amazon AWS Certified Security - Specialty SCS-C01 practice test


Question 1

A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit
logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?

  • A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
  • B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
  • C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
  • D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Answer:

A

Discussions

Question 2

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

  • A. Use the AWS account root user access keys instead of the AWS Management Console
  • B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
  • C. Enable multi-factor authentication for the AWS account root user
  • D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
  • E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
Answer:

B D

Discussions

Question 3

A companys development team is designing an application using AWS Lambda and Amazon Elastic Container Service
(Amazon ECS). The development team needs to create IAM roles to support these systems. The companys security team
wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions
the developers can delegate to those roles. The development team needs access to more permissions than those required
for applications AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?

  • A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  • B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development teams IAM role.
  • C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
  • D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
Answer:

C

Discussions

Question 4

A company has a strict policy against using root credentials. The companys security team wants to be alerted as soon as
possible when root credentials are used to sign in to the AWS Management Console.
How should the security team achieve this goal?

  • A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
  • B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
  • C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
  • D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
Answer:

D

Explanation:
Reference https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-
are-used/

Discussions

Question 5

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances
cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

  • A. Deny access to the Amazon DNS IP within all security groups.
  • B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
  • C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
  • D. Disable DNS resolution within the VPC configuration.
Answer:

D

Explanation:
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html

Discussions

Question 6

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What
should the Security Engineer do to provide the highest level of security for the account?

  • A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
  • B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
  • C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
  • D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
Answer:

D

Explanation:
If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-
factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account,
adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

Discussions

Question 7

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of Sensitive,
Confidential, and Restricted. The security solution must meet all of the following requirements:
Each object must be encrypted using a unique key.

Items that are stored in the Restricted bucket require two-factor authentication for decryption. AWS KMS must


automatically rotate encryption keys annually.
Which of the following meets these requirements?

  • A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the Restricted CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
  • D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the Restricted key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Answer:

A

Discussions

Question 8

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Choose three.)

  • A. Amazon Route 53
  • B. AWS Certificate Manager (ACM)
  • C. Amazon S3
  • D. AWS Shield
  • E. Elastic Load Balancer
  • F. Amazon GuardDuty
Answer:

A C D

Explanation:
Reference: https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-
cards.sort-order=desc

Discussions

Question 9

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security
(CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console
after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations
compliance.
Which steps should the security engineer take to meet these requirements?

  • A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
  • B. Ensure that AWS Trusted Advisor is enabled in the account, and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
  • C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
  • D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub, and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket.
Answer:

B

Explanation:
Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub.pdf

Discussions

Question 10

A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and
SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2
instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication
system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?

  • A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
  • B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
  • C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
  • D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
Answer:

C

Discussions
To page 2