AWS Certified Security - Specialty (SCS-C01)



Question 7

A company is running third-party WAF software on AWS. The company’s security team discovers that the third-party WAF software has vulnerabilities that can lead to server-side request forgery (SSRF) attacks. Because of this discovery, the security team mandates that the entire AWS infrastructure must use version 2 of the instance metadata service (IMDSv2).

At the planned completion of the IMDSv2 implementation, the security team uses the Amazon CloudWatch metric Amazon EC2:MetadataNoToken and determines that hundreds of old IMDSv1 requests are still occurring each day. The security team is willing to risk the availability of the company’s application to finish this implementation.

Which combination of steps should the security team take to complete the migration to IMDSv2 in the AWS environment? (Choose two.)


  • Write and enforce an IAM policy that denies the ec2:RunInstances action when the ec2:MetadataHttpTokens condition key is not set to required.

  • Use the ec2 modify-instance-metadata-options command from the AWS CLI with the --http-put-response-hop-limit 0 option.

  • Use the ec2 modify-instance-metadata-options command from the AWS CLI with the --http-tokens required option.

  • Modify instance security groups to deny all outbound HTTP traffic to 169.254.169.254.

  • From each of the AWS account EC2 instances run the following command:


Question 8

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

  • A trusted forensic environment must be provisioned.

  • Automated response processes must be orchestrated.

Which AWS services should be included in the plan? (Choose two.)


  • AWS CloudFormation

  • Amazon GuardDuty

  • Amazon Inspector

  • Amazon Macie

  • AWS Step Functions

Question 9

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)


  • Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

  • Move the web servers to private subnets without public IP addresses.

  • Configure AWS WAF to provide DDoS attack protection for the ALB.

  • Require all inbound network traffic to route through a bastion host in the private subnet.

  • Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.