Amazon AWS Certified Security-Specialty Exam Questions
AWS Certified Security - Specialty (SCS-C01) (Page 11)

Updated On: 2-Mar-2026

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE.)

  A. Ensure the KMS key policy allows the AppUser role to have permission to decrypt for the CMK.
  B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
  C. Ensure the CMK was created before the S3 bucket.
  D. Ensure the S3 block public access feature is enabled for the S3 bucket.
  E. Ensure that automatic key rotation is disabled for the CMK.
  F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Answer(s): A,B,F



A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.

How can the Engineer perform the key rotation process MOST efficiently?

  A. Create a new CMK, and redirect the existing key alias to the new CMK.
  B. Select the option to auto-rotate the key.
  C. Upload new key material into the existing CMK.
  D. Create a new CMK, and change the application to point to the new CMK.

Answer(s): A



A company is trying to replace the on-premises bastion hosts used to access its on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

  A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
  B. Enable the advanced-instances tier in Systems Manager.
  C. Create a managed-instance activation for the on-premises servers.
  D. Reconfigure the Systems Manager Agent with the activation code and activation ID.
  E. Assign an IAM role to all of the on-premises servers.
  F. Initiate an inventory collection with Systems Manager on the on-premises servers.

Answer(s): C,E,F



A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.

What solution should the Engineer use to implement the appropriate access restrictions for the application?

  A. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and the EC2 instances.
  B. Create a security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for the EC2 instances with access on TCP port 443 from the NLB security group.
  C. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create a security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
  D. Create a security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with the EC2 instances.

Answer(s): D



A security engineer has noticed that VPC Flow Logs are recording a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

  A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
  B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
  C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
  D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.

Answer(s): B



Viewing questions 51 - 55 out of 532 questions
