Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Amazon
  3. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam (page: 10)
Amazon AWS Certified Security - Specialty (SCS-C01)
Updated on: 24-Mar-2026

Viewing Page 10 of 68
AWS Certified Security-Specialty PDF 532 Questions

An IAM account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:



After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the IAM CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

  1. Change the value of IAM MultiFactorAuthPresent to true.
  2. Instruct users to run the IAM sts get-session-token CLI command and pass the multi- factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls
  3. Implement federated API/CLI access using SAML 2.0, then configure the identityprovider to enforce multi-factor authentication.
  4. Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Answer(s): B



Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

  1. Deploy IAM WAF to block all unsecured web applications from accessing the internet.
  2. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
  3. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
  4. Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.
  5. Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

Answer(s): B,D



A security engineer is asked to update an AW3 CoudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message. "There is a problem with the bucket policy''

What will enable the security engineer to saw the change?

  1. Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console
  2. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console
  3. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  4. Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Answer(s): C


Reference:

https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/create-s3- bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix



An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

  1. Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
  2. Move the web servers to private subnets without public IP addresses.
  3. Configure IAM WAF to provide DDoS attack protection for the ALB.
  4. Require all inbound network traffic to route through a bastion host in the private subnet.
  5. Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Answer(s): B,C



A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The solution must minimize management overhead.

How should the security team prevent privilege escalation for both teams?

  1. Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  2. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  3. Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team
  4. Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

Answer(s): A



A financial institution has the following security requirements:

Cloud-based users must be contained in a separate authentication domain. Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

  1. Configure an IAM Managed Microsoft AD to manage the cloud resources.
  2. Configure an additional on-premises Active Directory service to manage the cloud resources.
  3. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
  4. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
  5. Establish a two-way trust between the new and existing Active Directory services.

Answer(s): A,D

Explanation:

Deploy a new forest/domain on IAM with one-way trust. If you are planning on leveraging credentials from an on-premises AD on IAM member servers, you must establish at least a one-way trust to the Active Directory running on IAM. In this model, the IAM domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain.


Reference:

https://d1.IAMstatic.com/whitepapers/adds-on- IAM.pdf
https://docs.IAM.amazon.com/directoryservice/latest/admin- guide/directory_microsoft_ad.html



A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an IAM CloudFormation template. The Engineer notices instances terminating right after they are launched.

What could be causing these terminations?

  1. The IAM user launching those instances is missing ec2:Runinstances permission.
  2. The AMI used as encrypted and the IAM does not have the required IAM KMS permissions.
  3. The instance profile used with the EC2 instances in unable to query instance metadata.
  4. IAM currently does not have sufficient capacity in the Region.

Answer(s): B


Reference:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/troubleshooting- launch.html



A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

When coma nation of the following would satisfy these requirements? (Select TWO)

  1. Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM
  2. Establish network connectivity between on-premises and the user's VPC
  3. Use Amazon Cognito user pools for application authentication
  4. Use AD Connector tor application authentication.
  5. Set up federated sign-in to IAM through ADFS and SAML.

Answer(s): C,D



Viewing Page 10 of 68



Share your comments for Amazon AWS Certified Security-Specialty exam with other users:

Neetu 6/22/2023 8:41:00 AM

please upload the dumps, real need of them
Anonymous


Mark 10/24/2023 1:34:00 AM

any recent feeedback?
UNITED STATES


Gopinadh 8/9/2023 4:05:00 AM

question number 2 is indicating you are giving proper questions. observe and change properly.
Anonymous


Santhi 1/1/2024 8:23:00 AM

passed today.40% questions were new.litwere case study,lots of new questions on afd,ratelimit,tm,lb,app gatway.got 2 set series of questions which are not present here.questions on azure cyclecloud, no.of vnet/vms required for implimentation,blueprints assignment/management group etc
INDIA


Raviraj Magadum 1/12/2024 11:39:00 AM

practice test
INDIA


sivaramakrishnan 7/27/2023 8:12:00 AM

want the dumps for emc content management server programming(cmsp)
Anonymous


Aderonke 10/23/2023 1:52:00 PM

brilliant and helpful
UNITED KINGDOM


Az 9/16/2023 2:43:00 PM

q75. azure files is pass
SWITZERLAND


ketty 11/9/2023 8:10:00 AM

very helpful
Anonymous


Sonail 5/2/2022 1:36:00 PM

thank you for these questions. it helped a lot.
UNITED STATES


Shariq 7/28/2023 8:00:00 AM

how do i get the h12-724 dumps
Anonymous


adi 10/30/2023 11:51:00 PM

nice data dumps
Anonymous


EDITH NCUBE 7/25/2023 7:28:00 AM

answers are correct
SOUTH AFRICA


Raja 6/20/2023 4:38:00 AM

good explanation
UNITED STATES


BigMouthDog 1/22/2022 8:17:00 PM

hi team just want to know if there is any update version of the exam 350-401
AUSTRALIA


francesco 10/30/2023 11:08:00 AM

helpful on 2017 scrum guide
EUROPEAN UNION


Amitabha Roy 10/5/2023 3:16:00 AM

planning to attempt for the exam.
Anonymous


Prem Yadav 7/29/2023 6:20:00 AM

pleaseee upload
INDIA


Ahmed Hashi 7/6/2023 5:40:00 PM

thanks ly so i have information cia
EUROPEAN UNION


mansi 5/31/2023 7:58:00 AM

hello team, i need sap qm dumps for practice
INDIA


Jamil aljamil 12/4/2023 4:47:00 AM

it’s good but not senatios based
UNITED KINGDOM


Cath 10/10/2023 10:19:00 AM

q.119 - the correct answer is b - they are not captured in an update set as theyre data.
VIET NAM


P 1/6/2024 11:22:00 AM

good matter
Anonymous


surya 7/30/2023 2:02:00 PM

please upload c_sacp_2308
CANADA


Sasuke 7/11/2023 10:30:00 PM

please upload the dump. thanks very much !!
Anonymous


V 7/4/2023 8:57:00 AM

good questions
UNITED STATES


TTB 8/22/2023 5:30:00 AM

hi, could you please update the latest dump version
Anonymous


T 7/28/2023 9:06:00 PM

this question is keep repeat : you are developing a sales application that will contain several azure cloud services and handle different components of a transaction. different cloud services will process customer orders, billing, payment, inventory, and shipping. you need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using xml messages. what should you include in the recommendation?
NEW ZEALAND


Gurgaon 9/28/2023 4:35:00 AM

great questions
UNITED STATES


wasif 10/11/2023 2:22:00 AM

its realy good
UNITED ARAB EMIRATES


Shubhra Rathi 8/26/2023 1:12:00 PM

oracle 1z0-1059-22 dumps
Anonymous


Leo 7/29/2023 8:48:00 AM

please share me the pdf..
INDIA


AbedRabbou Alaqabna 12/18/2023 3:10:00 AM

q50: which two functions can be used by an end user when pivoting an interactive report? the correct answer is a, c because we do not have rank in the function pivoting you can check in the apex app
GREECE


Rohan Limaye 12/30/2023 8:52:00 AM

best to practice
Anonymous