Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > Amazon > Amazon Certifications > SCS-C02 > SCS-C02 Online Practice Questions and Answers

SCS-C02 Online Practice Questions and Answers

Questions 4

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?

A. Check inbound and outbound security groups, looking for DENY rules.

B. Check inbound and outbound Network ACL rules, looking for DENY rules.

C. Review the rejected packet reason codes in the VPC Flow Logs.

D. Use IAM X-Ray to trace the end-to-end application flow

Buy Now

Correct Answer: B

Questions 5

An organization policy states that all encryption keys must be automatically rotated every 12 months.

Which IAM Key Management Service (KMS) key type should be used to meet this requirement?

A. IAM managed Customer Master Key (CMK)

B. Customer managed CMK with IAM generated key material

C. Customer managed CMK with imported key material

D. IAM managed data key

Buy Now

Correct Answer: B

Questions 6

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)

A. Detach the elastic network interface from the EC2 instance.

B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C. Disable any Amazon Route 53 health checks associated with the EC2 instance.

D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F. Add a rule to an IAM WAF to block access to the EC2 instance.

Buy Now

Correct Answer: BDE

https://d1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf

Questions 7

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

B. Configure a scheduled job that updates the credential in IAM Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

C. Configure automatic rotation of credentials in IAM Secrets Manager.

D. Store the credential in an encrypted string parameter in IAM Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the IAM KMS key that is used to encrypt it.

E. Configure the Java application to catch a connection failure and make a call to IAM Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Buy Now

Correct Answer: CE

Questions 8

A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.

Which IAM Services, together, can satisfy this use case? (Select two.)

A. Amazon Elasticsearch

B. Amazon Kinesis

C. Amazon SQS

D. Amazon CloudWatch

E. Amazon Athena

Buy Now

Correct Answer: AB

https://docs.aws.amazon.com/whitepapers/latest/IAM-overview/analytics.html#amazon- athena

Questions 9

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.

What steps are necessary to identify the cause of this phenomenon? (Choose two.)

A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

B. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

E. Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Buy Now

Correct Answer: AB

https://acloud.guru/forums/IAM-certified-security-specialty/discussion/- Lm5A3w6_NybQPhh6tRP/Cloudwatch%20Log%20question

Questions 10

A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below

A. Enable versioning on the S3 bucket

B. Enable data at rest for the objects in the bucket

C. Enable MFA Delete in the bucket policy

D. Enable data in transit for the objects in the bucket

Buy Now

Correct Answer: AC

One of the IAM Security blogs mentions the followinj Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request. You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your IAM accounts access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket. Option B is invalid because enabling encryption does not guarantee risk of data deletion. Option D is invalid because this option does not guarantee risk of data deletion. For more information on IAM S3 versioning and MFA please refer to the below URL: https://IAM.amazon.com/blogs/security/securing-access-to-IAM-using-mfa-part-3/ The correct answers are: Enable versioning on the S3 bucket Enable MFA Delete in the bucket policy Submit your Feedback/Queries to our Experts

Questions 11

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account

Which configuration caused this issue?

A. Option A

B. Option B

C. Option C

D. Option D

Buy Now

Correct Answer: B

Questions 12

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.

The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by re-source.

B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detec-tion history. Set the time frame to Last 30 days. In the search area, choose the service category.

C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Parti-tion the table by event source.

D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage- based framework to the assessment. Configure the assessment to as-sess by resource.

Buy Now

Correct Answer: C

Questions 13

A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised the account is still protected.

Which solution will meet this requirement?

A. Block service access by using SCPs for the root user

B. Remove the password for the root user

C. Delete access keys for the root user

D. Create an Amazon EventBridge rule to detect any AWS account root user API events

Buy Now

Correct Answer: A

Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty (SCS-C02)
Last Update: Mar 27, 2025
Questions: 816

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2025 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.