Practice Free SCS-C03 Exam Online Questions
A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.
The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident. The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.
Which solution will meet these requirements?
- A . Disable the compromised IAM user in the organization management account. Use Amazon Athena to query the organizational CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.
- B . Remove all IAM policies that are attached to the IAM user in the organization management account. Use AWS Security Hub to query the CloudTrail logs for actions that the IAM user performed in the previous 7 days.
- C . Remove any permission sets that are assigned to the IAM user in IAM Identity Center. Use Amazon CloudWatch Logs Insights to query the CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.
- D . Disable the IAM user’s access in IAM Identity Center. Use AWS CloudTrail to query the organizational event data store for actions that the IAM user performed in the previous 7 days.
D
Explanation:
When AWS IAM Identity Center is used to manage user access across an AWS organization, Identity Center is the authoritative control plane for enabling and disabling user access. According to the AWS Certified Security - Specialty Official Study Guide, disabling a user in IAM Identity Center prevents that user from signing in to the AWS access portal and from assuming any permission-set role in any account, which satisfies the requirement to stop access organization-wide. One caveat to build into the plan: temporary credentials that were already issued for a permission-set role remain valid until they expire (up to the permission set's session duration), so after disabling the user, also revoke any active sessions and rotate or delete any long-lived access keys the attacker may have created during the incident.
Disabling an IAM user in one account or removing its attached policies (Options A and B) does not stop access through IAM Identity Center-managed roles in other accounts, and Security Hub aggregates findings; it is not a log query engine. Option A's investigation step (Athena over the organizational trail in S3) would actually work, but its containment step does not. Option C removes the user's permission-set assignments without disabling the identity, and CloudWatch Logs Insights queries log groups in CloudWatch Logs, not objects in an S3 bucket, so it cannot search the trail's bucket.
For investigation and evidence collection, an organizational CloudTrail event data store (CloudTrail Lake) provides centralized, queryable access to management and data events across all accounts in the organization. Security engineers run SQL queries directly against the event data store without exporting logs to another service, which makes collecting everything the compromised user did in the last 7 days a single query. Note that an event data store returns only events ingested after it was created and still within its retention period, so confirm that the store's retention covers the 7-day window before relying on it.
The pattern the question is testing is to revoke access at the identity source (IAM Identity Center) first, then investigate from a centralized, organization-wide log store (CloudTrail Lake) rather than from per-account logs.
AWS Certified Security - Specialty Official Study Guide
AWS IAM Identity Center Documentation
AWS CloudTrail Lake User Guide
AWS Incident Response Best Practices
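As an added example that is not part of the exam page, the following Python applies the same filter the CloudTrail Lake query in Option D performs: every event by one principal, in any account, within the last 7 days. The events, account IDs, ARNs and the event data store ID are constructed; the `belongs_to`, `actions_by_principal` and `lake_query` helpers are assumptions added here, as is the matching on the role session name (IAM Identity Center names the permission-set role session after the user, so the same person appears as an AssumedRole in other accounts).

```python
"""Scope a compromised principal's activity to the last 7 days across accounts.

Added example (not from the exam page). EVENTS is a constructed sample of
organizational CloudTrail records; all account IDs, ARNs and the event data
store ID are made up.
"""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=7)
# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

EVENTS = [
    # Direct IAM-user call in the account that owns the user.
    {"eventTime": "2024-06-14T09:12:01Z", "recipientAccountId": "111122223333",
     "awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Same person acting in another account through an Identity Center permission set:
    # CloudTrail records an AssumedRole whose session name is the Identity Center username.
    {"eventTime": "2024-06-13T22:40:55Z", "recipientAccountId": "444455556666",
     "awsRegion": "eu-west-1", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::444455556666:assumed-role/AWSReservedSSO_ReadOnly_0123456789abcdef/alice"}},
    # Older than the 7-day window: must be excluded.
    {"eventTime": "2024-06-01T08:00:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "us-east-1", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    # A different principal: must be excluded.
    {"eventTime": "2024-06-14T10:00:00Z", "recipientAccountId": "444455556666",
     "awsRegion": "eu-west-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::444455556666:user/bob"}},
]


def belongs_to(event: dict, username: str) -> bool:
    """True if the event was made by the IAM user or by a role session named after it."""
    ident = event.get("userIdentity", {})
    arn = ident.get("arn", "")
    if ident.get("type") == "IAMUser":
        return arn.endswith(f":user/{username}")
    if ident.get("type") == "AssumedRole":
        # arn ends in assumed-role/<RoleName>/<SessionName>; Identity Center sets SessionName to the username
        return arn.endswith(f"/{username}")
    return False


def actions_by_principal(events, username, now=NOW, lookback=LOOKBACK):
    """All events by `username` within `lookback` of `now`, newest first, from every account."""
    since = now - lookback
    hits = []
    for ev in events:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= since and belongs_to(ev, username):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["eventTime"], reverse=True)


def lake_query(event_data_store_id: str, username: str, now=NOW, lookback=LOOKBACK) -> str:
    """The same filter as a CloudTrail Lake query, which is what you would actually run against
    the organizational event data store (the store ID is a placeholder; quote untrusted input)."""
    since = (now - lookback).strftime("%Y-%m-%d %H:%M:%S")
    return (
        "SELECT eventTime, recipientAccountId, awsRegion, eventSource, eventName, "
        "sourceIPAddress, errorCode\n"
        f"FROM {event_data_store_id}\n"
        f"WHERE userIdentity.arn LIKE '%/{username}'\n"   # matches user/<name> and role sessions named <name>
        f"  AND eventTime > '{since}'\n"
        "ORDER BY eventTime DESC"
    )


if __name__ == "__main__":
    for ev in actions_by_principal(EVENTS, "alice"):
        print(ev["eventTime"], ev["recipientAccountId"], ev["eventSource"], ev["eventName"])
    print(lake_query("0123abcd-ef01-2345-6789-abcdef012345", "alice"))
```

The local filter is there to make the matching logic visible; against a real organization you would run the string `lake_query` returns in the CloudTrail Lake console or with `aws cloudtrail start-query`, and the `recipientAccountId` column is what tells you which accounts the attacker reached.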
A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.
Which set of actions will identify the suspect attacker’s IP address for future occurrences?
- A . Configure VPC Flow Logs and search for PHP file activity.
- B . Install the CloudWatch agent on the ALB and export application logs.
- C . Export ALB access logs to Amazon OpenSearch Service and search them.
- D . Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.
D
Explanation:
AWS WAF logs contain request-level detail: source IP, country, requested URI and arguments, headers, the action taken, and the rule that terminated evaluation. According to AWS Certified Security - Specialty guidance, enabling AWS WAF logging is the most dependable way to investigate web-based attacks when instance-level logs are unavailable, because the logs are produced in front of the application and stored outside the instances, where a compromised or rebooted host cannot lose or alter them.
Sending WAF logs through Amazon Kinesis Data Firehose to Amazon S3 gives durable, centralized storage that is independent of EC2 lifecycle events, and Amazon Athena can then query the logs to find repeated requests to the targeted PHP file (new-user-creation.php) and extract the source IP addresses. Two setup details matter in practice: the Firehose delivery stream name must start with aws-waf-logs-, and WAF can also deliver logs directly to an S3 bucket or a CloudWatch Logs log group (also named with the aws-waf-logs- prefix), so Firehose is one of three supported destinations rather than the only route.
VPC Flow Logs record only IP, port and protocol tuples, not HTTP paths, so they cannot single out a PHP file. ALB access logs do record requests that WAF blocks (a 403 with waf as the last value in actions_executed), but they lack the matched rule, labels and full header detail, must be enabled and shipped separately, and Option C adds an OpenSearch domain to run and pay for. WAF logs queried with Athena give the best forensic visibility for future occurrences at the lowest operational cost.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS WAF Logging and Monitoring
Amazon Athena Log Analysis
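As an added example that is not part of the exam page, the following Python does offline what the Athena query in Option D does over the S3-delivered logs: it parses AWS WAF log records (JSON, one per line), keeps only requests to the targeted PHP file, and ranks source IPs, counting blocked requests separately to show that blocked traffic is in the WAF log. The log lines, IPs, the `TRUSTED_PROXIES` set and the `suspect_ips`, `source_ip` and `athena_query` helpers are constructed here; the `athena_query` string assumes a `waf_logs` table created with the WAF log DDL from the Athena documentation.

```python
"""Pull attacker source IPs for one PHP endpoint out of AWS WAF logs.

Added example (not from the exam page). LOG_LINES are constructed records in the
AWS WAF log JSON format (the fields used here exist in real logs; IPs, rule IDs
and the endpoint path are made up).
"""
import json
from collections import Counter


def _rec(ip, uri, action, ts, method="GET", xff=None):
    """Build one constructed WAF log line."""
    headers = [{"name": "Host", "value": "app.example.com"}]
    if xff:
        headers.append({"name": "X-Forwarded-For", "value": xff})
    return json.dumps({"timestamp": ts, "formatVersion": 1, "action": action,
                       "terminatingRuleId": "Default_Action" if action == "ALLOW" else "AWSManagedRulesPHPRuleSet",
                       "httpSourceName": "ALB",
                       "httpRequest": {"clientIp": ip, "country": "NL", "httpMethod": method,
                                       "uri": uri, "args": "", "headers": headers}})


LOG_LINES = [
    _rec("203.0.113.10", "/new-user-creation.php", "BLOCK", 1718445600000, "POST"),
    _rec("203.0.113.10", "/new-user-creation.php", "BLOCK", 1718445601000, "POST"),
    _rec("203.0.113.10", "/new-user-creation.php", "ALLOW", 1718445602000, "POST"),
    _rec("198.51.100.7", "/index.php", "ALLOW", 1718445603000),
    _rec("192.0.2.44", "/new-user-creation.php", "ALLOW", 1718445604000, "GET"),
    # Request arriving via a trusted proxy: clientIp is the proxy, the real client is in X-Forwarded-For.
    _rec("10.0.0.5", "/new-user-creation.php", "BLOCK", 1718445605000, "POST", xff="203.0.113.77, 10.0.0.5"),
]

TRUSTED_PROXIES = {"10.0.0.5"}   # assumption: honour X-Forwarded-For only from these addresses


def source_ip(req):
    """clientIp, unless the request came through a trusted proxy that set X-Forwarded-For.
    Never trust XFF from arbitrary clients: the header is attacker-controlled."""
    ip = req["clientIp"]
    if ip in TRUSTED_PROXIES:
        for h in req.get("headers", []):
            if h["name"].lower() == "x-forwarded-for":
                return h["value"].split(",")[0].strip()
    return ip


def suspect_ips(log_lines, uri):
    """Return [(ip, total_requests, blocked_requests), ...] for requests to `uri`, busiest first."""
    totals, blocked = Counter(), Counter()
    for line in log_lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        if req["uri"] != uri:
            continue
        ip = source_ip(req)
        totals[ip] += 1
        if rec["action"] == "BLOCK":
            blocked[ip] += 1
    return sorted(((ip, n, blocked[ip]) for ip, n in totals.items()), key=lambda t: (-t[1], t[0]))


def athena_query(table, uri):
    """The same aggregation as an Athena query over the logs in S3. Assumes `table` was created
    with the WAF log DDL from the Athena docs, where struct fields are lowercase."""
    return (
        "SELECT httprequest.clientip AS client_ip, count(*) AS hits,\n"
        "       sum(CASE WHEN action = 'BLOCK' THEN 1 ELSE 0 END) AS blocked,\n"
        '       min(from_unixtime("timestamp" / 1000)) AS first_seen,\n'
        '       max(from_unixtime("timestamp" / 1000)) AS last_seen\n'
        f"FROM {table}\n"
        f"WHERE httprequest.uri = '{uri}'\n"
        "GROUP BY httprequest.clientip\n"
        "ORDER BY hits DESC\n"
        "LIMIT 20"
    )


if __name__ == "__main__":
    for ip, hits, blocked in suspect_ips(LOG_LINES, "/new-user-creation.php"):
        print(f"{ip:16} hits={hits} blocked={blocked}")
    print(athena_query("waf_logs", "/new-user-creation.php"))
```

The proxy handling is the one part worth carrying into a real investigation: if CloudFront or another proxy sits in front of the ALB, `clientIp` is the proxy and the attacker is in X-Forwarded-For, but that header can only be trusted when the immediate peer is one of your own proxies.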
Notify when IAM roles are modified.
- A . Use Amazon Detective.
- B . Use EventBridge with CloudTrail events.
- C . Use CloudWatch metric filters.
- D . Use CloudWatch subscription filters.
B
Explanation:
EventBridge receives CloudTrail management events in near real time (delivered with the detail-type "AWS API Call via CloudTrail"), so a rule that matches eventSource iam.amazonaws.com and the mutating role APIs (CreateRole, UpdateRole, UpdateAssumeRolePolicy, AttachRolePolicy, DetachRolePolicy, PutRolePolicy, DeleteRolePolicy, DeleteRole) can target an SNS topic directly, with no log shipping. One caveat: IAM is a global service, so its CloudTrail events reach EventBridge only in us-east-1, and the rule must be created there. Amazon Detective is an investigation tool, not an alerting one; CloudWatch metric filters and subscription filters work only once the trail is also delivered to a CloudWatch Logs log group, which adds configuration and latency.
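As an added example that is not part of the exam page, the following Python shows the event pattern such a rule would carry and checks it against constructed "AWS API Call via CloudTrail" events the way EventBridge would. `PATTERN`, `matches`, `alerts` and the sample events are assumptions added here; the matcher implements only the subset of EventBridge pattern semantics this pattern needs (every pattern key must exist in the event, a list of values is OR-ed, nested objects recurse) and is not the full pattern language.

```python
"""Match CloudTrail IAM-role changes the way an EventBridge rule would.

Added example (not from the exam page). PATTERN is the event pattern for the
mutating IAM role APIs; SAMPLE_EVENTS are constructed CloudTrail-via-EventBridge
events with made-up account IDs and names.
"""

PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateRole", "DeleteRole", "UpdateRole", "UpdateRoleDescription",
                      "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
                      "PutRolePolicy", "DeleteRolePolicy", "TagRole", "UntagRole"],
    },
}


def matches(pattern, event):
    """Subset of EventBridge semantics: each pattern key must be present in the event;
    a nested dict recurses; a list of scalars matches if the event value equals any of them."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True


def _ct_event(event_name, source="iam.amazonaws.com", region="us-east-1"):
    """Constructed event in the shape EventBridge delivers for CloudTrail API calls."""
    return {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "region": region,
            "detail": {"eventSource": source, "eventName": event_name,
                       "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                       "requestParameters": {"roleName": "ProdAdmin"}}}


SAMPLE_EVENTS = [
    _ct_event("UpdateAssumeRolePolicy"),   # trust policy change: must alert
    _ct_event("AttachRolePolicy"),         # permission change: must alert
    _ct_event("GetRole"),                  # read-only: no change, no alert
    _ct_event("CreateUser"),               # IAM, but not a role change
]


def alerts(events, pattern=PATTERN):
    """Names of the events that would trigger the rule, in delivery order."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

The `detail` block of `PATTERN` is what you would paste into the rule's event pattern; the outer `source` and `detail-type` keys are the filters EventBridge itself adds for CloudTrail-delivered events.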
A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.
A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.
Which solution will meet these requirements?
- A . Use AWS WAF to implement a rate-based rule for all incoming requests.
- B . Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.
- C . Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.
- D . Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.
A
Explanation:
AWS WAF rate-based rules are designed to protect applications from traffic floods and distributed attacks that come from large numbers of IP addresses. According to the AWS Certified Security - Specialty Official Study Guide, a rate-based rule counts requests per source IP over a short evaluation window (5 minutes by default) and applies its action, usually Block, to requests from any IP that exceeds the configured limit, releasing that IP once its rate drops back under the limit.
In this scenario, the malicious traffic originates from hundreds of IP addresses across two countries, mixed with legitimate user traffic from the same countries. A rate-based rule limits excessive request rates per client without blocking entire geographic regions, so legitimate users, who request at a normal rate, keep their access. In practice, add a scope-down statement so the limit applies only to the attacked path, and derive the limit from the observed per-client rate of normal traffic rather than guessing.
Option B is incorrect because a geographic match rule blocks all traffic from the selected countries, which would deny access to legitimate users there and violate the stated requirement. Option C is invalid because security groups have no concept of geography. Option D fails for a stronger reason than scale: security groups are allow-only and cannot express deny rules (that is a network ACL feature), and even a network ACL has a rule quota far below hundreds of entries and no way to keep up with rotating attacker IPs.
AWS documentation presents rate-based rules as the recommended first-line mitigation for sudden traffic spikes and application-layer DDoS attacks when business continuity must be preserved.
AWS Certified Security - Specialty Official Study Guide
AWS WAF Developer Guide - Rate-Based Rules
AWS DDoS Resiliency Best Practices
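As an added example that is not part of the exam page, the following Python runs constructed mixed traffic through an approximation of a rate-based rule (per-IP sliding-window count, block while over the limit) and through a geo-match block on the same two countries, so the difference the explanation describes is visible in numbers. The traffic generator, the placeholder country codes "XA" and "XB", the IPs and the `rate_based_rule` and `geo_block_rule` functions are assumptions added here; real WAF evaluates in fixed intervals and takes a few minutes to converge, so the counts are illustrative.

```python
"""Rate-based rule versus country block on mixed traffic.

Added example (not from the exam page). The traffic is constructed: five attacker
IPs (the question's "hundreds", scaled down) in placeholder countries XA and XB
hammer the site, while legitimate users in XA, XB and elsewhere browse normally.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # WAF evaluates rate-based rules over a window; 5 minutes is the default
LIMIT = 100            # requests per IP per window before the rule's action applies


def build_traffic():
    """Constructed stream of (second, ip, country) tuples covering one 5-minute window."""
    traffic = []
    attackers = [f"203.0.113.{i}" for i in range(1, 6)]
    for t in range(0, 300):                              # 1 request/second/IP = 300 per window
        for ip in attackers:
            traffic.append((t, ip, "XA" if ip.endswith(("1", "3", "5")) else "XB"))
    legit = [("198.51.100.7", "XA"), ("198.51.100.8", "XB"), ("192.0.2.44", "US")]
    for t in range(0, 300, 30):                          # 10 requests per window each
        for ip, country in legit:
            traffic.append((t, ip, country))
    traffic.sort(key=lambda r: r[0])
    return traffic


def rate_based_rule(traffic, limit=LIMIT, window=WINDOW_SECONDS):
    """Blocked-request count per IP: a request is blocked once its IP has more than
    `limit` requests inside the trailing `window` seconds."""
    seen = defaultdict(deque)
    blocked = defaultdict(int)
    for t, ip, _country in traffic:
        q = seen[ip]
        q.append(t)
        while q and q[0] <= t - window:                  # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            blocked[ip] += 1
    return dict(blocked)


def geo_block_rule(traffic, countries=("XA", "XB")):
    """Blocked-request count per IP when everything from `countries` is blocked outright."""
    blocked = defaultdict(int)
    for _t, ip, country in traffic:
        if country in countries:
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    traffic = build_traffic()
    print("rate-based:", rate_based_rule(traffic))       # attackers throttled, legitimate users untouched
    print("geo block :", geo_block_rule(traffic))        # legitimate XA/XB users blocked too
```

With these inputs the rate-based rule blocks each attacker's requests beyond the first 100 in the window and never touches the three legitimate users, while the geo block stops every request from the two XA/XB users along with the attackers, which is exactly the collateral damage the question rules out.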
