AWS Certified Security - Specialty
AWS Certified Security - Specialty validates your expertise in creating and
implementing security solutions in the AWS Cloud. This certification also
validates your understanding of specialized data classifications and AWS data
protection mechanisms; data-encryption methods and AWS mechanisms to implement
them; and secure internet protocols and AWS mechanisms to implement them.
Exam overview
Category: Specialty
Exam format: 65 questions, either multiple choice or multiple response
Cost: USD. Visit Exam pricing for additional cost information, including
foreign exchange rates
Duration: 170 minutes (approximately 3 hours)
Question Type: Multiple choice and multiple response
Passing Score: 750 on a scaled score of 100-1000
Validity: 3 years
Prepare for the exam
Go from start to certified. Follow our Exam Prep Plan on AWS Skill Builder,
our online learning center, so you can approach exam day with confidence.
1. Get to know the exam with exam-style questions
Follow the 4-step plan.
Review the exam guide.
2. Refresh your AWS knowledge and skills
Enroll in digital courses where you need to fill gaps in knowledge and skills,
practice with AWS Builder Labs, AWS Cloud Quest, and AWS Jam.
3. Review and practice for your exam
Review the scope of the exam. Explore each exam domain’s topics and how they
align to AWS services. Reinforce your knowledge and identify learning gaps with
exam-style questions and flashcards. Follow instructors as they walk through
exam-style questions and provide test-taking strategies. Continue practicing
with AWS Builder Labs and/or AWS SimuLearn.
4. Assess your exam readiness
Take the AWS Certification Official Practice Exam.
The AWS Certified Security - Specialty (SCS-C02) exam is a specialty-level
certification that validates proficiency in securing AWS workloads. It consists
of 65 multiple-choice and multiple-response questions and has a duration of 170
minutes. The exam is offered in multiple languages, including English, French,
German, Italian, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, and
Spanish (Latin America). A passing score is 750 out of 1000.
Here's a more detailed breakdown:
Exam Format and Information:
Exam Domains:
The SCS-C02 exam covers the following six domains:
Threat Detection and Incident Response: 14%
Security Logging and Monitoring: 18%
Infrastructure Security: 20%
Identity and Access Management: 16%
Data Protection: 18%
Management and Security Governance: 14%
QUESTION 1
You have an S3 bucket defined in AWS. You want to ensure that you encrypt
the data before sending it across the wire.
What is the best way to achieve this? Please select:
A. Enable server side encryption for the S3 bucket. This request will ensure
that the data is encrypted first.
B. Use the AWS Encryption CLI to encrypt the data first
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable client encryption for the bucket
Answer: B
Explanation:
One can use the AWS Encryption CLI to encrypt the data before sending it across
to the S3 bucket.
Options A and C are invalid because this would still mean that data is
transferred in plain text.
Option D is invalid because you cannot just enable client side encryption for
the S3 bucket.
For more information on Encrypting and Decrypting data, please visit the below URL:
https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cl
The correct answer is: Use the AWS Encryption CLI to encrypt the data first
QUESTION 2
Your company has a set of EC2 Instances defined in AWS. These EC2 Instances have
strict security groups attached to them. You need to ensure that changes to the
Security groups are noted and acted on accordingly. How can you achieve this?
Please select:
A. Use CloudWatch logs to monitor the activity on the Security Groups. Use
filters to search for the changes and use SNS for the notification.
B. Use CloudWatch metrics to monitor the activity on the Security Groups. Use
filters to search for the changes and use SNS for the notification.
C. Use AWS Inspector to monitor the activity on the Security Groups. Use filters
to search for the changes and use SNS for the notification.
D. Use CloudWatch Events to be triggered for any changes to the Security Groups.
Configure the Lambda function for email notification as well.
Answer: D
Explanation:
The below diagram from an AWS blog shows how security groups can be monitored
Option A is invalid because you need to use CloudWatch Events to check for chan,
Option B is invalid because you need to use CloudWatch Events to check for chang
Option C is invalid because AWS Inspector is not used to monitor the activity on
Security Groups
For more information on monitoring security groups, please visit the below URL:
QUESTION 3
Your company has just set up a new central server in a VPC. There is a
requirement for other teams who have their servers located in different VPCs
in the same region to connect to the central server.
Which of the below options is best suited to achieve this requirement? Please
select:
A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
B. Set up AWS Direct Connect between the central server VPC and each of the
teams' VPCs.
C. Set up an IPSec Tunnel between the central server VPC and each of the teams'
VPCs.
D. None of the above options will work.
Answer: A
Explanation:
A VPC peering connection is a networking connection between two VPCs that
enables you to route traffic between them using private IPv4 addresses or IPv6
addresses. Instances in either VPC can communicate with each other as if they
are within the same network. You can create a VPC peering connection between
your own VPCs, or with a VPC in another AWS account within a single region.
Options B and C are invalid because you need to use VPC Peering
Option D is invalid because VPC Peering is available
For more information on VPC Peering please see the below Link:
QUESTION 4
There is a requirement for a company to transfer large amounts of data
between AWS and an on-premise location. There is an additional requirement for
low latency and high consistency traffic to AWS.
Given these requirements how would you design a hybrid architecture? Choose the
correct answer from the options below. Please select:
A. Provision a Direct Connect connection to an AWS region using a Direct Connect
partner.
B. Create a VPN tunnel for private connectivity, which increases network
consistency and reduces latency.
C. Create an IPSec tunnel for private connectivity, which increases network
consistency and reduces latency.
D. Create a VPC peering connection between AWS and the Customer gateway.
Answer: A
Explanation:
AWS Direct Connect makes it easy to establish a dedicated network connection
from your premises to AWS. Using AWS Direct Connect you can establish private
connectivity between AWS and your datacenter, office, or colocation environment
which in many cases can reduce your network costs, increase bandwidth
throughput and provide a more consistent network experience than
Internet-based connections.
Options B and C are invalid because these options will not reduce network
latency
Option D is invalid because this is only used to connect 2 VPCs
For more information on AWS Direct Connect, just browse to the below URL:
The correct answer is: Provision a Direct Connect connection to an AWS region
using a Direct Connect partner.
QUESTION 5
Which of the following bucket policies will ensure that objects being
uploaded to a bucket called 'demo' are encrypted?
Please select:
A.
B.
C.
D.
Answer: A
Explanation:
The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that
objects uploaded need to be encrypted.
Options B, C and D are invalid because you have to ensure the condition of
"s3:x-amz-server-side-encryption":"aws:kms" is present
For more information on AWS KMS best practices, just browse to the below URL:
QUESTION 6
A company's AWS account consists of approximately 300 IAM users. Now there is a
mandate that an access change is required for 100 IAM users to have unlimited
privileges to S3. As a system administrator, how can you implement this
effectively so that there is no need to apply the policy at the individual user
level? Please select:
A. Create a new role and add each user to the IAM role
B. Use the IAM groups and add users, based upon their role, to different groups
and apply the policy to group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's
AWS account ID
Answer: B
Students Feedback / Reviews/ Discussion
Mahrous Mostafa Adel Amin 1 week, 2 days ago - Abuhib - United Arab Emirates
Passed the exam today, Got 98 questions in total, and 2 of them weren’t from
exam topics. Rest of them was exactly the same!
upvoted 4 times
Mbongiseni Dlongolo 2 weeks, 5 days ago - South Africa
Thank you so much, I passed SCS-C02 today! 41 questions out of 44 are from
Certkingdom
upvoted 2 times
Kenyon Stefanie 1 month, 1 week ago - USA, Virginia
Thank you so much, huge help! I passed SCS-C02 SAP today! The big majority
of questions were from here.
upvoted 2 times
Danny 1 month, 1 week ago - United States, Costa Mesa
Passed the exam today, 100% points. Got 44 questions in total, and 3 of them
weren’t from exam topics. Rest of them was exactly the same!
MENESES RAUL 2 week ago - USA, Texas
93% was from this topic! I did buy the contributor access. Thank you certkingdom!
upvoted 4 times
Zemljaric Rok 1 month, 2 weeks ago - Ljubljana Slovenia
Cleared my exam today - Over 80% questions from here, many thanks certkingdom
and everyone for the meaningful discussions.
upvoted 2 times