Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 161–170 of 486

Q161

A company needs to enforce least privilege access on IAM roles. What should you do?

  • A Assign roles to all users
  • B Use identity-based policies
  • C Use data encryption
  • D Monitor API calls
Explanation: Using identity-based policies allows precise permissions; other options do not enforce least privilege.

Q162

You are configuring AWS Config rules for compliance. What happens when a resource doesn't comply with a rule?

  • A It is automatically deleted
  • B It is marked as non-compliant
  • C Notifications are ignored
  • D No action taken at all
Explanation: Non-compliance is flagged in AWS Config for visibility; other options incorrectly describe resource behavior.

Q163

Which AWS service helps to comply with data privacy regulations?

  • A AWS Artifact
  • B AWS Inspector
  • C AWS CloudTrail
  • D AWS Firewall Manager
Explanation: AWS Artifact provides compliance reports and security certifications, while others focus on different security aspects.

Q164

A company needs to securely manage access to its AWS resources for a growing team. Which approach is the best practice?

  • A Use AWS root account for all actions
  • B Create IAM roles for users
  • C Share IAM user passwords
  • D Disable MFA for all accounts
Explanation: Creating IAM roles for users allows secure access management without exposing sensitive credentials, unlike the other options.

Q165

What happens when a user attempts to access resources beyond their IAM permission?

  • A Access is granted due to default settings
  • B Access is denied according to least privilege
  • C Access is logged and reported automatically
  • D Access is granted if user is an admin
Explanation: IAM follows the principle of least privilege, denying access to unauthorized actions, while others are incorrect interpretations of IAM behavior.

Q166

Which service helps to detect anomalous behavior in AWS accounts?

  • A AWS CloudTrail
  • B Amazon GuardDuty
  • C AWS Config
  • D AWS Inspector
Explanation: Amazon GuardDuty provides threat detection based on anomalous behavior, while others serve different monitoring functions.

Q167

A company needs to enforce MFA for all users in an IAM group. What should they do?

  • A Enable password policies
  • B Attach an IAM policy requiring MFA
  • C Use Amazon Cognito for authentication
  • D Setup CloudWatch alarms on logins
Explanation: Attaching an IAM policy to require MFA is the correct step, while others do not enforce MFA directly.

Q168

What happens when an Amazon S3 bucket's public access is fully blocked?

  • A All objects are deleted
  • B Public ACLs are ignored
  • C Logging is disabled
  • D Bucket cannot be accessed at all
Explanation: Blocking public access ignores any public ACLs but does not impact bucket access from authorized users.

Q169

Which AWS service provides automated threat detection for AWS accounts?

  • A AWS Config
  • B AWS GuardDuty
  • C AWS CloudTrail
  • D AWS Inspector
Explanation: AWS GuardDuty automatically monitors for malicious activity, while others focus on compliance or logging.

Q170

A company needs to allow access to an S3 bucket from a specific IP range. What is the best way to achieve this?

  • A Use Security Group rules.
  • B Configure an IAM policy.
  • C Set a bucket policy.
  • D Implement VPC endpoint policies.
Explanation: A bucket policy can specifically restrict access based on IP addresses, unlike the other options.