Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.

Questions 401–410 of 486

Q401

A company needs to log all API requests to an Amazon S3 bucket. Which solution meets this requirement without significant overhead?

  • A Use AWS CloudTrail
  • B Enable S3 Event Notifications
  • C Set up Amazon CloudWatch Logs
  • D Implement VPC Flow Logs
Explanation: AWS CloudTrail automatically logs all API requests, while the others do not cover comprehensive API logging specifically.
Q402

What occurs if you attempt to delete an active Amazon RDS instance?

  • A Deletion is allowed immediately
  • B Instance must be stopped first
  • C It will trigger an automatic backup
  • D Deletion is restricted and fails
Explanation: Amazon RDS allows immediate deletion unless specific deletion protection is enabled. The others misrepresent deletion requirements or consequences.
Q403

Which service provides IAM role assumption features for Lambda functions?

  • A AWS IAM
  • B Amazon EC2
  • C AWS Shield
  • D Amazon S3
Explanation: AWS IAM allows Lambda functions to assume roles, while other services do not serve this purpose.
Q404

A company needs to ensure encrypted data at rest for their S3 buckets. What should they enable?

  • A IAM policies
  • B S3 Object Versioning
  • C S3 Server-Side Encryption
  • D Bucket Lifecycle Policies
Explanation: S3 Server-Side Encryption encrypts data at rest, whereas others are either unrelated or do not provide encryption.
Q405

You are configuring CloudTrail. What happens if you disable it?

  • A Logs will remain available until manually deleted.
  • B New API activity will not be logged.
  • C API activity logs will be retained forever.
  • D All previous logs will be deleted instantly.
Explanation: Disabling CloudTrail stops logging new API activity, while previous logs remain until configured otherwise.
Q406

Which AWS service helps automate security assessments?

  • A AWS Inspector
  • B AWS CloudTrail
  • C Amazon Macie
  • D AWS Shield
Explanation: AWS Inspector automates security assessments, while the others focus on monitoring or data privacy.
Q407

A company needs to connect on-premises resources securely to AWS services. Which solution is best?

  • A AWS Direct Connect
  • B AWS VPN
  • C AWS Snowball
  • D AWS Storage Gateway
Explanation: AWS Direct Connect provides dedicated private connections, offering better reliability than VPNs for security.
Q408

You are configuring IAM policies for a group. What happens if a user has conflicting policies?

  • A The least permissive policy wins
  • B All policies are overridden
  • C The most permissive policy wins
  • D Policies cannot conflict
Explanation: The least permissive policy applies, ensuring tighter security controls.
Q409

Which service provides automated security assessments?

  • A AWS Inspector
  • B AWS Shield
  • C AWS Firewall Manager
  • D AWS Macie
Explanation: AWS Inspector automates security assessments, while others focus on threat protection or data security.
Q410

A company needs to retain logs for compliance. Which is the best practice?

  • A Store logs in EC2 register
  • B Send logs to CloudTrail
  • C Use S3 with versioning
  • D Log directly into RDS
Explanation: Using S3 with versioning ensures logs are retained safely, unlike other options that do not provide adequate retention.