Free Amazon SCS-C02 Exam Questions
Try our Free Demo Practice Tests for Comprehensive SCS-C02 Exam Preparation
-
Amazon SCS-C02 Exam Questions
-
Provided By: Amazon
- Exam: AWS Certified Security Specialty
- Certification: AWS Certified Specialty
-
Total Questions: 522
-
Updated On: Mar 28, 2025
-
Rated: 4.9 |
-
Online Users: 1044
-
Question 1
-
A company has two AWS accounts. One account is for development workloads. The other account is for production workloads. For compliance reasons the production account contains all the AWS Key Management. Service (AWS KMS) keys that the company uses for encryption. The company applies an IAM role to an AWS Lambda function in the development account to allow secure access to AWS resources. The Lambda function must access a specific KMS customer managed key that exists in the production account to encrypt the Lambda function's data. Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
Answer: B,E
-
-
Question 2
-
A company needs to delect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS)
clusters. The company needs a solution that requires no additional configuration ot the existing EKS
deployment.
Which solution will meet these requirements with the LEAST operational effort?
Answer: D
-
A company needs to delect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS)
clusters. The company needs a solution that requires no additional configuration ot the existing EKS
deployment.
Which solution will meet these requirements with the LEAST operational effort?
-
Question 3
-
A security engineer is investigating a malware infection that has spread across a set of Amazon EC2
instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and
control hosts on the internet.
The security engineer creates a network ACL rule that denies the identified outbound traffic. The security
engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify
any EC2 instances that are trying to communtcate on TCP port 2905.
Which solution will identify the affected EC2 instances with the LEAST operational effort?
Answer: B
-
A security engineer is investigating a malware infection that has spread across a set of Amazon EC2
instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and
control hosts on the internet.
The security engineer creates a network ACL rule that denies the identified outbound traffic. The security
engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify
any EC2 instances that are trying to communtcate on TCP port 2905.
Which solution will identify the affected EC2 instances with the LEAST operational effort?
-
Question 4
-
A company wants to start processing sensitive data on Amazon EC2 instances. The company will use
Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances.
The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a
solution that prevents the developers from viewing the sensitive data The solution must automatically apply to
any new log groups that are created in the account in the future.
Which solution will meet these requirements?
Answer: A
-
A company wants to start processing sensitive data on Amazon EC2 instances. The company will use
Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances.
The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a
solution that prevents the developers from viewing the sensitive data The solution must automatically apply to
any new log groups that are created in the account in the future.
Which solution will meet these requirements?
-
Question 5
-
A company wants to start processing sensitive data on Amazon EC2 instances. The company will use
Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances.
The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a
solution that prevents the developers from viewing the sensitive data The solution must automatically apply to
any new log groups that are created in the account in the future.
Which solution will meet these requirements?
Answer: A
-
A company wants to start processing sensitive data on Amazon EC2 instances. The company will use
Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances.
The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a
solution that prevents the developers from viewing the sensitive data The solution must automatically apply to
any new log groups that are created in the account in the future.
Which solution will meet these requirements?