Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

SCS-C03 AWS Certified Security – Specialty Questions and Answers

Questions 4

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

Which additional step will meet these requirements?

Options:

A.

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

Buy Now
Questions 5

A consultant agency needs to perform a security audit for a company ' s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

Options:

A.

Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.

B.

Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency ' s identity provider (IdP). Add MFA to a Cognito user pool.

C.

Create an IAM role in the consultant agency ' s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company ' s production account as the principal. Attach the trust policy to the role.

D.

Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency ' s AWS account as the principal. Attach the trust policy to the role.

Buy Now
Questions 6

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

Which combination of AWS solutions will meet these requirements? (Select TWO.)

Options:

A.

AWS Site-to-Site VPN

B.

AWS Direct Connect

C.

AWS VPN CloudHub

D.

VPC peering

E.

NAT gateway

Buy Now
Questions 7

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

A.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

B.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

C.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

D.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

E.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

Buy Now
Questions 8

A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client ' s privilege scope.

Which combination of actions should the company take to prevent this threat? (Select TWO.)

Options:

A.

In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.

B.

In the application, add a client ID check. Disconnect from the server if any special character is detected.

C.

Apply an AWS IoT Core policy that allows " AWSIoTWirelessDataAccess " with the principal set to " client/${iot:Connection.Thing.ThingName} " .

D.

Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client/${iot:ClientId} " .

E.

Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client/${iot:Connection.Thing.ThingName} " .

Buy Now
Questions 9

A company has a platform that is divided into 12 AWS accounts under the same organization in AWS Organizations. Many of these accounts use Amazon API Gateway to expose APIs to the company ' s frontend applications. The company needs to protect the existing APIs and any resources that will be deployed in the future against common SQL injection and bot attacks.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an AWS WAF web ACL for each API. Include managed rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have a web ACL. Configure a remediation action to provision a web ACL for these resources.

B.

Use AWS Firewall Manager to create an AWS WAF policy. Configure the policy to include the AWS Bot Control and SQL database managed rule groups. Set the policy scope to include the API Gateway stage as the resource type.

C.

Create an AWS Service Catalog product for an AWS WAF web ACL that includes rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have this product applied. Configure a remediation action to provision a web ACL for these resources.

D.

Use AWS Security Hub to detect unprotected resources and to send the findings as custom action events to Amazon EventBridge. Create an AWS Lambda function for these events to provision an AWS WAF web ACL for the unprotected resources. Include managed rules to block SQL injection and bot attacks.

Buy Now
Questions 10

A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU.

Which solution will meet these requirements?

Options:

A.

Create a new SCP in the marketing account to explicitly allow sharing.

B.

Edit the existing SCP to add a condition that excludes the marketing account.

C.

Edit the SCP to include an Allow statement for the marketing account.

D.

Use a permissions boundary in the marketing account.

Buy Now
Questions 11

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

Options:

A.

Use AWS Config with a managed rule to initiate the AWS-EnableCloudTrail remediation.

B.

Create an Amazon EventBridge event with a cloudtrail.amazonaws.com event source and a StartLogging event name to invoke an AWS Lambda function to call the StartLogging API.

C.

Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to invoke an AWS Lambda function to call the StartLogging API.

D.

Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.

Buy Now
Questions 12

A security engineer needs to protect a public web application that runs in a VPC. The VPC hosts the origin for an Amazon CloudFront distribution. The application has experienced multiple layer 7 DDoS attacks. An AWS WAF web ACL is associated with the CloudFront distribution. The web ACL contains one AWS managed rule to protect against known IP addresses that have bad reputations.

The security engineer must configure an automated solution that detects and mitigates layer 7 DDoS attacks in real time with no manual effort.

Which solution will meet these requirements?

Options:

A.

Enable AWS Shield Advanced on the CloudFront distribution. Configure alerts in Amazon CloudWatch for DDoS indicators.

B.

Enable AWS Shield Advanced and configure proactive engagement with the AWS DDoS Response Team (DRT).

C.

Deploy AWS Network Firewall in the VPC. Create security policies that detect DDoS indicators. Create an AWS Lambda function to automatically update the web ACL rules during an attack.

D.

Add a rate-based rule to the web ACL. Enable AWS Shield Advanced. Enable automatic application layer DDoS mitigation on the CloudFront distribution.

Buy Now
Questions 13

A company runs an application outside of AWS. The external application authenticates to AWS as an IAM user. A security engineer needs to migrate the external application to use an IAM role. The company’s human users already use IAM roles with AWS IAM Identity Center.

Which solution will give the external application the ability to use an IAM role?

Options:

A.

Set up the external application as a managed application in IAM Identity Center. Create a new account assignment to generate an IAM role for the external application to use.

B.

Create an AWS Verified Access instance. Set up a trust provider for the external application. Create a Verified Access policy to allow the external application to assume an IAM role.

C.

Use IAM Roles Anywhere. Create a trust anchor and profile on AWS. Set up the credential helper tool in the external application. Configure an IAM role to trust IAM Roles Anywhere.

D.

Enable federation with IAM. Configure SAML 2.0 federation by adding a relying party trust between the external application and AWS. Set up an IAM role for the external application to assume.

Buy Now
Questions 14

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

How can a security engineer provide the access to meet these requirements?

Options:

A.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.

B.

Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.

C.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.

D.

Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method.

Buy Now
Questions 15

A company is undergoing a security audit. The company issues IAM user credentials for an auditor. Because of third-party integration requirements, the auditor is unable to assume an IAM role. The auditor attempts to log in to AWS for the first time to reset the account password and to configure multi-factor authentication (MFA). However, the auditor receives an “Access Denied” error during the attempt to reset the password.

The auditor’s account has the following IAM permissions:

securityhub:Get*

securityhub:List*

securityhub:BatchGet*

securityhub:Describe*

iam:ChangePassword on arn:aws:iam::*:user/${aws:username}

Which action will resolve this error?

Options:

A.

The auditor needs to configure MFA before resetting the password.

B.

The auditor must create a more complex password that requires additional characters or symbols.

C.

Add iam:GetAccountPasswordPolicy with Resource: " * " to the auditor’s user account policy.

D.

Add iam:ChangePassword with Resource: " * " to the auditor’s user account policy.

Buy Now
Questions 16

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

Options:

A.

Configure VPC Flow Logs and search for PHP file activity.

B.

Install the CloudWatch agent on the ALB and export application logs.

C.

Export ALB access logs to Amazon OpenSearch Service and search them.

D.

Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

Buy Now
Questions 17

A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.

Which solution will meet this requirement?

Options:

A.

Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.

B.

Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.

C.

Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.

D.

Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.

Buy Now
Questions 18

A company is using an organization in AWS Organizations that contains 100 accounts. The company has configured trusted access for Amazon GuardDuty to AWS Organizations within the management account. The company has designated a member account to be the GuardDuty administrator for the organization.

GuardDuty is working properly and reports findings for the organization in the GuardDuty console. The company wants a SecOps team to receive real-time email alerts from any GuardDuty finding within the organization that is high severity according to GuardDuty severity levels.

Which solution will meet these requirements?

Options:

A.

In the management account, create a rule in Amazon EventBridge that will react to a GuardDuty finding that has a high severity level. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.

B.

Configure trusted access for AWS Config within the organization. Create a rule in AWS Config to monitor for any non-archived findings in GuardDuty. Create a rule in Amazon EventBridge that will react if AWS Config detects a compliance change for the AWS Config rule. Configure the EventBridge rule to target an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.

C.

In the GuardDuty delegated administrator account, configure a rule in Amazon EventBridge that will react to a GuardDuty finding that has a high severity level. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.

D.

Configure AWS CloudTrail for the organization in the management account. Create a rule in Amazon EventBridge that will run on a ListFindings API call. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.

Buy Now
Questions 19

A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

Options:

A.

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

B.

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

C.

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

D.

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Buy Now
Questions 20

A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:

A.

Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.

B.

Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.

C.

Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.

D.

Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Buy Now
Questions 21

A company ' s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.

On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company ' s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

Which action should a security engineer take to enforce this data retention policy?

Options:

A.

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

B.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

C.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

D.

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Buy Now
Questions 22

A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company’s security policy requires that connections to Amazon S3 are over a private network and are secure.

The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully. When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.

What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?

Options:

A.

Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses.

B.

Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses.

C.

Adjust the gateway VPC endpoint policy to allow access from the Lambda function’s network interface address.

D.

Configure the Lambda function’s security group to allow connections to the S3 network address space.

Buy Now
Questions 23

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Buy Now
Questions 24

A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

Which network ACL rule set meets these requirements?

Options:

A.

Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

B.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

C.

Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

D.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

Buy Now
Questions 25

A company ' s security engineer receives an abuse notification from AWS indicating that malware is being hosted from the company’s AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization.

Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)

Options:

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

Buy Now
Questions 26

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

Options:

A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.

Buy Now
Questions 27

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.

What should the security engineer recommend?

Options:

A.

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

B.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

C.

Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

D.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Buy Now
Questions 28

A company has an organization in AWS Organizations. The company uses AWS IAM Identity Center and an external identity provider to manage access. The company needs a solution that maintains access to AWS if the identity provider has an outage. The solution must be able to attribute any emergency access to an individual administrator.

Which solution will meet these requirements?

Options:

A.

Create IAM users for emergency administrators. Set strong passwords and MFA for the IAM users. Assign permissions that grant the IAM users cross-account access to accounts within the organization to perform emergency change actions.

B.

Create emergency users within the identity provider. Enable System for Cross-domain Identity Management provisioning to help ensure mapping between IAM Identity Center and the identity provider. Assign permission sets in IAM Identity Center to the emergency users to give the users cross-account access to perform emergency change actions.

C.

Configure a secondary identity provider in IAM Identity Center. Create emergency users in the secondary identity provider that have permissions to perform cross-account emergency change actions. Change the IAM Identity Center external identity provider to the secondary identity provider.

D.

Create access keys for the management account’s root user. Store the access keys in a shared secret vault for use by any emergency administrator. Use the access keys to perform emergency change actions across the organization.

Buy Now
Questions 29

A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which solution will meet these requirements?

Options:

A.

Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.

B.

Use IAM policies to restrict access to the Encrypt and Decrypt API actions.

C.

Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.

D.

Use key policies to restrict access to the appropriate IAM groups.

Buy Now
Questions 30

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

Options:

A.

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

B.

Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

C.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

D.

Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

Buy Now
Questions 31

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

Options:

A.

Disable termination protection for the EC2 instance if termination protection has not been disabled.

B.

Enable termination protection for the EC2 instance if termination protection has not been enabled.

C.

Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

D.

Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

E.

Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

F.

Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

Buy Now
Questions 32

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

A.

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.

Create a new internal ALB and delete the internet-facing ALB.

C.

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

Buy Now
Questions 33

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with theLEAST operational effort?

Options:

A.

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

Buy Now
Questions 34

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization ' s delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

The company is performing control tests on specific GuardDuty findings to make sure that the company ' s security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain,example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

Why was the finding not created in the Security Hub delegated administrator account?

Options:

A.

VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B.

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C.

The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D.

Cross-Region aggregation in Security Hub was not configured.

Buy Now
Questions 35

A security engineer needs to prepare for a security audit of an AWS account.

Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

• AWS Artifact reports

• AWS Audit Manager controls

• AWS Config conformance packs

• AWS Config rules

• Amazon Detective investigations

• AWS Identity and Access Management Access Analyzer internal access analyzers

Options:

Buy Now
Questions 36

A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs.

What could be the reason?

Options:

A.

logs:GetLogEvents is missing.

B.

The engineer cannot assume the role.

C.

The vpc-flow-logs.amazonaws.com principal cannot assume the role.

D.

The role cannot tag the log stream.

Buy Now
Questions 37

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database ' s compliance state for each part of the policy at any time.

Which solution will meet these requirements?

Options:

A.

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

B.

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

C.

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

D.

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Buy Now
Questions 38

A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

Which solution will meet these requirements?

Options:

A.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.

B.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.

C.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

D.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

Buy Now
Questions 39

A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.

The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

• A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.

• A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.

• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

• Any investigative activity during the collection of volatile data must be captured as part of the process.

Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)

Options:

A.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance’s security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

B.

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.

C.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

D.

Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data.

E.

Create a snapshot of the compromised EC2 instance’s EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.

F.

Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Buy Now
Questions 40

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Options:

A.

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

B.

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

C.

Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.

D.

Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Buy Now
Questions 41

A security engineer is troubleshooting an AWS Lambda function that is namedMyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is namedDOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

{

" Effect " : " Allow " ,

" Principal " : { " Service " : " lambda.amazonaws.com " },

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::DOC-EXAMPLE-BUCKET " ,

" Condition " : {

" ArnLike " : {

" aws:SourceArn " : " arn:aws:lambda:::function:MyLambdaFunction "

}

}

}

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A.

Remove the Condition element. Change the Principal element to the following:{ " AWS " : " arn:aws:lambda:::function:MyLambdaFunction " }

B.

Change the Action element to the following:[ " s3:GetObject* " , " s3:GetBucket* " ]

C.

Change the Resource element to " arn:aws:s3:::DOC-EXAMPLE-BUCKET/* " .

D.

Change the Resource element to " arn:aws:lambda:::function:MyLambdaFunction " . Change the Principal element to the following:{ " Service " : " s3.amazonaws.com " }

Buy Now
Questions 42

A company is planning to migrate its applications to AWS in a single AWS Region. The company’s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.

• Data must be encrypted in transit.

• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

Options:

A.

Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

B.

Enable Amazon GuardDuty in all AWS accounts.

C.

Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

D.

Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.

E.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

F.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Buy Now
Questions 43

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Options:

A.

Track SSM Agent versions with AWS Config.

B.

Configure Session Manager to deny external connections.

C.

Store the script in Amazon S3 and grant read access.

D.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

Buy Now
Questions 44

A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions.

The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of

arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

The security engineer must delete the key as quickly as possible.

Which solution will meet this requirement?

Options:

A.

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

B.

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

C.

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

D.

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

Buy Now
Questions 45

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Options:

A.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Buy Now
Questions 46

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

Options:

A.

Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.

B.

Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.

C.

Reconfigure all existing IAM roles in the company ' s AWS accounts to explicitly trust the new IdP as the principal.

D.

Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.

Buy Now
Questions 47

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

What should the security engineer do to resolve this error?

Options:

A.

Import the key material into AWS Key Management Service (AWS KMS).

B.

Manually upload the new host key to the AWS trusted host keys database.

C.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.

D.

Create a new SSH key pair for the EC2 instance.

Buy Now
Questions 48

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

Options:

A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.

B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:kms:us-west-1:* as the principal.

D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds:us-west-1:* as the principal.

Buy Now
Questions 49

A corporate cloud security policy states that communications between the company ' s VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

Options:

A.

Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company ' s VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for AWS KMS withprivate DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.

Add the following condition to the AWS KMS key policy: " aws:SourceIp " : " 10.0.0.0/16 " .

Buy Now
Questions 50

A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.

B.

Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.

C.

Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.

D.

Create an AWS Direct Connect connection between the on-premises data center and AWS. Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

Buy Now
Questions 51

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company ' s source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.

Which solution meets these requirements?

Options:

A.

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

B.

Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

C.

Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

D.

Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Buy Now
Questions 52

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.

B.

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.

C.

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.

D.

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.

Buy Now
Questions 53

A company is running a dynamic website by using an Application Load Balancer (ALB). A security engineer notices that bots from different IP addresses are using brute-force attacks to invoke a service endpoint frequently.

What is the FASTEST way to mitigate this problem?

Options:

A.

Create an AWS Lambda function to process ALB logs. Block the bots’ IP addresses in the ALB’s security group.

B.

Create an AWS WAF web ACL for the ALB. Add a rate-based rule to the web ACL to block the bots.

C.

Create an ALB listener rule. Combine source-ip and path-pattern as the conditions to match bots. Specify a fixed-response action to return an HTTP 403 status.

D.

Create an AWS WAF web ACL for the ALB. Add a rate-based rule to a rule group to block the bots. Attach the rule to the web ACL.

Buy Now
Questions 54

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.

A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.

Which rule statement will meet these requirements?

Options:

A.

Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.

B.

Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.

C.

Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.

D.

Use a string match rule statement that includes details of the IoT device brand from the user agent.

Buy Now
Questions 55

A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template. The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.

Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?

Options:

A.

Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.

B.

Create a cross-account IAM role with a unique external ID in each AWS account. Assume the cross-account role to deploy the template.

C.

Package the template as an AWS Service Catalog product. Log in to each account and provision the product to each account.

D.

Set up AWS CodePipeline in each account. Configure a pipeline to pull the template from an Amazon S3 bucket in the Organizations management account.

Buy Now
Questions 56

A company wants to improve the remediation of specific security incidents. Currently, a security engineer performs network isolation manually if traffic from Amazon EC2 instances to known command and control servers is detected. The manual network isolation process is error prone. The security engineer must automate the process.

The security engineer enables Amazon GuardDuty. The security engineer configures instances to be managed by AWS Systems Manager. The security engineer prepares a Systems Manager Automation document to change security groups on selected instances.

Which solution will meet these requirements?

Options:

A.

Create a permanent Amazon Detective investigation. Select all resources to monitor. Configure Detective to invoke the Systems Manager document if known command and control traffic is detected.

B.

Set up AWS Config. Use the managed rule ec2-prefix-list-tagged to detect traffic to network prefixes tagged for command and control activity. Configure automatic remediation and select the Automation document.

C.

Enable Systems Manager OpsCenter. Create an Amazon EventBridge rule to transform GuardDuty alerts of command and control traffic for OpsCenter. Use the Automation document for remediation.

D.

Configure AWS Security Hub CSPM. Use NIST SP 800-53 scans to report compromised instances based on NIST alerts. Create an automation rule to invoke the Automation document.

Buy Now
Questions 57

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Options:

A.

Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.

B.

Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

C.

Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

D.

Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

Buy Now
Questions 58

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

B.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

C.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

D.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Buy Now
Questions 59

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A.

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B.

Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.

C.

Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.

D.

Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.

Buy Now
Questions 60

A company is running a new workload across accounts in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

Which solution will meet these requirements?

Options:

A.

Use AWS Config custom policy rule and an SCP to deny non-approved aws:RequestTag/CostCenter values.

B.

Use CloudTrail + EventBridge + Lambda to block creation.

C.

Enable tag policies, define allowed values, enforce noncompliant operations, and use an SCP to deny creation when aws:RequestTag/CostCenter is null.

D.

Enable tag policies and use EventBridge + Lambda to block changes.

Buy Now
Questions 61

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization ' s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

Buy Now
Questions 62

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.

A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal.

Which solution will meet this requirement?

Options:

A.

Add the remaining developer to the DevOps group in Directory Service.

B.

Remove and then re-add the permissions set in the member account.

C.

Add the service-linked role for organization to the member account.

D.

Update the permissions set to allow console access for the remaining developer.

Buy Now
Questions 63

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Options:

A.

Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.

B.

Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.

C.

Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.

D.

Generate presigned URLs that expire after 72 hours.

Buy Now
Questions 64

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.

What should the company do to properly encrypt the snapshot in us-west-1?

Options:

A.

Store the customer managed key in AWS Secrets Manager in us-west-1.

B.

Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.

C.

Create an IAM policy to allow access to the key in us-east-1 from us-west-1.

D.

Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

Buy Now
Questions 65

A company ' s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company ' s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.)

Options:

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

Buy Now
Questions 66

A company uses an organization in AWS Organizations and AWS IAM Identity Center to manage its AWS environment. The company configures IAM Identity Center to access the company’s on-premises Active Directory through a properly configured AD Connector. All the company’s employees are in an Active Directory group namedCloud.

The employees can view and access nearly all the AWS accounts in the organization, and the employees have the permissions that they require. However, the employees cannot access an account namedAccount A. The company verifies that Account A exists in the organization.

What is the likely reason that the employees are unable to access Account A?

Options:

A.

The company did not add Account A to an organizational unit (OU) within the organization.

B.

The company has not synchronized the Cloud Active Directory group with the on-premises Active Directory.

C.

The company did not assign the Cloud Active Directory group to Account A in IAM Identity Center with a valid permission set.

D.

The company applied an IAM permissions boundary to Account A that is denying access to the account.

Buy Now
Questions 67

A recent security audit identified that a company’s application team injects database credentials into the environment variables of an AWS Fargate task. The company’s security policy mandates that all sensitive data be encrypted at rest and in transit.

Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

Options:

A.

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.

B.

Create an AWS Secrets Manager secret and specify the key-value pairs to be stored in this secret.

C.

Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.

D.

Add a policy statement to the container instance IAM role that allows ssm:GetParameters, secretsmanager:GetSecretValue, and kms:Decrypt for the required secret and KMS key.

E.

Add a policy statement to the task role or task execution role that allows ssm:GetParameters, secretsmanager:GetSecretValue, and kms:Decrypt for the required secret and KMS key.

F.

Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.

Buy Now
Questions 68

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

Which solution will meet these requirements?

Options:

A.

Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.

B.

Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.

C.

Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.

D.

Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

Buy Now
Questions 69

A company is running a new workload across accounts that are in an organization in AWS Organizations. All running resources must have a tag ofCostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

Which solution will meet these requirements?

Options:

A.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

B.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

C.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

D.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 1, 2026
Questions: 179
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$30  $99.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99