
SCS-C03 AWS Certified Security – Specialty is now Stable and With Pass Result | Test Your Knowledge for Free

Exams4sure Dumps

SCS-C03 Practice Questions

AWS Certified Security – Specialty

Last Update 4 days ago
Total Questions: 231

Dive into our fully updated and stable SCS-C03 practice test platform, featuring all the latest AWS Certified Specialty exam questions added this week. Our preparation tool is more than just an Amazon Web Services study aid; it's a strategic advantage.

Our free AWS Certified Specialty practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about SCS-C03. Use this test to pinpoint which areas you need to focus your study on.

SCS-C03 PDF

SCS-C03 PDF (Printable)
$54.25
$154.99

SCS-C03 Testing Engine

SCS-C03 PDF (Printable)
$59.5
$169.99

SCS-C03 PDF + Testing Engine

SCS-C03 PDF (Printable)
$74.55
$212.99
Question # 21

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

Options:

A. Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B. Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C. Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D. Create a backup plan in AWS Backup. Configure a 5-year retention period.
Question # 22

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.

What should the security engineer do to meet these requirements?

Options:

A. Create security groups and attach them to all SQS queues.

B. Modify network ACLs in all VPCs to restrict inbound traffic.

C. Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.

D. Use a third-party cloud access security broker (CASB).
Question # 23

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

Which solution meets these requirements?

Options:

A. Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. Store logs in the bucket and grant auditors access.

B. Log application events to Amazon CloudWatch Logs and export them.

C. Capture KMS API calls using EventBridge and store them in DynamoDB.

D. Track KMS usage with CloudWatch metrics and dashboards.
Question # 24

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

Options:

A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D. The version of the Lambda function that was invoked was not current.
Question # 25

A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.

A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3/AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.

The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.

Which solution will meet this requirement?

Options:

A. Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.

B. Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.

C. Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.

D. Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team addresses the vulnerability.
Question # 26

A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B. The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.

Which solution will meet these requirements?

Options:

A. In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.

B. Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.

C. Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.

D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.
Question # 27

A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

Options:

A. Delegate Amazon Macie and Security Hub administration.

B. Use Amazon Inspector with Security Hub.

C. Use Inspector with Trusted Advisor.

D. Use Macie with Trusted Advisor.
Question # 28

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets.

The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company’s AWS Organization. The processing job must continue to function.

Which solution will meet these requirements?

Options:

A. Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws:PrincipalOrgId match the company’s organization.

B. Update the instance profile role policy to require aws:ResourceOrgId.

C. Add a network ACL rule to block outbound traffic on port 443.

D. Apply an SCP that restricts S3 actions using organization condition keys.
Question # 29

A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.

What is the MOST secure way for a security engineer to meet this requirement?

Options:

A. Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.

B. Create a gateway VPC endpoint. Use the endpoint to connect to AWS KMS.

C. Attach a NAT gateway to the VPC. Leave the EC2 instances in the private subnet. Use the NAT gateway to connect to AWS KMS.

D. Create an interface VPC endpoint. Use the endpoint to connect to AWS KMS.
Question # 30

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.

What should the company do to properly encrypt the snapshot in us-west-1?

Options:

A. Store the customer managed key in AWS Secrets Manager in us-west-1.

B. Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.

C. Create an IAM policy to allow access to the key in us-east-1 from us-west-1.

D. Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.