Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 411–420 of 486

Q411

What happens when an IAM policy has a Deny statement and an Allow statement?

  • A Allow takes precedence over Deny
  • B Deny takes precedence over Allow
  • C IAM ignores both statements
  • D Policies cancel each other out
Explanation: In IAM, Deny statements always take precedence over Allow statements to ensure stricter security policies.

Q412

Which AWS service provides automated security assessments?

  • A Amazon Inspector
  • B AWS CloudTrail
  • C AWS Config
  • D Amazon GuardDuty
Explanation: Amazon Inspector automatically assesses applications for vulnerabilities; the others serve different purposes.

Q413

A company needs to restrict S3 bucket access based on IP addresses. Which feature must they use?

  • A IAM Roles
  • B Bucket Policies
  • C S3 Access Control Lists
  • D CloudFront
Explanation: Bucket Policies allow IP address restrictions; IAM Roles do not apply to S3 access directly.

Q414

What happens when you disable CloudTrail logging?

  • A Instant deletion of existing logs
  • B Future events are not logged
  • C Security groups are wiped clean
  • D AWS resources stop functioning
Explanation: Disabling CloudTrail means future events aren't logged; existing logs remain intact.

Q415

Which AWS service helps you manage secrets such as API keys?

  • A AWS Secrets Manager
  • B Amazon S3
  • C AWS DynamoDB
  • D Amazon RDS
Explanation: AWS Secrets Manager securely stores and manages secrets, while the others do not focus on secret management.

Q416

A company needs to ensure that its EC2 instances are only accessible through specific IP addresses. What AWS feature should they use?

  • A Security Groups
  • B NAT Gateway
  • C IAM Roles
  • D Elastic Load Balancer
Explanation: Security Groups control inbound and outbound traffic to EC2 instances; the others serve different purposes.

Q417

What happens when you enable AWS Config for your resources?

  • A Real-time monitoring of resource changes
  • B Automatic resource backup and recovery
  • C Instant security incident notifications
  • D Reduced costs on resource usage
Explanation: AWS Config provides real-time monitoring of resource configuration changes, while the other options do not accurately describe its functions.

Q418

Which service can you use to manage IAM users and roles?

  • A AWS Identity and Access Management
  • B AWS Config
  • C AWS CloudTrail
  • D AWS Systems Manager
Explanation: AWS IAM manages users and roles securely, while the others focus on configuration, logging, or systems management.

Q419

A company needs to ensure that sensitive data stored in S3 is encrypted at rest. Which option should they select?

  • A Enable S3 versioning
  • B Use SSE-S3 or SSE-KMS
  • C Set S3 bucket policies
  • D Apply Object Lifecycle policies
Explanation: SSE-S3 or SSE-KMS provides encryption at rest, while the other options pertain to versioning or access control.

Q420

You are configuring a VPC and want to ensure that instances can communicate only with each other and not with the internet. What should you do?

  • A Create public subnets
  • B Use security groups with ingress rules
  • C Create private subnets
  • D Attach an Internet Gateway
Explanation: Using private subnets isolates instances from the internet, while the other options allow internet access or focus on security group settings.