amazon AWS Certified Security - Specialty SCS-C01 practice test
Question 1
A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit
logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?
- A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
- B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
- C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
- D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Answer:
A
Question 2
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
- A. Use the AWS account root user access keys instead of the AWS Management Console
- B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
- C. Enable multi-factor authentication for the AWS account root user
- D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
- E. Do not create access keys for the AWS account root user; instead, create AWS IAM users
Answer:
B D
Question 3
A companys development team is designing an application using AWS Lambda and Amazon Elastic Container Service
(Amazon ECS). The development team needs to create IAM roles to support these systems. The companys security team
wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions
the developers can delegate to those roles. The development team needs access to more permissions than those required
for applications AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?
- A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
- B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development teams IAM role.
- C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
- D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
Answer:
C
Question 4
A company has a strict policy against using root credentials. The companys security team wants to be alerted as soon as
possible when root credentials are used to sign in to the AWS Management Console.
How should the security team achieve this goal?
- A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
- B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
- C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
- D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
Answer:
D
Explanation:
Reference https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-
are-used/
Question 5
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances
cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
- A. Deny access to the Amazon DNS IP within all security groups.
- B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
- C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
- D. Disable DNS resolution within the VPC configuration.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
Question 6
While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What
should the Security Engineer do to provide the highest level of security for the account?
- A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
- B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
- C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
- D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
Answer:
D
Explanation:
If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-
factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account,
adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
Question 7
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of Sensitive,
Confidential, and Restricted. The security solution must meet all of the following requirements:
Each object must be encrypted using a unique key.
Items that are stored in the Restricted bucket require two-factor authentication for decryption. AWS KMS must
automatically rotate encryption keys annually.
Which of the following meets these requirements?
- A. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the Restricted CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
- B. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
- C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
- D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the Restricted key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Answer:
A
Question 8
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Choose three.)
- A. Amazon Route 53
- B. AWS Certificate Manager (ACM)
- C. Amazon S3
- D. AWS Shield
- E. Elastic Load Balancer
- F. Amazon GuardDuty
Answer:
A C D
Explanation:
Reference: https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-
cards.sort-order=desc
Question 9
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security
(CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console
after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations
compliance.
Which steps should the security engineer take to meet these requirements?
- A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
- B. Ensure that AWS Trusted Advisor is enabled in the account, and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
- C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
- D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub, and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub.pdf
Question 10
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and
SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2
instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication
system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
- A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
- B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
- C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
- D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
Answer:
C
Question 11
An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt
operations for API keys that are less than 2 KB.
Which key policy would allow the application to do this while granting least privilege?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer:
C
Question 12
A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its
DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3
bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify
or disable this configuration.
How can the security engineers meet these requirements?
- A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
- B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
- C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
- D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
Answer:
D
Question 13
A company has a new AWS account that does not have AWS CloudTrail configured. The account has an IAM access key
that was issued by AWS Security Token Service (AWS STS). A security engineer discovers that the IAM access key has
been compromised within the last 24 hours.
The security engineer must stop the compromised IAM access key from being used. The security engineer also must
determine which activities the key has been used for so far.
What should the security engineer do to meet these requirements?
- A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, with the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
- B. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
- C. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, delete that IAM role.
- D. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, revoke all active sessions for that IAM role.
Answer:
A
Explanation:
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-account-activity/
Question 14
A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The
company requires that keys be rotated automatically every year. How should the bucket be configured?
- A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
- B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
- C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
- D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
Question 15
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be
working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been
modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and
has no outbound rules.
What would resolve the connectivity issue?
- A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
- B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
- C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
- D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.
Answer:
D