SCS-C02 Amazon Web Services AWS Certified Security

AWS Certified Security - Specialty

Last Update 13 hours ago Total Questions : 467

The AWS Certified Security - Specialty content is now fully updated, with all current exam questions added 13 hours ago. Deciding to include SCS-C02 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C02 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C02 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security - Specialty practice test comfortably within the allotted time.

Question # 121

A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.

What should the security engineer recommend?

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Question # 122

A company has a requirement that none of its Amazon RDS resources can be publicly accessible. A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Configure RDS event notifications on each RDS resource Target an AWS Lambda function that notifies AWS Config of a change to the RDS public access setting.

Configure the rds-mstance-public-access-check AWS Config managed rule to monitor the RDS resources.

Configure the Amazon EventBridge rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.

Configure RDS event notifications to post events to an Amazon Simple Queue Service (Amazon SQS) queue Subscribe the SQS queue to an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.

Configure an Amazon EventBridge rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.

Configure an Amazon EventBridge rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.

Question # 123

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption witha client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented

Which statement should the security specialist include in the policy?

E. Option A

Option B

Option C

Question # 124

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company'ssecurity team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account

How should the security learn securely store the API key?

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Question # 125

A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company's member accounts in AWS Organizations within the ap-east-1 Region. The company's organization includes a management account, a security account, and many member accounts. When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account.

Which solution uses AWS security best practices and meets these requirements with the LEAST effort?

Activate Amazon GuardDuty in ap-east-1. Designate the secunty account as the GuardDuty delegated administrator by using the console.

Activate Amazon GuardDuty in ap-east-1 with trusted access toAWS Organizations Designate the management account as the GuardDuty organization administrator.

Activate AWS Security Hub in ap-east-1 Designate the management account as the Security Hub delegated administrator by using the console.

Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations Designate the security account as the organization administrator.

Question # 126

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket.

The administrators need to give a user from Account A full access to the S3 bucket in Account B.

After the administrators adjust the IAM permissions for the user in AccountA to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.

Which solution will resolve this issue?

In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Question # 127

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)

Stop the instance. Detach the root volume. Generate a new key pair.

Keep the instance running. Detach the root volume. Generate a new key pair.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

Question # 128

A consultant agency needs to perform a security audit for a company's production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account.

The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

Create an 1AM group. Create an 1AM user for each consultant. Add each user to the group. Turn on MFAfor each consultant.

Configure Amazon Cognito on the company's production account to authenticate against the consultant agency's identity provider (IdP). Add MFAto a Cognito user pool.

Create an 1AM role in the consultant agency's AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company's production account as the principal. Attach the trust policy to the role.

Create an 1AM role in the company's production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency's AWS account as the principal. Attach the trust policy to the role.

Question # 129

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.

Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.

Which solution meets these requirements?

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Question # 130

A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help

Mitigate this risk in the future.

What are some ways the engineer could achieve this (Select THREE)?

Use IAM X-Ray to inspect the trafﬁc going to the EC2 instances.

Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

Change the security group conﬁguration to block the source of the attack trafﬁc

Use IAM WAF security rules to inspect the inbound trafﬁc.

Use Amazon Inspector assessment templates to inspect the inbound traffic.

Use Amazon Route 53 to distribute trafﬁc.