Amazon SCS-C02 Practice Exam Questions Free

Prepare Amazon SCS-C02 Exam Questions 2025:

Prepare for the Amazon SCS-C02 certification exam with confidence through our highly designed SCS-C02 exam questions 2025. Our AWS Certified Security Specialty SCS-C02 practice tests are designed to reflect the actual AWS Certified Specialty SCS-C02 exam setting and help you measure your knowledge and identify what to work on.

With our free SCS-C02 practice exam questions and answers, you will feel confident enough to tackle all SCS-C02 questions and make good use of time during the exam.

At TheExamsLab, we bring you the latest SCS-C02 exam questions and answers for 2025. Don’t compromise on your success choose the best Amazon SCS-C02 exam preparation material to achieve your Amazon exam certification goals. Invest wisely, because your success is worth it!

Page: 1 / 105

Total 522 Questions | Updated On: Jan 15, 2025

Add To Cart

Question 1

A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?

A : Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

B : Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

C : Enable CloudTrail Insights to identify unusual API activity.

D : Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Answer: D

Question 2

A company is deploying Amazon EC2 instances into a new VPC. The instances must be scanned to detect any known software vulnerabilities. The instances should also be checked for compliance with CIS benchmarks.

Which solution addresses these requirements?

A : Use Amazon Inspector and run the “Common vulnerabilities and exposures” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment.

B : Use AWS CloudTrail and monitor the “PutEventSelectors” and “PutInsightSelectors” API actions.

C : Use AWS Config and configure the “restricted-common-ports” and ‘wafv2-logging-enabled” managed rules.

D : Use Amazon Inspector and run the “Network Reachability” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment.

Answer: A

Question 3

A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?

A :

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

B :

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

C :

Edit the existing trail in the Organizations master account and apply it to the organization.

D :

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Answer: C

Question 4

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements?

A : Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B : Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.

C : Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.

D : Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS

Answer: A

Question 5

A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from the third-party scanning solution automatically. Which solution will meet this requirement?

A :

Set up an Amazon EventBridge rule that reacts to new Security Hub find-ings. Configure an AWS Lambda function as the target for the rule to reme-diate the findings.

B :

Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.

C :

Set up a custom action in Security Hub. Configure an AWS Lambda function as the target for the custom action to remediate the findings.

D :

Set up AWS Config rules to use AWS Systems Manager Automation runbooks to remediate the findings.

Answer: A

Page: 1 / 105

Total 522 Questions | Updated On: Jan 15, 2025

Add To Cart