100% Free Amazon SCS-C02 Practice Test Questions

Question 1

A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from the third-party scanning solution automatically. Which solution will meet this requirement?

A :

Set up an Amazon EventBridge rule that reacts to new Security Hub find-ings. Configure an AWS Lambda function as the target for the rule to reme-diate the findings.

B :

Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.

C :

Set up a custom action in Security Hub. Configure an AWS Lambda function as the target for the custom action to remediate the findings.

D :

Set up AWS Config rules to use AWS Systems Manager Automation runbooks to remediate the findings.

Answer: A

Question 2

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

A : Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

B : Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

C : Configure automatic rotation of credentials in AWS Secrets Manager.

D : Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

E : Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Answer: C,E

Question 3

A developer who recently left a company was found to have published many access keys IDs to a public source code repository. A list of the exposed access key IDs has been created. A security engineer needs to quickly identify which users the access key IDs belong to so the credentials can be immediately rotated. The company uses multiple accounts in an AWS Organization.

Which approach should the security engineer take?

A : Generate a credential report in the root account in the Organization. Identify the users the access key IDs belong to. Rotate the access key IDs

B : Generate an IAM Access Analyzer report in each account in the Organization. Consolidate the reports and identify the users the access key IDs belong to. Rotate the access key IDs.

C : Generate a credential report in each account in the Organization. Consolidate the reports and identify the users the access key IDs belong to. Rotate the access key IDs.

D : Generate an IAM Access Analyzer report in the root account in the Organization. Identify the users the access key IDs belong to. Rotate the access key IDs.

Answer: C

Question 4

A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted. Which S3 bucket policy will meet this requirement?

A :

B :

C :

D : A screenshot of a computer code Description automatically generated

Answer: B

Question 5

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data The solution must automatically apply to any new log groups that are created in the account in the future. Which solution will meet these requirements?

A : Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C : Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D : Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission

Answer: A

Free Practice Amazon SCS-C02 Exam Questions 2025