Download AWS Certified Security - Specialty.SCS-C02.Dump4Pass.2025-06-06.316q.vcex

Vendor: Amazon
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Date: Jun 06, 2025
File Size: 4 MB
Download Exam

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Download
ProfExam Simulator

Purchase
Coupon: TAURUSSIM_20OFF

Discount: 20%

ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator ProfExam Simulator

Demo Questions

Question 1
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:
The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ?>.' actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.
 
Which change must a security engineer implement so that the developers can access Amazon SES?
  1. Add a resource policy that allows each member of the group to access Amazon SES.
  2. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev").
  3. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
  4. Remove Amazon SES from the root SCP.
Correct answer: D
Question 2
A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.
The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account
Which solution will meet these requirements?
  1. Activate Amazon GuardDuty in each production account in a dedicated logging account, aggregate allGuardDuty logs from each production account. Remediate Incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic,
  2. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate allSecurity Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager Configure Systems Manager to also publish notifications to the SNS topic.
  3. Activate Amazon GuardDuty in each production account in a dedicated logging account, aggregate allGuardDuty logs from each production account. Remediate Incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
  4. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate allSecurity Hub findings from each production account. Remediate Incidents by using Amazon EventBridge to Invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.
Correct answer: C
Question 3
A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile applications that are written in Java and Node.js. To meet network segmentation requirements, each of the company's business units deploys applications in Its own dedicated AWS account. Each business unit stores container mages In an Amazon Elastic Container Registry (Amazon ECR) private registry in Its own account.
A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities in operating systems and programming language libraries. The company's audit team must be able to identify potential vulnerabilities that exist in any of the accounts where applications are deployed.
Which solution will meet these requirements?
  1. In each account, update the ECR registry to use Amazon Inspector instead of the default scanningservice. Configure Amazon Inspector to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  2. In each account, configure AWS Config to monitor the configuration of the ECS containers and theECR registry. Configure AWS Config conformance packs for vulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts.
    Provide the audit team with access to AWS Config In the account where the aggregator is configured.
  3. In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registryConfigure Audit Manager to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  4. In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry.Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account Provide access for the audit team to use Security Hub to review the findings.
Correct answer: A
Question 4
An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR). 
The company's security team IS performing an audit of components of the application architecture. The security team Identifies Issues With some container Images that are stored in the container repositories.
The security team wants to address these issues by Implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible In a centralized dashboard. The security team plans to use the dashboard to View these findings along with other security-related findings that they intend to generate in the future There are specific repositories that the security team needs to exclude from the scanning process.
Which solution will meet these requirements?
  1. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to bescanned. Push Amazon Inspector findings to AWS Security Hub.
  2. Use ECR basic scanning of container mages. Create Inclusion rules In Amazon ECR to matchrepositories that need to be scanned Push findings to AWS Security Hub
  3. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to matchrepositories that need to be scanned. Push findings to Amazon Inspector.
  4. Use Amazon Inspector. Create Inclusion rules in Amazon Inspector to match repositories that need tobe scanned. Push Amazon Inspector findings to AWS Config.
Correct answer: A
Question 5
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of Its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user.
Which solution Will meet these requirements?
  1. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3buckets.
  2. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to completethe Vault Lock process. Place objects In the S3 buckets.
  3. Create new S3 buckets with S3 Object Lock enabled in governance mode Place objects in the S3buckets.
  4. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3buckets. Place objects in the S3 buckets.
Correct answer: A
Question 6
A company that uses AWS Organizations is migrating workloads to AWS. The company's application team determines that the workloads will use Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements:
  • All EC2 instances must be launched from approved AWS accounts
  • All DynamoDB tables must be provisioned with a standardized naming convention
  • All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.
Which combination of steps should the application team take to meet these requirements? (Select TWO)
  1. Create CloudFormation templates in an administrator AWS account. Share the stack sets with anapplication AWS account. Restrict the template to be used specifically by the application AWS account.
  2. Create CloudFormation templates in an application AWS account Share the output with anadministrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.
  3. Use permissions boundaries to prevent the application AWS account from provisioning specificresources unless conditions for the internal compliance requirements are met.
  4. Use SCPs to prevent the application AWS account from provisioning specific resources unlessconditions for the Internal compliance requirements are met.
  5. Activate AWS Config managed rules for each service in the application AWS account.
Correct answer: AD
Question 7
A company used a lift-and-shift approach to migrate from its on-premises data centers to the AWS Cloud.
The company migrated on-premises VMS to Amazon EC2 instances. Now the company wants to replace some of components that are running on the EC2 instances with managed AWS services that provide similar functionality.
Initially, the company will transition from load balancer software that runs on EC2 instances to AWS Elastic Load Balancers. A security engineer must ensure that after this transition, all the load balancer logs are centralized and searchable for auditing. The security engineer must also ensure that metrics are generated to show which ciphers are in use.
Which solution will meet these requirements?
  1. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the loggroup. Use the CloudWatch Logs console to search the logs. Create CloudWatch Logs filters on the logs for the required metrics.
  2. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. UseAmazon Athena to search the logs that are in the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the required metrics.
  3. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. UseAmazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
  4. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the loggroup. Use the AWS Management Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
Correct answer: C
Question 8
A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account.
The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy Each EC2 Instance is associated with an Instance profile role that has a policy that explicitly allows the s3 GetObject action and the s3 PutObject action for only the required S3 buckets.
The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. A security engineer must implement a solution to stop this exfiltration of data and to keep the EC2 processing Job functional.
Which solution will meet these requirements?
  1. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of theawsResourceOrglD and awsPrincipalOrglD condition keys match the company's values.
  2. Update the policy on the instance profile role to allow the S3 actions only if the value of theawsResourceOrglD condition key matches the company's value.
  3. Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.
  4. Apply an SCP on the AWS account to allow the S3 actions only if the values of the aws:ResourceOrglDand awsPrincipalOrglD condition keys match the company's values.
Correct answer: D
Question 9
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 Instance.
What should the security engineer do next to resolve the issue?
  1. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail insteadof CloudWatch.
  2. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the customlogs to an S3 bucket that CloudWatch can use to ingest the logs.
  3. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of theCloudWatch agent to collect the custom logs.
  4. Attach the CloudWatchAgentServerPollcy AWS managed policy to the EC2 Instance role.
Correct answer: D
Question 10
A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target Instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 Instances are deployed in subnets of a VPC. A subnet can contain multiple Instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target Instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.
After these changes, the security engineer notices that the SSH connection is still active and usable.
When the security engineer runs a Ping command to the public IP address of the target Instance, the ping command is blocked.
What should the security engineer do to isolate the target instance?
  1. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outboundrule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then Immediately delete these rules.
  2. Remove the port 22 security group rule. Attach an instance role policy that allows AWS SystemsManager Session Manager connections so that the forensics team can access the target instance.
  3. Create a network ACL that is associated with the target instance's subnet Add a rule at the top of theinbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0 000/0.
  4. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inboundtraffic and outbound traffic. Run the document on the target instance.
Correct answer: B
Question 11
A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.
Why was the finding was not created In the Security Hub delegated administrator account?
  1. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
  2. The VPC where the EC2 instance was launched had the DHCP option configured for a customOpenDNS resolver.
  3. The GuardDuty Integration with Security Hub was never activated in the AWS account where thefinding was generated.
  4. Cross-Region aggregation in Security Hub was not configured.
Correct answer: B
CONNECT US
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX FILES

Use ProfExam Simulator to open VCEX files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!