Last Update 22 hours ago Total Questions : 231
The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 22 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.
You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.
A company’s application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.
What are the reasons for the error messages? (Select TWO.)
A security engineer wants to create a new AWS KMS customer managed key. The KMSAdmin IAM role will create and disable this key. The KMSUser IAM role will use this key for decryption.
Which key policy will meet these requirements?
A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.
Which combination of steps will meet these requirements? (Select TWO.)
A company wants to implement a content delivery network (CDN) for an upcoming product launch. The origin for distribution is a web server outside the AWS Cloud. The origin requires an authorization header from each request.
Which solution will meet these requirements?
A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:
• Database storage must be encrypted at rest.
• Deletion protection must be enabled.
• Databases must not be publicly accessible.
• Database audit logs must be published to Amazon CloudWatch Logs.
A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database ' s compliance state for each part of the policy at any time.
Which solution will meet these requirements?
A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.
The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:
• A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.
• A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.
• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
• Any investigative activity during the collection of volatile data must be captured as part of the process.
Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.
A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal.
Which solution will meet this requirement?
A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.
Which solution will meet these requirements?
A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.
Which solution will meet these requirements with the LEAST operational effort?
A company uses AWS Organizations. The company subscribes to AWS Shield Advanced. The company must share third-party firewall logs from all its accounts with the Shield Response Team. The company stores the logs in an Amazon S3 bucket that uses server-side encryption with S3 managed keys (SSE-S3).
Which combination of steps will meet these requirements? (Select TWO.)
