Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: get65

Amazon Web Services Updated SCS-C03 Exam Questions and Answers by laurie

Page: 12 / 17

Amazon Web Services SCS-C03 Exam Overview :

Exam Name: AWS Certified Security – Specialty
Exam Code: SCS-C03 Dumps
Vendor: Amazon Web Services Certification: AWS Certified Specialty
Questions: 231 Q&A's Shared By: laurie
Question 48

A company is running a dynamic website by using an Application Load Balancer (ALB). A security engineer notices that bots from different IP addresses are using brute-force attacks to invoke a service endpoint frequently.

What is the FASTEST way to mitigate this problem?

Options:

A.

Create an AWS Lambda function to process ALB logs. Block the bots’ IP addresses in the ALB’s security group.

B.

Create an AWS WAF web ACL for the ALB. Add a rate-based rule to the web ACL to block the bots.

C.

Create an ALB listener rule. Combine source-ip and path-pattern as the conditions to match bots. Specify a fixed-response action to return an HTTP 403 status.

D.

Create an AWS WAF web ACL for the ALB. Add a rate-based rule to a rule group to block the bots. Attach the rule to the web ACL.

Discussion
Question 49

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.

Which combination of steps should the security team take? (Select THREE.)

Options:

A.

Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.

B.

Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.

C.

Create an SCP that prevents the creation of SSH key pairs.

D.

Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.

E.

Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.

F.

Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

Discussion
Question 50

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company ' s operations team manages access to the company’s S3 buckets. The company ' s security team manages access to encryption keys. The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?

Options:

A.

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

B.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

C.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

D.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Discussion
Question 51

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

Options:

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

Discussion
Ace
No problem! I highly recommend Cramkey Dumps to anyone looking to pass their certification exams. They will help you feel confident and prepared on exam day. Good luck!
Harris Jun 2, 2026
That sounds amazing. I'll definitely check them out. Thanks for the recommendation!
Andrew
Are these dumps helpful?
Jeremiah Jun 1, 2026
Yes, Don’t worry!!! I'm confident you'll find them to be just as helpful as I did. Good luck with your exam!
Wyatt
Passed my exam… Thank you so much for your excellent Exam Dumps.
Arjun Jun 8, 2026
That sounds really useful. I'll definitely check it out.
Hassan
Highly Recommended Dumps… today I passed my exam! Same questions appear. I bought Full Access.
Kasper Jun 4, 2026
Hey wonderful….so same questions , sounds good. Planning to write this week, I will go for full access today.
Page: 12 / 17
Title
Questions
Posted

SCS-C03
PDF

$36.75  $104.99

SCS-C03 Testing Engine

$43.75  $124.99

SCS-C03 PDF + Testing Engine

$57.75  $164.99