SCS-C02 Amazon Web Services AWS Certified Security

AWS Certified Security - Specialty

Last Update 13 hours ago Total Questions : 467

The AWS Certified Security - Specialty content is now fully updated, with all current exam questions added 13 hours ago. Deciding to include SCS-C02 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C02 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C02 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security - Specialty practice test comfortably within the allotted time.

Question # 111

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Question # 112

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group

Which solution will meet this requirement?

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Question # 113

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO )

There is no API operation to retrieve an S3 object in its encrypted form.

Encryption of S3 objects is performed within the secure boundary of the KMS service.

S3 uses KMS to generate a unique data key for each individual object.

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Question # 114

A company uses AWS Organizations to manage an organization that consists of three workload OUs Producbon Development and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs Different SCPs are attached to each workload OU.

The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU the update fails The error message reports insufficient 1AM permissions.

What is the FIRST step that a security engineer should take to troubleshoot this issue?

Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt.

Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Question # 115

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.

The security team is unable to get objects from the S3 bucket

Which factors could cause this issue? (Select THREE.)

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Question # 116

A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability.

Which solution will meet these requirements?

Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.

Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.

Question # 117

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.

Please select:

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

Question # 118

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.

Which of the following solutions would provide the MOST scalable solution?

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Question # 119

A company is using IAM Organizations. The company wants to restrict IAM usage to the eu-west-1 Region for all accounts under an OU that is named "development." The solution must persist restrictions to existing and new IAM accounts under the development OU.

Option A

Option B

Option C

Option D

Question # 120

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume.

A security engineer must recommend a solution to decrypt the EBS volume's encrypted data key. The solution must also attach the volume to the EC2 instance.

Which solution will meet these requirements?

Import new key material into the key. Attach the EBS volume.

Restore the EBS volume from a snapshot that was taken before the deletion of the key material.

Reimport the same key material lhat originally was imported into the key. Attach the EBS volume.

Create a new key. Import new key material. Attach the EBS volume.