SCS-C03 Amazon Web Services AWS Certified Security

AWS Certified Security – Specialty

Last Update 15 hours ago Total Questions : 126

The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 15 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.

Question # 4

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.

Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Question # 5

A company’s application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company’s security policy requires separate keys for different AWS services to limit security exposure.

How can a security engineer limit the KMS customer managed key to work with only Amazon S3?

Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.

Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.

Configure the application’s IAM role policy to allow Amazon S3 to perform the iam:PassRole action.

Configure the application’s IAM role policy to allow only S3 operations when the operations are combined with the KMS customer managed key.

Question # 6

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.

Which solution will meet these requirements?

Use AWS Audit Manager with a custom framework.

Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.

Use AWS Security Hub configuration policies.

Use EventBridge and Lambda with custom metrics.

Question # 7

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Configure VPC Flow Logs and search for PHP file activity.

Install the CloudWatch agent on the ALB and export application logs.

Export ALB access logs to Amazon OpenSearch Service and search them.

Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

Question # 8

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.

Which solution will provide remote access while meeting these requirements?

Grant access to the EC2 serial console and allow IAM role access.

Enable EC2 Instance Connect and configure security groups accordingly.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.

Use Systems Manager Automation to temporarily open remote access ports.

Question # 9

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question # 10

A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions.

The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of

arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

The security engineer must delete the key as quickly as possible.

Which solution will meet this requirement?

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.