Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam Questions
AWS Certified Security - Specialty (SCS-C01) (Page 19 )

Updated On: 28-Feb-2026
Page 19 of 108
PDF with 532 Questions

A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances:

· Block traffic from documented known bad IP addresses

· Detect known software vulnerabilities and CIS Benchmarks compliance.

Which solution addresses these requirements?

  1. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the IAM CLI to retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance
  2. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
  3. Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
  4. Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Answer(s): D



An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.

A Security Engineer must design a solution that meets the following requirements:

· Make the log files available through an IAM managed service.

· Allow for automatic monitoring of the logs.

· Provide an Interlace for analyzing logs.

· Minimize effort.

Which approach meets these requirements^

  1. Modify the application to use the IAM SDK. Write the application logs lo an Amazon S3 bucket
  2. install the unified Amazon CloudWatch agent on the instances Configure the agent to collect the application log dies on the EC2 tile system and send them to Amazon CloudWatch Logs
  3. Install IAM Systems Manager Agent on the instances Configure an automation document to copy the application log files to IAM DeepLens
  4. Install Amazon Kinesis Agent on the instances Stream the application log files to Amazon Kinesis Data Firehose and sot the destination to Amazon Elasticsearch Service

Answer(s): D



A company's security information events management (SIEM) tool receives new IAM CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs

Which of the following are possible causes of this issue? (Select THREE)

  1. The SOS queue does not allow the SQS SendMessage action from the SNS topic
  2. The SNS topic does not allow the SNS Publish action from Amazon S3
  3. The SNS topic is not delivering raw messages to the SQS queue
  4. The S3 bucket policy does not allow CloudTrail to perform the PutObject action
  5. The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic
  6. The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Answer(s): A,D,F



A Developer reported that IAM CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

What should the Security Engineer do to meet these requirements?

  1. Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuration. Send notifications using Amazon SNS.
  2. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings.
    Send email notifications using Amazon SNS.
  3. Update security contact details in IAM account settings for IAM Support to send alertswhen suspicious activity is detected.
  4. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

Answer(s): B



A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket example bucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only.

What should the Security Engineer do to achieve this?

  1. Use envelope encryption with the IAM-managed CMK IAM/s3.
  2. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${IAM:username}" variable.
  3. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  4. Change the applicable IAM policy to grant S3 access to "Resource":
    "arn:IAM:s3:::examplebucket/${IAM:username}/*"

Answer(s): B


Reference:

https://IAM.amazon.com/premiumsupport/knowledge-center/iam-s3-user- specific-folder/



Viewing page 19 of 108
Viewing questions 91 - 95 out of 532 questions



Post your Comments and Discuss Amazon AWS Certified Security-Specialty exam dumps with other Community members:

AWS Certified Security-Specialty Exam Discussions & Posts

AI Tutor