AWS Certified Security - Specialty

Here you have the best Amazon SCS-C01 practice exam questions

  • You have 509 total questions to study from
  • Each page has 5 questions, making a total of 102 pages
  • You can navigate through the pages using the buttons at the bottom
  • This questions were last updated on December 20, 2024
Question 1 of 509

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.

What approach would enable the Security team to find out what the former employee may have done within AWS?

    Correct Answer: A

    To determine what the former employee may have done within AWS, the most direct approach would be to use the AWS CloudTrail console to search for user activity. AWS CloudTrail records AWS API calls and events for your account and provides visibility into user activities. With CloudTrail, you can look up API call history for the past 90 days without any prior setup, enabling you to quickly identify the actions taken by specific users or access keys. This makes it the most efficient tool for investigating recent user activity within AWS.

Question 2 of 509

A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this?

    Correct Answer: A

    To correct the vault lock policy, abort the current in-progress lock using the abort-vault-lock operation, make the necessary updates to the policy to correct the typo, and then call the initiate-vault-lock operation again to establish the updated policy. This approach avoids any unnecessary data transfer or the complexity of managing new vaults or buckets, making it the most cost-effective solution.

Question 3 of 509

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.

What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

    Correct Answer: C

    To control access to AWS resources using identities and groups defined in an existing Microsoft Active Directory, the company must create AWS IAM roles. IAM roles allow the company to assign permissions for AWS services based on attributes from Active Directory users, enabling seamless integration and access management without creating individual IAM users or groups within AWS. This approach leverages federated access, which is ideal for integrating external identity providers like Active Directory.

Question 4 of 509

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Choose three.)

    Correct Answer: A, C, F

    Several factors could cause the Auditor to experience difficulties accessing some AWS accounts. If the external ID used by the Auditor is missing or incorrect, it could prevent successful role assumption in the accounts, leading to access issues. Additionally, the Auditor must have the sts:AssumeRole permission for the role in the destination account to assume the role and access the resources. Finally, ensuring that the role ARN used by the Auditor is accurate is critical, as any discrepancy in this identifier can prevent role assumption and access. Therefore, these are the most likely causes of the problem.

Question 5 of 509

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

    Correct Answer: B

    To meet the compliance requirements of ensuring all communications between on-premises hosts and EC2 instances are encrypted in transit while using custom proprietary protocols, the chosen solution must provide end-to-end encryption without termination at the load balancer. A Classic Load Balancer with a TCP listener routes traffic without decrypting it, allowing the TLS connection to be terminated directly on the EC2 instances. This setup supports custom protocols and maintains encryption throughout the transmission, ensuring both compliance and increased availability through load balancing.