Free AWS Certified Security – Specialty Exam SCS-C01 Exam Practice Test

An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?Please select:

• Expose the data with a public HTTPS endpoint.
• A VPN between the VPC and the data center over a Direct Connect connection
• A VPN between the VPC and the data center.
• A Direct Connect connection between the VPC and data center

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

• Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
• Move the web servers to private subnets without public IP addresses.
• Configure IAM WAF to provide DDoS attack protection for the ALB.
• Require all inbound network traffic to route through a bastion host in the private subnet.
• Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.Which approach should the team take to accomplish this task?

• Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation
• Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings
• Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
• Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function istriggered whenever an object is stored within the S3 bucket.How should the Lambda function be given access to the DynamoDB table?Please select:

• Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
• Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.
• Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
• Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.What is the FASTEST way for the security engineer to identify the federated user?

• Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.
• Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
• Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
• Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

A company has a large set of keys defined in IAM KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the IAM KMS service.Please select:

• Enable rotation of the keys
• Use Data key caching
• Create an alias of the key
• Use the right key policy

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the IAM Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

• Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
• Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
• Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
• Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, IAM Lambda functions must issue queries to the RDS database by using the same database credentials.The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.What should the Security Engineer do to meet these requirements?

• Store the database credentials in IAM Key Management Service (IAM KMS). Create an IAM role with access to IAM KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
• Store the database credentials in IAM KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
• Store the database credentials in IAM Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
• Store the database credentials in IAM Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.Which solution will meet this requirement?

• Import IAM CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.
• Create a table in Amazon Athena for IAM CloudTrail events. Query the table in Amazon Athena for CreateRole events.
• Use IAM Config to look up the configuration timeline for the additional IAM roles and view the linked IAM CloudTrail event.
• Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.Which of the following methods will ensure that the data is unreadable by anyone else?

• Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.
• Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.
• Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.
• Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.