AWS Certified Security Specialty SCSC02 AWS Certified Security Specialty SCSC02 Free Practice Test — 30 Questions

Question 1

A multinational e-commerce company operating on AWS has detected anomalous outbound network traffic originating from an EC2 instance in its European (Frankfurt) region. Initial investigations suggest a potential exfiltration of customer data, including Personally Identifiable Information (PII), which could trigger stringent notification requirements under regulations like the GDPR. The company’s Chief Information Security Officer (CISO) needs a consolidated view of security findings, an assessment of the potential impact on sensitive data, and a mechanism to streamline the preparation of evidence for regulatory compliance reporting. Which AWS service would be most instrumental in facilitating this initial assessment and compliance preparation phase of the incident response?

Accepted Answer

AWS Security Hub

Question 2

A global financial services organization, operating extensively on AWS, is facing a surge in sophisticated, state-sponsored attacks targeting its cloud infrastructure. Concurrently, the organization is migrating a significant portion of its legacy applications to serverless architectures (e.g., AWS Lambda, API Gateway) and adopting DevSecOps principles, emphasizing a shift-left approach to security. The internal security operations center (SOC) team, accustomed to traditional perimeter-based security and host-centric monitoring, is struggling to effectively detect and respond to novel attack vectors targeting these new environments. They need to develop new detection rules for serverless functions, integrate security testing earlier in the CI/CD pipeline, and adapt their incident response playbooks to account for ephemeral compute and distributed architectures. Which of the following core behavioral competencies is most critical for the SOC team to cultivate and demonstrate to successfully navigate this complex transition and enhance their overall security posture?

Accepted Answer

Adaptability and Flexibility

Question 3

A financial services organization is migrating a substantial volume of sensitive customer Personally Identifiable Information (PII) to AWS. During a routine security audit, it was discovered that a critical Amazon S3 bucket containing this data was inadvertently configured with overly permissive access controls, leading to unauthorized read access by external entities. The organization needs to implement a comprehensive strategy to prevent future occurrences of such unintended data exposure through misconfigured access policies across their AWS environment. Which of the following strategies would most effectively establish a proactive and continuous security posture against misconfigurations, adhering to the principle of least privilege?

Accepted Answer

Regularly utilize AWS IAM Access Analyzer to continuously scan for unintended access to AWS resources, coupled with the enforcement of granular IAM policies and S3 bucket policies that adhere strictly to the principle of least privilege.

Question 4

A financial services firm operating within the European Union experiences a security alert indicating potential unauthorized access to customer PII stored in an S3 bucket. The incident response team must act swiftly to contain the breach, preserve evidence for forensic analysis, and ensure compliance with GDPR\'s data breach notification timelines. The compromised entity is suspected to be an IAM role used by an automated data processing application. Which combination of AWS services would provide the most effective initial strategy for containment, investigation, and evidence preservation?

Accepted Answer

Revoke the compromised IAM role, enable detailed S3 access logging via CloudTrail, and analyze GuardDuty findings for related malicious activity.

Question 5

Following a recent security incident that exposed sensitive customer data, a financial services firm operating on AWS needs to significantly enhance its proactive threat detection capabilities. The firm\'s security operations team has identified that the previous attack vector involved a sophisticated, previously unseen malware variant that evaded signature-based Intrusion Detection Systems (IDS). They are looking for a solution that can intelligently analyze network traffic, account activity, and resource configurations to identify anomalous behavior and potential threats in real-time, even those that do not match known threat patterns. Which AWS service, when properly configured and integrated with relevant data sources, would be most instrumental in achieving this objective of advanced, adaptive threat hunting?

Accepted Answer

AWS GuardDuty

Question 6

A financial services organization operating under strict data residency and privacy regulations, such as those mandated by the European Union\'s General Data Protection Regulation (GDPR), has detected a security alert in AWS Security Hub indicating a potential unauthorized access attempt to a critical Amazon S3 bucket containing customer personally identifiable information (PII). The alert originated from Amazon GuardDuty. The security team needs to conduct an immediate, thorough investigation to understand the scope, origin, and impact of the activity while ensuring compliance with all relevant data protection laws. Which combination of AWS services, when used in sequence, would provide the most effective and compliant initial approach to gather the necessary forensic data and context?

Accepted Answer

Review findings in AWS Security Hub, then analyze AWS Config history for the S3 bucket, followed by examining AWS CloudTrail logs for related API calls.

Question 7

A global financial institution, operating under strict data sovereignty mandates and rigorous customer data protection regulations, is confronting a surge in advanced spear-phishing campaigns designed to exfiltrate sensitive client information. The organization requires a comprehensive solution that not only identifies and mitigates these threats but also provides continuous, auditable assurance of compliance with data access controls and residency requirements. Which combination of AWS services would best address these multifaceted security imperatives by enabling continuous configuration monitoring, detailed audit logging, and centralized security posture management?

Accepted Answer

AWS Config, AWS CloudTrail, and AWS Security Hub

Question 8

A financial services organization operating on AWS has detected anomalous outbound network traffic from an Amazon EC2 instance in its production environment, potentially indicating a data exfiltration attempt. The security team has received a GuardDuty finding indicating \"UnauthorizedAccess:EC2/MaliciousIPCaller.Custom,\" pointing to the compromised instance and a suspicious external IP address. To swiftly contain and investigate this incident, which combination of AWS services would provide the most comprehensive and actionable insights for immediate remediation and understanding the scope of the breach?

Accepted Answer

Analyze VPC Flow Logs filtered by the compromised EC2 instance's network interface, correlate GuardDuty findings with Security Hub for consolidated alerts, and use CloudTrail to investigate API activity on the instance.

Question 9

A financial services firm is experiencing a sophisticated distributed denial-of-service (DDoS) attack that is overwhelming its primary customer-facing web portal, hosted on Amazon EC2 instances behind an Application Load Balancer. The attack exhibits characteristics of both network-layer volumetric floods and application-layer attacks targeting specific API endpoints. The security operations center (SOC) team has identified that the attack traffic is rapidly evolving, and standard WAF rules are proving insufficient due to the dynamic nature of the attack vectors. The firm requires a solution that offers continuous monitoring, automated and customizable mitigation strategies, and expert support to navigate the evolving threat landscape, while also ensuring minimal disruption to legitimate customer traffic.

Which AWS service configuration would best address this situation?

Accepted Answer

Implement AWS Shield Advanced with custom mitigation policies tailored to the application's traffic patterns and integrate with AWS WAF for enhanced application-layer filtering, leveraging the AWS DDoS Response Team for immediate assistance.

Question 10

A multinational e-commerce platform operating across several AWS accounts experiences a sophisticated, multi-vector distributed denial-of-service (DDoS) attack targeting its primary customer-facing web application. The attack involves overwhelming the application servers with a massive volume of HTTP requests, as well as attempting to exhaust network resources through UDP floods. The security operations center (SOC) has confirmed the attack is originating from a large, geographically dispersed botnet. The platform adheres to strict compliance requirements, including those related to data integrity and availability, necessitating a robust and layered security response. Which combination of AWS services and configurations would provide the most effective immediate mitigation and facilitate comprehensive post-attack analysis for future prevention?

Accepted Answer

Implement AWS WAF with custom rate-based rules and geo-blocking, activate AWS Shield Advanced for enhanced network and transport layer protection, and enable VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty across all relevant accounts for detailed logging and threat detection.

Question 11

A multinational financial services firm, operating under strict data residency regulations and the General Data Protection Regulation (GDPR), has stored sensitive customer financial records in Amazon S3 buckets. The security operations team has implemented Amazon GuardDuty to monitor for malicious activity. During a routine audit, they discover that an unauthenticated external IP address attempted to enumerate objects within a critical S3 bucket containing PII. To proactively address such unauthorized access attempts and prevent potential data exfiltration, the team wants to automate the remediation process, ensuring that immediate action is taken to revoke access or isolate the resource upon detection. Which AWS security service integration strategy would provide the most effective automated remediation for this specific threat scenario?

Accepted Answer

Configure AWS Security Hub to ingest findings from Amazon GuardDuty, then set up an Amazon EventBridge rule to trigger an AWS Lambda function that modifies the S3 bucket policy to deny access from the identified suspicious IP or principal.

Question 12

A financial services organization utilizing AWS discovers a potential data exfiltration event involving sensitive customer personally identifiable information (PII) stored in an Amazon S3 bucket. The breach is suspected to have occurred over the past 72 hours, and the organization must adhere to strict data privacy regulations that mandate timely incident reporting and remediation. What is the most critical initial action to take to gain comprehensive visibility into the nature and scope of this unauthorized access?

Accepted Answer

Thoroughly analyze AWS CloudTrail logs for all S3-related API activity within the affected time frame to reconstruct the access patterns and identify the source.

Question 13

A multinational financial services firm operating on AWS has detected a significant security incident. Unauthorized access has been confirmed to a critical Amazon S3 bucket containing personally identifiable information (PII) of its clients. Initial alerts indicate anomalous API activity from an external IP address and a substantial data exfiltration pattern. The Chief Information Security Officer (CISO) has tasked the incident response team with immediately understanding the full scope of the compromise, including the exact sequence of actions performed by the unauthorized entity. Which AWS service is most critical for the security team to analyze to reconstruct the attacker\'s activity and understand the specific actions taken within the AWS environment during this breach?

Accepted Answer

AWS CloudTrail

Question 14

A financial services firm is undertaking a significant migration of sensitive customer Personally Identifiable Information (PII) to AWS, with stringent requirements to comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). A critical aspect of this compliance is ensuring that all data processing and storage operations for this PII are confined to specific European Union (EU) regions and that no data can be inadvertently or maliciously transferred or accessed from outside these approved regions. The firm utilizes AWS Organizations to manage its account structure and is considering implementing AWS Control Tower to govern its multi-account environment. Which AWS security mechanism, when applied at the organizational level, would most effectively enforce these data residency constraints across all accounts, acting as a preventative control against unauthorized cross-region operations?

Accepted Answer

Service Control Policies (SCPs) within AWS Organizations to restrict API actions based on the region parameter of the service.

Question 15

A multinational corporation, adhering to strict GDPR data residency mandates for its European customer data, has been alerted by Amazon GuardDuty to a potential exfiltration of sensitive personally identifiable information (PII) from an Amazon EC2 instance. The incident response team suspects the compromised instance might have facilitated data transfer to an unauthorized external endpoint. Which AWS service, when configured with appropriate rules, would be most effective in identifying and potentially remediating resources that are in violation of the established data residency policies in response to this alert?

Accepted Answer

AWS Config rules designed to monitor resource configurations against data residency requirements

Question 16

Following a sophisticated breach where an attacker exploited a misconfigured security group to gain unauthorized access to an Amazon S3 bucket containing regulated customer information, the security operations team needs to rapidly isolate the compromised EC2 instance. The primary objective is to halt any further data exfiltration and preserve the integrity of the environment for forensic analysis. Which AWS service and feature combination is most suitable for remotely executing a command to modify the instance\'s network access controls, thereby achieving immediate containment without requiring manual intervention on the instance itself?

Accepted Answer

AWS Systems Manager Run Command to modify the associated security group or network ACL

Question 17

A global financial services firm operating on AWS is undergoing a significant regulatory audit, requiring immediate adjustments to data residency controls and encryption practices for sensitive customer information. Concurrently, the firm\'s product development team has accelerated the launch of a new AI-driven analytics service, which introduces novel data processing workflows and potential new attack vectors. The cloud security architect must rapidly re-evaluate and re-architect the existing security controls, prioritizing compliance mandates while ensuring the new service is secure and operational within aggressive timelines. Which of the following strategic adjustments best reflects the architect\'s need to demonstrate adaptability, problem-solving under pressure, and effective communication in this dynamic environment?

Accepted Answer

Proactively engage with the compliance team to understand the nuances of the new regulations, leverage AWS Config and Security Hub to automate compliance checks and identify misconfigurations, and develop a phased rollout plan for updated encryption protocols, communicating progress and any identified challenges transparently to all stakeholders.

Question 18

A global enterprise has recently migrated its customer relationship management (CRM) system, containing personally identifiable information (PII) of European Union citizens, to AWS. The organization is subject to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which impose stringent requirements on data processing and storage locations. The security team is tasked with implementing organizational-wide policies to prevent the inadvertent or malicious deployment of any data processing or storage resources in AWS regions outside of the EU and specific US states designated for compliance. Which AWS service, when configured with appropriate policies, offers the most effective mechanism for enforcing these data residency guardrails across all accounts within the AWS Organization?

Accepted Answer

AWS Organizations Service Control Policies (SCPs)

Question 19

A multinational financial services firm, operating under stringent regulations like the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS), has detected anomalous activity originating from an employee\'s AWS account. Suspicion of an insider threat is high, with potential data exfiltration and unauthorized configuration changes to sensitive production environments. The security operations team needs to immediately implement a strategy that ensures comprehensive evidence preservation, facilitates in-depth forensic investigation, and supports regulatory compliance reporting. Which combination of AWS services and configurations best addresses these immediate requirements?

Accepted Answer

Enable AWS CloudTrail in all regions with log file integrity validation, configure AWS Config rules to monitor for unauthorized changes to critical resources, deploy Amazon GuardDuty for threat detection, and leverage Amazon Detective for forensic analysis of correlated security events.

Question 20

A global fintech company, adhering to stringent regulations like PCI DSS and GDPR, is migrating its customer onboarding and transaction processing workloads to AWS. They require a solution that not only continuously monitors the security configuration of their AWS resources against defined compliance benchmarks but also aggregates security findings from various AWS services into a single, actionable dashboard. Furthermore, the solution must facilitate rapid identification and remediation of compliance drift. Which combination of AWS services best addresses these requirements?

Accepted Answer

AWS Config for continuous configuration monitoring and compliance assessment, integrated with AWS Security Hub for centralized security findings aggregation and actionable insights.

Question 21

A global financial services organization has experienced a sophisticated phishing campaign that successfully exfiltrated employee credentials. This compromise led to unauthorized access to sensitive customer financial records stored within their AWS environment. Existing security controls, including advanced email filtering and endpoint detection and response (EDR) solutions, were bypassed. The organization needs to implement a strategy leveraging AWS services to prevent such credential compromise from leading to widespread data exfiltration and to enhance its overall resilience against advanced social engineering threats targeting user authentication. Which of the following AWS strategies would most effectively address both the prevention of credential compromise and the mitigation of its impact?

Accepted Answer

Implement mandatory Multi-Factor Authentication (MFA) for all IAM users and roles, coupled with a rigorous review of IAM policies using IAM Access Analyzer to enforce the principle of least privilege, thereby limiting the blast radius of any compromised credentials.

Question 22

A global financial institution is migrating its core customer transaction data to AWS, necessitating strict adherence to regulations such as PCI DSS and SOX. The primary concern is to ensure that even highly privileged administrative accounts have their access to this sensitive data meticulously logged and, where possible, restricted based on specific operational contexts. The organization needs a solution that not only records all data access attempts but also provides a mechanism to enforce the principle of least privilege for these critical operations. Which AWS security strategy would best address these requirements for auditing and controlled access to sensitive data?

Accepted Answer

Implement granular IAM policies with condition keys that enforce access restrictions based on specific attributes, and leverage AWS CloudTrail to log all API calls related to data access and administrative actions.

Question 23

Globex Corp, a global financial services firm, is mandated by evolving regulatory landscapes, including the General Data Protection Regulation (GDPR) and Australian Privacy Principles (APPs), to ensure that all sensitive customer data is processed and stored exclusively within specific, approved geographic regions. They operate across multiple AWS accounts managed by AWS Organizations. To enforce this data localization policy and prevent accidental or deliberate deployment of services in non-compliant regions, which of the following AWS configurations would provide the most robust and preventative control?

Accepted Answer

Implementing AWS Config rules that trigger alerts when resources are detected in unauthorized regions, coupled with IAM policies that deny specific actions for those regions.

Question 24

A global e-commerce platform operating within the European Union is experiencing a surge in suspicious activity, characterized by a significant increase in anomalous API calls directed at their Amazon S3 buckets containing customer PII, and unusual patterns of access to their Amazon RDS instances. The security team suspects a sophisticated intrusion attempt. To effectively understand the nature and scope of these potential threats and to prepare for regulatory reporting requirements under GDPR, which AWS security service\'s findings would provide the most immediate and granular insight into the specific anomalous API call patterns and potential indicators of compromise?

Accepted Answer

Analyze the findings generated by Amazon GuardDuty.

Question 25

A global financial institution, subject to rigorous Payment Card Industry Data Security Standard (PCI DSS) mandates, is struggling to maintain an accurate and actionable understanding of its cloud security posture. They are currently receiving a high volume of individual alerts from AWS Config, detailing misconfigurations in Amazon S3 buckets that violate PCI DSS requirements related to data encryption and access logging. These granular alerts are overwhelming the Security Operations Center (SOC), making it difficult to prioritize critical deviations and identify overarching compliance gaps. The organization requires a unified dashboard that consolidates security findings and provides a clear, prioritized view of their adherence to PCI DSS, enabling efficient reporting to regulatory bodies and executive leadership. Which AWS service integration would best address this challenge by centralizing, correlating, and prioritizing security and compliance findings?

Accepted Answer

Integrate AWS Config findings into AWS Security Hub for centralized analysis and prioritization against compliance standards.

Question 26

A global financial institution, subject to stringent data localization regulations in its primary operating regions, is modernizing its infrastructure by migrating sensitive customer data to AWS. This initiative involves a hybrid cloud architecture where some data processing and storage remain on-premises. The organization requires a solution that not only enforces strict data residency within approved AWS Regions but also provides a unified, auditable framework for managing user access and enforcing security policies across both its AWS environment and its existing on-premises identity management system. Which AWS service and configuration strategy would best address these multifaceted requirements for comprehensive governance and compliance?

Accepted Answer

Implement AWS Control Tower with region-denial SCPs and federate on-premises Active Directory with IAM Identity Center.

Question 27

A global financial institution operates a complex AWS environment comprising over 500 accounts managed under AWS Organizations. The institution is subject to stringent data protection regulations, including GDPR, and must ensure that no S3 buckets containing personally identifiable information (PII) are inadvertently configured for public access. The security team needs a solution that can automatically detect and, where possible, remediate any such misconfigurations across all accounts, providing a centralized audit trail of compliance status. Which AWS security service, when integrated with AWS Organizations, would best address this requirement for continuous, automated policy enforcement and compliance monitoring?

Accepted Answer

AWS Config rules deployed via AWS Organizations

Question 28

A global financial services firm operating critical applications on AWS has detected an active exploit targeting a zero-day vulnerability in their customer-facing portal. The exploit allows an attacker to bypass authentication mechanisms and potentially access sensitive customer financial data stored in an Amazon RDS instance. The application architecture includes EC2 instances fronted by an Application Load Balancer. The firm\'s security team is under immense pressure to respond swiftly while minimizing service disruption, adhering to strict regulatory compliance requirements like GDPR and PCI DSS. Which sequence of actions would best address this critical security incident?

Accepted Answer

Deploy a custom AWS WAF rule to block the specific exploit signature, then immediately patch the application code on the affected EC2 instances, followed by a comprehensive review of RDS database security configurations and access logs.

Question 29

A global financial institution operating on AWS discovers a previously unknown exploit targeting a critical, managed AWS service. The exploit allows for unauthorized data exfiltration and is actively being leveraged against their sensitive customer information. Existing incident response playbooks do not adequately address this specific zero-day vulnerability, creating significant ambiguity regarding the exploit\'s full scope and potential impact. The security operations center (SOC) must immediately revise its detection rules, containment strategies, and communication protocols to mitigate the escalating threat while awaiting vendor patches. Which of the following behavioral competencies are most critical for the security team to demonstrate in this rapidly evolving situation to ensure effective incident response and minimize organizational risk?

Accepted Answer

Adaptability and Flexibility, Problem-Solving Abilities, and Leadership Potential

Question 30

A multinational fintech company is migrating its core banking application to AWS, which processes highly sensitive customer financial data and must comply with stringent global regulations like PCI DSS and GDPR. The development team aims to adopt a DevSecOps model, embedding security practices throughout the CI/CD pipeline and ensuring continuous security monitoring in production. They require a strategy that minimizes the attack surface, automates security checks, and provides centralized visibility into security findings and compliance status. Which combination of AWS services would best support this initiative by addressing secure credential management, pipeline security, and continuous compliance monitoring?

Accepted Answer

AWS Secrets Manager for credential management, AWS CodePipeline with integrated AWS CodeBuild for SAST and dependency scanning in the CI/CD pipeline, and AWS Config with AWS Security Hub for continuous compliance monitoring and centralized security posture management.

AWS Certified Security Specialty SCSC02 AWS Certified Security Specialty SCSC02 Free Practice Test — 30 Questions

A lot more is already mapped out

About the AWS Certified Security Specialty SCSC02 AWS Certified Security Specialty SCSC02 Certification