Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Amazon
  3. AWS Certified Security-Specialty

Amazon AWS Certified Security-Specialty Exam (page: 7)
Amazon AWS Certified Security - Specialty (SCS-C01)
Updated on: 24-Mar-2026

Viewing Page 7 of 68
AWS Certified Security-Specialty PDF 532 Questions

A Security Engineer for a large company is managing a data processing application used by 1, 500 subsidiary companies. The parent and subsidiary companies all use IAM. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary

What solution should the Engineer use to implement the appropriate access restrictions for the application?

  1. Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
  2. Create an IAM security group to allow access on TCP port 443 from the 1, 500 subsidiary CIDR block ranges. Associate the security group to the NL Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
  3. Create an IAM PrivateLink endpoint service in the parent company account attached to the NLB. Create an IAM security group for the instances to allow access on TCP port 443 from the IAM PrivateLink endpoint. Use IAM PrivateLink interface endpoints in the 1, 500 subsidiary IAM accounts to connect to the data processing application.
  4. Create an IAM security group to allow access on TCP port 443 from the 1, 500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Answer(s): D



A security engineer has noticed that VPC Flow Logs are getting a lot REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

What immediate action should the security engineer take?

  1. Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.
  2. Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.
  3. Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance toperform a scan.
  4. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Answer(s): B



A security engineer needs to configure monitoring and auditing for IAM Lambda.

Which combination of actions using IAM services should the security engineer take to accomplish this goal? (Select TWO.)

  1. Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  2. Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
  3. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
  4. Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  5. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

Answer(s): A,B



Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

  1. Default IAM Certificate Manager certificate
  2. Custom SSL certificate stored in IAM KMS
  3. Default CloudFront certificate
  4. Custom SSL certificate stored in IAM Certificate Manager
  5. Default SSL certificate stored in IAM Secrets Manager
  6. Custom SSL certificate stored in IAM IAM

Answer(s): A,C,D



A company has several production IAM accounts and a central security IAM account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly.

Which combination of actions would build the required solution? (Choose three.)

  1. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  2. Enable Amazon GuardDuty in the security account. and join the production accounts as members.
  3. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  4. Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  5. Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  6. Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Answer(s): D,E,F



A security engineer need to ensure their company's uses of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.

Which solution meets these requirements?

  1. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
  2. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
  3. Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.
  4. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Answer(s): A



An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:

· IAM IAM federated with on-premises Active Directory

· Amazon Cognito user pools to accessing an IAM Cloud application developed by the company

Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

  1. Update the password length policy In the on-premises Active Directory configuration.
  2. Update the password length policy In the IAM configuration.
  3. Enforce an IAM policy In Amazon Cognito and IAM IAM with a minimum password length condition.
  4. Update the password length policy in the Amazon Cognito configuration.
  5. Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Answer(s): A,D



A company has hundreds of IAM accounts, and a centralized Amazon S3 bucket used to collect IAM CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company's IAM account.

How should the company accomplish this with the least amount of administrative overhead?

  1. Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.
  2. Use the events history/feature of the CloudTrail console to query the CloudTrail trails.
  3. Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
  4. Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Answer(s): D



Viewing Page 7 of 68



Share your comments for Amazon AWS Certified Security-Specialty exam with other users:

dixitdnoh@gmail.com 8/27/2023 2:58:00 PM

this website is very helpful.
UNITED STATES


Sanjay 8/14/2023 8:07:00 AM

good content
INDIA


Blessious Phiri 8/12/2023 2:19:00 PM

so challenging
Anonymous


PAYAL 10/17/2023 7:14:00 AM

17 should be d ,for morequery its scale out
Anonymous


Karthik 10/12/2023 10:51:00 AM

nice question
Anonymous


Godmode 5/7/2023 10:52:00 AM

yes.
NETHERLANDS


Bhuddhiman 7/30/2023 1:18:00 AM

good mateial
Anonymous


KJ 11/17/2023 3:50:00 PM

good practice exam
Anonymous


sowm 10/29/2023 2:44:00 PM

impressivre qustion
Anonymous


CW 7/6/2023 7:06:00 PM

questions seem helpful
Anonymous


luke 9/26/2023 10:52:00 AM

good content
Anonymous


zazza 6/16/2023 9:08:00 AM

question 21 answer is alerts
ITALY


Abwoch Peter 7/4/2023 3:08:00 AM

am preparing for exam
Anonymous


mohamed 9/12/2023 5:26:00 AM

good one thanks
EGYPT


Mfc 10/23/2023 3:35:00 PM

only got thru 5 questions, need more to evaluate
Anonymous


Whizzle 7/24/2023 6:19:00 AM

q26 should be b
Anonymous


sarra 1/17/2024 3:44:00 AM

the aaa triad in information security is authentication, accounting and authorisation so the answer should be d 1, 3 and 5.
UNITED KINGDOM


DBS 5/14/2023 12:56:00 PM

need to attend this
UNITED STATES


Da_costa 8/1/2023 5:28:00 PM

these are free brain dumps i understand, how can one get free pdf
Anonymous


vikas 10/28/2023 6:57:00 AM

provide access
EUROPEAN UNION


Abdullah 9/29/2023 2:06:00 AM

good morning
Anonymous


Raj 6/26/2023 3:12:00 PM

please upload the ncp-mci 6.5 dumps, really need to practice this one. thanks guys
Anonymous


Miguel 10/5/2023 12:21:00 PM

question 16: https://help.salesforce.com/s/articleview?id=sf.care_console_overview.htm&type=5
SPAIN


Hiren Ladva 7/8/2023 10:34:00 PM

yes i m prepared exam
Anonymous


oliverjames 10/24/2023 5:37:00 AM

my experience was great with this site as i studied for the ms-900 from here and got 900/1000 on the test. my main focus was on the tutorials which were provided and practice questions. thanks!
GERMANY


Bhuddhiman 7/20/2023 11:52:00 AM

great course
UNITED STATES


Anuj 1/14/2024 4:07:00 PM

very good question
Anonymous


Saravana Kumar TS 12/8/2023 9:49:00 AM

question: 93 which statement is true regarding the result? sales contain 6 columns and values contain 7 columns so c is not right answer.
INDIA


Lue 3/30/2023 11:43:00 PM

highly recommend just passed my exam.
CANADA


DC 1/7/2024 10:17:00 AM

great practice! thanks
UNITED STATES


Anonymus 11/9/2023 5:41:00 AM

anyone who wrote this exam recently?
SOUTH AFRICA


Khalid Javid 11/17/2023 3:46:00 PM

kindly share the dump
Anonymous


Na 8/9/2023 8:39:00 AM

could you please upload cfe fraud prevention and deterrence questions? it will be very much helpful.
Anonymous


shime 10/23/2023 10:03:00 AM

this is really very very helpful for mcd level 1
ETHIOPIA