Amazon AWS Certified Security - Specialty SCS-C03 Exam Questions

Page: 1 / 14
Total 121 questions

Want more questions? Get Premium Access.
()

Question 1

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

ADisable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.

BModify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.

CReconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP as the principal.

DConfirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.

Answer : B

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security -- Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP's SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

Question 2

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement an automated solution to detect and respond to anomalous traffic patterns. The solution must follow AWS best practices for initial incident response and must minimize disruption to the web application.

Which solution will meet these requirements?

ADisable the instance profile access keys by using AWS Lambda.

BRemove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

CUpdate the network ACL to block the detected traffic source.

DSend GuardDuty findings to Amazon SNS for email notification.

Answer : B

AWS incident response best practices emphasize containment with minimal blast radius while preserving business continuity. According to the AWS Certified Security -- Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue operating is the recommended initial response.

By creating an Amazon EventBridge rule that reacts to GuardDuty anomalous traffic findings and invokes an AWS Lambda function, the security engineer can automatically remove the affected EC2 instance from the Auto Scaling group and attach a restricted security group. This immediately stops malicious activity while allowing Auto Scaling to replace the instance and keep the application available.

Option A is inappropriate because EC2 instance profiles do not use long-term access keys. Option C applies subnet-wide changes that could disrupt unrelated workloads. Option D provides notification only and does not meet the automated response requirement.

AWS documentation explicitly identifies instance isolation via security groups as a preferred containment technique that preserves application availability and forensic integrity.

AWS Certified Security -- Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices

Question 3

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

* Database storage must be encrypted at rest.

* Deletion protection must be enabled.

* Databases must not be publicly accessible.

* Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for compliance with this policy. The solution must be able to display a database's compliance state for each part of the policy at any time.

Which solution will meet these requirements?

AEnable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

BEnable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

CEnable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

DCreate an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Answer : B

AWS Config is a fully managed service that provides continuous monitoring and evaluation of AWS resource configurations against desired configuration baselines. According to the AWS Certified Security -- Specialty Official Study Guide, AWS Config is the primary service used to track configuration changes, evaluate compliance in near real time, and display compliance states for individual AWS resources.

AWS Config provides managed rules that directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.

The AWS Config dashboard enables security engineers to view per-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.

AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data. Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.

AWS documentation explicitly identifies AWS Config as the authoritative service for continuous compliance monitoring and visibility.

AWS Certified Security -- Specialty Official Study Guide

AWS Config Developer Guide

Amazon Aurora Security Best Practices

AWS Well-Architected Framework -- Security Pillar

Question 4

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

ACreate a service role that has a composite principal that contains each service that needs the necessary permissions.

BCreate a service role that has cloudformation.amazonaws.com as the service principal.

CAdd policies that reference each CloudFormation stack ARN.

DAdd policies that reference the ARNs of each AWS service that requires permissions.

EUpdate each stack to use the service role.

FAdd a policy to each member role to allow the iam:PassRole action for the service role.

Answer : B, E, F

AWS CloudFormation supports the use of a service role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security -- Specialty Study Guide, using a service role is the most secure and consistent way to ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation---not individual users---assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifies CloudFormation service roles combined with iam:PassRole as best practice for secure, consistent infrastructure deployments.

AWS Certified Security -- Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

Question 5

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets.

The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's AWS Organization. The processing job must continue to function.

Which solution will meet these requirements?

AUpdate the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws:PrincipalOrgId match the company's organization.

BUpdate the instance profile role policy to require aws:ResourceOrgId.

CAdd a network ACL rule to block outbound traffic on port 443.

DApply an SCP that restricts S3 actions using organization condition keys.

Answer : A

Amazon S3 gateway endpoints support endpoint policies that can restrict which S3 resources are accessible through the endpoint. According to AWS Certified Security -- Specialty documentation, endpoint policies are evaluated in addition to IAM policies and are ideal for enforcing data exfiltration controls without breaking legitimate workloads.

By updating the S3 gateway endpoint policy to require both aws:ResourceOrgId and aws:PrincipalOrgId to match the company's AWS Organization, the security engineer ensures that EC2 instances can access only S3 buckets that belong to the organization. This immediately blocks exfiltration to external S3 buckets while allowing legitimate internal data access to continue uninterrupted.

Option B is insufficient because IAM policies alone cannot prevent access when the endpoint allows it. Option C would break all S3 access and stop the processing job. Option D applies too broadly and can impact unrelated services across the account.

AWS documentation highlights S3 VPC endpoint policies with organization condition keys as a best practice for preventing S3 data exfiltration in private VPC environments.

AWS Certified Security -- Specialty Official Study Guide

Amazon S3 VPC Endpoint Policy Documentation

AWS Organizations Condition Keys Documentation

Question 6

A company's data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

AConfigure an S3 Lifecycle rule to delete objects after 45 days.

BCreate a Lambda function triggered on object upload to delete old data.

CCreate a scheduled Lambda function to delete old objects monthly.

DConfigure S3 Intelligent-Tiering.

Answer : A

Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security -- Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.

Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Amazon S3 Lifecycle Management

Question 7

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution to prevent CloudTrail from being disabled.

Which solution will meet this requirement?

AEnable CloudTrail log file integrity validation from the organization's management account.

BEnable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

CCreate a service control policy (SCP) that includes an explicit Deny rule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

DCreate IAM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Answer : C

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security -- Specialty Official Study Guide, the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define the maximum available permissions for all accounts in an organization or organizational unit. By creating an SCP with an explicit Deny for the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to the root OU, the security engineer ensures that no principal in any member account---including administrators---can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states that SCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security -- Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices