, 2025

Questions: 467

How to Pass SCS-C02 Exams

PDF + Testing Engine
~~$164.99~~ $49.5 Add to Cart

Testing Engine
~~$124.99~~ $37.5 Add to Cart

PDF (Q&A)
~~$104.99~~ $31.5 Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam

How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam

How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam

Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)

SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

SOA-C03 - AWS Certified CloudOps Engineer - Associate

DOP-C02 - AWS Certified DevOps Engineer - Professional

MLA-C01 - AWS Certified Machine Learning Engineer-Associate

DVA-C02 - AWS Certified Developer - Associate

SAP-C02 - AWS Certified Solutions Architect - Professional

CLF-C02 - AWS Certified Cloud Practitioner

SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

SOA-C01 - AWS Certified SysOps Administrator - Associate

GDP-C01 - AWS Certified Generative AI Developer - Professional

Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.

New Year Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Navigation:

examstrack logo

Hot Vendors:

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 8

How to Pass SCS-C02 Exams

Amazon Web Services Related Exams

Amazon Web Services Free Exams