Most Recent Amazon SCS-C02 Exam Questions & Answers

Prepare for the Amazon AWS Certified Security - Specialty exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Amazon SCS-C02 exam and achieve success.

The questions for SCS-C02 were last updated on Jan 21, 2025.

Viewing page 1 out of 74 pages.
Viewing questions 1-5 out of 372 questions

Get All 372 Questions & Answers

Question No. 1

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athen

a. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

AApply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

BUse S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

CDefine an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

DGrant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Show Answer

Correct Answer: A

Question No. 2

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.

What policy should the Engineer implement?

AOption A

BOption B

COption C

DOption D

Show Answer

Correct Answer: C

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html

Question No. 3

A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and Ama-zonVPCFullAccess.

The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role.

Which solution will meet these requirements in the MOST operationally efficient way?

AIn AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM poli-cy for the role.

BRemove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.

CCreate an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the PrincipalArn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM poli-cies from the role.

DIn AWS CloudTrail, create a trail for management events. Remove the exist-ing AWS managed IAM policies from the role. Run the script. Find the au-thorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.

Show Answer

Correct Answer: A

Question No. 4

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.

The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.

Which solution meets these requirements?

ACreate an AWS WAF rate-based rule, and attach it to the ALB.

BUpdate the security group that is attached to the ALB to block the attacking IP addresses.

CUpdate the ALB subnet's network ACL to block the attacking client IP addresses.

DCreate a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

Show Answer

Correct Answer: A

Question No. 5

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised

Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

AOpen a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

BRespond to the notification and list the actions that have been taken to address the incident

CDelete all IAM users and resources in the account

DDetach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

EDelete the identified compromised instances and delete any associated resources that the Security team did not create.

Show Answer

Correct Answer: D, E

these are the recommended actions to take when you receive an abuse notice from AWS8. You should review the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.

Unlock All Questions for Amazon SCS-C02 Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 372 Questions & Answers