SCS-C03 시험 - Amazon실제시험문제와 답 - 390문항

Question No : 1

A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail.
Which solution will meet these requirements?

A.Use Amazon Detective to investigate IAM roles and visualize findings.
B.Use Amazon Inspector and CloudWatch dashboards.
C.Export GuardDuty findings to S3 and analyze with Athena.
D.Use Security Hub custom actions to investigate IAM roles.

정답:
Explanation:
Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security C Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.
Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles
were used during suspicious activity.
Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.
AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon Detective Investigation Capabilities
AWS Threat Detection and Analysis

Question No : 2

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.
Which solution will quarantine EC2 instances during a security incident?

A.Track SSM Agent versions with AWS Config.
B.Configure Session Manager to deny external connections.
C.Store the script in Amazon S3 and grant read access.
D.Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

정답:
Explanation:
AWS Systems Manager Run Command enables secure, remote execution of commands on EC2 instances without requiring network access or inbound ports. According to the AWS Certified Security C Specialty Study Guide, Run Command is a recommended mechanism for incident response actions such as installing forensic tools, collecting evidence, or applying quarantine controls.
By granting the SSM Agent permission to execute a predefined Run Command document, the security engineer can immediately run the quarantine script across affected instances. This approach supports automation, scalability, and auditability, all of which are critical during security incidents.
Options A, B, and C do not directly enforce quarantine or execute response actions. Tracking versions and storing scripts alone do not trigger incident response.
AWS documentation highlights Systems Manager Run Command as a core capability for automated containment and investigation.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Systems Manager Run Command
AWS Incident Response Automation

Question No : 3

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.
What should the company do to properly encrypt the snapshot in us-west-1?

A.Store the customer managed key in AWS Secrets Manager in us-west-1.
B.Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.
C.Create an IAM policy to allow access to the key in us-east-1 from us-west-1.
D.Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

정답:
Explanation:
AWS KMS keys are strictly regional resources. According to AWS Certified Security C Specialty documentation, a KMS key created in one Region cannot be used to encrypt or decrypt data in another Region. This includes encrypted RDS and Aurora snapshots.
When copying an encrypted snapshot to a different Region, the destination Region must have its own
KMS key. AWS automatically re-encrypts the snapshot using the specified KMS key in the destination
Region during the copy operation.
Options C and D are invalid because IAM policies cannot extend a KMS key’s scope across Regions.
Option A is incorrect because Secrets Manager does not store or manage KMS keys themselves.
AWS best practices require creating a new customer managed key in the target Region and using it during the snapshot copy process.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS KMS Regional Key Limitations
Amazon RDS Encrypted Snapshot Copy

Question No : 4

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

A.The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
B.The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
C.The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
D.The version of the Lambda function that was invoked was not current.

정답:
Explanation:
AWS Lambda automatically sends function execution logs to Amazon CloudWatch Logs when logging is enabled in the function code. However, this logging capability depends on the Lambda execution role having the appropriate permissions. According to the AWS Certified Security C Specialty Study Guide, the execution role must include permissions such as logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.
If these permissions are missing, Lambda cannot create log groups or streams, and no execution logs will appear in CloudWatch Logs―even though the function was successfully invoked. This is the most common reason Lambda logs are unavailable during forensic investigations.
Option B is incorrect because Lambda logs are stored in CloudWatch Logs regardless of whether the invocation source is API Gateway, EventBridge, or another AWS service. Option C is incorrect because CloudWatch Logs does not require direct S3 permissions from the Lambda execution role. Option D is irrelevant because Lambda versions do not affect logging behavior.
AWS documentation emphasizes verifying execution role permissions as a first step when Lambda logs are missing.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Lambda Execution Roles
Amazon CloudWatch Logs Integration with Lambda

Question No : 5

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.
Which solution will meet these requirements MOST cost-effectively?

A.Use AWS WAF IP match rules.
B.Use AWS WAF geo match rules.
C.Use CloudFront geo restriction to deny the countries.
D.Use geolocation headers in CloudFront.

정답:
Explanation:
Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security C Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.
AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.
CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon CloudFront Geo Restriction
AWS Edge Security Best Practices

Question No : 6

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.
Which solution will meet these requirements?

A.Use AWS Audit Manager with a custom framework.
B.Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.
C.Use AWS Security Hub configuration policies.
D.Use EventBridge and Lambda with custom metrics.

정답:
Explanation:
AWS Config is the AWS service designed to continuously evaluate resource configurations against defined rules. According to the AWS Certified Security C Specialty Study Guide, AWS Config managed rules exist specifically to check database encryption, public accessibility, deletion protection, and log exports for Amazon RDS and Aurora.
AWS Config provides a real-time compliance timeline and displays the compliance state of each resource against each rule at any point in time. This granular visibility is required to assess ongoing compliance with security policies.
Audit Manager generates reports but does not provide continuous compliance monitoring. Security Hub aggregates findings but does not track configuration drift. EventBridge and Lambda introduce unnecessary complexity.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Config Managed Rules for RDS
AWS Continuous Compliance Monitoring

Question No : 7

A company’s web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.
Which set of actions will identify the suspect attacker’s IP address for future occurrences?

A.Configure VPC Flow Logs and search for PHP file activity.
B.Install the CloudWatch agent on the ALB and export application logs.
C.Export ALB access logs to Amazon OpenSearch Service and search them.
D.Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

정답:
Explanation:
AWS WAF logs contain detailed request-level information, including source IP addresses, requested URIs, and rule matches. According to AWS Certified Security C Specialty guidance, enabling AWS WAF logging provides the most reliable and tamper-resistant method to investigate web-based attacks, especially when instance-level logs are unavailable.
By streaming WAF logs through Amazon Kinesis Data Firehose to Amazon S3, the company ensures durable, centralized log storage that is independent of EC2 lifecycle events. Amazon Athena can then query the logs efficiently to identify repeated requests to the new-user-creation.php endpoint and extract attacker IP addresses.
VPC Flow Logs do not capture HTTP-level details. ALB access logs alone may not capture blocked requests. WAF logs provide the best forensic visibility for future detection.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS WAF Logging and Monitoring
Amazon Athena Log Analysis

Question No : 8

A security engineer discovers that a company's user passwords have no required minimum length.
The company uses the following identity providers (IdPs):
• AWS Identity and Access Management (IAM) federated with on-premises Active Directory
• Amazon Cognito user pools that contain the user database for an AWS Cloud application
Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

A.Update the password length policy in the IAM configuration.
B.Update the password length policy in the Amazon Cognito configuration.
C.Update the password length policy in the on-premises Active Directory configuration.
D.Create an SCP in AWS Organizations to enforce minimum password length.
E.Create an IAM policy with a minimum password length condition.

정답:
Explanation:
Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security C Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.
Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.
IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS IAM Federation and Password Policies
Amazon Cognito User Pool Security Settings

Question No : 9

A company's security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team.
What should the security engineer do next?

A.Poll Trusted Advisor for abuse notifications by using a Lambda function.
B.Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SN
C.Poll the AWS Support API for abuse cases by using a Lambda function.
D.Detect abuse reports by using CloudTrail logs and CloudWatch alarms.

정답:
Explanation:
AWS abuse notifications are delivered as AWS Health events. According to the AWS Certified Security
C Specialty Study Guide, Amazon EventBridge integrates natively with AWS Health and can be used to detect specific event types such as AWS_ABUSE_DOS_REPORT in near real time.
By creating an EventBridge rule that filters for the abuse report event type and publishes directly to Amazon SNS, the solution remains fully managed, low latency, and cost effective.
Polling APIs introduces delay and complexity. CloudTrail does not log abuse notifications.
EventBridge with AWS Health is the recommended mechanism for reacting to AWS service events.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Health and EventBridge Integration
AWS Abuse Notification Handling

Question No : 10

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.
Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

A.Use an IP set match rule statement.
B.Use a geographic match rule statement.
C.Use a rate-based rule statement.
D.Use a string match rule statement on the user agent.

정답:
Explanation:
AWS WAF string match rule statements allow inspection of HTTP headers, including the User-Agent header. According to AWS Certified Security C Specialty guidance, when malicious traffic can be uniquely identified by a consistent request attribute, such as a device-specific user agent, a string match rule provides precise mitigation with minimal false positives.
IP-based blocking is ineffective for globally distributed botnets. Geographic blocking risks denying access to legitimate users. Rate-based rules limit request volume but do not prevent low-and-slow attacks.
By matching the unique IoT device brand in the User-Agent header, the security engineer can block only malicious requests while preserving customer access.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS WAF Rule Statements
AWS DDoS Mitigation Best Practices

Question No : 11

A company's security engineer receives an abuse notification from AWS indicating that malware is
being hosted from the company’s AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization.
Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)

A.Encrypt all AWS CloudTrail logs.
B.Turn on Amazon GuardDuty.
C.Change the password for all IAM users.
D.Rotate or delete all AWS access keys.
E.Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
F.Delete any resources that are unrecognized or unauthorized.

정답:
Explanation:
AWS incident response guidance emphasizes immediate containment, credential invalidation, and removal of malicious resources. According to the AWS Certified Security C Specialty documentation, compromised credentials must be rotated or deleted immediately to prevent further unauthorized actions. Rotating or deleting access keys directly mitigates ongoing abuse.
Deleting unrecognized or unauthorized resources, such as the malicious S3 bucket, removes the active threat and limits further damage. Enabling Amazon GuardDuty provides continuous monitoring and helps identify additional compromised resources or malicious behavior that may not yet be visible.
Changing passwords for all IAM users is disruptive and unnecessary if compromise scope is limited. Encrypting CloudTrail logs does not reduce active impact. Taking EBS snapshots is primarily for forensic investigation, not immediate consequence minimization.
AWS best practices recommend GuardDuty activation, credential rotation, and removal of malicious resources as first-response actions.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS Incident Response Best Practices
Amazon GuardDuty Threat Detection

Question No : 12

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.
The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.
Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

A.Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
B.Configure AWS Glue and Amazon Athena to query the log files.
C.Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
D.Configure Amazon CloudWatch Logs Insights to query the log files.
E.Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

정답:
Explanation:
Amazon CloudWatch Logs is designed to collect, store, and analyze log data from ephemeral compute resources such as EC2 instances in Auto Scaling groups. According to the AWS Certified Security C Specialty Study Guide, using the CloudWatch agent to stream logs off instances ensures log durability even when instances are terminated during scale-in events.
CloudWatch Logs Insights provides a fully managed, serverless query engine that enables ad hoc querying, filtering, and aggregation of log data without requiring additional infrastructure. This directly satisfies the requirement to query logs for application sessions and user troubleshooting.
Option A introduces operational risk because logs could be lost between cron executions. Option B requires additional services and data pipelines, increasing cost and complexity. Option E adds storage cost and management overhead and is not necessary for log analytics.
AWS best practices recommend CloudWatch Logs and Logs Insights as the most cost-effective and scalable solution for centralized log retention and analysis in Auto Scaling environments.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon CloudWatch Logs and Logs Insights
AWS Logging Best Practices

Question No : 13

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.
Which solution meets these requirements with the LEAST operational effort?

A.Designate a GuardDuty administrator account and enable protections.
B.Centralize CloudWatch logs and use Inspector.
C.Centralize CloudTrail logs and query with Athena.
D.Stream logs to Kinesis and process with Lambda.

정답:
Explanation:
Amazon GuardDuty provides fully managed threat detection across accounts when configured with delegated administration. EKS and RDS protections enable workload-aware detection with minimal setup.
Other solutions require custom pipelines and higher operational overhead.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon GuardDuty Multi-Account Architecture

Question No : 14

CloudFormation stack deployments fail for some users due to permission inconsistencies.
Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.)

A.Create a composite principal service role.
B.Create a service role with cloudformation.amazonaws.com as the principal.
C.Attach scoped policies to the service role.
D.Attach service ARNs in policy resources.
E.Update each stack to use the service role.
F.Allow iam:PassRole to the service role.

정답:
Explanation:
AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
AWS CloudFormation Service Roles

Question No : 15

A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.
Which solution meets these requirements?

A.Enable Amazon Cognito threat protection.
B.Restrict access to authenticated users only.
C.Associate AWS WAF with the Cognito user pool.
D.Monitor requests with CloudWatch.

정답:
Explanation:
Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.
AWS WAF cannot be directly associated with Cognito user pools.
Referenced AWS Specialty Documents:
AWS Certified Security C Specialty Official Study Guide
Amazon Cognito Threat Protection

Amazon SCS-C03 시험