AWS Certified Security – Specialty
AWS Certified Security – Specialty validates your expertise in creating and implementing security solutions in the AWS Cloud. This certification also validates your understanding of specialized data classifications and AWS data protection mechanisms; data-encryption methods and AWS mechanisms to implement them; and secure internet protocols and AWS mechanisms to implement them.
Exam overview
Category: Specialty
Exam format: 65 questions, either multiple choice or multiple response
Cost: USD. Visit Exam pricing for additional cost information, including foreign exchange rates
Duration: 170 minutes (approximately 3 hours)
Question Type: Multiple choice and multiple response
Passing Score: 750 on a scaled score of 100-1000
Validity: 3 years
Prepare for the exam
Go from start to certified. Follow our Exam Prep Plan on AWS Skill Builder, our online learning center, so you can approach exam day with confidence.
1 Get to know the exam with exam-style questions
Follow the 4-step plan.
Review the exam guide.
2 Refresh your AWS Knowledge and skills
Enroll in digital courses where you need to fill gaps in knowledge and skills, practice with AWS Builder Labs, AWS Cloud Quest, and AWS Jam.
3 Review and practice for your exam
Review the scope of the exam. Explore each exam domain’s topics and how they align to AWS services. Reinforce your knowledge and identify learning gaps with exam-style questions and flashcards. Follow instructors as they walk through exam-style questions and provide test-taking strategies. Continue practicing with AWS Builder Labs and/or AWS SimuLearn.
4 Assess your exam readiness
Take the AWS Certification Official Practice Exam.
The AWS Certified Security – Specialty (SCS-C02) exam is a specialty-level certification that validates proficiency in securing AWS workloads. It consists of 65 multiple-choice and multiple-response questions and has a duration of 170 minutes. The exam is offered in multiple languages, including English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Simplified Chinese, and Spanish (Latin America). A passing score is 750 out of 1000.
Here’s a more detailed breakdown:
Exam Format and Information:
Exam Domains:
The SCS-C02 exam covers the following six domains:
Threat Detection and Incident Response: 14%
Security Logging and Monitoring: 18%
Infrastructure Security: 20%
Identity and Access Management: 16%
Data Protection: 18%
Management and Security Governance: 14%
Sample Question and Answers
QUESTION 1
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire.
What is the best way to achieve this? Please select:
A. Enable server-side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
B. Use the AWS Encryption CLI to encrypt the data first.
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable client encryption for the bucket.
Answer: B
Explanation:
One can use the AWS Encryption CLI to encrypt the data before sending it across to the S3 bucket.
Options A and C are invalid because this would still mean that data is transferred in plain text.
Option D is invalid because you cannot just enable client-side encryption for the S3 bucket.
For more information on encrypting and decrypting data, please visit the below URL:
https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cl
The correct answer is: Use the AWS Encryption CLI to encrypt the data first.
QUESTION 2
Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security
groups attached to them. You need to ensure that changes to the security groups are noted and
acted on accordingly. How can you achieve this? Please select:
A. Use CloudWatch Logs to monitor the activity on the security groups. Use filters to search for the changes and use SNS for the notification.
B. Use CloudWatch metrics to monitor the activity on the security groups. Use filters to search for the changes and use SNS for the notification.
C. Use AWS Inspector to monitor the activity on the security groups. Use filters to search for the changes and use SNS for the notification.
D. Use CloudWatch Events to be triggered for any changes to the security groups. Configure the Lambda function for email notification as well.
Answer: D
Explanation:
The below diagram from an AWS blog shows how security groups can be monitored.
Option A is invalid because you need to use Cloudwatch Events to check for chan,
Option B is invalid because you need to use Cloudwatch Events to check for chang
Option C is invalid because AWS Inspector is not used to monitor the activity on security groups.
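As an added illustration (not part of the original question set), this is an Amazon EventBridge (formerly CloudWatch Events) event pattern that matches security group changes recorded by CloudTrail; the rule's target would be the Lambda function that sends the notification. It assumes a CloudTrail trail is logging management events in the Region.

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress",
      "RevokeSecurityGroupIngress",
      "RevokeSecurityGroupEgress",
      "ModifySecurityGroupRules",
      "CreateSecurityGroup",
      "DeleteSecurityGroup"
    ]
  }
}
```

Each matched event carries the caller identity and the affected group in `detail.userIdentity` and `detail.requestParameters`, which is what the notification or an automated revert would act on.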
For more information on monitoring security groups, please visit the below URL:
QUESTION 3
Your company has just set up a new central server in a VPC. There is a requirement for other teams
who have their servers located in different VPCs in the same region to connect to the central server.
Which of the below options is best suited to achieve this requirement? Please select:
A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
B. Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
C. Set up an IPsec tunnel between the central server VPC and each of the teams' VPCs.
D. None of the above options will work.
Answer: A
Explanation:
A VPC peering connection is a networking connection between two VPCs that enables you to route
traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can
communicate with each other as if they are within the same network. You can create a VPC peering
connection between your own VPCs, or with a VPC in another AWS account within a single region.
Options B and C are invalid because you need to use VPC peering.
Option D is invalid because VPC peering is available.
For more information on VPC Peering please see the below Link:
QUESTION 4
There is a requirement for a company to transfer large amounts of data between AWS and an on-premise
location. There is an additional requirement for low latency and high consistency traffic to AWS.
Given these requirements, how would you design a hybrid architecture? Choose the correct
answer from the options below. Please select:
A. Provision a Direct Connect connection to an AWS region using a Direct Connect partner.
B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.
D. Create a VPC peering connection between AWS and the customer gateway.
Answer: A
Explanation:
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to
AWS. Using AWS Direct Connect you can establish private connectivity between AWS and your
datacenter, office, or colocation environment, which in many cases can reduce your network costs,
increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.
Options B and C are invalid because these options will not reduce network latency.
Option D is invalid because this is only used to connect 2 VPCs.
For more information on AWS Direct Connect, just browse to the below URL:
The correct answer is: Provision a Direct Connect connection to an AWS region using a Direct Connect
partner.
QUESTION 5
Which of the following bucket policies will ensure that objects being uploaded to a bucket called
‘demo’ are encrypted?
Please select:
A.
B.
C.
D.
Answer: A
Explanation:
The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.
Options B, C and D are invalid because you have to ensure the condition of "s3:x-amz-server-side-encryption":"aws:kms" is present.
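The answer options are not reproduced on this page, so the following is an added example rather than option A: a bucket policy for the bucket `demo` built on the condition key named in the explanation. The first statement denies uploads whose encryption header is anything other than `aws:kms`; the second makes the rejection of uploads with no encryption header explicit. The `Sid` names are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWrongEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

With this policy, uploads that request `AES256` (SSE-S3) or omit the header are rejected, even if the bucket has default encryption configured.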
For more information on AWS KMS best practices, just browse to the below URL:
QUESTION 6
A company’s AWS account consists of approximately 300 IAM users. Now there is a mandate that an
access change is required for 100 IAM users to have unlimited privileges to S3. As a system
administrator, how can you implement this effectively so that there is no need to apply the policy at
the individual user level? Please select:
A. Create a new role and add each user to the IAM role.
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
C. Create a policy and apply it to multiple users using a JSON script.
D. Create an S3 bucket policy with unlimited access which includes each user’s AWS account ID.
Answer: B