

Amazon SCS-C02 Exam - Topic 2 Question 50 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 50
Topic #: 2

[Logging and Monitoring]

A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling.

The company's security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security engineer needs to implement private connectivity to AWS services.

Which combination of steps should the security engineer take to meet this requirement? (Select THREE.)

Suggested Answer: A, C, E

A, C and E are correct because together they give private connectivity without loosening the least-privilege policy that is already in place. An interface VPC endpoint for Amazon SQS and a gateway VPC endpoint for Amazon S3 let the instances reach both services over the AWS network from private subnets, with no public IP addresses, internet gateway or NAT gateway on the path. A newly created endpoint carries a default policy that allows full access to the service, so editing the endpoint policies to name only the SQS queue and the S3 bucket the application uses is what keeps the new paths within least privilege: an endpoint policy can only narrow what the instance role already permits, and it also stops the endpoint from being used to reach queues or buckets in other accounts. A practitioner would finish the job on the resource side as well, with a bucket policy and a queue policy that deny any request whose aws:SourceVpce is not the endpoint's ID, so the bucket and queue stay unreachable from outside the VPC even with valid credentials.

The other options either do not provide private connectivity to AWS services or add components the scenario does not need. Option B is incorrect because AWS Transit Gateway connects VPCs and on-premises networks to one another; it does not give a VPC a private path to AWS service endpoints. Option D is incorrect because an IAM role decides which API calls the instances may make, not where their packets may go; network reachability to an interface endpoint is controlled by security groups, not IAM. The instances' security group must allow outbound TCP 443 to the endpoint's elastic network interfaces, the endpoint's security group must allow that traffic inbound, and with private DNS enabled on the endpoint (and DNS resolution and DNS hostnames enabled on the VPC) the regional SQS hostname resolves to the endpoint's private IP addresses, so the application needs no code change. Route table entries are what the gateway endpoint needs, not the interface endpoint: AWS adds a route for the S3 prefix list to each private subnet route table you associate with the gateway endpoint. Option F is incorrect because AWS Firewall Manager centrally administers AWS WAF, Shield Advanced, security group and AWS Network Firewall policies across accounts; it does not create connectivity to AWS services.
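To make step E concrete, here is an added example (not from the exam material or from AWS documentation) of the three policy documents the scenario calls for: a least-privilege policy for the S3 gateway endpoint, one for the SQS interface endpoint, and the bucket-side policy that refuses requests not arriving through the endpoint. The account ID, region, bucket, queue and endpoint ID are assumed placeholders. The small evaluator underneath is a deliberately simplified model of policy evaluation (explicit Deny wins, an Allow is required, wildcards and the two string condition operators only), written so the policies can be exercised offline; it is not the IAM engine and does not model the instance role's identity policy.

```python
"""Least-privilege endpoint policies for the S3 + SQS scenario above, plus a
deliberately simplified evaluator (NOT the IAM engine) that shows which API
calls each policy lets through. All identifiers below are assumed for the example."""
import re
from typing import Optional

ACCOUNT = "111122223333"                          # assumed account ID
REGION = "us-east-1"                              # assumed region
BUCKET_ARN = "arn:aws:s3:::example-app-bucket"    # assumed bucket
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT}:example-app-queue"  # assumed queue
S3_VPCE_ID = "vpce-0123456789abcdef0"             # assumed gateway endpoint ID

def _policy(sid: str, effect: str, actions, resources, condition=None) -> dict:
    """Single-statement policy document. Principal is '*' because an endpoint
    policy filters traffic from every principal; the IAM role still decides identity."""
    stmt = {"Sid": sid, "Effect": effect, "Principal": "*",
            "Action": actions, "Resource": resources}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

def s3_gateway_endpoint_policy() -> dict:
    """Gateway endpoint: only the app bucket, only the data-plane actions it needs."""
    return _policy("AppBucketOnly", "Allow",
                   ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                   [BUCKET_ARN, f"{BUCKET_ARN}/*"])

def sqs_interface_endpoint_policy() -> dict:
    """Interface endpoint: only the app queue, only message operations."""
    return _policy("AppQueueOnly", "Allow",
                   ["sqs:SendMessage", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "sqs:GetQueueUrl"], QUEUE_ARN)

def s3_bucket_policy_require_vpce() -> dict:
    """Resource-side counterpart: the bucket refuses requests that did not come
    through the gateway endpoint, so stolen credentials used from the internet
    still cannot read it."""
    return _policy("DenyUnlessViaEndpoint", "Deny", "s3:*",
                   [BUCKET_ARN, f"{BUCKET_ARN}/*"],
                   {"StringNotEquals": {"aws:SourceVpce": S3_VPCE_ID}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals / StringNotEquals, which is all the policies above use.
    A missing context key satisfies StringNotEquals, as in IAM, so the Deny fires."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if present != (operator == "StringEquals"):
                return False
    return True

def allowed(policies: list, action: str, resource: str,
            context: Optional[dict] = None) -> bool:
    """Evaluate the policies together: explicit Deny wins, an explicit Allow is
    required, otherwise deny. Actions match case-insensitively and resources
    case-sensitively, as in IAM. The instance role's identity policy is not modelled."""
    context = context or {}
    decision = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

if __name__ == "__main__":
    s3_side = [s3_gateway_endpoint_policy(), s3_bucket_policy_require_vpce()]
    via_vpce = {"aws:SourceVpce": S3_VPCE_ID}
    for action, resource, ctx in [
        ("s3:GetObject", f"{BUCKET_ARN}/config.json", via_vpce),
        ("s3:GetObject", "arn:aws:s3:::someone-elses-bucket/x", via_vpce),
        ("s3:GetObject", f"{BUCKET_ARN}/config.json", {}),   # request not via the endpoint
        ("s3:DeleteBucket", BUCKET_ARN, via_vpce),
        ("sqs:SendMessage", QUEUE_ARN, {}),
        ("sqs:CreateQueue", QUEUE_ARN, {}),
    ]:
        pols = s3_side if action.startswith("s3:") else [sqs_interface_endpoint_policy()]
        verdict = "ALLOW" if allowed(pols, action, resource, ctx) else "DENY"
        print(f"{action:16} {resource:48} -> {verdict}")
```

Running the script shows the effect of step E directly: the app's own bucket and queue are reachable through the endpoints, a bucket in another account is not, management actions such as DeleteBucket and CreateQueue are not, and a request that reaches the bucket without passing through the gateway endpoint is refused by the bucket policy regardless of credentials. To apply the documents for real you would pass the first two to the endpoint's policy document when creating or modifying the endpoint and attach the third as the bucket policy.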


Contribute your Thoughts:

Ivory
3 months ago
E is a must to ensure least privilege access!
upvoted 0 times
Buddy
3 months ago
Wait, can you really use a gateway endpoint for S3?
upvoted 0 times
Elenore
3 months ago
I think B is overkill for S3 access.
upvoted 0 times
Nilsa
3 months ago
Definitely A and C for private connectivity!
upvoted 0 times
Kati
4 months ago
Agree with A and C, but not sure about D.
upvoted 0 times
William
4 months ago
I’m pretty confident that we need to specify the S3 and SQS resources in the endpoint policies, but I’m not sure if we need to configure a connection through Transit Gateway.
upvoted 0 times
Mable
4 months ago
I feel like modifying the IAM role for outbound traffic is important, but I can't recall if it's necessary for this specific setup.
upvoted 0 times
Hershel
4 months ago
I remember practicing a question similar to this where we had to choose between interface and gateway endpoints. I think SQS needs an interface endpoint, right?
upvoted 0 times
Ramonita
4 months ago
I think using a gateway VPC endpoint for Amazon S3 is definitely one of the steps, but I'm not sure about the others.
upvoted 0 times
Stephanie
5 months ago
Modifying the endpoint policies on the VPC endpoints to specify the SQS and S3 resources the application uses is a good idea too. That will help enforce the least privilege access requirement.
upvoted 0 times
Leota
5 months ago
The Transit Gateway and Firewall Manager options don't seem relevant to this specific scenario. I think we can safely eliminate those.
upvoted 0 times
Kimi
5 months ago
I'm pretty confident that using interface VPC endpoints for Amazon SQS and a gateway VPC endpoint for Amazon S3 are the right approaches here. We'll also need to modify the IAM role to allow outbound traffic to the interface endpoints.
upvoted 0 times
Magda
5 months ago
Okay, let's think this through step-by-step. We need to implement private connectivity to the AWS services, and the company's security policy requires least privilege access.
upvoted 0 times
Desire
5 months ago
This question seems straightforward, but I want to make sure I understand the requirements correctly before selecting the answers.
upvoted 0 times