Amazon AWS Certified Security-Specialty Exam
AWS Certified Security - Specialty (SCS-C01) (Page 13)

Updated On: 1-Feb-2026

A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and with keys managed by the company. The encryption keys must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.

Which solution meets these requirements?

  A. Use client-side encryption with an AWS KMS customer managed key implemented with the AWS Encryption SDK.
  B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
  C. Use an AWS KMS customer managed key that is backed by a custom key store using AWS CloudHSM.
  D. Use an AWS KMS customer managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.

Answer(s): C

Explanation:

A KMS custom key store backed by an AWS CloudHSM cluster keeps the key material in HSMs that are validated to FIPS 140-2 Level 3 and that the company controls, while still exposing the key through KMS, so S3 server-side encryption (SSE-KMS) and Athena queries work unchanged. Options A and D rely on the KMS service's own HSMs, which at the time of this exam version were validated at FIPS 140-2 Level 2. Option B keeps the keys in CloudHSM, but data encrypted directly with CloudHSM has no S3 or Athena integration, so the data lake cannot be queried.



A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:

"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared."

Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE.)

  A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
  B. Allow forensics account principals to use the CMK by modifying its key policy.
  C. Create an Amazon EC2 instance. Attach the encrypted, suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
  D. Copy the EBS snapshot to a new decrypted snapshot.
  E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
  F. Share the target EBS snapshot with the forensics account.

Answer(s): A,B,F
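Snapshots encrypted with the AWS-managed default EBS key cannot be shared cross-account because no one can change that key's policy; a customer managed CMK fixes that, provided its key policy actually grants the forensics account what it needs to copy the snapshot. The following is an added example, not code from the page: it builds the key policy for step B and checks that the receiving account is granted every action the copy requires. The account IDs are constructed placeholders, and the REQUIRED_FOR_SNAPSHOT_COPY set is the usual "use of the key" plus CreateGrant set; confirm it against the current EBS documentation for your region.

```python
"""Key policy for sharing an encrypted EBS snapshot with a forensics account.

Added example, not part of the original page. Account IDs are constructed
placeholders; the required-action set is an assumption to verify against
the current EBS/KMS documentation.
"""
import fnmatch
import json

INCIDENT_ACCOUNT = "111111111111"   # constructed: account that owns the snapshot and CMK
FORENSICS_ACCOUNT = "222222222222"  # constructed: account that receives the snapshot

# Actions the receiving account needs on the CMK to copy the shared, encrypted
# snapshot into its own account: use of the key, plus the grant EBS creates when
# it binds the key to the new snapshot/volume. (Assumed set; verify in the docs.)
REQUIRED_FOR_SNAPSHOT_COPY = (
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
)


def forensics_key_policy(owner_account: str, forensics_account: str) -> dict:
    """Key policy to pass to `aws kms create-key --policy` (steps A and B of the answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keep the owning account (via its IAM policies) in control of the key.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Let principals in the forensics account use the key for crypto operations.
                "Sid": "AllowForensicsAccountUseOfTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{forensics_account}:root"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # Grants are how EBS attaches the key to the copied snapshot/volume;
                # the condition limits grant creation to AWS services acting for the account.
                "Sid": "AllowForensicsAccountGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{forensics_account}:root"},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict, principal_arn: str) -> set:
    """Collect the action patterns of every Allow statement that names the principal."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn in principals:
            patterns.update(_as_list(stmt["Action"]))
    return patterns


def missing_permissions(policy: dict, principal_arn: str,
                        required=REQUIRED_FOR_SNAPSHOT_COPY) -> list:
    """Return the required actions the key policy does NOT grant to the principal."""
    patterns = allowed_actions(policy, principal_arn)
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]


if __name__ == "__main__":
    policy = forensics_key_policy(INCIDENT_ACCOUNT, FORENSICS_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("missing for forensics account:",
          missing_permissions(policy, f"arn:aws:iam::{FORENSICS_ACCOUNT}:root"))
```

With the key created from this policy, the remaining two steps are `aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snap> --encrypted --kms-key-id <key-arn>` (step A) and `aws ec2 modify-snapshot-attribute --snapshot-id <new-snap> --attribute createVolumePermission --operation-type add --user-ids 222222222222` (step F). Running `missing_permissions` before sharing catches the common failure where the forensics account can see the snapshot but cannot copy it because `kms:CreateGrant` was left out.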



A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

  A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
  B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
  C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
  D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

Answer(s): D

Explanation:

"For an ongoing record of events in your IAM account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."


Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/
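AWS Config reports the configuration change after the fact; the trail that answer D delivers to S3 also lets you detect the change from the API call itself, which is what the second finding (undetected IAM policy changes) is about. The following is an added example, not code from the page or from any AWS tool: detection logic that scans CloudTrail records for IAM policy-mutating calls made by anyone outside an approved set of principals. The sample records are constructed, trimmed to the fields the logic uses, and the approved-principal list and the pattern list are assumptions to adapt to your account.

```python
"""Flag IAM policy changes in CloudTrail records not made by an approved principal.

Added example, not part of the original page or of any AWS tool. The sample
records are constructed; the approved principals and event patterns are
assumptions to tune for a real account.
"""
import fnmatch
import gzip
import json

# IAM API calls that change who can do what (patterns, not an exhaustive list).
POLICY_CHANGE_EVENTS = (
    "Put*Policy",         # PutUserPolicy, PutRolePolicy, PutGroupPolicy
    "Attach*Policy",      # AttachUserPolicy, AttachRolePolicy, AttachGroupPolicy
    "Detach*Policy",
    "Delete*Policy",
    "CreatePolicy",
    "CreatePolicyVersion",
    "SetDefaultPolicyVersion",
    "UpdateAssumeRolePolicy",
)

# Principals allowed to change IAM policies (assumption: one deployment role, via CI/CD).
APPROVED_PRINCIPALS = {"arn:aws:sts::111111111111:assumed-role/DeployRole/cicd"}


def is_policy_change(record: dict) -> bool:
    """True only for IAM-service events whose name matches a policy-mutating pattern.
    The eventSource check matters: "Put*Policy" would otherwise also match S3's PutBucketPolicy."""
    return record.get("eventSource") == "iam.amazonaws.com" and any(
        fnmatch.fnmatchcase(record.get("eventName", ""), p) for p in POLICY_CHANGE_EVENTS
    )


def find_unauthorized_changes(records, approved=APPROVED_PRINCIPALS):
    """Return (eventTime, eventName, actor) for successful policy changes by unapproved actors."""
    findings = []
    for r in records:
        if not is_policy_change(r):
            continue
        if "errorCode" in r:   # the call was rejected (e.g. AccessDenied); nothing changed
            continue
        actor = r.get("userIdentity", {}).get("arn", "<unknown>")
        if actor not in approved:
            findings.append((r["eventTime"], r["eventName"], actor))
    return findings


def load_trail_file(path):
    """Read one CloudTrail log object (gzipped JSON with a top-level "Records" list)."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/cicd"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]


if __name__ == "__main__":
    for finding in find_unauthorized_changes(SAMPLE_RECORDS):
        print(*finding)
```

Only alice's PutUserPolicy is reported: the CI/CD role is approved, bob's attempt failed with AccessDenied, GetUser is read-only, and the S3 bucket-policy change belongs to a different service. Point `load_trail_file` at the objects the trail delivers to S3 to run the same check over real records.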



A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

  A. Create an AWS Config rule defining the patch as a required configuration for EC2 instances.
  B. Use AWS Systems Manager Run Command to patch affected instances.
  C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances.
  D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.

Answer(s): B



A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:




How can the security engineer provide the developer with Amazon S3 access without affecting other accounts?

  A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  B. Add an IAM policy for the developer, which grants S3 access.
  C. Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.
  D. Add an allow list for the developer account for the S3 service.

Answer(s): C
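The reason B fails and C works is the way SCPs combine with identity-based policies: an action is permitted only if every SCP on the path from the root to the account allows it AND an IAM policy in the account allows it, so an SCP can only narrow what IAM policies can grant, never be overridden by them. The following is an added example, not code from the page, that models that evaluation. The SCP shown in the original question is not reproduced on this page, so the DENY_S3 policy below is a constructed stand-in (a deny-list SCP of the usual shape), and the identity policy and the one-policy-per-level simplification are assumptions.

```python
"""Why an IAM allow (option B) cannot override an SCP, while moving the account (option C) can.

Added example, not part of the original page. The SCP and identity policy are
constructed stand-ins; the model assumes one effective SCP per level of the
OU path (the union of SCPs attached at that level, merged into one document).
"""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action):
    """Single-policy decision: an explicit Deny wins; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(scps_on_path, identity_policy, action):
    """Allowed only if every SCP from the root down to the account allows the action
    AND the identity-based policy allows it. SCPs never grant; they only bound."""
    for scp in scps_on_path:
        if evaluate(scp, action) != "Allow":
            return "Deny"
    return "Allow" if evaluate(identity_policy, action) == "Allow" else "Deny"


# Constructed: the default FullAWSAccess SCP, attached at the root.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed: effective SCP at the restricted OU (FullAWSAccess plus a deny-list
# statement for S3). Not the SCP from the question, which is not reproduced here.
DENY_S3 = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                         {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

# Constructed: the identity-based policy option B would attach to the developer.
DEVELOPER_S3_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow",
                                      "Action": ["s3:GetObject", "s3:ListBucket"],
                                      "Resource": "*"}]}


def option_b(action="s3:GetObject"):
    """Account stays in the restricted OU; only the IAM policy is added."""
    return effective_decision([FULL_AWS_ACCESS, DENY_S3], DEVELOPER_S3_POLICY, action)


def option_c(action="s3:GetObject"):
    """Account moved to a new OU under the root with no S3-denying SCP attached."""
    return effective_decision([FULL_AWS_ACCESS], DEVELOPER_S3_POLICY, action)


if __name__ == "__main__":
    print("option B, s3:GetObject:", option_b())
    print("option C, s3:GetObject:", option_c())
    print("option C, ec2:RunInstances (no IAM grant):", option_c("ec2:RunInstances"))
```

Two things the model makes visible: under option B the S3 deny in the OU's SCP short-circuits before the identity policy is even consulted, and under option C removing the SCP does not by itself grant anything (an action the developer's IAM policy does not allow, such as ec2:RunInstances here, is still denied). Option A would lift the restriction for every account under the root, which is why it fails the "without affecting other accounts" requirement.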





