Amazon SCS-C02 Exam Questions

Expected SCS-C02 Exam Topics (AWS Certified Security – Specialty)

Topic 1: Threat Detection and Incident Response

This topic focuses on identifying security threats and responding to incidents in AWS environments. Candidates learn how to design effective incident response plans, detect anomalies using AWS security services, and take immediate action to protect compromised resources. Mastering this area ensures readiness to handle real-world security incidents efficiently.

Topic 2: Security Logging and Monitoring

This section emphasizes the importance of continuous monitoring and logging for maintaining security visibility. Candidates learn how to configure logging services, analyze logs, and create alerting systems to detect suspicious activities. It also includes troubleshooting logging solutions to ensure accurate and reliable security monitoring.

Topic 3: Infrastructure Security

This topic covers securing AWS infrastructure, including networks, edge services, and compute resources. Candidates learn how to implement security controls, protect workloads, and reduce risks across cloud environments. The focus is on building resilient and secure architectures that can defend against potential threats.

Topic 4: Identity and Access Management (IAM)

This section focuses on controlling access to AWS resources through secure identity management. Candidates learn how to design and implement authentication and authorization mechanisms, manage users and roles, and apply best practices for least privilege access. Strong IAM skills are essential for protecting cloud environments.

Topic 5: Data Protection

This topic explains how to secure sensitive data in AWS environments. Candidates learn techniques for protecting data both at rest and in transit using encryption and key management services. It also includes managing data lifecycle policies and safeguarding credentials to ensure data confidentiality and integrity.

Topic 6: Management and Security Governance

This section focuses on governance, compliance, and centralized security management in AWS. Candidates learn how to manage multiple accounts, enforce security policies, and conduct audits to identify vulnerabilities. It also covers aligning cloud environments with compliance standards and implementing best practices for secure resource management.

Exam Name:

AWS Certified Security - Specialty (old)

Registration Code:

SCS-C02

Related Certification:

Amazon Specialty Certification

Certification Provider:

Amazon

Total Questions

467 (updated)

Regular Update

Exam Duration

170 Minutes


Question 1: A security engineer configures VPC Flow Logs and the associated IAM role to log all VPC traffic to a log group in Amazon CloudWatch Logs. After a wait of 10 minutes, no logs are appearing in the log group. The security engineer confirms that traffic is being sent to the VPC. After additional debugging, the security engineer isolates the problem to the role that is associated with the VPC flow logs. What could be the reason that the logs are not appearing in CloudWatch Logs?

Correct Answer: C

Question 2: [Identity and Access Management] A company’s engineering team is developing a new application that creates AWS KMS customer managed key (CMK) grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, the team observes intermittent AccessDeniedException errors when users first attempt to perform the encryption operation. Which solution should the company’s security specialist recommend?

Correct Answer: D

Grants in AWS KMS are eventually consistent: for a short period after CreateGrant returns, a request that relies on the new grant can fail with AccessDeniedException. To avoid these errors when users first attempt to encrypt with the CMK, the security specialist should recommend the following:

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. The grant token serves as temporary authorization for the grant until the grant has propagated.

Instruct users to include that grant token in their Encrypt call. Presenting the token proves that they have permission to use the CMK, so the call succeeds without waiting for the grant to become consistent.

Question 3: [Identity and Access Management] A company’s security policy requires that all API keys be encrypted and stored separately from source code in a centralized security account managed by the security team. However, an audit reveals that an API key is stored directly in the source code of an AWS Lambda function within an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key to comply with the company’s policy?

Correct Answer: C

To store the API key in line with the policy, the security team should do the following:

Create a secret in AWS Secrets Manager in the security account to hold the API key, encrypted with an AWS Key Management Service (AWS KMS) key. This lets the security team encrypt and manage the API key centrally and configure an automatic rotation schedule for it.

Grant the IAM role used by the Lambda function access to the secret so that the function retrieves the API key from Secrets Manager at runtime and then calls the API. This removes the API key from the source code and puts access to it under IAM policy control.
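The cross-account setup behind this answer, as an added example that is not part of the exam page and not AWS code: the three policy documents a DevOps-account Lambda role needs to read a secret owned by the security account, and the Lambda-side retrieval with caching. All account IDs, ARNs, role names and the secret value are constructed placeholders; get_secret_value, SecretId and SecretString are the real boto3 names, and FakeSecretsManager is a constructed offline stand-in for boto3.client("secretsmanager") that enforces only the secret's resource policy.

```python
"""Added example: policies and Lambda code for reading an API key from Secrets Manager
in a separate security account. Identifiers are constructed placeholders."""
import json
import time

REGION = "us-east-1"
SECURITY_ACCOUNT = "111111111111"                      # constructed
DEVOPS_ACCOUNT = "222222222222"                        # constructed
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{SECURITY_ACCOUNT}"
              ":secret:prod/payments/api-key-PLACEHOLDER")
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{SECURITY_ACCOUNT}:key/PLACEHOLDER-KEY-ID"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/payments-lambda-role"


def secret_resource_policy(role_arn):
    """Resource policy attached to the secret in the security account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDevOpsLambdaRead", "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}


def kms_key_policy_statement(role_arn, region=REGION):
    """Statement for the customer managed key that encrypts the secret. Cross-account
    reads need this because the default aws/secretsmanager key cannot be shared;
    kms:ViaService limits the Decrypt to calls made through Secrets Manager."""
    return {"Sid": "AllowDevOpsLambdaDecryptViaSecretsManager", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}


def lambda_role_policy(secret_arn, key_arn):
    """Identity policy on the Lambda execution role, scoped to one secret and one key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}


class FakeSecretsManager:
    """Constructed stand-in that enforces only the secret's resource policy."""

    def __init__(self, caller_role_arn, resource_policy, secret_string):
        self._caller = caller_role_arn
        self._policy = resource_policy
        self._secret_string = secret_string

    def get_secret_value(self, SecretId):
        allowed = any(s["Effect"] == "Allow"
                      and s["Principal"].get("AWS") == self._caller
                      and s["Action"] == "secretsmanager:GetSecretValue"
                      for s in self._policy["Statement"])
        if not allowed:
            raise PermissionError("AccessDeniedException: not allowed by resource policy")
        return {"ARN": SecretId, "SecretString": self._secret_string}


class SecretCache:
    """Fetches the key once per container and refreshes after ttl_seconds so a
    rotated secret is picked up; the value stays in memory and is never logged."""

    def __init__(self, client, secret_arn, ttl_seconds=300):
        self._client, self._arn, self._ttl = client, secret_arn, ttl_seconds
        self._value, self._fetched_at, self.fetch_count = None, 0.0, 0

    def get(self):
        if self._value is None or time.monotonic() - self._fetched_at > self._ttl:
            resp = self._client.get_secret_value(SecretId=self._arn)
            self._value = json.loads(resp["SecretString"])["api_key"]
            self._fetched_at = time.monotonic()
            self.fetch_count += 1
        return self._value


_CACHE = None


def handler(event, context, cache=None):
    """Lambda entry point: read the key from the cache, attach it to the outbound
    request, and return only non-sensitive status (never the key itself)."""
    global _CACHE
    if cache is None:
        if _CACHE is None:
            import boto3   # deferred so the offline demo does not need boto3
            _CACHE = SecretCache(boto3.client("secretsmanager", region_name=REGION), SECRET_ARN)
        cache = _CACHE
    headers = {"Authorization": f"Bearer {cache.get()}"}
    # The outbound API call would be made here using `headers`.
    return {"statusCode": 200, "secretFetches": cache.fetch_count,
            "authHeaderSet": "Authorization" in headers}


if __name__ == "__main__":
    policy = secret_resource_policy(LAMBDA_ROLE_ARN)
    fake = FakeSecretsManager(LAMBDA_ROLE_ARN, policy, '{"api_key": "constructed-api-key"}')
    print(handler({}, None, cache=SecretCache(fake, SECRET_ARN)))
```

Deployed for real, the three policy documents are applied in their respective accounts and `handler` builds its boto3 client on first invocation; a warm container reuses the cached value, and the TTL bounds how long a rotated key keeps being used from memory.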

Question 4: [Logging and Monitoring] A company hosts a web application on an Apache web server running on Amazon EC2 instances in an Auto Scaling group. The EC2 instances are configured to send Apache access logs to an Amazon CloudWatch Logs log group with a retention period of 1 year. The company recently identified a suspicious IP address in the Apache logs. A security engineer needs to analyze the past week of logs to determine:

- The total number of requests made by the suspicious IP address
- The specific URLs that the IP address accessed

What is the most efficient way for the security engineer to perform this analysis with the least operational effort?

Correct Answer: C
