Free AWS Certified Security – Specialty (SCS-C01) AWS-Security-Specialty Exam Practice Test

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.Please select:

• Set up VPC peering between the central server VPC and each of the teams VPCs.
  
• Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.
  
• Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
  
• None of the above options will work.
  

A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?Please select:

• Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.
  
• Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.
  
• Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Redeploy all out of1 compliance instances/servers using an AMI with the latest patches.
  
• Use Trusted Advisor to generate the report of out of compliance instances/servers. Use Systems Manger Patch Manger to install the missing patches.
  

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

• The CMK policy
  
• The VPC endpoint policy
  
• The S3 bucket policy
  
• The S3 ACL
  
• The IAM policy
  

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.What techniques will limit lateral movement and allow evidence gathering?

• Remove the instance from the load balancer and terminate it.
  
• Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
  
• Reboot the instance and check for any Amazon CloudWatch alarms.
  
• Stop the instance and make a snapshot of the root EBS volume.
  

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)

• Create IAM roles with permissions corresponding to each Active Directory group.
  
• Create IAM groups with permissions corresponding to each Active Directory group.
  
• Configure Amazon Cloud Directory to support a SAML provider.
  
• Configure Active Directory to add relying party trust between Active Directory and AWS.
  
• Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
  

You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?Please select:

• An AWS Managed Policy
  
• An Inline Policy
  
• A Bucket Policy
  
• A bucket ACL
  

A city is implementing an election results reporting website that will use Amazon GoudFront The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf tiles in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.Which solution meets these requirements?

• Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
  
• Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
  
• Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
  
• Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
  

Your company is planning on developing an application in AWS. This is a web based application. The application users will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.Please select:

• Create an OlDC identity provider in AWS
  
• Create a SAML provider in AWS
  
• Use AWS Cognito to manage the user profiles
  
• Use IAM users to manage the user profiles
  

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

• Amazon S3 static web hosting
  
• Amazon CloudFront distribution
  
• Application Load Balancer
  
• Amazon Route 53
  
• VPC Flow Logs
  

A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.Which combination of steps should the application team take to meet these requirements? (Select THREE.)

• Create an S3 endpoint that has a full-access policy for the application's VPC.
  
• Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
  
• Launch the Lambda function. Enable the block public access configuration.
  
• Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt. Associate the security group with the EC2 instances.
  
• Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
  
• Launch the Lambda function in a VPC.