Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C03 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 44

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.

A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.

Which rule statement will meet these requirements?

Options:

A.

Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.

B.

Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.

C.

Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.

D.

Use a string match rule statement that includes details of the IoT device brand from the user agent.

Buy Now
Question # 45

A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days.

Which solution will meet these requirements?

Options:

A.

Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.

B.

Remove IAM policies and query logs in Security Hub.

C.

Remove permission sets and query logs using CloudWatch Logs Insights.

D.

Disable the user in IAM Identity Center and query the organizational event data store.

Buy Now
Question # 46

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options:

A.

Use Amazon Macie.

B.

Enable Amazon Inspector Lambda scanning.

C.

Use GuardDuty and Security Hub.

D.

Use GuardDuty Lambda Protection.

Buy Now
Question # 47

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

Options:

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.

B.

Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

Buy Now
Question # 48

A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.

Which solution will meet these requirements?

Options:

A.

Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.

B.

Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.

C.

Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).

D.

Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.

Buy Now
Question # 49

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

Which solution will meet these requirements?

Options:

A.

Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.

B.

Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.

C.

Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.

D.

Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

Buy Now
Question # 50

A company’s application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.

What are the reasons for the error messages? (Select TWO.)

Options:

A.

The application does not have the kms:Encrypt permission for the customer managed key.

B.

The customer managed key is already being used to encrypt another SecureString parameter.

C.

Standard tier SecureString parameters cannot use a customer managed key for encryption.

D.

The customer managed key that is specified in the application has its key state set to Disabled.

E.

The customer managed key that is specified in the application is using a key alias instead of a key ID.

Buy Now
Question # 51

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

How can a security engineer provide the access to meet these requirements?

Options:

A.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.

B.

Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.

C.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.

D.

Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method.

Buy Now
Question # 52

A company uses an organization in AWS Organizations to manage multiple AWS accounts. A security engineer creates a WAF policy in AWS Firewall Manager in the us-east-1 Region. The security engineer sets the policy scope to apply to resources that are tagged withWAF-protected:truein one of the member accounts in the organization. The security engineer sets up a configuration to automatically remediate any noncompliant resources.

In a member account, the security engineer attempts to protect an Amazon API Gateway REST API in the us-east-1 Region by using a web ACL. However, after several minutes, the REST API is still not associated with the web ACL.

What is the likely cause of this issue?

Options:

A.

Web ACLs cannot be applied to REST APIs.

B.

The REST API is missing a tag that includes theWAF-protectedkey and a value oftrue.

C.

The web ACL is already associated with another REST API.

D.

The web ACL is already associated with an Amazon CloudFront distribution.

Buy Now
Question # 53

A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.

The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.

Which response will immediately mitigate the attack and help investigate the root cause?

Options:

A.

Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.

B.

Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 i

C.

Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.

D.

Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 11, 2026
Questions: 231
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$28.5  $94.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99