At Certs4Future, we provide you with the highest-quality SCS-C03 dumps to ensure you are fully prepared for the certification exam. Here’s why our exam materials stand out:
Authentic Exam Dumps: Our SCS-C03 exam dumps contain real, exam-specific questions and answers that you are likely to face on your exam.
Guaranteed Success: We are so confident in the quality of our materials that we offer a 100% pass guarantee. If you don’t pass the SCS-C03 exam, we’ll provide a refund or free updated dumps.
Up-to-Date Content: Our SCS-C03 dumps are continuously updated to reflect the latest exam changes and trends.
Detailed Explanations: Every question comes with an explanation to help you understand the reasoning behind the correct answers.
Download the Dumps: After purchasing, you will receive instant access to download the SCS-C03 exam dumps. You can study from any device, anywhere, anytime.
Start Practicing: Go through the practice questions and simulate the real exam environment. Track your progress and focus on areas that need improvement.
Take the Exam: After thorough preparation, take your SCS-C03 exam with confidence, knowing that you’ve used the best possible resources.
Pass and Succeed: With our authentic SCS-C03 dumps, you are guaranteed to pass the exam and earn your certification. If not, take advantage of our refund or free updated dumps.
Don’t leave your certification success to chance! Get the authentic SCS-C03 exam dumps from Certs4Future and start preparing today. With our expert-curated resources and pass guarantee, you'll be ready for the Amazon SCS-C03 exam in no time.
A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices. The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues. Which solution will meet these requirements with the LEAST operational effort?
A. Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.
B. Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.
C. Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.
D. Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Select THREE.)
A. The external ID used by the auditor is missing or incorrect.
B. The auditor is using the incorrect password.
C. The auditor has not been granted sts:AssumeRole for the role in the destination account.
D. The Amazon EC2 role used by the auditor must be set to the destination account role.
E. The secret key used by the auditor is missing or incorrect.
F. The role ARN used by the auditor is missing or incorrect.
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions. A security engineer must implement a solution to prevent CloudTrail from being disabled. Which solution will meet this requirement?
A. Enable CloudTrail log file integrity validation from the organization's management account.
B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
C. Create a service control policy (SCP) that includes an explicit Deny rule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.
D. Create IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes. What should the security engineer recommend?
A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to initiate the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge event with a cloudtrail.amazonaws.com event source and a StartLogging event name to invoke an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to invoke an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team. Which solution will meet these requirements?
A. Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.
B. Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.
C. Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.
D. Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.
A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:
• Database storage must be encrypted at rest.
• Deletion protection must be enabled.
• Databases must not be publicly accessible.
• Database audit logs must be published to Amazon CloudWatch Logs.
A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for compliance with this policy. The solution must be able to display a database's compliance state for each part of the policy at any time. Which solution will meet these requirements?
A. Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.
B. Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.
C. Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.
D. Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.
A company's security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company's AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization. Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)
A. Encrypt all AWS CloudTrail logs.
B. Turn on Amazon GuardDuty.
C. Change the password for all IAM users.
D. Rotate or delete all AWS access keys.
E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
F. Delete any resources that are unrecognized or unauthorized.
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
C. Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket. The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests. Which solution will meet this requirement?
A. Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.
B. Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.
C. Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.
D. Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.
A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company's IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection. Which solution will meet these requirements?
A. Create a bastion host with port forwarding to connect to the machines.
B. Set up AWS Systems Manager Session Manager to allow temporary connections.
C. Use AWS CloudShell to create serverless connections.
D. Set up an interface VPC endpoint for each machine for private connection.
A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances. The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22. After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked. What should the security engineer do to isolate the target instance?
A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption. Which combination of AWS solutions will meet these requirements? (Select TWO.)
A. AWS Site-to-Site VPN
B. AWS Direct Connect
C. AWS VPN CloudHub
D. VPC peering
E. NAT gateway
A security engineer needs to prepare a company's Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances. Which solution will quarantine EC2 instances during a security incident?
A. Create a rule in AWS Config to track SSM Agent versions.
B. Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.
C. Store the script in Amazon S3 and grant read access to the instance profile.
D. Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.
A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company's operations team manages access to the company’s S3 buckets. The company's security team manages access to encryption keys. The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data. Which solution will meet this requirement?
A. Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.
B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
C. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
D. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.
A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client's privilege scope. Which combination of actions should the company take to prevent this threat? (Select TWO.)
A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
C. Apply an AWS IoT Core policy that allows "AWSIoTWirelessDataAccess" with the principal set to "client/${iot:Connection.Thing.ThingName}".
D. Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:ClientId}".
E. Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:Connection.Thing.ThingName}".
A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which solution will meet these requirements?
A. Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.
B. Use IAM policies to restrict access to the Encrypt and Decrypt API actions.
C. Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.
D. Use key policies to restrict access to the appropriate IAM groups.
A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment. Which solution will meet these requirements with the LEAST operational effort?
A. Install a third-party security add-on.
B. Enable AWS Security Hub and monitor Kubernetes findings.
C. Monitor CloudWatch Container Insights metrics for EKS.
D. Enable Amazon GuardDuty and use EKS Audit Log Monitoring.
A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU. Which solution will meet these requirements?
A. Create a new SCP in the marketing account to explicitly allow sharing.
B. Edit the existing SCP to add a condition that excludes the marketing account.
C. Edit the SCP to include an Allow statement for the marketing account.
D. Use a permissions boundary in the marketing account.
A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials. Which solution will provide the application with AWS credentials?
A. Use Amazon Cognito identity pools and the GetId API.
B. Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.
C. Use Amazon Cognito user pools with ID tokens.
D. Use Amazon Cognito user pools with access tokens.