Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C02 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 14

A company uses Amazon CloudWatch to monitor application metrics. A security engineer needs to centralize the metrics from several AWS accounts. The security engineer also must create a dashboard to securely share the metrics with customers.

Which solution will meet these requirements?

Options:

A.

Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure Amazon Cognito as the SSO provider.

B.

Set up a designated monitoring account Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

C.

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metncs Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

D.

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account Create a CloudWatch dashboard that includes the metrics. Share the dashboard Specify the email addresses of users who can use a password to view the dashboard.

Buy Now
Question # 15

A company that uses AWS Organizations is migrating workloads to AWS. The compa-nys application team determines that the workloads will use Amazon EC2 instanc-es, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements:

• All EC2 instances must be launched from approved AWS accounts.

• All DynamoDB tables must be provisioned with a standardized naming convention.

• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.

Which combination of steps should the application team take to meet these re-quirements? (Select TWO.)

Options:

A.

Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.

B.

Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.

C.

Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compli-ance requirements are met.

D.

Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.

E.

Activate AWS Config managed rules for each service in the application AWS account.

Buy Now
Question # 16

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM.

Which combination of IAM services and features will provide protection in this scenario? (Select THREE).

Options:

A.

Amazon Route 53

B.

IAM Certificate Manager (ACM)

C.

Amazon S3

D.

IAM Shield

E.

Elastic Load Balancer

F.

Amazon GuardDuty

Buy Now
Question # 17

A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.

How can the security administrator restrict usage of member root user accounts across the organization?

Options:

A.

Disable the use of the root user account at the organizational root. Enable multi-factor authentication (MFA) of the root user account for each organization member account.

B.

Configure 1AM user policies to restrict root account capabilities for each organization member account.

C.

Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU.

D.

Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs Create a metric filter for RootAccountUsage.

Buy Now
Question # 18

A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing.

The data includes personally identifiable information (Pll). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table.

Which solution will meet this requirement with the MOST operational efficiency?

Options:

A.

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

B.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

C.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

D.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

Buy Now
Question # 19

A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

Options:

A.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

B.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

C.

Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

D.

Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Buy Now
Question # 20

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.

Please select:

Options:

A.

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

B.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

C.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

D.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Buy Now
Question # 21

A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.

A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.

Which solution will meet these requirements?

Options:

A.

Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.

B.

Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.

C.

Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.

Buy Now
Question # 22

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

Options:

A.

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

B.

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

C.

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

D.

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Buy Now
Question # 23

A company's developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:

A.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Buy Now
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Jan 29, 2026
Questions: 467
SCS-C02 pdf

SCS-C02 PDF

$25.5  $84.99
 Add to Cart
SCS-C02 Engine

SCS-C02 Testing Engine

$28.5  $94.99
 Add to Cart
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$40.5  $134.99
 Add to Cart