Amazon AWS Certified Security-Specialty Exam
AWS Certified Security - Specialty (SCS-C01) (Page 7)

Updated On: 30-Jan-2026

An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:



After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

  A. Change the value of aws:MultiFactorAuthPresent to true.
  B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use the resulting values to make API/CLI calls.
  C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
  D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Answer(s): B



A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.

Which solution will meet these requirements?

  A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
  B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
  C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
  D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.

Answer(s): A



While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

  A. In the security group of the EC2 instance, allow inbound ICMP traffic.
  B. In the security group of the EC2 instance, allow outbound ICMP traffic.
  C. In the VPC's NACL, allow inbound ICMP traffic.
  D. In the VPC's NACL, allow outbound ICMP traffic.

Answer(s): D



A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The Security Engineer has verified the following:

1. The rule set in the security groups is correct.
2. The rule set in the network ACLs is correct.
3. The rule set in the virtual appliance is correct.

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

  A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  B. Verify which security group is applied to the particular web server's elastic network interface (ENI).
  C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  D. Verify the registered targets in the ALB.
  E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Answer(s): C,D


Reference:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html



A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.

How should a Security Engineer accomplish this?

  A. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
  C. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

Answer(s): C


