Most Recent Amazon SCS-C02 Exam Dumps

Prepare for the Amazon AWS Certified Security - Specialty (old) exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Amazon SCS-C02 exam and achieve success.

The questions for SCS-C02 were last updated on Apr 21, 2026.

Viewing page 1 out of 93 pages.
Viewing questions 1-5 out of 467 questions

Get All 467 Questions & Answers

Question No. 1

[Logging and Monitoring]

A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

AUse Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

BImport a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

CDeploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

DImport a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Show Answer

Correct Answer: A

To configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances with the least operational effort, the most appropriate solution would be to use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.

AWS Certificate Manager - Amazon Web Services:Elastic Load Balancing - Amazon Web Services:Amazon Elastic Compute Cloud - Amazon Web Services:AWS Certificate Manager - Amazon Web Services

Question No. 2

[Infrastructure Security]

A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

AConfigure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

BConfigure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

CConfigure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

DCreate focal database users for each module

EConfigure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Show Answer

Correct Answer: C, D

To grant appropriate access to the application modules, the security engineer should do the following:

Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call. This allows the application modules to use temporary credentials to access the database with the permissions of the specified user.

Create local database users for each module. This allows the security engineer to create separate users for read/write and read-only functionality, and to assign them different privileges on the database tables.

Question No. 3

A company uses Amazon GuardDuty. The company's security engineer needs lo receive an email notification for every GuardDuty finding that is a High severity level. Which solution will meet this requirement?

ACreate a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.

BCreate an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

CCreate an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.

DEnable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.

Show Answer

Correct Answer: B

Question No. 4

[Logging and Monitoring]

A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications. EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications.

AEnable VPC flow logs for the VPC that hosts the EKS clusters.

BAssign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

CEnsure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

DEnable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

Show Answer

Correct Answer: D

Comprehensive Detailed Explanation with all AWS References

To enable GuardDuty to monitor Kubernetes-based applications:

Enable Control Plane Logs:

GuardDuty uses control plane logs to detect malicious or unauthorized activity in Amazon EKS.

Enable EKS control plane logs (API, audit, authenticator) and ingest them into CloudWatch.

Incorrect Options:

A:VPC flow logs are used for network traffic analysis, not specific to EKS protection.

B:CloudWatchEventsFullAccess is unrelated to EKS or GuardDuty functionality.

C:The GuardDuty service role already has required permissions when EKS Protection is enabled.

Question No. 5

A company has an external web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) within a VPC. The web application stores data in an Amazon RDS for MySQL DB instance. The company uses a Linux bastion host to apply schema updates to the database Administrators connect to the bastion host through SSH from their corporate workstations. The following security groups are applied to the infrastructure.

* sgLB associated with the ALB

* sgWeb associated with the EC2 instances

* sgDB associated with the DB instance

* sgBastion associated with the bastion host

Which security group configuration will meet these requirements MOST securely?

A* sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0
* sgWeb Allow port 80 traffic and port 443 traffic from sgLB
* sgDB Allow port 3306 traffic from sgWeb and sgBastion
* sgBastion Allow port 22 traffic from the corporate IP address range

B* sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0
* sgWeb Allow port 80 traffic and port 443 traffic from sgLB
* sgDB Allow port 3306 traffic from sgWeb and sgLB
* sgBastion Allow port 22 traffic from the VPC IP address range

C* sgLB Allow port 80 traffic and port 443 traffic from 0 0 0 0/0
* sgWeb Allow port 80 traffic and port 443 traffic from sgLB
* sgDB Allow port 3306 traffic from sgWeb and sgBastion
* sgBastion Allow port 22 traffic from the VPC IP address range

D* sgLB: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
* sgWeb: Allow port 80 traffic and port 443 traffic from 0.0.0.0/0
* sgDB: Allow port 3306 traffic from sgWeb and sgBastion
* sgBastion: Allow port 22 traffic from the corporate IP address range

Show Answer

Correct Answer: A

Unlock All Questions for Amazon SCS-C02 Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 467 Questions & Answers