Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam Questions
AWS Certified Security - Specialty (SCS-C01) (Page 32 )

Updated On: 31-Mar-2026
Page 21 of 108
PDF with 532 Questions

A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account.

For added security, the logs are stored using server-side encryption with IAM KMS- managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  1. The log files fail integrity validation and automatically are marked as unavailable.
  2. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  3. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  4. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Answer(s): B

Explanation:

Enabling server-side encryption encrypts the log files but not the digest files with SSE- KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3).


Reference:

https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/encrypting-cloudtrail-log-files- with-IAM-kms.html



A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less

Which IAM Key Management Service (IAM KMS) key solution will allow the security engineer to meet these requirements?

  1. Use Imported key material with CMK
  2. Use an IAM KMS CMK
  3. Use an IAM managed CMK.
  4. Use an IAM KMS customer managed CMK

Answer(s): C



A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer noticed that logs were lost after ascale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data All logs must be kept for a minimum of 1 year for auditing purposes

What should the security engineer recommend?

  1. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
  2. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
  3. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
  4. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Answer(s): B



Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

  1. Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.
  2. Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.
  3. Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.
  4. Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.
  5. Assign the IAMConfigRole managed policy to the IAM Config role

Answer(s): B,E



A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other Developers use SSL certificates to encrypt the traffic between the public users and the ALB However the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances

Which combination of activities must the company implement to meet its encryption requirements'? (Select TWO )

  1. Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS
  2. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
  3. In the ALB. select the default encryption to encrypt the traffic between the ALB and the EC2 instances
  4. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances
  5. Configure IAM Direct Connect to provide an encrypted tunnel between the EC2 instances

Answer(s): B,C



Viewing page 32 of 108
Viewing questions 156 - 160 out of 532 questions



Post your Comments and Discuss Amazon AWS Certified Security-Specialty exam dumps with other Community members:

AWS Certified Security-Specialty Exam Discussions & Posts

AI Tutor 👋 I’m here to help!