AWS Certified Security – Specialty (SCS-C02)
Exam Notes & Practice Tests
11 full-length timed mock exams • Answers with explanations • All exam domains covered
Question 1 of 65
A company needs to inspect and log traffic that passes between instances in the same subnet. They have deployed a virtual security appliance in the subnet. What configuration is required to allow the virtual security appliance to inspect and log traffic?
Question 2 of 65
A company is using AWS KMS to manage encryption keys for an application that stores sensitive data. The company wants to ensure that the keys are automatically rotated every 6 months. What steps should be taken to meet these requirements?
Question 3 of 65
A company uses AWS Security Hub and AWS Inspector to manage and monitor security events. The security team wants to receive notifications via email whenever a medium-priority finding is detected. What is the best way to set this up?
Question 4 of 65
A company is deploying a web application on Amazon EC2 instances within a private subnet. The application needs to be accessible from the internet, but the company wants to ensure that the backend database, hosted on RDS in the same VPC, is not accessible from the internet. What is the best way to configure the security groups and network architecture to meet these requirements?
Question 5 of 65
A company is concerned about potential vulnerabilities in its EC2 instances and wants to ensure compliance with security best practices. What AWS service can be used to scan the instances for known vulnerabilities and compliance with CIS benchmarks?
Question 6 of 65
A company replicates encrypted objects from an S3 bucket in one region to another region. However, only unencrypted objects are successfully replicating. Which actions should be taken to ensure the encrypted objects replicate successfully?
Question 7 of 65
A global organization wants to delegate IAM role creation to regional teams while ensuring that roles cannot be misconfigured to grant excessive permissions. What is the best approach to achieve this?
Question 8 of 65
A company is worried about DDoS attacks on its application hosted behind an Application Load Balancer (ALB). What steps can be taken to mitigate the impact of Layer 7 DDoS attacks?
Question 9 of 65
A security engineer configured an S3 bucket policy to deny access to all users except for a specific set of IAM users. What will be the effect of this policy?
Question 10 of 65
A company wants to enforce security best practices after an access key was accidentally exposed. What are the first steps that should be taken to mitigate the risk?
Question 11 of 65
A company needs to collect forensic data from an EC2 instance that has become unresponsive after a suspected attack. What steps should the security team take?
Question 12 of 65
A security architect needs to ensure secure, encrypted connections for a web application hosted on EC2 instances behind a Network Load Balancer (NLB). What actions should be taken?
Question 13 of 65
Domain: Data Protection
A company needs to rotate its KMS keys annually as part of its compliance requirements. The keys were originally created using imported key material. What is the most efficient process for rotating these keys?
Question 14 of 65
A company wants to centralize log data from multiple AWS accounts into a single account for real-time processing and analysis. What is the most effective solution?
Question 15 of 65
An application is deployed on EC2 instances behind a Network Load Balancer (NLB), but the instances are failing health checks. What are possible reasons for this?
Question 16 of 65
A company wants to ensure all configuration changes and access activities in its AWS environment are logged for audit purposes. Which combination of services should be used?
Question 17 of 65
A company plans to store sensitive data in Amazon S3 and use KMS for encryption. The company’s policies require the use of custom key material with specified expiration dates. What is the best way to configure KMS to meet these requirements?
Question 18 of 65
A company is hosting a web application on EC2 instances in a private subnet. The application must be accessible through an Application Load Balancer (ALB) with secure, encrypted connections. What rules should be configured in the security groups?
Question 19 of 65
A company is storing sensitive customer data in an RDS database and wants to ensure the data is encrypted and the credentials are rotated automatically. What solutions should the security engineer implement?
Question 20 of 65
A university using AWS Organizations needs to enforce strict control over the root user accounts across all member accounts. What steps should be taken to achieve this?
Question 21 of 65
A security engineer needs to audit the creation of new AWS accounts in an organization where users authenticate through an on-premises IdP. What is the best way to determine who made the request?
Question 22 of 65
A security team needs to quickly identify any EC2 instances that are running a specific vulnerable version of software. What is the most efficient way to accomplish this?
A. Use AWS Systems Manager to run a compliance check on the EC2 instances.
B. Set up AWS Config rules to detect non-compliant instances and trigger an alert.
C. Configure Amazon Inspector to scan instances for known vulnerabilities.
D. Run a custom script on each instance to check for the vulnerable software version.
Question 23 of 65
A company’s security team is designing a distributed application that will operate across multiple AWS regions and on-premises servers. What are correct considerations for encryption in transit?
A. Inter-region traffic is encrypted by default on the AWS global network.
B. All traffic between Availability Zones is unencrypted unless configured otherwise.
C. AWS Direct Connect traffic is automatically encrypted end-to-end.
D. Intra-region traffic between EC2 instances is encrypted by default.
Question 24 of 65
A developer has left a company, and the security team needs to ensure that the developer’s code cannot be deployed to AWS Lambda functions. What is the best solution?
A. Remove the developer’s IAM permissions for accessing AWS Signer.
B. Revoke the signing profile associated with the developer from all Lambda functions.
C. Delete the developer’s IAM account and any associated access keys.
D. Rotate the encryption keys used for Lambda functions.
Question 25 of 65
A company is using IPv6 in its VPC and needs to provide EC2 instances in a private subnet with internet access for updates. How can this be securely achieved?
A. Deploy an egress-only internet gateway and update the route table for the private subnet.
B. Set up a NAT gateway in a public subnet and route traffic from the private subnet through it.
C. Use an internet gateway in the private subnet and create a custom route table for outbound traffic.
D. Enable an internet gateway in a public subnet and route IPv6 traffic from the private subnet through it.
Question 26 of 65
A company has detected that the credentials for one of its AWS IAM users have been compromised. The security team needs to immediately invalidate the compromised credentials and ensure that new, secure credentials are issued and rotated automatically moving forward. Which of the following actions should the security team take to meet these requirements? (Select TWO.)
A. Revoke all active sessions for the compromised IAM user using the AWS Management Console or CLI.
B. Delete the IAM user and create a new IAM user with a new set of credentials.
C. Rotate the compromised credentials using AWS Secrets Manager and enable automatic rotation.
D. Create a new access key for the IAM user, disable the old access key, and configure automatic rotation using AWS Secrets Manager.
E. Enable AWS CloudTrail to monitor the IAM user activities and automatically disable the credentials if suspicious activity is detected.
Question 27 of 65
A company’s Amazon EC2 instance is suspected to be compromised. As part of the incident response process, the security team needs to isolate the instance from the rest of the network to prevent further damage. Which of the following steps should the security team take to effectively isolate the compromised instance?
A. Change the instance's security group to one that denies all inbound and outbound traffic.
B. Modify the Network ACL associated with the instance's subnet to block all traffic.
C. Terminate the instance to ensure it no longer poses a threat.
D. Move the instance to a separate VPC with no Internet Gateway or VPN connection.
Question 28 of 65
Domain: Threat Detection and Incident Response
A company wants to streamline its incident response process for security threats detected in its AWS environment. The security team decides to create a set of playbooks and runbooks to standardize responses to specific incidents, such as unauthorized access to S3 buckets or compromised EC2 instances. Which of the following is the MOST effective approach to achieve this?
A. Create a playbook that outlines the manual steps for responding to each type of incident and ensure all security team members are trained on it.
B. Develop automated runbooks using AWS Systems Manager Automation to execute predefined steps in response to detected incidents, such as isolating compromised instances or revoking access to S3 buckets.
C. Use AWS CloudTrail logs to manually investigate security incidents and update playbooks as new threats are discovered.
D. Implement AWS Config rules to automatically remediate security incidents without the need for predefined playbooks or runbooks.
Question 29 of 65
Which AWS service provides a comprehensive view of your security alerts across multiple AWS services and helps to prioritize security findings?
A. AWS Identity and Access Management (IAM) Access Analyzer
B. Amazon GuardDuty
C. AWS Security Hub
D. Amazon Detective
Question 30 of 65
When configuring Amazon EventBridge to handle security findings from AWS Security Hub, which service or format is primarily used to standardize and centralize these findings?
A. Amazon SNS (Simple Notification Service)
B. ASFF (AWS Security Finding Format)
C. Amazon S3
D. AWS Config
Question 31 of 65
Your organization uses AWS Macie to monitor S3 buckets for sensitive data. Macie has generated a finding indicating the presence of PII in a publicly accessible S3 bucket. What should be your immediate action?
A. Modify the bucket policy to restrict public access.
B. Delete the S3 bucket to eliminate the risk.
C. Enable default encryption for the S3 bucket.
D. Create a CloudWatch alarm to monitor further public access.
Question 32 of 65
Which AWS service is best suited for investigating, analyzing, and visualizing security issues detected across multiple AWS accounts?
A. AWS CloudTrail
B. Amazon Detective
C. Amazon GuardDuty
D. AWS Security Hub
Question 33 of 65
A security engineer needs to validate suspicious API activities recorded in AWS CloudTrail logs. Which Amazon Athena SQL query should be used to identify all DeleteBucket operations performed by a specific IAM user within the last 24 hours?
A.
    SELECT * FROM cloudtrail_logs
    WHERE eventName = 'DeleteBucket'
    AND userIdentity.userName = 'specific-user'
    AND eventTime > current_timestamp - interval '1' day;
B.
    SELECT * FROM cloudtrail_logs
    WHERE requestParameters.bucketName = 'DeleteBucket'
    AND userIdentity.userName = 'specific-user'
    AND eventTime > current_timestamp - interval '1' day;
C.
    SELECT * FROM cloudtrail_logs
    WHERE eventName = 'DeleteBucket'
    AND userIdentity.sessionContext.sessionIssuer.userName = 'specific-user'
    AND eventTime > current_date - interval '24' hour;
D.
    SELECT * FROM cloudtrail_logs
    WHERE eventSource = 's3.amazonaws.com'
    AND eventName = 'DeleteBucket'
    AND userIdentity.principalId = 'specific-user'
    AND eventTime > current_date - interval '1' day;
Question 34 of 65
A security engineer suspects that an Amazon EC2 instance in their VPC has been compromised. What is the quickest way to isolate this instance to prevent further damage while maintaining the ability to investigate?
A. Terminate the instance immediately.
B. Stop the instance to prevent further activity.
C. Modify the security group associated with the instance to deny all inbound and outbound traffic.
D. Move the instance to a private subnet with no internet access.
Question 35 of 65
When investigating a compromised Amazon EC2 instance, which AWS service allows you to capture a complete memory dump for forensic analysis?
A. AWS Systems Manager
B. AWS CloudTrail
C. AWS Elastic Beanstalk
D. EC2Rescue
Question 36 of 65
Domain: Security Logging and Monitoring
A custom application running on an Amazon EC2 instance is designed to send operational metrics to Amazon CloudWatch. However, the application is not reporting any statistics as expected. What could be the possible cause of this issue?
A. The CloudWatch Logs agent is not installed on the EC2 instance.
B. The IAM role attached to the EC2 instance lacks the cloudwatch:PutMetricData permission.
C. The CloudWatch alarm associated with the application is not configured properly.
D. The EC2 instance is not in the same region as the CloudWatch service.
Question 37 of 65
Domain: Security Logging and Monitoring
A financial services company needs to monitor AWS services for any unauthorized API calls or changes to critical resources. The monitoring solution must comply with stringent regulatory requirements for audit trails. Which AWS service should the company use to meet these security and compliance requirements?
A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS GuardDuty
D. Amazon Macie
Question 38 of 65
A security engineer needs to configure logging for an Amazon S3 bucket to capture and monitor access requests to the bucket, including requests that are denied due to permissions. Which actions should the security engineer take to enable and access the logs? (Select TWO.)
A. Enable server access logging for the S3 bucket.
B. Enable AWS CloudTrail Data Events for the S3 bucket.
C. Configure Amazon S3 Inventory to track object-level activities.
D. Use Amazon Athena to query the CloudTrail logs for S3 access.
E. Enable VPC Flow Logs for the VPC containing the S3 bucket.
Question 39 of 65
An organization needs to ensure that its log data is retained for 7 years to comply with regulatory requirements. The log data is stored in Amazon S3. What should the organization do to implement this retention policy?
A. Use Amazon S3 Lifecycle policies to transition objects to Glacier after 7 years.
B. Use Amazon S3 Lifecycle policies to delete objects automatically after 7 years.
C. Enable versioning on the S3 bucket and configure a lifecycle policy to retain logs.
D. Move the logs to Amazon Glacier Deep Archive after 7 years for long-term storage.
Question 40 of 65
A security engineer is setting up log ingestion for a new AWS environment. The engineer needs to ensure that logs from Amazon EC2 instances, Amazon S3, and Amazon RDS are captured and centralized for analysis. Which AWS services should the engineer configure to meet this requirement? (Select TWO.)
A. Amazon CloudWatch Logs for EC2 instance logs
B. AWS CloudTrail Data Events for S3 access logs
C. Amazon RDS Enhanced Monitoring for capturing database logs
D. AWS Config for tracking changes in resources
E. AWS X-Ray for tracing requests across services
Question 41 of 65
A security analyst notices that logs from an important application are missing from the centralized logging system. The application runs on Amazon EC2 instances, and the logs were previously being ingested into Amazon CloudWatch Logs. What should the analyst check first to determine the cause of the missing logs?
A. Verify that the CloudWatch Logs agent is running on the EC2 instances.
B. Ensure that the EC2 instances have network connectivity to the CloudWatch Logs endpoint.
C. Check the CloudWatch Logs quota to ensure that it has not been exceeded.
D. Review the IAM role associated with the EC2 instances to verify that it has the correct permissions for CloudWatch Logs.
Question 42 of 65
A security team is tasked with identifying suspicious activity by analyzing logs from various AWS services, including Amazon S3, AWS Lambda, and AWS CloudTrail. The team needs to correlate logs from these services to detect patterns indicative of potential threats. Which AWS service should the team use to normalize, parse, and correlate these logs?
A. Amazon Athena
B. AWS Security Hub
C. Amazon Macie
D. AWS Lambda
Question 43 of 65
A company is deploying a new web application on AWS, which includes an Amazon EC2 instance, an RDS database, and an Application Load Balancer (ALB). The security team needs to identify and monitor security-related events across all these components. Which combination of AWS services should the security team use to collect and monitor logs from all components?
A. AWS CloudTrail for API activity, Amazon CloudWatch Logs for EC2 logs, and AWS Config for configuration changes
B. AWS GuardDuty for threat detection, AWS Config for configuration changes, and Amazon Inspector for vulnerability assessments
C. AWS CloudTrail for API activity, AWS X-Ray for request tracing, and Amazon CloudWatch for custom metrics
D. AWS CloudTrail for API activity, AWS Config for configuration changes, and AWS Systems Manager for patch compliance
Question 44 of 65
A security engineer needs to configure the storage and lifecycle management of logs according to AWS best practices. What is the recommended solution for managing long-term log storage while optimizing cost?
A. Store logs in Amazon S3 with Intelligent-Tiering enabled and set lifecycle policies for transition to Glacier
B. Store logs in Amazon RDS with automated snapshots enabled
C. Store logs in AWS CloudWatch Logs with perpetual retention
D. Store logs in Amazon DynamoDB with global tables enabled
Question 45 of 65
A company has deployed a public-facing website on AWS using Amazon CloudFront as a Content Delivery Network (CDN) and Amazon S3 to host static assets. The company is concerned about potential threats like DDoS attacks and injection vulnerabilities. Which combination of AWS services should the security engineer use to enhance the edge security of the website?
A. AWS WAF to protect against SQL injection and XSS attacks, and AWS Shield Standard to mitigate DDoS attacks.
B. AWS Config to monitor configuration changes and AWS GuardDuty for threat detection.
C. AWS Certificate Manager (ACM) for SSL/TLS certificates and Amazon Macie for sensitive data discovery.
D. Amazon Inspector to assess vulnerabilities and AWS Secrets Manager to manage sensitive information.
Question 46 of 65
A mobile application backend is hosted on AWS using serverless architecture, including Amazon API Gateway and AWS Lambda. The application is experiencing an increase in API request volumes, potentially indicating a DDoS attack. What edge security strategies should the security engineer implement to protect the application?
A. Enable AWS Shield Advanced for API Gateway and configure rate-based rules in AWS WAF to block malicious requests.
B. Use Amazon CloudFront to cache API responses and AWS Macie to detect sensitive data.
C. Deploy AWS Systems Manager to automate the blocking of IP addresses and Amazon Inspector for vulnerability scanning.
D. Implement AWS Key Management Service (KMS) to encrypt API requests and AWS Config for configuration management.
Question 47 of 65
A company is configuring an application that needs to access AWS resources in another account temporarily. The application requires short-lived access credentials for this purpose. Which service should the company use to issue these credentials?
A. AWS Identity and Access Management (IAM)
B. AWS Security Token Service (AWS STS)
C. AWS Directory Service
D. AWS Single Sign-On (SSO)
Question 48 of 65
Domain: Identity and Access Management
A security engineer needs to enforce multi-factor authentication (MFA) for users accessing sensitive data in an Amazon S3 bucket. The users already have permissions to access the bucket. What is the best approach to enforce MFA for this access?
A. Update the IAM policy attached to the users to require MFA for the S3 actions.
B. Create an S3 bucket policy that denies access unless MFA is used.
C. Enable MFA on the root account.
D. Attach a service control policy (SCP) requiring MFA to the organizational unit (OU) containing the users.
Question 49 of 65
An organization uses attribute-based access control (ABAC) to manage permissions for its users. The company wants to ensure that employees only have access to resources tagged with their department name. Which IAM policy condition key should be used to enforce this requirement?
A. aws:PrincipalTag
B. aws:RequestTag
C. aws:ResourceTag
D. aws:RequestRegion
Question 50 of 65
A security engineer is reviewing an IAM policy that allows a user to perform actions on an Amazon S3 bucket but denies actions if the request is not from a specific IP range. What will be the effect of this policy?
A. The user can access the S3 bucket only from the specified IP range.
B. The user can access the S3 bucket from any IP address.
C. The user cannot access the S3 bucket at all.
D. The policy will be ignored, and the default allow behavior will apply.
Question 51 of 65
A developer is troubleshooting a Lambda function that cannot access an Amazon DynamoDB table. The IAM role attached to the function has the necessary permissions. What should the developer check next?
A. Whether the IAM policy is attached to the correct role.
B. Whether the IAM role has an explicit deny statement for DynamoDB.
C. Whether the DynamoDB table’s resource policy allows access to the role.
D. Whether the Lambda function’s VPC configuration is correct.
Question 52 of 65
A company needs to enforce the principle of least privilege for its IAM users. The security team discovered that some users have permissions that are not necessary for their roles. What is the best approach to address this issue?
A. Use IAM Access Analyzer to identify and remove unnecessary permissions.
B. Manually review each user’s permissions and adjust as needed.
C. Enable service control policies (SCPs) to limit permissions across the organization.
D. Require multi-factor authentication (MFA) for all actions performed by users.
Question 53 of 65
A company has implemented role-based access control (RBAC) for its AWS environment. A new project requires specific access to a subset of resources by users from different roles. How should the company grant these permissions while maintaining the principle of least privilege?
A. Create a new IAM role with the necessary permissions and assign it to the users.
B. Modify the existing IAM roles to include the new permissions.
C. Use resource-based policies to grant access to the specific resources.
D. Use service control policies (SCPs) to enforce the new permissions.
Question 54 of 65
A company needs to establish secure connectivity between their on-premises data center and AWS using Direct Connect. They want to ensure that all traffic is encrypted while traversing the connection. Which approach should the company take?
A. Use AWS Direct Connect with a private VIF and enable encryption using an AWS Site-to-Site VPN over Direct Connect.
B. Use AWS Direct Connect with a public VIF and enable SSL/TLS encryption for application-level traffic.
C. Use AWS Direct Connect with a private VIF and rely on AWS Shield for encryption.
D. Use AWS Direct Connect with a public VIF and configure encryption in the Direct Connect settings.
Question 55 of 65
A company wants to ensure that all connections to their Amazon S3 buckets require encryption. How can the company enforce this requirement?
A. Apply a bucket policy that requires the use of the x-amz-server-side-encryption header for all PUT requests.
B. Enable default encryption on the S3 bucket using AWS KMS keys.
C. Configure a VPC endpoint for S3 and require all connections to use HTTPS.
D. Use AWS WAF to block any non-encrypted requests to the S3 bucket.
Question 56 of 65
Your organization is setting up an Amazon RDS instance for a critical application. The security team requires that all connections to the RDS instance be encrypted. What should you do to meet this requirement?
A. Enable encryption in the RDS settings and configure the application to use SSL/TLS for connections.
B. Set up a VPN between the application server and the RDS instance to ensure encrypted traffic.
C. Use IAM roles to enforce encrypted connections to the RDS instance.
D. Apply an S3 bucket policy to enforce encryption when accessing the RDS instance.
Question 57 of 65
A company is designing a cross-Region networking solution using AWS Direct Connect. They want to ensure that traffic between Regions is secure and does not traverse the public internet. What solution should they implement?
A. Use AWS Direct Connect with private VIFs in each Region and configure VPNs over Direct Connect for encryption.
B. Use AWS Direct Connect with public VIFs and enable AWS Shield for secure connections.
C. Use AWS Direct Connect Gateway to route traffic between private VIFs in different Regions.
D. Use AWS Global Accelerator to route traffic securely between Regions over the public internet.
Question 58 of 65
A company needs to establish a secure, cross-Region connection between its AWS environments in the US East (N. Virginia) and Europe (Frankfurt) Regions. The company wants to ensure that traffic does not traverse the public internet. Which configuration should the company implement?
A. Set up a VPN over AWS Direct Connect with private VIFs in both Regions and route traffic through a Direct Connect Gateway.
B. Use a public VIF on AWS Direct Connect in both Regions to ensure traffic does not traverse the public internet.
C. Configure VPC peering between the VPCs in both Regions to route traffic securely.
D. Use AWS Transit Gateway with VPC attachments in both Regions and enable AWS Global Accelerator for secure routing.
Question 59 of 65
A company is planning to implement AWS Control Tower to manage its multi-account environment. Which prerequisite must be considered before deployment?
A. Deactivate AWS Config across all existing accounts
B. Ensure AWS Organizations is enabled with all features
C. Disable Amazon CloudWatch Logs in all existing accounts
D. Remove all existing Service Control Policies (SCPs) from the organization
Question 60 of 65
An organization wants to enforce strict limitations on the use of root accounts across its AWS accounts. Which strategy should the organization implement using AWS Organizations?
A. Apply an SCP that denies all actions except billing for root users
B. Enable AWS CloudTrail to log all actions performed by the root account
C. Use IAM policies to restrict root account access
D. Set up AWS Config to monitor root account activities and alert when used
Question 61 of 65
An organization needs to securely share resources like Amazon S3 buckets and Amazon RDS instances across multiple AWS accounts. Which service provides a solution for securely sharing resources?
A. AWS Resource Access Manager (RAM)
B. AWS Control Tower
C. AWS Organizations
D. AWS Service Catalog
Question 62 of 65
A security engineer needs to enforce a centralized security policy across multiple AWS accounts to manage network firewalls. Which service should they deploy to achieve this?
A. AWS Firewall Manager
B. AWS Security Hub
C. AWS Control Tower
D. AWS Config
Question 63 of 65
A company needs to deploy a consistent and secure cloud environment across multiple AWS accounts, ensuring only approved services are available for use. Which service should be used to create and manage portfolios of approved services?
A. AWS Service Catalog
B. AWS Control Tower
C. AWS Resource Access Manager (RAM)
D. AWS Firewall Manager
Question 64 of 65
A security team is tasked with ensuring that all AWS accounts in an organization are consistently managed and that security configurations are centralized. What AWS service should be used to aggregate findings and manage security configurations across accounts?
A. AWS Control Tower
B. AWS Config aggregators
C. AWS Resource Access Manager (RAM)
D. AWS Service Catalog
Question 65 of 65
Your company has multiple AWS accounts and wants to enforce a tagging strategy across all resources. What method can be used to ensure compliance with the tagging strategy?
A. Implement an SCP that denies resource creation without proper tags
B. Use AWS Config to create rules that evaluate resource tags across accounts
C. Apply a CloudFormation template that enforces tagging on all resources
D. Utilize AWS Service Catalog to enforce tagging during resource provisioning
Course Duration
Notes: 1h 38m | Quiz: 31h 10m | Total: 32h 48m
What you get
11 Full-Length Practice Exams
Realistic, exam-style practice tests designed to reflect the format, difficulty, and depth of the AWS Certified Security – Specialty exam.
Scenario-Based Security Questions
Practice with questions that reinforce AWS security decision-making across identity, data protection, logging, infrastructure security, and incident response.
Exam Notes Across All Domains
Clear, well-organized notes mapped to all SCS-C02 domains to streamline preparation and reduce guesswork.
Answer Explanations
Concise, exam-focused explanations that help you understand why the correct option is correct—and why the others are not.
What you’ll be able to do after this
FAQ
Is this aligned to the SCS-C02 exam?
Yes. The notes and practice tests are structured around the SCS-C02 exam domains and focus on the security skills tested on the exam.
Are the practice exams timed?
The full-length mock exams are designed for real pacing and exam simulation.
How do I enroll with the coupon link?
If you arrived via a coupon URL, the offer should be applied automatically as you proceed to checkout.
How long do I get access?
Once you successfully enroll, you will receive two years of course access.
What is your refund policy?
KnoDAX offers a 14-day refund policy from the date of purchase. Refunds are available provided the course has not been substantially consumed. Due to the digital nature of our content, refunds may not be issued once a significant portion of videos, notes, or practice exams has been accessed.
Course Content
This course—including videos, audio, slides, code samples, demonstrations, and downloadable materials—is proprietary educational content provided by KnoDAX.
The course is intended solely for educational and informational purposes and does not constitute legal, financial, medical, or professional advice of any kind. While every effort has been made to ensure accuracy and completeness, KnoDAX makes no representations or warranties, express or implied, regarding the accuracy or completeness of the content. KnoDAX shall not be held liable for any errors, omissions, or outcomes arising from the use of this course. Learners are encouraged to exercise independent judgment and seek professional guidance where appropriate.
Learners may not reproduce, record, share, redistribute, or resell any part of this course, in whole or in part, without prior written permission from KnoDAX.
This practice test is an independent educational resource and is not affiliated with, endorsed by, or sponsored by any certification provider.
Practice test scores are indicative only and do not guarantee success on any certification exam.
This course is for educational purposes only. Content may be updated, revised, or removed to reflect the latest information. Access is subject to the Terms of Use.
