Pre-Summer Special Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: spcl70

Practice Free SCS-C03 AWS Certified Security – Specialty Exam Questions Answers With Explanation

We at Crack4sure are committed to giving students who are preparing for the Amazon Web Services SCS-C03 Exam the most current and reliable questions . To help people study, we've made some of our AWS Certified Security – Specialty exam materials available for free to everyone. You can take the Free SCS-C03 Practice Test as many times as you want. The answers to the practice questions are given, and each answer is explained.

Get Full 179 Questions Search Other Amazon Web Services Exam
Question # 6

A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.

A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3/AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.

The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.

Which solution will meet this requirement?

A.

Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.

B.

Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.

C.

Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.

D.

Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team address the vulnerability.

Question # 7

A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.

All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for2 years.No changes or deletions of the logs are allowed.

Which combination of steps will meet these requirements with theLEAST operational overhead? (Select TWO.)

A.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock incompliance modewith a retention period of 2 years. Set the bucket policy to allow the organization’smanagement accountto write to the S3 bucket.

B.

In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock incompliance modewith a retention period of 2 years. Set the bucket policy to allow the organization’smember accountsto write to the S3 bucket.

C.

In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration that expires objects after 2 years. Allow member accounts to write to the bucket.

D.

Create anAWS CloudTrail organization trail. Configure logs to be delivered to the Amazon S3 bucket in the dedicated security account.

E.

Turn on AWS CloudTrail in each account and forward logs to the dedicated security account by using AWS Lambda and Amazon Data Firehose.

Question # 8

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization ' s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

Question # 9

A security engineer needs to prepare a company ' s Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances.

Which solution will quarantine EC2 instances during a security incident?

A.

Create a rule in AWS Config to track SSM Agent versions.

B.

Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.

C.

Store the script in Amazon S3 and grant read access to the instance profile.

D.

Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

Question # 10

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Question # 11

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

Question # 12

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

A.

Configure an S3 Lifecycle rule to delete objects after 45 days.

B.

Create a Lambda function triggered on object upload to delete old data.

C.

Create a scheduled Lambda function to delete old objects monthly.

D.

Configure S3 Intelligent-Tiering.

Question # 13

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

Question # 14

A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

Which solution will meet these requirements?

A.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

B.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction only when the object has server-side encryption with S3 managed keys (SSE-S3).

C.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

D.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

Question # 15

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.

Which solution will provide the application with AWS credentials?

A.

Use Amazon Cognito identity pools and the GetId API.

B.

Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.

C.

Use Amazon Cognito user pools with ID tokens.

D.

Use Amazon Cognito user pools with access tokens.

Question # 16

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.

Which solution will provide remote access while meeting these requirements?

A.

Grant access to the EC2 serial console and allow IAM role access.

B.

Enable EC2 Instance Connect and configure security groups accordingly.

C.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.

D.

Use Systems Manager Automation to temporarily open remote access ports.

Question # 17

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

A.

Create an AWS WAF web ACL with an IP match condition to deny the countries ' IP ranges. Associate the web ACL with the CloudFront distribution.

B.

Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

C.

Use the geo restriction feature in CloudFront to deny the specific countries.

D.

Use geolocation headers in CloudFront to deny the specific countries.

Question # 18

A company ' s security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company ' s forensics team. Each of the company ' s EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

A.

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

B.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

C.

Create a network ACL that is associated with the target instance ' s subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

D.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Question # 19

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with theLEAST operational effort?

A.

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

Question # 20

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company ' s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this? (Select TWO.)

A.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

B.

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.

C.

Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker’s IP using security groups.

D.

Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.

E.

Use AWS WAF to create rules to respond to such attacks.

Question # 21

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Configure the S3 Block Public Access feature for the AWS account.

B.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.

Deactivate ACLs for objects that are in the bucket.

D.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Question # 22

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

Which solution will meet these requirements MOST cost-effectively?

A.

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.

B.

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.

C.

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.

D.

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.

Question # 23

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.

Which solution will meet these requirements?

A.

Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.

B.

Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.

C.

Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.

D.

Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

Question # 24

A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.

Which solution will meet these requirements?

A.

Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.

B.

Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.

C.

Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.

D.

Create an AWS Direct Connect connection between the on-premises data center and AWS. Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

Question # 25

A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company ' s AWS account by using OpenID Connect (OIDC).

Which solution will meet these requirements?

A.

Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.

B.

Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.

C.

Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.

D.

Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share.

Question # 26

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.

How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

A.

Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B.

Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.

C.

Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D.

Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Question # 27

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

A.

Enable AWS Security Hub in the AWS account.

B.

Enable Amazon GuardDuty in the AWS account.

C.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team ' s email distribution list to the topic.

D.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team ' s email distribution list to the queue.

E.

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

F.

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Question # 28

A company’s developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

A.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Question # 29

A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company ' s AWS account.

A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group.

Which additional step will meet this requirement?

A.

Configure GuardDuty to directly invoke the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.

B.

Configure an AWS Config rule that invokes the Lambda function if a CryptoCurrency:EC2/* configuration change event occurs for an EC2 instance.

C.

Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.

D.

Configure an Amazon EventBridge rule that invokes the Lambda function if AWS Config detects a CryptoCurrency:EC2/* configuration change event for an EC2 instance.

Question # 30

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.

However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.

What should the security engineer do next to resolve the issue?

A.

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

B.

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

C.

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

D.

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Question # 31

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Question # 32

A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs.

What could be the reason?

A.

logs:GetLogEvents is missing.

B.

The engineer cannot assume the role.

C.

The vpc-flow-logs.amazonaws.com principal cannot assume the role.

D.

The role cannot tag the log stream.

Question # 33

A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.

The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.

How should the security engineer configure the rule to protect the NLB?

A.

Configure the rule to use theCountaction.

B.

Configure the rule to use theBlockaction.

C.

Configure the rule to use theMonitoraction.

D.

Configure the rule to use theAllowaction.

Question # 34

A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?

A.

Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.

B.

Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.

C.

Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.

D.

Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

Question # 35

A company needs to scan all AWS Lambda functions for code vulnerabilities.

A.

Use Amazon Macie.

B.

Enable Amazon Inspector Lambda scanning.

C.

Use GuardDuty and Security Hub.

D.

Use GuardDuty Lambda Protection.

Question # 36

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for events patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

A.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

B.

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

C.

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

D.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to query the log group.

Question # 37

A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.

Which solution will meet these requirements?

A.

Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.

B.

Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2-instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.

C.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.

D.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.

Question # 38

A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which solution will meet these requirements?

A.

Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.

B.

Use IAM policies to restrict access to the Encrypt and Decrypt API actions.

C.

Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.

D.

Use key policies to restrict access to the appropriate IAM groups.

Question # 39

A company ' s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.

On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company ' s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

Which action should a security engineer take to enforce this data retention policy?

A.

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

B.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

C.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

D.

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Question # 40

A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail.

Which solution will meet these requirements?

A.

Use Amazon Detective to investigate IAM roles and visualize findings.

B.

Use Amazon Inspector and CloudWatch dashboards.

C.

Export GuardDuty findings to S3 and analyze with Athena.

D.

Use Security Hub custom actions to investigate IAM roles.

Question # 41

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

A.

Configure S3 bucket policies to deny DELETE and PUT object permissions.

B.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Question # 42

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company ' s customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player ' s credentials.

Which solution will meet these requirements?

A.

When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key.

B.

Migrate the player credentials from the Aurora database to AWS Secrets Manager.

C.

Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game ' s authentication mechanism to Cognito.

D.

Issue API keys to new and existing players and use Amazon API Gateway for authentication.

Question # 43

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

A.

Track SSM Agent versions with AWS Config.

B.

Configure Session Manager to deny external connections.

C.

Store the script in Amazon S3 and grant read access.

D.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

Question # 44

A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

Which solution meets these requirements?

A.

Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

B.

Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

C.

Configure AWS Config rules to log access to the objects stored in the S3 bucket.

D.

Enable Amazon Macie to log access to the objects stored in the S3 bucket.

Question # 45

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

A.

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

B.

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C.

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D.

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Question # 46

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler.

The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization ' s management account when the management account is not required.

Which solution will meet these requirements?

A.

Create a CloudFormation stack set in the organization ' s management account and manually add new accounts.

B.

Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled.

C.

Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule.

D.

Create a Systems Manager Automation runbook in the management account and share it to accounts.

Question # 47

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows thekms:Decryptpermission to the customer managed key. The IAM policy also allows thes3:List* ands3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

A.

The IAM policy needs to allow thekms:DescribeKeypermission.

B.

The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

C.

An S3 bucket policy needs to be added to allow the IAM user to access the objects.

D.

The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

Question # 48

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

A.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Question # 49

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question # 50

A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.

What is the MOST secure way to provide this access?

A.

Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.

B.

Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

C.

Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.

D.

Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Question # 51

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

Which solution will meet these requirements?

A.

Enforce KMS encryption and deny s3:GetObject by SCP.

B.

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

Question # 52

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.

Question # 53

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet’s network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

A.

Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

B.

Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC ' s CIDR range.

C.

Create an EC2 key pair. Associate the key pair with the EC2 instance.

D.

Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.

E.

Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC ' s CIDR range.

F.

Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

SCS-C03 PDF

$33

$109.99

3 Months Free Update

Add to Cart
  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

SCS-C03 PDF + Testing Engine

$52.8

$175.99

3 Months Free Update

Add to Cart
  • Exam Name: AWS Certified Security – Specialty
  • Last Update: Apr 12, 2026
  • Questions and Answers: 179
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

SCS-C03 Engine

$39.6

$131.99

3 Months Free Update

Add to Cart
  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included