Amazon SCS-C03 Online Practice
Questions and Exam Preparation
SCS-C03 Exam Details
Exam Code
:SCS-C03
Exam Name
:AWS Certified Security - Specialty
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:257 Q&As
Last Updated
:Jul 15, 2026
Amazon SCS-C03 Online Questions &
Answers
Question 161:
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?
A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena. B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail. C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty. D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
Explanation
implement control keys cryptographic operations makes To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster, For auditing, use AWS CloudTrail, the strongest match, because cryptographic operations symmetric keys key asks for a managed AWS capability and that reduces the need for extra supervisory automation. cryptographic operations symmetric keys key depends on To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster, For auditing, use AWS CloudTrail, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario which keeps the protection aligned with the stated AWS boundary. keys key material generated used is reinforced by A security engineer needs to implement a solution to create and control the keys, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance so administrators can review the configuration without tracing a custom chain.
generated used key store backed also supports To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster, For auditing, use AWS CloudTrail,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior and the design remains easier to govern across the environment. store backed CloudHSM cluster symmetric would be weaker with To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster, For auditing, use Amazon Athena,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere which is important when security controls must be repeatable. cluster symmetric asymmetric data key separates To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster, For auditing, use AWS CloudTrail, and To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster, For auditing, use Amazon GuardDuty, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly so the implementation follows the managed service contract instead of a workaround. data key pairs local applications points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads and it avoids mixing detection, storage, deployment, and identity responsibilities.
Question 162:
A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.
The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:
- A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
- A compromised EC2 instance's metadata must be updated with corresponding incident ticket information.
- A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
- Any investigative activity during the collection of volatile data must be captured as part of the process.
Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)
A. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources. B. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources. C. Use Systems Manager Run Command to invoke scripts that collect volatile data. D. Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data. E. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information. F. Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.
A. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources. B. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.
Explanation
develop process investigate respond potential makes Gather any relevant metadata for the compromised EC2 instance, Enable termination protection, Isolate the instance by updating the instance's security groups to restrict access, Detach the plus Use Systems Manager Run Command to invoke scripts that collect volatile data, plus Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations, Tag the instance with any relevant metadata and incident ticket information, the strongest match, because respond potential events EC2 instances asks for a managed AWS capability so the implementation follows the managed service contract instead of a workaround. respond potential events EC2 instances depends on Gather any relevant metadata for the compromised EC2 instance, Enable termination protection, Isolate the instance by updating the instance's security groups to restrict access, Detach the to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario and it avoids mixing detection, storage, deployment, and identity responsibilities. EC2 instances backed EBS Systems is reinforced by A security engineer needs to develop a process to investigate and respond to potential, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance while keeping the service responsibility clear for operations teams.
instances backed EBS Systems Manager also supports Use Systems Manager Run Command to invoke scripts that collect volatile data,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior and that reduces the need for extra supervisory automation. Systems Manager manage EC2 instances would be weaker with Gather any relevant metadata for the compromised EC2 instance, Enable termination protection, Move the instance to an isolation subnet that denies all source and destination traffic,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere which keeps the protection aligned with the stated AWS boundary. EC2 instances installed Systems Manager separates Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data, and Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance, Tag the instance with any relevant metadata and from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly so administrators can review the configuration without tracing a custom chain. Systems Manager Agent EC2 instances points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads and the design remains easier to govern across the environment.
Question 163:
A company's application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.
What are the reasons for the error messages? (Select TWO.)
A. The application does not have the kms:Encrypt permission for the customer managed key. B. The customer managed key is already being used to encrypt another SecureString parameter. C. Standard tier SecureString parameters cannot use a customer managed key for encryption. D. The customer managed key that is specified in the application has its key state set to Disabled. E. The customer managed key that is specified in the application is using a key alias instead of a key ID.
A. The application does not have the kms:Encrypt permission for the customer managed key. B. The customer managed key is already being used to encrypt another SecureString parameter.
Explanation
application standard tier SecureString parameters makes.
The application does not have the kms, Encrypt permission for the customer managed key, plus.
The customer managed key that is specified in the application has its key state set to Disabled, the strongest match, because SecureString parameters Systems Manager Parameter asks for a managed AWS capability and the design remains easier to govern across the environment. SecureString parameters Systems Manager Parameter depends on The application does not have the kms, Encrypt permission for the customer managed key, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario which is important when security controls must be repeatable. Manager Parameter Store application receiving is reinforced by A company's application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store,, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance so the implementation follows the managed service contract instead of a workaround.
application receiving error messages tries also supports.
The customer managed key that is specified in the application has its key state set to Disabled,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior and it avoids mixing detection, storage, deployment, and identity responsibilities. messages tries update parameter KMS would be weaker with The customer managed key is already being used to encrypt another SecureString parameter,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere while keeping the service responsibility clear for operations teams. parameter KMS customer managed key separates Standard tier SecureString parameters cannot use a customer managed key for encryption, and The customer managed key that is specified in the application is using a key alias instead of a key ID, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly and that reduces the need for extra supervisory automation. customer managed key encryption decryption points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads which keeps the protection aligned with the stated AWS boundary.
Question 164:
A security engineer discovers that a company ' s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):
- AWS Identity and Access Management (IAM) federated with on-premises Active Directory
- Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed
Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Select TWO.)
A. Update the password length policy in the IAM configuration. B. Update the password length policy in the Cognito configuration. C. Update the password length policy in the on-premises Active Directory configuration. D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito. E. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.
A. Update the password length policy in the IAM configuration. B. Update the password length policy in the Cognito configuration.
Explanation
discovers user passwords required minimum makes Update the password length policy in the Cognito configuration, plus Update the password length policy in the on-premises Active Directory configuration, the strongest match, because required minimum length identity providers asks for a managed AWS capability which keeps the protection aligned with the stated AWS boundary. required minimum length identity providers depends on Update the password length policy in the Cognito configuration, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario so administrators can review the configuration without tracing a custom chain. identity providers IdPs Access Management is reinforced by A security engineer discovers that a company ' s user passwords have no required, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance and the design remains easier to govern across the environment.
Identity Access Management IAM federated also supports Update the password length policy in the on- premises Active Directory configuration,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior which is important when security controls must be repeatable. IAM federated premises Active Directory would be weaker with Update the password length policy in the IAM configuration,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere so the implementation follows the managed service contract instead of a workaround. Active Directory Cognito user pools separates Create an
SCP in AWS Organizations, Configure the SCP to enforce a minimum password length for IAM and Cognito, and Create an IAM policy that includes a condition for minimum password length, Enforce the policy for IAM and Cognito, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly and it avoids mixing detection, storage, deployment, and identity responsibilities. user pools contain database Cloud points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads while keeping the service responsibility clear for operations teams.
Question 165:
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Select TWO.)
A. AWS Site-to-Site VPN B. AWS Direct Connect C. AWS VPN CloudHub D. VPC peering E. NAT gateway
A. AWS Site-to-Site VPN B. AWS Direct Connect
Explanation
migrating legacy systems premises data makes AWS Site-to-Site VPN plus AWS Direct Connect the strongest match, because premises data center application server asks for a managed AWS capability while keeping the service responsibility clear for operations teams. premises data center application server depends on AWS Site-to-Site VPN to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario and that reduces the need for extra supervisory automation. application server run but database is reinforced by A company is migrating one of its legacy systems from an on-premises data center, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance which keeps the protection aligned with the stated AWS boundary.
but database remain premises data also supports AWS Direct Connect, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior so administrators can review the configuration without tracing a custom chain. premises data center compliance reasons would be weaker with AWS VPN CloudHub, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere and the design remains easier to govern across the environment. compliance reasons database sensitive network separates VPC peering and NAT gateway from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly which is important when security controls must be repeatable. sensitive network latency Additionally data points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads so the implementation follows the managed service contract instead of a workaround.
Question 166:
A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer.
Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an
RPO of1 hour.
Which solution will meet these requirements?
A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code. B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code. D. Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.
A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.
Explanation
EC2 instances host frontend behind makes Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour, Create AWS CloudFormation templates that replicate existing architecture components, Use a the strongest match, because frontend behind Application Load Balancer asks for a managed AWS capability so administrators can review the configuration without tracing a custom chain. frontend behind Application Load Balancer depends on Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour, Create AWS CloudFormation templates that replicate existing architecture components, Use a to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario and the design remains easier to govern across the environment. Load Balancer Elastic Block Store is reinforced by A company uses Amazon EC2 instances to host frontend services behind an Application Load, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance which is important when security controls must be repeatable.
Block Store EBS volumes attached also supports Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour, Create AWS CloudFormation templates that replicate existing architecture components, Use a, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior so the implementation follows the managed service contract instead of a workaround. volumes attached EC2 instances buckets would be weaker with Use AWS Backup to create backups of the EBS volumes and S3 objects every day, Use Amazon Security Lake to create a centralized data lake for, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere and it avoids mixing detection, storage, deployment, and identity responsibilities. instances buckets store large files separates Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs, Use the logs for automated response, Enable AWS and Create EBS snapshots every 4 hours, Enable Amazon GuardDuty Malware Protection, Create automation to immediately restore the most recent snapshot for any EC2 instances that produce from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly while keeping the service responsibility clear for operations teams. large files images music implemented points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads and that reduces the need for extra supervisory automation.
Question 167:
A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company's security policy requires that connections to Amazon S3 are over a private network and are secure.
The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully.
When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.
What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?
A. Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses. B. Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses. C. Adjust the gateway VPC endpoint policy to allow access from the Lambda function's network interface address. D. Configure the Lambda function's security group to allow connections to the S3 network address space.
A. Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses.
Explanation
Lambda function requires access bucket makes Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses, the strongest match, because access bucket policy requires connections asks for a managed AWS capability and the design remains easier to govern across the environment. access bucket policy requires connections depends on Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario which is important when security controls must be repeatable. requires connections over private network is reinforced by A company has an AWS Lambda function that requires access to an Amazon S3, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance so the implementation follows the managed service contract instead of a workaround.
private network secure configured gateway also supports Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior and it avoids mixing detection, storage, deployment, and identity responsibilities. configured gateway VPC endpoint allow would be weaker with Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere while keeping the service responsibility clear for operations teams. endpoint VPC allow access configured separates Adjust the gateway VPC endpoint policy to allow access from the Lambda function's network interface address, and Configure the Lambda function's security group to allow connections to the S3 network address space, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly and that reduces the need for extra supervisory automation. access configured Lambda function run points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads which keeps the protection aligned with the stated AWS boundary.
Question 168:
A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.
Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.
What should the security engineer do to meet these requirements with the LEAST effort?
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs. B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs. C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs. D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
Explanation
hosts web application Apache server makes Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs, the strongest match, because Apache web server application runs asks for a managed AWS capability which keeps the protection aligned with the stated AWS boundary. Apache web server application runs depends on Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario so administrators can review the configuration without tracing a custom chain. application runs EC2 instances Auto is reinforced by A company hosts a web application on an Apache web server, The application runs, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance and the design remains easier to govern across the environment.
instances Auto Scaling group configured also supports Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior which is important when security controls must be repeatable. group configured EC2 instances send would be weaker with Export the CloudWatch Logs group data to Amazon S3, Use Amazon Macie to query the logs for the specific IP address and the requested URLs,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere so the implementation follows the managed service contract instead of a workaround. instances send Apache web server separates Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster, Use OpenSearch Service to analyze the logs for the specific and Export the CloudWatch Logs group data to Amazon S3, Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly and it avoids mixing detection, storage, deployment, and identity responsibilities. web server logs CloudWatch group points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads while keeping the service responsibility clear for operations teams.
Question 169:
A company is undergoing a security audit. The company issues IAM user credentials for an auditor.
Because of third-party integration requirements, the auditor is unable to assume an IAM role. The auditor attempts to log in to AWS for the first time to reset the account password and to configure multi-factor authentication (MFA). However, the auditor receives an "Access Denied" error during the attempt to reset the password.
The auditor's account has the following IAM permissions: securityhub:Get* securityhub:List* securityhub:BatchGet* securityhub:Describe*
iam:ChangePassword on arn:aws:iam::*:user/${aws:username}
Which action will resolve this error?
A. The auditor needs to configure MFA before resetting the password. B. The auditor must create a more complex password that requires additional characters or symbols. C. Add iam:GetAccountPasswordPolicy with Resource: " * " to the auditor's user account policy. D. Add iam:ChangePassword with Resource: " * " to the auditor's user account policy.
A. The auditor needs to configure MFA before resetting the password.
Explanation
undergoing audit issues IAM user makes Add iam, GetAccountPasswordPolicy with Resource, " * " to the auditor's user account policy, the strongest match, because IAM user credentials auditor Because asks for a managed AWS capability so administrators can review the configuration without tracing a custom chain. IAM user credentials auditor Because depends on Add iam, GetAccountPasswordPolicy with Resource, " * " to the auditor's user account policy, to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario and the design remains easier to govern across the environment. auditor Because third party integration is reinforced by A company is undergoing a security audit, The company issues IAM user credentials for, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance which is important when security controls must be repeatable.
party integration requirements auditor unable also supports Add iam, GetAccountPasswordPolicy with Resource, " * " to the auditor's user account policy,, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior so the implementation follows the managed service contract instead of a workaround. auditor unable assume IAM role would be weaker with The auditor needs to configure MFA before resetting the password,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere and it avoids mixing detection, storage, deployment, and identity responsibilities. IAM role auditor attempts log separates The auditor must create a more complex password that requires additional characters or symbols, and Add iam, ChangePassword with Resource, " * " to the auditor's user account policy, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly while keeping the service responsibility clear for operations teams. attempts log first time reset points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads and that reduces the need for extra supervisory automation.
Question 170:
A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is
123456789012. The attack created workloads that are distributed across multiple AWS Regions.
The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.
The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.
The security engineer must delete the key as quickly as possible.
Which solution will meet this requirement?
A. Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days. B. Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days. C. Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days. D. Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.
A. Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
Explanation
responding incident affecting 123456789012 attack makes Log in to the account by using the account root user credentials, Re-issue the deletion request for the KMS key with a waiting period of 7 the strongest match, because 123456789012 attack created workloads distributed asks for a managed AWS capability which is important when security controls must be repeatable. 123456789012 attack created workloads distributed depends on Log in to the account by using the account root user credentials, Re-issue the deletion request for the KMS key with a waiting period of 7 to place the control at the same account, resource, identity, key, log, network, or assessment boundary named by the scenario so the implementation follows the managed service contract instead of a workaround. workloads distributed multiple Regions contains is reinforced by A security engineer is responding to an incident that is affecting an AWS account,, because that wording favors direct service configuration over scripts, forwarding jobs, manual reviews, or account-by-account maintenance and it avoids mixing detection, storage, deployment, and identity responsibilities.
Regions contains attack removes compute also supports Log in to the account by using the account root user credentials, Re-issue the deletion request for the KMS key with a waiting period of 7, since the service keeps policy evaluation, collection, encryption, deployment, or access analysis inside the AWS plane that owns the behavior while keeping the service responsibility clear for operations teams. removes compute storage resources affected would be weaker with Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days,, because that alternative addresses a neighboring activity while the main security action still has to be solved elsewhere and that reduces the need for extra supervisory automation. resources affected Regions However attacker separates Update the IAM principal to allow kms, * permissions on the KMS key ARN, Re-issue the deletion request for the KMS key with a waiting period and Disable the KMS key, Re-issue the deletion request for the KMS key in 30 days, from the requested outcome, since those choices can help a wider architecture without satisfying the complete constraint directly which keeps the protection aligned with the stated AWS boundary. However attacker also created KMS points to a design with clearer responsibility, cleaner operations, and better reviewability for a security team managing AWS workloads so administrators can review the configuration without tracing a custom chain.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C03 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.