Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 9

Name: How to Pass SCS-C02 Exams
Brand: Examstrack
SKU: scs-c02
Price: 42 USD
Availability: InStock

Questions 81

A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances

There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

Options:

The route tables and the outbound rules on the appropriate private subnet security group

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Amazon Web Services SCS-C02 Premium Access

Cristopher

13-Jun-2025

The 24/7 support team at examstrack.com is exceptional. Their SCS-C02 study materials and real exam questions guarantee success. Highly recommend!

Arata

06-Jul-2025

I can't thank examstrack.com enough for my SCS-C02 success. Their materials are the best you can get.

Julian

12-Jun-2025

The 24/7 support team at examstrack.com is exceptional. They provided swift assistance during my SCS-C02 prep.

Kelvin

16-Jun-2025

examstrack.com's testing engine is a must-try for SCS-C02 prep. It's like the real thing.

Questions 82

A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

Options:

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Questions 83

A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.

Which combination of steps must the company perform to meet this requirement? (Select TWO.)

Options:

Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

Establish a trust relationship between the IAM user and the AWS account that contains the resources.

Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.

Questions 84

A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon Cloud-Watch Logs as the destination.

Which additional set of steps should the security engineer take to meet the re-quirements?

Options:

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

Questions 85

An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.

How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

Options:

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Questions 86

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an

Impact lAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this secunty incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

Log in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Questions 87

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)

Options:

Stop the instance. Detach the root volume. Generate a new key pair.

Keep the instance running. Detach the root volume. Generate a new key pair.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

Questions 88

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions.

What is the SIMPLEST way to meet these requirements?

Options:

Enable AWS Trusted Advisor security checks in the AWS Console, tsnd report all security incidents for all regions.

Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Questions 89

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tables

The application must

• Include migration to a different IAM Region in the application disaster recovery plan.

• Provide a full audit trail of encryption key administration events

• Allow only company administrators to administer keys.

• Protect data at rest using application layer encryption

A Security Engineer is evaluating options for encryption key management

Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

Options:

The key administration event logging generated by CloudHSM is significantly moreextensive than IAM KMS.

CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys

The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS

CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

Questions 90

A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?

Options:

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

Exam Code: SCS-C02

Certification Provider: Amazon Web Services

Exam Name: AWS Certified Security - Specialty

Last Update: Jul 15, 2025

Questions: 417

How to Pass SCS-C02 Exams

PDF + Testing Engine
~~$164.99~~ $66 Add to Cart

Testing Engine
~~$124.99~~ $50 Add to Cart

PDF (Q&A)
~~$104.99~~ $42 Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services MLS-C01 - AWS Certified Machine Learning - Specialty Exam

How to pass Amazon Web Services AXS-C01 - AWS Certified Alexa Skill Builder-Specialty Exam

How to pass Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty Exam

CLF-C02 - AWS Certified Cloud Practitioner

DVA-C02 - AWS Certified Developer - Associate

SOA-C01 - AWS Certified SysOps Administrator - Associate

SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

SAP-C02 - AWS Certified Solutions Architect - Professional

SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)

DOP-C02 - AWS Certified DevOps Engineer - Professional

MLA-C01 - AWS Certified Machine Learning Engineer - Associate

AIF-C01 - AWS Certified AI Practitioner Exam(AI1-C01)

Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.

Summer Special 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bestdeal

Navigation:

examstrack logo

Hot Vendors:

Free Amazon Web Services SCS-C02 Practice Exam with Questions & Answers | Set: 9

How to Pass SCS-C02 Exams

Amazon Web Services Related Exams

Amazon Web Services Free Exams