Amazon AWS Certified Security-Specialty Exam (page: 6)
Amazon AWS Certified Security - Specialty (SCS-C01)
Updated on: 24-Mar-2026

A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.

Which solution will meet this requirement?

  A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
  B. Create a table in Amazon Athena for AWS CloudTrail events. Query the table in Amazon Athena for CreateRole events.
  C. Use AWS Config to look up the configuration timeline for the additional IAM roles and view the linked AWS CloudTrail event.
  D. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.

Answer(s): A



A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

  A. One in the US West (Oregon) region and one in the US East (Virginia) region.
  B. Two in the US West (Oregon) region and none in the US East (Virginia) region.
  C. One in the US West (Oregon) region and none in the US East (Virginia) region.
  D. Two in the US East (Virginia) region and none in the US West (Oregon) region.

Answer(s): A

Explanation:

If you want to require HTTPS between viewers and CloudFront, you must change the AWS Region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any Region.


Reference:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html



A company is configuring three Amazon EC2 instances, with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic on ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

· Set up the proxy software on the EC2 instances.

· Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

· Created a security group rule opening inbound TCP ports 80 and 443 on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  A. Put all the proxy EC2 instances in a cluster placement group.
  B. Disable source and destination checks on the proxy EC2 instances.
  C. Open all inbound ports on the proxy EC2 instance security group.
  D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of the proxy EC2 instances.

Answer(s): B



A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the Security team does not want the application's EC2 instance exposed directly to the internet. The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.

What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

  A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
  B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
  C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
  D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

Answer(s): D



A company's security team has defined a set of AWS Config rules that must be enforced globally in all AWS accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?

  A. Use AWS Organizations to limit AWS Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one AWS account.
  B. Use AWS Config aggregation to consolidate the views into one AWS account, and provide role access to the security team.
  C. Consolidate AWS Config rule results with an AWS Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.
  D. Use Amazon GuardDuty to load data results from the AWS Config rules compliance status, aggregate GuardDuty findings of all AWS accounts into one AWS account, and provide role access to the security team.

Answer(s): B



A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE.)

  A. Ensure the KMS key policy allows the AppUser role permission to decrypt with the CMK.
  B. Ensure the S3 bucket policy allows the AppUser role permission to get objects from the S3 bucket.
  C. Ensure the CMK was created before the S3 bucket.
  D. Ensure the S3 Block Public Access feature is enabled for the S3 bucket.
  E. Ensure that automatic key rotation is disabled for the CMK.
  F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Answer(s): A,B,F



A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.

How can the Engineer perform the key rotation process MOST efficiently?

  A. Create a new CMK, and redirect the existing key alias to the new CMK.
  B. Select the option to auto-rotate the key.
  C. Upload new key material into the existing CMK.
  D. Create a new CMK, and change the application to point to the new CMK.

Answer(s): A



A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

  A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
  B. Enable the advanced-instances tier in Systems Manager.
  C. Create a managed-instance activation for the on-premises servers.
  D. Reconfigure the Systems Manager Agent with the activation code and I
  E. Assign an IAM role to all of the on-premises servers.
  F. Initiate an inventory collection with Systems Manager on the on-premises servers.

Answer(s): C,E,F


