Offering Free access to AWS Certified Specialty SCS-C03 Exam Questions Pool Bank

AWS Certified Security – Specialty Questions and Answers

Testing Engine

Product Type: Testing Engine

$37.5 ~~$124.99~~

Add to Cart

PDF + Testing Engine

Product Type: PDF + Testing Engine

$52.5 ~~$174.99~~

Add to Cart

PDF Study Guide

Product Type: PDF Study Guide

$33 ~~$109.99~~

Add to Cart

Question 1

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options:

Use Amazon Macie.

Enable Amazon Inspector Lambda scanning.

Use GuardDuty and Security Hub.

Use GuardDuty Lambda Protection.

Question 2

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

Question 3

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.

Which solution will provide the application with AWS credentials?

Options:

Use Amazon Cognito identity pools and the GetId API.

Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.

Use Amazon Cognito user pools with ID tokens.

Use Amazon Cognito user pools with access tokens.

Question 4

A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions inproduction accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Answer:

Explanation:

AWS Organizations service control policies (SCPs) are designed to enforce preventive guardrails across accounts without requiring application-level changes. According to the AWS Certified Security – Specialty documentation, SCPs can restrict specific API actions or require certain condition keys to enforce security standards centrally. AWS Lambda function URLs support two authentication modes: AWS_IAM and NONE. When the authentication type is set to NONE, the function URL becomes publicly accessible, which introduces a significant security risk in production environments.

By using an SCP that explicitly denies the lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions when the lambda:FunctionUrlAuthType condition key equals NONE, the organization ensures that unauthenticated function URLs cannot be created or modified in production accounts. This enforcement occurs at the AWS Organizations level and applies automatically to all accounts within the specified organizational units (OUs). Developers are not required to change their workflows or add additional controls, satisfying the requirement of no additional developer effort.

Option A relates to browser-based access controls and does not provide authentication or authorization enforcement. Option B is not valid because AWS WAF cannot be attached directly to AWS Lambda function URLs. Option C is incorrect because SCPs do not grant permissions; they only limit permissions. AWS documentation clearly states that SCPs define maximum available permissions and are evaluated before IAM policies.

This approach aligns with AWS best practices for centralized governance, least privilege, and preventive security controls.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies Documentation

AWS Lambda Security and Function URL Authentication Overview

Question 5

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Options:

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question 6

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets.

Which solution will meet these requirements?

Options:

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Question 7

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Question 8

A company's security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company's AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.)

Options:

Encrypt all AWS CloudTrail logs.

Turn on Amazon GuardDuty.

Change the password for all IAM users.

Rotate or delete all AWS access keys.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

Delete any resources that are unrecognized or unauthorized.

Answer:

B, D, F

Explanation:

AWS incident response best practices emphasizerapid containment, credential revocation, and threat detectionto minimize the blast radius of a compromise. According to the AWS Certified Security – Specialty Official Study Guide, when unauthorized resources such as an Amazon S3 bucket hosting malware are discovered, immediate action must be taken to stop further misuse of the account and to prevent recurrence.

Rotating or deleting all AWS access keys (Option D)is a critical containment step. If an IAM user has been compromised, any long-term credentials associated with that user must be revoked immediately to prevent continued unauthorized access. AWS guidance explicitly lists access key rotation or deletion as a first-response action for suspected credential compromise.

Deleting unrecognized or unauthorized resources (Option F)directly removes the malicious infrastructure that is being abused. In this case, deleting the unauthorized S3 bucket immediately stops malware distribution and reduces reputational and compliance impact.

Turning on Amazon GuardDuty (Option B)enables continuous threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty can identify additional malicious activity, compromised credentials, or persistence mechanisms that the attacker may have established. AWS documentation recommends enabling GuardDuty during or immediately after an incident to detect ongoing or future threats.

Option A does not reduce the impact of the current compromise. Option C is overly disruptive and not recommended; credential rotation should be targeted. Option E is unnecessary because there is no indication that EBS-backed compute resources are involved.

AWS incident response guidance clearly prioritizescredential revocation, malicious resource removal, and threat detectionto minimize consequences.

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty User Guide

AWS IAM Security Best Practices

Question 9

A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office.

The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.

Which solution will meet these requirements?

Options:

Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.

Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2-instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.

Question 10

A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company's AWS account.

A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group.

Which additional step will meet this requirement?

Options:

Configure GuardDuty to directly invoke the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.

Configure an AWS Config rule that invokes the Lambda function if a CryptoCurrency:EC2/* configuration change event occurs for an EC2 instance.

Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.

Configure an Amazon EventBridge rule that invokes the Lambda function if AWS Config detects a CryptoCurrency:EC2/* configuration change event for an EC2 instance.

Question 11

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

Options:

Create a new customer managed key in AWS Key Management Service (AWS KMS).

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).

Configure the PHP SDK to use the SSE-S3 key before upload.

Create an AWS managed key for Amazon S3 in AWS KMS.

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).

Change all the S3 objects in the bucket to use the new encryption key.

Question 12

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

Options:

Configure an S3 Lifecycle rule to delete objects after 45 days.

Create a Lambda function triggered on object upload to delete old data.

Create a scheduled Lambda function to delete old objects monthly.

Configure S3 Intelligent-Tiering.

Question 13

A company's security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team's email address to the topic.

What should the security engineer do next to meet these requirements?

Options:

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

Question 14

A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.

A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3/AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.

The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.

Which solution will meet this requirement?

Options:

Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.

Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.

Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.

Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team address the vulnerability.

Question 15

A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.

A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

Which solution will meet this requirement with the LEAST effort?

Options:

Implement AWS IAM Access Analyzer policy generation on the role.

Implement AWS IAM Access Analyzer policy validation on the role.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

Question 16

Notify when IAM roles are modified.

Options:

Use Amazon Detective.

Use EventBridge with CloudTrail events.

Use CloudWatch metric filters.

Use CloudWatch subscription filters.

Question 17

A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR.

Which solution will prevent vulnerable images from being pushed?

Options:

Enable ECR enhanced scanning with Lambda blocking.

Use Amazon Inspector with EventBridge and Lambda.

Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline on critical findings.

Enable basic continuous ECR scanning.

Question 18

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

Options:

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Question 19

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

Options:

Use AWS PrivateLink with the ALB.

Replace the ALB with an internal ALB.

Restrict ALB listener rules to CloudFront IP ranges.

Require a custom header from CloudFront and validate it at the ALB.

Question 20

A company's data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.

On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company's data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

Which action should a security engineer take to enforce this data retention policy?

Options:

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Question 21

A security engineer needs to prepare for a security audit of an AWS account.

Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

• AWS Artifact reports

• AWS Audit Manager controls

• AWS Config conformance packs

• AWS Config rules

• Amazon Detective investigations

• AWS Identity and Access Management Access Analyzer internal access analyzers

Options:

Question 22

A security engineer needs to prepare a company's Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances.

Which solution will quarantine EC2 instances during a security incident?

Options:

Create a rule in AWS Config to track SSM Agent versions.

Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.

Store the script in Amazon S3 and grant read access to the instance profile.

Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

Question 23

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

Options:

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.

Question 24

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

Create a new internal ALB and delete the internet-facing ALB.

Modify the ALB listener rules to allow only CloudFront IP ranges.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

Question 25

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

"Version": "2012-10-17",

"Id": "key-policy-ebs",

"Statement": [

{

"Sid": "Enable IAM User Permissions",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:root"

"Action": "kms:*",

"Resource": "*"

{

"Sid": "Allow use of the key",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment"

"Action": [

"kms:Encrypt",

"kms:Decrypt",

"kms:ReEncrypt*",

"kms:GenerateDataKey*",

"kms:DescribeKey",

"kms:CreateGrant",

"kms:ListGrants",

"kms:RevokeGrant"

"Resource": "*",

"Condition": {

"StringEquals": {

"kms:ViaService": "ec2.us-west-2.amazonaws.com"

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

Options:

In the statement block that contains the Sid"Allow use of the key", under theConditionblock, change StringEquals to StringLike.

In the policy document, remove the statement block that contains the Sid"Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid"Allow use of the key", under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.

Question 26

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Options:

Configure VPC Flow Logs and search for PHP file activity.

Install the CloudWatch agent on the ALB and export application logs.

Export ALB access logs to Amazon OpenSearch Service and search them.

Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

Question 27

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

Options:

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Question 28

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

Grant least privilege access to the organization's management account.

Create a new IAM Identity Center directory in the organization's management account.

Set up a second AWS Region in the organization’s management account.

Create permission sets for use only in the organization's management account.

Create IAM users for use only in the organization's management account.

Create user assignments only in the organization's management account.

Question 29

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Options:

Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.

Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.

Generate presigned URLs that expire after 72 hours.

Question 30

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Options:

Track SSM Agent versions with AWS Config.

Configure Session Manager to deny external connections.

Store the script in Amazon S3 and grant read access.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

Question 31

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

Options:

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

The version of the Lambda function that was invoked was not current.

Question 32

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution toprevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

Enable CloudTrail log file integrity validation from the organization's management account.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

Create IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Question 33

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.

Which solution will provide remote access while meeting these requirements?

Options:

Grant access to the EC2 serial console and allow IAM role access.

Enable EC2 Instance Connect and configure security groups accordingly.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.

Use Systems Manager Automation to temporarily open remote access ports.

Question 34

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.

What should the security engineer do to meet these requirements?

Options:

Create security groups and attach them to all SQS queues.

Modify network ACLs in all VPCs to restrict inbound traffic.

Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.

Use a third-party cloud access security broker (CASB).

Question 35

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database's compliance state for each part of the policy at any time.

Which solution will meet these requirements?

Options:

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Question 36

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.

Which solution will meet these requirements?

Options:

Use AWS Audit Manager with a custom framework.

Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.

Use AWS Security Hub configuration policies.

Use EventBridge and Lambda with custom metrics.

Load More SCS-C03 Questions

Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Amazon Web Services SCS-C03 AWS Certified Security – Specialty Exam Practice Test

AWS Certified Security – Specialty Questions and Answers

Testing Engine

PDF + Testing Engine

PDF Study Guide

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer: