
Exams4sure Dumps

AWS-Security-Specialty Practice Questions

AWS Certified Security Specialty (SCS-C03)

Last Update 3 days ago
Total Questions : 179


Question # 11

A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.

How can the company enforce encryption for all connections to the Aurora cluster?

Options:

A.  

In the Aurora cluster configuration, set the require_secure_transport DB cluster parameter to ON.

B.  

Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.

C.  

Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.

D.  

Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.

Question # 12

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A.  

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B.  

Use encrypted parameters in the CloudFormation template.

C.  

Use SecureString parameters to reference Secrets Manager.

D.  

Use SecureString parameters encrypted by AWS KMS.
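The distinction the options above turn on is how a credential reaches a resource property: a CloudFormation dynamic reference (`{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}`) is resolved by CloudFormation at stack-operation time and the value never appears in the template, whereas a literal, a plaintext `{{resolve:ssm:...}}` parameter, or a `Ref` to a template parameter all put the secret in the template or in the deployer's hands. The following audit script is an added example written for this page, not code from AWS or from the exam vendor; the template, the resource and secret names, and the `SENSITIVE_KEYS` list are constructed for illustration.

```python
"""Audit a CloudFormation template for credentials that are not injected
through a Secrets Manager / SSM SecureString dynamic reference.
Added example for this page, not AWS code. The template and the
SENSITIVE_KEYS list are constructed for illustration."""
import re

# Dynamic-reference syntax CloudFormation resolves during create/update:
#   {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>:<version-stage>:<version-id>}}
#   {{resolve:ssm-secure:<parameter-name>:<version>}}
#   {{resolve:ssm:<parameter-name>:<version>}}   <- plaintext SSM parameter, not a secret store
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure|ssm):[^}]+\}\}$")
SECRET_STORES = {"secretsmanager", "ssm-secure"}
# Property names treated as credentials (constructed list; extend for your resource types).
SENSITIVE_KEYS = {"MasterUserPassword", "Password", "SecretString"}

TEMPLATE = {  # constructed sample; resource, parameter and secret names are hypothetical
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"DbPasswordParam": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql",
            "MasterUsername": "{{resolve:secretsmanager:prod/db:SecretString:username}}",
            "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}},
        "LiteralDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "MasterUsername": "admin",
            "MasterUserPassword": "Sup3rS3cret!"}},
        "ParamDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "MasterUsername": "admin",
            "MasterUserPassword": {"Ref": "DbPasswordParam"}}},
        "SsmDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "MasterUsername": "admin",
            "MasterUserPassword": "{{resolve:ssm:/prod/db/password:1}}"}},
    },
}


def classify(value):
    """Classify how a credential-bearing property gets its value."""
    if isinstance(value, dict):
        return "intrinsic"        # {"Ref": ...} / {"Fn::...": ...}: supplied at deploy time
    if isinstance(value, str):
        m = DYNAMIC_REF.match(value)
        if m:
            return "secret-ref" if m.group(1) in SECRET_STORES else "ssm-plaintext-ref"
        return "literal"          # hard-coded in the template (and in every copy of it)
    return "other"


def audit(node, path=""):
    """Walk the template and return (path, kind) for every sensitive property."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                findings.append((child, classify(value)))
            findings.extend(audit(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(audit(item, f"{path}[{i}]"))
    return findings


def violations(template):
    """Everything that is not a Secrets Manager / SSM SecureString dynamic reference."""
    return {path: kind for path, kind in audit(template) if kind != "secret-ref"}


if __name__ == "__main__":
    for path, kind in sorted(violations(TEMPLATE).items()):
        print(f"{kind:18} {path}")
```

Two caveats worth knowing when you adopt dynamic references: the `{{resolve:secretsmanager:...}}` string is resolved only when the stack is created or updated, so a rotated secret is not picked up until the next stack update; and a `Ref` to a `NoEcho` parameter only masks the value in describe-stacks output, the plaintext still has to be handed to whoever runs the deployment, which is why the script flags it.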

Question # 13

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution to prevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

A.  

Enable CloudTrail log file integrity validation from the organization's management account.

B.  

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C.  

Create a service control policy (SCP) that includes an explicit Deny rule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

D.  

Create IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Question # 14

A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

Which solution will meet this requirement?

Options:

A.  

Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.

B.  

Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.

C.  

Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.

D.  

Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.
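The mechanics behind this question: a web ACL associated with an ALB logs the TCP peer of the ALB in `httpRequest.clientIp`, and when CloudFront is in front, that peer is a CloudFront edge. CloudFront appends the viewer's address to the end of the X-Forwarded-For header it sends to the origin, so the right-most entry is the only one CloudFront vouches for; entries to its left were sent by the viewer and can be forged. The script below is an added example written for this page, not AWS code; the log lines are constructed in the AWS WAF log JSON shape (`httpRequest.clientIp` plus `httpRequest.headers` as a list of name/value objects), and the addresses and host name are hypothetical.

```python
"""Recover viewer IPs from AWS WAF logs for a web ACL on an ALB behind CloudFront.
Added example for this page, not AWS code. Log lines are constructed below."""
import ipaddress
import json
from collections import Counter


def _entry(client_ip, xff, uri="/login"):
    """Build one constructed WAF log line (only the fields this script reads)."""
    headers = [{"name": "Host", "value": "app.example.com"}]
    if xff is not None:
        headers.append({"name": "X-Forwarded-For", "value": xff})
    return json.dumps({"timestamp": 1700000000000, "action": "ALLOW",
                       "httpSourceName": "ALB", "httpRequest": {
                           "clientIp": client_ip, "country": "US", "uri": uri,
                           "httpMethod": "POST", "headers": headers}})


# Constructed sample: clientIp is always a CloudFront edge address (203.0.113.x);
# the viewer appears only in X-Forwarded-For, appended by CloudFront.
SAMPLE_LOG = "\n".join([
    _entry("203.0.113.5", "10.0.0.1, 198.51.100.23"),   # viewer spoofed a leading hop
    _entry("203.0.113.7", "198.51.100.23"),
    _entry("203.0.113.5", "198.51.100.23"),
    _entry("203.0.113.9", "192.0.2.77"),
    _entry("203.0.113.9", "not-an-ip, 192.0.2.77"),      # garbage to the left is ignored
    _entry("198.51.100.200", None),                      # no XFF: reached the ALB directly
])


def header(request, name):
    """Case-insensitive lookup in the WAF log's list of {name, value} headers."""
    for h in request.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def viewer_ip(entry):
    """The right-most X-Forwarded-For address is the hop CloudFront appended, i.e. the
    peer that connected to the edge. Without an XFF header the TCP peer is all we have."""
    req = entry["httpRequest"]
    xff = header(req, "X-Forwarded-For")
    if not xff:
        return req["clientIp"]
    candidate = xff.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return req["clientIp"]   # malformed hop: fall back rather than trust garbage


def top_viewers(log_text, n=5):
    """Parse newline-delimited WAF log JSON and rank viewer addresses by request count."""
    entries = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return Counter(viewer_ip(e) for e in entries).most_common(n)


if __name__ == "__main__":
    for ip, count in top_viewers(SAMPLE_LOG):
        print(f"{count:4d}  {ip}")
```

The right-most hop is trustworthy only if the ALB accepts traffic solely from CloudFront (for example, a security group that references the CloudFront managed prefix list, plus a secret origin header that a WAF rule checks); otherwise a request that hits the ALB directly, like the last sample line, can carry any X-Forwarded-For value it likes. For blocking rather than investigation, AWS WAF IP set and rate-based rules can be configured to evaluate a forwarded-IP header instead of `clientIp`, with a fallback behaviour for malformed values.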

Question # 15

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of 1 hour.

Which solution will meet these requirements?

Options:

A.  

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

B.  

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C.  

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

D.  

Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Question # 16

A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:

A.  

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.  

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.  

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.  

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Question # 17

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets.

Which solution will meet these requirements?

Options:

A.  

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.  

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C.  

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D.  

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.
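Three of the questions above (Question # 13, Question # 16 and Question # 17) hinge on an explicit Deny statement: an SCP covering cloudtrail:StopLogging and cloudtrail:DeleteTrail, an SCP that refuses lambda:CreateFunctionUrlConfig / lambda:UpdateFunctionUrlConfig when lambda:FunctionUrlAuthType is NONE, and an S3 bucket policy that denies every request whose aws:SecureTransport key is false. The evaluator below is an added example written for this page, not AWS code and not the IAM policy engine; it models only the subset of IAM matching these three policies need (Deny, Action/Resource wildcards, StringEquals and Bool conditions), and the bucket name is hypothetical.

```python
"""Minimal evaluator for the three Deny policies used in the questions above.
Added example for this page, not AWS code; models a small subset of IAM."""
from fnmatch import fnmatchcase

CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectCloudTrail", "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*"}]}

LAMBDA_URL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnauthenticatedFunctionUrls", "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
        "Resource": "*",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]}

S3_TLS_ONLY_POLICY = {  # bucket name is hypothetical
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator block must match. A context key that is absent never
    matches (the ...IfExists operator variants are not modelled here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if str(actual) not in [str(e) for e in _as_list(expected)]:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denied_by(policy, action, resource="*", context=None):
    """Return the Sid of the first Deny statement that matches the request, else None.
    An explicit Deny overrides any Allow, so a match here is final."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        return stmt.get("Sid", "<unnamed>")
    return None


if __name__ == "__main__":
    print(denied_by(CLOUDTRAIL_SCP, "cloudtrail:StopLogging"))
    print(denied_by(LAMBDA_URL_SCP, "lambda:CreateFunctionUrlConfig",
                    context={"lambda:FunctionUrlAuthType": "NONE"}))
    print(denied_by(S3_TLS_ONLY_POLICY, "s3:GetObject",
                    "arn:aws:s3:::example-bucket/data.csv",
                    context={"aws:SecureTransport": "false"}))
```

Practitioner caveats the questions leave out: SCPs never restrict the organization's management account, so the CloudTrail SCP protects member accounts only; denying StopLogging and DeleteTrail still leaves cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors able to redirect or thin out a trail, so a production SCP usually covers those too; and the s3-bucket-ssl-requests-only AWS Config managed rule reports a bucket as NON_COMPLIANT precisely when its policy lacks a Deny on aws:SecureTransport false, which is what the remediation runbook in Question # 17 applies.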

Question # 18

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Configure the S3 Block Public Access feature for the AWS account.

B.  

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.  

Deactivate ACLs for objects that are in the bucket.

D.  

Use AWS PrivateLink for Amazon S3 to access the bucket.

Question # 19

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:

• No remote access management ports to the EC2 instances can be exposed internally or externally.

• All remote session activity must be recorded in an audit log.

• All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center.

The company's DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues.

Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?

Options:

A.  

Grant access to the EC2 serial console at the account level.

B.  

Enable EC2 Instance Connect and configure security group rules.

C.  

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.

D.  

Use AWS Systems Manager Automation runbooks to open remote access ports.

Question # 20

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.

Which solution will meet these requirements?

Options:

A.  

Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.

B.  

Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

C.  

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

D.  

Create an AWS WAF web ACL for the ALB. Create a custom rule that allows requests from legitimate user agent strings.
