SCS-C03 Free Practice Test

A company is planning to migrate its applications to AWS in a single AWS Region. The company??s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:
• Data must be encrypted at rest.
• Data must be encrypted in transit.
• Endpoints must be monitored for anomalous network traffic.
Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

1. A. Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.
2. B. Enable Amazon GuardDuty in all AWS accounts.
3. C. Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.
4. D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.
5. E. Use AWS Key Management Service (AWS KMS) for key managemen
6. F. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side- encryption.
7. G. Use AWS Key Management Service (AWS KMS) for key managemen
8. H. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side- encryption.

Correct Answer: BDF

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.
Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

1. A. Create a new customer managed key in AWS Key Management Service (AWS KMS).
2. B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).
3. C. Configure the PHP SDK to use the SSE-S3 key before upload.
4. D. Create an AWS managed key for Amazon S3 in AWS KMS.
5. E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).
6. F. Change all the S3 objects in the bucket to use the new encryption key.

Correct Answer: AEF

A company stores infrastructure and application code in web-based, third-party, Git- compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company's AWS account by using OpenID Connect (OIDC).
Which solution will meet these requirements?

1. A. Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federatio
2. B. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
3. C. Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OID
4. D. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
5. E. Set up an account instance of AWS IAM Identity Cente
6. F. Configure access to the code repositories as a customer managed OIDC applicatio
7. G. Grant the application access to the IAM role.
8. H. Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OID
9. I. Limit the resource share to the specified code repositorie
10. J. Grant the IAM role access to the resource share.

Correct Answer: A

A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office.
The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.
Which solution will meet these requirements?

1. A. Install EC2 Instance Connect on the EC2 instance
2. B. Update the IAM policy for the IAM role to grant the required permission
3. C. Use the AWS CLI to open a tunnel to connect to the instances.
4. D. Install EC2 Instance Connect on the EC2 instance
5. E. Configure the instances to permit access to the ec2-instance-connect command use
6. F. Use the AWS Management Console to connect to the EC2 instances.
7. G. Create an EC2 Instance Connect endpoint in the VP
8. H. Configure an appropriate security group to allow access between the EC2 instances and the endpoin
9. I. Use the AWS CLI to open a tunnel to connect to the instances.
10. J. Create an EC2 Instance Connect endpoint in the VP
11. K. Configure an appropriate security group to allow access between the EC2 instances and the endpoin
12. L. Use the AWS Management Console to connect to the EC2 instances.

Correct Answer: D

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.
Which solution meets these requirements with the LEAST operational effort?

1. A. Designate a GuardDuty administrator account and enable protections.
2. B. Centralize CloudWatch logs and use Inspector.
3. C. Centralize CloudTrail logs and query with Athena.
4. D. Stream logs to Kinesis and process with Lambda.

Correct Answer: A