Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Amazon
  3. SCS-C02

Amazon AWS Certified Security - Specialty (Replaced with SCS-C03) SCS-C02 Exam Questions in PDF

Free Amazon SCS-C02 Dumps Questions (page: 2)

SCS-C02 PDF — 308 Questions

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?

  1. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
  2. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
  3. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
  4. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Answer(s): B



Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?

  1. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
  2. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account
  3. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
  4. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Answer(s): C



A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?

  1. Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.
  2. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.
  3. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.
  4. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.

Answer(s): C



An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.
A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

  1. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
  2. Set the log retention for desired log groups to 7 years.
  3. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
  4. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
  5. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
  6. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Answer(s): A,B,C



A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows:
Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Choose two.)

  1. "Bool": {"aws:MultiFactorAuthPresent": "true"}
  2. "Bool": {"aws:MultiFactorAuthPresent": "false"}
  3. "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"}
  4. "NumericGreaterThan": {"aws:MultiFactorAuthAge": "7200"}
  5. "NumericLessThan": {"MaxSessionDuration": "7200"}

Answer(s): A,C



A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.
The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account.
Which solution will meet these requirements?

  1. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
  2. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
  3. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
  4. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Answer(s): C



A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  2. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  3. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  4. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Answer(s): C



A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.
Which solution meets these requirements?

  1. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
  2. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
  3. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of application data.
  4. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

Answer(s): A



Viewing page 2 of 39

Share your comments for Amazon SCS-C02 exam with other users:

T
Tamer Barakat
12/7/2023 5:17:00 PM

nice questions

Anonymous
D
Daryl
8/1/2022 11:33:00 PM

i really like the support team in this website. they are fast in communication and very helpful.

UNITED KINGDOM
C
Curtis Nakawaki
6/29/2023 9:13:00 PM

a good contemporary exam review

UNITED STATES
X
x-men
5/23/2023 1:02:00 AM

q23, its an array, isnt it? starts with [ and end with ]. its an array of objects, not object.

UNITED STATES
A
abuti
7/21/2023 6:24:00 PM

cool very helpfull

Anonymous
K
Krishneel
3/17/2023 10:34:00 AM

i just passed. this exam dumps is the same one from prepaway and examcollection. it has all the real test questions.

INDIA
R
Regor
12/4/2023 2:01:00 PM

is this a valid prince2 practitioner dumps?

UNITED KINGDOM
A
asl
9/14/2023 3:59:00 PM

all are relatable questions

CANADA
S
Siyya
1/19/2024 8:30:00 PM

might help me to prepare for the exam

Anonymous
T
Ted
6/21/2023 11:11:00 PM

just paid and downlaod the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.

GERMANY
P
Paul K
11/27/2023 2:28:00 AM

i think it should be a,c. option d goes against the principle of building anything custom unless there are no work arounds available

INDIA
P
ph
6/16/2023 12:41:00 AM

very legible

Anonymous
S
sephs2001
7/31/2023 10:42:00 PM

is this exam accurate or helpful?

Anonymous
A
ash
7/11/2023 3:00:00 AM

please upload dump, i have exam in 2 days

INDIA
S
Sneha
8/17/2023 6:29:00 PM

this is useful

CANADA
S
sachin
12/27/2023 2:45:00 PM

question 232 answer should be perimeter not netowrk layer. wrong answer selected

Anonymous
T
tomAws
7/18/2023 5:05:00 AM

nice questions

BRAZIL
R
Rahul
6/11/2023 2:07:00 AM

hi team, could you please provide this dump ?

INDIA
T
TeamOraTech
12/5/2023 9:49:00 AM

very helpful to clear the exam and understand the concept.

Anonymous
C
Curtis
7/12/2023 8:20:00 PM

i think it is great that you are helping people when they need it. thanks.

UNITED STATES
S
sam
7/17/2023 6:22:00 PM

cannot evaluate yet

Anonymous
N
nutz
7/20/2023 1:54:00 AM

a laptops wireless antenna is most likely located in the bezel of the lid

UNITED STATES
R
rajesh soni
1/17/2024 6:53:00 AM

good examplae to learn basic

INDIA
T
Tanya
10/25/2023 7:07:00 AM

this is useful information

Anonymous
N
Nasir Mahmood
12/11/2023 7:32:00 AM

looks usefull

Anonymous
J
Jason
9/30/2023 1:07:00 PM

question 81 should be c.

CANADA
T
TestPD1
8/10/2023 12:22:00 PM

question 18 : response isnt a ?

EUROPEAN UNION
A
ally
8/19/2023 5:31:00 PM

plaese add questions

TURKEY
D
DIA
10/7/2023 5:59:00 AM

is dumps still valid ?

FRANCE
A
Annie
7/7/2023 8:33:00 AM

thanks for this

EUROPEAN UNION
A
arnie
9/17/2023 6:38:00 AM

please upload questions

Anonymous
T
Tanuj Rana
7/22/2023 2:33:00 AM

please upload the question dump for professional machinelearning

Anonymous
F
Future practitioner
8/10/2023 1:26:00 PM

question 4 answer is c. this site shows the correct answer as b. "adopt a consumption model" is clearly a cost optimization design principle. looks like im done using this site to study!!!

Anonymous
A
Ace
8/3/2023 10:37:00 AM

number 52 answer is d

UNITED STATES
AI Tutor 👋 I’m here to help!