Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.

Questions 111–120 of 486

Q111

What happens when an S3 bucket policy denies access to all users?

  • A Only specific users are allowed access
  • B Access is granted to public users
  • C No users can access the bucket
  • D Only logged-in IAM users can access
Explanation: A deny policy overrides all access, preventing any user from accessing the bucket.
Q112

Which service helps manage AWS user access and permissions?

  • A AWS IAM
  • B AWS S3
  • C AWS EC2
  • D AWS CloudWatch
Explanation: AWS IAM specifically manages user access and permissions, while the others serve different purposes.
Q113

A company needs to securely share sensitive data across multiple organizations. Which AWS service is best suited for this task?

  • A AWS Secrets Manager
  • B AWS VPN
  • C AWS Transfer Family
  • D AWS KMS
Explanation: AWS Transfer Family allows secure data transfer, while the others focus on different security aspects.
Q114

What happens when you delete an AWS KMS key?

  • A Data encrypted with it stays accessible
  • B All encrypted data is instantly deleted
  • C You cannot recover encrypted data afterwards
  • D Access to it is simply revoked
Explanation: Once a KMS key is deleted, the data encrypted with it becomes permanently inaccessible, while the other options don't accurately describe the consequence.
Q115

Which service provides additional security for your Amazon S3 buckets?

  • A AWS IAM
  • B AWS Macie
  • C AWS CloudFormation
  • D AWS CloudWatch
Explanation: AWS Macie identifies and helps protect sensitive data in S3; IAM manages permissions but does not provide data security analysis.
Q116

You are configuring AWS Security Groups for your EC2 instance; what happens if you set the ingress rule to deny all inbound traffic?

  • A No external connections are allowed.
  • B Only internal communications are allowed.
  • C The instance will fail to start.
  • D CloudFront will access the instance.
Explanation: Denying all inbound traffic blocks external connections, but the instance will still run.
Q117

A company needs to encrypt data at rest in DynamoDB; which method provides the highest level of security control?

  • A AWS managed keys (SSE-KMS)
  • B Client-side encryption
  • C Default encryption settings
  • D Encryption in transit only
Explanation: Client-side encryption gives complete control over the keys used, whereas AWS managed keys are managed by AWS.
Q118

Which AWS service provides continuous monitoring for security compliance?

  • A AWS CloudTrail
  • B AWS Config
  • C AWS Shield
  • D Amazon GuardDuty
Explanation: AWS Config continuously monitors and records resource configurations, helping ensure compliance, while others focus on logging, protection, or threat detection.
Q119

A company needs to provide IAM access to third-party contractors. What is the best practice?

  • A Create IAM users for each contractor.
  • B Share existing IAM user credentials.
  • C Use IAM roles with temporary credentials.
  • D Create resource policies for access.
Explanation: Using IAM roles with temporary credentials is the best practice for third-party access, whereas other options create security risks or lack control.
Q120

What happens when you enable MFA on an IAM user?

  • A User bypasses password requirements.
  • B User requires extra authentication step.
  • C User's access keys are deleted.
  • D User cannot use the console.
Explanation: Enabling MFA requires the user to provide an additional authentication factor, enhancing security, while the other options are incorrect interpretations of MFA.