Amazon AWS Certified Security-Specialty Exam
AWS Certified Security - Specialty (SCS-C01) (Page 9)

Updated On: 30-Jan-2026

A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores its logs in Amazon S3 and Amazon CloudWatch Logs.

The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked.

Which set of actions will identify the suspect attacker's IP address for future occurrences?

  1. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
  2. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
  3. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
  4. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

Answer(s): D

Explanation:

You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose.


Reference:

https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
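To show what the Athena step in option 4 amounts to, here is an added example (not from the original page) that parses constructed AWS WAF log records in the JSON Lines form Firehose delivers to S3 and counts requests to new-user-creation.php by client IP; the IP addresses, request IDs and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample records (hypothetical values) in the shape of AWS WAF logs
# as delivered by Kinesis Data Firehose: one JSON object per line. Field names
# follow the WAF log format (httpRequest.clientIp, httpRequest.uri, action).
SAMPLE_WAF_LOGS = """\
{"timestamp":1700000000000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.23","country":"US","httpMethod":"POST","uri":"/new-user-creation.php","args":"","requestId":"req-1"}}
{"timestamp":1700000001000,"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.7","country":"DE","httpMethod":"GET","uri":"/index.php","args":"","requestId":"req-2"}}
{"timestamp":1700000002000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.23","country":"US","httpMethod":"POST","uri":"/new-user-creation.php","args":"","requestId":"req-3"}}
{"timestamp":1700000003000,"action":"BLOCK","httpRequest":{"clientIp":"192.0.2.99","country":"CN","httpMethod":"POST","uri":"/new-user-creation.php","args":"","requestId":"req-4"}}
"""


def count_hits_by_ip(log_text, target_uri="/new-user-creation.php"):
    """Return {clientIp: request count} for records whose URI equals target_uri.

    Blank lines are skipped; malformed lines raise, which is what you want when
    triaging an incident rather than silently dropping evidence.
    """
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        request = record.get("httpRequest", {})
        if request.get("uri") == target_uri:
            counts[request.get("clientIp")] += 1
    return dict(counts)


def top_suspect(log_text, target_uri="/new-user-creation.php"):
    """Return the client IP with the most requests to target_uri, or None."""
    counts = count_hits_by_ip(log_text, target_uri)
    if not counts:
        return None
    return max(counts.items(), key=lambda item: item[1])[0]


# The same aggregation over the Firehose-delivered objects in S3, as an Athena
# query (assumes a table whose httprequest column is a struct, as in the AWS
# WAF log schema):
#   SELECT httprequest.clientip, count(*) AS hits
#   FROM waf_logs
#   WHERE httprequest.uri = '/new-user-creation.php'
#   GROUP BY httprequest.clientip ORDER BY hits DESC;

if __name__ == "__main__":
    print(count_hits_by_ip(SAMPLE_WAF_LOGS))
    print("top suspect:", top_suspect(SAMPLE_WAF_LOGS))
```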



A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:

· Data must be encrypted in transit.

· Data must be encrypted at rest.

· The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.

Which combination of steps would meet the requirements? (Select THREE.)

  1. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
  2. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
  3. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
  4. Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.
  5. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
  6. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Answer(s): B,D,F



A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:




The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?

  1. Move the account to a new OU and deny IAM:* permissions.
  2. Add a Deny policy for all non-S3 services at the account level.
  3. Change the policy to:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowS3",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }
  4. Detach the default FullAWSAccess SCP

Answer(s): D

Explanation:

Every root, OU, and account must have at least one SCP attached. If you want to replace the default FullAWSAccess policy with an SCP that limits the permissions that can be delegated, you must attach the replacement SCP before you can remove the default SCP. This is the authorization strategy of an "allow list". If you instead attach a second SCP and leave the FullAWSAccess SCP still attached, and specify "Effect": "Deny" in the second SCP to override the "Effect": "Allow" in the FullAWSAccess policy (or any other attached SCP), you're using the authorization strategy of a "deny list".


Reference:

https://docs.aws.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html
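As an added illustration of the allow-list versus deny-list point above (example code, not AWS's own policy evaluation engine), this simplified model of SCP evaluation shows why an SCP that allows only s3:* has no effect while FullAWSAccess stays attached, and how a Deny-based SCP achieves the same restriction without detaching it. The policy documents are constructed, and only Action/NotAction wildcard matching is modelled (no conditions, resources or IAM identity policies).

```python
import fnmatch

# Simplified SCP semantics: an action passes the SCP layer only if at least one
# attached SCP statement explicitly allows it AND no attached statement denies it.
# IAM identity/resource policies are a separate layer and are not modelled here.

FULL_AWS_ACCESS = {  # the default SCP Organizations attaches to every root/OU/account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

ALLOW_S3_ONLY = {  # allow-list SCP from the question: only S3 is explicitly allowed
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

DENY_NON_S3 = {  # deny-list alternative: keep FullAWSAccess, deny everything but S3
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    """Does this statement apply to `action`? Handles Action and NotAction wildcards."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return False


def scp_permits(attached_scps, action):
    """True if the combined set of attached SCPs lets `action` through."""
    allowed = False
    for scp in attached_scps:
        for stmt in scp["Statement"]:
            if not _statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny in any SCP always wins
            allowed = True
    return allowed


if __name__ == "__main__":
    # Engineer's situation: AllowS3 added, FullAWSAccess still attached -> IAM calls pass.
    print(scp_permits([FULL_AWS_ACCESS, ALLOW_S3_ONLY], "iam:CreateUser"))
    # After detaching FullAWSAccess (answer D) the allow list takes effect.
    print(scp_permits([ALLOW_S3_ONLY], "iam:CreateUser"))
```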



Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE.)

  1. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
  2. The internet gateway of the VPC has been reconfigured
  3. The security group denies outbound traffic on ephemeral ports
  4. The route table is missing a route to the internet gateway
  5. The NACL denies outbound traffic on ephemeral ports
  6. The host-based firewall is denying SSH traffic

Answer(s): B,D,F



A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

  1. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
  2. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
  3. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
  4. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers

Answer(s): A


