SCS-C03 Amazon Web Services AWS Certified Security

AWS Certified Security – Specialty

Last Update 8 hours ago Total Questions : 81

The AWS Certified Security – Specialty content is now fully updated, with all current exam questions added 8 hours ago. Deciding to include SCS-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SCS-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SCS-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Security – Specialty practice test comfortably within the allotted time.

Question # 4

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Question # 5

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.

What should the company do to properly encrypt the snapshot in us-west-1?

Store the customer managed key in AWS Secrets Manager in us-west-1.

Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.

Create an IAM policy to allow access to the key in us-east-1 from us-west-1.

Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

Question # 6

A security engineer discovers that a company's user passwords have no required minimum length. The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Update the password length policy in the IAM configuration.

Update the password length policy in the Amazon Cognito configuration.

Update the password length policy in the on-premises Active Directory configuration.

Create an SCP in AWS Organizations to enforce minimum password length.

Create an IAM policy with a minimum password length condition.

Question # 7

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Question # 8

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

Use encrypted parameters in the CloudFormation template.

Use SecureString parameters to reference Secrets Manager.

Use SecureString parameters encrypted by AWS KMS.

Question # 9

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client's own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company's AWS resources.

Which additional step will meet these requirements?

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

Question # 10

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

Install a third-party security add-on.

Enable AWS Security Hub and monitor Kubernetes findings.

Monitor CloudWatch Container Insights metrics for EKS.

Enable Amazon GuardDuty and use EKS Audit Log Monitoring.