Amazon AWS Certified Security-Specialty Exam
AWS Certified Security - Specialty (SCS-C01) (Page 15)

Updated On: 30-Jan-2026

A company has an application hosted on an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails.

Which factors could be the cause of this failure? (Select TWO.)

  A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
  B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
  C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
  D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
  E. The EC2 instance does not have any tags associated.

Answer(s): A,B


Reference:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html



A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

  A. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
  B. Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret.
  C. Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
  D. Add the following statement to the container instance IAM role policy.


  E. Add the following statement to the execution role policy.


  F. Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.

Answer(s): B,E,F



A company's Director of Information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS security best practices.

Which solution would meet these requirements?

  A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
  B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings.
  C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
  D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account.

Answer(s): A



A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.

How should this be accomplished?

  A. Use SCPs.
  B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
  C. Use an S3 bucket policy.
  D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.

Answer(s): A



A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

  A. The ACL in the bucket needs to be updated.
  B. The IAM policy does not allow the user to access the bucket.
  C. It takes a few minutes for a bucket policy to take effect.
  D. The allow permission is being overridden by the deny.

Answer(s): D


