Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

AWS Certified Security – Specialty

Last Update 22 hours ago Total Questions : 231

The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 22 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.

Question # 61

A security engineer needs to prepare for a security audit of an AWS account.

Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

• AWS Artifact reports

• AWS Audit Manager controls

• AWS Config conformance packs

• AWS Config rules

• Amazon Detective investigations

• AWS Identity and Access Management Access Analyzer internal access analyzers

Question # 62

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question # 63

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

A.

Configure CloudFront standard logging and CloudWatch Logs metric filters.

B.

Configure VPC Flow Logs and CloudWatch Logs metric filters.

C.

Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D.

Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.

Question # 64

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement anautomated solutionto detect and respond to anomalous traffic patterns. The solution must follow AWS best practices forinitial incident responseand mustminimize disruptionto the web application.

Which solution will meet these requirements?

A.

Disable the instance profile access keys by using AWS Lambda.

B.

Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

C.

Update the network ACL to block the detected traffic source.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question # 65

A security engineer discovers that a company ' s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed

Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Select TWO.)

A.

Update the password length policy in the IAM configuration.

B.

Update the password length policy in the Cognito configuration.

C.

Update the password length policy in the on-premises Active Directory configuration.

D.

Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.

E.

Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.

Question # 66

A company uses AWS Organizations to manage the company’s AWS accounts. The company’s security team needs to implement preventive controls to deny the use of account-level root credentials. The solution must minimize the risk that an AWS account root user could be compromised. The solution must also minimize the effort needed to manage root access.

Which solution will meet these requirements?

A.

Create an AWS Lambda function to disable the root user in every member account. Enable the root account only if the company needs it to modify settings related to centralized billing or the recovery of AWS KMS keys.

B.

Enable centralized root access management in IAM. Remove long-term root credentials in the member accounts. Create a company policy that requires employees to use Organizations to create new accounts.

C.

Enable centralized root access management through AWS Security Hub CSPM. Remove long-term root credentials in the member accounts. Configure new accounts to be created without root credentials in Security Hub CSPM.

D.

Configure an SCP to explicitly deny all actions when the principal is the root user of an account for all member accounts. Require that member account root users have MFA enabled. Require that root credentials are rotated on a regular schedule.

Question # 67

A security engineer must investigate an Amazon GuardDuty finding. The finding indicates potential cryptocurrency mining activity on an Amazon EC2 instance. The security engineer must validate the finding and assess the impact.

Which data sources should the security engineer analyze to meet these requirements?

A.

Check the instance’s CPU utilization metrics in Amazon CloudWatch. Examine the finding’s MITRE ATT & CK tactic classification. Review any associated IAM role permissions.

B.

Count the number of GuardDuty findings associated with the instance. Verify the instance’s launch time. Check AWS Security Hub CSPM for any related alerts.

C.

Review the instance’s process details that relate to the finding. Examine DNS queries to known mining domains. Analyze the instance’s outbound network connections by using VPC Flow Logs.

D.

Examine the instance’s AWS Systems Manager session history. Verify Amazon Route 53 DNS records. Review GuardDuty severity levels.

Question # 68

A security engineer needs to protect a public web application that runs in a VPC. The VPC hosts the origin for an Amazon CloudFront distribution. The application has experienced multiple layer 7 DDoS attacks. An AWS WAF web ACL is associated with the CloudFront distribution. The web ACL contains one AWS managed rule to protect against known IP addresses that have bad reputations.

The security engineer must configure an automated solution that detects and mitigates layer 7 DDoS attacks in real time with no manual effort.

Which solution will meet these requirements?

A.

Enable AWS Shield Advanced on the CloudFront distribution. Configure alerts in Amazon CloudWatch for DDoS indicators.

B.

Enable AWS Shield Advanced and configure proactive engagement with the AWS DDoS Response Team (DRT).

C.

Deploy AWS Network Firewall in the VPC. Create security policies that detect DDoS indicators. Create an AWS Lambda function to automatically update the web ACL rules during an attack.

D.

Add a rate-based rule to the web ACL. Enable AWS Shield Advanced. Enable automatic application layer DDoS mitigation on the CloudFront distribution.

Question # 69

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

C.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

D.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

E.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

Go to page: