SCS-C02 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 84

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?

Options:

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Buy Now

Question # 85

A security engineer configures VPC Flow Logs and the associated IAM role to log all VPC traffic to a log group in Amazon CloudWatch Logs. After a wait of 10 minutes, no logs are appearing in the log group. The security engineer confirms that traffic is being sent to the VPC.

After additional debugging, the security engineer isolates the problem to the role that is associated with the VPC flow logs.

What could be the reason that the logs are not appearing in CloudWatch Logs?

Options:

The logs:GetLogEvents permission is not granted in the role.

The security engineer does not have permission to assume the role.

The principal vpc-flow-logs.amazonaws.com does not have permission to assume the role.

The role does not have permission to tag a CloudWatch Logs stream.

Buy Now

Question # 86

A security engineer is configuring AWS. Config for an AWS account that uses a new 1AM entity When the security engineer tries to configure AWS. Config rules and automatic remediation options, errors occur in the AWS CloudTrail logs the security engineer sees the following error message "Insufficient delivery policy to s3 bucket DOC-EXAMPLE-BUCKET, unable to write to bucket provided s3 key prefix is 'null'."

Which combination of steps should the security engineer take to remediate this issue? (Select TWO.)

Options:

Check the Amazon S3 bucket policy Verify that the policy allows the config amazon aws com service to write to the target bucket.

Verify that the 1AM entity has the permissions necessary to perform the s3 GetBucketAc1 and s3 PutObjecj operations to write to the target bucket.

Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3: GetBucketAcl and s3 PutObject" operations to write to the target bucket.

Check the policy that is associated with the 1AM entity Verify that the policy allows the config amazonaws com service to write to the target bucket.

Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3 PutObject" operation.

Buy Now

Question # 87

A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

Options:

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Buy Now

Question # 88

A company is planning to create an organization by using AWS Organizations. The company needs to integrate user management with the company's external identity provider (IdP). The company also needs to centrally manage access to all of its AWS accounts and applications from the organization's management account.

Which solution will meet these requirements?

Options:

Configure AWS Directory Service with the external IdP Create 1AM policies and associate them with users from the external IdP

Enable AWS 1AM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using 1AM Identity Center.

Configure AWS Identity and Access Management (1AM) to use the external IdP as an IdP Create 1AM policies and associate them with users from the externa IdP

Enable Amazon Cognito in the organization's management account. Create an identity pool and associate it with the external IdP Create 1AM roles and associate them with the identity pool.

Buy Now

Question # 89

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs

the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.

However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.

What should the security engineer do next to resolve the issue?

Options:

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Buy Now

Answer:

Explanation:

The correct answer is D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

According to the AWS documentation1, the CloudWatch agent is a software agent that you can install on your EC2 instances to collect system-level metrics and logs. To use the CloudWatch agent, you need to attach an IAM role or user to the EC2 instance thatgrants permissions for the agent to perform actions on your behalf.The CloudWatchAgentServerPolicy is an AWS managed policy that provides the necessary permissions for the agent to write metrics and logs to CloudWatch2. By attaching this policy to the EC2 instance role, the security engineer can resolve the issue of CloudWatch not receiving the custom application-security logs.

The other options are incorrect for the following reasons:

A.Adding AWS CloudTrail to the trust policy of the EC2 instance is not relevant, because CloudTrail is a service that records API activity in your AWS account, not custom application logs3. Sending the custom logs to CloudTrail instead of CloudWatch would not meet the requirement of forwarding them to CloudWatch.

B.Adding Amazon S3 to the trust policy of the EC2 instance is not necessary, because S3 is a storage service that does not require any trust relationship with EC2 instances4. Configuring the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs would be an alternative solution, but it would be more complex and costly than using the CloudWatch agent directly.

C.Adding Amazon Inspector to the trust policy of theEC2 instance is not helpful, because Inspector is a service that scans EC2 instances for software vulnerabilities and unintended network exposure, not custom application logs5. Using Amazon Inspector instead of the CloudWatch agent would not meet the requirement of forwarding them to CloudWatch.

[References:, 1:Collect metrics, logs, and traces with the CloudWatch agent - Amazon CloudWatch2:CloudWatchAgentServerPolicy - AWS Managed Policy3:What Is AWS CloudTrail? - AWS CloudTrail4:Amazon S3 FAQs - Amazon Web Services5:Automated Software Vulnerability Management - Amazon Inspector - AWS, , , , , ]

Question # 90

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

Options:

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Buy Now

Question # 91

A company's security engineer has been asked to monitor and report all AWS account root user activities.

Which of the following would enable the security engineer to monitor and report all root user activities'? (Select TWO.)

Options:

Configuring AWS Organizations to monitor root user API calls on the paying account

Creating an Amazon EventBndge rule that will run when any API call from the root user is reported.

Configuring Amazon Inspector to scan the AWS account for any root user activity

Configunng AWS Trusted Advisor to send an email to the security team when the root user logs in to the console

Using Amazon SNS to notify the target group

Buy Now

Question # 92

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.

A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).

Which solution will meet these requirements?

Options:

Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run an assessment with the CVE rules.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.

Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

Buy Now

Question # 93

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubemetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with the LEAST operational effort?

Options:

Designate an Amazon GuardDuty administrator account in the organization's management account Enable GuardDuty for all accounts Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Configure Aurora to publish all logs to CloudWatch Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.

Create a central Amazon S3 bucket in the organization's management account Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket Configure Aurora to publish all logs to CloudTrail Use Amazon Athena to query the CloudTrail logs in the S3 bucket for secunty issues.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Subscnbe an Amazon Kinesis data stream to the CloudWatch logs Create AWS Lambda functions to process log records in the data stream to detect security issues.

Buy Now

Exam Code: SCS-C02

Exam Name: AWS Certified Security - Specialty

Last Update: Jan 29, 2026

Questions: 467

SCS-C02 PDF

$25.5 ~~$84.99~~

Add to Cart

SCS-C02 Testing Engine

$28.5 ~~$94.99~~

Add to Cart

SCS-C02 PDF + Testing Engine

$40.5 ~~$134.99~~

Add to Cart

Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

certsboard certification exams

Navigation:

SCS-C02 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

SCS-C02 PDF

SCS-C02 Testing Engine

SCS-C02 PDF + Testing Engine

Quick Links

Recently New Released Certification Exams

Site Secure