Actual Dumps for Amazon SCS-C02 Exam 2026

Question No: 1

MultipleChoice

[Incident Response]

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

Options

AUpdate the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

BUpdate the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

CCreate an EC2 key pair. Associate the key pair with the EC2 instance.

DCreate a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance islocated.

EAttach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

FCreate a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Question No: 2

MultipleChoice

[Identity and Access Management]

A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:

The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.

Which change must a security engineer implement so that the developers can access Amazon SES?

Options

AAdd a resource policy that allows each member of the group to access Amazon SES.

BAdd a resource policy that allows 'Principal': {'AWS': 'arn:aws:iam::account-number:group/Dev'}.

CRemove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.

DRemove Amazon SES from the root SCP.

Answer
DExplanation

The correct answer is D. Remove Amazon SES from the root SCP.

This answer is correct because the root SCP is the most restrictive policy that applies to all accounts in the organization. The root SCP explicitly denies access to Amazon SES by using the NotAction element, which means that any action that is not listed in the element is denied. Therefore, removing Amazon SES from the root SCP will allow the developers to access it, as long as there are no other SCPs or IAM policies that deny it.

The other options are incorrect because:

A .Adding a resource policy that allows each member of the group to access Amazon SES is not a solution, because resource policies are not supported by Amazon SES1.Resource policies are policies that are attached to AWS resources, suchas S3 buckets or SNS topics, to control access to those resources2. Amazon SES does not have any resources that can have resource policies attached to them.

B .Adding a resource policy that allows ''Principal'': {''AWS'': ''arn:aws:iam::account-number:group/Dev''} is not a solution, because resource policies do not support IAM groups asprincipals3.Principals are entities that can perform actions on AWS resources, such as IAM users, roles, or AWSaccounts4.IAM groups are not principals, but collections of IAM users that share the same permissions5.

C .Removing the AWS Control Tower control (guardrail) that restricts access to Amazon SES is not a solution, because AWS Control Tower does not have any guardrails that restrict access to Amazon SES6.Guardrails are high-level rules that govern the overall behavior of an organization's accounts7.AWS Control Tower provides a set of predefined guardrails that cover security, compliance, and operations domains8.

References:

1: Amazon Simple Email Service endpoints and quotas2: Resource-based policies and IAM policies3: Specifying a principal in a policy4: Policy elements: Principal5: IAM groups6: AWS Control Tower guardrails reference7: AWS Control Tower concepts8: AWS Control Tower guardrails

Question No: 3

MultipleChoice

[Identity and Access Management]

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company'ssecurity team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account

How should the security learn securely store the API key?

Options

ACreate a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

BStore the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

CCreate a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

DCreate an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Question No: 4

MultipleChoice

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

Please select:

Options

AUse Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

BUse Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

CUse IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

DUse Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Question No: 5

MultipleChoice

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's

deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

Options

ACreate an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the
portfolio's product list. Share the portfolio with the OIJ.

BUse the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation
registry. Publish the extension. In the OU, create an SCP that allows access to the extension.

CCreate an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the
portfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach the
AWSServiceCatalogEndUserFullAccess managed policy to the role.

DUse the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation
registry. Publish the extension. Share the extension with the OU

Answer
AExplanation

The correct answer is A. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU.

According to the AWS documentation, AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. You can use Service Catalog to centrally manage commonly deployed IT services and help achieve consistent governance and compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

To use Service Catalog with multiple AWS accounts, you need to enable AWS Organizations with all features enabled. This allows you to centrally manage your accounts and apply policies across your organization. You can also use Service Catalog as a service principal for AWS Organizations, which lets you share your portfolios with organizational units (OUs) or accounts in your organization.

To create a Service Catalog portfolio, you need to use an administrator account, such as the organization's management account. You can upload your CloudFormation template as a product in your portfolio, and define constraints and tags for it. You can then share your portfolio with the OU that contains the accounts for the web applications. This will allow the developers in those accounts to launch products from the shared portfolio using the Service Catalog end user console.

Option B is incorrect because CloudFormation modules are reusable components that encapsulate one or more resources and their configurations. They are not meant to be used as templates for deploying entire stacks of resources. Moreover, sharing a module with an OU does not grant access to launch stacks from it.

Option C is incorrect because creating an IAM role that has a trust policy that allows cross-account access to the portfolio is not secure. It would allow any user in the OU accounts to assume the role and access the portfolio, regardless of their job function or access requirements.

Option D is incorrect because sharing a module with an OU does not grant access to launch stacks from it. It also does not limit access to the deployment plan to only the developers who need access.

Free Amazon SCS-C02 Exam Dumps May 2026