Big 11.11 Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 9

Questions 81

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's

deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

Options:
A.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Share the portfolio with the OIJ.

B.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormationregistry. Publish the extension. In the OU, create an SCP that allows access to the extension.

C.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach theAWSServiceCatalogEndUserFullAccess managed policy to the role.

D.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormationregistry. Publish the extension. Share the extension with the OU

Amazon Web Services SCS-C02 Premium Access
Questions 82

A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.

Which encryption method will meet these requirements?

Options:
A.

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

B.

Use server-side encryption with customer-provided keys (SSE-C)

C.

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

D.

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Questions 83

A company has an external web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) within a VPC. The web application stores data in an Amazon RDS for MySQL DB instance. The company uses a Linux bastion host to apply schema updates to the database Administrators connect to the bastion host through SSH from their corporate workstations. The following security groups are applied to the infrastructure.

• sgLB associated with the ALB

• sgWeb associated with the EC2 instances

• sgDB associated with the DB instance

• sgBastion associated with the bastion host

Which security group configuration will meet these requirements MOST securely?

Options:
A.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgBastion

• sgBastion Allow port 22 traffic from the corporate IP address range

B.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgLB

• sgBastion Allow port 22 traffic from the VPC IP address range

C.

• sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0

• sgWeb Allow port 80 traffic and port 443 traffic from sgLB

• sgDB Allow port 3306 traffic from sgWeb and sgBastion

• sgBastion Allow port 22 traffic from the VPC IP address range

D.

* sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0

* sgWeb: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0

* sgDB: Allow port 3306 traffic from sgWeb and sgBastion

* sgBastion: Allow port 22 traffic from the corporate IP address range

Questions 84

A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with external accounts.

The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same OU.

Which solution will meet these requirements?

Options:
A.

Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

B.

Edit the existing SCP to add a Condition statement that excludes the marketing team's account.

C.

Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

D.

Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.

Questions 85

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

Options:
A.

Disable termination protection for the EC2 instance if termination protection has not been disabled.

B.

Enable termination protection for the EC2 instance if termination protection has not been enabled.

C.

Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to theEC2 instance.

D.

Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

E.

Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

F.

Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

Questions 86

A company runs a web application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is associated with an AWS WAF web ACL that includes several AWS managed rules in Block mode The ALB and the web ACL are configured to send togs to Amazon S3 Additionally, the web application sends requests to a log group in Amazon CloudWatch Logs.

The web ACL is blocking a specific request to the web application. A security engineer must determine which web ACL rule is blocking the request

Which solution will provide this information?

Options:
A.

Use Amazon Athena to query the ALB logs by the request ID of the blocked request.

B.

Use Amazon Athena to query the web ACL logs by the request ID of the blocked request.

C.

Use CloudWatch Logs Insights to query the application logs by the request ID of the blocked request.

D.

Use CloudWatch Logs Instghts to query the web ACL logs by the request ID of the blocked request.

Questions 87

A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and uses AWS IAM Access Analyzer. A security engineer must automate a response for newly created overly permissive policies to remediate access and notify the security team.

Select THREE:

Options:
A.

Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SNS topic.

B.

Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon SNS topic.

C.

In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

D.

In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

E.

Create an Amazon SQS queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

F.

Create an Amazon SNS topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.

Questions 88

A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing.

The data includes personally identifiable information (Pll). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table.

Which solution will meet this requirement with the MOST operational efficiency?

Options:
A.

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

B.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

C.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

D.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

Questions 89

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host

(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

Options:
A.

In the security group of the EC2 instance, allow inbound ICMP traffic.

B.

In the security group of the EC2 instance, allow outbound ICMP traffic.

C.

In the VPC's NACL, allow inbound ICMP traffic.

D.

In the VPC's NACL, allow outbound ICMP traffic.

Questions 90

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume.

A security engineer must recommend a solution to decrypt the EBS volume's encrypted data key. The solution must also attach the volume to the EC2 instance.

Which solution will meet these requirements?

Options:
A.

Import new key material into the key. Attach the EBS volume.

B.

Restore the EBS volume from a snapshot that was taken before the deletion of the key material.

C.

Reimport the same key material lhat originally was imported into the key. Attach the EBS volume.

D.

Create a new key. Import new key material. Attach the EBS volume.

Exam Code: SCS-C02
Certification Provider: Amazon Web Services
Exam Name: AWS Certified Security - Specialty
Last Update: Nov 15, 2025
Questions: 467

How to Pass SCS-C02 Exams

PDF + Testing Engine
$164.99
$57.75
Add to Cart
Testing Engine
$124.99
$43.75
Add to Cart
PDF (Q&A)
$104.99
$36.75
Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam
How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam
How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam
MLA-C01 - AWS Certified Machine Learning Engineer-Associate
DVA-C02 - AWS Certified Developer - Associate
DOP-C02 - AWS Certified DevOps Engineer - Professional
CLF-C02 - AWS Certified Cloud Practitioner
SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)
AIF-C01 - AWS Certified AI Practitioner Exam
SAP-C02 - AWS Certified Solutions Architect - Professional
SOA-C01 - AWS Certified SysOps Administrator - Associate
SOA-C03 - AWS Certified CloudOps Engineer - Associate
GDP-C01 - AWS Certified Generative AI Developer - Professional
SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)
Amazon Web Services Free Access
Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.