Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Amazon
  3. SCS-C02

Amazon AWS Certified Security - Specialty (Replaced with SCS-C03) SCS-C02 Exam Questions in PDF

Free Amazon SCS-C02 Dumps Questions (page: 5)

SCS-C02 PDF — 308 Questions

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35 days ago.
A security engineer must implement a continuous monitoring solution that automatically notifies the company's security team about compromised instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

  1. Enable AWS Security Hub in the AWS account.
  2. Enable Amazon GuardDuty in the AWS account.
  3. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.
  4. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.
  5. Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
  6. Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Answer(s): B,C,E



A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:
What should be done to enable the user to assume the appropriate role in the target account?

  1. Update the IAM policy attached to the role in the identity account to be:
  2. Update the trust policy on the role in the target account to be:
  3. Update the trust policy on the role in the identity account to be:
  4. Update the IAM policy attached to the role in the target account to be:

Answer(s): B



A company is using AWS Organizations to manage multiple AWS accounts for its human resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.
The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software development AWS account.
Which solution will meet these requirements?

  1. In the software development account, create AMIs of preconfigured instances that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFormation template to launch EC2 instances in the software development account.
  2. Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.
  3. Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.
  4. In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

Answer(s): C



A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior.
Which solution will meet these requirements?

  1. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
  2. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
  3. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
  4. Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.

Answer(s): C



A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?

  1. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run an assessment with the CVE rules.
  2. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
  3. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.
  4. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.

Answer(s): B



A company's security engineer has been tasked with restricting a contractor's IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the security engineer do to meet these requirements?

  1. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
  2. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
  3. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
  4. Create a IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Answer(s): B



A company manages multiple AWS accounts using AWS Organizations. The company’s security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?

  1. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.
  2. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
  3. Edit the existing trail in the Organizations management account and apply it to the organization.
  4. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.

Answer(s): C



A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time.
Which solution will meet these requirements?

  1. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
  2. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
  3. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
  4. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Answer(s): C



Viewing page 5 of 39

Share your comments for Amazon SCS-C02 exam with other users:

R
Ronke
8/18/2023 10:39:00 AM

this is simple but tiugh as well

Anonymous
C
CesarPA
7/12/2023 10:36:00 PM

questão 4, segundo meu compilador local e o site https://www.jdoodle.com/online-java-compiler/, a resposta correta é "c" !

UNITED STATES
J
Jeya
9/13/2023 7:50:00 AM

its very useful

INDIA
T
Tracy
10/24/2023 6:28:00 AM

i mastered my skills and aced the comptia 220-1102 exam with a score of 920/1000. i give the credit to for my success.

Anonymous
J
James
8/17/2023 4:33:00 PM

real questions

UNITED STATES
A
Aderonke
10/23/2023 1:07:00 PM

very helpful assessments

UNITED KINGDOM
S
Simmi
8/24/2023 7:25:00 AM

hi there, i would like to get dumps for this exam

AUSTRALIA
J
johnson
10/24/2023 5:47:00 AM

i studied for the microsoft azure az-204 exam through it has 100% real questions available for practice along with various mock tests. i scored 900/1000.

GERMANY
M
Manas
9/9/2023 1:48:00 AM

please upload 1z0-1072-23 exam dups

UNITED STATES
S
SB
9/12/2023 5:15:00 AM

i was hoping if you could please share the pdf as i’m currently preparing to give the exam.

Anonymous
J
Jagjit
8/26/2023 5:01:00 PM

i am looking for oracle 1z0-116 exam

UNITED STATES
S
S Mallik
11/27/2023 12:32:00 AM

where we can get the answer to the questions

Anonymous
P
PiPi Li
12/12/2023 8:32:00 PM

nice questions

NETHERLANDS
D
Dan
8/10/2023 4:19:00 PM

question 129 is completely wrong.

UNITED STATES
G
gayathiri
7/6/2023 12:10:00 AM

i need dump

UNITED STATES
D
Deb
8/15/2023 8:28:00 PM

love the site.

UNITED STATES
M
Michelle
6/23/2023 4:08:00 AM

can you please upload it back?

Anonymous
A
Ajay
10/3/2023 12:17:00 PM

could you please re-upload this exam? thanks a lot!

Anonymous
H
him
9/30/2023 2:38:00 AM

great about shared quiz

Anonymous
S
San
11/14/2023 12:46:00 AM

goood helping

Anonymous
W
Wang
6/9/2022 10:05:00 PM

pay attention to questions. they are very tricky. i waould say about 80 to 85% of the questions are in this exam dump.

UNITED STATES
M
Mary
5/16/2023 4:50:00 AM

wish you would allow more free questions

Anonymous
T
thomas
9/12/2023 4:28:00 AM

great simulation

Anonymous
S
Sandhya
12/9/2023 12:57:00 AM

very g inood

Anonymous
A
Agathenta
12/16/2023 1:36:00 PM

q35 should be a

Anonymous
M
MD. SAIFUL ISLAM
6/22/2023 5:21:00 AM

sap c_ts450_2021

Anonymous
S
Satya
7/24/2023 3:18:00 AM

nice questions

UNITED STATES
S
sk
5/13/2023 2:10:00 AM

ecellent materil for unserstanding

INDIA
G
Gerard
6/29/2023 11:14:00 AM

good so far

Anonymous
L
Limbo
10/9/2023 3:08:00 AM

this is way too informative

BOTSWANA
T
Tejasree
8/26/2023 1:46:00 AM

very helpfull

UNITED STATES
Y
Yolostar Again
10/12/2023 3:02:00 PM

q.189 - answers are incorrect.

Anonymous
S
Shikha Bakra
9/10/2023 5:16:00 PM

awesome job in getting these questions

AUSTRALIA
K
Kevin
10/20/2023 2:01:00 AM

i cant find aws certified practitioner clf-c01 exam in aws website but i found aws certified practitioner clf-c02 exam. can everyone please verify the difference between the two clf-c01 and clf-c02? thank you

UNITED STATES
AI Tutor 👋 I’m here to help!