SCS-C03 Exam: Absolutely Free Online Practice

Question 1
- A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access. The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets. The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that isoutside the company’s AWS Organization. The processing job must continue to function. Which solution will meet these requirements?
  A : Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws: PrincipalOrgId match the company’s organization.
  
  B : Update the instance profile role policy to require aws:ResourceOrgId.
  
  C : Add a network ACL rule to block outbound traffic on port 443.
  
  D : Apply an SCP that restricts S3 actions using organization condition keys.
  
  Answer: A
Question 2
- A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?
  A : Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
  
  B : Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
  
  C : Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
  
  D : Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.
  
  Answer: B
Question 3
- A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers. Which rule statement will meet these requirements?
  A : Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
  
  B : Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
  
  C : Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
  
  D : Use a string match rule statement that includes details of the IoT device brand from the user agent.
  
  Answer: D
Question 4
- A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker's IP address for future occurrences?
  A : Configure VPC Flow Logs on the subnet where the ALB is located and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
  
  B : Configure the CloudWatch agent on the ALB and send application logs to CloudWatch Logs.
  
  C : Configure the ALB to export access logs to an Amazon OpenSearch Service cluster and search for the new-user-creation.php occurrences.
  
  D : Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.
  
  Answer: D
Question 5
- A company needs to scan all AWS Lambda functions for code vulnerabilities.
  A : Use Amazon Macie.
  
  B : Enable Amazon Inspector Lambda scanning.
  
  C : Use GuardDuty and Security Hub.
  
  D : Use GuardDuty Lambda Protection.
  
  Answer: B

Free Amazon SCS-C03 Exam Questions

Absolute Free SCS-C03 Exam Practice for Comprehensive Preparation