Lead4Pass SCS-C02 dumps help you prepare for the AWS Certified Security – Specialty(SCS-C02) certification exam!

Overview of Lead4Pass SCS-C02 dumps:

Lead4Pass SCS-C02 dumps provide complete SCS-C02 exam preparation materials and are guaranteed to be actually useful!

AWS Certified Security – Specialty(scs-c02) Exam Overview: https://aws.amazon.com/certification/certified-security-specialty/ (Specific details of the SCS-C02 exam, including exam time, registration method, price…)

Exam preparation:

Understand the SCS-C02 exam and exam question types

The AWS Certified Security – Specialty (SCS-C02) exam is intended for individuals who
perform a security role. The exam validates a candidate’s ability to effectively
demonstrate knowledge about securing AWS products and services.

The exam also validates whether a candidate has the following:

• An understanding of specialized data classifications and AWS data protection
  mechanisms
• An understanding of data-encryption methods and AWS mechanisms to
  implement them
• An understanding of secure internet protocols and AWS mechanisms to
  implement them
• A working knowledge of AWS security services and features of services to
  provide a secure production environment
• Competency from 2 or more years of production deployment experience in
  using AWS security services and features
• The ability to make tradeoff decisions regarding cost, security, and deployment
  complexity to meet a set of application requirements
• An understanding of security operations and risks

The target candidate should have the equivalent of 3–5 years of experience in
designing and implementing security solutions. Additionally, the target candidate
should have a minimum of 2 years of hands-on experience in securing AWS
workloads.

Response types

There are two types of questions on the exam:

• Multiple choice: Has one correct response and three incorrect responses
  (distractors)
• Multiple responses: Has two or more correct responses out of five or more
  response options

Select one or more responses that best complete the statement or answer the
question. Distractors, or incorrect answers, are response options that a candidate with
incomplete knowledge or skill might choose. Distractors are generally plausible
responses that match the content area.

Unanswered questions are scored as incorrect; there is no penalty for guessing. The
exam includes 50 questions that affect your score. Get More>>

Understand the exam topics

AWS Security Fundamentals

Course Objectives:

• Identify the security benefits and responsibilities when using the AWS Cloud
• Describe the access control and management features of AWS
• Understand the different data encryption methods to secure sensitive data
• Describe how to secure network access to your AWS resources
• Determine which AWS services can be used for security logging and monitoring

Course Outline:

• Introduction to AWS Security Fundamentals
• Security of the Cloud
  • AWS Global Infrastructure
  • Data Center Security
  • Compliance and Governance
  • DDoS Mitigation

• Entry points on AWS
  • Identity and Access Management
  • Detective Controls
  • Infrastructure Protection
  • Data Protection
  • Incident Response

• Well-Architected Tool Overview
• End of Course Assessment

Prepare and evaluate your preparation for the exam

Practice the latest AWS Certified Security – Specialty (SCS-C02) exam questions online for free

Question 1:

A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create an AWS Config-managed rule to detect unencrypted ROS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B. Create an AWS Config-managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Correct Answer: A

https://docs.aws.amazon.com/config/latest/developerguide/rds-storage-encrypted.html

Question 2:

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35 days ago.

A security engineer must implement a continuous monitoring solution that automatically notifies the company\’s security team about compromised instances through an email distribution list for high-severity findings. The security engineer must implement the solution as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

A. Enable AWS Security Hub in the AWS account.

B. Enable Amazon GuardDuty in the AWS account.

C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe to the security team\’s email distribution list for the topic.

D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team\’s email distribution list to the queue.

E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for GuardDuty findings of high severity. Configure the rule to publish a message on the topic.

F. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Correct Answer: BCE

Question 3:

A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company\’s security team recently received a report about common vulnerability identifiers on the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to

automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?

A. Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

B. Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

C. Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

D. Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Correct Answer: A

https://aws.amazon.com/about-aws/whats-new/2020/10/now-use-aws-systems-manager-to-view-vulnerability-identifiers-for-missing-patches-on-your-linux-instances/

Question 4:

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained What Is the MOST secure and cost-effective solution to meet these requirements?

A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

C. Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

D. Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Correct Answer: B

Question 5:

A company uses Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution

Which solution will meet these requirements MOST securely?

A. Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

B. Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

C. Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

D. Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trial data

Correct Answer: C

To meet the requirements of securing access management and implementing a centralized logging solution, the most secure solution would be to:

Install a bastion host in the management account.

Reconfigure all SSH and RDP to allow access only from the bastion host.

Install AWS Systems Manager Agent (SSM Agent) on the bastion host.

Attach the AmazonSSMManagedlnstanceCore role to the bastion host.

Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

This solution provides the following security benefits:

It uses AWS Systems Manager Session Manager instead of traditional SSH and RDP protocols, which provides a secure method for accessing EC2 instances without requiring inbound firewall rules or open ports. It provides audit trails by configuring Session Manager logging to Amazon CloudWatch Logs and creating a separate logging account to audit the log data.

It uses the AWS Systems Manager Agent to automate common administrative tasks and improve the security posture of the instances.

The separate logging account with cross-account permissions provides better data separation and improves security posture.

https://aws.amazon.com/solutions/implementations/centralized-logging/

Question 6:

There are currently multiple applications hosted in a VPC. During monitoring, it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours.

Which of the following is the best method to quickly and temporarily deny access from the specified IP Address\’s?

A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

C. Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

D. Modify the Windows Firewall settings on all AMIs \’S that your organization uses in that VPC to deny access from the IP address block.

Correct Answer: B

NACL acts as a firewall at the subnet level of the VPC and we can deny the offending IP address block at the subnet level using NACL rules to block the incoming traffic to the VPC instances.

Since NACL rules are applied as per the Rule numbers make sure that this rule number should take precedence over other rule numbers if there are any such rules that will allow traffic from these IP ranges.

The lowest rule number has more precedence over a rule that has a higher number.

The IAM Documentation mentions the following as best practices for IAM users

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs).

With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their username and password) and the OTP.

The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

Options C is invalid because these options are not available

Option D is invalid because there is no root access for users

For more information on IAM best practices, please visit the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/best-practices.html

The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Question 7:

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Correct Answer: A

Question 8:

A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function.

When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an “error loading Log Streams” message appears.

The IAM policy for the Lambda function\’s execution role contains the following:

How should the security engineer correct the error?

A. Move the logs: CreateLogGroup action to the second Allow statement.

B. Add the logs: PutDestination action to the second Allow statement.

C. Add the logs: GetLogEvents action to the second Allow statement.

D. Add the logs: CreateLogStream action to the second Allow statement.

Correct Answer: D

Question 9:

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)

A. Stop the instance. Detach the root volume. Generate a new key pair.

B. Keep the instance running. Detach the root volume. Generate a new key pair.

C. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

D. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

E. When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.

Correct Answer: AC

If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume, and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#replacing-lost-key-pai

Question 10:

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLEBUCKET1 in the same AWS account.

This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company\’s security policies for accessing other AWS resources from Amazon EC2.

A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLEBUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.

The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).

Which combination of steps should the security engineer take to gather this information? (Choose two.)

A. Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

B. Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

C. Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.

D. Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.

E. Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.

Correct Answer: AD

Question 11:

A company created an IAM account for its developers to use for testing and learning purposes Because the MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag all their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

A. Option A

B. Option B

C. Option C

D. Option D

Correct Answer: A

Question 12:

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future

Which controls should the company implement to achieve this? (Select TWO.)

A. Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B. Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

C. Add the following bucket policy to the company\’s IAM CloudTrail bucket to prevent log tampering { “Version”: “2012-10-17-, “Statement”: { “Effect”: “Deny”, “Action”: “s3:PutObject”, “Principal”: “-“, “Resource”: “arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*” } } Create an Amazon S3 data event for a PutObject attempt, which sends notifications to an Amazon SNS topic.

D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule\’s target

Correct Answer: AE

Question 13:

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.

Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.

Which solution meets these requirements?

A. Use the IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

C. Use the IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

D. Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Correct Answer: C

Question 14:

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

A. Use AWS CloudTrail to detect configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls

B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Correct Answer: B

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

To evaluate configuration changes to a specific AWS resource and ensure that it meets compliance standards, the security engineer should use AWS Config to detect the configuration changes and record the latest configuration in case of multiple configuration changes. This will allow the security engineer to view the current state of the resource and its compliance status, as well as its configuration history and timeline.

AWS Config records configuration changes as ConfigurationItems, which are point-in-time snapshots of the resource\’s attributes, relationships, and metadata. If multiple configuration changes occur within a short period of time, AWS Config records only the latest ConfigurationItem for that resource. This indicates the cumulative impact of the set of changes on the resource\’s configuration.

This solution will meet the requirement in the most operationally efficient way, as it leverages AWS Config\’s features to monitor, record, and evaluate resource configurations without requiring additional tools or services.

The other options are incorrect because they either do not record the latest configuration in case of multiple configuration changes (A, C) or do not use a valid service for evaluating resource configurations (D).

Question 15:

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

Correct Answer: C

Lead4Pass SCS-C02 dumps provide complete exam preparation materials including 251 latest exam questions and answers, guaranteed to be practical and useful, as well as PDF and VCE exam practice tools to help you easily prepare for the AWS Certified Security – Specialty (scs-c02) exam!

SCS-C02 Exam Key Frequently Asked Questions

What certifications are required before taking the SCS-C02 exam?

You do not need to obtain any specific certification before preparing for this certification. However, candidates typically earn the AWS Certified Solutions Architect – Associate and/or AWS Certified Solutions Architect – Professional level before taking the AWS Certified Security – Professional exam.

SCS-C02 VS SCS-C01

The latest AWS Certified Security Specialty SCS-C02 exam has some similarities with its previous version, but it also introduces a plethora of new knowledge areas, services, domains, and features. One notable change is the brand new “Management & Security Governance” domain. This new addition checks your know-how in developing a strategy to centrally deploy and manage AWS accounts, implementing a secure and consistent deployment strategy for cloud resources, and evaluating the compliance of AWS resources, among others.

How will AWS Certified Security – Specialty help my career development?

AWS Certified Security – Specialty certification will expand your career scope, build your credibility, and establish a trustworthy connection with your collaborators. Holding this certification can meet the requirements of those with relevant needs! What’s more important is to increase your career options and make your career plans richer!