SCS-C03 Amazon-Web-Services Exam Questions and Free Practice Test

Question 14

A company that uses AWS Organizations is using AWS IAM Identity Center to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.
When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.
What should the security engineer do to resolve this failure?

A. Create the customer managed policy in every account where the permission set is assigne

B. Give the customer managed policy the same name and same permissions in each account.

C. Remove either the AWS managed policy or the customer managed policy from the permission se

D. Create a second permission set that includes the removed polic

E. Apply the permission sets separately to the user.

F. Evaluate the logic of the AWS managed policy and the customer managed polic

G. Resolve any policy conflicts in the permission set before deployment.

H. Do not add the new permission set to the use

I. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

Correct Answer:A

Question 15

A company??s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company??s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.
What should the security engineer do to meet these requirements?

A. Create security groups and attach them to all SQS queues.

B. Modify network ACLs in all VPCs to restrict inbound traffic.

C. Create interface VPC endpoints for Amazon SQ

D. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.

E. Use a third-party cloud access security broker (CASB).

Correct Answer:C

Question 16

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D. The version of the Lambda function that was invoked was not current.

Correct Answer:A

Question 17

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.
Which solution will meet these requirements MOST cost-effectively?

A. Use AWS WAF IP match rules.

B. Use AWS WAF geo match rules.

C. Use CloudFront geo restriction to deny the countries.

D. Use geolocation headers in CloudFront.

Correct Answer:C

Question 18

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.
Which solution will meet these requirements with the LEAST operational effort?

A. Install a third-party security add-on.

B. Enable AWS Security Hub and monitor Kubernetes findings.

C. Monitor CloudWatch Container Insights metrics for EKS.

D. Enable Amazon GuardDuty and use EKS Audit Log Monitoring.

Correct Answer:D

START SCS-C03 EXAM

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18