Free Amazon SCS-C02 Exam Questions

Become Amazon Certified with updated SCS-C02 exam questions and correct answers

Page: 1 / 114

Total 569 Questions | Updated On: Nov 26, 2025

Add To Cart

Question 1

An online gaming company has a network of Amazon EC2 instances that are frequently targeted by rogue bots. The security team needs to implement an automated system to block traffic from identified malicious sources. The system needs to respond in near real-time and the security team decided to use AWS Step Functions to orchestrate this solution.Which solution should the security engineer implement to meet these requirements?

A : Use AWS CloudTrail to monitor for malicious traffic. Store the identified IP addresses in a DynamoDB table. Utilize Lambda to update the DynamoDB table and modify a WAF web ACL rule to block the traffic

B : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify a Security Group rule to block the traffic from these IP addresses.

C : Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

D : Use AWS WAF to detect malicious traffic. Use DynamoDB to store the identified IP addresses. Utilize Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Answer: C

Question 2

A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.

A : Configure Amazon CloudWatch Logs Insights

B : Create an Amazon CloudWatch dashboard

C : Configure AWS Security Hub integrations

D : Query the findings by using Amazon Athena

Answer: C

Question 3

A security engineer is working with the development team to design an application that encrypts data using an AWS KMS key. Various users with accounts in AWS IAM will need to be provided with temporary access to decrypt data using the KMS key.

What is the MOST efficient way to manage access control for the KMS key?

A : an IAM group. Programmatically add and remove users from the group and attach a policy that grants key access

B : an IAM role. Programmatically update the IAM role policies to manage access

C : KMS grants. Programmatically create and revoke grants to manage access.

D : KMS key policies. Programmatically update the KMS key policies to manage access

Answer: C

Question 4

An application running on Amazon EC2 instances reads secrets stored in AWS Systems Manager Parameter Store. The application issued GetParameter API calls for secure string parameters and the calls failed.

Which factors could be the cause of this failure? (Select TWO.)

A : IAM role assigned to the EC2 instance profile does not have encrypt permissions on the AWS KMS key used to encrypt the parameter

B : tems Manager Parameter Store does not have decrypt permissions on the AWS KMS key used to encrypt the parameter.

C : IAM role assigned to the EC2 instance profile does not have decrypt permissions on the AWS KMS key used to encrypt the parameter.

D : tems Manager Parameter Store does not have encrypt permissions on the AWS KMS key used to encrypt the parameter.

E : IAM role assigned to the EC2 instance profile does not have permissions to retrieve parameters in Systems Manager Parameter Store.

Answer: A,C

Question 5

An AWS Lambda function has started to cause errors in an application and a security engineer must check the output of the function. The engineer checked Amazon CloudWatch Logs but could not find any log files for the Lambda function.What is the best explanation for why the logs are not available?

A : The Lambda function does not have monitoring enabled to execution output is not being logged.

B : The log output is stored in AWS X-Ray so the security engineer must check there instead

C : The Lambda function execution role does not have permissions to write to Amazon S3.

D : The Lambda function execution role does not have permissions to write to CloudWatch Logs.

Answer: D

Page: 1 / 114

Total 569 Questions | Updated On: Nov 26, 2025

Add To Cart