Amazon AWS Certified Security-Specialty Exam
AWS Certified Security - Specialty (SCS-C01) (Page 5)

Updated On: 30-Jan-2026

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes. The software engineering team needs to make changes that will address the audit findings.

Which set of steps should the software engineering team take?

  1. Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.
  2. Use IAM Certificate Manager (ACM) Private Certificate Authority. Encrypt the data in transit.
  3. Use a DynamoDB encryption client. Use client-side encryption and sign the table items.
  4. Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

Answer(s): A



A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead. What should the security team recommend?

  1. Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs. Limit the key process to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
  2. Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
  3. Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
  4. Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

Answer(s): A



A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server but the web server never receives a reply.

Which of the following actions could fix this issue?

  1. Add an inbound rule to the security group associated with the logging server that allows requests from the web server.
  2. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
  3. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.
  4. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

Answer(s): C



A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

Which combination of the following would satisfy these requirements? (Select TWO)

  1. Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM.
  2. Establish network connectivity between on-premises and the user's VPC.
  3. Use Amazon Cognito user pools for application authentication.
  4. Use AD Connector for application authentication.
  5. Set up federated sign-in to IAM through ADFS and SAML.

Answer(s): C,D



A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an IAM CloudFormation template. The Engineer notices instances terminating right after they are launched.

What could be causing these terminations?

  1. The IAM user launching those instances is missing ec2:RunInstances permission.
  2. The AMI used is encrypted and the IAM does not have the required IAM KMS permissions.
  3. The instance profile used with the EC2 instances is unable to query instance metadata.
  4. IAM currently does not have sufficient capacity in the Region.

Answer(s): B


Reference:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/troubleshooting-launch.html



Viewing page 5 of 108
Viewing questions 21 - 25 out of 532 questions


