1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #151 Topic 1

A security engineer is configuring AWS Config for an AWS account that uses a new IAM entity. When the security engineer tries to configure AWS

Config rules and automatic remediation options, errors occur. In the AWS CloudTrail logs, the security engineer sees the following error message:

“Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.”

Which combination of steps should the security engineer take to remediate this issue? (Choose two.)

A. Check the Amazon S3 bucket policy. Verify that the policy allows the config amazonaws,com service to write to the target bucket.

Most Voted

B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the

target bucket. Most Voted

C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to

write to the target bucket.

D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the

target bucket.

E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the

GetResourceConfigHistory action and s3:PutObject* operation.

Correct Answer: AB

Community vote distribution

AB (100%)

Question #152 Topic 1

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.

Which combination of AWS services and features will provide protection in this scenario? (Choose three.)

A. Amazon Route 53 Most Voted

B. AWS Certificate Manager (ACM)

C. Amazon S3

D. AWS Shield Most Voted

E. Network Load Balancer Most Voted

F. Amazon GuardDuty

Correct Answer: ADE

Community vote distribution

ADE (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 1/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #153 Topic 1

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon

ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one

organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The

company will push any findings to AWS Security Hub, which the company has configured for the organization.

The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the

solution must scan the workloads.

Which solution will meet these requirements?

A. Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.

B. Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of

ECR containers

C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.

Most Voted

D. Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR

containers.

Correct Answer: C

Community vote distribution

C (100%)

Question #154 Topic 1

A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company

uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the

data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon

EKS) on AWS Fargate.

The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an

AWS Key Management Service (AWS KMS) customer managed key.

What should the company do next to meet these requirements?

A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3

buckets and DynamoDB tables that are not encrypted with the key.

B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy

to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that

denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key. Most Voted

D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config

rule to send alerts for resources that are not encrypted with the key.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 2/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #155 Topic 1

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was

produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. Most Voted

B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the

logs.

D. The version of the Lambda function that was invoked was not current.

Correct Answer: A

Community vote distribution

A (100%)

Question #156 Topic 1

A company is worried about potential DDoS attacks. The company has a web application that runs on Amazon EC2 instances. The application

uses Amazon S3 to serve static content such as images and videos.

A security engineer must create a resilient architecture that can withstand DDoS attacks.

Which solution will meet these requirements MOST cost-effectively?

A. Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when an EC2 instance’s CPU utilization reaches 90%. Program

the Lambda function to update security groups that are attached to the EC2 instance to deny inbound ports 80 and 443.

B. Put the EC2 instances into an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Use Amazon CioudFront with

Amazon S3 as an origin. Most Voted

C. Set up a warm standby disaster recovery (DR) environment. Fail over to the warm standby DR environment if a DDoS attack is detected on

the application.

D. Subscribe to AWS Shield Advanced. Configure permissions to allow the Shield Response Team to manage resources on the company's

behalf during a DDoS event.

Correct Answer: B

Community vote distribution

B (63%) D (38%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 3/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #157 Topic 1

A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external

AWS principals through cross-account IAM roles and Amazon S3 bucket policies.

The company needs to identify which external principals have access to which accounts.

Which solution will provide this information?

A. Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter

findings by AWS account ID. Most Voted

B. Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter

findings by AWS account ID.

C. Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the IAM role resource

type and the S3 bucket policy resource type.

D. Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior

finding type.

Correct Answer: A

Community vote distribution

A (100%)

Question #158 Topic 1

A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all

Amazon EC2 instances for all the accounts in the organization.

A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching

operations.

A security engineer must implement a solution that detects EC2 instances that do not have the required software. The solution also must

automatically install the software if the software is not present.

Which solution will meet these requirements?

A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required

software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2

instances.

B. Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved

packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon

EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems

Manager Run Command to install the required software. Most Voted

D. Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in

the different accounts. Install the software by using Systems Manager Run Command.

Correct Answer: C

Community vote distribution

C (92%) 8%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 4/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #159 Topic 1

A development team is creating an open source toolset to manage a company's software as a service (SaaS) application. The company stores the

code in a public repository so that anyone can view and download the toolset's code.

The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company’s AWS

environment

A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also

must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Choose two.)

A. Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used

them. Most Voted

B. Deactivate the exposed IAM access key from the user’s IAM account. Most Voted

C. Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D. Create a new IAM access key and secret key for the user whose credentials were exposed.

E. Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Correct Answer: AB

Community vote distribution

AB (100%)

Question #160 Topic 1

A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its

AWS accounts.

The solution must aggregate and normalize events from the following sources:

• The entire organization in Organizations

• All AWS Marketplace offerings that run in the company’s AWS accounts

• The company's on-premises systems

Which solution will meet these requirements?

A. Configure a centralized Amazon S3 bucket for the logs. Enable VPC Flow Logs, AWS CloudTrail. and Amazon Route 53 logs in all accounts.

Configure all accounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files. Use Amazon Athena to query the

log data.

B. Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring Create log subscription filters for each log stream.

Forward the messages to Amazon OpenSearch Service for analysis.

C. Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization.

Add the accounts that need monitoring. Use Amazon Athena to query the log data. Most Voted

D. Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon

OpenSearch Service to query the centralized S3 bucket for log entries.

Correct Answer: C

Community vote distribution

C (86%) 14%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 5/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #161 Topic 1

A company uses AWS Organizations. The company has more than 100 AWS accounts and will increase the number of accounts. The company

also uses an external corporate identity provider (IdP).

The company needs to provide users with role-based access to the accounts. The solution must maximize scalability and operational efficiency.

Which solution will meet these requirements?

A. In each account, create a set of dedicated IAM users. Ensure that all users assume these IAM users through federation with the existing

IdP.

B. Deploy an IAM role in a central identity account. Allow users to assume the role through federation with the existing IdP. In each account,

deploy a set of IAM roles that match the desired access patterns. Include a trust policy that allows access from the central identity account.

Edit the permissions policy for the role in each account to match user access requirements.

C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company's existing IdP. Create permission sets that match the

desired access patterns. Assign permissions to match user access requirements. Most Voted

D. In each account, deploy a set of IAM roles that match the desired access patterns. Create a trust policy with the existing IdP. Update each

role's permissions policy to use SAML-based IAM condition keys that are based on user access requirements.

Correct Answer: C

Community vote distribution

C (80%) B (20%)

Question #162 Topic 1

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing

attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent

string of a known mobile device emulator.

A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the

application.

Which solution will meet these requirements?

A. Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string Add an Amazon Simple

Notification Service (Amazon SNS) topic to the alarm.

B. Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

C. Create an AWS WAF web ACL for the ALB Create a custom rule that blocks requests that contain the user agent string of the device

emulator. Most Voted

D. Create an AWS WAF web ACL for the ALB. Create a custom rule that allows requests from legitimate user agent strings.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 6/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #163 Topic 1

A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to

publish messages from application components to custom logging services.

The company is concerned that an application component might publish sensitive data that will be accidentally exposed in transaction logs and

debug logs.

Which solution will protect the sensitive data in these messages from accidental exposure?

A. Use Amazon Made to scan the SNS topics for sensitive data elements in the SNS messages. Create an AWS Lambda function that masks

sensitive data inside the messages when Macie records a new finding.

B. Configure an inbound message data protection policy. In the policy, include the De-identify operation to mask the sensitive data inside the

messages. Apply the policy to the SNS topics. Most Voted

C. Configure the SNS topics with an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data elements inside the

messages. Grant permissions to all message publisher IAM roles to allow access to the key to encrypt data.

D. Create an Amazon GuardDuty finding for sensitive data that is transmitted to the SNS topics. Create an AWS Security Hub custom

remediation action to block messages that contain sensitive data from being delivered to subscribers of the SNS topics.

Correct Answer: B

Community vote distribution

B (100%)

Question #164 Topic 1

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances.

The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then

write a summary to an Amazon S3 bucket.

The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the

internet. The private subnets use a NAT gateway to access the internet.

All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the

internet.

Which solution will meet these requirements?

A. Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT

gateway.

B. Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service. Most Voted

C. Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for

the S3 service.

D. Deploy an Amazon Simple Queue Service (Amazon SQS) queue and the Lambda functions in the same private subnet. Configure the

Lambda functions to send data to the SQS queue. Configure the SQS queue to send data to the S3 bucket.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 7/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #165 Topic 1

A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account

to prevent resources from being shared with external accounts.

The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must

continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization

are members of the same OU.

Which solution will meet these requirements?

A. Create a new SCP in the marketing team's account Configure the SCP to explicitly allow resource sharing.

B. Edit the existing SCP to add a Condition statement that excludes the marketing team's account. Most Voted

C. Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

D. Create an IAM permissions boundary policy to explicitly allow resource sharing Attach the policy to IAM users in the marketing team's

account.

Correct Answer: B

Community vote distribution

B (100%)

Question #166 Topic 1

A security administrator has enabled AWS Security Hub for all the AWS accounts in an organization in AWS Organizations. The security team

wants near-real-time response and remediation for deployed AWS resources that do not meet security standards. All changes must be centrally

logged for auditing purposes.

The organization has reached the quotas for the number of SCPs attached to an OU and SCP document size. The team wants to avoid making any

changes to any of the SCPs. The solution must maximize scalability and cost-effectiveness.

Which combination of actions should the security administrator take to meet these requirements? (Choose three.)

A. Create an AWS Config custom rule to detect configuration changes to AWS resources. Create an AWS Lambda function to remediate the

AWS resources in the delegated administrator AWS account. Most Voted

B. Use AWS Systems Manager Change Manager to track configuration changes to AWS resources. Create a Systems Manager document to

remediate the AWS resources in the delegated administrator AWS account.

C. Create a Security Hub custom action to reference in an Amazon EventBridge event rule in the delegated administrator AWS account.

Most Voted

D. Create an Amazon EventBridge event rule to Invoke an AWS Lambda function that will take action on AWS resources. Most Voted

E. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will evaluate AWS resource configuration for a set of API

requests and create a finding for noncompllant AWS resources.

F. Create an Amazon EventBridge event rule to invoke an AWS Lambda function on a schedule to assess specific AWS Config rules.

Correct Answer: ACD

Community vote distribution

ACD (67%) ADE (33%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 8/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #167 Topic 1

A security engineer must Implement monitoring of a company's Amazon Aurora MySQL DB instances. The company wants to receive email

notifications when unknown users try to log in to the database endpoint.

Which solution will meet these requirements with the LEAST operational overhead?

A. Enable Amazon GuardDuty. Enable the Amazon RDS Protection feature in GuardDuty to detect login attempts by unknown users. Create an

Amazon EventBridge rule to filter GuardDuty findings. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).

Most Voted

B. Enable the server_audit_logglng parameter on the Aurora MySQL DB instances. Use AWS Lambda to periodically scan the delivered log files

for login attempts by unknown users. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).

C. Create an Amazon RDS Custom AMI. Include a third-party security agent in the AMI to detect login attempts by unknown users. Deploy RDS

Custom DB instances. Migrate data from the existing installation to the RDS Custom DB instances. Configure email notifications from the

third-party agent.

D. Write a stored procedure to detect login attempts by unknown users. Schedule a recurring job inside the database engine. Configure Aurora

MySQL to use Amazon Simple Notification Service (Amazon SNS) to send email notifications.

Correct Answer: A

Community vote distribution

A (75%) B (25%)

Question #168 Topic 1

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The

company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront

distribution.

B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront

distribution.

C. Use the geo restriction feature in CloudFront to deny the specific countries. Most Voted

D. Use geolocation headers in CloudFront to deny the specific countries.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 9/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #169 Topic 1

A company deploys its application as a service on an Amazon Elastic Container Service (Amazon ECS) cluster with theAWS Fargate launch type. A

security engineer suspects that some incoming requests are malicious. The security engineer needs to inspect the running container by retrieving

log files and memory dump flies.

Which solution will meet these requirements with the LEAST operational effort?

A. Migrate the application to an ECS cluster with the Amazon EC2 launch type. Configure the EC2 instances with proper remote access. Log in

and inspect the container.

B. Update the application to dump the required data to STDOUT. Use the awslogs log driver to pass the logs to Amazon CloudWatch Logs.

Examine the log files in CloudWatch Logs.

C. Turn on Amazon CloudWatch Container Insights for the ECS cluster. Send the log data to Amazon CloudWatch Logs by using AWS Distro for

OpenTelemetry. Examine the log data in CloudWatch Logs.

D. Update the ECS task role with AWS Systems Manager permissions. Enable the ECS Exec feature for the ECS service. Use ECS Exec to

inspect the container. Most Voted

Correct Answer: D

Community vote distribution

D (64%) B (36%)

Question #170 Topic 1

A company uses AWS Organizations and has many AWS accounts. The company has a new requirement to use server-side encryption with

customer-provided keys (SSE-C) on all new object uploads to Amazon S3 buckets.

A security engineer is creating an SCP that includes a Deny effect for the s3:PutObject action.

Which condition must the security engineer add to the SCP to enforce the new SSE-C requirement?

A.

Most Voted

B.

C.

D.

Correct Answer: A

Community vote distribution

A (88%) 13%

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 10/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #171 Topic 1

A company wants to deny a specific federated user named Bob access to an Amazon S3 bucket named DOC-EXAMPLE-BUCKET. The company

wants to meet this requirement by using a bucket policy. The company also needs to ensure that this bucket policy affects Bob's S3 permissions

only. Any other permissions that Bob has must remain intact.

Which policy should the company use to meet these requirements?

A.

B.

Most Voted

C.

D.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 11/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #172 Topic 1

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon

Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has

become a burden for the company's customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password

resets and login assistance while securely protecting each player's credentials.

Which solution will meet these requirements?

A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key. Program the

Lambda function to store the credentials on the player's device. Create IAM keys for existing players.

B. Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up, create a key-value pair in

Secrets Manager for the player’s user ID and password.

C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate

the game’s authentication mechanism to Cognito. Most Voted

D. Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway

API to give the game client access to the game’s functionality.

Correct Answer: C

Community vote distribution

C (100%)

Question #173 Topic 1

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The

company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging

for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?

A. Review GuardDuty findings to find InstanceCredentialExfiltration events. Most Voted

B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.

C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside

the company.

D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from

outside the company.

Correct Answer: A

Community vote distribution

A (63%) C (38%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 12/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #174 Topic 1

A security engineer needs to run an AWS CloudFormation script. The CloudFormation script builds AWS infrastructure to support a stack that

includes web servers and a MySQL database. The stack has been deployed in pre-production environments and is ready for production.

The production script must comply with the principle of least privilege. Additionally, separation of duties must exist between the security

engineer’s IAM account and CloudFormation.

Which solution will meet these requirements?

A. Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Attach

the policy to a new IAM role. Modify the security engineer's IAM permissions to be able to pass the new role to CloudFormation.

B. Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Modify the security engineer's IAM

permissions to be able to assume the new role.

C. Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Modify

the security engineer's IAM permissions to be able to run the CloudFormation script.

D. Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Use the IAM policy simulator to confirm

that the policy allows the AWS API calls that are necessary to build the stack. Modify the security engineer's IAM permissions to be able to

pass the new role to CloudFormation.

Correct Answer: A

Community vote distribution

A (100%)

Question #175 Topic 1

A company that uses AWS Organizations is migrating workloads to AWS. The company's application team determines that the workloads will use

Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company

mandates that deployments must comply with the following requirements:

• All EC2 instances must be launched from approved AWS accounts.

• All DynamoDB tables must be provisioned with a standardized naming convention.

• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.

Which combination of steps should the application team take to meet these requirements? (Choose two.)

A. Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the

template to be used specifically by the application AWS account.

B. Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account ta review compliant

resources. Restrict output to only the administrator AWS account.

C. Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal

compliance requirements are met.

D. Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance

requirements are met.

E. Activate AWS Config managed rules for each service in the application AWS account.

Correct Answer: AD

Community vote distribution

AD (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 13/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #176 Topic 1

A company has a batch-processing system that uses Amazon S3, Amazon EC2, and AWS Key Management Service (AWS KMS). The system uses

two AWS accounts: Account A and Account B.

Account A hosts an S3 bucket that stores the objects that will be processed. The S3 bucket also stores the results of the processing. All the S3

bucket objects are encrypted by a KMS key that is managed in Account A.

Account B hosts a VPC that has a fleet of EC2 instances that access the S3 bucket in Account A by using statements in the bucket policy. The

VPC was created with DNS hostnames enabled and DNS resolution enabled.

A security engineer needs to update the design of the system without changing any of the system's code. No AWS API calls from the batch-

processing EC2 instances can travel over the internet.

Which combination of steps will meet these requirements? (Choose two.)

A. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows

the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket. Most Voted

B. In the Account B VPC, create an interface VPC endpoint for Amazon S3. For the interface VPC endpoint, create a resource policy that allows

the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.

C. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows

the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned on for the endpoint.

Most Voted

D. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows

the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned off for the endpoint.

E. In the Account B VPC, verify that the S3 bucket policy allows the s3:PutObjectAcl action for cross-account use. In the Account B VPC,

create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject,

s3:ListBucket, and s3:PutObject actions for the S3 bucket.

Correct Answer: AC

Community vote distribution

AC (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 14/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #177 Topic 1

A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to

three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and AmazonVPCFullAccess.

The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this

role.

Which solution will meet these requirements in the MOST operationally efficient way?

A. In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access

Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the

generated IAM policy for the role.

B. Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the

script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.

C. Create an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the PrincipalArn value

matches the ARN of the role. Run the script. Remove the existing AWS managed IAM policies from the role.

D. In AWS CloudTrail, create a trail for management events. Remove the existing AWS managed IAM policies from the role. Run the script. Find

the authorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that

caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.

Correct Answer: A

Community vote distribution

A (100%)

Question #178 Topic 1

A security engineer is designing a cloud architecture to support an application. The application runs on Amazon EC2 instances and processes

sensitive information, including credit card numbers.

The application will send the credit card numbers to a component that is running in an isolated environment. The component will encrypt, store,

and decrypt the numbers. The component then will issue tokens to replace the numbers in other parts of the application.

The component of the application that manages the tokenization process will be deployed on a separate set of EC2 instances. Other components

of the application must not be able to store or access the credit card numbers.

Which solution will meet these requirements?

A. Use EC2 Dedicated Instances for the tokenization component of the application.

B. Place the EC2 instances that manage the tokenization process into a partition placement group.

C. Create a separate VPDeploy new EC2 instances into the separate VPC to support the data tokenization.

D. Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 15/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #179 Topic 1

A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to

upload sensitive documents to Amazon S3 buckets in Account A.

A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security

engineer must recommend a solution that meets this requirement with minimum risk and effort.

Which solution should the security engineer recommend?

A. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.

B. Add an aws MultiFactorAuthPresent condition to the role’s trust policy. Most Voted

C. Add an aws:MultiFactorAuthPresent condition to the session policy.

D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.

Correct Answer: B

Community vote distribution

B (100%)

Question #180 Topic 1

A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository

sites.

Which solution will provide the required email notifications?

A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty

UnauthorizedAccess:IAMUser/lnstanceCredentialExfiltration.OutsideAWS findings.

B. Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for

notifications.

C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email

notifications by using Amazon Simple Notification Service (Amazon SNS).

D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS

Management Console. Configure email notifications from the anomaly detection software.

Correct Answer: A

Community vote distribution

A (67%) C (33%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 16/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #181 Topic 1

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number

of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being

compromised. The application must remain available to other users.

Which solution will meet these requirements?

A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the

source IP addresses. Most Voted

B. Update the elastic network interface security group that is attached to the EC2 instance to remove the port from the inbound rule list.

C. Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the

port and the source IP addresses.

D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Correct Answer: A

Community vote distribution

A (100%)

Question #182 Topic 1

A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS

CloudTrail, which is sending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS

account root user credentials to sign in to the AWS Management Console

Which solutions will provide this notification? (Choose two.)

A. Use AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by

the Trusted Advisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required

endpoints to the SNS topic so that these endpoints can receive notification.

B. Use AWS IAM Access Analyzer. Create an Amazon Cloud Watch Logs metric filter to evaluate log entries from Access Analyzer that detect a

successful root account login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the

CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe

any required endpoints to this SNS topic so that these endpoints can receive notification.

C. Configure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by

CloudTrail to evaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login

has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters

the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification. Most Voted

D. Configure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda

function that parses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should

receive notification. Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail.

E. Configure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login.

Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so

that these endpoints can receive notification. Most Voted

Correct Answer: CE

Community vote distribution

CE (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 17/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #183 Topic 1

A company has AWS accounts that are in an organization in AWS Organizations. A security engineer needs to set up AWS Security Hub in a

dedicated account for security monitoring.

The security engineer must ensure that Security Hub automatically manages all existing accounts and all new accounts that are added to the

organization. Security Hub also must receive findings from all AWS Regions.

Which combination of actions will meet these requirements with the LEAST operational overhead? (Choose two.)

A. Configure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region. Most Voted

B. Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon

EventBridge rule to invoke the Lambda function.

C. Turn on the option to automatically enable accounts for Security Hub. Most Voted

D. Create an SCP that denies the securityhub:DisableSecurityHub permission. Attach the SCP to the organization’s root account.

E. Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the

trail.

Correct Answer: AC

Community vote distribution

AC (67%) CD (33%)

Question #184 Topic 1

A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly.

The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete

the encryption keys.

Which solution meets these requirements?

A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if

necessary.

B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.

Most Voted

C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.

Correct Answer: B

Community vote distribution

B (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 18/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #185 Topic 1

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon

Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the

configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

A. Replace the KSK with a zone-signing key (ZSK).

B. Deactivate and then activate the KSK.

C. Create a Delegation Signer (DS) record in the parent hosted zone. Most Voted

D. Create a Delegation Signer (DS) record in the subdomain.

Correct Answer: C

Community vote distribution

C (100%)

Question #186 Topic 1

A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS

accounts, and the company expects to add more than 50 AWS accounts during the next 12 months. The company will require all existing and

future AWS accounts to use Amazon GuardDuty. Each existing AWS account has GuardDuty active. The company reviews GuardDuty findings by

logging into each AWS account individually.

The company wants a centralized view of the GuardDuty findings for the existing AWS accounts and any future AWS accounts. The company also

must ensure that any new AWS account has GuardDuty automatically turned on.

Which solution will meet these requirements?

A. Enable AWS Security Hub in the organization's management account. Configure GuardDuty within the management account to send all

GuardDuty findings to Security Hub.

B. Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated

administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically

add new AWS accounts to the organization.

C. Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the

option to automatically add new AWS accounts to the organization.

D. Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator

account for Security Hub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the

organization. Send all Security Hub findings to the organization's GuardDuty account.

Correct Answer: B

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 19/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #187 Topic 1

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the

same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session

to perform critical duties.

How can a security engineer provide the access to meet these requirements?

A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user

accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select

the EC2 instance and connect.

B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys

from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.

C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user

accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to

select the EC2 instance and connect.

D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the

SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client

method.

Correct Answer: C

Question #188 Topic 1

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-

vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this error?

A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

B. Copy the vault data to a new S3 bucket. Delete the vault Create a new vault with the data.

C. Update the policy to keep the vault lock in place.

D. Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 20/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #189 Topic 1

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video

content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours,

the total video is made up of thousands of chunks.

The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the

paying users against an internal repository and a CloudFront key pair that is already issued.

What is the simplest and MOST effective way to protect the content?

A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content. Most Voted

B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.

D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Correct Answer: B

Community vote distribution

B (50%) A (50%)

Question #190 Topic 1

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any

multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key

Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is

available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by

using a new AWS managed KMS key in us-west-1.

B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint

in us-east-1.

C. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager

endpoint in us-east-1.

D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1

by using the customer managed KMS key from us-east-1. Most Voted

Correct Answer: D

Community vote distribution

D (60%) A (40%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 21/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #191 Topic 1

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an

Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private

subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a

dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and

outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

A. Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from NACL2.

• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.

• Remove the default rules that allow all inbound and outbound traffic.

B. Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from the Cl DR blocks of the application instance subnets.

• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.

• Remove the default rules that allow all inbound and outbound traffic.

C. Make the following changes to NACL2:

• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.

• Remove the default rules that allow all inbound and outbound traffic.

D. Make the following changes to NACL2:

• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.

• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Correct Answer: B

Community vote distribution

C (50%) B (50%)

Question #192 Topic 1

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as

expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.)

A. Verify that the S3 bucket policy allows CloudTrail to write objects. Most Voted

B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

C. Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.

D. Verify that the S3 bucket defined in CloudTrail exists. Most Voted

E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct Answer: AD

Community vote distribution

AD (83%) AE (17%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 22/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #193 Topic 1

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or

managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by

email when a certificate is approaching its expiration date.

What is the MOST operationally efficient way to meet this requirement?

A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK.

Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge rate expression to schedule the Lambda function

to run daily.

B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric.

Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the

DaysToExpiry metric is less than or equal to 31.

C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure

and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create

an Amazon Simple Notification Service (Amazon SNS) topic as the target.

D. Create an Amazon EventBridge rule by using a predefined pattern for ACM Choose the metric in the ACM Certificate Approaching Expiration

event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.

Correct Answer: D

Community vote distribution

D (100%)

Question #194 Topic 1

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded

and retained in a centralized location for both current and future AWS regions.

What is the SIMPLEST way to meet these requirements?

A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.

B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later

analysis.

C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage

location.

D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later

analysis.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 23/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #195 Topic 1

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer

noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of

log data. All logs must be kept for a minimum of 1 year for auditing purposes.

What should the security engineer recommend?

A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an

EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch

template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an

instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to

Amazon CloudWatch Logs for review.

D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle

notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to

allow manual review of the security logs prior to instance termination.

Correct Answer: C

Community vote distribution

C (100%)

Question #196 Topic 1

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon

EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music.

The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now

wants to further reduce risk.

A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and

detective controls. The solution must meet an RPO of 1 hour.

Which solution will meet these requirements?

A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate

existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

Most Voted

B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data

lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated

response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that

replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration

code.

D. Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most

recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 24/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #197 Topic 1

A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon

EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes.

A security engineer needs to preserve all forensic evidence from one of the instances.

Which order of steps should the security engineer use to meet this requirement?

A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance

and store the snapshot in an S3 bucket Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the

instance.

B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot

of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the

ALB.

C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and

store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the

instance. Most Voted

D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB Stop the instance. Take a memory snapshot of the

instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3

bucket.

Correct Answer: C

Community vote distribution

C (35%) B (29%) D (24%) 12%

Question #198 Topic 1

An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The

domains that are being used are not currently hosted on Amazon Route 53.

The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better

points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will

use several alternative domain names. The certificates must renew automatically over an indefinite period of time.

Which combination of steps should the application team take to deploy this architecture? (Choose three.)

A. Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.

B. Send an email message to the domain administrators to request validation of the domains for ACM.

C. Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.

D. Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure

connections.

E. Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain

names or alternate names in the Alternate Domain Names Distribution Settings. Select the newly requested certificate from ACM to be used

for secure connections.

F. Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.

Correct Answer: CEF

Community vote distribution

CEF (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 25/26
1/15/25, 6:14 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #199 Topic 1

A company’s security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access

Analyzer, or Amazon Macie generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The

company also uses AWS Security Hub with all of the AWS service integrations turned on.

Which solution will meet these requirements with the LEAST operational overhead?

A. Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-

severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to

invoke the functions on a schedule.

B. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send

the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

C. Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the

findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

D. Host an application on Amazon EC2 to call the GuardDuty. IAM Access Analyzer, and Macie APIs. Within the application, use the Amazon

Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the

desired email addresses to the SNS topic.

Correct Answer: B

Community vote distribution

B (100%)

Question #200 Topic 1

A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon

SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling.

The company's security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security

engineer needs to implement private connectivity to AWS services.

Which combination of steps should the security engineer take to meet this requirement? (Choose three.)

A. Use an interface VPC endpoint for Amazon SQS.

B. Configure a connection to Amazon S3 through AWS Transit Gateway.

C. Use a gateway VPC endpoint for Amazon S3.

D. Modify the IAM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.

E. Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses.

F. Configure a connection to Amazon S3 through AWS Firewall Manager.

Correct Answer: ACE

Community vote distribution

ACE (100%)

Browse atleast 50% to increase passing rate

Viewing page 1 out of 1 pages.

Viewing questions 1-50 out of 297 questions

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 26/26