SCS C02 Exam Dumps
Version: DEMO
★ Instant Download ★ PDF And VCE ★ 100% Passing Guarantee ★ 100% Money Back Guarantee
QUESTION 1
An international company has established a new business entity in South Korea. The company
also has established a new AWS account to contain the workload for the South Korean region.
The company has set up the workload in the new account in the ap-northeast-2 Region. The
workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that
operate in this Region must keep system logs and application logs for 7 years.
A security engineer must implement a solution to ensure that no logging data is lost for each
instance during scaling activities. The solution also must keep the logs for only the required
period of 7 years.
Which combination of steps should the security engineer take to meet these requirements?
(Choose three.)
A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto
Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required
logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups
use. Configure the role to provide the necessary permissions to forward logs to Amazon
CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups
use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling
groups launch. Configure the log forwarding application to periodically bundle the logs and
forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.
Answer: ABC
QUESTION 2
A company uses AWS Organizations to manage a multi-account AWS environment in a single
AWS Region. The organization's management account is named management-01. The company
has turned on AWS Config in all accounts in the organization. The company has designated an
account named security-01 as the delegated administrator for AWS Config.
All accounts report the compliance status of each account's rules to the AWS Config delegated
administrator account by using an AWS Config aggregator. Each account administrator can
configure and manage the account's own AWS Config rules to handle each account's unique
compliance requirements.
A security engineer needs to implement a solution to automatically deploy a set of 10 AWS
Config rules to all existing and future AWS accounts in the organization. The solution must turn
on AWS Config automatically during account creation.
Which combination of steps will meet these requirements? (Choose two.)
A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy
the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the
conformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the
conformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by
using CloudFormation StackSets in the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by
using CloudFormation StackSets in the management-01 account.
Get Latest & Actual SCS-C02 Exam's Question and Answers from Lead2pass. 2
https://www.lead2pass.com
Answer: AD
QUESTION 3
A company has a legacy application that runs on a single Amazon EC2 instance. A security audit
shows that the application has been using an IAM access key within its code to access an
Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This
access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The
company takes the application offline because the application is not compliant with the company's
security policies for accessing other AWS resources from Amazon EC2.
A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is
sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the
same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been
configured to send logs to Amazon CloudWatch Logs.
The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the
IAM access key in the past 60 days. If any objects were accessed, the company wants to know if
any of the objects that are text files (.txt extension) contained personally identifiable information
(PII).
Which combination of steps should the security engineer take to gather this information? (Choose
two.)
A. Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that
contain PII and that were available to the access key.
B. Use Amazon OpenSearch Service to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for
API calls that used the access key to access an object that contained PII.
C. Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls
that used the access key to access an object that contained PII.
D. Use AWS Identity and Access Management Access Analyzer to identify any API calls that used
the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.
E. Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII
and that were available to the access key.
Answer: AE
QUESTION 4
A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few
days later, the security engineer adds an additional statement to the bucket policy to allow read-only
access to one other employee. Even after updating the policy, the employee still receives an
access denied message.
What is the likely cause of this access denial?
Answer: D
QUESTION 5
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield
Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs
against the account.
A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to
Macie findings.
B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any
resources that are vulnerable to DDoS attacks.
C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS
event.
D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS
event.
Answer: D
QUESTION 6
A company has hundreds of AWS accounts in an organization in AWS Organizations. The
company operates out of a single AWS Region. The company has a dedicated security tooling
AWS account in the organization. The security tooling account is configured as the organization's
delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has
configured the environment to automatically enable GuardDuty and Security Hub for existing
AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the
company's security team can detect and respond to security events. The security team launched
an Amazon EC2 instance and attempted to run DNS requests against a test domain,
example.com, to generate a DNS finding. However, the GuardDuty finding was never created in
the Security Hub delegated administrator account.
Why was the finding not created in the Security Hub delegated administrator account?
A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom
OpenDNS resolver.
C. The GuardDuty integration with Security Hub was never activated in the AWS account where the
finding was generated.
D. Cross-Region aggregation in Security Hub was not configured.
Answer: C
QUESTION 7
An ecommerce company has a web application architecture that runs primarily on containers.
The application containers are deployed on Amazon Elastic Container Service (Amazon ECS).
The container images for the application are stored in Amazon Elastic Container Registry
(Amazon ECR).
The company's security team is performing an audit of components of the application
architecture. The security team identifies issues with some container images that are stored in the
container repositories.
The security team wants to address these issues by implementing continual scanning and on-push
scanning of the container images. The security team needs to implement a solution that
makes any findings from these scans visible in a centralized dashboard. The security team plans
to use the dashboard to view these findings along with other security-related findings that they
intend to generate in the future. There are specific repositories that the security team needs to
exclude from the scanning process.
Which solution will meet these requirements?
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to
be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match
repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match
repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that
need to be scanned. Push Amazon Inspector findings to AWS Config.
Answer: A
QUESTION 8
A company has a single AWS account and uses an Amazon EC2 instance to test application
code. The company recently discovered that the instance was compromised. The instance was
serving up malware. The analysis of the instance showed that the instance was compromised 35
days ago.
A security engineer must implement a continuous monitoring solution that automatically notifies
the company's security team about compromised instances through an email distribution list for
high severity findings. The security engineer must implement the solution as soon as possible.
Which combination of steps should the security engineer take to meet these requirements?
(Choose three.)
Answer: BCE
QUESTION 9
A company uses identity federation to authenticate users into an identity account
(987654321987) where the users assume an IAM role named IdentityRole. The users then
assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to
perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in
the identity account is:
What should be done to enable the user to assume the appropriate role in the target account?
A. Update the IAM policy attached to the role in the identity account to be:
B. Update the trust policy on the role in the target account to be:
C. Update the trust policy on the role in the identity account to be:
D. Update the IAM policy attached to the role in the target account to be:
Answer: D
QUESTION 10
A company is using AWS Organizations to manage multiple AWS accounts for its human
resources, finance, software development, and production departments. All the company's
developers are part of the software development AWS account.
The company discovers that developers have launched Amazon EC2 instances that were
preconfigured with software that the company has not approved for use. The company wants to
implement a solution to ensure that developers can launch EC2 instances with only approved
software applications and only in the software development AWS account.
Which solution will meet these requirements?
A. In the software development account, create AMIs of preconfigured instances that include only
approved software. Include the AMI IDs in the condition section of an AWS CloudFormation
template to launch the appropriate AMI based on the AWS Region. Provide the developers with
the CloudFormation template to launch EC2 instances in the software development account.
B. Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in
the software development account. Specify AWS Systems Manager Run Command as a target of
the rule. Configure Run Command to run a script that will install all approved software onto the
instances that the developers launch.
C. Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that
include only approved software. Grant the developers permission to access only the Service
Catalog portfolio to launch a product in the software development account.
D. In the management account, create AMIs of preconfigured instances that include only approved
software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in
the organization. Grant the developers permission to launch the stack sets within the
management account.
Answer: A
QUESTION 11
A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring
strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP
server. A high number of clients from multiple locations contact the FTP server. GuardDuty
identifies this activity as a brute force attack because of the high number of connections that
happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the
issue. A security engineer must improve the signal-to-noise ratio without compromising the
company's visibility of potential anomalous behavior.
Which solution will meet these requirements?
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
B. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the
notifications.
C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings
that match the specified criteria.
D. Create an AWS Lambda function that has the appropriate permissions to delete the finding
whenever a new occurrence is reported.
Answer: C
QUESTION 12
A company is running internal microservices on Amazon Elastic Container Service (Amazon
ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container
Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management
Service (AWS KMS). The security engineer also needs to analyze the container images for any
common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?
A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from
the ECS container instances' user data. Run an assessment with the CVE rules.
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the
scan report after the next push of images.
C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS
Systems Manager Agent on the ECS container instances. Run an inventory report.
D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the
ECS container instances and to verify the findings against a list of current CVEs.
Answer: B