Amazon AWS Certified Security-Specialty Exam Questions
AWS Certified Security - Specialty (SCS-C01) (Page 7)

Updated On: 24-Feb-2026

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

· A trusted forensic environment must be provisioned

· Automated response processes must be orchestrated

Which AWS services should be included in the plan? (Select TWO)

  A. AWS CloudFormation
  B. Amazon GuardDuty
  C. Amazon Inspector
  D. Amazon Macie
  E. AWS Step Functions

Answer(s): A,E



A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.

How can this task be accomplished?

  A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
  C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
  D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

Answer(s): A
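Answer A finds the instances that were launched with the compromised key pair, which is what the question asks for; the KeyName attribute is fixed at launch, so a copy of the key that was later pushed into a user's authorized_keys does not show up in that query. The Python below is an added example (not part of the original question and not AWS tooling): it applies the same key-name selection to a constructed describe-instances response, then computes OpenSSH SHA256 fingerprints so the same key can be hunted in authorized_keys files collected from the candidate hosts. The instance IDs, key names and key blobs are made up; the response shape follows the EC2 API.

```python
import base64
import binascii
import hashlib
import json
import sys
from typing import Dict, List

# Constructed sample shaped like a trimmed `aws ec2 describe-instances --output json`
# response (not real instances). Only the fields used below are kept.
SAMPLE_DESCRIBE_INSTANCES: Dict = {"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001", "KeyName": "prod-bastion-2023",
         "State": {"Name": "running"}, "PlatformDetails": "Linux/UNIX",
         "Tags": [{"Key": "Name", "Value": "bastion-a"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60002", "KeyName": "ops-shared",
         "State": {"Name": "running"}, "PlatformDetails": "Linux/UNIX"}]},
    {"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60003", "KeyName": "prod-bastion-2023",
         "State": {"Name": "stopped"}, "PlatformDetails": "Linux/UNIX"},
        # On Windows the launch key pair only decrypts the administrator password.
        {"InstanceId": "i-0a1b2c3d4e5f60004", "KeyName": "prod-bastion-2023",
         "State": {"Name": "running"}, "PlatformDetails": "Windows"},
        # Launched with no key pair at all: KeyName is absent.
        {"InstanceId": "i-0a1b2c3d4e5f60005",
         "State": {"Name": "running"}, "PlatformDetails": "Linux/UNIX"}]}]}


def instances_using_key(describe_output: Dict, key_name: str,
                        linux_only: bool = True) -> List[Dict[str, str]]:
    """Instances whose *launch* key pair is `key_name`.

    Same selection as `aws ec2 describe-instances --filters "Name=key-name,Values=<key>"`.
    KeyName is fixed at launch, so this only finds hosts started with the
    compromised key; a key added to ~/.ssh/authorized_keys later is invisible
    here (the fingerprint helpers below cover that follow-up).
    """
    hits = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("KeyName") != key_name:
                continue
            if linux_only and inst.get("PlatformDetails", "").startswith("Windows"):
                continue
            name = next((t["Value"] for t in inst.get("Tags", [])
                         if t["Key"] == "Name"), "")
            hits.append({"InstanceId": inst["InstanceId"],
                         "State": inst.get("State", {}).get("Name", ""),
                         "Name": name})
    return hits


SSH_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def openssh_sha256_fingerprint(pubkey_line: str) -> str:
    """OpenSSH fingerprint (what `ssh-keygen -lf` prints) of a public key line:
    SHA-256 over the base64-decoded key blob, base64-encoded without padding.
    Tolerates authorized_keys option prefixes such as `no-pty,from="..."`."""
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in SSH_KEY_TYPES:
            digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no OpenSSH public key found in line")


def authorized_keys_matching(authorized_keys: str, fingerprint: str) -> List[str]:
    """Lines of an authorized_keys file carrying the key with `fingerprint`.
    Run this against each candidate host (e.g. via SSM Run Command) to catch
    copies of the compromised key that the key-name filter cannot see."""
    matches = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if openssh_sha256_fingerprint(line) == fingerprint:
                matches.append(line)
        except (ValueError, binascii.Error):
            continue  # malformed or non-key lines are skipped
    return matches


# Constructed key blobs (random bytes, not real keys) so the block runs stand-alone.
COMPROMISED_PUBKEY = ("ssh-ed25519 "
                      + base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x01" * 36).decode()
                      + " ops@laptop")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for ec2-user",
    "ssh-ed25519 " + base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x02" * 36).decode()
    + " alice@laptop",
    'no-pty,from="10.0.0.0/8" ' + COMPROMISED_PUBKEY,
])

if __name__ == "__main__":
    # Pipe `aws ec2 describe-instances --output json` in, or run with the sample.
    data = SAMPLE_DESCRIBE_INSTANCES if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(instances_using_key(data, "prod-bastion-2023"), indent=2))
    fp = openssh_sha256_fingerprint(COMPROMISED_PUBKEY)
    print(fp, authorized_keys_matching(SAMPLE_AUTHORIZED_KEYS, fp))
```

The fingerprint computed here is the OpenSSH SHA256 form, not the fingerprint the EC2 console shows for a key pair (the console uses an MD5 or SHA-1 digest of the DER encoding, depending on whether the key was imported or AWS-generated), so derive it from the public key file you hold rather than copying the console value.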



A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:




How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  B. Add an IAM policy for the Developer, which grants S3 access.
  C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  D. Add an allow list for the Developer account for the S3 service.

Answer(s): C



A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

  A. Create an AWS Config rule defining the patch as a required configuration for EC2 instances.
  B. Use the AWS Systems Manager Run Command to patch affected instances.
  C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances.
  D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.

Answer(s): B



A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

  A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
  B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
  C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
  D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

Answer(s): D

Explanation:

"For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."


Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/
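The Config rule in answer D reacts to IAM resource changes; the same signal is in the CloudTrail trail the answer creates, where each policy change is a management event from iam.amazonaws.com. As an added example (not from the original page and not an AWS artifact), the Python below runs that detection over a few constructed CloudTrail records (the account ID, principals, IPs and times are made up), suppressing an allow-listed deployment role while still reporting denied attempts, and emits the equivalent CloudWatch Logs metric filter pattern for a trail that is also delivered to a log group.

```python
from typing import Dict, FrozenSet, Iterable, List

# IAM API calls that change who may do what. A Config rule, an EventBridge
# rule, or a CloudWatch Logs metric filter over the CloudTrail trail all key
# on this same set of event names.
IAM_POLICY_MUTATIONS: FrozenSet[str] = frozenset({
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion", "AttachUserPolicy", "DetachUserPolicy",
    "PutUserPolicy", "DeleteUserPolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutRolePolicy", "DeleteRolePolicy", "AttachGroupPolicy", "DetachGroupPolicy",
    "PutGroupPolicy", "DeleteGroupPolicy", "UpdateAssumeRolePolicy",
})

# Constructed CloudTrail records (made-up account, principals, IPs and times),
# trimmed to the fields used below.
SAMPLE_RECORDS: List[Dict] = [
    {"eventTime": "2026-02-20T09:14:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app-prod",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2026-02-20T09:20:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy-bot/ci-8841",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/deploy-bot"}}},
     "requestParameters": {"userName": "svc-reports", "policyName": "reports-inline"}},
    {"eventTime": "2026-02-20T09:21:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "audit-archive"}},
    {"eventTime": "2026-02-20T09:30:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRolePolicy", "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"roleName": "app-prod", "policyName": "deny-deletes"}},
    {"eventTime": "2026-02-20T09:31:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicy", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]


def principal_of(record: Dict) -> str:
    """Stable identity behind a record: the issuing role for assumed-role
    sessions (the session ARN changes every time), otherwise the caller ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ident.get("arn", "unknown")


def detect_policy_changes(records: Iterable[Dict],
                          allowed_principals: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Findings for IAM policy mutations. Successful calls by allow-listed
    principals (e.g. the deployment pipeline role) are suppressed; denied
    attempts are always reported, because a failed privilege change by an
    unexpected caller is itself worth a look."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in IAM_POLICY_MUTATIONS:
            continue
        who = principal_of(rec)
        denied = "errorCode" in rec
        if who in allowed_principals and not denied:
            continue
        params = rec.get("requestParameters") or {}
        target = (params.get("roleName") or params.get("userName")
                  or params.get("groupName") or params.get("policyArn") or "?")
        findings.append({"time": rec.get("eventTime"), "principal": who,
                         "event": rec["eventName"], "target": target,
                         "outcome": "denied" if denied else "succeeded",
                         "sourceIp": rec.get("sourceIPAddress")})
    return findings


def metric_filter_pattern() -> str:
    """CloudWatch Logs filter pattern matching the same events, for a trail
    that is also delivered to a log group (the CIS-benchmark style alarm)."""
    clauses = " || ".join(f"($.eventName = {name})" for name in sorted(IAM_POLICY_MUTATIONS))
    return "{ " + clauses + " }"


if __name__ == "__main__":
    deploy_role = frozenset({"arn:aws:iam::123456789012:role/deploy-bot"})
    for f in detect_policy_changes(SAMPLE_RECORDS, deploy_role):
        print(f"{f['time']} {f['outcome']:9} {f['event']} on {f['target']} "
              f"by {f['principal']} from {f['sourceIp']}")
    print(metric_filter_pattern())
```

Keep the event list and the allow-list in one place: the same set drives the alarm pattern and the triage logic, so a new IAM API call (or a new pipeline role) is added once rather than in two diverging copies.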





