To pass the AWS SCS-C02 Security Specialty exam, I covered one course, the AWS best-practice FAQs, the AWS Skill Builder readiness test, and the security learning path, which provides video guides to best practices across different services.
This certification validates your understanding of specialized data classifications and AWS data protection mechanisms; data-encryption methods and the AWS mechanisms that implement them; and secure internet protocols and the AWS mechanisms that implement them.
AWS recommends five years of IT security experience designing and implementing security solutions and at least two years of hands-on experience securing AWS workloads. This is only a recommendation, not a requirement; you can still prepare for the exam without it.
You need to know AWS at the level of a solutions architect.
My Comprehensive Study Approach
My comprehensive study approach to clearing the AWS Security Specialty SCS-C02 exam includes the following guides and documents.
Time is sufficient if you understand the format and know how to identify the correct answers using techniques such as elimination and keyword recognition, which are explained in the Exam Readiness materials. I finished my exam in 110 minutes and then spent an additional 50 minutes on review.
The exam is comparatively simple when set against the DevOps exam, as it is not excessively technical. Each topic, except the policy domain, generally gets 1-2 questions, along with questions that combine several domains.
In my exam there were 11 questions with 2 correct choices, 5 questions with 3 correct choices, and the remaining questions were single-choice.
Use the provided paper and pencil efficiently, as you might run out of space: only a single sheet is given, and it is particularly useful for sketching architectures.
If a question is taking too much time, flag it and move on. The next question might be easier, and you can return to flagged questions before the end of the exam.
The exam demands your full concentration, so make sure to rest well and stay calm before the exam day.
While eliminating options, asking "why not" is more useful than asking "why": find the detail that rules an option out.
You will receive the exam result via email. If you pass, you will receive an email from Credly about your new badge the same day or the next. AWS provides the score within 5 working days, and it is also visible in your AWS Certification portal.
Real questions from the exam
Please note that all of these are from memory. Four questions that are available on ExamTopics also appeared in the exam.
Q – A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)
A. The external ID used by the Auditor is missing or incorrect.
B. The Auditor is using the incorrect password.
C. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
D. The Amazon EC2 role used by the Auditor must be set to the destination account role.
E. The secret key used by the Auditor is missing or incorrect.
F. The role ARN used by the Auditor is missing or incorrect.
Source: Exam Topics, and it appeared in the exam paper.
Q – A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
A. Create a custom authorization service using AWS Lambda.
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
D. Configure an Amazon Cognito identity pool to integrate with social login providers.
E. Update DynamoDB to store the user email addresses and passwords.
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Source: Exam Topics
Q – A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
C. Configure automatic rotation of credentials in AWS Secrets Manager.
D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Source: Exam Topics
Q – The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
B. Review the application security groups to ensure that only the necessary ports are open.
C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
D. Use Amazon Inspector to periodically scan the backend instances.
E. Use AWS Key Management Service to encrypt all the traffic between the client and application servers.
Source: Exam Topics
Q – A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:
- Users may access the website only through an Amazon CloudFront distribution.
- Access is restricted for a particular country.
Relates to – two options differed only in whether they restricted viewer access (keeping the bucket reachable only through CloudFront) or applied CloudFront geo-restriction.
Q – A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Relates to – the best process uses AWS Config (the access-keys-rotated managed rule with a maxAccessKeyAge of 90 days) with an automated remediation.
Q – Which of the following options should the Security Engineer use for secure payment processing?
Relates to – a Nitro Enclaves instance for payment cryptography.
Q – A Lambda function must launch in the customer VPC and needs access to the Systems Manager (SSM) service to fetch a credential. How does it get access to SSM?
Relates to – VPC endpoints (an interface endpoint for SSM, so the function does not need a route to the Internet).
Q – While creating an image with EC2 Image Builder: Error "AccessDenied: Access Denied status code: 403"
Relates to – make sure the following managed policies are attached to your instance profile role: AmazonSSMManagedInstanceCore, EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds. Also add a policy to the instance profile role granting s3:PutObject on the logging bucket.
Q – The question was based on active monitoring of a DDoS event.
Relates to – it can be done through the CloudWatch metrics that AWS Shield publishes under an AWS Shield Advanced subscription.
Q – Cost-effective operation so that data does not get changed; related to Glacier Vault Lock policy.
Relates to – direct upload to a Glacier vault and apply a Vault Lock policy, or upload to S3, transition to Glacier, and apply the lock policy. Note that Vault Lock applies only to vaults in the standalone S3 Glacier service; objects transitioned from S3 to the Glacier storage classes remain S3 objects and are protected with S3 Object Lock instead.
Q – S3 lock policy: compliance requires that the data cannot be changed for a time period.
Relates to – S3 Object Lock: governance mode vs compliance mode. Governance-mode retention can be overridden by a principal with s3:BypassGovernanceRetention; compliance-mode retention cannot be shortened or removed by anyone, including the root user, until it expires.
Q – Two questions were based on bucket policies, with access restricted or allowed on the basis of the bucket policy, same account and cross account.
Relates to – Deny vs Allow with NotAction.
Q – Two questions were based on SCPs, for example: the default SCP allows all access, but GuardDuty should not be deletable by a member account.
Relates to – Deny vs Allow with NotAction.
Q – An SCP is applied on the root OU and a user faces a problem in a member account.
Relates to – hierarchy of SCPs across OUs (an action must be allowed by the SCPs at every level from the root down to the account, and an explicit Deny at any level wins).
Q – For an existing CloudTrail trail, the S3 log prefix was changed and the trail now reports a bucket policy error; how to troubleshoot?
Relates to – the bucket policy for CloudTrail grants s3:PutObject on a resource path that includes the prefix (arn:aws:s3:::bucket/prefix/AWSLogs/account-id/*), so the Resource element must be updated to the new prefix.
Q – How to share resources with multiple accounts, while each account should not be able to modify or delete the resource?
Relates to – AWS RAM (Resource Access Manager).
Q – An object must be deleted after 30 days; the same object is pushed to DynamoDB by a Lambda function and must be deleted from DynamoDB too.
Relates to – an S3 lifecycle expiration rule and a DynamoDB TTL attribute set to the same expiry.
Q – A user belongs to multiple groups and has permissions; however, the user should not be able to modify anything except the EC2 service.
Relates to – role ARN, group ARN, deny policy, permission guardrails, etc. (an explicit Deny with NotAction ec2:* overrides whatever the groups allow).
Q – Restrict an S3 bucket so that uploads are allowed over HTTPS only.
Relates to – the aws:SecureTransport condition key (the options varied by condition operator, StringNotLike vs StringLike, and by NotResource vs Resource). The robust form is an explicit Deny on the bucket and its objects when aws:SecureTransport is false; an Allow that only matches when it is true does not block HTTP from a principal whose identity policy already allows the action.
Q – Multi-factor authentication is enabled; how is it used from the CLI?
Relates to – call sts get-session-token with the MFA device serial number and the current token code, then use the returned temporary credentials for further access.
Q – ELB logs must be monitored through a metric for the cipher the ELB negotiated.
Relates to – exporting logs from the load balancer: export access logs to S3, create an Athena table, and derive the metric from an Athena query; or export to CloudWatch Logs and filter on the cipher field.
Q – The security team should be notified if a CloudFormation template does not meet security criteria, without affecting developers' abilities and without operational overhead.
Relates to – CloudFormation Guard.
Q – The security team wants to check the CloudFormation standard and enable AWS Config in each account of a multi-account setup.
Relates to – CloudFormation Guard and CloudFormation StackSets for deploying the template to multiple accounts.
Q – AWS Security Hub: how to implement automated remediation.
Relates to – whether to use a Security Hub custom action with Lambda, or an EventBridge rule plus a Systems Manager Automation runbook.
Q – ECR: CVE scanning of images on push for some of the repositories.
Relates to – Amazon Inspector (enhanced scanning) vs ECR basic scanning, with scan-on-push filters selecting the repositories.
Q – An intruder is connected over SSH and the session is active; the forensic team needs to connect, so how do you isolate the instance?
Relates to – a security group rule change does not terminate an already-established session, so a possible strategy is to terminate the session at the security group level by removing and reattaching the security group.
Q – A developer reports that an access key has been exposed. The manager deactivates the key and wants to know the last usage of the key.
Relates to – IAM credential report vs Access Advisor (the credential report shows each key's last-used date, region and service; CloudTrail filtered on the access key ID gives the individual calls).
Q – Force users to apply a tag: tag policy, IAM policy, or resource-based policy?
Relates to – a tag policy does not force a user to apply a tag (it standardizes keys and values); an IAM policy with aws:RequestTag / aws:TagKeys conditions does.
Q – ABAC (attribute-based access control): access based on tags.
Q – Parameter Store used from Lambda to store a DB credential instead of any other option, as cost is the concern.
Q – SSM for DB access, with rotation handled at the application level when the credentials rotate.
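The RDS credentials question earlier (option E: catch the connection failure and re-read the secret) and this one both come down to the same application-side pattern: cache the credential, and on an authentication failure fetch it again and reconnect once, rather than restarting the application when rotation happens. The block below is an added example, not code from the original post. FakeSecretsManager and FakeDatabase are stand-ins I wrote so the flow runs offline; with boto3 you would pass boto3.client("secretsmanager") and your driver's connect function instead. The secret name and host are made up.

```python
"""Reconnect with fresh credentials after a Secrets Manager rotation."""
import json


class AuthError(Exception):
    """Raised by the DB driver when the user name/password is rejected."""


class FakeSecretsManager:
    """Stand-in for the boto3 secretsmanager client's get_secret_value(SecretId=...)."""

    def __init__(self, secret_id, password):
        self.secret_id = secret_id
        self.password = password
        self.calls = 0  # how many times the application fetched the secret

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError("ResourceNotFoundException: " + SecretId)
        return {"SecretString": json.dumps({"username": "app", "password": self.password,
                                            "host": "db.example.internal", "port": 5432})}

    def rotate(self, new_password):
        """What the rotation Lambda does: the stored secret now holds the new password."""
        self.password = new_password


class FakeDatabase:
    """Stand-in for the database; accepts only the current password."""

    def __init__(self, password):
        self.password = password

    def connect(self, username, password, host, port):
        if password != self.password:
            raise AuthError("password authentication failed for user " + username)
        return {"user": username, "host": host, "connected": True}


class RotationAwareConnector:
    """Caches the secret; on AuthError, refetches it once and retries the connection."""

    def __init__(self, secrets_client, secret_id, connect):
        self.secrets = secrets_client
        self.secret_id = secret_id
        self.connect = connect
        self._cached = None

    def _credentials(self, refresh=False):
        if self._cached is None or refresh:
            resp = self.secrets.get_secret_value(SecretId=self.secret_id)
            self._cached = json.loads(resp["SecretString"])
        return self._cached

    def get_connection(self):
        creds = self._credentials()
        try:
            return self.connect(**creds)
        except AuthError:
            # Only an auth failure hints at rotation; network errors are left to the caller.
            creds = self._credentials(refresh=True)
            return self.connect(**creds)  # a second AuthError propagates: not a rotation


def demo():
    """Connect, rotate the secret and the DB password, connect again without a restart.
    Returns (connected after rotation, number of Secrets Manager calls)."""
    secrets = FakeSecretsManager("prod/app/db", "old-pw")
    db = FakeDatabase("old-pw")
    connector = RotationAwareConnector(secrets, "prod/app/db", db.connect)
    connector.get_connection()            # first use: fetch the secret once
    secrets.rotate("new-pw")              # rotation Lambda updates the secret...
    db.password = "new-pw"                # ...and the database password
    result = connector.get_connection()   # cached password fails, refetch, reconnect
    return result["connected"], secrets.calls


if __name__ == "__main__":
    print(demo())
```

Fetching the secret only on failure keeps the GetSecretValue call volume (and cost) at roughly one call per rotation per process; a multi-user rotation strategy in Secrets Manager keeps the previous password valid during the switch, which is what makes the single retry sufficient.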
Q – The CloudWatch agent is not pushing log events; what can be the possible reason?
Relates to – troubleshooting (agent configuration, IAM permissions of the instance role, and agent status/logs).
Q – If an IAM user fails to log in 3 times in under 5 minutes, how do you send a notification?
Relates to – CloudTrail publishes logs to CloudWatch Logs; create a metric filter on failed ConsoleLogin events and an alarm on the metric that notifies an SNS topic.
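The CloudWatch alarm for the failed-login question counts the metric filter matches over a 5-minute period; it cannot tell you which user failed, and a threshold of 3 across the whole account fires on three different users failing once each. As an added example that is not part of the original post, the script below applies the same metric-filter predicate to constructed CloudTrail ConsoleLogin records, and then computes the per-user sliding-window view you would get from CloudTrail Lake or Athena. The user names and timestamps are made up.

```python
"""Failed console logins: metric-filter semantics and a per-user 5-minute window."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The CloudWatch Logs metric filter the alarm is built on (CIS benchmark pattern).
METRIC_FILTER = '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'

# Constructed sample CloudTrail records (fields trimmed to what the filter needs).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-06-01T10:00:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-06-01T10:01:10Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-06-01T10:02:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T10:02:30Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "No username found in supplied account"},
    {"eventTime": "2024-06-01T10:03:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-06-01T10:06:30Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-06-01T10:12:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
]]


def matches_filter(event):
    """Same predicate as METRIC_FILTER: exact matches on both fields, like the '=' operator."""
    return event.get("eventName") == "ConsoleLogin" and event.get("errorMessage") == "Failed authentication"


def metric_value(lines):
    """What the alarm sees: the count of matching records in the evaluation period."""
    return sum(1 for line in lines if matches_filter(json.loads(line)))


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with >= threshold failures inside any sliding window; value is the time of
    the failure that crossed the threshold. This is the per-user view the alarm lacks."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["eventTime"])
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        if not matches_filter(ev):
            continue
        user = ev["userIdentity"].get("userName", "unknown")
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ev["eventTime"]
    return alerts


if __name__ == "__main__":
    print("metric value:", metric_value(SAMPLE_EVENTS))
    print("per-user bursts:", failed_login_bursts(SAMPLE_EVENTS))
```

With these samples the account-wide metric is 6 (alice 3, bob 3), so a threshold-3 alarm fires even though only alice actually failed three times within five minutes; bob's three failures are spread over twelve minutes. The "No username found" record is a failure CloudTrail reports with a different errorMessage, so the CIS filter deliberately does not count it.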
Q – A particular list of IPs is sending malicious traffic; which rules should be used to block it via WAF?
Relates to – an IP set match rule vs a rate-based rule.
Q – Based on an AWS Backup vault, with backups scheduled on the 15th and 25th of every month.
Relates to – cron expression vs rate expression (only a cron expression can name days of the month).
Q – Based on DNS resolver query logs for the source address and query.
Q – Based on VPC traffic mirroring for monitoring.
Relates to – the source/destination check on the monitoring instance.
Q – NACL vs security group: an external user is not able to connect to the application, while inbound is allowed at both levels, SG and NACL.
Relates to – ephemeral ports (NACLs are stateless, so return traffic on ephemeral ports must be allowed outbound; security groups are stateful and do not need this).
Q – ACM-based question on achieving end-to-end encryption from the user to the ALB to EC2.
Relates to – generate or import a certificate (an ACM-generated certificate cannot be exported to EC2, so the instances need their own certificate).
Q – EBS encryption with a 90-day rotation using AWS KMS.
Relates to – KMS AWS managed keys vs KMS customer managed keys with imported key material vs OS-level encryption (automatic rotation is not available for imported key material).
Q – While using KMS, the request quota is exhausted because of a large number of encryption calls.
Relates to – use the AWS Encryption SDK, which offers data key caching so that each call does not hit KMS.
Q – An unencrypted RDS instance is running and needs to be encrypted.
Relates to – converting unencrypted to encrypted: enable encryption while copying a snapshot and restore from it, or create an encrypted read replica and promote it to primary.
Q – A developer left the company and the company does not want to execute the code written by that developer.
Relates to – AWS Signer: revoke the signing profile or signature, or revoke the IAM permissions.
Q – The default SCP is applied to all member accounts. Access to guardrail deletion must be denied; which policy should be applied at the root OU?
Relates to – multiple policies differing in Action vs NotAction and Effect (Allow vs Deny).
Q – Based on the S3 VPC gateway endpoint vs a VPC interface endpoint.
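Several of the policy questions above (the GuardDuty-protecting SCP and its Allow/NotAction alternative, the SCP hierarchy across OUs, the HTTPS-only bucket policy, and the Deny/NotAction guardrail for the multi-group user) all turn on the same evaluation rules. The block below is an added example, not from the original post and not the real IAM engine: a deliberately small evaluator that supports only the Action, NotAction, Resource, Effect and Condition (Bool, StringEquals) elements these questions use, ignores principals and NotResource, and applies the three rules the exam cares about: an explicit Deny anywhere wins, an action must be allowed by an SCP at every level from the root OU to the account, and a resource policy Allow is unioned with the identity policy within the same account. The bucket name, OU layout and policy documents are made up for the scenarios.

```python
"""Minimal IAM/SCP evaluator for the Deny-vs-Allow/NotAction exam questions."""
from fnmatch import fnmatchcase


def _listify(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value):
    return any(fnmatchcase(value, p) for p in _listify(patterns))


def _condition_ok(cond, ctx):
    """Bool and StringEquals only; a missing context key never matches (no IfExists)."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _listify(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _match_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match_any(stmt["NotAction"], action):
        return False
    if not _match_any(stmt.get("Resource", "*"), resource):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate_policy(policy, action, resource, ctx=None):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    result = None
    for stmt in _listify(policy["Statement"]):
        if statement_applies(stmt, action, resource, ctx or {}):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, resource, identity_policies, resource_policies=(), scp_levels=(), ctx=None):
    """scp_levels: one list of attached SCPs per level, root OU first, account last.
    Each level must contain an Allow and no Deny; then identity + same-account
    resource policies are unioned, with any Deny winning."""
    for level in scp_levels:
        results = [evaluate_policy(p, action, resource, ctx) for p in level]
        if "Deny" in results or "Allow" not in results:
            return False
    results = [evaluate_policy(p, action, resource, ctx)
               for p in list(identity_policies) + list(resource_policies)]
    return "Deny" not in results and "Allow" in results


FULL_AWS_ACCESS = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
PROTECT_GUARDDUTY = {"Statement": {"Effect": "Deny", "Action": "guardduty:DeleteDetector", "Resource": "*"}}
ADMIN = FULL_AWS_ACCESS  # the member-account administrator's identity policy
BUCKET = "arn:aws:s3:::example-uploads"  # made-up bucket


def scp_scenarios():
    """Deny SCP at the root vs an Allow/NotAction SCP added beside FullAWSAccess."""
    with_deny = [[FULL_AWS_ACCESS, PROTECT_GUARDDUTY], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
    allow_not = {"Statement": {"Effect": "Allow", "NotAction": "guardduty:DeleteDetector", "Resource": "*"}}
    with_allow_not = [[FULL_AWS_ACCESS, allow_not], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
    only_allow_not = [[allow_not], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]  # FullAWSAccess detached at root
    return {
        "deny_scp_blocks_delete": is_allowed("guardduty:DeleteDetector", "*", [ADMIN], scp_levels=with_deny),
        "deny_scp_keeps_list": is_allowed("guardduty:ListDetectors", "*", [ADMIN], scp_levels=with_deny),
        "allow_notaction_beside_full_access_blocks_delete":
            is_allowed("guardduty:DeleteDetector", "*", [ADMIN], scp_levels=with_allow_not),
        "allow_notaction_alone_blocks_delete":
            is_allowed("guardduty:DeleteDetector", "*", [ADMIN], scp_levels=only_allow_not),
    }


def secure_transport_scenarios():
    """Deny when aws:SecureTransport is false vs an Allow that requires it to be true."""
    identity = {"Statement": {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*"}}
    deny_http = {"Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
                               "Condition": {"Bool": {"aws:SecureTransport": "false"}}}}
    allow_https = {"Statement": {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
                                 "Condition": {"Bool": {"aws:SecureTransport": "true"}}}}
    key, http, https = BUCKET + "/report.csv", {"aws:SecureTransport": "false"}, {"aws:SecureTransport": "true"}
    return {
        "deny_policy_http": is_allowed("s3:PutObject", key, [identity], [deny_http], ctx=http),
        "deny_policy_https": is_allowed("s3:PutObject", key, [identity], [deny_http], ctx=https),
        "allow_only_policy_http": is_allowed("s3:PutObject", key, [identity], [allow_https], ctx=http),
    }


def notaction_guardrail_scenario():
    """User in an EC2 group and an S3 group, plus a Deny/NotAction ec2:* guardrail."""
    policies = [{"Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}},
                {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}},
                {"Statement": {"Effect": "Deny", "NotAction": "ec2:*", "Resource": "*"}}]
    return {"ec2": is_allowed("ec2:RunInstances", "*", policies),
            "s3": is_allowed("s3:DeleteObject", "*", policies)}


if __name__ == "__main__":
    print(scp_scenarios())
    print(secure_transport_scenarios())
    print(notaction_guardrail_scenario())
```

The two results worth remembering: an Allow/NotAction SCP attached next to the default FullAWSAccess SCP does nothing, because allows at the same level are unioned, so the Deny form (or detaching FullAWSAccess) is what actually blocks guardduty:DeleteDetector; and an Allow-only bucket policy conditioned on aws:SecureTransport being true does not stop plain-HTTP uploads from a same-account principal whose identity policy already grants s3:PutObject, which is why the exam answer is the explicit Deny with the condition set to false.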