Free AWS Certified Security - Specialty (SCS-C03) Practice Questions
Test your knowledge with 20 free exam-style questions
SCS-C03 Exam Facts
Questions: 65
Passing score: 720/1000
Duration: 130 min
Frequently Asked Questions
These 20 sample questions let you experience the exact format, difficulty, and question styles you'll encounter on exam day. Use them to identify knowledge gaps and decide if our full practice exam package is right for your preparation strategy.
Our questions mirror the actual exam format, difficulty level, and topic distribution. Each question includes detailed explanations to help you understand the concepts.
The full package includes 7 complete practice exams with 455+ unique questions, detailed explanations, progress tracking, and lifetime access.
Yes! Our SCS-C03 practice questions are regularly updated to reflect the latest exam objectives and question formats. All questions align with the current 2026 exam blueprint.
Sample SCS-C03 Practice Questions
Browse all 20 free AWS Certified Security - Specialty practice questions below.
A security architect needs to understand how GuardDuty generates severity scores for findings. What factors influence the severity level assigned to a GuardDuty finding?
- The time of day the activity occurred - activity outside business hours is considered more severe.
- The type of activity detected - certain finding types are inherently more severe than others.
- The confidence level of the detection - higher confidence in malicious activity increases severity.
- The cost of the affected AWS resources - more expensive resources generate higher severity findings.
- The potential impact of the detected activity on the affected resources and data.
A company needs to implement a break-glass procedure that allows emergency access to production accounts when the normal access mechanisms are unavailable. The access should be logged and require multiple approvals. What solution should they implement?
- Store AWS root user credentials in Secrets Manager with a rotation policy and retrieve them during emergencies.
- Configure IAM Identity Center with a break-glass permission set that requires multi-party approval before access is granted.
- Create a dedicated break-glass IAM user in each account with MFA. Store the MFA device and credentials in a physical safe that requires multiple keyholders to open. Enable CloudTrail to log all activities.
- Use AWS Organizations SCPs to create a policy that allows emergency access when activated through a central console.
A security team is investigating unusual CloudTrail events showing API calls from an assumed role. The calls originated from an IP address outside the company's known ranges. What investigation steps should they take to determine if this is a security incident?
- Check GuardDuty for findings related to the suspicious activity, as GuardDuty may have already flagged this as a potential threat.
- Review the sourceIPAddress field in CloudTrail events to identify all API calls from the suspicious IP address and the roles/identities involved.
- Examine the userIdentity.sessionContext in CloudTrail events to identify the original principal that assumed the role and how the session was obtained.
- Use Amazon Detective to visualize the role's activity patterns and identify deviations from normal behavior.
- Immediately revoke the role to stop any ongoing unauthorized access before completing the investigation.
A company wants to correlate network events with CloudTrail events to investigate potential security incidents. They're considering Amazon Detective. What should they understand about Detective's correlation capabilities?
- Detective uses machine learning to establish behavioral baselines and highlight deviations that might indicate security issues.
- Detective builds entity profiles that show relationships between IAM principals, EC2 instances, IP addresses, and the resources they accessed.
- Detective can correlate events across different AWS accounts in the same behavior graph.
- Detective requires CloudWatch Logs agent to be installed on EC2 instances to correlate system events.
- Detective automatically correlates VPC Flow Logs with CloudTrail events, linking network connections to the API calls that initiated them.
A security engineer is writing AWS Verified Access policies using Cedar to control access to an internal HR application. They need to ensure that only users in the 'HR-Admins' group with devices that have a risk score below 'medium' can access the application. Additionally, all POST requests should be restricted to users with an 'Administrator' role. Which TWO statements about Cedar policies in Verified Access are correct? (Select TWO.)
- Cedar policies are written in JSON format and must be validated through AWS CloudFormation before deployment to Verified Access.
- Cedar policies access user identity claims and device posture data through the trust provider context, such as context.identity.groups and context.device.risk_score, to make access decisions.
- Cedar policies can reference HTTP request attributes like the request method (GET, POST) through context.http_request.http_method, which Verified Access includes by default in all policy evaluations.
- Cedar policies in Verified Access must define explicit principal, action, and resource values in the policy scope, similar to IAM policy structure with Effect, Action, and Resource elements.
- Cedar policies use an explicit deny model where if any 'forbid' policy matches a request, the request is denied regardless of any matching 'permit' policies, and if no policy matches, the request is implicitly denied.
A security team needs to ensure that GuardDuty is enabled in all accounts and regions across their organization. How can they verify and enforce this requirement?
- Create an SCP that prevents accounts from disabling GuardDuty once it's enabled.
- Configure GuardDuty to self-heal if it's disabled in any account.
- Enable GuardDuty organization integration with auto-enable for new accounts, which automatically enables GuardDuty in all existing and new member accounts.
- Use AWS Config with the guardduty-enabled-centralized rule to monitor GuardDuty status across all accounts.
- Deploy GuardDuty using CloudFormation StackSets to enable it in all existing regions and accounts.
A company needs to ensure that their security tools are protected from being disabled by an attacker who gains administrative access to a member account. Which controls prevent an attacker from disabling security monitoring?
- Store security logs in a separate log archive account with cross-account write-only access.
- Create SCPs that deny actions to disable GuardDuty, Security Hub, Config, and CloudTrail in all member accounts.
- Use IAM permission boundaries to prevent security service modifications.
- Configure security services as organization-managed from a delegated administrator account, not individual accounts.
- Enable MFA for all administrator users in member accounts.
A financial services company is implementing a privileged access management (PAM) solution for their AWS environment. Administrators should only be able to assume high-privilege roles for a limited time after approval, and all sessions must be recorded. Which AWS services combination provides these capabilities?
- Use AWS IAM Identity Center with permission sets that have maximum session duration limits. Integrate with an external approval workflow before granting temporary access.
- Configure IAM role trust policies with conditions requiring MFA for high-privilege role assumption.
- Configure AWS Systems Manager Session Manager with CloudWatch Logs integration to record all terminal sessions. Enable KMS encryption for session logs.
- Use CloudTrail to log all AssumeRole API calls for high-privilege roles. Create EventBridge rules to alert when these roles are assumed.
- Implement AWS Config rules to detect when administrators assume high-privilege roles and automatically terminate sessions exceeding time limits.
A company uses AWS Secrets Manager to store database credentials and wants to ensure that secrets can only be created with automatic rotation enabled. How should they enforce this requirement?
- Configure Secrets Manager to require rotation by default for all new secrets.
- Use IAM permission boundaries to require rotation configuration in secret creation requests.
- Use AWS Config to detect secrets without rotation and automatically enable it.
- Create an SCP that denies secretsmanager:CreateSecret unless the request includes rotation configuration parameters.
A company is evaluating encryption options for sensitive data processing. They need to perform computations on encrypted data without ever decrypting it on the server side. Which approach enables this capability?
- Use client-side encryption with AWS KMS so data is never decrypted on AWS servers.
- Implement homomorphic encryption using AWS CloudHSM for key management.
- Use AWS Nitro Enclaves to create isolated compute environments where sensitive data is decrypted only within the enclave, never exposed to the parent instance.
- Use AWS Clean Rooms which allows computation on encrypted data from multiple parties without exposing raw data.
A security team is implementing AWS Network Firewall to inspect traffic between VPCs in a hub-and-spoke Transit Gateway architecture. They need to detect and block SQL injection attempts and known malicious IP addresses while maintaining detailed logs for forensic analysis. Which combination of Network Firewall features should they configure?
- Use stateless rules with rate limiting to block SQL injection attempts that exceed normal query rates.
- Enable logging to S3 with flow logs and alert logs configured to capture all stateful rule matches and blocked traffic.
- Enable stateless rules with TCP flag inspection to identify SQL injection attempts based on packet headers.
- Configure a stateful rule group using managed threat intelligence feeds to automatically block traffic from known malicious IP addresses.
- Configure stateful rules using Suricata-compatible IPS rules with signatures for SQL injection patterns in the payload.
A company is implementing AWS Network Firewall to inspect traffic flowing through their centralized egress VPC. Arrange the following steps in the correct order to deploy and configure the firewall.
A company needs to ensure that all data stored in Amazon S3 is encrypted at rest using keys managed by the company. The keys must be stored in a dedicated hardware security module (HSM) that the company controls. Which encryption option should be used?
- Server-side encryption with customer-provided keys (SSE-C), where keys are stored in AWS CloudHSM and provided with each S3 request.
- Client-side encryption with keys managed by AWS CloudHSM before uploading to S3.
- Server-side encryption with AWS KMS keys (SSE-KMS), where the KMS key is backed by an AWS CloudHSM custom key store.
- Server-side encryption with Amazon S3-managed keys (SSE-S3) with a customer-managed CMK policy.
Match each AWS security governance service with its primary function in an enterprise cloud environment.
A company is implementing bring-your-own-key (BYOK) for their AWS KMS encryption. They want to maintain control over key material while using KMS for key management operations. What are the limitations they must consider? (Select TWO)
- Imported key material does not support automatic key rotation; you must manually reimport new key material.
- The key material must be imported within 24 hours of creating the KMS key, or the key becomes unusable and must be recreated.
- Keys with imported material cannot be shared across accounts using key policies.
- Imported keys cannot be used for envelope encryption operations like GenerateDataKey.
- Imported key material must use RSA_2048 algorithm; other algorithms are not supported.
A security engineer needs to implement a solution that detects and alerts when IAM roles are used outside of their intended AWS services. For example, a role intended only for Lambda should alert if used by EC2 or from the AWS CLI. Which approach provides this detection capability?
- Create CloudWatch Logs metric filters on CloudTrail logs that alert when AssumeRole events show unexpected userAgent values for specific roles.
- Use IAM Access Analyzer to continuously monitor role assumptions and generate findings when roles are assumed by unexpected principals.
- Enable GuardDuty and rely on its behavioral analysis to detect when roles are assumed from unusual sources.
- Configure IAM role trust policies to restrict which services can assume the role. This prevents rather than detects misuse.
A company is deploying Detective across their organization. They want to understand what data sources Detective uses for its analysis. What data does Detective analyze?
- S3 object contents for data classification and sensitive data detection.
- AWS CloudTrail management events, providing API activity across AWS services.
- Amazon CloudWatch Logs from applications running on EC2 instances.
- Amazon GuardDuty findings, which are correlated with other data sources for investigation.
- VPC Flow Logs, providing network traffic information between resources.
A company wants to use AWS WAF to block requests containing specific sensitive data patterns in request bodies, such as credit card numbers being submitted to unauthorized endpoints. What WAF feature enables this?
- Use Amazon Macie integration with WAF to detect and block sensitive data patterns.
- Create a custom WAF rule with a regex pattern set that matches credit card number formats and apply it to the request body component.
- Configure WAF Bot Control to detect and block automated credit card testing attacks.
- Enable the AWS Managed Rules Common Rule Set, which includes PCI DSS sensitive data detection.
A company needs to implement centralized certificate management for internal services running on EC2 instances. Certificates must be automatically rotated before expiration, and private keys must never leave the AWS environment. Certificate issuance should be automated through infrastructure as code. Which solution meets these requirements?
- Deploy HashiCorp Vault on EC2 to manage certificate issuance. Configure Vault's PKI secrets engine with automatic rotation and store root CA keys in AWS CloudHSM.
- Create a private CA using AWS Certificate Manager Private CA. Use ACM to issue private certificates that can be exported to EC2 instances. Automate renewal through Systems Manager State Manager.
- Use AWS Certificate Manager (ACM) to request public certificates and deploy them to EC2 instances. ACM handles automatic renewal.
- Generate certificates using OpenSSL in a Lambda function. Store certificates in Secrets Manager with automatic rotation. Deploy to EC2 instances using Systems Manager.
A compliance officer is comparing AWS Organizations policy types for a governance strategy. Select TWO correct statements about how declarative policies differ from SCPs and RCPs.
- Declarative policies are enforced at the service control plane level, ensuring baseline configurations are maintained even when services introduce new APIs.
- Declarative policies can govern service-linked roles, unlike SCPs and RCPs which cannot restrict them.
- Declarative policies support all AWS services, while SCPs and RCPs are limited to specific service integrations.
- Declarative policies produce the same non-customizable access denied errors as SCPs and RCPs.
- Declarative policies require detachment and reattachment whenever the underlying service adds new features.