Exam Name: AWS Certified Security – Specialty (old)

Exam Code: SCS-C02

Related Certification(s): Amazon Specialty Certification

Certification Provider: Amazon

Actual Exam Duration: 170 Minutes

Number of SCS-C02 Practice Questions: 467 (updated: )

Expected SCS-C02 Exam Topics, as suggested by Amazon:
Topic 1: Threat Detection and Incident Response
In this topic, AWS Security specialists gain expertise in crafting incident response plans and detecting security threats and anomalies using AWS services. It delves into effective strategies for responding to compromised resources and workloads, ensuring readiness to manage security incidents. Mastering these concepts is critical for handling scenarios assessed in the SCS-C02 exam.
Topic 2: Security Logging and Monitoring
This topic prepares AWS Security specialists to design and implement robust monitoring and alerting systems for addressing security events. It emphasizes troubleshooting logging solutions and analyzing logs to enhance threat visibility.
Topic 3: Infrastructure Security
Aspiring AWS Security specialists are trained to implement and troubleshoot security controls for edge services, networks, and compute workloads under this topic. Emphasis is placed on ensuring resilience and mitigating risks across AWS infrastructure. This section aligns closely with the exam’s focus on safeguarding critical AWS services and environments.
Topic 4: Identity and Access Management
The topic equips AWS Security specialists with skills to design, implement, and troubleshoot authentication and authorization mechanisms for AWS resources. By emphasizing secure identity management practices, this area addresses foundational competencies required for effective access control, a vital aspect of the certification exam.
Topic 5: Data Protection
AWS Security specialists learn to ensure data confidentiality and integrity for data in transit and at rest. Topics include lifecycle management of data at rest, credential protection, and cryptographic key management. These capabilities are central to managing sensitive data securely, reflecting the exam’s focus on advanced data protection strategies.
Topic 6: Management and Security Governance
This topic teaches AWS Security specialists to develop centralized strategies for AWS account management and secure resource deployment. It includes evaluating compliance and identifying security gaps through architectural reviews and cost analysis, essential for implementing governance aligned with certification standards.
Free AWS SCS-C02 Exam Actual Questions
Note: AWS SCS-C02 Premium Questions were last updated on

Question #1
[Data Protection]

A company stores sensitive data in an Amazon S3 bucket.
The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).
A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

Question #2

A security engineer configures VPC Flow Logs and the associated IAM role to log all VPC traffic to a log group in Amazon CloudWatch Logs.
After a wait of 10 minutes, no logs are appearing in the log group.
The security engineer confirms that traffic is being sent to the VPC.
After additional debugging, the security engineer isolates the problem to the role that is associated with the VPC flow logs.

What could be the reason that the logs are not appearing in CloudWatch Logs?

Question #3
[Infrastructure Security]

A company uses AWS Organizations to run workloads in multiple AWS accounts.
Currently, team members access EC2 instances using SSH or RDP.
The company has no audit trails, and security groups are sometimes open.
The company must secure access management and implement centralized logging.

Which solution will meet these requirements MOST securely?

Question #4
[Identity and Access Management]

A company’s engineering team is developing a new application that creates AWS KMS CMK grants for users.
Immediately after a grant is created, users must encrypt a 512-byte payload.
During load testing, AccessDeniedExceptions sometimes occur.

Which solution should the security specialist recommend?

Question #5
[Identity and Access Management]

A company’s policy requires that all API keys be encrypted and stored separately from source code in a centralized security account.
An audit revealed an API key stored with the source code of a Lambda function in a CodeCommit repository.

How should the security team securely store the API key?