Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.

Questions 41–50 of 486

Q41

A company needs to allow only certain users to assume a role. What should be added to the IAM policy?

  • A. Condition key for user IP
  • B. On-demand session permissions
  • C. Policy versioning applied
  • D. Trust relationship conditions

Explanation: A trust relationship condition controls which users can assume the role, while the other options do not directly address this requirement.

Q42

You are configuring AWS Key Management Service (KMS). What happens if a key policy grants access but a user has no IAM permissions?

  • A. User can still access the key
  • B. User cannot access the key
  • C. Access depends on key status
  • D. IAM permissions override key policies

Explanation: Without appropriate IAM permissions, users can neither use the key nor perform operations on it, regardless of the key policy.

Q43

Which AWS service allows secure connections from on-premises to AWS?

  • A. AWS Direct Connect
  • B. AWS Lambda
  • C. Amazon S3
  • D. AWS CloudFormation

Explanation: AWS Direct Connect provides a dedicated network connection, while others do not facilitate secure connections.

Q44

A company needs to ensure that their API Gateway does not expose sensitive information if misconfigured. What should they enable?

  • A. CORS Configuration
  • B. AWS WAF
  • C. Resource Policies
  • D. CloudTrail Logging

Explanation: AWS WAF protects APIs from common web exploits, while others do not specifically address security vulnerabilities.

Q45

What happens when IAM policies lack explicit deny actions?

  • A. Access is granted by default
  • B. Access is always denied
  • C. Only root users can access
  • D. Permissions are inherited from resources

Explanation: Lacking explicit deny means access is allowed by default, while the other options misinterpret IAM policy behavior.

Q46

Which AWS service provides scalable object storage?

  • A. Amazon S3
  • B. Amazon RDS
  • C. Amazon EBS
  • D. Amazon DynamoDB

Explanation: Amazon S3 is designed for scalable object storage, while the others serve different data storage functions.

Q47

A company needs to manage temporary access for third-party developers. What should they use?

  • A. IAM Roles
  • B. AWS Direct Connect
  • C. Security Groups
  • D. AWS Lambda

Explanation: IAM Roles allow temporary access and permissions; the others do not provide the same functionality for access control.

Q48

You are configuring a VPC peering connection. What should you ensure about route tables?

  • A. Only one route is needed
  • B. Routes must be mutually updated
  • C. Default routes override custom ones
  • D. Route table modification is optional

Explanation: Both VPC route tables must be updated to ensure connectivity; the other options misinterpret VPC routing rules.

Q49

Which AWS service provides continuous compliance monitoring?

  • A. AWS Config
  • B. Amazon Inspector
  • C. AWS Shield
  • D. AWS CloudTrail

Explanation: AWS Config continuously monitors compliance against defined rules, while the others serve different security functions.

Q50

A company needs to enforce the principle of least privilege in IAM roles. What should they do?

  • A. Audit permissions regularly
  • B. Use AWS Organizations
  • C. Assign permissions broadly
  • D. Use policy conditions effectively

Explanation: Using policy conditions effectively limits permissions to the least necessary, whereas the other options don't directly enforce least privilege.