Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 191–200 of 486

Q191

A company needs to ensure its S3 data is encrypted at rest using customer-managed keys. Which service must be used?

  • A Amazon S3
  • B AWS KMS
  • C AWS IAM
  • D Amazon CloudWatch
Explanation: AWS KMS is required for managing customer-managed keys for S3 encryption, while the other options do not provide key management.

Q192

What happens when an IAM policy denies an action, even if another policy allows it?

  • A The action is allowed.
  • B The action is denied.
  • C The action is logged.
  • D The action is conditionally allowed.
Explanation: IAM policies follow a deny-over-allow principle: an explicit deny takes precedence over any allow.

Q193

Which AWS service provides options to centrally manage and enforce policies across AWS accounts?

  • A AWS Organizations
  • B AWS Config
  • C AWS CloudTrail
  • D AWS IAM
Explanation: AWS Organizations enables policy management across accounts, while the others focus on compliance, monitoring, or identity management.

Q194

You are configuring an S3 bucket to require multi-factor authentication (MFA). Which of the following is necessary?

  • A Enable bucket versioning
  • B Use an IAM role for access
  • C Specify an MFA delete configuration
  • D Set a bucket policy for public access
Explanation: MFA delete must be explicitly enabled on the bucket; the other options pertain to different functionalities or access methods.

Q195

What happens when traffic to or from an EC2 instance does not match any security group rule?

  • A Access is denied based on rules
  • B Instance is terminated immediately
  • C Instance logs the violation
  • D All traffic is allowed
Explanation: Security group rules control inbound and outbound traffic, so non-matching traffic is simply denied; the other options incorrectly suggest immediate action or logging.

Q196

Which AWS service allows for secure network communication between services in a VPC?

  • A AWS PrivateLink
  • B Amazon CloudFront
  • C AWS Direct Connect
  • D Amazon Route 53
Explanation: AWS PrivateLink provides private, secure connectivity to services from within a VPC; the other options do not do this specifically.

Q197

A company needs to audit AWS Lambda execution permissions. Which AWS service will assist with this?

  • A AWS Config
  • B Amazon Athena
  • C AWS CloudTrail
  • D AWS Inspector
Explanation: AWS CloudTrail logs Lambda API activity, including permission-related actions; the other options provide different functionality.

Q198

What happens when you enable S3 Object Lock in Governance Mode?

  • A Users cannot delete objects.
  • B Only admin can delete objects.
  • C No versioning allowed.
  • D Compliance audit is skipped.
Explanation: Governance Mode prevents users from deleting locked objects unless they have been granted permission to bypass the retention setting; A is misleading because it omits that exception.

Q199

Which AWS service simplifies the management of access keys?

  • A AWS CloudTrail
  • B AWS IAM Access Analyzer
  • C AWS Secrets Manager
  • D AWS CodePipeline
Explanation: AWS Secrets Manager securely stores and manages access keys, while the others focus on different functions unrelated to key management.

Q200

A company is using Amazon S3 for data storage and needs to enforce encryption. What should they do?

  • A Turn on Versioning in S3.
  • B Deploy AWS Shield.
  • C Enable S3 Server-Side Encryption.
  • D Use S3 Object Lock.
Explanation: Enabling S3 Server-Side Encryption is the correct way to enforce encryption at rest, while the other options do not directly ensure data encryption.