Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C02 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 104

A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances

There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

Options:

A.

The route tables and the outbound rules on the appropriate private subnet security group

B.

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

C.

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

D.

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

E.

The Security Group applied to the Application Load Balancer and NAT gateway

F.

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Buy Now
Question # 105

A security engineer needs to suppress AWS. Security Hub findings automatically for resources that have a specific tag attached.

Which solution will meet this requirement?

Options:

A.

Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

B.

Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.

C.

Send each Security Hub finding to Amazon Detective Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value

D.

Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

Buy Now
Question # 106

A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.

When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation."

Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

Options:

A.

Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.

B.

Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.

C.

Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.

D.

Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.

E.

Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint.

Buy Now
Question # 107

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

Options:

A.

The ACL in the bucket needs to be updated

B.

The IAM policy does not allow the user to access the bucket

C.

It takes a few minutes for a bucket policy to take effect

D.

The allow permission is being overridden by the deny

Buy Now
Question # 108

A company uses AWS Lambda as part of an online game. The company needs to scan all existing and new Lambda functions for code vulnerabilities.

Which solution will meet these requirements?

Options:

A.

Copy all the Lambda code into Amazon S3. Use Amazon Macie to scan the code.

B.

Enable Amazon Inspector. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.

C.

Enable Amazon GuardDuty and AWS Security Hub. Review the findings in Security Hub that are labeled as critical.

D.

Enable Amazon GuardDuty. Enable Lambda Protection in GuardDuty.

Buy Now
Question # 109

A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions The team created an Amazon EC2 instance profile role that uses an AWS managed Readonly Access policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.

The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.

What should the administrator do to fix the 1AM access issue?

Options:

A.

Edit the ReadOnlyAccess policy to add kms:Decrypt actions.

B.

Add the EC2 1AM role as the authorized Principal to the S3 bucket policy.

C.

Attach an inline policy with kms Decrypt permissions to the 1AM role

D.

Attach an inline policy with S3: * permissions to the 1AM role.

Buy Now
Question # 110

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group

Which solution will meet this requirement?

Options:

A.

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

B.

Download and configure the CloudWatch agent on the container instances

C.

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

D.

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Buy Now
Question # 111

A security engineer wants to use Amazon Simple Notification Service (Amazon SNS) to send email alerts to a company's security team for Amazon GuardDuty findings

that have a High severity level. The security engineer also wants to deliverthese findings to a visualization tool for further examination.

Which solution will meet these requirements?

Options:

A.

Set up GuardDuty to send notifications to an Amazon CloudWatch alarm with two targets in CloudWatch. From CloudWatch, stream the findings throughAmazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings.Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for the CloudW

B.

Set up GuardDuty to send notifications to AWS CloudTrail with two targets in CloudTrail. From CloudTrail, stream the findings through Amazon Kinesis DataFirehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. UseOpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for CloudTraiI. Use e

C.

Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis DataFirehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. UseOpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use eventpatt

D.

Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis DataStreams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings. Use OpenSearchqueries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use event patternm

Buy Now
Question # 112

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket.

The administrators need to give a user from Account A full access to the S3 bucket in Account B.

After the administrators adjust the IAM permissions for the user in AccountA to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.

Which solution will resolve this issue?

Options:

A.

In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

B.

In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.

C.

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

D.

In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Buy Now
Question # 113

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket.

The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet.

All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet.

Which solution will meet these requirements?

Options:

A.

Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.

B.

Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.

C.

Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.

D.

Deploy an Amazon Simple Queue Service (Amazon SOS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SOS queue to send data to the S3 bucket.

Buy Now
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Jan 29, 2026
Questions: 467
SCS-C02 pdf

SCS-C02 PDF

$25.5  $84.99
 Add to Cart
SCS-C02 Engine

SCS-C02 Testing Engine

$28.5  $94.99
 Add to Cart
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$40.5  $134.99
 Add to Cart