AWS Certified Security - Specialty (SCS-C01)



Question 1

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.

During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.

Which combination of options can the company use to meet these requirements? (Select TWO.)


  • Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

  • Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

  • Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.

  • Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

  • Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.
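The procedure behind this question (snapshot, encrypted copy, restore) is easy to get wrong because encryption at rest is fixed when an RDS instance or snapshot is created: there is no modify-db-instance switch for it, and the KMS key has to live in the region where the snapshot copy is made. The following planner is an added example, not part of the exam page; it runs offline against a constructed describe-db-instances result (instance name, account, subnet group, security group and key ARN are all hypothetical) and emits the AWS CLI invocations plus the pre- and post-checks a practitioner would run.

```python
"""Plan the snapshot -> encrypted copy -> restore procedure for an unencrypted RDS instance."""
import json
import re

# Constructed sample of `aws rds describe-db-instances --db-instance-identifier prod-pg`
# for an unencrypted PostgreSQL instance (every identifier here is hypothetical).
DESCRIBE_DB_INSTANCES = json.loads("""
{
  "DBInstances": [{
    "DBInstanceIdentifier": "prod-pg",
    "Engine": "postgres",
    "StorageEncrypted": false,
    "KmsKeyId": null,
    "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:prod-pg",
    "DBSubnetGroup": {"DBSubnetGroupName": "prod-db-subnets"},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0"}]
  }]
}
""")

KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def region_of(arn):
    return arn.split(":")[3]


def needs_reencryption(instance):
    """StorageEncrypted is set at creation; an unencrypted instance cannot be modified into an encrypted one."""
    return not instance.get("StorageEncrypted", False)


def plan_encrypt_at_rest(describe_output, kms_key_arn, suffix="enc"):
    """Return the ordered (purpose, aws-cli argv) steps, or [] when the instance is already encrypted.

    Rejects a key outside the instance's region: a same-region snapshot copy must use a key
    from that region.
    """
    inst = describe_output["DBInstances"][0]
    if not needs_reencryption(inst):
        return []
    m = KMS_KEY_ARN_RE.match(kms_key_arn)
    if not m:
        raise ValueError("expected a full KMS key ARN, got %r" % kms_key_arn)
    region = region_of(inst["DBInstanceArn"])
    if m.group(1) != region:
        raise ValueError("KMS key is in %s but the instance is in %s" % (m.group(1), region))

    ident = inst["DBInstanceIdentifier"]
    plain_snap = "%s-%s-source" % (ident, suffix)
    enc_snap = "%s-%s-encrypted" % (ident, suffix)
    new_ident = "%s-%s" % (ident, suffix)
    return [
        ("snapshot the unencrypted instance",
         ["aws", "rds", "create-db-snapshot",
          "--db-instance-identifier", ident, "--db-snapshot-identifier", plain_snap]),
        ("copy the snapshot; encryption is chosen on the copy, not on the source",
         ["aws", "rds", "copy-db-snapshot",
          "--source-db-snapshot-identifier", plain_snap, "--target-db-snapshot-identifier", enc_snap,
          "--kms-key-id", kms_key_arn, "--copy-tags"]),
        ("restore a new instance from the encrypted copy; it inherits the copy's encryption",
         ["aws", "rds", "restore-db-instance-from-db-snapshot",
          "--db-instance-identifier", new_ident, "--db-snapshot-identifier", enc_snap,
          "--db-subnet-group-name", inst["DBSubnetGroup"]["DBSubnetGroupName"],
          "--vpc-security-group-ids", inst["VpcSecurityGroups"][0]["VpcSecurityGroupId"]]),
        ("confirm before repointing the application and deleting the old instance and the plain snapshot",
         ["aws", "rds", "describe-db-instances", "--db-instance-identifier", new_ident,
          "--query", "DBInstances[0].[StorageEncrypted,KmsKeyId]"]),
    ]


def verify_restored(describe_output, kms_key_arn):
    """Post-restore gate: the new instance must report StorageEncrypted and the expected key ARN."""
    inst = describe_output["DBInstances"][0]
    return bool(inst.get("StorageEncrypted")) and inst.get("KmsKeyId") == kms_key_arn


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for purpose, argv in plan_encrypt_at_rest(DESCRIBE_DB_INSTANCES, key):
        print("# " + purpose)
        print(" ".join(argv))
```

The unencrypted source snapshot still holds every row in the clear, so the last step matters: delete it once the encrypted copy has been restored and verified, and watch for automated backups of the old instance, which stay unencrypted until the old instance is removed.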

Question 2

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)


  • Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

  • Block outbound access to public S3 endpoints on the proxy server.

  • Configure Network ACLs on Server X to deny access to S3 endpoints.

  • Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

  • Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
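The control that addresses the TLS blind spot in this scenario is an S3 gateway endpoint with a policy that names Account 1's buckets: the proxy cannot see which bucket a PutObject targets, but the endpoint policy is evaluated on the request itself. The block below is an added example, not material from the exam page: it shows such an endpoint policy (account ID and bucket names are hypothetical) together with a small, simplified IAM-style evaluator that replays the legitimate upload and the exfiltration attempt against it. The `aws:ResourceAccount` condition key is a real global condition key; it pins every statement to Account 1 even if someone later widens the Resource list.

```python
"""S3 gateway endpoint policy restricted to Account 1's bucket, and a replay of the threat against it."""
import fnmatch
import json

ACCOUNT_1 = "111122223333"               # hypothetical: owns Server X and the legitimate bucket
ACCOUNT_2 = "999988887777"               # hypothetical: attacker-controlled account
LEGIT_BUCKET = "app-encrypted-uploads"   # hypothetical bucket name

# Policy document for the endpoint (pass as --policy-document to `aws ec2 create-vpc-endpoint`
# or `modify-vpc-endpoint`). The Resource list limits the endpoint to the named bucket;
# aws:ResourceAccount additionally requires the target bucket to belong to Account 1.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyAccount1Buckets",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::" + LEGIT_BUCKET, "arn:aws:s3:::" + LEGIT_BUCKET + "/*"],
        "Condition": {"StringEquals": {"aws:ResourceAccount": ACCOUNT_1}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcard matching: '*' and '?' only, case-sensitive for ARNs and actions.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(cond, context):
    # Only StringEquals is modelled here; that is all this policy uses.
    for key, expected in cond.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource_arn, context):
    """Simplified IAM logic: default deny, any matching Deny wins, otherwise a matching Allow grants."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource_arn)
                and _conditions_hold(st.get("Condition", {}), context)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def replay_threat():
    """Requests the proxy cannot inspect (TLS) but the endpoint policy does: returns {label: decision}."""
    cases = {
        "app upload to legitimate bucket":
            ("s3:PutObject", "arn:aws:s3:::%s/2024/report.enc" % LEGIT_BUCKET, ACCOUNT_1),
        "exfil to attacker bucket in Account 2":
            ("s3:PutObject", "arn:aws:s3:::exfil-drop/dump.tgz", ACCOUNT_2),
        "other Account 1 bucket not on the list":
            ("s3:PutObject", "arn:aws:s3:::marketing-assets/x", ACCOUNT_1),
    }
    results = {label: evaluate(ENDPOINT_POLICY, a, r, {"aws:ResourceAccount": acct})
               for label, (a, r, acct) in cases.items()}

    # Simulate a careless later edit that widens Resource to "*": the account pin still blocks Account 2.
    widened = json.loads(json.dumps(ENDPOINT_POLICY))
    widened["Statement"][0]["Resource"] = "*"
    a, r, acct = cases["exfil to attacker bucket in Account 2"]
    results["exfil after Resource widened to * (account pin still holds)"] = evaluate(
        widened, a, r, {"aws:ResourceAccount": acct})
    return results


if __name__ == "__main__":
    for label, decision in replay_threat().items():
        print("%-65s %s" % (label, decision))
```

The endpoint policy only governs traffic that goes through the endpoint. If Server X can still reach the public S3 endpoints through the proxy, the attacker simply takes that path, which is why the proxy-side block and the endpoint policy are complementary rather than alternatives.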

Question 3

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Choose three.)


  • Ensure CloudTrail log file validation is turned on.

  • Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.

  • Use an S3 bucket with tight access controls that exists in a separate account.

  • Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

  • Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.

  • Encrypt the CloudTrail log files with server-side encryption using AWS KMS-managed keys (SSE-KMS).
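Log file validation works by having CloudTrail deliver, every hour, a digest file that records the SHA-256 of each log object delivered in that hour, the hash of the previous digest, and an RSA signature over the digest. Tampering with a log object changes its hash; deleting a digest breaks the chain. The block below is an added example, not code from the exam page or from AWS: it recreates that check offline on constructed log objects and digests in the documented field layout (bucket, account and object keys are hypothetical). Verification of the digest signature against the key returned by `aws cloudtrail list-public-keys` is omitted here; `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` performs the complete check including the signature.

```python
"""Offline CloudTrail log-file integrity check against the hashes recorded in a digest file."""
import gzip
import hashlib
import hmac
import json

BUCKET = "org-cloudtrail-archive"   # hypothetical bucket in the separate log-archive account
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"


def gz_json(obj):
    """Serialize the way a delivered log object is stored: JSON, gzip-compressed (mtime fixed so hashes are stable)."""
    return gzip.compress(json.dumps(obj, sort_keys=True).encode(), mtime=0)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: two log objects delivered in the same hour.
LOG_OBJECTS = {
    PREFIX + "111122223333_CloudTrail_us-east-1_20240501T0005Z_aaaa.json.gz": gz_json(
        {"Records": [{"eventTime": "2024-05-01T00:01:00Z", "eventName": "ConsoleLogin"}]}),
    PREFIX + "111122223333_CloudTrail_us-east-1_20240501T0035Z_bbbb.json.gz": gz_json(
        {"Records": [{"eventTime": "2024-05-01T00:31:00Z", "eventName": "DeleteTrail",
                      "requestParameters": {"name": "org-trail"}}]}),
}


def build_digest(objects, previous_digest_bytes):
    """Digest in the documented layout: a SHA-256 per log object plus a hash link to the previous digest."""
    return {
        "awsAccountId": "111122223333",
        "digestS3Bucket": BUCKET,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashValue": sha256_hex(previous_digest_bytes) if previous_digest_bytes else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in sorted(objects.items())
        ],
    }


def verify_log_files(digest, fetch):
    """Recompute each listed object's hash and compare with the digest.

    `fetch(bucket, key)` returns the object bytes or None; it stands in for s3:GetObject."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = fetch(entry["s3Bucket"], key)
        if body is None:
            results[key] = "missing"
        elif entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported-hash"
        elif hmac.compare_digest(sha256_hex(body), entry["hashValue"]):
            results[key] = "ok"
        else:
            results[key] = "tampered"
    return results


def verify_chain(digests):
    """Every digest must carry the SHA-256 of the one before it; a mismatch means a digest was removed or rewritten."""
    prev = None
    for raw in digests:
        expected = sha256_hex(prev) if prev is not None else None
        if json.loads(raw)["previousDigestHashValue"] != expected:
            return False
        prev = raw
    return True


def demo():
    """Intact archive first, then the same digest checked after an insider edits one object and deletes another."""
    digest1 = json.dumps(build_digest(LOG_OBJECTS, None), sort_keys=True).encode()
    digest2 = json.dumps(build_digest({}, digest1), sort_keys=True).encode()  # next hour, nothing delivered
    intact = verify_log_files(json.loads(digest1), lambda bucket, key: LOG_OBJECTS.get(key))

    store = dict(LOG_OBJECTS)
    key_a, key_b = sorted(store)
    store[key_b] = gz_json({"Records": []})   # the DeleteTrail record is scrubbed
    del store[key_a]                          # the other object is removed outright
    after = verify_log_files(json.loads(digest1), lambda bucket, key: store.get(key))
    return intact, after, verify_chain([digest1, digest2]), verify_chain([digest2])


if __name__ == "__main__":
    intact, after, chain_ok, chain_broken = demo()
    print("intact archive:", intact)
    print("after tampering:", after)
    print("chain intact:", chain_ok, "| chain with first digest removed:", chain_broken)
```

Validation detects tampering after the fact; it does not prevent it. That is why it pairs with the other two controls in this question: a bucket in a separate account with tight access controls keeps the attacker from reaching the objects and digests at all, and SSE-KMS with a restrictive key policy means that even a principal with s3:GetObject cannot read the logs without kms:Decrypt.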