Amazon SCS-C01 AWS Certified Security - Specialty Exam Exam Practice Test Questions

• Question 1

  A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.The Security Engineer has verified the following:1. The rule set in the Security Groups is correct2. The rule set in the network ACLs is correct3. The rule set in the virtual appliance is correctWhich of the following are other valid items to troubleshoot in this scenario? (Choose two.)

  • Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  • Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
  • Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  • Verify the registered targets in the ALB.
  • Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

  Show Answer Answer: C, D Next

• Question 2

  A large organization is planning on IAM to host their resources. They have a number of autonomous departments that wish to use IAM. What could be the strategy to adopt for managing the accounts.Please select:

  • Use multiple VPCs in the account each VPC for each department
  • Use multiple IAM groups, each group for each department
  • Use multiple IAM roles, each group for each department
  • Use multiple IAM accounts, each account for each department

  Show Answer Answer: D Next

• Question 3

  A company has a relational database workload that runs on Amazon Aurora MySQL. According to new compliance standards the company must rotate all database credentials every 30 days. The company needs a solution that maximizes security and minimizes development effort.Which solution will meet these requirements?

  • Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.
  • Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.
  • Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.
  • Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

  Show Answer Answer: A Next

• Question 4

  A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee Even after updating the policy the employee still receives an access denied message.What is the likely cause of this access denial?

  • The ACL in the bucket needs to be updated.
  • The IAM policy does not allow the user to access the bucket
  • It takes a few minutes for a bucket policy to take effect
  • The allow permission is being overridden by the deny.

  Show Answer Answer: D Next

• Question 5

  A company has an IAM account and allows a third-party contractor who uses another IAM account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accountsWhat should the company do to accomplish this?A)B)C)D)

  • Option A
  • Option B
  • Option C
  • Option D

  Show Answer Answer: A Next