Practice Free SCS-C03 Exam Online Questions
A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work. The security engineer needs to recover an Amazon RDS database cluster to the last known good version. The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.
Which solution will meet this requirement?
- A . Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.
- B . Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.
- C . List all snapshots that have been taken of all the company’s RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.
- D . Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.
A
Explanation:
Amazon RDS supports point-in-time recovery (PITR) using automated backups within the configured retention window. According to the AWS Certified Security – Specialty Study Guide, PITR allows recovery to any second within the retention period, making it the most precise recovery method following a security incident.
By restoring the database cluster to a point just before the attack occurred, such as 3:14 PM, the security engineer ensures that the restored database reflects the last known good state without including malicious changes. This method is more accurate than restoring from snapshots, which are created at fixed intervals and may not align with the exact recovery time.
Options B and C rely on snapshot timing and may reintroduce compromised data.
Option D restores to an arbitrary time and does not meet the requirement to recover to the last known good version.
AWS documentation explicitly recommends point-in-time recovery for incident response scenarios that require precise restoration.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
Amazon RDS Automated Backups and PITR
AWS Incident Response and Recovery Guidance
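As an added example (not code from the exam page or from AWS), the following builds the arguments for the RDS point-in-time restore described above and first checks that the target lies inside the 14-day automated-backup window; cluster identifiers are placeholders and `now` is passed in so the check is reproducible.

```python
"""Added example, not code from the exam page or from AWS: builds the arguments
for rds.restore_db_cluster_to_point_in_time for the scenario above and first
checks that the target lies inside the automated-backup window. The cluster
identifiers are placeholders; `now` is passed in so the check is reproducible."""
from datetime import datetime, timedelta, timezone

SOURCE_CLUSTER = "prod-orders-cluster"             # placeholder
RESTORED_CLUSTER = "prod-orders-cluster-restored"  # placeholder
RETENTION_DAYS = 14                                # backup retention from the scenario


def utc(year, month, day, hour, minute):
    """Timezone-aware timestamp; RDS rejects naive RestoreToTime values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def pitr_target(attack_time, margin=timedelta(minutes=1)):
    """Last known good point: just before the first malicious activity
    (3:14 PM for an attack that began at 3:15 PM)."""
    return attack_time - margin


def restore_kwargs(attack_time, now, latest_restorable):
    """Arguments for restore_db_cluster_to_point_in_time, or ValueError when
    RDS could not honour the target. LatestRestorableTime (reported by
    describe_db_clusters) usually lags the wall clock by up to five minutes,
    so a very recent target can be rejected as well."""
    target = pitr_target(attack_time)
    earliest = now - timedelta(days=RETENTION_DAYS)
    if target < earliest:
        raise ValueError(f"{target:%Y-%m-%d %H:%M %Z} predates the {RETENTION_DAYS}-day backup window")
    if target > latest_restorable:
        raise ValueError(f"{target:%Y-%m-%d %H:%M %Z} is later than LatestRestorableTime")
    # PITR always creates a new cluster; the compromised source cluster stays
    # untouched for forensic analysis until it is deliberately removed.
    return {
        "DBClusterIdentifier": RESTORED_CLUSTER,
        "SourceDBClusterIdentifier": SOURCE_CLUSTER,
        "RestoreToTime": target,
    }
```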
A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.
What should the security engineer do to meet these requirements?
- A . Create security groups and attach them to all SQS queues.
- B . Modify network ACLs in all VPCs to restrict inbound traffic.
- C . Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.
- D . Use a third-party cloud access security broker (CASB).
C
Explanation:
Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.
By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.
Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC.
Third-party CASB tools add cost and operational overhead.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
Amazon SQS Security and VPC Endpoints
AWS Organizations Condition Keys
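As an added example (not code from the exam page or from AWS), the queue policy below enforces the two conditions from option C as explicit Deny statements, and a small evaluator applies them to constructed request contexts, including a request that never passed through a VPC endpoint; the queue ARN, endpoint ID and organization ID are placeholders.

```python
"""Added example, not code from the exam page or from AWS: a queue policy that
enforces aws:SourceVpce and aws:PrincipalOrgID, plus a small evaluator that
applies those conditions to constructed request contexts. The queue ARN,
endpoint ID and organization ID are placeholders."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"  # placeholder
ALLOWED_VPCE = "vpce-0123456789abcdef0"                   # placeholder
ORG_ID = "o-exampleorgid"                                 # placeholder


def _deny_unless(sid, key, value):
    """Explicit Deny that fires whenever `key` is absent or differs from `value`.
    An explicit Deny overrides any Allow, so valid credentials used from the
    wrong path or from outside the organization are still rejected."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "sqs:*",
            "Resource": QUEUE_ARN,
            "Condition": {"StringNotEquals": {key: value}}}


# The documented key is aws:PrincipalOrgID; condition key names are not
# case-sensitive, so the exam's aws:PrincipalOrgId spelling is equivalent.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _deny_unless("DenyOutsideApprovedEndpoint", "aws:SourceVpce", ALLOWED_VPCE),
        _deny_unless("DenyOutsideOrganization", "aws:PrincipalOrgID", ORG_ID),
    ],
}


def queue_policy_json():
    """Value for sqs.set_queue_attributes(QueueUrl=..., Attributes={"Policy": ...})."""
    return json.dumps(QUEUE_POLICY)


def is_denied(policy, ctx):
    """True when any Deny statement matches request context `ctx` (a dict of
    condition keys). Only StringNotEquals is implemented, which is all this
    policy uses. A key missing from the context makes StringNotEquals true
    (no ...IfExists suffix), so a request that never passed through a VPC
    endpoint, e.g. one sent over the internet, is denied as well."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt["Condition"].get("StringNotEquals", {})
        if all(ctx.get(key) != value for key, value in conds.items()):
            return True
    return False
```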
A security engineer discovers that a company’s user passwords have no required minimum length.
The company uses the following identity providers (IdPs):
• AWS Identity and Access Management (IAM) federated with on-premises Active Directory
• Amazon Cognito user pools that contain the user database for an AWS Cloud application
Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)
- A . Update the password length policy in the IAM configuration.
- B . Update the password length policy in the Amazon Cognito configuration.
- C . Update the password length policy in the on-premises Active Directory configuration.
- D . Create an SCP in AWS Organizations to enforce minimum password length.
- E . Create an IAM policy with a minimum password length condition.
B, C
Explanation:
Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.
Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.
IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS IAM Federation and Password Policies
Amazon Cognito User Pool Security Settings
A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.
Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)
- A . Enable AWS Security Hub in the AWS account.
- B . Enable Amazon GuardDuty in the AWS account.
- C . Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email distribution list to the topic.
- D . Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team’s email distribution list to the queue.
- E . Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
- F . Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.
B, C, E
Explanation:
Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.
To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.
Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
Amazon GuardDuty Findings and Severity
Amazon EventBridge Integration with GuardDuty
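As an added example (not code from the exam page or from AWS), the EventBridge event pattern for high-severity GuardDuty findings is shown with a minimal matcher that applies EventBridge's list and numeric-matching rules to constructed finding events, so the filter can be checked before the rule and its SNS target exist; the sample events are constructed, not real findings.

```python
"""Added example, not code from the exam page or from AWS: the EventBridge
pattern for high-severity GuardDuty findings plus a minimal matcher applying
EventBridge's list and numeric-matching rules to constructed finding events."""

# GuardDuty severity is numeric: High is 7.0-8.9 and Critical 9.0-10.0.
# A lower bound alone keeps Critical findings in scope as well.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        "=": lambda a, b: a == b}


def _numeric_ok(spec, value):
    """`spec` is EventBridge's flat [op, bound, op, bound, ...] list."""
    pairs = zip(spec[0::2], spec[1::2])
    return isinstance(value, (int, float)) and all(_OPS[op](value, b) for op, b in pairs)


def matches(pattern, event):
    """Every pattern key must exist in the event; a list matches when any
    alternative does; a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
            continue
        if not any(_numeric_ok(alt["numeric"], actual) if isinstance(alt, dict)
                   else actual == alt for alt in expected):
            return False
    return True


def finding(source, severity, detail_type="GuardDuty Finding"):
    """Constructed event in the shape EventBridge delivers, fields trimmed."""
    return {"source": source, "detail-type": detail_type,
            "detail": {"severity": severity, "type": "Trojan/EC2.DropPoint"}}


# Constructed events standing in for findings delivered through EventBridge.
HIGH = finding("aws.guardduty", 8.0)
MEDIUM = finding("aws.guardduty", 5.0)
OTHER = finding("aws.securityhub", 8.0, "Security Hub Findings - Imported")
```

The rule's target would be the SNS topic from option C; only events for which `matches` returns True reach it.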
A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.
Which solution will prevent direct access to the ALB?
- A . Use AWS PrivateLink with the ALB.
- B . Replace the ALB with an internal ALB.
- C . Restrict ALB listener rules to CloudFront IP ranges.
- D . Require a custom header from CloudFront and validate it at the ALB.
D
Explanation:
AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront adds a custom header with a secret value to every request it forwards to the origin, and the ALB listener rules forward only requests that carry that header with the expected value.
IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
CloudFront Origin Protection
AWS WAF and ALB Integration
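As an added example (not code from the exam page or from AWS), the following shows both halves of the shared-secret pattern in the shapes the CloudFront and ELBv2 APIs accept, together with a function that reproduces the listener's decision so the fail-closed behaviour can be checked offline; the header name, target group ARN and generated secret are placeholders.

```python
"""Added example, not code from the exam page or from AWS: the CloudFront
origin custom header and the matching ALB listener rule in the shapes the
CloudFront and ELBv2 APIs accept, plus a function that reproduces the
listener's decision offline. Header name, target group ARN and secret are placeholders."""
import hmac
import secrets

HEADER_NAME = "X-Origin-Verify"  # placeholder
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/app/0123456789abcdef"  # placeholder


def new_secret():
    """Random shared secret, kept in Secrets Manager rather than in code.
    Lowercase hex sidesteps the ALB's case-insensitive value matching and
    stays under the 128-character limit of a rule condition value."""
    return secrets.token_hex(32)


def cloudfront_custom_headers(secret):
    """Origin.CustomHeaders for cloudfront.update_distribution: CloudFront adds
    this header to every request it forwards to the ALB origin."""
    return {"Quantity": 1, "Items": [{"HeaderName": HEADER_NAME, "HeaderValue": secret}]}


def alb_listener_rule(*secrets_in_use):
    """Conditions and action for elbv2.create_rule. Listing two values lets a
    new secret be added at the ALB before CloudFront switches to it (rotation)."""
    return {
        "Conditions": [{"Field": "http-header",
                        "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME,
                                             "Values": list(secrets_in_use)}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}],
    }


# Listener default action (elbv2.modify_listener) for requests the rule does not
# match, i.e. anything that reached the ALB without passing through CloudFront.
DEFAULT_ACTION = {"Type": "fixed-response",
                  "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                          "MessageBody": "Forbidden"}}


def listener_decision(rule, request_headers):
    """Action the listener would apply. Names and values are matched
    case-insensitively as on the ALB; constant-time compare is this check's choice."""
    headers = {k.lower(): v.lower() for k, v in request_headers.items()}
    for cond in rule["Conditions"]:
        cfg = cond["HttpHeaderConfig"]
        presented = headers.get(cfg["HttpHeaderName"].lower(), "").encode()
        if not any(hmac.compare_digest(presented, v.lower().encode()) for v in cfg["Values"]):
            return DEFAULT_ACTION
    return rule["Actions"][0]
```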
