Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam Questions
AWS Certified Security - Specialty (SCS-C01) (Page 16 )

Updated On: 28-Feb-2026
Page 16 of 108
PDF with 532 Questions

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

  1. In the security group of the EC2 instance, allow inbound ICMP traffic.
  2. In the security group of the EC2 instance, allow outbound ICMP traffic.
  3. In the VPC's NACL, allow inbound ICMP traffic.
  4. In the VPC's NACL, allow outbound ICMP traffic.

Answer(s): D



A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data

Which solution will meet these requirements?

  1. Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer- specific data
  2. Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.
  3. Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys
  4. Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Answer(s): A



An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:



After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

  1. Change the value of IAM MultiFactorAuthPresent to true.
  2. Instruct users to run the IAM sts get-session-token CLI command and pass the multi- factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls
  3. Implement federated API/CLI access using SAML 2.0, then configure the identityprovider to enforce multi-factor authentication.
  4. Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Answer(s): B



Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

  1. Deploy IAM WAF to block all unsecured web applications from accessing the internet.
  2. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
  3. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
  4. Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.
  5. Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

Answer(s): B,D



A security engineer is asked to update an AW3 CoudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message. "There is a problem with the bucket policy''

What will enable the security engineer to saw the change?

  1. Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console
  2. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console
  3. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  4. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Answer(s): C


Reference:

https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/create-s3- bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix



Viewing page 16 of 108
Viewing questions 76 - 80 out of 532 questions



Post your Comments and Discuss Amazon AWS Certified Security-Specialty exam dumps with other Community members:

AWS Certified Security-Specialty Exam Discussions & Posts

AI Tutor