Amazon AWS Certified Security - Specialty (SCS-C01) Free Practice Test - 20 Questions

Question 1

A security engineer is reviewing an IAM policy attached to a user. The policy allows 's3:GetObject' on 'arn:aws:s3:::example-bucket/*'. There is also a deny-all policy attached via a group. Which of the following describes the effective access?

Accepted Answer

The user cannot get objects because an explicit deny overrides any allow.

Question 2

A company uses an S3 bucket to store sensitive data. They want to ensure that only objects encrypted with a specific KMS key can be uploaded. Which bucket policy condition should be used?

Accepted Answer

Condition { StringEquals: { 's3:x-amz-server-side-encryption-aws-kms-key-id': 'arn:aws:kms:us-east-1:123456789012:key/abc' } }

Question 3

A developer needs to allow an EC2 instance in account A to read a KMS key in account B. The key is used to encrypt an SNS topic. Which combination of steps is required?

Accepted Answer

Add the EC2 instance role to the KMS key policy as a principal and configure the SNS topic policy.

Question 4

A security team wants to verify the integrity of CloudTrail log files over a long period. Which feature should they use?

Accepted Answer

CloudTrail log file validation using SHA-256 hashing and digital signatures.

Question 5

An application running on EC2 instances is experiencing intermittent connectivity issues to a database. The security engineer needs to analyze traffic patterns. Which service should be used to capture network traffic metadata?

Accepted Answer

VPC Flow Logs

Question 6

Which of the following is true regarding security groups and network ACLs in a VPC?

Accepted Answer

Security groups are stateful and support allow rules only; NACLs are stateless and support allow and deny rules.

Question 7

A company uses AWS WAF to protect a web application. They want to block requests from specific IP addresses that are known to be malicious. Which type of rule should be used?

Accepted Answer

IP set match condition in a WAF rule.

Question 8

An Amazon Inspector assessment report shows a high-severity vulnerability in an EC2 instance. Which of the following is the most likely cause?

Accepted Answer

The instance has an outdated operating system with known CVEs.

Question 9

A company wants to automatically remediate non-compliant resources. For example, if an S3 bucket becomes publicly accessible, they want to apply a bucket policy to block public access. Which AWS service should be used?

Accepted Answer

AWS Config with automatic remediation using AWS Systems Manager Automation.

Question 10

A security engineer needs to store database credentials that are automatically rotated every 30 days. Which AWS service is best suited?

Accepted Answer

AWS Secrets Manager.

Question 11

A company uses AWS KMS with customer-managed CMKs for encryption. They want to automatically rotate the key material every year to comply with internal policy. What is the most cost-effective approach?

Accepted Answer

Enable automatic key rotation in KMS for the CMK.

Question 12

A company must meet regulatory requirements that mandate they control the underlying hardware for encryption keys. Which AWS service should they use?

Accepted Answer

AWS CloudHSM.

Question 13

An S3 bucket contains sensitive data. The security engineer wants to ensure that all objects are encrypted at rest using server-side encryption. Which approach requires the least configuration overhead?

Accepted Answer

Use the default S3 encryption settings (SSE-S3) with a bucket policy that denies PutObject without encryption.

Question 14

An application running on EC2 instances needs to access an S3 bucket. The security team wants to avoid storing long-term credentials on the instances. What is the most secure method?

Accepted Answer

Use an IAM role and attach it to the EC2 instance profile.

Question 15

A company uses AWS Certificate Manager (ACM) to manage SSL/TLS certificates for their web application. They need to deploy a certificate in multiple regions. What should they do?

Accepted Answer

Request a certificate in each region where the application is deployed.

Question 16

A company uses AWS CloudHSM to generate and store encryption keys. They want to ensure the keys are backed up for disaster recovery. What is the recommended approach?

Accepted Answer

Use the CloudHSM client to backup keys to a second HSM that is in a different region.

Question 17

Amazon GuardDuty has generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. Which is the most likely root cause?

Accepted Answer

The EC2 instance has been compromised by malware.

Question 18

A security engineer needs to ensure that an IAM user can only perform actions on resources in a specific AWS region. Which IAM policy element should be used?

Accepted Answer

Condition with 'aws:RequestedRegion'.

Question 19

A company wants to replicate S3 objects from one bucket to another in a different AWS account. The objects are encrypted with SSE-KMS using a KMS key in the source account. What must be configured to enable replication?

Accepted Answer

The source KMS key policy must allow the destination account to decrypt, and the IAM role used for replication must have kms:Decrypt and kms:GenerateDataKey permissions.

Question 20

A company uses AWS Organizations and wants to ensure that all member accounts cannot disable CloudTrail. Which mechanism should be used?

Accepted Answer

Attach an SCP to the root OU that denies the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions.

Amazon AWS Certified Security - Specialty (SCS-C01) Free Practice Test - 20 Questions

The free lane is only the front row