Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Viewing page 1 out of 7 pages
Viewing questions 1-10 out of questions
Questions # 1:

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

Options:

A.

Configure S3 bucket policies to deny DELETE and PUT object permissions.


B.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.


C.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.


D.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.


Expert Solution
Questions # 2:

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.

Which solution will meet these requirements?

Options:

A.

Use AWS Audit Manager with a custom framework.


B.

Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.


C.

Use AWS Security Hub configuration policies.


D.

Use EventBridge and Lambda with custom metrics.


Expert Solution
Questions # 3:

A company is using an organization in AWS Organizations that contains 100 accounts. The company has configured trusted access for Amazon GuardDuty to AWS Organizations within the management account. The company has designated a member account to be the GuardDuty administrator for the organization.

GuardDuty is working properly and reports findings for the organization in the GuardDuty console. The company wants a SecOps team to receive real-time email alerts from any GuardDuty finding within the organization that is high severity according to GuardDuty severity levels.

Which solution will meet these requirements?

Options:

A.

In the management account, create a rule in Amazon EventBridge that will react to a GuardDuty finding that has a high severity level. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.


B.

Configure trusted access for AWS Config within the organization. Create a rule in AWS Config to monitor for any non-archived findings in GuardDuty. Create a rule in Amazon EventBridge that will react if AWS Config detects a compliance change for the AWS Config rule. Configure the EventBridge rule to target an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.


C.

In the GuardDuty delegated administrator account, configure a rule in Amazon EventBridge that will react to a GuardDuty finding that has a high severity level. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.


D.

Configure AWS CloudTrail for the organization in the management account. Create a rule in Amazon EventBridge that will run on a ListFindings API call. Configure the rule to notify an Amazon SNS topic. Subscribe the SecOps team’s email addresses to the SNS topic.


Expert Solution
Questions # 4:

A company uses SAML federation with IAM to provide internal users with SSO for their AWS accounts. The company’s identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

“Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)”

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Options:

A.

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.


B.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.


C.

Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.


D.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.


E.

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.


Expert Solution
Questions # 5:

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company ' s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this? (Select TWO.)

Options:

A.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.


B.

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.


C.

Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker’s IP using security groups.


D.

Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.


E.

Use AWS WAF to create rules to respond to such attacks.


Expert Solution
Questions # 6:

A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.

Which solution will meet this requirement?

Options:

A.

Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.


B.

Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.


C.

Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.


D.

Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.


Expert Solution
Questions # 7:

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

What should the security engineer do to resolve this error?

Options:

A.

Import the key material into AWS Key Management Service (AWS KMS).


B.

Manually upload the new host key to the AWS trusted host keys database.


C.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.


D.

Create a new SSH key pair for the EC2 instance.


Expert Solution
Questions # 8:

A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs.

What could be the reason?

Options:

A.

logs:GetLogEvents is missing.


B.

The engineer cannot assume the role.


C.

The vpc-flow-logs.amazonaws.com principal cannot assume the role.


D.

The role cannot tag the log stream.


Expert Solution
Questions # 9:

A company’s application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company’s organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways.

Which combination of steps should the application team take to meet these requirements? (Select THREE.)

Options:

A.

Create an S3 endpoint that has a full-access policy for the application’s VPC.


B.

Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.


C.

Launch the Lambda function. Enable the block public access configuration.


D.

Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.


E.

Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.


F.

Launch the Lambda function in a VPC.


Expert Solution
Questions # 10:

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.

Which solution will provide the application with AWS credentials?

Options:

A.

Use Amazon Cognito identity pools and the GetId API.


B.

Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.


C.

Use Amazon Cognito user pools with ID tokens.


D.

Use Amazon Cognito user pools with access tokens.


Expert Solution
Viewing page 1 out of 7 pages
Viewing questions 1-10 out of questions