Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Amazon
  3. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam (page: 1)
Amazon AWS Certified Security - Specialty (SCS-C01)
Updated on: 09-Feb-2026

Viewing Page 1 of 68
AWS Certified Security-Specialty PDF 532 Questions

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

  1. Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate
  2. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.
  3. Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
  4. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Answer(s): B



A global company that deals with International finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using IAM. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining.

How can the security team continue using GuardDuty while meeting these requirements?

  1. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool B'DNS finding and use the suppress findings option
  2. Create a custom IAM Lambda function to process newly detected GuardDuty alerts Process the CryptoCurrency EC2/BitcoinTool BIDNS alert and filter out the high-severity finding types only.
  3. When creating a new Amazon EC2 Instance, provide the instance with a specific tag that indicates it is performing mining operations Create a custom IAM Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag
  4. When GuardDuty produces a cryptocurrency finding, process the finding with a custom IAM Lambda function to extract the instance ID from the finding Then use the IAM Systems Manager Run Command to check for a running process performing mining operations

Answer(s): A



A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

  1. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
  2. Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.
  3. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
  4. Confirm in the CloudTrail Console that each trail is active and healthy.
  5. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
  6. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Answer(s): B,D,F



A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which action would provide the required functionality?

  1. Pass the key alias to IAM KMS when calling Encrypt and Decrypt API actions.
  2. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  3. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  4. Use key policies to restrict access to the appropriate IAM groups.

Answer(s): C

Explanation:

One of the most important and critical concepts in IAM Key Management Service (KMS) for advanced and secure data usage is EncryptionContext. Using EncryptionContext properly can help significantly improve the security of your applications. EncryptionContext is a key- value map (both strings) that is provided to KMS with each encryption and decryption request. EncryptionContext provides three benefits: Additional authenticated data (AAD), Audit trail, Authorization context.


Reference:

https://IAM.amazon.com/blogs/security/how-to-protect-the-integrity-of-your- encrypted-data-by-using-IAM-key-management-service-and-encryptioncontext/



A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

  1. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
  2. Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instancestagged as being in the development environment.
  3. Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
  4. Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances
  5. Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Answer(s): C,D



A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

  1. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.
  2. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.
  3. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
  4. Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS- managed keys (SSE-KMS) to encrypt the data

Answer(s): D

Explanation:

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) When you use Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. Server-Side Encryption with Customer Master Keys (CMKs) Stored in IAM Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service.

When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual IAM KMS data key for every object. It makes a call to IAM KMS every time a request is made against a KMS-encrypted object.


Reference:

References:
https://docs.IAM.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
https://docs.IAM.amazon.com/AmazonS3/latest/dev/bucket-key.html https://docs.IAM.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html



A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

  1. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
  2. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.
  3. The KMS key policy must allow permissions for the developer to use the KMS key.
  4. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.
  5. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Answer(s): B,C



A company uses a third-party identity provider and SAML-based SSO for its IAM accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:



A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

  1. Upload the third-party signing certificate's new private key to the IAM identity providerentity defined in IAM identity and Access Management (IAM) by using the IAM Management Console
  2. Sign the identity provider's metadata file with the new public key Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.
  3. Download the updated SAML metadata tile from the identity service provider Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI
  4. Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Answer(s): C



Viewing Page 1 of 68



Share your comments for Amazon AWS Certified Security-Specialty exam with other users:

Vani 8/10/2023 8:11:00 PM

good questions
NEW ZEALAND


Fares 9/11/2023 5:00:00 AM

good one nice revision
Anonymous


Lingaraj 10/26/2023 1:27:00 AM

i love this thank you i need
Anonymous


Muhammad Rawish Siddiqui 12/5/2023 12:38:00 PM

question # 142: data governance is not one of the deliverables in the document and content management context diagram.
SAUDI ARABIA


al 6/7/2023 10:25:00 AM

most answers not correct here
Anonymous


Bano 1/19/2024 2:29:00 AM

what % of questions do we get in the real exam?
UNITED STATES


Oliviajames 10/25/2023 5:31:00 AM

i just want to tell you. i took my microsoft az-104 exam and passed it. your program was awesome. i especially liked your detailed questions and answers and practice tests that made me well-prepared for the exam. thanks to this website!!!
UNITED STATES


Divya 8/27/2023 12:31:00 PM

all the best
UNITED STATES


KY 1/1/2024 11:01:00 PM

very usefull document
Anonymous


Arun 9/20/2023 4:52:00 PM

nice and helpful questions
INDIA


Joseph J 7/11/2023 2:53:00 PM

i found the questions helpful
UNITED STATES


Meg 10/12/2023 8:02:00 AM

q 105 . ans is d
INDIA


Navaneeth S 7/14/2023 7:57:00 AM

i have interest to get a sybase iq dba certification
UNITED STATES


Aish 10/11/2023 5:27:00 AM

want to pass exm.
INDIA


Anonymous 6/12/2023 7:23:00 AM

are the answers correct?
INDIA


Kris 7/7/2023 9:43:00 AM

good morning, could you please upload this exam again, i need it to test my knowledge in sd-wan with version 7.0.
Anonymous


Meghraj mali 10/7/2023 1:47:00 PM

very nice question
CANADA


Noel 11/1/2022 9:14:00 PM

i have learning disability and this exam dumps allowed me to focus on the actual questions and not worry about notes and the those other study materials.
SOUTH AFRICA


Jas 10/25/2023 6:01:00 PM

165 should be apt
UNITED STATES


Neetu 6/22/2023 8:41:00 AM

please upload the dumps, real need of them
Anonymous


Mark 10/24/2023 1:34:00 AM

any recent feeedback?
UNITED STATES


Gopinadh 8/9/2023 4:05:00 AM

question number 2 is indicating you are giving proper questions. observe and change properly.
Anonymous


Santhi 1/1/2024 8:23:00 AM

passed today.40% questions were new.litwere case study,lots of new questions on afd,ratelimit,tm,lb,app gatway.got 2 set series of questions which are not present here.questions on azure cyclecloud, no.of vnet/vms required for implimentation,blueprints assignment/management group etc
INDIA


Raviraj Magadum 1/12/2024 11:39:00 AM

practice test
INDIA


sivaramakrishnan 7/27/2023 8:12:00 AM

want the dumps for emc content management server programming(cmsp)
Anonymous


Aderonke 10/23/2023 1:52:00 PM

brilliant and helpful
UNITED KINGDOM


Az 9/16/2023 2:43:00 PM

q75. azure files is pass
SWITZERLAND


ketty 11/9/2023 8:10:00 AM

very helpful
Anonymous


Sonail 5/2/2022 1:36:00 PM

thank you for these questions. it helped a lot.
UNITED STATES


Shariq 7/28/2023 8:00:00 AM

how do i get the h12-724 dumps
Anonymous


adi 10/30/2023 11:51:00 PM

nice data dumps
Anonymous


EDITH NCUBE 7/25/2023 7:28:00 AM

answers are correct
SOUTH AFRICA


Raja 6/20/2023 4:38:00 AM

good explanation
UNITED STATES


BigMouthDog 1/22/2022 8:17:00 PM

hi team just want to know if there is any update version of the exam 350-401
AUSTRALIA