Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

SCS-C03 AWS Certified Security – Specialty Questions and Answers

Questions 4

A company uses AWS Organizations to manage the company’s AWS accounts. The company’s security team needs to implement preventive controls to deny the use of account-level root credentials. The solution must minimize the risk that an AWS account root user could be compromised. The solution must also minimize the effort needed to manage root access.

Which solution will meet these requirements?

Options:

A.

Create an AWS Lambda function to disable the root user in every member account. Enable the root account only if the company needs it to modify settings related to centralized billing or the recovery of AWS KMS keys.

B.

Enable centralized root access management in IAM. Remove long-term root credentials in the member accounts. Create a company policy that requires employees to use Organizations to create new accounts.

C.

Enable centralized root access management through AWS Security Hub CSPM. Remove long-term root credentials in the member accounts. Configure new accounts to be created without root credentials in Security Hub CSPM.

D.

Configure an SCP to explicitly deny all actions when the principal is the root user of an account for all member accounts. Require that member account root users have MFA enabled. Require that root credentials are rotated on a regular schedule.

Buy Now
Questions 5

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Options:

A.

Configure VPC Flow Logs and search for PHP file activity.

B.

Install the CloudWatch agent on the ALB and export application logs.

C.

Export ALB access logs to Amazon OpenSearch Service and search them.

D.

Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

Buy Now
Questions 6

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company ' s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this? (Select TWO.)

Options:

A.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

B.

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.

C.

Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker’s IP using security groups.

D.

Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.

E.

Use AWS WAF to create rules to respond to such attacks.

Buy Now
Questions 7

A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.

How can the security engineer meet these requirements?

Options:

A.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.

B.

To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

C.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.

D.

To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

Buy Now
Questions 8

A company ' s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.

On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company ' s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

Which action should a security engineer take to enforce this data retention policy?

Options:

A.

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

B.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

C.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

D.

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Buy Now
Questions 9

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Select TWO.)

Options:

A.

AWS Site-to-Site VPN

B.

AWS Direct Connect

C.

AWS VPN CloudHub

D.

VPC peering

E.

NAT gateway

Buy Now
Questions 10

A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.

How can the company enforce encryption for all connections to the Aurora cluster?

Options:

A.

In the Aurora cluster configuration, set therequire_secure_transportDB cluster parameter toON.

B.

Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.

C.

Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.

D.

Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.

Buy Now
Questions 11

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company ' s source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.

Which solution meets these requirements?

Options:

A.

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

B.

Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

C.

Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

D.

Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Buy Now
Questions 12

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of1 hour.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

B.

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C.

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

D.

Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Buy Now
Questions 13

A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.

The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.

How should the security engineer configure the rule to protect the NLB?

Options:

A.

Configure the rule to use theCountaction.

B.

Configure the rule to use theBlockaction.

C.

Configure the rule to use theMonitoraction.

D.

Configure the rule to use theAllowaction.

Buy Now
Questions 14

A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.

What is the MOST secure way for a security engineer to meet this requirement?

Options:

A.

Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.

B.

Create a gateway VPC endpoint. Use the endpoint to connect to AWS KMS.

C.

Attach a NAT gateway to the VPC. Leave the EC2 instances in the private subnet. Use the NAT gateway to connect to AWS KMS.

D.

Create an interface VPC endpoint. Use the endpoint to connect to AWS KMS.

Buy Now
Questions 15

A systems administrator was attempting to launch a new Amazon EC2 instance with an encrypted boot volume using a new AWS KMS customer managed key. The EC2 console initially stated the launch was successful, but the instance was subsequently terminated. The IAM role used by the systems administrator has the following IAM permissions:

• ec2:Describe*

• ec2:AuthorizeSecurityGroupIngress

• kms:Encrypt

• kms:Decrypt

• kms:ReEncrypt*

• kms:GenerateDataKey*

• kms:DescribeKey

Which IAM permission is the systems administrator missing?

Options:

A.

kms:GetKeyRotationStatus

B.

kms:CreateGrant

C.

kms:GenerateRandom

D.

kms:EnableKey

Buy Now
Questions 16

A company runs a public web application on an Amazon EKS cluster. The company uses an Amazon CloudFront distribution to deploy the application. An Application Load Balancer (ALB) is configured as an origin for the distribution.

A security engineer needs to implement a monitoring solution that sends notifications to an existing Amazon SNS topic. The solution must send a notification to the SNS topic when the application receives 10,000 requests from the same end-user IP address during any 5-minute period.

Which solution will meet these requirements?

Options:

A.

Configure CloudFront standard logging. Send logs to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.

B.

Configure VPC Flow Logs to send logs for the VPC that contains the EKS cluster to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.

C.

Configure an AWS WAF web ACL with an Autonomous System Number match rule. Associate the web ACL with the ALB. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the ASN match rule request threshold is breached.

D.

Configure an AWS WAF web ACL with a rate-based rule. Associate the web ACL with the CloudFront distribution. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the rate-based rule request threshold is breached.

Buy Now
Questions 17

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

A.

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.

Create a new internal ALB and delete the internet-facing ALB.

C.

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

Buy Now
Questions 18

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Options:

A.

Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from NACL2.

• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.

• Remove the default rules that allow all inbound and outbound traffic.

B.

Make the following changes to NACL3:

• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.

• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.

• Remove the default rules that allow all inbound and outbound traffic.

C.

Make the following changes to NACL2:

• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.

• Remove the default rules that allow all inbound and outbound traffic.

D.

Make the following changes to NACL2:

• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.

• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Buy Now
Questions 19

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Use AWS WAF IP match rules.

B.

Use AWS WAF geo match rules.

C.

Use CloudFront geo restriction to deny the countries.

D.

Use geolocation headers in CloudFront.

Buy Now
Questions 20

A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail.

Which solution will meet these requirements?

Options:

A.

Use Amazon Detective to investigate IAM roles and visualize findings.

B.

Use Amazon Inspector and CloudWatch dashboards.

C.

Export GuardDuty findings to S3 and analyze with Athena.

D.

Use Security Hub custom actions to investigate IAM roles.

Buy Now
Questions 21

A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

Which solution will meet these requirements?

Options:

A.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.

B.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.

C.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

D.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

Buy Now
Questions 22

A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company ' s security team has access to the delegated account.

The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.

Which solution will quickly identify the access attempts?

Options:

A.

In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.

B.

In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.

C.

In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.

D.

In the organization ' s management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.

Buy Now
Questions 23

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution toprevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

A.

Enable CloudTrail log file integrity validation from the organization ' s management account.

B.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C.

Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

D.

Create IAM policies for all the company ' s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Buy Now
Questions 24

A security team manages a company ' s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team’s software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.

B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.

C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.

D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

Buy Now
Questions 25

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create an AWS WAF web ACL with an IP match condition to deny the countries ' IP ranges. Associate the web ACL with the CloudFront distribution.

B.

Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

C.

Use the geo restriction feature in CloudFront to deny the specific countries.

D.

Use geolocation headers in CloudFront to deny the specific countries.

Buy Now
Questions 26

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Options:

A.

Enable AWS Security Hub in the AWS account.

B.

Enable Amazon GuardDuty in the AWS account.

C.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team ' s email distribution list to the topic.

D.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team ' s email distribution list to the queue.

E.

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

F.

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Buy Now
Questions 27

A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket.

What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

Options:

A.

Create a new CloudTrail trail. Select the new Regions where the company added resources.

B.

Change the S3 bucket to receive notifications to track all actions from all Regions.

C.

Create a new CloudTrail trail that applies to all Regions.

D.

Change the existing CloudTrail trail so that it applies to all Regions.

Buy Now
Questions 28

A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center. In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.

A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.

Which solution will meet this requirement?

Options:

A.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack’s ARN. Apply the SCP to the root of the organization.

B.

Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack’s ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.

C.

Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:DeleteStack action for the stack’s ARN. Attach the IAM policy to all IAM users and roles in the organization’s management account.

D.

Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation:UpdateStack action for the stack’s ARN. Apply the SCP to all OUs and the organization’s management account.

Buy Now
Questions 29

A security team manages a company’s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team ' s software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.

B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.

C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.

D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

Buy Now
Questions 30

A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions.

The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of

arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

The security engineer must delete the key as quickly as possible.

Which solution will meet this requirement?

Options:

A.

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

B.

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

C.

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

D.

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

Buy Now
Questions 31

A company uses an organization in AWS Organizations to manage multiple AWS accounts. A security engineer creates a WAF policy in AWS Firewall Manager in the us-east-1 Region. The security engineer sets the policy scope to apply to resources that are tagged withWAF-protected:truein one of the member accounts in the organization. The security engineer sets up a configuration to automatically remediate any noncompliant resources.

In a member account, the security engineer attempts to protect an Amazon API Gateway REST API in the us-east-1 Region by using a web ACL. However, after several minutes, the REST API is still not associated with the web ACL.

What is the likely cause of this issue?

Options:

A.

Web ACLs cannot be applied to REST APIs.

B.

The REST API is missing a tag that includes theWAF-protectedkey and a value oftrue.

C.

The web ACL is already associated with another REST API.

D.

The web ACL is already associated with an Amazon CloudFront distribution.

Buy Now
Questions 32

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company ' s customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player ' s credentials.

Which solution will meet these requirements?

Options:

A.

When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key.

B.

Migrate the player credentials from the Aurora database to AWS Secrets Manager.

C.

Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game ' s authentication mechanism to Cognito.

D.

Issue API keys to new and existing players and use Amazon API Gateway for authentication.

Buy Now
Questions 33

A company is planning to migrate its applications to AWS in a single AWS Region. The company’s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.

• Data must be encrypted in transit.

• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

Options:

A.

Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

B.

Enable Amazon GuardDuty in all AWS accounts.

C.

Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

D.

Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.

E.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

F.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Buy Now
Questions 34

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

C.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

D.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

E.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

Buy Now
Questions 35

A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.

Which solution meets these requirements?

Options:

A.

Enable Amazon Cognito threat protection.

B.

Restrict access to authenticated users only.

C.

Associate AWS WAF with the Cognito user pool.

D.

Monitor requests with CloudWatch.

Buy Now
Questions 36

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement anautomated solutionto detect and respond to anomalous traffic patterns. The solution must follow AWS best practices forinitial incident responseand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the instance profile access keys by using AWS Lambda.

B.

Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

C.

Update the network ACL to block the detected traffic source.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Buy Now
Questions 37

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store ' s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company ' s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in theMOST secureway?

Options:

A.

Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Share the portfolio with the OU.

B.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. In the OU, create an SCP that allows access to the extension.

C.

Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.

D.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Share the extension with the OU.

Buy Now
Questions 38

A security engineer is troubleshooting an AWS Lambda function that is namedMyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is namedDOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

{

" Effect " : " Allow " ,

" Principal " : { " Service " : " lambda.amazonaws.com " },

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::DOC-EXAMPLE-BUCKET " ,

" Condition " : {

" ArnLike " : {

" aws:SourceArn " : " arn:aws:lambda:::function:MyLambdaFunction "

}

}

}

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A.

Remove the Condition element. Change the Principal element to the following:{ " AWS " : " arn:aws:lambda:::function:MyLambdaFunction " }

B.

Change the Action element to the following:[ " s3:GetObject* " , " s3:GetBucket* " ]

C.

Change the Resource element to " arn:aws:s3:::DOC-EXAMPLE-BUCKET/* " .

D.

Change the Resource element to " arn:aws:lambda:::function:MyLambdaFunction " . Change the Principal element to the following:{ " Service " : " s3.amazonaws.com " }

Buy Now
Questions 39

A company has an Amazon RDS database. The database contains sensitive data that is shared across teams in the company. The company needs a solution to detect anomalous logins to the database. The solution must notify an existing Amazon SNS topic when anomalous logins occur.

Which solution will meet these requirements?

Options:

A.

Use AWS Trusted Advisor security checks for Amazon RDS. Create an Amazon EventBridge rule to monitor the security checks for status changes. Configure the EventBridge rule to invoke an AWS Lambda function to publish a message to the SNS topic.

B.

Enable AWS AppFabric. Connect AWS AppFabric to the RDS DB instance. Create an Amazon Data Firehose stream as the destination for the AWS AppFabric findings. Create an AWS Lambda function that is invoked by the Firehose stream to publish a message to the SNS topic.

C.

Enable Amazon GuardDuty and configure GuardDuty RDS Protection. Create an Amazon EventBridge rule to monitor GuardDuty findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.

D.

Enable Amazon Inspector. Create an Amazon EventBridge rule to monitor Amazon Inspector findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.

Buy Now
Questions 40

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC Flow Logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

Options:

A.

Monitor CloudTrail logs for API calls to non-standard time servers.

B.

Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.

C.

Monitor VPC Flow Logs for traffic to non-standard time servers.

D.

Monitor VPC Flow Logs for traffic to the Amazon Time Sync Service.

Buy Now
Questions 41

A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU.

Which solution will meet these requirements?

Options:

A.

Create a new SCP in the marketing account to explicitly allow sharing.

B.

Edit the existing SCP to add a condition that excludes the marketing account.

C.

Edit the SCP to include an Allow statement for the marketing account.

D.

Use a permissions boundary in the marketing account.

Buy Now
Questions 42

A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.

After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company’s security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon EBS volume.

Which solution will meet these requirements?

Options:

A.

Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.

B.

Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon SNS topic that receives notifications from AWS Config.

C.

Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

D.

Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.

Buy Now
Questions 43

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Options:

A.

Track SSM Agent versions with AWS Config.

B.

Configure Session Manager to deny external connections.

C.

Store the script in Amazon S3 and grant read access.

D.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

Buy Now
Questions 44

A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

A.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.

Deactivate the exposed IAM access key from the user ' s IAM account.

C.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Buy Now
Questions 45

A company begins to use AWS WAF after experiencing an increase in traffic to the company’s public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

Which solution will meet this requirement?

Options:

A.

Send AWS WAF logs to AWS CloudTrail and analyze them with OpenSearch.

B.

Send AWS WAF logs to Amazon S3 and query them directly with OpenSearch.

C.

Send AWS WAF logs to Amazon S3. Create an Amazon Athena table with partition projection. Use Athena to query the logs.

D.

Send AWS WAF logs to AWS CloudTrail and analyze them with Amazon Athena.

Buy Now
Questions 46

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.

A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.

Which rule statement will meet these requirements?

Options:

A.

Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.

B.

Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.

C.

Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.

D.

Use a string match rule statement that includes details of the IoT device brand from the user agent.

Buy Now
Questions 47

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.

Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

Options:

A.

Use an IP set match rule statement.

B.

Use a geographic match rule statement.

C.

Use a rate-based rule statement.

D.

Use a string match rule statement on the user agent.

Buy Now
Questions 48

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

Options:

A.

Configure an S3 Lifecycle rule to delete objects after 45 days.

B.

Create a Lambda function triggered on object upload to delete old data.

C.

Create a scheduled Lambda function to delete old objects monthly.

D.

Configure S3 Intelligent-Tiering.

Buy Now
Questions 49

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

Which additional step will meet these requirements?

Options:

A.

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

Buy Now
Questions 50

A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.

The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

• A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be captured as part of the process.

Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)

Options:

A.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance’s security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

B.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

D.

Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data.

E.

Create a snapshot of the compromised EC2 instance’s EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.

F.

Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Buy Now
Questions 51

A company wants to improve the remediation of specific security incidents. Currently, a security engineer performs network isolation manually if traffic from Amazon EC2 instances to known command and control servers is detected. The manual network isolation process is error prone. The security engineer must automate the process.

The security engineer enables Amazon GuardDuty. The security engineer configures instances to be managed by AWS Systems Manager. The security engineer prepares a Systems Manager Automation document to change security groups on selected instances.

Which solution will meet these requirements?

Options:

A.

Create a permanent Amazon Detective investigation. Select all resources to monitor. Configure Detective to invoke the Systems Manager document if known command and control traffic is detected.

B.

Set up AWS Config. Use the managed rule ec2-prefix-list-tagged to detect traffic to network prefixes tagged for command and control activity. Configure automatic remediation and select the Automation document.

C.

Enable Systems Manager OpsCenter. Create an Amazon EventBridge rule to transform GuardDuty alerts of command and control traffic for OpsCenter. Use the Automation document for remediation.

D.

Configure AWS Security Hub CSPM. Use NIST SP 800-53 scans to report compromised instances based on NIST alerts. Create an automation rule to invoke the Automation document.

Buy Now
Questions 52

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Options:

A.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Buy Now
Questions 53

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets.

The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that isoutside the company’s AWS Organization. The processing job must continue to function.

Which solution will meet these requirements?

Options:

A.

Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws:PrincipalOrgId match the company’s organization.

B.

Update the instance profile role policy to require aws:ResourceOrgId.

C.

Add a network ACL rule to block outbound traffic on port 443.

D.

Apply an SCP that restricts S3 actions using organization condition keys.

Buy Now
Questions 54

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Buy Now
Questions 55

A company has an organization with all features enabled in AWS Organizations. In the management account, the company configures AWS IAM Identity Center for the organization in the eu-west-2 Region. The company configures IAM Identity Center with a SAML-based identity provider.

The company needs to configure an AWS managed application that integrates with IAM Identity Center in a new AWS account in the us-east-1 Region. Most of the users that will authenticate to the AWS managed application are external third-party users who cannot be added to the company’s identity provider.

A security engineer needs to configure authentication for the third-party users. The solution must provide isolation from the company’s identity provider.

Which solution will meet these requirements?

Options:

A.

Create a SAML identity provider in IAM in the management account that connects to the third-party users’ identity provider. Create IAM roles in the management account that allow access to the AWS managed application.

B.

Deploy Amazon Cognito into the new AWS account in us-east-1. Configure an identity pool for a SAML-based identity provider. Configure an IAM role that uses the sts:AssumeRole action to allow access to the AWS managed application from Amazon Cognito.

C.

Enable account instances in IAM Identity Center. Deploy an IAM Identity Center account instance in the new AWS account in us-east-1. Configure the AWS managed application to use the new instance. Configure users in the new account instance directory.

D.

Create a new identity provider for the third-party users. Configure a second identity source in IAM Identity Center in the organization’s management account to use the new identity provider. Create a new permission set that gives access to the AWS managed application in the new account.

Buy Now
Questions 56

A company’s developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:

A.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Buy Now
Questions 57

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows thekms:Decryptpermission to the customer managed key. The IAM policy also allows thes3:List* ands3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

Options:

A.

The IAM policy needs to allow thekms:DescribeKeypermission.

B.

The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

C.

An S3 bucket policy needs to be added to allow the IAM user to access the objects.

D.

The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

Buy Now
Questions 58

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

Options:

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Buy Now
Questions 59

A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.

A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3/AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.

The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.

Which solution will meet this requirement?

Options:

A.

Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.

B.

Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.

C.

Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.

D.

Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team address the vulnerability.

Buy Now
Questions 60

A company is investigating an increase in its AWS monthly bill. The company discovers that bad actors compromised some Amazon EC2 instances and served webpages for a large email phishing campaign. A security engineer must implement a solution to monitor for cost increases in the future to help detect malicious activity.

Which solution will offer the company the EARLIEST detection of cost increases?

Options:

A.

Create an Amazon EventBridge rule that invokes an AWS Lambda function hourly. Program the Lambda function to download an AWS usage report from AWS Data Exports about usage of all services. Program the Lambda function to analyze the report and to send a notification when anomalies are detected.

B.

Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.

C.

Review AWS Cost Explorer daily to detect anomalies in cost from prior months. Review the usage of any services that experience a significant cost increase from prior months.

D.

Capture VPC flow logs from the VPC where the EC2 instances run. Use a third-party network analysis tool to analyze the flow logs and to detect anomalies in network traffic that might increase cost.

Buy Now
Questions 61

A corporate cloud security policy states that communications between the company ' s VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

Options:

A.

Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company ' s VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for AWS KMS withprivate DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.

Add the following condition to the AWS KMS key policy: " aws:SourceIp " : " 10.0.0.0/16 " .

Buy Now
Questions 62

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

Options:

A.

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

B.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

C.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

D.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Buy Now
Questions 63

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

Which solution will meet these requirements?

Options:

A.

Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.

B.

Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.

C.

Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.

D.

Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

Buy Now
Questions 64

A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization. The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization ' s accounts. The findings must be visible from a single location.

Which solution will meet these requirements?

Options:

A.

Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.

B.

Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.

C.

In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

D.

In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

Buy Now
Questions 65

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company ' s existing and future S3 buckets.

Which solution will meet these requirements?

Options:

A.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Buy Now
Questions 66

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company ' s operations team manages access to the company’s S3 buckets. The company ' s security team manages access to encryption keys. The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?

Options:

A.

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

B.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

C.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

D.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Buy Now
Questions 67

A company ' s security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team ' s email address to the topic.

What should the security engineer do next to meet these requirements?

Options:

A.

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B.

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C.

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

D.

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

Buy Now
Questions 68

A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:

A.

Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.

B.

Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.

C.

Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.

D.

Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 10, 2026
Questions: 179
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$30  $99.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99