Pass Certspots Success AWS Certified Security - Specialty (SCS-C02) Dumps
https://www.certspots.com/exam/scs-c02/

AWS SCS-C02 Exam Dumps

1. A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently. How should the security engineer prevent unauthorized access to the EC2 instances?
A. Delete the key pair from the EC2 console. Create a new key pair.
B. Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.
C. Restrict SSH access in the security group to only known corporate IP addresses.
D. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.
Answer: C

2. Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)
A. Default AWS Certificate Manager certificate
B. Custom SSL certificate stored in AWS KMS
C. Default CloudFront certificate
D. Custom SSL certificate stored in AWS Certificate Manager
E. Default SSL certificate stored in AWS Secrets Manager
F. Custom SSL certificate stored in AWS IAM
Answer: A, B, C

3. A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices. Which approach should the security engineer take to meet this requirement?
A. Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.
B. Review AWS Trusted Advisor checks for all accounts in the organization.
C. Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.
D. Ensure that Amazon Inspector agents are installed on all Amazon EC2 instances in all accounts.
Answer: A

4. A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?
A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to IAM WAF blacklisted IPs
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP
Answer: D

5. A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS. Which of the following is a valid option for storing SSL/TLS certificates?
A. Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)
B. Default SSL certificate that is stored in Amazon CloudFront
C. Custom SSL certificate that is stored in AWS Certificate Manager (ACM)
D. Default SSL certificate that is stored in Amazon S3
Answer: C

6. A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. Which solution will meet these requirements?
A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.
Answer: A

7. You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?
A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer
Answer: A

8. A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred. What should the Security Engineer do to accomplish this?
A. Filter IAM CloudTrail logs for KeyRotation events
B. Monitor Amazon CloudWatch Events for any IAM KMS CMK rotation events
C. Using the IAM CLI, run the IAM kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date
D. Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events
Answer: C

9. A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to IAM.
C. Use IAM DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.
Answer: C

10. A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
Answer: C, D