Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

SCS-C02 Exam Dumps : AWS Certified Security - Specialty

PDF
SCS-C02 pdf
 Real Exam Questions and Answer
 Last Update: Jul 10, 2025
 Question and Answers: 417 With Explanation
 Compatible with all Devices
 Printable Format
 100% Pass Guaranteed
$29.75  $84.99
SCS-C02 exam
PDF + Testing Engine
SCS-C02 PDF + engine
 Both PDF & Practice Software
 Last Update: Jul 10, 2025
 Question and Answers: 417
 Discount Offer
 Download Free Demo
 24/7 Customer Support
$47.25  $134.99
Testing Engine
SCS-C02 Engine
 Desktop Based Application
 Last Update: Jul 10, 2025
 Question and Answers: 417
 Create Multiple Test Sets
 Questions Regularly Updated
  90 Days Free Updates
  Windows and Mac Compatible
$35  $99.99

Verified By IT Certified Experts

CertsTopics.com Certified Safe Files

Up-To-Date Exam Study Material

99.5% High Success Pass Rate

100% Accurate Answers

Instant Downloads

Exam Questions And Answers PDF

Try Demo Before You Buy

Certification Exams with Helpful Questions And Answers

What our customers are saying

Micronesia certstopics Micronesia
Abequa
Jul 4, 2025
I owe my SCS-C02 success to certstopics.com. Their verified questions and answers are gold. A competent team of experts indeed!

AWS Certified Security - Specialty Questions and Answers

Question 1

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAMLambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

Options:

A.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

B.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

C.

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

D.

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Buy Now
Question 2

A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible.

Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

Options:

A.

Turn on VPC Flow Logs for all VPCs in the account.

B.

Activate Amazon GuardDuty across all AWS Regions.

C.

Activate Amazon Detective across all AWS Regions.

D.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the find-ings to the SNS topic.

E.

Create an AWS Lambda function. Create an Amazon EventBridge rule that in-vokes the Lambda function to publish findings to Amazon Simple Email Ser-vice (Amazon SES).

Question 3

A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.

All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)

Options:

A.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's managementaccount to write to the S3 bucket.

B.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.

C.

In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.

D.

Create an AWS Cloud Trail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.

E.

Turn on AWS CloudTrail in each account. Configure logs to be delivered to an Amazon S3 bucket that is created in the organization's management account. Forward the logs to the S3 bucket in the dedicated security account by using AWS Lambda and Amazon Kinesis Data Firehose.