Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 441–450 of 486

Q441

What happens when you disable MFA on an IAM user?

  • A. User cannot log in anymore
  • B. Access remains unchanged
  • C. User's permissions are revoked
  • D. All MFA sessions are invalidated
Explanation: Disabling MFA does not change the user's access or permissions—only the requirement for MFA changes.
Q442

Which AWS service provides a firewall for EC2 instances?

  • A. AWS WAF
  • B. Security Groups
  • C. VPC Peering
  • D. AWS Shield
Explanation: Security Groups act as virtual firewalls; WAF is for web applications.
Q443

A company needs to rotate IAM user access keys semi-annually. What is the best practice?

  • A. Manually delete old keys
  • B. Use a script for automation
  • C. Leave old keys until expiry
  • D. Do nothing, keys are secure
Explanation: Automation ensures timely rotation and reduces errors; manual deletion is inefficient.
Q444

What happens when an S3 Bucket Policy is incorrectly configured?

  • A. Bucket accessibility is unaffected
  • B. All objects become public
  • C. Access issues occur per policy rules
  • D. Objects are automatically encrypted
Explanation: Access issues occur based on applied rules; incorrect policies can restrict or allow unintended access.
Q445

Which AWS service allows you to manage IAM roles across multiple AWS accounts?

  • A. AWS Control Tower
  • B. AWS Organizations
  • C. AWS IAM
  • D. AWS SSO
Explanation: AWS Organizations allows for centralized management of IAM across accounts, while the others do not focus on cross-account role management.
Q446

A company wants to implement encryption for their data at rest in an S3 bucket. What is the most effective method?

  • A. Enable S3 Versioning
  • B. Use Client-Side Encryption
  • C. Use S3 Server-Side Encryption
  • D. Restrict Bucket Policy
Explanation: S3 Server-Side Encryption automates data encryption at rest directly in S3, unlike the other options, which do not provide direct encryption capabilities.
Q447

You are configuring CloudTrail for auditing purposes. What is a best practice to enhance security?

  • A. Use a single S3 bucket for all trails
  • B. Store logs in a private S3 bucket
  • C. Enable public access to logs
  • D. Disable log file validation
Explanation: Storing logs in a private S3 bucket enhances security by restricting access, unlike enabling public access.
Q448

Which AWS service helps secure your data at rest by using encryption keys managed in the cloud?

  • A. AWS Key Management Service (KMS)
  • B. AWS CloudTrail
  • C. Amazon S3
  • D. Amazon CloudFront
Explanation: AWS KMS is specifically designed for encryption key management, while the others do not focus on this functionality.
Q449

A security team needs to monitor and alert on unauthorized API calls in their AWS account. What should they use?

  • A. AWS Config
  • B. AWS CloudTrail
  • C. Amazon GuardDuty
  • D. Amazon Inspector
Explanation: CloudTrail logs and enables alerts for API calls, whereas the others do not directly track API usage.
Q450

You are configuring IAM policies for a team. What happens if an explicit deny is inherited from a group attached to a user?

  • A. Access is allowed.
  • B. Access is denied.
  • C. Requires additional permissions to allow.
  • D. Access depends on resource policies.
Explanation: In AWS IAM, explicit denies take precedence, overriding any allows, meaning access will always be denied in this scenario.