Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.

Questions 101–110 of 486

Q101

A company needs to secure sensitive data at rest in S3. What is the best practice?

  • A. Enable versioning
  • B. Use Server-Side Encryption
  • C. Set bucket to public
  • D. Use lifecycle policies

Explanation: Server-Side Encryption is specifically designed to secure data at rest, while versioning and lifecycle policies do not encrypt data inherently.

Q102

What happens when a security group rule is removed from an Amazon EC2 instance?

  • A. Traffic is automatically allowed
  • B. Existing connections are dropped
  • C. No effect on existing connections
  • D. All security groups are modified

Explanation: Removing a rule only affects new connections, not existing ones, which remain unaffected.

Q103

Which AWS service enables you to securely store API keys?

  • A. AWS Secrets Manager
  • B. AWS EC2
  • C. AWS S3
  • D. AWS DynamoDB

Explanation: AWS Secrets Manager securely stores API keys, while the others do not serve this purpose.

Q104

A company needs to restrict AWS Lambda functions to a specific set of IP addresses. What should they use?

  • A. Security Groups
  • B. Lambda Environment Variables
  • C. IAM Policies
  • D. API Gateway Resource Policies

Explanation: API Gateway Resource Policies allow IP restriction, while the others do not apply directly to Lambda functions.

Q105

What happens when an IAM user initiates a session with temporary security credentials?

  • A. The user gains full admin access.
  • B. The user operates under session policy.
  • C. The user's permissions are revoked.
  • D. All actions are logged indefinitely.

Explanation: The user operates under a restricted session policy, whereas the other options misrepresent IAM functionality.

Q106

Which AWS service provides DDoS protection?

  • A. AWS Shield
  • B. AWS WAF
  • C. Amazon GuardDuty
  • D. AWS Config

Explanation: AWS Shield is specifically designed for DDoS protection; the others serve different security functions.

Q107

A company needs to restrict IAM user actions based on source IP addresses. Which feature should they use?

  • A. IAM Roles
  • B. IAM Policies
  • C. Security Groups
  • D. EC2 Instance Profiles

Explanation: IAM Policies can specify conditions, including source IP; the others do not control permissions at this level.

Q108

What happens when a VPC peering connection is established between two VPCs?

  • A. VPCs can share IAM roles.
  • B. Non-overlapping CIDRs are mandatory.
  • C. Data transfer is free.
  • D. Route tables are automatically updated.

Explanation: Non-overlapping CIDRs are mandatory for peering. Routes may need manual updates, and the other options are incorrect.

Q109

Which AWS service analyzes logs for security issues?

  • A. Amazon GuardDuty
  • B. AWS CloudTrail
  • C. Amazon Inspector
  • D. AWS Config

Explanation: Amazon GuardDuty analyzes logs and identifies threats, while the others focus on logging or compliance.

Q110

A company needs to grant temporary access to an external vendor. Which AWS feature should they use?

  • A. IAM Roles
  • B. IAM Groups
  • C. Resource Policies
  • D. Access Keys

Explanation: IAM Roles allow temporary access for users or services; the others do not have this capability.