Amazon SCS-C03 시험

Question No : 1

A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.
Which solution meets these requirements?

• A.Enable Amazon Cognito threat protection.
• B.Restrict access to authenticated users only.
• C.Associate AWS WAF with the Cognito user pool.
• D.Monitor requests with CloudWatch.

답을 확인하기

정답:
Explanation:
Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.
AWS WAF cannot be directly associated with Cognito user pools.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon Cognito Threat Protection

Question No : 2

A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days.
Which solution will meet these requirements?

• A.Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.
• B.Remove IAM policies and query logs in Security Hub.
• C.Remove permission sets and query logs using CloudWatch Logs Insights.
• D.Disable the user in IAM Identity Center and query the organizational event data store.

답을 확인하기

정답:
Explanation:
AWS IAM Identity Center centrally manages user access across an AWS Organization. Disabling the user in Identity Center immediately revokes access to all AWS accounts. According to AWS Certified Security C Specialty documentation, organizational CloudTrail event data stores provide centralized, queryable access to all events across accounts.
Using CloudTrail Lake enables direct querying of activity without exporting logs. Disabling the user at the Identity Center level ensures full containment.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS IAM Identity Center Incident Response
AWS CloudTrail Lake

Question No : 3

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.
Which solution will meet the requirements?

• A.Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
• B.Use encrypted parameters in the CloudFormation template.
• C.Use SecureString parameters to reference Secrets Manager.
• D.Use SecureString parameters encrypted by AWS KM

답을 확인하기

정답:
Explanation:
AWS CloudFormation supports dynamic references to AWS Secrets Manager, which allow sensitive values to be retrieved securely at stack runtime. According to AWS Certified Security C Specialty guidance, dynamic references prevent secrets from being stored in plaintext in templates, stack metadata, or logs.
Using dynamic references ensures that secrets remain encrypted at rest and are accessed only when required. CloudFormation does not support SecureString parameters for Secrets Manager references, and encrypting templates does not prevent exposure during execution.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS CloudFormation Dynamic References
AWS Secrets Manager Best Practices

Question No : 4

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.
What should the security engineer do to meet these requirements?

• A.Create security groups and attach them to all SQS queues.
• B.Modify network ACLs in all VPCs to restrict inbound traffic.
• C.Create interface VPC endpoints for Amazon SQ
• D.Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.
• E.Use a third-party cloud access security broker (CASB).

답을 확인하기

정답:
Explanation:
Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security C Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.
By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.
Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC.
Third-party CASB tools add cost and operational overhead.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon SQS Security and VPC Endpoints
AWS Organizations Condition Keys

Question No : 5

A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption.
Which solution will meet these requirements?

• A.Use EventBridge to disable the instance profile access keys.
• B.Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.
• C.Use Security Hub to update the subnet network ACL to block traffic.
• D.Send GuardDuty findings to Amazon SNS for email notification.

답을 확인하기

정답:
Explanation:
AWS incident response best practices emphasize isolating compromised resources rather than immediately terminating them. According to AWS Certified Security C Specialty documentation, removing an instance from an Auto Scaling group prevents replacement loops, while applying a restrictive security group isolates the instance for forensic analysis.
Using Amazon EventBridge to trigger an AWS Lambda function enables automated, consistent responses to GuardDuty findings. This approach minimizes disruption to the application because healthy instances continue serving traffic while the affected instance is isolated.
Disabling credentials or modifying network ACLs can have broader impact on unrelated workloads.
SNS notifications alone do not provide response automation.
AWS recommends isolate-and-investigate patterns for EC2 incident response.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon GuardDuty Automated Responses
AWS Incident Response Playbooks

Question No : 6

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.
The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.
Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

• A.Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
• B.Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
• C.Modify the route tables for the public subnets to add a local route to the VPC CIDR range.
• D.Modify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.
• E.Modify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.

답을 확인하기

정답:
Explanation:
AWS networking best practices require private subnets to access the internet only through NAT gateways located in public subnets. According to the AWS Certified Security C Specialty Study Guide, NAT gateways must be provisioned in public subnets and used as the default route for outbound traffic from private subnets.
Verifying NAT gateways in each Availability Zone ensures high availability and fault tolerance. Updating the private subnet route tables to send 0.0.0.0/0 traffic to the NAT gateway prevents direct internet access while allowing outbound connectivity.
Routing private subnet traffic directly to an internet gateway violates subnet isolation principles. NAT gateways must never be placed in private subnets.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon VPC Routing and NAT Gateways
AWS Network Segmentation Best Practices

Question No : 7

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.
Which solution would have the MOST scalability and LOWEST latency?

• A.Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
• B.Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
• C.Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
• D.Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

답을 확인하기

정답:
Explanation:
Network Load Balancers operate at Layer 4 and are optimized for extreme performance, ultra-low latency, and handling sudden traffic spikes. According to AWS Certified Security C Specialty documentation, using a TCP listener on an NLB allows TLS traffic to pass through directly to backend containers without termination, preserving true end-to-end encryption.
This approach eliminates the overhead of decrypting and re-encrypting traffic at the load balancer, reducing latency and maximizing throughput. NLBs scale automatically to handle volatile traffic patterns and millions of requests per second.
Application Load Balancers operate at Layer 7 and introduce additional latency due to TLS termination and HTTP processing. Route 53 multivalue routing does not provide load balancing at the transport layer and does not ensure encryption handling.
AWS recommends NLB TCP pass-through for high-performance, end-to-end encrypted container workloads.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Elastic Load Balancing Architecture
Network Load Balancer Performance Characteristics

Question No : 8

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.
Which solution will meet these requirements?

• A.Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
• B.Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
• C.Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
• D.Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

답을 확인하기

정답:
Explanation:
Amazon Inspector is the AWS service designed specifically for vulnerability management across compute workloads, including Amazon ECR container images and AWS Lambda functions. According to the AWS Certified Security C Specialty documentation, Amazon Inspector provides automated vulnerability assessments for container images stored in ECR by performing enhanced image scanning that identifies common vulnerabilities and exposures (CVEs) in operating systems and application dependencies.
Inspector also supports Lambda code scanning to analyze function packages and container-based Lambda images for known software vulnerabilities. Findings include severity ratings and remediation guidance, allowing security teams to identify and prioritize risks efficiently.
Amazon GuardDuty focuses on threat detection using behavioral analysis and does not perform static vulnerability scanning of container images or Lambda code. AWS Security Hub aggregates findings from other services but does not perform scanning itself.
AWS best practices recommend Amazon Inspector for vulnerability detection in container images and serverless workloads.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon Inspector for ECR and Lambda
AWS Vulnerability Management Best Practices

Question No : 9

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.
Which solution will prevent direct access to the ALB?

• A.Use AWS PrivateLink with the AL
• B.Replace the ALB with an internal AL
• C.Restrict ALB listener rules to CloudFront IP ranges.
• D.Require a custom header from CloudFront and validate it at the AL

답을 확인하기

정답:
Explanation:
AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront injects a custom header, and the ALB listener rules validate its presence.
IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
CloudFront Origin Protection
AWS WAF and ALB Integration

Question No : 10

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.
Which solution will provide the application with AWS credentials?

• A.Use Amazon Cognito identity pools and the GetId AP
• B.Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.
• C.Use Amazon Cognito user pools with ID tokens.
• D.Use Amazon Cognito user pools with access tokens.

답을 확인하기

정답:
Explanation:
Amazon Cognito identity pools provide temporary AWS credentials by exchanging web identity tokens with AWS STS using AssumeRoleWithWebIdentity. According to AWS Certified Security C Specialty documentation, this is the correct mechanism for granting applications AWS credentials.
User pools authenticate users but do not issue AWS credentials. Identity pools integrate with IAM roles and STS, enabling secure, temporary access to AWS services.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon Cognito Identity Pools
AWS STS Web Identity Federation

Question No : 11

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.
Which action should enforce this policy?

• A.Configure an S3 Lifecycle rule to delete objects after 45 days.
• B.Create a Lambda function triggered on object upload to delete old data.
• C.Create a scheduled Lambda function to delete old objects monthly.
• D.Configure S3 Intelligent-Tiering.

답을 확인하기

정답:
Explanation:
Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security C Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.
Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon S3 Lifecycle Management

Question No : 12

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.
Which solution will provide remote access while meeting these requirements?

• A.Grant access to the EC2 serial console and allow IAM role access.
• B.Enable EC2 Instance Connect and configure security groups accordingly.
• C.Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.
• D.Use Systems Manager Automation to temporarily open remote access ports.

답을 확인하기

정답:
Explanation:
AWS Systems Manager Session Manager provides secure, auditable shell access to EC2 instances without opening inbound ports. According to AWS Certified Security C Specialty guidance, Session Manager records all session activity to CloudWatch Logs or Amazon S3 and integrates with IAM Identity Center for centralized authentication.
This solution meets all requirements: no exposed ports, full audit logging, and identity-based access control. EC2 Instance Connect and serial console access do not integrate with Identity Center and may expose management paths.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Systems Manager Session Manager
AWS IAM Identity Center Integration

Question No : 13

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.
What should the security engineer do to meet these requirements?

• A.Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the AL
• B.Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the AL
• C.Update security groups on the EC2 instances to prevent direct access from the internet.
• D.Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
• E.Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
• F.Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

답을 확인하기

정답:
Explanation:
AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security C Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.
Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.
Option B introduces CloudFront changes and single-origin testing, increasing complexity.
Option C cannot be completed within 24 hours and risks downtime.
Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS WAF Web ACL Architecture
AWS Application Load Balancer Security

Question No : 14

A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.
Which solution will meet this requirement?

• A.Configure S3 bucket policies to deny DELETE and PUT object permissions.
• B.Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.
• C.Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.
• D.Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

답을 확인하기

정답:
Explanation:
Amazon S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection, which prevents objects from being modified or deleted for a specified retention period. According to the AWS Certified Security C Specialty Study Guide, compliance mode enforces immutability even for the root user and cannot be overridden.
Enabling S3 Object Lock requires S3 bucket versioning and ensures that once an object is written, it cannot be changed or removed until the retention period expires. This is the strongest protection against data modification and is commonly used for regulatory and legal retention requirements.
Option A can be bypassed by administrators.
Option D only protects against deletions, not overwrites.
Option C changes encryption but does not prevent modification.
AWS documentation explicitly identifies S3 Object Lock in compliance mode as the correct solution for immutable data storage.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon S3 Object Lock
Amazon S3 Data Protection and Compliance

Question No : 15

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.
Which solution will meet this requirement?

• A.Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.
• B.Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.
• C.Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.
• D.Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

답을 확인하기

정답:
Explanation:
AWS IAM Identity Center is the recommended service for centrally managing workforce access across multiple AWS accounts within an organization. According to AWS Certified Security C Specialty documentation, Amazon Q Developer integrates natively with IAM Identity Center as an AWS managed application.
By enabling IAM Identity Center and assigning Amazon Q Developer to users or groups, the company can centrally control access using permission sets and organizational boundaries. This approach provides centralized authentication, authorization, and auditing with minimal overhead.
Amazon Cognito is intended for customer and application user authentication, not workforce access to AWS services. Identity pools are not applicable to IAM Identity Center integrations.
AWS best practices clearly recommend IAM Identity Center for workforce access to AWS-managed applications.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS IAM Identity Center Integrations
Amazon Q Developer Access Management