Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 1–10 of 486

Q1

Which service provides centralized logging for AWS services?

  • A AWS CloudTrail
  • B AWS Config
  • C Amazon CloudWatch
  • D AWS Shield
Explanation AWS CloudTrail records API calls and account activity across AWS services into a trail that can cover all Regions and, with an organization trail, all accounts. Amazon CloudWatch collects metrics and application or OS logs, AWS Config records resource configuration history, and AWS Shield is DDoS protection.
Q2

A company needs to restrict access to S3 buckets based on the originating IP address. Which feature should they implement?

  • A Bucket Policy
  • B IAM Role
  • C S3 Lifecycle Policy
  • D Cross-Origin Resource Sharing
Explanation A bucket policy with an aws:SourceIp condition (IpAddress or NotIpAddress) restricts access by IP range. An IAM role grants permissions to an identity, a lifecycle policy manages object transitions and expiration, and CORS controls browser cross-origin requests; none of them filter by source IP.
Q3

What happens when an IAM policy contains a Deny statement and an Allow statement that both apply to the same request?

  • A Deny overrides Allow
  • B Allow overrides Deny
  • C Both are ignored
  • D Policy is invalid
Explanation In IAM, an explicit Deny always takes precedence over an Allow, no matter which policy or statement it appears in; and if no statement matches at all, the request is denied by default (implicit deny).
Q4

Which AWS service helps in detecting anomalies in accounts and workloads?

  • A Amazon GuardDuty
  • B Amazon Inspector
  • C AWS Config
  • D AWS CloudTrail
Explanation Amazon GuardDuty analyzes CloudTrail events, VPC Flow Logs and DNS logs to detect threats and anomalous behaviour in accounts and workloads. Amazon Inspector finds software vulnerabilities and exposure in workloads, AWS Config tracks configuration compliance, and AWS CloudTrail records API activity.
Q5

A company needs to restrict IAM permissions to specific resources only. What is the best practice to implement this?

  • A Use wildcard policies
  • B Specific resource ARNs
  • C Full access to all resources
  • D IAM users can manage policies
Explanation Listing specific resource ARNs in the Resource element scopes a statement to exactly those resources, which is least privilege; wildcards and full-access grants permit far broader actions than the task requires, and letting IAM users manage their own policies defeats the restriction.
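The three IAM questions above (IP-restricted bucket policy in Q2, Deny overriding Allow in Q3, and resource-scoped statements in Q5) share one evaluation model. The following is an added, simplified Python model of that logic, written for this page; it is not AWS's evaluation engine, and the bucket name, key prefixes, account-free ARNs and CIDR ranges are made up. It only implements the IpAddress and NotIpAddress condition operators and ignores the Principal element.

```python
"""Simplified model of IAM policy evaluation (added illustration, not
AWS's engine): explicit Deny beats Allow, no matching statement means
implicit deny, Resource ARNs match with wildcards, and an IpAddress
condition on aws:SourceIp gates access. Bucket name, prefixes and CIDRs
are constructed for the example."""
import fnmatch
import ipaddress


def _as_list(value):
    # Policy elements accept either one string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))


def _condition_holds(condition, context):
    """Only IpAddress / NotIpAddress are modelled; a missing context key is
    treated as 'no match' (IAM's negated and ...IfExists operators differ)."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, cidrs in pairs.items():
            if key not in context:
                return False
            inside = _in_any(context[key], cidrs)
            if operator == "IpAddress" and not inside:
                return False
            if operator == "NotIpAddress" and inside:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against a set of policies.

    Every statement of every policy is examined; a matching explicit Deny
    wins no matter how many Allows match, and with no matching Allow the
    outcome is the implicit deny.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop, nothing can override it
            allowed = True
    return "Allow" if allowed else "Deny"


BUCKET = "arn:aws:s3:::example-reports"   # constructed bucket
CORP_NET = "203.0.113.0/24"               # constructed corporate range

# Q2-style bucket policy: allow reads from the corporate range and deny
# everything that does not come from it. Principal is ignored by this model.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": CORP_NET}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_NET}}},
]}

# Q5: a statement scoped to specific ARNs versus a wildcard grant.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": BUCKET + "/public/*"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


if __name__ == "__main__":
    obj = BUCKET + "/public/q1.csv"
    inside, outside = {"aws:SourceIp": "203.0.113.10"}, {"aws:SourceIp": "198.51.100.7"}
    print(evaluate([BUCKET_POLICY], "s3:GetObject", obj, inside))                    # Allow
    print(evaluate([BUCKET_POLICY], "s3:GetObject", obj, outside))                   # Deny
    print(evaluate([WILDCARD_POLICY, BUCKET_POLICY], "s3:GetObject", obj, outside))  # Deny
    print(evaluate([SCOPED_POLICY], "s3:DeleteObject", obj))                         # Deny
```

The third call is the Q3 point: a wildcard Allow in one policy does nothing against a matching Deny in another. The last call shows the Q5 point from the other side: with only a scoped GetObject grant, an unlisted action or an object outside the listed prefix falls through to the implicit deny.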
Q6

What happens when you enable S3 bucket versioning on an existing bucket?

  • A All existing objects are versioned
  • B Versioning cannot be disabled later
  • C New objects get a version ID
  • D S3 lifecycle policies are voided
Explanation New objects, and new uploads of existing keys, receive a unique version ID; objects that were in the bucket before versioning was enabled are not rewritten and carry a version ID of null until they are overwritten, at which point the null version is kept as a noncurrent version. Lifecycle rules keep working and gain actions for noncurrent versions. Strictly speaking, option B is also true, since a version-enabled bucket can only be suspended and never returned to the unversioned state, but the question asks about the effect on objects, which is C.
Q7

Which AWS service is primarily used for identity and access management?

  • A IAM
  • B S3
  • C EC2
  • D RDS
Explanation IAM is designed for managing identities and access while the others serve different primary functions.
Q8

A company needs to ensure data in S3 is securely deleted. Which method ensures compliance with NIST guidelines?

  • A Delete the object
  • B Overwrite the object
  • C Remove the bucket policy
  • D Use object lifecycle policies
Explanation Overwriting the object is the intended answer here: a plain delete or lifecycle expiration only removes the object (or adds a delete marker in a versioned bucket), and removing a bucket policy changes access, not data. Be aware, though, that S3 customers never touch the underlying media, and with versioning enabled an overwrite keeps the previous version, so an overwrite does not sanitize anything by itself. NIST SP 800-88 recognizes cryptographic erase as a sanitization method; the S3 pattern that maps to it is encrypting objects with a customer managed KMS key and scheduling that key for deletion once the objects and all their versions are no longer needed.
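To make the cryptographic-erase point concrete, here is an added, stand-alone Python model of the SSE-KMS pattern; it is not AWS code. Each object is encrypted under its own data key, every data key is wrapped by one master key standing in for a KMS customer managed key, and destroying that master key makes every object unrecoverable without the objects ever being overwritten. The cipher is a toy HMAC-SHA256 keystream chosen so the example runs on the standard library alone; it provides no integrity protection and the sample record is constructed.

```python
"""Toy model of cryptographic erasure (added illustration, not AWS code).

Mirrors the SSE-KMS pattern: each object is encrypted under its own data
key, every data key is wrapped by one master key standing in for a KMS
customer managed key, and destroying that master key renders all objects
unreadable without touching the objects. The cipher is a toy HMAC-SHA256
keystream so the example runs on the standard library alone; it gives no
integrity protection and must not be used for real data.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC(key, nonce || counter) keystream; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class MasterKey:
    """Stand-in for a KMS key: wraps and unwraps data keys, can be deleted."""

    def __init__(self):
        self._secret = os.urandom(32)
        self.deleted = False

    def wrap(self, data_key: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + keystream_xor(self._secret, nonce, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self.deleted:
            # KMS likewise refuses Decrypt once a key is pending deletion or deleted
            raise PermissionError("master key deleted; data keys cannot be unwrapped")
        return keystream_xor(self._secret, wrapped[:16], wrapped[16:])

    def delete(self):
        self._secret = None
        self.deleted = True


class EncryptedObjectStore:
    """Envelope-encrypts each object with a fresh data key wrapped by the master key."""

    def __init__(self, master: MasterKey):
        self.master = master
        self.objects = {}

    def put(self, key: str, plaintext: bytes):
        data_key, nonce = os.urandom(32), os.urandom(16)
        self.objects[key] = {
            "wrapped_key": self.master.wrap(data_key),
            "nonce": nonce,
            "ciphertext": keystream_xor(data_key, nonce, plaintext),
        }

    def get(self, key: str) -> bytes:
        obj = self.objects[key]
        data_key = self.master.unwrap(obj["wrapped_key"])
        return keystream_xor(data_key, obj["nonce"], obj["ciphertext"])


def crypto_shred_demo():
    """Store an object, read it back, delete the master key, try again.

    Returns (plaintext read before deletion, status after deletion, number of
    objects still stored): the ciphertext is never overwritten or removed,
    yet becomes unrecoverable."""
    master = MasterKey()
    store = EncryptedObjectStore(master)
    record = b"customer,balance\nacme,1200\n"  # constructed sample data
    store.put("reports/2024/q1.csv", record)
    before = store.get("reports/2024/q1.csv")
    master.delete()
    try:
        store.get("reports/2024/q1.csv")
        after = "readable"
    except PermissionError:
        after = "unrecoverable"
    return before, after, len(store.objects)


if __name__ == "__main__":
    print(crypto_shred_demo())  # (b'customer,balance\nacme,1200\n', 'unrecoverable', 1)
```

The object count stays at 1 after the key is gone: nothing was deleted or overwritten, which is exactly why the approach also covers noncurrent versions and replicas that an overwrite would miss, provided they were all encrypted under the same key.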
Q9

You are configuring a VPC and want to restrict internet access while allowing internal communication. What should you configure?

  • A Public subnets only
  • B NAT Gateway
  • C Everything in a private subnet
  • D Route table for internet gateway
Explanation A subnet is private when its route table has no route to an internet gateway, so instances in it can neither be reached from nor initiate connections to the internet, while the VPC's local route still allows internal communication. A NAT gateway provides outbound internet access rather than restricting it, and public subnets or an internet gateway route expose resources to the internet.
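Since "private subnet" is a property of route tables rather than a checkbox, a practitioner verifies it by reading the routes. The following added Python check (not part of the quiz) classifies subnets from data in the shape of `aws ec2 describe-route-tables` output, honouring the rule that a subnet without an explicit association uses the VPC main route table; every VPC, subnet, gateway ID and CIDR is constructed for the example.

```python
"""Classify VPC subnets as public or private from route-table data.

Added check, not part of the quiz. A subnet is effectively public when the
route table it uses (its explicit association, or the VPC main table when
it has none) sends 0.0.0.0/0 or ::/0 to an internet gateway. A default
route to a NAT gateway gives outbound-only access and is reported
separately. The input follows the shape of `aws ec2 describe-route-tables`
output; every ID and CIDR below is constructed.
"""

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0001", "VpcId": "vpc-0a1b2c3d",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public01", "VpcId": "vpc-0a1b2c3d",
     "Associations": [{"Main": False, "SubnetId": "subnet-web1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f1e2d3c"}]},
    {"RouteTableId": "rtb-nat0001", "VpcId": "vpc-0a1b2c3d",
     "Associations": [{"Main": False, "SubnetId": "subnet-app1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a9b8c7d"}]},
    {"RouteTableId": "rtb-stale01", "VpcId": "vpc-0a1b2c3d",
     "Associations": [{"Main": False, "SubnetId": "subnet-old1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-deadbeef",
                 "State": "blackhole"}]},
]
# subnet-db1 has no explicit association, so it falls back to the main table.
SUBNET_IDS = ["subnet-web1", "subnet-app1", "subnet-db1", "subnet-old1"]

DEFAULT_ROUTES = ("0.0.0.0/0", "::/0")


def exposure(route_table):
    """'public', 'private-with-nat' or 'private' for one route table."""
    result = "private"
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes (target deleted) do not forward traffic
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if "NatGatewayId" in route:
            result = "private-with-nat"
    return result


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to its exposure, honouring explicit vs main association."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    classes = {}
    for subnet in subnet_ids:
        rt = explicit.get(subnet, main)
        classes[subnet] = exposure(rt) if rt else "unknown"
    return classes


def public_subnets(route_tables, subnet_ids):
    """The subnets a reviewer would flag when the requirement is 'no internet access'."""
    return sorted(s for s, c in classify_subnets(route_tables, subnet_ids).items() if c == "public")


if __name__ == "__main__":
    for subnet, cls in classify_subnets(ROUTE_TABLES, SUBNET_IDS).items():
        print(f"{subnet}: {cls}")
```

Two details matter in practice and are handled above: a route whose target has been deleted shows `State: blackhole` and no longer forwards traffic, and a subnet that was never explicitly associated inherits the main table, so hardening the main table (leaving it with only the local route) is what keeps forgotten subnets private.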
Q10

Which AWS service provides a fully managed DDoS protection?

  • A AWS Shield
  • B AWS WAF
  • C AWS Firewall Manager
  • D Amazon Inspector
Explanation AWS Shield is the managed DDoS protection service (Shield Standard is applied automatically at no extra cost; Shield Advanced adds larger-scale mitigation, visibility and response support). AWS WAF filters web requests by rule, AWS Firewall Manager centrally administers WAF, Shield Advanced and security group policies across accounts, and Amazon Inspector assesses workloads for vulnerabilities.