Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 251–260 of 486

Q251

You are configuring a security group. What happens when you remove an inbound rule?

  • A Access is blocked forever
  • B Previously allowed traffic is blocked
  • C Existing connections freeze
  • D No effect on current connections
Explanation: Removing an inbound rule blocks new traffic that would have been allowed, but does not affect existing connections.

Q252

A company needs to enforce Multi-Factor Authentication (MFA) for their IAM users. Which approach is best?

  • A IAM Policy with 'MFA required'
  • B Attach MFA device per user
  • C Enable organization-level MFA
  • D Set password expiration policy
Explanation: Attaching an MFA device per user effectively enforces MFA, while the other options do not directly implement user-level MFA enforcement.

Q253

Which IAM policy type allows fine-grained permissions?

  • A Identity-based policies
  • B Resource-based policies
  • C Service control policies
  • D Condition-based policies
Explanation: Identity-based policies control permissions linked to users or groups, not resource-based governance, which is more generalized.

Q254

A company needs to secure sensitive data in S3. What is the best approach?

  • A Disable public access
  • B Use S3 Glacier storage
  • C Enable versioning
  • D Set bucket ownership
Explanation: Disabling public access prevents unauthorized access to sensitive data, while other options do not directly secure it.

Q255

You are configuring CloudTrail. What happens when you enable it for an account?

  • A Logs are generated continuously
  • B Inside VPC flow logs only
  • C Disables logging of S3 events
  • D Automatically creates IAM policies
Explanation: Enabling CloudTrail ensures continuous logging of API activity across the account, not limited to specific logs or services.

Q256

Which service provides data protection with encryption at rest for Amazon S3 buckets?

  • A AWS KMS
  • B Amazon RDS
  • C AWS Backup
  • D AWS Shield
Explanation: AWS KMS is designed for encryption at rest, while the others serve different purposes.

Q257

A company needs to limit IAM user permissions based on specific tags. Which AWS feature does this require?

  • A Resource-Based Policies
  • B IAM Roles
  • C Tag-Based Access Control
  • D Service Control Policies
Explanation: Tag-Based Access Control uses tags to enforce permissions, while the others do not offer this feature.

Q258

What happens when you enable Amazon EBS volume encryption?

  • A Data is encrypted only during transit.
  • B Only snapshots are encrypted.
  • C Data at rest is encrypted automatically.
  • D You need to manually encrypt each file.
Explanation: Enabling EBS volume encryption automatically encrypts all data at rest, while other options are incorrect descriptions of the process.

Q259

Which service provides automated compliance reporting for AWS resources?

  • A AWS Config
  • B AWS CloudTrail
  • C Amazon GuardDuty
  • D AWS IAM
Explanation: AWS Config records and evaluates configurations, providing compliance reports; other options do not provide this specific service.

Q260

A company needs to ensure only specific IP addresses can access its S3 buckets. What is the best practice to achieve this?

  • A S3 bucket policies
  • B CloudFront distribution
  • C IAM user policies
  • D AWS Certificate Manager
Explanation: S3 bucket policies allow IP address restrictions, while the others do not specifically manage S3 access by IP.