Name: AWS Certified Security - Specialty
Brand: ValidExamDumps
SKU: SCS-C02
Price: 20 USD
Availability: InStock
Rating: 4.8 (405 reviews)

Free Amazon SCS-C02 Exam Actual Questions

The questions for SCS-C02 were last updated On Dec 14, 2025

At ValidExamDumps, we consistently monitor updates to the Amazon SCS-C02 exam questions by Amazon. Whenever our team identifies changes in the exam questions,exam objectives, exam focus areas or in exam requirements, We immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the Amazon AWS Certified Security - Specialty exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated or removed questions by Amazon in their Amazon SCS-C02 exam. These outdated questions lead to customers failing their Amazon AWS Certified Security - Specialty exam. In contrast, we ensure our questions bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the Amazon SCS-C02 exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test.

Question No. 1

[Identity and Access Management]

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.

What policy should the Engineer implement?

AOption A

BOption B

COption C

DOption D

Show Answer

Correct Answer: C

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html

Question No. 2

[Identity and Access Management]

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

AThe CMK is used in the attempt does not exist.

BThe CMK is used in the attempt needs to be rotated.

CThe CMK is used in the attempt is using the CMKs key ID instead of the CMK ARN.

DThe CMK is used in the attempt is not enabled.

EThe CMK is used in the attempt is using an alias.

Show Answer

Correct Answer: A, D

https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fail

Question No. 3

[Data Protection]

A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

AUse IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

BUse IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

CStore the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

DStore the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Show Answer

Correct Answer: A

Question No. 4

A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key However, the company wants to prevent Amazon EC2 from using the key.

Which solution will meet these requirements?

ACreate an 1AM policy that explicitly denies permission to the key Attach the policy to all EC2 instance profiles Create an 1AM policy that explicitly allows permission to the key Attach the policy to all Lambda function roles.

BCreate a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda 1AM role as the principal.

CCreate a custom key policy tor the key Use the aws Sourcelp condition key to deny access to requests from Amazon EC2 Use the aws: Authorized Service condition key to allow access to requests from Lambda Use the Lambda 1AM role as the principal.

DCreate an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda Attach the SCP to the AWS account.

Show Answer

Correct Answer: B

Question No. 5

[Infrastructure Security]

A company is building a data processing application that uses AWS Lambda functions The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

AConfigure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

BDeploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

CDeploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

DPeer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Show Answer

Correct Answer: C

The AWS documentation states that you can deploy the Lambda functions inside the VPC and attach a security group to the Lambda functions. You can then provide outbound rule access to the VPC CIDR range only and update the DB instance security group to allow traffic from the Lambda security group. This method is the most secure way to meet the requirements.

References: :AWS Lambda Developer Guide