Amazon SCS-C01 Exam Dumps

AWS Certified Security - Specialty

Amazon SCS-C01 Sample Questions

Question # 1

A company's engineering team is developing a new application that creates AWS KeyManagement Service (AWS KMS) CMK grants for users immediately after a grant IScreated users must be able to use the CMK tu encrypt a 512-byte payload. During loadtesting, a bug appears |intermittently where AccessDeniedExceptions are occasionallytriggered when a user rst attempts to encrypt using the CMKWhich solution should the c0mpany‘s security specialist recommend‘?

A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users, and to callthe CreateGrant operation, passing it the grant token. Instruct use to use that grant token intheir call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling theCreateGrant operation. Return the name to the users and instruct them to provide thename as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrantresponse to users. Instruct users to use that grant token in their call to encrypt.

Answer: D

Show Answer

Question # 2

A company has an application that uses an Amazon RDS PostgreSQL database. Thecompany is developing an application feature that will store sensitive information for anindividual in the database.During a security review of the environment, the company discovers that the RDS DBinstance is not encrypting data at rest. The company needs a solution that will provideencryption at rest for all the existing data and for any new data that is entered for anindividual.Which combination of options can the company use to meet these requirements? (SelectTWO.)

A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, andenable encryption for the copy process. Use the new snapshot to restore the DB instance.
B. Modify the configuration of the DB instance by enabling encryption. Create a snapshotof the DB instance. Use the snapshot to restore the DB instance.
C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managedawa/rds key. Select this key as the encryption key for operations with Amazon RDS.
D. Use AWS Key Management Service (AWS KMS] to create a new CMK. Select this keyas the encryption key for operations with Amazon RDS.
E. Create a snapshot of the DB instance. Enable encryption on the snapshoVUse thesnapshot to restore the DB instance.

Answer: C,E

Show Answer

Question # 3

A company is using AWS Organizations. The company wants to restrict AWS usage to theeu-west-1 Region for all accounts under an OU that is named "development." The solutionmust persist restrictions to existing and new AWS accounts under the development OU.

Answer: A

Show Answer

Question # 4

An audit determined that a company's Amazon EC2 instance security group violatedcompany policy by allowing unrestricted incoming SSH traffic. A security engineer mustimplement a near-real-time monitoring and alerting solution that will notify administrators ofsuch violations.Which solution meets these requirements with the MOST operational efficiency?

A. Create a recurring Amazon Inspector assessment run that runs every day and uses theNetwork Reachability package. Create an Amazon CloudWatch rule that invokes an AWSLambda function when an assessment run starts. Configure the Lambda function toretrieve and evaluate the assessment run report when it completes. Configure the Lambdafunction also to publish an Amazon Simple Notification Service (Amazon SNS) notificationif there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security groupconfiguration changes that are not compliant. Use the AWS Config remediation feature topublish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC. and specify an Amazon CloudWatch Logsgroup. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses newlog entries, detects successful connections on port 22, and publishes a notification throughAmazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses theSecurity Best Practices package. Create an Amazon CloudWatch rule that invokes anAWS Lambda function when an assessment run starts. Configure the Lambda function toretrieve and evaluate the assessment run report when it completes. Configure the Lambdafunction also to publish an Amazon Simple Notification Service (Amazon SNS) notificationif there are any violations for unrestricted incoming SSH traffic.

Answer: A

Show Answer

Question # 5

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B. Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Answer: A,D

Show Answer

Question # 6

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented Which statement should the security specialist include in the policy?

Answer: A

Show Answer

Question # 7

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition , it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below Please select:

A. Enable bucket versioning and also enable CRR
B. Enable bucket versioning and enable Master Pays
C. For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}} i
D. Enable the Bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}

Answer: A,C

Show Answer

Question # 8

A company is building an application on AWS that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.What should the security engineer recommend?

A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
B. Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Answer: C

Show Answer

Question # 9

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received.What should the Security Engineer do to troubleshoot this issue?

D.

Answer: D

Show Answer

Question # 10

A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt formanaging the accounts. Please select:

A. Use multiple VPCs in the account each VPC for each department
B. Use multiple IAM groups, each group for each department
C. Use multiple IAM roles, each group for each department
D. Use multiple AWS accounts, each account for each department

Answer: D

Show Answer

Question # 11

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure- * sgLB - associated with the ELB * sgWeb - associated with the EC2 instances. * sgDB - associated with the database * sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional? Please select: 

A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0 sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range 
B. sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgLB sgBastion: allow port 22 traffic from the VPC IP address range 
C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the VPC IP address range 
D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :al!ow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range 

Answer: D

Show Answer

Question # 12

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.What is the MOST efficient way to implement this solution?

A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.

Answer: B

Show Answer

Question # 13

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial? A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database. The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales. Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
B. Place the DB instance in a public subnet.
C. Place the DB instance in a private subnet.
D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
F. Deploy the ALB in a private subnet.

Answer: A,C,E

Show Answer

Question # 14

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user thatterminated a production Amazon EC2 instance a week ago.What is the FASTEST way for the security engineer to identify the federated user?

A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the Terminatelnstances event and identify the assumed 1AM role. Review the AssumeRoleWithSAML event call in CloudTrail to identifythe corresponding username.
C. Search the AWS CloudTrail logs for the Terminatelnstances event and note the event time. Review the 1AM Access Advisor tab for all federated roles. The last accessed timeshould match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the correspondingrole and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Answer: B

Show Answer

Question # 15

A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager ParameterStore. However, the development team receives an error message on each attempt.Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

A. The CMK that is used in the attempt does not exist.
B. The CMK that is used in the attempt needs to be rotated.
C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK that is used in the attempt is not enabled.
E. The CMK that is used in the attempt is using an alias.

Answer: A,D

Show Answer

Question # 16

When managing permissions for the API gateway, what can be used to ensure that the right level of permissions are given to developers, IT admins and users? These permissions should be easily managed.Please select:

A. Use the secure token service to manage the permissions for the different users
B. Use IAM Policies to create different policies for the different types of users.
C. Use the AWS Config tool to manage the permissions for the different users
D. Use IAM Access Keys to create sets of keys for the different types of users.

Answer: B

Show Answer

Question # 17

A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.Which solution meets these requirements?

A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Answer: C

Show Answer

Question # 18

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.Which steps should the security engineer take to meet these requirements?

A. Add full Amazon Inspector 1AM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B. Ensure that AWS Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C. Ensure that AWS Config. is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Answer: A

Show Answer

Question # 19

Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. They have their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis. Choose 2 answers from the options given below Please select:

A. Create an IAM user in the company account
B. Create an IAM Role in the company account
C. Ensure the IAM user has access for read-only to the S3 buckets
D. Ensure the IAM Role has access for read-only to the S3 buckets

Answer: B,D

Show Answer

Question # 20

A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. Whatshould a security engineer do to ensure that the EC2 instances are logged?

A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS. 
C. Use AWS DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.

Answer: C

Show Answer

Question # 21

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate theTLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.How can a security engineer meet this requirement?

A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
C. Create an HTTPS listener that uses the Server Order Preference security feature.
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Answer: A

Show Answer

Question # 22

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an AWS Lambda function m an AWS CodeCommit repository in the DevOps accountHow should the security learn securely store the API key?

A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) tor encryption Require the development team to migrate the Lambdasource code to this repository
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the AWS CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AMrole used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AMrole used by the Lambda function so that the function can decrypt the key at runtime

Answer: C

Show Answer

Question # 23

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engineer do next?

A. Place the network interface in promiscuous mode to capture the traffic.
B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
D. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.

Answer: D

Show Answer

Question # 24

You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?Please select:

A. Add the keys to the backend distribution.
B. Add the keys to the S3 bucket
C. Create pre-signed URL's
D. Use AWS Access keys

Answer: C

Show Answer