SCS-C03 Free Practice Test

A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR.
Which solution will prevent vulnerable images from being pushed?

1. A. Enable ECR enhanced scanning with Lambda blocking.
2. B. Use Amazon Inspector with EventBridge and Lambda.
3. C. Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline on critical findings.
4. D. Enable basic continuous ECR scanning.

Correct Answer: C

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.
Which solution will meet this requirement?

1. A. Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.
2. B. Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.
3. C. Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.
4. D. Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Correct Answer: A

A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.
The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails.
The error message reports insufficient IAM permissions.
What is the FIRST step that a security engineer should take to troubleshoot this issue?

1. A. Review the AWS CloudTrail logs in the account in the Production O
2. B. Search for any failed API calls from CloudFormation during the deployment attempt.
3. C. Remove all the SCPs that are attached to the Production O
4. D. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
5. E. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.
6. F. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Correct Answer: A

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.
Which solution will meet these requirements?

1. A. Configure CloudFront standard logging and CloudWatch Logs metric filters.
2. B. Configure VPC Flow Logs and CloudWatch Logs metric filters.
3. C. Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.
4. D. Configure an AWS WAF web ACL with a rate-based rul
5. E. Associate it with CloudFron
6. F. Create a CloudWatch alarm to notify SNS.

Correct Answer: D

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket. Which solution will provide the application with AWS credentials to make S3 API calls?

1. A. Integrate with Cognito identity pools and use GetId to obtain AWS credentials.
2. B. Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.
3. C. Integrate with Cognito user pools and use the ID token to obtain AWS credentials.
4. D. Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Correct Answer: B