1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Topic 1 - Exam A

Question #1 Topic 1

A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to

an Amazon S3 bucket in the same AWS account.

Which solutions will provide the Lambda function this access? (Choose two.)

A. Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function

with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during

communication with Amazon S3.

B. Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the Lambda function to retrieve the private key

from Secrets Manager and to use the private key during communication with Amazon S3.

C. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket. Most Voted

D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the

principal. Most Voted

E. Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket

through the security group ID.

Correct Answer: CD

Community vote distribution

CD (100%)

Question #2 Topic 1

A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the

website by requiring users to connect to example.com through HTTPS.

Which of the following is a valid option for storing SSL/TLS certificates?

A. Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)

B. Default SSL certificate that is stored in Amazon CloudFront

C. Custom SSL certificate that is stored in AWS Certificate Manager (ACM) Most Voted

D. Default SSL certificate that is stored in Amazon S3

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 1/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #3 Topic 1

A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All

the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2

instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.

The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.

A compromised EC2 instance's metadata must be updated with corresponding incident ticket information.

A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

Any investigative activity during the collection of volatile data must be captured as part of the process.

Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Choose three.)

A. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the

instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister

the instance from any Elastic Load Balancing (ELB) resources. Most Voted

B. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet

that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto

Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

C. Use Systems Manager Run Command to invoke scripts that collect volatile data. Most Voted

D. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect

volatile data.

E. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant

metadata and incident ticket information. Most Voted

F. Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the

instance with any relevant metadata and incident ticket information.

Correct Answer: ACE

Community vote distribution

ACE (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 2/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #4 Topic 1

A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy

various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers,

Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS)

clusters.

Currently, the company’s developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD

pipeline in a shared services AWS account deploys each CloudFormation stack.

The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources

that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must

implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.

Which solution will meet these requirements in the MOST operationally efficient way?

A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create

a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates

before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.

B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create

custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image

to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any

issues are found. Most Voted

C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe

the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event

notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation

templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use

CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a

notification to the SNS topic if any issues are found.

D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS

account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the

CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation

stack to the repository for the developers to use.

Correct Answer: B

Community vote distribution

B (68%) A (32%)

Question #5 Topic 1

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the

database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data

that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Choose two.)

A. AWS Site-to-Site VPN Most Voted

B. AWS Direct Connect Most Voted

C. AWS VPN CloudHub

D. VPC peering

E. NAT gateway

Correct Answer: AB

Community vote distribution

AB (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 3/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #6 Topic 1

A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the

company's data protection policy.

The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again

at midnight on the 25th day of the month. The company must retain the backups for 3 months.

Which combination of steps should a security engineer take to meet these requirements? (Choose two.)

A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.

B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.

C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months. Most Voted

D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan. Most Voted

E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.

Correct Answer: CD

Community vote distribution

CD (88%) 13%

Question #7 Topic 1

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should

not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer

has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled.

Which additional steps should the security engineer take to complete the task?

A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS

accounts and link to the IAM roles in accordance with the employees’ job functions and access requirements. Instruct employees to access

AWS accounts by using the AWS Directory Service user portal.

B. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign

groups to AWS accounts and link to permission sets in accordance with the employees’ job functions and access requirements. Instruct

employees to access AWS accounts by using the IAM Identity Center user portal. Most Voted

C. Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Link IAM

Identity Center groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by

using the IAM Identity Center user portal.

D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS

accounts. Enable AWS Management Console access in the created directory and specify IAM Identity Center as a source of information for

integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 4/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #8 Topic 1

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start

with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement

a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.

Which solution will meet these requirements?

A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for

Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to

the network ACL to block traffic to and from the suspicious instance.

B. Configure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda

function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to

block traffic to and from the suspicious instance.

C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process

the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious

instance. Most Voted

D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub.

Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does

not allow any connections.

Correct Answer: C

Community vote distribution

C (72%) D (28%)

Question #9 Topic 1

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has

detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this

security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were

used. Use the IAM console to add a DenyAll policy to the IAM principal.

B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding.

Use Amazon Detective to review the API calls in context. Most Voted

C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were

used. Use the IAM console to add a DenyAll policy to the IAM principal.

D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding.

Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 5/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #10 Topic 1

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named

Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3

bucket in Account B.

After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access

any files in the S3 bucket.

Which solution will resolve this issue?

A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.

C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B. Most Voted

D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Correct Answer: C

Community vote distribution

C (100%)

Question #11 Topic 1

A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture

that supports this functionality.

Which solution will meet the requirement?

A. Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS)

topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.

B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge

rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.

C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS)

topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages. Most Voted

D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as

the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the

message.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 6/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #12 Topic 1

An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain

the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload

consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application

logs for 7 years.

A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also

must keep the logs for only the required period of 7 years.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a

CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs. Most Voted

B. Set the log retention for desired log groups to 7 years. Most Voted

C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the

necessary permissions to forward logs to Amazon CloudWatch Logs. Most Voted

D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the

necessary permissions to forward logs to Amazon S3.

E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log

forwarding application to periodically bundle the logs and forward the logs to Amazon S3.

F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Correct Answer: ABC

Community vote distribution

ABC (75%) ACF (25%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 7/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #13 Topic 1

A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM

users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM

policy is as follows:

Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Choose two.)

A. "Bool": {"aws:MultiFactorAuthPresent": "true"} Most Voted

B. "Bool": {"aws:MultiFactorAuthPresent": "false"}

C. "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"} Most Voted

D. "NumericGreaterThan": {"aws:MultiFactorAuthAge": "7200"}

E. "NumericLessThan": {"MaxSessionDuration": "7200"}

Correct Answer: AC

Community vote distribution

AC (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 8/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #14 Topic 1

A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution

that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.

The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon

Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security

incident logs to a dedicated account.

Which solution will meet these requirements?

A. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each

production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda

function to also publish notifications to the SNS topic.

B. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each

production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish

notifications to the SNS topic.

C. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each

production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty

findings. Configure the Lambda function to also publish notifications to the SNS topic. Most Voted

D. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each

production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub

findings. Configure the Lambda function to also publish notifications to the SNS topic.

Correct Answer: C

Community vote distribution

C (86%) 14%

Question #15 Topic 1

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity

Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so

that each AWS account allows access to only specific AWS services.

Which solution will meet these requirements with the LEAST operational overhead?

A. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction

elements to allow access to only the Regions and services that are needed.

B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.

C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are

needed. Most Voted

D. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource,

and NotAction elements to allow access to only the Regions and services that are needed.

Correct Answer: C

Community vote distribution

C (80%) A (20%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 9/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #16 Topic 1

A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For

compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and

minimizes cost.

Which solution meets these requirements?

A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2

instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable

encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances. Most Voted

B. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure

that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application

data.

C. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the

database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of

application data.

D. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses

a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the

data is stored in the RDS database.

Correct Answer: A

Community vote distribution

A (100%)

Question #17 Topic 1

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in

an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an

external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications

with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)

A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use. Most Voted

B. Place the DB instance in a public subnet.

C. Place the DB instance in a private subnet. Most Voted

D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.

E. Configure the Auto Scaling group to place the EC2 instances in a private subnet. Most Voted

F. Deploy the ALB in a private subnet.

Correct Answer: ACE

Community vote distribution

ACE (61%) CE (33%) 6%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 10/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #18 Topic 1

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application

development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However,

other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of

the team members. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Choose three.)

A. Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to

allow the sts:AssumeRole action.

B. Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole

action. Most Voted

C. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation

stack in the resource field of each policy.

D. For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs

the permissions in the resource field of the corresponding policy. Most Voted

E. Update each stack to use the service role.

F Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role. Most Voted

Correct Answer: BDE

Community vote distribution

BDE (39%) BD (27%) BE (18%) Other

Question #19 Topic 1

A company used a lift-and-shift approach to migrate from its on-premises data centers to the AWS Cloud. The company migrated on-premises

VMs to Amazon EC2 instances. Now the company wants to replace some of components that are running on the EC2 instances with managed

AWS services that provide similar functionality.

Initially, the company will transition from load balancer software that runs on EC2 instances to AWS Elastic Load Balancers. A security engineer

must ensure that after this transition, all the load balancer logs are centralized and searchable for auditing. The security engineer must also

ensure that metrics are generated to show which ciphers are in use.

Which solution will meet these requirements?

A. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the CloudWatch Logs

console to search the logs. Create CloudWatch Logs filters on the logs for the required metrics.

B. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in

the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the required metrics.

C. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in

the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch. Most Voted

D. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the AWS Management

Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Correct Answer: C

Community vote distribution

C (65%) A (30%) 5%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 11/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #20 Topic 1

A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management

account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an

account named security-01 as the delegated administrator for AWS Config.

All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config

aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique

compliance requirements.

A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in

the organization. The solution must turn on AWS Config automatically during account creation.

Which combination of steps will meet these requirements? (Choose two.)

A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation

StackSets in the security-01 account.

B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.

Most Voted

C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01

account.

D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the

security-01 account.

E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the

management-01 account. Most Voted

Correct Answer: BE

Community vote distribution

BE (95%) 5%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 12/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #21 Topic 1

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an

IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access

key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is

not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.

A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-

EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to

send logs to Amazon CloudWatch Logs.

The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects

were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information

(PII).

Which combination of steps should the security engineer take to gather this information? (Choose two.)

A. Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the

access key.

B. Use Amazon OpenSearch Service to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access

an object that contained PII.

C. Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object

that contained PII. Most Voted

D. Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that

contained PII in DOC-EXAMPLE-BUCKET1.

E. Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Most Voted

Correct Answer: CE

Community vote distribution

CE (94%) 6%

Question #22 Topic 1

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional

statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee sill receives an

access denied message.

What is the likely cause of this access denial?

A. The ACL in the bucket needs to be updated.

B. The IAM policy does not allow the user to access the bucket.

C. It takes a few minutes for a bucket policy to take effect.

D. The allow permission is being overridden by the deny. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 13/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #23 Topic 1

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants

to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?

A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

B. Use Amazon inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS

attacks.

C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #24 Topic 1

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group.

The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has

configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application.

A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the

corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested

URL.

B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to

analyze the logs for the specific IP address and the requested URLs.

C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested

URLs. Most Voted

D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the

specific IP address. Use AWS Glue to view the results.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 14/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #25 Topic 1

While securing the connection between a company’s VPC and its on-premises data center, a security engineer sent a ping command from an on-

premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response.

The flow log in the VPC showed the following:

What action should be performed to allow the ping to work?

A. In the security group of the EC2 instance, allow inbound ICMP traffic.

B. In the security group of the EC2 instance, allow outbound ICMP traffic.

C. In the VPC’s NACL, allow inbound ICMP traffic.

D. In the VPC’s NACL, allow outbound ICMP traffic. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #26 Topic 1

A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon

DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function

periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further

processing.

The data includes personally identifiable information (PII). The company must remove data that is older than 30 days from the S3 bucket and the

DynamoDB table.

Which solution will meet this requirement with the MOST operational efficiency?

A. Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days

by using the TTL S3 flag.

B. Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the

DynamoDB table. Enable TTL on the DynamoDB table to expire entries that are older than 30 days based on the TTL attribute. Most Voted

C. Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda

function to delete entries that are older than 30 days.

D. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete

entries that are older than 30 days.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 15/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #27 Topic 1

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

A. Use the AWS account root user access keys instead of the AWS Management Console.

B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them.

C. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.

D. Do not create access keys for the AWS account root user; instead, create AWS IAM users. Most Voted

E. Enable multi-factor authentication for the AWS account root user. Most Voted

Correct Answer: DE

Community vote distribution

DE (100%)

Question #28 Topic 1

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application

for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed

in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team

follows the company's deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the

developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

A. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the

template to the portfolio's product list. Share the portfolio with the OU. Most Voted

B. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the

CloudFormation registry. Publish the extension. In the OU, create an SCP that allows access to the extension.

C. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the

template to the portfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in

the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.

D. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the

CloudFormation registry. Publish the extension. Share the extension with the OU.

Correct Answer: A

Community vote distribution

A (79%) D (21%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 16/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #29 Topic 1

A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can

have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that

maximizes flexibility and scalability.

Which solution will meet these requirements?

A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM

principals in the role trust policy as required.

B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to

access the secret. Update the list of IAM principals as required.

C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the

aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access. Most Voted

D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all

IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when

access is no longer allowed.

Correct Answer: C

Community vote distribution

C (86%) 14%

Question #30 Topic 1

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the

target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change

regularly.

The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.

Which solution meets these requirements?

A. Create an AWS WAF rate-based rule, and attach it to the ALB. Most Voted

B. Update the security group that is attached to the ALB to block the attacking IP addresses.

C. Update the ALB subnet's network ACL to block the attacking client IP addresses.

D. Create an AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 17/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #31 Topic 1

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The

company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's

delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable

GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to

security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to

generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

Why was the finding was not created in the Security Hub delegated administrator account?

A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver. Most Voted

C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D. Cross-Region aggregation in Security Hub was not configured.

Correct Answer: B

Community vote distribution

B (90%) 10%

Question #32 Topic 1

An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon

Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR).

The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some

container images that are stored in the container repositories.

The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security

team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use

the dashboard to view these findings along with other security-related findings that they intend to generate in the future. There are specific

repositories that the security team needs to exclude from the scanning process.

Which solution will meet these requirements?

A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector

findings to AWS Security Hub. Most Voted

B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push

findings to AWS Security Hub.

C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push

findings to Amazon Inspector.

D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector

findings to AWS Config.

Correct Answer: A

Community vote distribution

A (88%) 13%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 18/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #33 Topic 1

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the

instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35

days ago.

A security engineer must implement a continuous monitoring solution that automatically notifies the company's security team about compromised

instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

A. Enable AWS Security Hub in the AWS account.

B. Enable Amazon GuardDuty in the AWS account. Most Voted

C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.

Most Voted

D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.

E. Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic. Most Voted

F. Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Correct Answer: BCE

Community vote distribution

BCE (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 19/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #34 Topic 1

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named

IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job

functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

A. Update the IAM policy attached to the role in the identity account to be:

B. Update the trust policy on the role in the target account to be:

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 20/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Most Voted

C. Update the trust policy on the role in the identity account to be:

D. Update the IAM policy attached to the role in the target account to be:

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 21/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #35 Topic 1

A company is using AWS Organizations to manage multiple AWS accounts for its human resources, finance, software development, and

production departments. All the company's developers are part of the software development AWS account.

The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not

approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software

applications and only in the software development AWS account.

Which solution will meet these requirements?

A. In the software development account, create AMIs of preconfigured instances that include only approved software. Include the AMI IDs in

the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers

with the CloudFormation template to launch EC2 instances in the software development account.

B. Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify

AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software

onto the instances that the developers launch.

C. Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the

developers permission to access only the Service Catalog portfolio to launch a product in the software development account. Most Voted

D. In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation

StackSets to launch the AMIs across any AWS account in the organization. Grant the developers permission to launch the stack sets within

the management account.

Correct Answer: C

Community vote distribution

C (100%)

Question #36 Topic 1

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts

an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty

identifies this activity as a brute force attack because of the high number of connections that happen every hour.

The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-

to-noise ratio without compromising the company's visibility of potential anomalous behavior.

Which solution will meet these requirements?

A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.

B. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.

C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.

Most Voted

D. Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 22/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #37 Topic 1

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company

is using Amazon Elastic Container Registry (Amazon ECR) private repositories.

A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also

needs to analyze the container images for any common vulnerabilities and exposures (CVEs).

Which solution will meet these requirements?

A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run

an assessment with the CVE rules.

B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Most Voted

C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container

instances. Run an inventory report.

D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the

findings against a list of current CVEs.

Correct Answer: B

Community vote distribution

B (100%)

Question #38 Topic 1

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company’s Amazon EC2 console without

providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the

IAM account is assigned additional permissions based on IAM group membership.

What should the security engineer do to meet these requirements?

A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM

permissions boundary policy. Most Voted

C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM

group.

D. Create a IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Correct Answer: B

Community vote distribution

B (94%) 6%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 23/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #39 Topic 1

A company manages multiple AWS accounts using AWS Organizations. The company’s security team notices that some member accounts are not

sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured

for all existing accounts and for any account that is created in the future.

Which set of actions should the security team implement to accomplish this?

A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or

stopped.

B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

C. Edit the existing trail in the Organizations management account and apply it to the organization. Most Voted

D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.

Correct Answer: C

Community vote distribution

C (100%)

Question #40 Topic 1

A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage

pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The

threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its

system and identify all these incoming threats in near-real time.

Which solution will meet these requirements?

A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.

B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.

C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Most Voted

D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 24/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #41 Topic 1

A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A

security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts.

An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative

permissions and is operating in the management account.

When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the

assignment fails.

What should the security engineer do to resolve this failure?

A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same

name and same permissions in each account. Most Voted

B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that

includes the removed policy. Apply the permission sets separately to the user.

C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before

deployment.

D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the

customer managed policy.

Correct Answer: A

Community vote distribution

A (78%) C (22%)

Question #42 Topic 1

A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive

information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information

are only a few characters long.

What is the MOST cost-effective way to address this security issue?

A. Set up IAM policies from the Lambda console to hide access to the environment variables.

B. Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict

access to the environment variables to only the Lambda functions that require access.

C. Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the

secrets to only the Lambda functions that require access.

D. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use

IAM permissions to restrict access to the parameters to only the Lambda functions that require access. Most Voted

Correct Answer: D

Community vote distribution

D (86%) 14%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 25/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #43 Topic 1

A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best

practices.

Which approach should the security engineer take to meet this requirement?

A. Use AWS IAM Access Analyzer to analyze the polices. View the findings from policy validation checks. Most Voted

B. Review AWS Trusted Advisor checks for all accounts in the organization.

C. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.

D. Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.

Correct Answer: A

Community vote distribution

A (90%) 10%

Question #44 Topic 1

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not

compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are

encrypted using server-side encryption and that any future deviations from the policy are detected.

Which combination of steps should the security engineer take to accomplish this? (Choose two.)

A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS

Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Most Voted

B. Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge rule to

track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes

active, promote it into a standalone database instance and terminate the unencrypted database instance.

D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the

database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance. Most Voted

E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.

Correct Answer: AD

Community vote distribution

AD (93%) 7%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 26/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #45 Topic 1

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company

uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.

The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a

solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.

Which solution will meet this requirement?

A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move

snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.

B. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.

C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots.

Copy the encrypted snapshots to the new account on a recurring basis. Most Voted

D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

Correct Answer: C

Community vote distribution

C (79%) 14% 7%

Question #46 Topic 1

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security

engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics

team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet

can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate

access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give

the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping

command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow

traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so

that the forensics team can access the target instance. Most Voted

C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic

from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the

document on the target instance.

Correct Answer: B

Community vote distribution

B (47%) C (42%) 11%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 27/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #47 Topic 1

A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail

trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.

Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not

reaching the S3 bucket.

What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

A. Create a new CloudTrail trail. Select the new Regions where the company added resources.

B. Change the S3 bucket to receive notifications to track all actions from all Regions.

C. Create a new CloudTrail trail that applies to all Regions.

D. Change the existing CloudTrail trail so that it applies to all Regions. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #48 Topic 1

A company's public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon

CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.

The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.

Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.

B. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB. Most Voted

C. Configure the ALB to forward only requests that contain the custom HTTP header. Most Voted

D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.

E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

Correct Answer: BC

Community vote distribution

BC (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 28/29
1/15/25, 5:58 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #49 Topic 1

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who

left the company 30 days ago still has access to the account. The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by

resource.

B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search

area, choose the service category.

C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data.

Partition the table by event source. Most Voted

D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the

assessment to assess by resource.

Correct Answer: C

Community vote distribution

C (100%)

Question #50 Topic 1

A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default

value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer

must replace the parameter while maintaining the ability to reference the value in the template.

Which solution will meet these requirements in the MOST secure way?

A. Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to

the value with {{resolve:ssm:MySSMParameterName:1}}.

B. Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with

{{resolve:secretsmanager:MySecretId:SecretString}}. Most Voted

C. Store the API key value in Amazon DynamoDB. In the template, replace all references to the value with

{{resolve:dynamodb:MyTableName:MyPrimaryKey}}.

D. Store the API key value in a new Amazon S3 bucket. In the template, replace all references to the value with

{{resolve:s3:MyBucketName:MyObjectName}}.

Correct Answer: B

Community vote distribution

B (100%)

Browse atleast 50% to increase passing rate

Viewing page 1 out of 1 pages.

Viewing questions 1-50 out of 297 questions

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 29/29