Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

AWS Certified Security – Specialty

Last Update 22 hours ago Total Questions : 231

The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 22 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.

Question # 21

A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

Which solution will meet these requirements?

A.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

B.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction only when the object has server-side encryption with S3 managed keys (SSE-S3).

C.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

D.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

Question # 22

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests. The security engineer does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

A.

Use AWS WAF to implement a rate-based rule for all incoming requests.

B.

Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.

C.

Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.

D.

Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Question # 23

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

A.

Replace the KSK with a zone-signing key (ZSK).

B.

Deactivate and then activate the KSK.

C.

Create a Delegation Signer (DS) record in the parent hosted zone.

D.

Create a Delegation Signer (DS) record in the subdomain.

Question # 24

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Question # 25

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store ' s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company ' s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in theMOST secureway?

A.

Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Share the portfolio with the OU.

B.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Create an SCP that allows access to the extension.

C.

Create an AWS Service Catalog portfolio and create an IAM role for cross-account access. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.

D.

Use the CloudFormation CLI to create a module and share the extension directly with the OU.

Question # 26

A company receives an alert from AWS Support. The alert shows a compromised access key on a single standalone AWS account. A security engineer must determine the scope of the issue. Then, the security engineer must triage and remediate the issue.

Which solution will meet these requirements?

A.

Delete the IAM user that has the AWSCompromisedKeyQuarantineV3 policy attached. Review Amazon CloudWatch for suspicious activity.

B.

Review AWS CloudTrail logs. Remove any unauthorized resources. Rotate all IAM access keys for the user that has the AWSCompromisedKeyQuarantineV3 policy attached. Remove the policy from the user.

C.

Remove the AWSCompromisedKeyQuarantineV3 policy from the impacted IAM user. Review AWS CloudTrail logs. Remove any unauthorized resources.

D.

Review Amazon CloudWatch logs for suspicious activity. Remove all unauthorized resources. Rotate the impacted IAM access keys.

Question # 27

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

A.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question # 28

A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

A.

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

B.

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

C.

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

D.

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Question # 29

A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break-glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break-glass user for the AWS account that contains the workload.

The company must create the break-glass user. The company must log any activities of the break-glass user and send the logs to a security team.

Which combination of solutions will meet these requirements? (Select TWO.)

A.

Create a local individual break-glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.

B.

Create a break-glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon SNS.

C.

Create a break-glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.

D.

Create a local individual break-glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break-glass IAM users.

E.

Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon SNS topic.

Question # 30

A consultant agency needs to perform a security audit for a company ' s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

A.

Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.

B.

Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency ' s identity provider (IdP). Add MFA to a Cognito user pool.

C.

Create an IAM role in the consultant agency ' s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company ' s production account as the principal. Attach the trust policy to the role.

D.

Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency ' s AWS account as the principal. Attach the trust policy to the role.

Go to page: