SCS-C02 Exam Questions
470 real SCS-C02 exam questions with expert-verified answers and explanations. Page 4 of 10.
- Question #156
A company recently adopted new compliance standards that require all user actions in AWS to be logged. The user actions must be logged for all accounts that belong to an organizati...
- Question #157: Security Logging and Monitoring
A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company w...
Log Analytics, Streaming Data, Hybrid Cloud Logging, AWS Kinesis
- Question #158
A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as secu...
- Question #159
A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When...
- Question #160
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminat...
- Question #161: Infrastructure Security
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate...
NACLs, VPC Troubleshooting, Network Connectivity, Infrastructure Security
- Question #162: Identity and Access Management
A company has an application that needs to get objects from an Amazon S3 bucket. The application runs on Amazon EC2 instances. All the objects in the S3 bucket are encrypted with a...
IAM Policies, S3 Bucket Policies, KMS Encryption, VPC Endpoint Security
- Question #163
A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to r...
- Question #164
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to cha...
- Question #165: Infrastructure Security
A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addres...
CloudFront Security, S3 Bucket Policy, Origin Access Control, IP Restrictions
- Question #166: Data Protection
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A security engineer discovers that this sensitive information is viewable by...
Secrets Management, EC2 Bootstrapping, Systems Manager Parameter Store, Data Encryption
- Question #167
A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to...
- Question #168
A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account
- Question #169: Threat Detection and Incident Response
A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance...
Network ACLs, Incident Response, EC2 Security, Network Security
- Question #170: Incident Response
An online media company has an application that customers use to watch events around the world. The application is hosted on a fleet of Amazon EC2 instances that run Amazon Linux 2...
AWS Systems Manager, Patch Manager, Incident Response, Vulnerability Management
- Question #171: Identity and Access Management
A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed...
IAM permissions, S3 encryption, KMS, AccessDenied troubleshooting
- Question #172
A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail...
- Question #173
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this...
- Question #174
An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the applicat...
- Question #175
A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets. The company needs to replicate the S3 objects from the...
- Question #176
A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that...
- Question #177
A security engineer is configuring AWS Config for an AWS account that uses a new IAM entity. When the security engineer tries to configure AWS Config rules and automatic remediatio...
- Question #178: Infrastructure Security
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS. Which combination of AWS services and features will provide protection in this scenario...
DDoS Protection, AWS Shield, Network Load Balancer, Route 53
- Question #179
A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Man...
- Question #180: Data Protection
A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. Th...
AWS KMS, Key Policies, Data Encryption, Least Privilege Access
- Question #181: Security Logging and Monitoring
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs cre...
AWS Lambda, CloudWatch Logs, IAM Permissions, Logging
- Question #182: Infrastructure Security
A company is worried about potential DDoS attacks. The company has a web application that runs on Amazon EC2 instances. The application uses Amazon S3 to serve static content such...
DDoS Protection, AWS Shield Advanced, Resilience, Security Architecture
- Question #183: Identity and Access Management
A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external AWS principals through cross-account IAM rol...
IAM Access Analyzer, AWS Organizations, External Access, Resource Policies
- Question #184
A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in th...
- Question #185: Threat Detection and Incident Response
A development team is creating an open source toolset to manage a company's software as a service (SaaS) application. The company stores the code in a public repository so that any...
Exposed credentials, Incident response, IAM access keys, Access Analyzer
- Question #186
A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts. The solution must aggregate...
- Question #187: Identity and Access Management
A company uses AWS Organizations. The company has more than 100 AWS accounts and will increase the number of accounts. The company also uses an external corporate identity provider...
Identity Federation, Multi-account Access, IAM Roles, AWS Organizations
- Question #188
A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many faile...
- Question #189
A company is investigating controls to protect sensitive data. The company uses Amazon Simple Notification Service (Amazon SNS) topics to publish messages from application componen...
- Question #190: Incident Response
A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relev...
VPC Endpoints, S3 Gateway Endpoint, Private Networking, Incident Response Automation
- Question #191
A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with e...
- Question #192: Threat Detection and Incident Response
A security administrator has enabled AWS Security Hub for all the AWS accounts in an organization in AWS Organizations. The security team wants near-real-time response and remediat...
Automated Remediation, AWS Config, Event-driven Security, Security Logging and Auditing
- Question #193
A security engineer must implement monitoring of a company's Amazon Aurora MySQL DB instances. The company wants to receive email notifications when unknown users try to log in to...
- Question #194
A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic fr...
- Question #195: Threat Detection and Incident Response
A company deploys its application as a service on an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type. A security engineer suspects that some i...
Fargate Logging, Incident Response, CloudWatch Logs, Application Diagnostics
- Question #197: Identity and Access Management - Implement and manage IAM policies, resource-based policies, and federated access controls to enforce least-privilege permissions
A company wants to deny a specific federated user named Bob access to an Amazon S3 bucket named DOC-EXAMPLE-BUCKET. The company wants to meet this requirement by using a bucket pol...
S3 Bucket Policies, IAM Federated Users, AWS STS, Explicit Deny
- Question #198
A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database. The number of users has gr...
- Question #199
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit...
- Question #200
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a s...
- Question #201
A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances...
- Question #202
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to...
- Question #203
A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application L...
- Question #204
A security analyst attempted to troubleshoot the monitoring of suspicious security group changes. The analyst was told that there is an Amazon CloudWatch alarm in place for these A...
- Question #205: Data Protection
An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platfo...
Secrets Management, Data at Rest Encryption, AWS Systems Manager Parameter Store, Cost Optimization
- Question #206
A company is using an Amazon CloudFront distribution to deliver content from two origins. One origin is a dynamic application that is hosted on Amazon EC2 instances. The other orig...