Practice Free SCS-C03 Exam Online Questions
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.
A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.
Which rule statement will meet these requirements?
- A . Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
- B . Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
- C . Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
- D . Use a string match rule statement that includes details of the IoT device brand from the user agent.
D
Explanation:
AWS WAF allows security engineers to create string match rule statements that inspect specific parts of web requests, including HTTP headers such as the User-Agent header. According to the AWS Certified Security – Specialty Study Guide and AWS WAF documentation, string match rules are ideal for blocking requests that contain known malicious identifiers, such as a distinctive user agent associated with a specific bot or IoT device brand.
In this scenario, the attack originates from a specific IoT device brand that uses a unique user agent. A string match rule that inspects the User-Agent header can precisely block malicious requests while allowing legitimate customer traffic to continue uninterrupted. This approach provides targeted mitigation for both current and future attacks originating from the same device signature.
Option A is incorrect because IP addresses cannot be derived from user agent strings, and IoT botnets frequently rotate IP addresses, making IP-based blocking ineffective.
Option B is incorrect because geographic blocking is overly broad and risks blocking legitimate customers in the same regions as the attacking devices.
Option C is incorrect because rate-based rules limit request volume per IP address and do not specifically identify malicious device signatures; legitimate high-traffic users could be unintentionally blocked.
AWS documentation emphasizes that header inspection with string match conditions is a best practice for mitigating attacks that use identifiable request characteristics such as custom user agents, especially in DDoS and bot mitigation scenarios.
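To make the rule statement concrete, the following is an added example (not code from the study guide or from AWS): a web ACL rule in the JSON form AWS WAF uses, with a ByteMatchStatement on the User-Agent header, plus a small local model of how WAF evaluates it against constructed sample requests. The rule name, metric name and the search string "exampleiotcam" are assumed placeholders for the real device brand's signature; the evaluator models only the LOWERCASE and COMPRESS_WHITE_SPACE transformations and four positional constraints.

```python
import json

# Web ACL rule in AWS WAF JSON form. Assumed values: rule name, metric name and
# the search string "exampleiotcam" (placeholder for the IoT brand's user agent).
BLOCK_IOT_UA_RULE = {
    "Name": "block-iot-device-user-agent",
    "Priority": 0,
    "Action": {"Block": {}},
    "Statement": {
        "ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "PositionalConstraint": "CONTAINS",
            "SearchString": "exampleiotcam",
            # Lowercase the header before matching so case variants of the
            # brand string are still caught.
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        }
    },
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockIoTDeviceUserAgent",
    },
}


def apply_text_transformations(value, transformations):
    """Apply the WAF text transformations modelled here, in priority order."""
    for t in sorted(transformations, key=lambda x: x["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] == "COMPRESS_WHITE_SPACE":
            value = " ".join(value.split())
        elif t["Type"] != "NONE":
            raise ValueError(f"transformation {t['Type']} not modelled")
    return value


def positional_match(constraint, haystack, needle):
    """The four positional constraints this model supports."""
    if constraint == "EXACTLY":
        return haystack == needle
    if constraint == "STARTS_WITH":
        return haystack.startswith(needle)
    if constraint == "ENDS_WITH":
        return haystack.endswith(needle)
    if constraint == "CONTAINS":
        return needle in haystack
    raise ValueError(f"constraint {constraint} not modelled")


def evaluate_rule(rule, headers):
    """Return "BLOCK" if the rule's ByteMatchStatement matches the request
    headers (header names compared case-insensitively), otherwise "ALLOW"."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    header_name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    lowered = {name.lower(): value for name, value in headers.items()}
    # A request without the header has nothing to match against.
    value = apply_text_transformations(lowered.get(header_name, ""),
                                       stmt["TextTransformations"])
    if positional_match(stmt["PositionalConstraint"], value, stmt["SearchString"]):
        return next(iter(rule["Action"])).upper()
    return "ALLOW"


# Constructed sample requests: one attacking device, one browser, one with no UA.
SAMPLE_REQUESTS = {
    "iot_device": {"User-Agent": "ExampleIoTCam/2.1 (Linux; armv7l)"},
    "customer_browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "no_user_agent": {"Host": "www.example.com"},
}


def classify_samples(rule=BLOCK_IOT_UA_RULE):
    """Verdict per sample request, showing that only the device signature is blocked."""
    return {name: evaluate_rule(rule, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(BLOCK_IOT_UA_RULE, indent=2))
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The point the sample requests make is the one the explanation relies on: the match keys on the device's own signature, so a browser request and a request without a User-Agent header pass through unchanged, and the rule keeps working when the devices' IP addresses change.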
AWS Certified Security – Specialty Official Study Guide
AWS WAF Developer Guide – Rule Statements
AWS DDoS Resiliency Best Practices
AWS Well-Architected Framework – Security Pillar
A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.
The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident. The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.
Which solution will meet these requirements?
- A . Disable the compromised IAM user in the organization management account. Use Amazon Athena to query the organizational CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.
- B . Remove all IAM policies that are attached to the IAM user in the organization management account. Use AWS Security Hub to query the CloudTrail logs for actions that the IAM user performed in the previous 7 days.
- C . Remove any permission sets that are assigned to the IAM user in IAM Identity Center. Use Amazon CloudWatch Logs Insights to query the CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.
- D . Disable the IAM user’s access in IAM Identity Center. Use AWS CloudTrail to query the organizational event data store for actions that the IAM user performed in the previous 7 days.
D
Explanation:
When AWS IAM Identity Center is used to manage user access across an AWS Organization, Identity Center is the authoritative control plane for enabling and disabling user access. According to the AWS Certified Security – Specialty Official Study Guide, disabling a user in IAM Identity Center immediately prevents that user from accessing any AWS account or role that is assigned through permission sets, satisfying the requirement to stop access organization-wide.
Disabling an IAM user in a single account or removing attached policies (Options A and B) does not prevent access through IAM Identity Center-managed roles in other accounts.
Option C is incomplete because removing permission sets does not immediately disable authentication, and it still relies on CloudWatch Logs Insights to query logs stored in S3, which is not a supported source.
For investigation and evidence collection, AWS CloudTrail organizational event data stores provide centralized, queryable access to all management and data events across all accounts in the organization. CloudTrail Lake enables security engineers to run SQL-based queries directly against event data without exporting logs to other services. This allows rapid collection of all actions that the compromised user performed during the last 7 days.
AWS documentation explicitly identifies the combination of IAM Identity Center for access revocation and CloudTrail Lake for organization-wide investigation as a best practice for identity-related incident response.
AWS Certified Security – Specialty Official Study Guide
AWS IAM Identity Center Documentation
AWS CloudTrail Lake User Guide
AWS Incident Response Best Practices
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet’s network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
- A . Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
- B . Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC’s CIDR range.
- C . Create an EC2 key pair. Associate the key pair with the EC2 instance.
- D . Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
- E . Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC’s CIDR range.
- F . Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
A, D, E
Explanation:
AWS Systems Manager Session Manager requires secure outbound HTTPS connectivity from the EC2 instance to Systems Manager endpoints. In a VPC without internet access, AWS Certified Security – Specialty documentation recommends using interface VPC endpoints to enable private connectivity without exposing the instance to the internet.
Creating a VPC interface endpoint for Systems Manager allows the SSM Agent to communicate securely with the Systems Manager service. The endpoint must have an attached security group that allows inbound traffic on port 443 from the VPC CIDR range. Additionally, the EC2 instance security group must allow outbound HTTPS traffic on port 443 so the agent can initiate connections.
Option C is incorrect because creating or associating key pairs enables SSH access, which can alter forensic evidence and violates forensic best practices.
Option B is unnecessary because Session Manager does not require inbound rules on the EC2 instance.
Option F is invalid because EC2 does not use interface endpoints for management connectivity.
This combination ensures secure, private access for forensic investigation while preserving evidence integrity and adhering to AWS incident response best practices.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS Systems Manager Session Manager Architecture
AWS Incident Response and Forensics Best Practices
A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.
Which solution will meet these requirements MOST cost-effectively?
- A . Use AWS WAF IP match rules.
- B . Use AWS WAF geo match rules.
- C . Use CloudFront geo restriction to deny the countries.
- D . Use geolocation headers in CloudFront.
C
Explanation:
Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security – Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.
AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.
CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
Amazon CloudFront Geo Restriction
AWS Edge Security Best Practices
A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:
• Database storage must be encrypted at rest.
• Deletion protection must be enabled.
• Databases must not be publicly accessible.
• Database audit logs must be published to Amazon CloudWatch Logs.
A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for compliance with this policy. The solution must be able to display a database’s compliance state for each part of the policy at any time.
Which solution will meet these requirements?
- A . Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.
- B . Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.
- C . Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.
- D . Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.
B
Explanation:
AWS Config is a fully managed service that provides continuous monitoring and evaluation of AWS resource configurations against desired configuration baselines. According to the AWS Certified Security – Specialty Official Study Guide, AWS Config is the primary service used to track configuration changes, evaluate compliance in near real time, and display compliance states for individual AWS resources.
AWS Config provides managed rules that directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.
The AWS Config dashboard enables security engineers to view per-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.
AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data.
Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.
AWS documentation explicitly identifies AWS Config as the authoritative service for continuous compliance monitoring and visibility.
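To show which configuration attributes each line of the policy actually depends on, the following is an added example, not code from the study guide or from AWS Config: a local model of the four checks, run against a constructed inventory in the shape of describe-db-clusters and describe-db-instances output. The managed rules evaluate the same attributes from recorded configuration items; the cluster and instance identifiers below are made up, and the matching managed rule identifiers should be taken from the AWS Config managed rules list.

```python
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"


def storage_encrypted(cluster, instances):
    return cluster.get("StorageEncrypted") is True


def deletion_protection_enabled(cluster, instances):
    return cluster.get("DeletionProtection") is True


def not_publicly_accessible(cluster, instances):
    # PubliclyAccessible is set per DB instance, so every writer and reader
    # in the cluster has to be checked; a cluster with no instances cannot
    # be shown compliant.
    return bool(instances) and not any(i.get("PubliclyAccessible") for i in instances)


def audit_logs_exported(cluster, instances):
    # Aurora MySQL publishes audit logs to CloudWatch Logs only when "audit"
    # is among the cluster's enabled log exports.
    return "audit" in cluster.get("EnabledCloudwatchLogsExports", [])


# One entry per policy line; each gets its own compliance state.
POLICY_CHECKS = {
    "encrypted-at-rest": storage_encrypted,
    "deletion-protection": deletion_protection_enabled,
    "not-publicly-accessible": not_publicly_accessible,
    "audit-logs-to-cloudwatch": audit_logs_exported,
}


def evaluate_cluster(cluster, instances):
    """Return {policy item: COMPLIANT | NON_COMPLIANT} for one cluster."""
    return {name: COMPLIANT if check(cluster, instances) else NON_COMPLIANT
            for name, check in POLICY_CHECKS.items()}


# Constructed sample inventory (only the attributes the checks need).
CLUSTERS = [
    {"DBClusterIdentifier": "prod-orders", "Engine": "aurora-mysql",
     "StorageEncrypted": True, "DeletionProtection": True,
     "EnabledCloudwatchLogsExports": ["audit", "error", "slowquery"]},
    {"DBClusterIdentifier": "dev-reporting", "Engine": "aurora-mysql",
     "StorageEncrypted": True, "DeletionProtection": False,
     "EnabledCloudwatchLogsExports": ["error"]},
]
INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders-1", "DBClusterIdentifier": "prod-orders",
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "prod-orders-2", "DBClusterIdentifier": "prod-orders",
     "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "dev-reporting-1", "DBClusterIdentifier": "dev-reporting",
     "PubliclyAccessible": True},
]


def evaluate_all(clusters=CLUSTERS, instances=INSTANCES):
    """Per-cluster, per-policy-item compliance, as the Config dashboard lists it."""
    report = {}
    for cluster in clusters:
        members = [i for i in instances
                   if i["DBClusterIdentifier"] == cluster["DBClusterIdentifier"]]
        report[cluster["DBClusterIdentifier"]] = evaluate_cluster(cluster, members)
    return report


if __name__ == "__main__":
    for cluster_id, states in evaluate_all().items():
        print(cluster_id)
        for item, state in states.items():
            print(f"  {item:<26} {state}")
```

The split into four independent checks is what gives the per-policy-item view the question asks for: a cluster that is encrypted but publicly reachable shows one compliant and one noncompliant state rather than a single pass/fail.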
AWS Certified Security – Specialty Official Study Guide
AWS Config Developer Guide
Amazon Aurora Security Best Practices
AWS Well-Architected Framework – Security Pillar
A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.
Which solution will meet these requirements?
- A . Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.
- B . Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.
- C . Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.
- D . Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.
A
Explanation:
Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is the recommended service for centralized log aggregation and near-real-time analysis of application and system logs.
By configuring all EC2 instances to send logs to a single CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.
CloudWatch Logs Insights provides a powerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.
Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3.
Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups.
Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.
AWS documentation explicitly states that CloudWatch Logs combined with CloudWatch Logs Insights is the most efficient and secure approach for centralized log analysis in EC2-based architectures.
AWS Certified Security – Specialty Official Study Guide
Amazon CloudWatch Logs Documentation
CloudWatch Logs Insights Query Guide
A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key.
Which solution will meet these requirements?
- A . Use IAM explicit deny for EC2 instance profiles and allow for Lambda roles.
- B . Use a KMS key policy with kms:ViaService conditions to allow Lambda usage and deny EC2 usage.
- C . Use aws:SourceIp and aws:AuthorizedService condition keys in the KMS key policy.
- D . Use an SCP to deny EC2 and allow Lambda.
B
Explanation:
AWS KMS access control is primarily enforced through key policies (and optionally grants), and AWS recommends using key policy condition keys to restrict how keys can be used. The kms:ViaService condition key is specifically designed to restrict KMS API usage to requests that come through a particular AWS service endpoint in a specific Region. This is the most robust way to ensure a key can be used only via AWS Lambda (for example, lambda.<region>.amazonaws.com) and not via Amazon EC2 (ec2.<region>.amazonaws.com), even if IAM permissions exist elsewhere. By writing a key policy that uses the Lambda execution role as the principal and conditions on kms:ViaService, the company can tightly bind key usage to Lambda-originated cryptographic operations while preventing use through EC2 service paths.
Option A is weaker because EC2 is not the only way an IAM principal might use KMS, and relying on attaching explicit deny policies broadly is harder to manage and can miss principals.
Option C is incorrect because aws:AuthorizedService is not the typical mechanism for KMS service restriction, and SourceIp is unreliable for service-to-service calls.
Option D is not ideal because SCPs do not provide fine-grained service-path restrictions for KMS usage and cannot “allow” beyond IAM; key policy controls still apply.
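The following is an added example, not code from the study guide or from AWS: a key policy of the shape option B describes, together with a small evaluator that applies IAM's explicit-deny-wins logic to it. The account ID 111122223333, the Region us-east-1 and the role name are assumed placeholders. The evaluator models only key policy statements and the kms:ViaService condition; it ignores IAM identity policies and KMS grants, which also take part in real KMS authorization. One caveat worth noting: kms:ViaService is present only when an AWS service calls KMS on the principal's behalf (for Lambda, for example, when it decrypts environment variables), so a direct KMS API call made from SDK code, even inside a function, carries no kms:ViaService value and fails the condition.

```python
import fnmatch

ACCOUNT = "111122223333"            # placeholder account
REGION = "us-east-1"                # placeholder Region
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/order-processor-lambda-role"  # placeholder

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Standard statement that lets IAM policies in the account manage the key.
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Allow the Lambda execution role, but only for requests that reach
            # KMS through the Lambda service endpoint in this Region.
            "Sid": "AllowUseViaLambda",
            "Effect": "Allow",
            "Principal": {"AWS": LAMBDA_ROLE},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                       "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"lambda.{REGION}.amazonaws.com"}},
        },
        {   # Explicit deny for any request routed through EC2 (for example an
            # EBS volume encryption request); an explicit deny always wins.
            "Sid": "DenyUseViaEC2",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "kms:*",
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"ec2.{REGION}.amazonaws.com"}},
        },
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, via_service):
    """Only StringEquals on kms:ViaService is modelled. When the request did not
    come through a service, the key is absent and StringEquals evaluates false."""
    if not condition:
        return True
    expected = condition.get("StringEquals", {}).get("kms:ViaService")
    if expected is None:
        raise ValueError("condition operator or key not modelled")
    return via_service is not None and via_service in _as_list(expected)


def _statement_matches(stmt, caller_arn, action, via_service):
    return (_principal_matches(stmt["Principal"], caller_arn)
            and any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
            and _condition_matches(stmt.get("Condition"), via_service))


def evaluate(policy, caller_arn, action, via_service=None):
    """Return "DENY" or "ALLOW" following IAM evaluation logic: a matching
    explicit Deny wins, then any matching Allow grants, otherwise implicit deny."""
    matched = [s for s in policy["Statement"]
               if _statement_matches(s, caller_arn, action, via_service)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "DENY"
    return "ALLOW" if any(s["Effect"] == "Allow" for s in matched) else "DENY"


if __name__ == "__main__":
    root = f"arn:aws:iam::{ACCOUNT}:root"
    for caller, action, via in [
        (LAMBDA_ROLE, "kms:Decrypt", f"lambda.{REGION}.amazonaws.com"),
        (LAMBDA_ROLE, "kms:Decrypt", f"ec2.{REGION}.amazonaws.com"),
        (LAMBDA_ROLE, "kms:Decrypt", None),
        (root, "kms:GenerateDataKey", f"ec2.{REGION}.amazonaws.com"),
    ]:
        print(caller.rsplit("/", 1)[-1], action, via, "->",
              evaluate(KEY_POLICY, caller, action, via))
```

The last case in the usage loop is the one that matters for the question: even the account root principal, which the first statement allows for kms:*, is denied when the request arrives via the EC2 service path, because the explicit deny is evaluated before any allow.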
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS KMS Key Policies and Condition Keys
AWS KMS Best Practices for Service-Scoped Key Usage
