
SCS-C03 AWS Certified Security – Specialty is now Stable and With Pass Result | Test Your Knowledge for Free

Exams4sure Dumps

SCS-C03 Practice Questions

AWS Certified Security – Specialty

Last Update 4 days ago
Total Questions : 231

Dive into our fully updated and stable SCS-C03 practice test platform, featuring all the latest AWS Certified Specialty exam questions added this week. Our preparation tool is more than just an Amazon Web Services study aid; it's a strategic advantage.

Our free AWS Certified Specialty practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about SCS-C03. Use this test to pinpoint which areas you need to focus your study on.

Question # 61

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

Options:

A. Use AWS WAF to implement a rate-based rule for all incoming requests.

B. Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.

C. Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.

D. Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Question # 62

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

Options:

A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

Question # 63

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

Options:

A. Configure CloudFront standard logging and CloudWatch Logs metric filters.

B. Configure VPC Flow Logs and CloudWatch Logs metric filters.

C. Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D. Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.

Question # 64

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

Options:

A. Create a new customer managed key in AWS Key Management Service (AWS KMS).

B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).

C. Configure the PHP SDK to use the SSE-S3 key before upload.

D. Create an AWS managed key for Amazon S3 in AWS KMS.

E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).

F. Change all the S3 objects in the bucket to use the new encryption key.

Question # 65

A security engineer needs to prepare a company's Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances.

Which solution will quarantine EC2 instances during a security incident?

Options:

A. Create a rule in AWS Config to track SSM Agent versions.

B. Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.

C. Store the script in Amazon S3 and grant read access to the instance profile.

D. Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

Question # 66

A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:lambda:::function:MyLambdaFunction"
        }
      }
    }

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A. Remove the Condition element. Change the Principal element to the following: { "AWS": "arn:aws:lambda:::function:MyLambdaFunction" }

B. Change the Action element to the following: [ "s3:GetObject*", "s3:GetBucket*" ]

C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".

D. Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following: { "Service": "s3.amazonaws.com" }

Question # 67

A company begins to use AWS WAF after experiencing an increase in traffic to the company’s public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

Which solution will meet this requirement?

Options:

A. Send AWS WAF logs to AWS CloudTrail and analyze them with OpenSearch.

B. Send AWS WAF logs to Amazon S3 and query them directly with OpenSearch.

C. Send AWS WAF logs to Amazon S3. Create an Amazon Athena table with partition projection. Use Athena to query the logs.

D. Send AWS WAF logs to AWS CloudTrail and analyze them with Amazon Athena.

Question # 68

A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.

A security team must implement a solution to centrally manage VPC security groups across the accounts. The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.

The security team needs to select a solution that does not require custom development or scripting.

Which solution will meet these requirements?

Options:

A. Use AWS Firewall Manager to manage security group rules through security group policy rules.

B. Create an AWS Systems Manager Automation runbook to identify and align noncompliant security groups with the reference security group.

C. Use a custom AWS Config rule with auto remediation. Compare to the reference security group for compliance.

D. Manage security groups through AWS CloudFormation StackSets. Use the reference security group for the initial rules.

Question # 69

A company uses AWS Organizations to manage its AWS accounts in a single organization. The company applies the FullAWSAccess SCP to every OU. However, now the company must explicitly deny specific services. The company needs a solution that restricts any users in the organization from using the explicitly denied services.

Additionally, the solution must enforce all Amazon S3 buckets across the organization to have a minimum TLS version of 1.2. The company requires a central solution that applies to all existing accounts and any new accounts that the company creates in the future.

Which solution will meet these requirements?

Options:

A. Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

B. Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach the SCP to the root OU. Attach the RCP to each account within the organization.

C. Create an SCP deny statement to disallow s3:* where the TLS version is less than 1.2. Create an RCP that denies a list of services that are restricted in the organization. Attach both policies to the root OU.

D. Create an SCP that denies a list of services that are restricted in the organization. Create a declarative policy to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.
