Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 431–440 of 486

Q431

A company needs to comply with GDPR for storing user data. What is the best practice when using AWS?

  • A Store all data in one region
  • B Use S3 versioning
  • C Enable encryption at rest
  • D Allow global access to buckets

Explanation: Enabling encryption at rest secures data per GDPR requirements, while other options don't address compliance effectively.

Q432

You are configuring a security group for an EC2 instance. What happens when you remove an inbound rule allowing HTTP access?

  • A EC2 instance loses internet access
  • B Traffic stays accessible from the public
  • C No effect on existing connections
  • D All traffic is blocked

Explanation: Removing the rule affects only future connections; existing connections remain intact until closed.

Q433

Which AWS service is primarily used for federated authentication?

  • A AWS IAM
  • B Amazon CloudWatch
  • C AWS Cognito
  • D AWS Direct Connect

Explanation: AWS Cognito enables user sign-up, sign-in, and access via federated identities, while the others do not focus on federated authentication.

Q434

You are configuring S3 bucket policies. What happens when a policy allows public access?

  • A Access is open to everyone.
  • B Access is denied to everyone.
  • C Access requires IAM roles.
  • D Only specific IPs can access.

Explanation: A bucket policy that allows public access grants access to all users regardless of IAM roles or IP restrictions.

Q435

A company needs to secure Lambda functions. What is the best method to limit their execution permissions?

  • A IAM Role with restrictions.
  • B VPC for all Lambda functions.
  • C API Gateway authorization only.
  • D No permissions are needed.

Explanation: IAM roles define the permissions of Lambda functions, while the other options do not adequately limit execution permissions.

Q436

Which AWS service helps with data classification and protection?

  • A AWS Macie
  • B AWS CloudTrail
  • C AWS Inspector
  • D AWS Config

Explanation: AWS Macie identifies and protects sensitive data, while the others focus on different compliance and monitoring tasks.

Q437

A company needs to enforce IAM policies that allow users to access specific S3 buckets based on their job roles. What should they implement?

  • A Resource-based policies
  • B Service control policies
  • C IAM permissions boundaries
  • D IAM roles

Explanation: Resource-based policies directly control access to S3 buckets for specific user roles, while the others do not directly address S3 bucket access based on roles.

Q438

You are configuring security for a Lambda function. Which practice improves its security posture the most?

  • A Assign a wide execution role
  • B Use environment variables for sensitive info
  • C VPC integration for network isolation
  • D Using multiple triggers

Explanation: VPC integration provides network isolation, significantly enhancing security compared to the other options that either weaken security or do not affect it.

Q439

Which service provides DDoS protection on AWS?

  • A AWS Shield
  • B AWS Firewall Manager
  • C Amazon CloudFront
  • D AWS WAF

Explanation: AWS Shield specifically offers DDoS protection, while others focus on different security aspects.

Q440

A company needs to encrypt data at rest in S3. What should they use?

  • A S3 Default Encryption
  • B IAM Roles
  • C S3 Access Control Lists
  • D VPC Security Groups

Explanation: S3 Default Encryption automatically encrypts data at rest; other options do not provide encryption.