AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&as, Page 1 - ExamTopics - PDF 251-297

The document contains a series of questions and answers related to the AWS Certified Security - Specialty SCS-C02 Exam, focusing on security best practices and configurations in AWS environments. Key topics include preventing CloudTrail from being disabled, monitoring AWS resources, troubleshooting connectivity issues, and managing sensitive data in S3 with encryption. Each question is accompanied by community-voted answers and explanations, highlighting the correct solutions for various security scenarios.

1/15/25, 6:22 PM AWS Certified Security - Specialty SCS-C02 Exam - Free Exam Q&As, Page 1 | ExamTopics

Question #251 Topic 1

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution to prevent CloudTrail from being disabled.

Which solution will meet this requirement?

A. Enable CloudTrail log file integrity validation from the organization’s management account.

B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU. (Most Voted)

D. Create IAM policies for all the company’s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Correct Answer: C

Community vote distribution: C (100%)

Question #252 Topic 1

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with the LEAST operational effort?

A. Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account. (Most Voted)

B. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Configure Aurora to publish all logs to CloudWatch. Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.

C. Create a central Amazon S3 bucket in the organization’s management account. Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket. Configure Aurora to publish all logs to CloudTrail. Use Amazon Athena to query the CloudTrail logs in the S3 bucket for security issues.

D. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Subscribe an Amazon Kinesis data stream to the CloudWatch logs. Create AWS Lambda functions to process log records in the data stream to detect security issues.

Correct Answer: A

Community vote distribution: A (100%)

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty-scs-c02/view/ 1/25

Question #253 Topic 1

A security engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The security engineer has verified the following:

1. The rule set in the security groups is correct.

2. The rule set in the network ACLs is correct.

3. The rule set in the virtual appliance is correct.

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

B. Verify which security group is applied to the particular web server’s elastic network interface (ENI).

C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance. (Most Voted)

D. Verify the registered targets in the ALB. (Most Voted)

E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Correct Answer: CD

Community vote distribution: CD (50%) BD (50%)

Question #254 Topic 1

A company has a strict policy against using root credentials. The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console.

How should the security team achieve this goal?

A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).

B. Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS). (Most Voted)

C. Use Amazon Athena to query AWS IAM Identity Center logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.

D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).

Correct Answer: B

Community vote distribution: B (100%)


Question #255 Topic 1

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company’s operations team manages access to the company’s S3 buckets. The company’s security team manages access to encryption keys.

The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?

A. Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

C. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

D. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Correct Answer: B

Question #256 Topic 1

A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.

Which solution will meet this requirement?

A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager. (Most Voted)

B. Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.

C. Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.

D. Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.

Correct Answer: A

Community vote distribution: A (100%)


Question #257 Topic 1

A company stores sensitive data in AWS Secrets Manager. A security engineer needs to design a solution to generate a notification email when anomalous GetSecretValue API calls occur. The security engineer has configured an Amazon EventBridge rule for all Secrets Manager events that AWS CloudTrail delivers.

Which solution will meet these requirements?

A. Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudTrail alarm that uses the SNS topic to send the notification.

B. Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudTrail alarm that uses the SQS queue to send the notification.

C. Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Set up a metric filter on the IncomingBytes metric and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm that uses the SNS topic to send the notification. (Most Voted)

D. Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Use CloudWatch Logs Insights query syntax to search for anomalous GetSecretValue API calls. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudWatch alarm that uses the SQS queue to send the notification.

Correct Answer: C

Community vote distribution: C (100%)


Question #258 Topic 1

A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU.

Except for some desired global services, the AWS usage must occur only in the eu-west-1 Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.

Which SCP will meet these requirements?

A. (SCP policy document shown as an image; not reproduced in this extraction)

B. (SCP policy document shown as an image; not reproduced in this extraction)

C. (SCP policy document shown as an image; not reproduced in this extraction)


D. (SCP policy document shown as an image; not reproduced in this extraction)

Correct Answer: C

Question #259 Topic 1

A company is planning to migrate its applications to AWS in a single AWS Region. The company’s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.

• Data must be encrypted in transit.

• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Choose three.)

A. Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

B. Enable Amazon GuardDuty in all AWS accounts.

C. Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.

E. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

F. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Correct Answer: BDF

Community vote distribution: BDF (100%)


Question #260 Topic 1

A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3.

The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly. The security engineer needs to find a solution that supports cross-account access.

Which solution is the MOST operationally efficient way to manage access control for the customer managed key?

A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access. (Most Voted)

B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct Answer: A

Community vote distribution: A (100%)

Question #261 Topic 1

A company runs an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer needs to provide secure access to the application without requiring the use of a VPN. Users should be able to access the application only when they meet specific security conditions, including a defined device posture.

Which solution will meet these requirements?

A. Create an AWS WAF web ACL. Configure a custom response to block traffic that does not align with the defined device posture.

B. Configure AWS Verified Access. Add the application by creating an endpoint for the ALB. (Most Voted)

C. Configure Amazon Verified Permissions. Use a policy-based access control (PBAC) policy to perform authorization.

D. Configure Amazon Verified Permissions. Add the application by creating an endpoint for the ALB.

Correct Answer: B

Community vote distribution: B (100%)


Question #262 Topic 1

A company needs to retain data that is stored in Amazon CloudWatch Logs log groups. The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement.

Which solution will provide the appropriate notification?

A. Create a Security Hub custom action to assess the log group retention period.

B. Create a data protection policy in CloudWatch Logs to assess the log group retention period.

C. Create a Security Hub automation rule. Configure the automation rule to assess the log group retention period.

D. Use the AWS Config managed rule that assesses the log group retention period. Ensure that AWS Config integration is enabled in Security Hub. (Most Voted)

Correct Answer: D

Community vote distribution: D (100%)

Question #263 Topic 1

A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company’s organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets.

What should the SCP do to meet these requirements?

A. Deny the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of ${aws:PrincipalOrgID}.

B. Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.

C. Allow the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:PrincipalOrgID, and a value of ${aws:PrincipalOrgID}.

D. Deny the S3:* action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.

Correct Answer: A


Question #264 Topic 1

A security engineer is implementing authentication for a multi-account environment by using federated access with SAML 2.0. The security engineer has configured AWS IAM Identity Center as an identity provider (IdP). The security engineer also has created IAM roles to grant access to the AWS accounts.

A federated user reports an authentication failure when the user attempts to authenticate with the new system.

What should the security engineer do to troubleshoot this issue in the MOST operationally efficient way?

A. Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.

B. Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.

C. Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles.

D. Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing.

Correct Answer: A

Question #265 Topic 1

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).

A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

A. Configure S3 bucket policies to deny DELETE and PUT object permissions.

B. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C. Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D. Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Correct Answer: B

Community vote distribution: B (100%)


Question #266 Topic 1

A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions.

The company’s developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logging its output to Amazon CloudWatch Logs.

Which combination of steps should a security engineer take to resolve this issue? (Choose two.)

A. Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.

B. Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs.

C. Check the Lambda function configuration in the CloudFormation template. Ensure that the Lambda function has an AWS X-Ray tracing configuration that is set to Active mode or PassThrough mode.

D. Check the resource policy that is configured in the CloudFormation template for the Lambda function. Ensure that the resource policy has the necessary permissions to write to CloudWatch Logs.

E. Check the role that the developers use to debug the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.

Correct Answer: AB

Question #267 Topic 1

A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.

The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application’s API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.

After the EventBridge rule is implemented, the channel begins to constantly receive alerts from Security Hub. Many of the alerts are Amazon Inspector alerts that do not require any action. The security engineer wants to stop the Amazon Inspector alerts.

Which solution will meet this requirement with the LEAST operational effort?

A. Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.

B. Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.

C. Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].

D. Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.

Correct Answer: C


Question #268 Topic 1

A company has an organization in AWS Organizations. The organization consists of multiple OUs. The company must prevent IAM principals from outside the organization from accessing the organization’s Amazon S3 buckets. The solution must not affect the existing access that the OUs have to the S3 buckets.

Which solution will meet these requirements?

A. Configure S3 Block Public Access for all S3 buckets.

B. Configure S3 Block Public Access for all AWS accounts.

C. Deploy an SCP that includes the "aws:ResourceOrgPaths": "${aws:PrincipalOrgPaths}" condition.

D. Deploy an SCP that includes the "aws:ResourceOrgID": "${aws:PrincipalOrgID}" condition.

Correct Answer: D

Question #269 Topic 1

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots.

The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

A. Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B. Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C. Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D. Create a backup plan in AWS Backup. Configure a 5-year retention period.

Correct Answer: D

Question #270 Topic 1

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC flow logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

A. Monitor CloudTrail logs for API calls to non-standard time servers.

B. Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.

C. Monitor VPC flow logs for traffic to non-standard time servers.

D. Monitor VPC flow logs for traffic to the Amazon Time Sync Service.

Correct Answer: C


Question #271 Topic 1

A company has a multi-account strategy that uses an organization in AWS Organizations with all features enabled. The company has enabled trusted access for AWS Account Management. New accounts are provisioned through AWS Control Tower Account Factory.

The company must ensure that all new accounts in the organization become AWS Security Hub member accounts.

Which solution will meet these requirements with the LEAST development effort?

A. Enable Security Hub in the organization’s management account. Create an AWS Step Functions workflow. Create an Amazon EventBridge rule to invoke the workflow when a CreateAccount event occurs.

B. Enable Security Hub in the organization’s management account. Wait for all new accounts to complete automatic onboarding.

C. Enable Security Hub in the organization’s management account. Create an AWS Lambda function to enable Security Hub for new accounts. Invoke the Lambda function by using an AWS Control Tower lifecycle event that occurs when a new account is provisioned.

D. Use the organization’s management account to designate a Security Hub delegated administrator account. In the delegated administrator account, create a configuration policy to enable Security Hub. Associate the configuration policy with the organization root. (Most Voted)

Correct Answer: D

Community vote distribution: D (57%) B (43%)

Question #272 Topic 1

A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications.

EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications.

Which solution will cause GuardDuty to monitor the Kubernetes-based applications?

A. Enable VPC flow logs for the VPC that hosts the EKS clusters.

B. Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

C. Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

Correct Answer: D

Community vote distribution: D (100%)


Question #273 Topic 1

A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a digital signature.

Which solution will meet these requirements?

A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type. (Most Voted)

B. Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.

C. Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets to send their S3 server access logs to the log group.

D. Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

Correct Answer: A

Community vote distribution: A (80%) D (20%)

Question #274 Topic 1

A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system.

The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.

The company’s security team finds that the system was the target of a credential stuffing attack. Credentials that were exposed in other breaches were used to try to log in to the system.

The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future. The solution also must minimize impact on legitimate users of the system.

Which combination of actions will meet these requirements? (Choose two.)

A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address. (Most Voted)

B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label. (Most Voted)

C. Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in.

D. Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses. Block any IP addresses that generate many successful logins.

E. Create a custom block response that redirects users to a secure workflow to reset their password inside the system.

Correct Answer: AB

Community vote distribution: AB (56%) BE (33%) 11%


Question #275 Topic 1

A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company’s developers can access the development account. A subset of the developers can access the testing account and the production account.

The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.

Which solution will meet these requirements?

A. Use AWS Identity and Access Management Access Analyzer to identify the permissions that the developers need on each account. Configure IAM Access Analyzer to automatically provision the correct access for each developer.

B. Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.

C. Create IAM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create IAM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.

D. Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.

Correct Answer: C

Question #276 Topic 1

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Correct Answer: A

Question #277 Topic 1

A company runs an application that sends logs to a log group in Amazon CloudWatch Logs. The email addresses of the application users are in the logs.

The company’s developers need to view the logs in CloudWatch Logs. A security engineer must ensure that the developers who access the log group cannot see the user email addresses.

Which solution will meet this requirement?

A. Use Amazon Macie to scan the log group. Configure Macie to use a custom data identifier that uses a regular expression to identify an email address pattern. Activate automated data discovery in Macie.

B. Create an AWS Key Management Service (AWS KMS) key. Configure the log group to use the key to encrypt the logs. Configure the key policy to deny access to the IAM role that the developers assume to use CloudWatch Logs.

C. Create a subscription filter for the log group. Configure the log subscription to send the log data to an AWS Lambda function. Program the Lambda function to parse the log entries and to mask values that are email addresses.

D. Configure a data protection policy for the log group. Specify the AWS managed data identifier of EmailAddress for the type of data to mask. Activate data protection for the log group.

Correct Answer: D

Question #278 Topic 1

A security engineer is implementing a logging solution for a company’s AWS environment. The security engineer has configured an AWS CloudTrail trail in the company’s AWS account. The logs are stored in an Amazon S3 bucket for a third-party service provider to monitor. The service provider has a designated IAM role to access the S3 bucket.

The company requires all logs to be encrypted at rest with a customer managed key. The security engineer uses AWS Key Management Service (AWS KMS) to create the customer managed key and key policy. The security engineer also configures CloudTrail to use the key to encrypt the trail.

When the security engineer implements this configuration, the service provider no longer can read the logs.

What should the security engineer do to allow the service provider to read the logs?

A. Ensure that the S3 bucket policy allows access to the service provider’s role to decrypt objects.

B. Add a statement to the key policy to allow the service provider’s role the kms:Decrypt action for the key.

C. Add the AWSKeyManagementServicePowerUser AWS managed policy to the service provider’s role.

D. Migrate the key to AWS Certificate Manager (ACM) to create a shared endpoint for access to the key.

Correct Answer: B

Question #279 Topic 1

A company runs workloads on Amazon EC2 instances. The company needs to continually monitor the EC2 instances for software vulnerabilities and must display the findings in AWS Security Hub. The company must not install agents on the EC2 instances.

Which solution will meet these requirements?

A. Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub. Most Voted

B. Use Security Hub to enable the AWS Foundational Security Best Practices standard. Wait for Security Hub to generate the findings.

C. Enable Amazon GuardDuty. Initiate on-demand malware scans by using GuardDuty Malware Protection. Enable the integration for GuardDuty in Security Hub.

D. Use AWS Config managed rules to detect EC2 software vulnerabilities. Ensure that Security Hub has the AWS Config integration enabled.

Correct Answer: A

Community vote distribution

A (100%)

Question #280 Topic 1

A company runs a custom online gaming application. The company uses Amazon Cognito for user authentication and authorization.

A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito.

Which solution will meet these requirements?

A. Create a set of IAM roles and IAM policies. Configure the Cognito identity pool to assign users to the IAM roles.

B. Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.

C. Create customer managed permissions by using AWS Resource Access Manager (AWS RAM). Configure the Cognito identity pool to assign users to the customer managed permissions.

D. Create a set of IAM users and IAM policies. Configure the Cognito user pool to assign users to the IAM users.

Correct Answer: B

Community vote distribution

A (100%)

Question #281 Topic 1

A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.

A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions.

Which solution will meet these requirements?

A. Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.

B. Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role. Most Voted

C. Grant the Lambda function’s execution role read-only permissions to access Amazon Inspector and Security Hub.

D. Create a custom IAM policy that grants the Security Hub Get*, List*, Batch*, and Describe* permissions on the arn:aws:securityhub:us-west-2::product/aws/inspector/* resource. Attach the policy to the Lambda function’s execution role.

Correct Answer: B

Community vote distribution

B (46%) C (31%) D (23%)

Question #282 Topic 1

A company must retain backup copies of Amazon RDS DB instances and Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the backup copies in data centers that are several hundred miles apart.

Which solution will meet these requirements with the LEAST operational overhead?

A. Configure AWS Backup to create the backups according to the needed schedule. In the backup plan, specify multiple Availability Zones as backup destinations.

B. Configure Amazon Data Lifecycle Manager to create the backups. Configure the Amazon Data Lifecycle Manager policy to copy the backups to an Amazon S3 bucket. Enable replication on the S3 bucket.

C. Configure AWS Backup to create the backups according to the needed schedule. Create a destination backup vault in a different AWS Region. Configure AWS Backup to copy the backups to the destination backup vault. Most Voted

D. Configure Amazon Data Lifecycle Manager to create the backups. Create an AWS Lambda function to copy the backups to a different AWS Region. Use Amazon EventBridge to invoke the Lambda function on a schedule.

Correct Answer: C

Community vote distribution

C (100%)

Question #283 Topic 1

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer’s access logs.

How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

B. Implement a rate-based rule with AWS WAF.

C. Use AWS Shield to limit the originating traffic hit rate.

D. Implement the GeoLocation feature in Amazon Route 53.

Correct Answer: B

Community vote distribution

B (100%)

Question #284 Topic 1

A company runs workloads that are spread across hundreds of Amazon EC2 instances. During a recent security incident, an EC2 instance was compromised and ran malware code until the company manually terminated the instance.

The company is now using Amazon GuardDuty to detect malware on EC2 instances. A security engineer needs to implement a solution that automates a response when GuardDuty determines that an instance is infected. The solution must mitigate the incident and must comply with the AWS Well-Architected Framework guidance for incident response.

Which solution will meet these requirements?

A. Configure AWS Systems Manager Run Command to run when a GuardDuty scan determines that an instance is infected. Use Run Command to remove all network adapters from the operating system of the infected instance. Use Run Command to also add a tag of “Infected” to the instance.

B. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to delete all elastic network interfaces that are associated with the instance. Program the Lambda function to also add a tag of “Infected” to the instance.

C. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to detach all Amazon Elastic Block Store (Amazon EBS) volumes from the instance. Program the Lambda function to also add a tag of “Infected” to the EBS volumes and to terminate the instance afterward. Most Voted

D. Define a separate VPC to isolate EC2 instances. Define a security group that does not allow any network traffic. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to move the instance into the separate VPC and to assign the security group to the instance.

Correct Answer: C

Community vote distribution

D (50%) C (50%)

Question #285 Topic 1

A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.

The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

Which network ACL rule set meets these requirements?

A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #286 Topic 1

A company is investigating actions that an IAM role performed. The company must find out when the role last accessed AWS Security Hub and when the role last used the DeleteInsight action in Security Hub.

Which solution will provide this information?

A. Use the checks for the security category in AWS Trusted Advisor. Search for the role and examine the actions taken.

B. Use the Access Advisor tab in AWS Identity and Access Management (IAM). Search for Security Hub and the actions taken.

C. Use AWS Identity and Access Management (IAM) to generate a credential report. Search the report for Security Hub activity.

D. Create an analyzer in AWS Identity and Access Management Access Analyzer. Examine the findings for the role’s actions in Security Hub.

Correct Answer: B

Question #287 Topic 1

A company hosts its microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). The company has set up continuous deployments to update the application on demand.

A security engineer must implement a solution to provide automatic detection of anomalies in application logs in near real time. The solution also must send notifications about these anomalies to the security team.

Which solution will meet these requirements?

A. Configure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.

B. Configure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.

C. Configure Amazon EKS to export logs to Amazon S3. Use Amazon Athena queries to analyze the logs for anomalies. Use Amazon QuickSight to visualize and monitor user access requests for anomalies. Configure Amazon Simple Notification Service (Amazon SNS) notifications to alert the security team.

D. Configure AWS App Mesh to monitor the traffic to the microservices in Amazon EKS. Integrate App Mesh with AWS CloudTrail for logging. Use Amazon Detective to analyze the logs for anomalies and to alert the security team when anomalies are detected.

Correct Answer: B

Question #288 Topic 1

A company is migrating container workloads from a data center to Amazon Elastic Container Service (Amazon ECS) clusters. The company must implement a solution to detect potential threats in the workloads and to improve the security posture of the container clusters.

Which solution will meet these requirements?

A. Configure Amazon Inspector on the VPC that is running the ECS clusters.

B. Enable Amazon GuardDuty Runtime Monitoring on the ECS clusters.

C. Audit Amazon ECS API access by using Amazon CloudWatch logs to identify unauthorized access.

D. Create container clusters in the same VPC. Use VPC flow logs to centrally monitor network traffic.

Correct Answer: B

Question #289 Topic 1

A security engineer needs to implement a solution to determine whether a company’s Amazon EC2 instances are being used to mine cryptocurrency. The solution must provide notifications of cryptocurrency-related activity to an Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements?

A. Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.

B. Enable Amazon GuardDuty. Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.

C. Enable Amazon Inspector. Create an Amazon EventBridge rule to send alerts to the SNS topic when Amazon Inspector creates a finding that is associated with cryptocurrency-related activity.

D. Enable VPC flow logs. Send the flow logs to an Amazon S3 bucket. Set up a query in Amazon Athena to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure the Athena query to initiate alerts to the SNS topic.

Correct Answer: B

Question #290 Topic 1

A company controls user access by using IAM users and groups in AWS accounts across an organization in AWS Organizations. The company uses an external identity provider (IdP) for workforce single sign-on (SSO).

The company needs to implement a solution to provide a single management portal to access accounts within the organization. The solution must support the external IdP as a federation source.

Which solution will meet these requirements?

A. Enable AWS IAM Identity Center. Specify the external IdP as the identity source.

B. Enable federation with AWS Identity and Access Management (IAM). Specify the external IdP as the identity source.

C. Migrate to Amazon Verified Permissions. Implement fine-grained access to AWS by using policy-based access control (PBAC).

D. Migrate users to AWS Directory Service. Use AWS Control Tower to centralize security across the organization.

Correct Answer: A

Community vote distribution

A (100%)

Question #291 Topic 1

A company must create annual snapshots of Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the snapshots for 10 years. The company will use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and snapshots.

The encryption keys must be rotated automatically every year. Snapshots that were created in previous years must be readable after rotation of the encryption keys.

Which type of KMS keys should the company use for encryption to meet these requirements?

A. Asymmetric AWS managed KMS keys with key material created by AWS KMS

B. Symmetric customer managed KMS keys with key material created by AWS KMS

C. Symmetric customer managed KMS keys with custom imported key material

D. Asymmetric AWS managed KMS keys with custom imported key material

Correct Answer: B

Question #292 Topic 1

A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.

A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.

Which solution will meet these requirements?

A. Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.

B. Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.

C. Apply different tags for each team to the IAM policies. Deploy an SCP that denies the iam:PassRole permission to all entities except the policies of the platform team.

D. Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.

Correct Answer: A

Question #293 Topic 1

A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

A. Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B. Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C. Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Correct Answer: D

Question #294 Topic 1

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Correct Answer: A

Question #295 Topic 1

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Correct Answer: B

Question #296 Topic 1

A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.

The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails. The error message reports insufficient IAM permissions.

What is the FIRST step that a security engineer should take to troubleshoot this issue?

A. Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt. Most Voted

B. Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

C. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.

D. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Correct Answer: A

Community vote distribution

A (100%)

Question #297 Topic 1

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.

Which solution will meet these requirements?

A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.

B. Use AWS Private Certificate Authority. Encrypt the data in transit.

C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.

D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.

Correct Answer: C
