← Back to exam page

AWS-Certified-Security-Specialty-SCS-C01 AWS Certified Security - Specialty (SCS-C01)

Loading demo links...

Showing 10–12 of 20 questions

Question 10

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.

What should the Security Engineer use to isolate and research this event? (Choose three.)

Select all that apply, then click Submit answer.

  • IAM CloudTrail

  • Amazon Athena

  • IAM Key Management Service (IAM KMS)

  • VPC Flow Logs

  • IAM Firewall Manager

  • Security groups
Question 11

A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

Select an option, then click Submit answer.

  • Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

  • Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

  • Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

  • Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
Question 12

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented

Which statement should the security specialist include in the policy?

A.

B.

C.

D.

Select an option, then click Submit answer.

  • Option A

  • Option B

  • Option C

  • Option D