Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers | Set: 2

Questions 11

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Options:
A.

Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.

B.

Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

C.

Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

D.

Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

Amazon Web Services SCS-C03 Premium Access
Questions 12

A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

Which network ACL rule set meets these requirements?

Options:
A.

Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

B.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

C.

Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

D.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

Questions 13

A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

Options:
A.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.

Deactivate the exposed IAM access key from the user ' s IAM account.

C.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Questions 14

A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template. The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.

Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?

Options:
A.

Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.

B.

Create a cross-account IAM role with a unique external ID in each AWS account. Assume the cross-account role to deploy the template.

C.

Package the template as an AWS Service Catalog product. Log in to each account and provision the product to each account.

D.

Set up AWS CodePipeline in each account. Configure a pipeline to pull the template from an Amazon S3 bucket in the Organizations management account.

Questions 15

A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR.

Which solution will prevent vulnerable images from being pushed?

Options:
A.

Enable ECR enhanced scanning with Lambda blocking.

B.

Use Amazon Inspector with EventBridge and Lambda.

C.

Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline on critical findings.

D.

Enable basic continuous ECR scanning.

Questions 16

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

Options:
A.

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

B.

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C.

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D.

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Questions 17

A company’s application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.

What are the reasons for the error messages? (Select TWO.)

Options:
A.

The application does not have the kms:Encrypt permission for the customer managed key.

B.

The customer managed key is already being used to encrypt another SecureString parameter.

C.

Standard tier SecureString parameters cannot use a customer managed key for encryption.

D.

The customer managed key that is specified in the application has its key state set to Disabled.

E.

The customer managed key that is specified in the application is using a key alias instead of a key ID.

Questions 18

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:
A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Questions 19

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization ' s delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

The company is performing control tests on specific GuardDuty findings to make sure that the company ' s security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain,example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

Why was the finding not created in the Security Hub delegated administrator account?

Options:
A.

VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B.

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C.

The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D.

Cross-Region aggregation in Security Hub was not configured.

Questions 20

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

Options:
A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.