Summer Certification Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

SCS-C03 Exam Dumps - AWS Certified Security – Specialty

Searching for workable clues to ace the Amazon Web Services SCS-C03 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SCS-C03 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:
Question # 9

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?

A.

Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.

B.

Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

C.

Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an active DDoS event.

D.

Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an active DDoS event.

Full Access
Question # 10

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

A.

Use AWS Config with a managed rule to initiate the AWS-EnableCloudTrail remediation.

B.

Create an Amazon EventBridge event with a cloudtrail.amazonaws.com event source and a StartLogging event name to invoke an AWS Lambda function to call the StartLogging API.

C.

Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to invoke an AWS Lambda function to call the StartLogging API.

D.

Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.

Full Access
Question # 11

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Full Access
Question # 12

A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.

Which solution will meet this requirement?

A.

Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.

B.

Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.

C.

Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.

D.

Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.

Full Access
Question # 13

A company uses Amazon Cognito user pools with the hosted UI to authenticate its customers. The company’s security team has detected a surge in bot activity and suspicious traffic that targets the Amazon Cognito endpoints. A security engineer must implement a security solution to block these malicious requests. The security measures must maintain uninterrupted access for legitimate users.

Which solution meets these requirements?

A.

Use Amazon Cognito threat protection on the user pool.

B.

Configure the Amazon Cognito user pool app client settings to restrict access to only authenticated users.

C.

Associate an AWS WAF web ACL with the Amazon Cognito user pool. Define rules to filter unwanted requests and manage bot traffic.

D.

Use Amazon CloudWatch to monitor incoming Amazon Cognito requests. Create an identity pool to block suspicious user agents.

Full Access
Question # 14

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

A.

Track SSM Agent versions with AWS Config.

B.

Configure Session Manager to deny external connections.

C.

Store the script in Amazon S3 and grant read access.

D.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

Full Access
Question # 15

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

Full Access
Question # 16

A company ' s security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team ' s email address to the topic.

What should the security engineer do next to meet these requirements?

A.

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B.

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C.

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

D.

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

Full Access
Go to page: