Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 341–350 of 486

Q341

A company needs to encrypt data at rest in S3 without modifying application code. What should it use?

  • A S3 Object Lock
  • B S3-Managed Keys (SSE-S3)
  • C KMS Keys (SSE-KMS)
  • D S3 Versioning
Explanation: SSE-S3 manages encryption automatically without requiring code changes, while SSE-KMS requires additional setup.
Q342

What happens when you enable CloudTrail log file validation?

  • A Logs are encrypted at rest.
  • B You can verify integrity of logs.
  • C Logs cannot be deleted.
  • D Logs are stored in S3.
Explanation: Enabling log file validation allows for integrity verification, while the other options describe different log features.
Q343

Which AWS service provides a centralized view of AWS account activity?

  • A AWS CloudTrail
  • B AWS Config
  • C AWS Shield
  • D AWS Trusted Advisor
Explanation: AWS CloudTrail logs API calls, providing a centralized view, whereas the others serve different functions.
Q344

A company needs to ensure that all data is encrypted at rest and in transit for their S3 buckets. Which feature should be implemented?

  • A S3 Object Lock
  • B S3 Bucket Policies
  • C S3 Default Encryption
  • D S3 Lifecycle Policies
Explanation: S3 Default Encryption ensures data at rest is encrypted, while encryption in transit is normally handled by using HTTPS.
Q345

You are configuring IAM roles in a multi-account setup. What must you ensure for cross-account access?

  • A Role permissions are identical
  • B A trust policy grants access
  • C Policies are attached to users
  • D Resources must be publicly accessible
Explanation: For cross-account access, a trust policy must explicitly grant access; this is separate from the role's permissions.
Q346

Which AWS service provides a centralized view of security and compliance across your AWS accounts?

  • A AWS Security Hub
  • B AWS IAM
  • C Amazon GuardDuty
  • D AWS Config
Explanation: AWS Security Hub aggregates security findings; others serve different security functions.
Q347

A company needs to detect possible insider threats in their AWS environment. Which service should they use?

  • A AWS CloudTrail
  • B AWS Inspector
  • C AWS Config
  • D Amazon GuardDuty
Explanation: Amazon GuardDuty analyzes account activity for anomalies; others serve different purposes.
Q348

What happens when you enable S3 bucket versioning?

  • A Old versions are deleted permanently.
  • B Each object keeps multiple versions.
  • C Costs for storage decrease significantly.
  • D Object encryption is automatically applied.
Explanation: Versioning preserves multiple versions of each object; the other options describe incorrect behaviors.
Q349

Which AWS service is specifically designed for sensitive data encryption at rest?

  • A AWS KMS
  • B AWS Lambda
  • C AWS EC2
  • D AWS S3
Explanation: AWS KMS handles key management and encryption, while others do not specialize in this area.
Q350

A company needs to ensure its IAM policies are not unintentionally broad. What solution helps achieve this?

  • A Use AWS Config
  • B Enable MFA
  • C AWS Identity Federation
  • D S3 Bucket Policies
Explanation: AWS Config helps review IAM policies and their usage for compliance and security; others do not directly serve this purpose.