AWS Certified Security - Specialty This Week Result
126+
Customers Passed
They can't be wrong
95%
Average Score
Score in Real Exam at Testing Centre
92%
Exact Questions
Questions came word by word from this dumps
At Passitcerts, we prioritize keeping our resources up to date with the latest changes in the AWS Certified Security - Specialty exam provided by Amazon. Our team actively monitors any adjustments in exam objectives, question formats, or other key updates, and we quickly revise our practice questions and study materials to reflect these changes. This dedication ensures that our clients always have access to the most accurate and current content. By using these updated questions, you can approach the AWS Certified Specialty exam with confidence, knowing you're fully prepared to succeed on your first attempt.
Passing your certification by successfully completing the AWS Certified Security - Specialty exam will open up exciting career opportunities in your field. This certification is highly respected by employers and showcases your expertise in the industry. To support your preparation, we provide genuine AWS Certified Security - Specialty questions that closely mirror those you will find in the actual exam. Our carefully curated question bank is regularly updated to ensure it aligns with the latest exam patterns and requirements. By using these authentic questions, you'll gain confidence, enhance your understanding of key concepts, and greatly improve your chances of passing the exam on your first attempt. Preparing with our reliable question bank is the most effective way to ensure success in earning your AWS Certified Specialty certification.
Many other providers include outdated questions in their materials, which can lead to confusion or failure on the actual exam. At Passitcerts, we ensure that every question in our practice tests is relevant and reflects the current exam structure, so you’re fully equipped to tackle the test. Your success in the AWS Certified Specialty exam is our top priority, and we strive to provide you with the most reliable and effective resources to help you achieve it.
SCS-C02 Dumps: Cutting-Edge Simulations, Effective Training
If you seek validation as a specialist capable of crafting and deploying security solutions within the AWS cloud, the AWS Certified Security - Specialty certification program is made for you. This specialized program caters to professionals, eager to showcase their proficiency in AWS security. Through immersive and true-to-life SCS-C02 practice tests that faithfully replicate the SCS-C02 question answers, you can dive into hands-on scenarios, profoundly understanding the SCS-C02 real exam questions and preparing yourself comprehensively for the certification journey. So, why wait? Order your SCS-C02 braindumps set and start training at the Passitcerts platform.
SCS-C02 Braindumps: A Comprehensive Question Bank
The SCS-C02 certification is designed for individuals with at least two years of practical experience in AWS security and a profound grasp of AWS workload-specific security controls. Consider using SCS-C02 dumps, which provide an extensive bank of SCS-C02 question answers spanning all exam domains, ensuring comprehensive subject matter coverage. Furthermore, the SCS-C02 real exam questions have a detailed explanation, serving as a valuable resource to reinforce your understanding and enhance your knowledge. This establishes the SCS-C02 practice test set as an exceptional option for individuals seeking to validate and enhance their expertise in AWS security.
Navigating Your Learning Journey With SCS-C02 Practice Test Personalized Study Paths
Earning the AWS Certified Security - Specialty credential showcases your ability to design, implement, and manage secure AWS applications and infrastructure. Furthermore, it boosts your appeal in the job market and increases your earning potential. At Passitcerts, you can find SCS-C02 dumps that offer AI-driven insights for targeted improvement and customizable SCS-C02 braindumps study plans. These SCS-C02 question answers empower you to use your strengths to your advantage and address weaknesses effectively. With SCS-C02 real exam questions, you'll be thoroughly prepared to conquer AWS challenges, enhancing your expertise and career prospects.
With the SCS-C02 exam, everything comes down to how you prepare. Individuals with at least five years of IT security experience and a deep understanding of AWS security services and features would understand SCS-C02 question answers style and pattern better. Various SCS-C02 dumps resources are available to help you prepare for the exam. But we recommend choosing one that helps you track your progress and identify weak spots with interactive SCS-C02 braindumps. We have tons to offer with effective and interactive resources to monitor your growth and readiness for the SCS-C02 exam.
SCS-C02 Real Exam Questions: Customer Support & Feedback Features
Amazon Web Services (AWS) designed the exam to facilitate multiple languages. The exam is available in English, French, Italian, Japanese, Korean, Portuguese, Simplified Chinese, and Spanish. If you are wondering, you can register for the exam at Pearson VUE. The exam is taken at one of their testing centers or online through a proctored exam. Our customer care service is the best support you can get with an interactive SCS-C02 dumps set. By connecting with people who understand your SCS-C02 question answers problems, you improve daily. Share your SCS-C02 braindumps experiences to benefit from SCS-C02 practice test tips and insights.
Related Exam
Passitcerts Providing most updated AWS Certified Security - Specialty Certification Question Answers. Here are a few exams:
A company's data scientists want to create artificial intelligence and machine learning(AI/ML) training models by using Amazon SageMaker. The training models will use largedatasets in an Amazon S3 bucket. The datasets contain sensitive information.On average. the data scientists need 30 days to train models. The S3 bucket has beensecured appropriately The companfs data retention policy states that all data that is olderthan 45 days must be removed from the S3 bucket.Which action should a security engineer take to enforce this data retention policy?
A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
B. Create an AWS Lambda function to check the last-modified date of the S3 objects anddelete objects that are older than 45 days. Create an S3 event notification to invoke theLambda function for each PutObject operation.
C. Create an AWS Lambda function to check the last-modified date of the S3 objects anddelete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
D. Configure S3 Intelligent-Ttering on the S3 bucket to automatically transition objects toanother storage class.
Answer: A
Explanation:
The correct answer is A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects
after 45 days.
The reason is that this is the simplest and most effective way to enforce the data retention
policy. According to the AWS documentation1, “To manage your objects so that they are
stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An
S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a
group of objects. There are two types of actions: Transition actions and Expiration actions.”
The documentation1 also states that “Expiration actions define when objects expire.
Amazon S3 deletes expired objects on your behalf.” Therefore, by configuring an S3
Lifecycle rule on the S3 bucket to delete objects after 45 days, the security engineer can
ensure that the data is removed from the S3 bucket according to the company’s policy.
The other options are incorrect because:
B. Create an AWS Lambda function to check the last-modified date of the S3
objects and delete objects that are older than 45 days. Create an S3 event
notification to invoke the Lambda function for each PutObject operation. This
option is not optimal because it requires deploying and maintaining a Lambda
function, which adds complexity and cost. Moreover, it does not guarantee that the
data is deleted exactly after 45 days, since the Lambda function is triggered only
when a new object is put into the S3 bucket. If there are no new objects for a long
period of time, the Lambda function will not run and the data will not be deleted.
C. Create an AWS Lambda function to check the last-modified date of the S3
objects and delete objects that are older than 45 days. Create an Amazon
EventBridge rule to invoke the Lambda function each month. This option is not
optimal because it requires deploying and maintaining a Lambda function, which
adds complexity and cost. Moreover, it does not guarantee that the data is deleted
exactly after 45 days, since the Lambda function is triggered only once a month. If
the data is older than 45 days but less than a month, it will not be deleted until the
next month.
D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition
objects to another storage class. This option is not sufficient to enforce the data
retention policy, because it does not delete the data from the S3 bucket. It only
moves the data to a less expensive storage class based on access patterns.
According to the AWS documentation2, “S3 Intelligent-Tiering optimizes storage
costs by automatically moving data between two access tiers, frequent access and
infrequent access, when access patterns change.” However, this feature does not
expire or delete the data after a certain period of time.
Question # 2
A company uses Amazon EC2 instances to host frontend services behind an ApplicationLoad Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to theEC2 instances. The company uses Amazon S3 buckets to store large files for images andmusic.The company has implemented a security architecture oit>AWS to prevent, identify, andisolate potential ransomware attacks. The company now wants to further reduce risk.A security engineer must develop a disaster recovery solution that can recover to normaloperations if an attacker bypasses preventive and detective controls. The solution mustmeet an RPO of 1 hour.Which solution will meet these requirements?
A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour.Create AWS CloudFormation templates that replicate existing architecture components.Use AWS CodeCommit to store the CloudFormation templates alongside applicationconfiguration code.
B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. UseAmazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPCflow logs. Use the logs for automated response.
C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logsand VPC flow logs. Use the logs for automated response Enable AWS Security Hub toestablish a single location for recovery procedures. Create AWS CloudFormation templatesthat replicate existing architecture components. Use AWS CodeCommit to store theCloudFormation templates alongside application configuration code.
D. Create EBS snapshots every 4 hours Enable Amazon GuardDuty Malware Protection.Create automation to immediately restore the most recent snapshot for any EC2 instancesthat produce an Execution:EC2/MaliciousFile finding in GuardDuty.
Answer: A
Explanation: The correct answer is A because it meets the RPO of 1 hour by creating
backups of the EC2 instances and S3 buckets every hour. It also uses AWS
CloudFormation templates to replicate the existing architecture components and AWS
CodeCommit to store the templates and the application configuration code. This way, the
security engineer can quickly restore the environment in case of a ransomware attack.
The other options are incorrect because they do not meet the RPO of 1 hour or they do not
provide a complete disaster recovery solution. Option B only creates backups of the EBS
volumes and S3 objects every day, which is not frequent enough to meet the RPO. Option
C does not create any backups of the EC2 instances or the S3 buckets, which are essential
for the frontend services. Option D only creates EBS snapshots every 4 hours, which is
also not frequent enough to meet the RPO. Additionally, option D relies on Amazon
GuardDuty to detect and respond to ransomware attacks, which may not be effective if the
attacker bypasses the preventive and detective controls.
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealedthat CloudTrail is failing to deliver events to Amazon S3 as expected.What initial actions should be taken to allow delivery of CloudTrail events to S3? (SelectTWO.)
A. Verify thattheS3 bucket policy allows CloudTrail to write objects.
B. Verify thatthe1AM role used by CloudTrail has access to write to Amazon CloudWatchLogs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 GlacierFlexible Retrieval.
D. Verify thattheS3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Answer: A,D
Explanation:
To resolve CloudTrail's failure to deliver events to S3, verifying the S3 bucket policy for
CloudTrail's write permissions (A) and ensuring the existence of the specified S3 bucket
(D) are critical initial steps. These actions ensure that CloudTrail has the necessary
permissions and a valid destination for log file delivery, addressing common configuration
issues that can interrupt event logging.c
Question # 4
A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicatesthat the EC2 instance is receiving a suspicious number of requests over an open TCP portfrom an external source. The TCP port remains open for long periods of time.The company's security team needs to stop all activity to this port from the external sourceto ensure that the EC2 instance is not being compromised. The application must remainavailable to other users.Which solution will mefet these requirements?
A. Update the network ACL that is attached to the subnet that is associated with the EC2instance. Add a Deny statement for the port and the source IP addresses.
B. Update the elastic network interface security group that is attached to the EC2 instanceto remove the port from theinbound rule list.
C. Update the elastic network interface security group that is attached to the EC2 instanceby adding a Deny entry in the inbound list for the port and the sourceIP addresses.
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance toprevent data from being removed.
Answer: A
Explanation:
To address the issue of an Amazon EC2 instance receiving suspicious requests over an
open TCP port, the most effective solution is to update the Network Access Control List
(NACL) associated with the subnet where the EC2 instance resides. By adding a deny rule
for the specific TCP port and source IP addresses involved in the suspicious activity, the
security team can effectively block unwanted traffic at the subnet level. NACLs act as a stateless firewall for controlling traffic in and out of subnets, allowing for broad-based traffic
filtering. This measure ensures that only legitimate traffic can reach the EC2 instance,
thereby enhancing security without affecting the application's availability to other users. It's
a more granular and immediate way to block specific traffic compared to modifying security
group rules, which are stateful and apply at the instance level.
Question # 5
A company is running an application on Amazon EC2 instances in an Auto Scaling group.The application stores logs locally. A security engineer noticed that logs were lost after ascale-in event. The security engineer needs to recommend a solution to ensure thedurability and availability of log data All logs must be kept for a minimum of 1 year forauditing purposes. What should the security engineer recommend?
A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon ElasticBlock Store (Amazon EBS) log volume each time an EC2 instance is created. When theinstance is terminated, the EBS volume can be reattached to another instance for logreview.
B. Create an Amazon Elastic File System (Amazon EFS) file system and add a commandin the user data section of the Auto Scaling launch template to mount the EFS file systemduring EC2 instance creation. Configure a process on the instance to copy the logs once aday from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory inthe EFS file system.
C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group.Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review,
D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon SimpleNotification Service (Amazon SNS). Configure the hook to remain in the Terminating:Waitstate for 1 hour to allow manual review of the security logs prior to instance termination.
Answer: C
Explanation:
Option C is the best solution to ensure the durability and availability of log data from EC2
instances in an Auto Scaling group. By using an Amazon CloudWatch agent, the logs can
be sent to Amazon CloudWatch Logs, which is a fully managed service that can store,
monitor, and analyze log data. CloudWatch Logs also allows you to set retention policies
for your log groups, so you can keep the logs for a minimum of 1 year for auditing
purposes. CloudWatch Logs also supports encryption, access control, and compliance
features to protect your log data12
Question # 6
A company has AWS accounts in an organization in AWS Organizations. The companyneeds to install a corporate software package on all Amazon EC2 instances for all theaccounts in the organization.A central account provides base AMIs for the EC2 instances. The company uses AWSSystems Manager for software inventory and patching operations.A security engineer must implement a solution that detects EC2 instances ttjat do not havethe required software. The solution also must automatically install the software if thesoftware is not present.Which solution will meet these requirements?
A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIsto indicate that the AMIs have the required software. Configure an SCP that allows newEC2 instances to be launched only if the instances have the tagged AMIs. Tag all existingEC2 instances.
B. Configure a custom patch baseline in Systems Manager Patch Manager. Add thepackage name for the required software to the approved packages list. Associate the newpatch baseline with all EC2 instances. Set up a maintenance window for softwaredeployment.
C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-requiredAWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWSConfig events. Configure the EventBridge rule to invoke an AWS Lambda function thatuses Systems Manager Run Command to install the required software.
D. Create a new Systems Manager Distributor package for the required software. Specifythe download location. Select all EC2 instances in the different accounts. Install thesoftware by using Systems Manager Run Command.
Answer: C
Explanation:
Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstanceapplications-
required) enables detection of EC2 instances lacking the required software
across all accounts in an organization. By creating an Amazon EventBridge rule that
triggers on AWS Config events, and configuring it to invoke an AWS Lambda function,
automated actions can be taken to ensure compliance. The Lambda function can leverage
AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation,
aligning with best practices for cloud security and management.
Question # 7
A company uses HTTP Live Streaming (HL'S) to stream live video content to payingsubscribers by using Amazon CloudFront. HLS splits the video content into chunks so thatthe user can request the right chunk based on different conditions. Because the videoevents last for several hours, the total video is made up of thousands of chunks.The origin URL is not disclosed, and every user is forced to access the CloudFront URL.The company has a web application that authenticates the paying users against aninternal repository and a CloudFront key pair that is already issued.What is the simplest and MOST effective way to protect the content?
A. Develop the application to use the CloudFront key pair to set the signed cookies thatusers will use to access the content.
B. Develop the application to issue a security token that Lambda@Edge will receive toauthenticate and authorize access to the content
C. Keep the CloudFront URL encrypted inside the application, and use AWS KMS toresolve the URL on-the-fly after the user is authenticated.
Answer: B
Explanation:
Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS
video content for paying subscribers. Signed cookies provide access control for multiple
files, such as video chunks in HLS streaming, without the need to generate a signed URL
for each video chunk. This method simplifies the process for long video events with
thousands of chunks, enhancing user experience while ensuring content protection.
Question # 8
A company hosts an application on Amazon EC2 instances. The application also usesAmazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behindan Application Load Balancer (ALB) and scales with AWS Auto Scaling.The company’s security policy requires the use of least privilege access, which has beenapplied to all existing AWS resources. A security engineer needs to implement privateconnectivity to AWS services.Which combination of steps should the security engineer take to meet this requirement?(Select THREE.)
A. A. Use an interface VPC endpoint for Amazon SQS
B. B. Configure a connection to Amazon S3 through AWS Transit Gateway.
C. C. Use a gateway VPC endpoint for Amazon S3.
D. D. Modify the 1AM role applied to the EC2 instances in the Auto Scaling group to allowoutbound traffic to the interface endpoints.
E. E. Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resourcesthat the application uses
F. F. Configure a connection to Amazon S3 through AWS Firewall Manager
Answer: A,C,E
Explanation:
The correct answer is A, C, and E because they provide the most secure and efficient way
to implement private connectivity to AWS services. Using interface VPC endpoints for
Amazon SQS and gateway VPC endpoints for Amazon S3 allows the application to access
these services without using public IP addresses or internet gateways. Modifying the
endpoint policies on all VPC endpoints enables the security engineer to specify the SQS
and S3 resources that the application uses and restrict access to other resources.
The other options are incorrect because they do not provide private connectivity to AWS
services or they introduce unnecessary complexity or cost. Option B is incorrect because
AWS Transit Gateway is used to connect multiple VPCs and on-premises networks, not to
connect to AWS services. Option D is incorrect because modifying the IAM role applied to
the EC2 instances is not sufficient to allow outbound traffic to the interface endpoints. The
security group and route table associated with the interface endpoints also need to be
configured. Option F is incorrect because AWS Firewall Manager is used to centrally
manage firewall rules across multiple accounts and resources, not to connect to AWS
services.
Reference: AWS PrivateLink, VPC Endpoints, Endpoint Policies for Interface Endpoints
Question # 9
A company operates a web application that runs on Amazon EC2 instances. Theapplication listens on port 80 and port 443. The company uses an Application LoadBalancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the applicationinstances only on port 80.The ALB is in public subnets that are associated with a network ACL that is named NACL1.The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance thatuses port 5432 is in a dedicated private subnet that is associated with a network ACL thatis named NACL3. All the network ACLs currently allow all inbound and outbound traffic.Which set of network ACL changes will increase the security of the application whileensuring functionality?
A. Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from NACL2.• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.• Remove the default rules that allow all inbound and outbound traffic.
B. Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the applicationinstance subnets.• Add a rule that allows outbound traffic on ports 1024-65536 to the application instancesubnets.• Remove the default rules that allow all inbound and outbound traffic.
C. Make the following changes to NACL2:• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDSsubnets.• Remove the default rules that allow all inbound and outbound traffic.
D. Make the following changes to NACL2:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDSsubnets.• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
Answer: B
Explanation:
For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic
on port 5432 from the CIDR blocks of the application instance subnets, and allowing
outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure
path for database access. Removing default allow-all rules enhances security by
implementing the principle of least privilege, ensuring that only necessary traffic is
permitted.
Question # 10
An AWS Lambda function was misused to alter data, and a security engineer must identifywho invoked the function and what output was produced. The engineer cannot find anylogs create^ by the Lambda function in Amazon CloudWatch Logs.Which of the following explains why the logs are not available?
A. The execution role for the Lambda function did not grant permissions to write log data toCloudWatch Logs.
B. The Lambda function was invoked by using Amazon API Gateway, so the logs are notstored in CloudWatch Logs.
C. The execution role for the Lambda function did not grant permissions to write to theAmazon S3 bucket where CloudWatch Logs stores the logs.
D. The version of the Lambda function that was invoked was not current.
Answer: A
Question # 11
A company that uses AWS Organizations is using AWS 1AM Identity Center (AWS SingleSign-On) to administer access to AWS accounts. A security engineer is creating a custompermission set in 1AM Identity Center. The company will use the permission set acrossmultiple accounts. An AWS managed policy and a customer managed policy are attachedto the permission set. The security engineer has full administrative permissions and isoperating in the management account.When the security engineer attempts to assign the permission set to an 1AM IdentityCenter user who has access to multiple accounts, the assignment fails.What should the security engineer do to resolve this failure?
A. Create the customer managed policy in every account where the permission set isassigned. Give the customer managed policy the same name and same permissions ineach account.
B. Remove either the AWS managed policy or the customer managed policy from thepermission set. Create a second permission set that includes the removed policy. Apply thepermission sets separately to the user.
C. Evaluate the logic of the AWS managed policy and the customer managed policy.Resolve any policy conflicts in the permission set before deployment.
D. Do not add the new permission set to the user. Instead, edit the user's existingpermission set to include the AWS managed policy and the customer managed policy.
"Before you assign your permission set with IAM policies, you must prepare your member
account. The name of an IAM policy in your member account must be a case-sensitive
match to name of the policy in your management account. IAM Identity Center fails to
assign the permission set if the policy doesn't exist in your member account."
Question # 12
A company suspects that an attacker has exploited an overly permissive role to exportcredentials from Amazon EC2 instance metadata. The company uses Amazon GuardDutyand AWS Audit Manager. The company has enabled AWS CloudTrail logging and AmazonCloudWatch logging for all of its AWS accounts. A security engineer must determine if the credentials were used to access the company'sresources from an external account.Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to findInstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service(AWS STS) that come from an acount ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security TokenService (AWS STS) that come from an account ID from outside the company.
Answer: A
Explanation:
The correct answer is A because GuardDuty can detect and alert on EC2 instance
credential exfiltration events. These events indicate that the credentials obtained from the
EC2 instance metadata service are being used from an IP address that is owned by a
different AWS account than the one that owns the instance1. GuardDuty can also provide
details such as the source and destination IP addresses, the AWS account ID of the
attacker, and the API calls made using the exfiltrated credentials2.
The other options are incorrect because they do not provide the information needed to
determine if the credentials were used to access the company’s resources from an external
account. Option B is incorrect because Audit Manager does not generate
InstanceCredentialExfiltration events. Audit Manager is a service that helps you
continuously audit your AWS usage to simplify how you assess risk and compliance with
regulations and industry standards3. Option C is incorrect because CloudTrail logs do not
show the account ID of the caller for GetSessionToken API calls to AWS STS. CloudTrail
logs show the account ID of the identity whose credentials were used to call the API4.
Option D is incorrect because CloudWatch logs do not show the GetSessionToken API
calls to AWS STS by default. CloudWatch logs can show the API calls made by AWS
Lambda functions, Amazon API Gateway, and other AWS services that integrate with
CloudWatch5.
Reference: InstanceCredentialExfiltration, Amazon GuardDuty Enhances Detection of EC2
Instance Credential Exfiltration, What Is AWS Audit Manager?, Logging AWS STS API
Calls with AWS CloudTrail, What Is Amazon CloudWatch Logs?
Question # 13
A security team is working on a solution that will use Amazon EventBridge (AmazonCloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor forpublic access and for changes to any S3 bucket policy or setting that result in publicaccess. The security team configures EventBridge to watch for specific API calls that arelogged from AWS CloudTrail. EventBridge has an action to send an email notificationthrough Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl,s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. Whiledeveloping the solution in a single account, the security team discovers that thes3:PutObjectAcl API call does not invoke an EventBridge event. However, thes3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.The security team has enabled CloudTrail for AWS management events with a basicconfiguration in the AWS Region in which EventBridge is being tested. Verification of theEventBridge event pattern indicates that the pattern is set up correctly. The security teammust implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridgeevent. The solution must not generate false notifications.Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as theevent type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket LevelOperations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
Answer: D
Explanation:
The correct answer is D. Enable CloudTrail to monitor data events for read and write
operations to S3 buckets. According to the AWS documentation1, CloudTrail data events are the resource operations
performed on or within a resource. These are also known as data plane operations. Data
events are often high-volume activities. For example, Amazon S3 object-level API activity
(such as GetObject, DeleteObject, and PutObject) is a data event.
By default, trails do not log data events. To record CloudTrail data events, you must
explicitly add the supported resources or resource types for which you want to collect
activity. For more information, see Logging data events in the Amazon S3 User Guide2.
In this case, the security team wants EventBridge to watch for the s3:PutObjectAcl API
invocation logs from CloudTrail. This API uses the acl subresource to set the access
control list (ACL) permissions for a new or existing object in an S3 bucket3. This is a data
event that affects the S3 object resource type. Therefore, the security team must enable
CloudTrail to monitor data events for read and write operations to S3 buckets in order to
invoke an EventBridge event for this API call. The other options are incorrect because:
A. Modifying the EventBridge event pattern by selecting Amazon S3 and All
Events as the event type will not capture the s3:PutObjectAcl API call, because
this is a data event and not a management event. Management events provide
information about management operations that are performed on resources in your
AWS account. These are also known as control plane operations4.
B. Modifying the EventBridge event pattern by selecting Amazon S3 and Bucket
Level Operations as the event type will not capture the s3:PutObjectAcl API call,
because this is a data event that affects the S3 object resource type and not the
S3 bucket resource type. Bucket level operations are management events that
affect the configuration or metadata of an S3 bucket5.
C. Enabling CloudTrail Insights to identify unusual API activity will not help the
security team monitor new S3 objects or changes to any S3 bucket policy or
setting that result in public access. CloudTrail Insights helps AWS users identify
and respond to unusual activity associated with API calls and API error rates by
continuously analyzing CloudTrail management events6. It does not analyze data
6: Logging Insights events for trails - AWS CloudTrail
Question # 14
A company runs an online game on AWS. When players sign up for the game, theirusername and password credentials are stored in an Amazon Aurora database.The number of users has grown to hundreds of thousands of players. The number ofrequests for password resets and login assistance has become a burden for the company’scustomer service team.The company needs to implement a solution to give players another way to log in to thegame. The solution must remove the burden of password resets and login assistance whilesecurely protecting each player's credentials.Which solution will meet these requirements?
A. When a new player signs up, use an AWS Lambda function to automatically create an1AM access key and a secret access key. Program the Lambda function to store thecredentials on the player's device. Create 1AM keys for existing players. B Migrate the player credentials from the Aurora database to AWS Secrets Manager. Whena new player signs up. create a key-value pair in Secrets Manager for the player's user IDand password.
B. Configure Amazon Cognito user pools to federate access to the game with third-partyidentity providers (IdPs), such as social IdPs Migrate the game's authentication mechanismto Cognito.
C. Instead of using usernames and passwords for authentication, issue API keys to newand existing players. Create an Amazon API Gateway API to give the game client accessto the game's functionality.
Answer: C
Explanation:
The best solution to meet the company's requirements of offering an alternative login
method while securely protecting player credentials and reducing the burden of password
resets is to use Amazon Cognito with user pools. Amazon Cognito provides a fully
managed service that facilitates the authentication, authorization, and user management
for web and mobile applications. By configuring Amazon Cognito user pools to federate
access with third-party Identity Providers (IdPs), such as social media platforms or Google,
the company can allow users to sign in through these external IdPs, thereby eliminating the
need for traditional username and password logins. This not only enhances user
convenience but also offloads the responsibility of managing user credentials and the
associated challenges like password resets to Amazon Cognito, thereby reducing the
burden on the company's customer service team. Additionally, Amazon Cognito integrates
seamlessly with other AWS services and follows best practices for security and
compliance, ensuring that the player's credentials are protected.
Question # 15
A company wants to receive automated email notifications when AWS access keys fromdeveloper AWS accounts are detected on code repository sites.Which solution will provide the required email notifications?
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service(Amazon SNS) email notifications for Amazon GuardDutyUnauthorizedAccesslAMUser/lnstanceCredentialExfiltration OutsideAWS findings.
B. Change the AWS account contact information for the Operations type to a separateemail address. Periodically poll this email address for notifications.
C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a valueof Risk for the service category Configure email notifications by using Amazon SimpleNotification Service (Amazon SNS).
D. D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configuremonitoring for ConsoleLogin events in the AWS Management Console. Configure emailnotifications from the anomaly detection software.
Answer: A
Explanation: The solution to receiving automated email notifications when AWS access
keys are detected on code repository sites is to use Amazon EventBridge with Amazon
GuardDuty findings. Specifically, creating an EventBridge rule that targets Amazon
GuardDuty findings, particularly the
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type, allows for
the detection of potential unauthorized use or exposure of AWS credentials. When such a
finding is detected, EventBridge can then trigger an action to send a notification via
Amazon Simple Notification Service (Amazon SNS). By configuring an SNS topic to send
emails, stakeholders can be promptly informed of such security incidents. This approach
leverages AWS's native security and monitoring services to provide timely alerts with minimal operational overhead, ensuring that the company can respond quickly to potential
I am writing this AWS Certified Security Specialty Review to appreciate how much the SCS-C02 practice test has done for me. Thanks to the SCS-C02 Exam Insights and excellent guidelines from passitcerts, I not only passed but excelled in my exam.
Connor Murphy
Apr 21, 2025
Thanks a lot, Passitcerts, for these exceptional AWS SCS-C02 Test Prep. The detailed AWS Security Specialty Exam Feedback also helped me understand where I needed to improve so I could improve within time. The SCS-C02 dumps are a must-have for all serious candidates.
Carter Walker
Apr 21, 2025
I can’t thank passitcerts enough for their support and insights into the Advanced AWS Security Concepts. The SCS-C02 Practice Questions were exactly what I needed to enlighten my learning. The details about the format, the solutions discussed, and the practical and applicable tips all led to my success.
Leo Chan
Apr 20, 2025
The AWS Security Certification Guide by passitcerts proved a gem in my training. The superb SCS-C02 Exam Tips made even the challenging objectives seem like a piece of cake. Thanks for your excellent support guys!
Oliver Li
Apr 20, 2025
Passing the exam was so easy with the support of the AWS Security Specialty Study Material. Passitcerts made the AWS Security Best Practices essential in the training. The way SCS-C02 braindumps mirrored the actual exam questions was impressive too. If anyone wants to pass the exam in one go, this is the place they should be at.
Arjun Ganesan
Apr 19, 2025
Pass the AWS Security Specialty Exam with invaluable AWS Security Solutions insights and techniques. Learning from the best resource there is, Passitcerts. I nailed my exam at the very first attempt, thanks to passitcerts guys. Believe me when I say you can do it too.
Bahadur Narasimhan
Apr 19, 2025
The SCS-C02 Security Challenges I faced were more than what I had anticipated. However, the passitcerts’ inclusion of AWS Data Protection Techniques in their SCS-C02 practice test saved me from the embarrassment of failure. Thanks to them, I am now a successful AWS professional.
Mohit Sarraf
Apr 18, 2025
The passitcerts introduced the perfect AWS Security Specialty Learning Path. The plan was thorough, enlightening, and instrumental to my success. Trust no other than the Passitcerts SCS-C02 Certification Study Guide to get you an A Score.
Habib Shanker
Apr 18, 2025
This SCS-C02 Security Solutions Review is proof the Passitcerts latest SCS-C02 braindumps are second to none. The study material here is top-notch, covering everything necessary, and is an absolute must-buy resource. Consider the SCS-C02 practice test for a perfect roadmap to success.
Fernando Cortés
Apr 17, 2025
The SCS-C02 study material is very impressive. They have fully covered tough subjects like AWS Security Compliance and AWS Security Technologies. Passitcerts did a great job intimating the SCS-C02 Exam Format. Thanks to that, I passed my exam with flying colors.
I am writing this AWS Certified Security Specialty Review to appreciate how much the SCS-C02 practice test has done for me. Thanks to the SCS-C02 Exam Insights and excellent guidelines from passitcerts, I not only passed but excelled in my exam.
Thanks a lot, Passitcerts, for these exceptional AWS SCS-C02 Test Prep. The detailed AWS Security Specialty Exam Feedback also helped me understand where I needed to improve so I could improve within time. The SCS-C02 dumps are a must-have for all serious candidates.
I can’t thank passitcerts enough for their support and insights into the Advanced AWS Security Concepts. The SCS-C02 Practice Questions were exactly what I needed to enlighten my learning. The details about the format, the solutions discussed, and the practical and applicable tips all led to my success.
The AWS Security Certification Guide by passitcerts proved a gem in my training. The superb SCS-C02 Exam Tips made even the challenging objectives seem like a piece of cake. Thanks for your excellent support guys!
Passing the exam was so easy with the support of the AWS Security Specialty Study Material. Passitcerts made the AWS Security Best Practices essential in the training. The way SCS-C02 braindumps mirrored the actual exam questions was impressive too. If anyone wants to pass the exam in one go, this is the place they should be at.
Pass the AWS Security Specialty Exam with invaluable AWS Security Solutions insights and techniques. Learning from the best resource there is, Passitcerts. I nailed my exam at the very first attempt, thanks to passitcerts guys. Believe me when I say you can do it too.
The SCS-C02 Security Challenges I faced were more than what I had anticipated. However, the passitcerts’ inclusion of AWS Data Protection Techniques in their SCS-C02 practice test saved me from the embarrassment of failure. Thanks to them, I am now a successful AWS professional.
The passitcerts introduced the perfect AWS Security Specialty Learning Path. The plan was thorough, enlightening, and instrumental to my success. Trust no other than the Passitcerts SCS-C02 Certification Study Guide to get you an A Score.
This SCS-C02 Security Solutions Review is proof the Passitcerts latest SCS-C02 braindumps are second to none. The study material here is top-notch, covering everything necessary, and is an absolute must-buy resource. Consider the SCS-C02 practice test for a perfect roadmap to success.
The SCS-C02 study material is very impressive. They have fully covered tough subjects like AWS Security Compliance and AWS Security Technologies. Passitcerts did a great job intimating the SCS-C02 Exam Format. Thanks to that, I passed my exam with flying colors.