Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 61–70 of 486

Q61

Which AWS service is primarily used for real-time log processing?

  • A Amazon Kinesis
  • B AWS Lambda
  • C Amazon RDS
  • D AWS CloudTrail

Explanation: Amazon Kinesis is designed for real-time log data processing, whereas others serve different purposes.

Q62

A company needs high availability for an S3 bucket. What should it enable?

  • A Cross-Region Replication
  • B Standard Storage Class
  • C Eventual Consistency
  • D S3 Lifecycle Policies

Explanation: Cross-Region Replication ensures high availability across regions, while others do not specifically address availability.

Q63

You are configuring AWS IAM roles for Lambda functions. What is the primary risk?

  • A Over-permissioning roles
  • B Missed CloudTrail logs
  • C Lambda timeout errors
  • D S3 bucket name collision

Explanation: Over-permissioning roles can lead to security vulnerabilities, unlike the other options which are not primary issues.

Q64

Which AWS service provides automated compliance checks?

  • A AWS Config
  • B Amazon CloudWatch
  • C AWS CloudTrail
  • D AWS Lambda

Explanation: AWS Config enables you to monitor compliance with configurations while the others serve different monitoring or computing functions.

Q65

A company needs to enforce least privilege for its AWS IAM users. What is the best approach?

  • A Create user groups with policies
  • B Assign IAM roles to users
  • C Use the root user for access
  • D Allow full access as a default

Explanation: Creating user groups with specific policies effectively enforces least privilege; roles cannot be directly assigned to users in this context.

Q66

You are configuring an Amazon S3 bucket policy. What happens if the policy denies access to a certain IP range?

  • A Access is granted to all other IPs
  • B No effect on other policies
  • C All access to the bucket is denied
  • D Access is limited to the denied range

Explanation: A deny statement in an S3 bucket policy overrides other permissions, thus access is totally denied.

Q67

Which AWS service provides real-time monitoring for your AWS resources?

  • A Amazon CloudWatch
  • B AWS Config
  • C Amazon Inspector
  • D AWS CloudTrail

Explanation: Amazon CloudWatch monitors AWS resources in real-time; the others serve different purposes.

Q68

A company needs to implement resource policies for their S3 buckets. What should they configure?

  • A AWS IAM Roles
  • B S3 Bucket Policies
  • C AWS Config Rules
  • D Security Groups

Explanation: S3 Bucket Policies are used specifically to manage access; IAM Roles and Security Groups serve other functions.

Q69

What happens when you apply a security group rule that blocks all outbound traffic?

  • A Blocked Inbound Traffic Only
  • B Unrestricted Outbound Traffic
  • C No Network Connectivity
  • D Allows Specific IPs

Explanation: Blocking outbound traffic prevents all outbound connectivity; other options misinterpret the effect of security group rules.

Q70

Which AWS service is primarily used for monitoring AWS resources in real-time?

  • A CloudTrail
  • B CloudWatch
  • C Config
  • D GuardDuty

Explanation: CloudWatch monitors AWS resources in real-time, while CloudTrail logs API calls, Config tracks compliance, and GuardDuty is for threat detection.