Free Amazon SCS-C03 Exam Dumps Questions & Answers

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

• A.  Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
• B.  Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
• C.  Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
• D.  Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.
A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.
Which solution will meet these requirements?

• A.  Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.
• B.  Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.
• C.  Use AWS WAF to implement a rate-based rule for all incoming requests.
• D.  Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.
Which solution will meet this requirement?

• A.  Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.
• B.  Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an active DDoS event.
• C.  Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
• D.  Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an active DDoS event.

CloudFormation stack deployments fail for some users due to permission inconsistencies. Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.)

• A.  Create a composite principal service role.
• B.  Attach service ARNs in policy resources.
• C.  Allow iam:PassRole to the service role.
• D.  Create a service role with cloudformation.amazonaws.com as the principal.
• E.  Update each stack to use the service role.
• F.  Attach scoped policies to the service role.

A security engineer needs to implement a solution to determine whether a company's Amazon EC2 instances are being used to mine cryptocurrency. The solution must provide notifications of cryptocurrency-related activity to an Amazon Simple Notification Service (Amazon SNS) topic.
Which solution will meet these requirements?

• A.  Enable Amazon Inspector. Create an Amazon EventBridge rule to send alerts to the SNS topic when Amazon Inspector creates a finding that is associated with cryptocurrency-related activity.
• B.  Enable Amazon GuardDuty. Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.
• C.  Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.
• D.  Enable VPC flow logs. Send the flow logs to an Amazon S3 bucket. Set up a query in Amazon Athena to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure the Athena query to initiate alerts to the SNS topic.