Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.

Questions 321–330 of 486

Q321

You are configuring IAM policies for least privilege access. Which feature should you use to ensure time-limited permissions?

  • A IAM Users
  • B IAM Roles
  • C Temporary Security Credentials
  • D Resource Policies
Explanation Temporary Security Credentials have a defined expiration, supporting least privilege, while the other options do not inherently support time limits.
Q322

Which AWS service provides centralized logging of account activity?

  • A AWS CloudTrail
  • B AWS Config
  • C Amazon CloudWatch
  • D AWS Trusted Advisor
Explanation AWS CloudTrail records account activity, while AWS Config monitors configurations.
Q323

A company needs to ensure that sensitive data is encrypted at rest in S3 buckets. What should they implement?

  • A S3 Block Public Access
  • B S3 Object Lock
  • C S3 Server-side Encryption
  • D AWS Firewall Manager
Explanation S3 Server-side Encryption effectively encrypts data at rest, while the other options do not accomplish this.
Q324

What happens when you enable IAM policies that deny access alongside those that allow access?

  • A Access is always granted.
  • B Access is denied regardless.
  • C Access is granted if allowed.
  • D Access is determined by priority.
Explanation An explicit deny takes precedence over any allow in IAM policy evaluation, so access is denied regardless of the allows.
Q325

Which AWS service provides a centralized logging solution?

  • A AWS CloudTrail
  • B Amazon S3
  • C AWS Trusted Advisor
  • D Amazon EC2
Explanation AWS CloudTrail captures API calls for logging, while others don’t primarily focus on logs.
Q326

A company needs to enforce multi-factor authentication (MFA) for all users. What is the best practice to implement this?

  • A Enable MFA in IAM settings
  • B Allow users to opt-in
  • C Use Amazon Cognito only
  • D Disable password policy
Explanation Enabling MFA in IAM settings ensures all users use it, while the other options do not enforce compliance.
Q327

You are configuring a Security Group for an EC2 instance. What is the result of allowing inbound traffic on port 22 from everywhere?

  • A SSH access from any IP
  • B SSH access only from VPC
  • C HTTP access from any IP
  • D Restricted SSH access
Explanation Allowing inbound traffic on port 22 from everywhere permits unrestricted SSH access; the other options describe the resulting access incorrectly.
Q328

Which AWS service allows you to manage security configurations across multiple accounts?

  • A AWS Security Hub
  • B AWS SageMaker
  • C AWS Batch
  • D AWS Glue
Explanation AWS Security Hub provides a comprehensive view of security across accounts, while others focus on different functionalities.
Q329

A company wants to ensure API keys are not exposed in source control. Which best practice should they implement?

  • A Store keys in Git repository
  • B Use IAM roles for applications
  • C Hardcode keys in source files
  • D Share keys via public channels
Explanation Using IAM roles eliminates storing keys in code, while the other options lead to key exposure.
Q330

What happens when an Amazon S3 bucket policy allows public access to all objects?

  • A Only IAM users can access objects
  • B All users can read objects
  • C Bucket becomes private automatically
  • D Only logged-in users can read
Explanation Public access allows anyone to read objects, while the other options incorrectly specify access controls.