Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

AWS Certified Security – Specialty

Last Update 22 hours ago Total Questions : 231

The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 22 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.

Question # 41

A company’s application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.

What are the reasons for the error messages? (Select TWO.)

A.

The application does not have the kms:Encrypt permission for the customer managed key.

B.

The customer managed key is already being used to encrypt another SecureString parameter.

C.

Standard tier SecureString parameters cannot use a customer managed key for encryption.

D.

The customer managed key that is specified in the application has its key state set to Disabled.

E.

The customer managed key that is specified in the application is using a key alias instead of a key ID.

Question # 42

A security engineer wants to create a new AWS KMS customer managed key. The KMSAdmin IAM role will create and disable this key. The KMSUser IAM role will use this key for decryption.

Which key policy will meet these requirements?

A.

A key policy that grants KMSAdmin only kms:Create and kms:Disable*, and grants KMSUser kms:Decrypt.

B.

A key policy that grants KMSAdmin kms:Create* and kms:Disable*, and grants KMSUser kms:Decrypt.

C.

A key policy that grants KMSAdmin and KMSUser kms:CreateGrant, but does not grant KMSUser kms:Decrypt.

D.

A key policy that grants both KMSAdmin and KMSUser only kms:Decrypt*.

Question # 43

A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

A.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.

Deactivate the exposed IAM access key from the user ' s IAM account.

C.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Question # 44

A company wants to implement a content delivery network (CDN) for an upcoming product launch. The origin for distribution is a web server outside the AWS Cloud. The origin requires an authorization header from each request.

Which solution will meet these requirements?

A.

Use AWS Global Accelerator to create a custom routing accelerator. Configure the accelerator to use TCP. Specify the web server’s IP address. Include the required authorization header in the request. Configure the web server to respond to requests from authorized users by using a signed cookie in the response header.

B.

Create an Amazon CloudFront distribution. Configure CloudFront to use an origin access control (OAC). Specify the web server as the origin. Include the required authorization header in the OAC request. Configure the web server to respond to requests from authorized users by using a signed URL.

C.

Create an Amazon CloudFront distribution. Configure CloudFront to forward a custom header to the origin. Specify trusted key groups for the distribution. Configure the web server to respond to requests from authorized users by using a signed URL.

D.

Use AWS Global Accelerator to create an origin access control (OAC). Specify the web server as the origin. Include a custom header in the request. Configure the web server to respond to requests from authorized users by using a signed cookie in the response header.

Question # 45

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database ' s compliance state for each part of the policy at any time.

Which solution will meet these requirements?

A.

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

B.

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

C.

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

D.

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Question # 46

A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.

The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

• A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be captured as part of the process.

Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)

A.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance’s security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

B.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

D.

Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data.

E.

Create a snapshot of the compromised EC2 instance’s EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.

F.

Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Question # 47

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.

A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal.

Which solution will meet this requirement?

A.

Add the remaining developer to the DevOps group in Directory Service.

B.

Remove and then re-add the permissions set in the member account.

C.

Add the service-linked role for organization to the member account.

D.

Update the permissions set to allow console access for the remaining developer.

Question # 48

A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

Which solution will meet these requirements?

A.

Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.

B.

Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.

C.

Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.

D.

Enable AWS Security Hub and use custom actions to investigate IAM roles.

Question # 49

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

A.

Install a third-party security add-on.

B.

Enable AWS Security Hub and monitor Kubernetes findings.

C.

Monitor CloudWatch Container Insights metrics for EKS.

D.

Enable Amazon GuardDuty and use EKS Audit Log Monitoring.

Question # 50

A company uses AWS Organizations. The company subscribes to AWS Shield Advanced. The company must share third-party firewall logs from all its accounts with the Shield Response Team. The company stores the logs in an Amazon S3 bucket that uses server-side encryption with S3 managed keys (SSE-S3).

Which combination of steps will meet these requirements? (Select TWO.)

A.

Use the aws shield associate-drt-log-bucket command to grant the Shield Response Team access to the bucket.

B.

Configure multi-account support by creating a delegated administrator account for Shield Advanced.

C.

In the delegated administrator account, configure Shield Advanced to forward events to AWS Security Hub CSPM.

D.

Create an IAM role and attach the AWSShieldDRTAccessPolicy policy. Create a trust policy with the drt.shield.amazonaws.com service principal.

E.

Configure auto-enable preferences in Organizations to enable Shield Advanced as the organization adds new member accounts.

Go to page: