
Amazon SCS-C02 Exam Questions - Navigate Your Path to Success

The Amazon AWS Certified Security - Specialty (SCS-C02) exam is a good choice for Amazon Security Engineers and Amazon Security Architects. A candidate who passes the Amazon AWS Certified Security - Specialty exam earns the Amazon Specialty Certification. Below are some essential facts for Amazon SCS-C02 exam candidates:

  • In the actual Amazon AWS Certified Security - Specialty (SCS-C02) exam, a candidate can expect 65 questions, and the officially allowed time is expected to be around 170 minutes.
  • TrendyCerts offers 372 questions that are based on the actual Amazon SCS-C02 syllabus.
  • Our Amazon SCS-C02 Exam Practice Questions were last updated on: Mar 08, 2025

Sample Questions for Amazon SCS-C02 Exam Preparation

Question 1

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.

Which solution will meet these requirements?

Correct : A

To address the issue of an Amazon EC2 instance receiving suspicious requests over an open TCP port, the most effective solution is to update the Network Access Control List (NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule for the specific TCP port and source IP addresses involved in the suspicious activity, the security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic filtering. This measure ensures that only legitimate traffic can reach the EC2 instance, thereby enhancing security without affecting the application's availability to other users. It's a more granular and immediate way to block specific traffic compared to modifying security group rules, which are stateful and apply at the instance level.
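
An added example, not part of the original page: a small model of how a network ACL evaluates inbound rules (ascending rule number, first match wins, implicit deny at the end), showing why the deny rule described above has to be numbered below the existing allow rule to take effect. The port, IP addresses and rule numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending rule-number order
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR of an inbound rule
    port_from: int
    port_to: int


def evaluate_inbound(rules, src_ip, dst_port):
    """Return (action, rule_number) for an inbound TCP packet.

    The first matching rule wins; a rule number of None stands for the
    implicit final deny that applies when no numbered rule matches.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = src in ipaddress.ip_network(rule.cidr)
        in_ports = rule.port_from <= dst_port <= rule.port_to
        if in_cidr and in_ports:
            return rule.action, rule.number
    return "deny", None


# Constructed sample values (documentation IP ranges, hypothetical app port).
APP_PORT = 8443
SUSPICIOUS = "203.0.113.50/32"
ALLOW_ALL = Rule(100, "allow", "0.0.0.0/0", APP_PORT, APP_PORT)

# Effective: the deny is numbered below the broad allow, so it matches first.
nacl_fixed = [Rule(90, "deny", SUSPICIOUS, APP_PORT, APP_PORT), ALLOW_ALL]

# Ineffective: the deny is numbered above the allow and is never reached.
nacl_misordered = [ALLOW_ALL, Rule(110, "deny", SUSPICIOUS, APP_PORT, APP_PORT)]

if __name__ == "__main__":
    for name, nacl in (("fixed", nacl_fixed), ("misordered", nacl_misordered)):
        for ip in ("203.0.113.50", "198.51.100.7"):
            print(name, ip, evaluate_inbound(nacl, ip, APP_PORT))
```

Because NACLs are stateless, return traffic is evaluated separately against the outbound rules; this model covers only the inbound direction.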


Question 2

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization.

The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads.

Which solution will meet these requirements?

Correct : C

To implement host-based security for Amazon EC2 instances and containers in Amazon ECR with minimal operational overhead and ensure automatic deployment and scanning for new workloads, the recommended solution is to configure a delegated administrator for Amazon Inspector within the AWS Organizations structure. By enabling Amazon Inspector for the organization and configuring it to automatically scan new member accounts, the company can ensure that all EC2 instances and ECR containers are analyzed for software vulnerabilities and unintended network exposure. Amazon Inspector will automatically assess the workloads and push findings to AWS Security Hub, providing centralized security monitoring and compliance checking. This approach ensures that as new accounts or workloads are added, they are automatically included in the security assessments, maintaining a consistent security posture across the organization with minimal manual intervention.

