AWS Certified Security - Specialty

Here you have the best Amazon SCS-C02 practice exam questions

  • You have 307 total questions across 62 pages (5 per page)
  • These questions were last updated on February 8, 2026
  • This site is not affiliated with or endorsed by Amazon.
Question 1 of 307
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.
Which solutions will provide the Lambda function this access? (Choose two.)
Suggested Answer: C, D

To provide AWS Lambda with access to an Amazon S3 bucket, the best solutions involve using IAM roles. Creating an IAM role for the Lambda function and attaching an IAM policy that allows access to the S3 bucket ensures that the Lambda function has the necessary permissions without exposing any secrets or keys. Additionally, attaching a bucket policy to the S3 bucket that specifies the IAM role as the principal provides a clear and secure way to control access through the IAM role.

Community votes

No votes yet

Question 2 of 307
A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.
Which of the following is a valid option for storing SSL/TLS certificates?
Suggested Answer: C

AWS Certificate Manager (ACM) is specifically designed for managing and deploying SSL/TLS certificates on AWS services. It simplifies the process of provisioning, managing, and deploying SSL/TLS certificates. Using a custom SSL certificate that is stored in ACM is a valid and recommended option for securing communications with the website through HTTPS.

Community votes

No votes yet

Question 3 of 307
A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:
A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
A compromised EC2 instance's metadata must be updated with corresponding incident ticket information.
A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
Any investigative activity during the collection of volatile data must be captured as part of the process.
Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Choose three.)
Suggested Answer: A, C, E

To develop a process to investigate and respond to potential security events while complying with AWS best practices, the security engineer should take the following steps. First, gather any relevant metadata for the compromised EC2 instance, enable termination protection, isolate the instance by updating its security groups to restrict access, and detach the instance from any Auto Scaling groups it is part of to prevent it from being terminated or replaced. This ensures the instance remains online but isolated. Second, use Systems Manager Run Command to invoke scripts that collect volatile data. This method is optimal as it minimizes operational overhead and ensures all activities during data collection are captured. Third, create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations and tag the instance with any relevant metadata and incident ticket information. Creating a snapshot preserves the compromised instance's non-volatile memory for forensic purposes. Together, these steps effectively manage the investigation with minimal operational overhead while preserving both volatile and non-volatile data.

Community votes

No votes yet

Question 4 of 307
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.
Currently, the company’s developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.
The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.
Which solution will meet these requirements in the MOST operationally efficient way?
Suggested Answer: B

To meet the company's requirements of notifying the security team while maintaining the same overall delivery speed, the most operationally efficient solution is to use Amazon Simple Notification Service (SNS) and CloudFormation Guard. Creating a custom rule in CloudFormation Guard allows compliance checks for resource configurations. This ensures that any non-compliant resources are identified before deployment, and the CI/CD pipeline can notify the security team via SNS. The use of CloudFormation Guard is more effective for compliance checks compared to aws cloudformation validate-template, which only checks for syntax errors. This approach integrates seamlessly into the existing CI/CD pipeline, ensuring no delay in the delivery speed.

Community votes

No votes yet

Question 5 of 307
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)
Suggested Answer: A, B

To meet the requirements of migrating the application server to AWS while keeping the database on-premises with low latency and IPsec encryption, a combination of AWS Site-to-Site VPN and AWS Direct Connect is appropriate. AWS Site-to-Site VPN provides IPsec encryption for secure data transfer, while AWS Direct Connect offers a dedicated network connection for minimizing network latency, making this combination suitable for the scenario.

Community votes

No votes yet

About the Amazon SCS-C02 Certification Exam

About the Exam

The Amazon SCS-C02 (AWS Certified Security - Specialty) validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 307 practice questions across 62 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on the test day. Our SCS-C02 questions are regularly updated to reflect the latest exam objectives.