SCS-C03 Leak Questions

AWS Certified Security – Specialty Questions and Answers

Question 5

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

Options:

Create a new customer managed key in AWS Key Management Service (AWS KMS).

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).

Configure the PHP SDK to use the SSE-S3 key before upload.

Create an AWS managed key for Amazon S3 in AWS KMS.

Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).

Change all the S3 objects in the bucket to use the new encryption key.

Question 6

A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

Options:

Delegate Amazon Macie and Security Hub administration.

Use Amazon Inspector with Security Hub.

Use Inspector with Trusted Advisor.

Use Macie with Trusted Advisor.

Question 7

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

Modify the route tables for the public subnets to add a local route to the VPC CIDR range.

Modify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.

Modify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.

Question 8

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Configure the S3 Block Public Access feature for the AWS account.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

Deactivate ACLs for objects that are in the bucket.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Answer:

Explanation:

Amazon S3 Block Public Access configured at the AWS account level is the recommended and most effective approach to protect data stored in Amazon S3 while minimizing operational overhead. AWS Security Specialty documentation explains that S3 Block Public Access provides centralized, preventative controls designed to block public access to S3 buckets and objects regardless of individual bucket policies or object-level ACL configurations. When enabled at the account level, these controls automatically apply to all existing and newly created buckets, significantly reducing the risk of accidental exposure caused by misconfigured permissions.

The AWS Certified Security – Specialty Study Guide emphasizes that public access misconfiguration is a leading cause of data leaks in cloud environments. Account-level S3 Block Public Access acts as a guardrail by overriding any attempt to grant public permissions through bucket policies or ACLs. This eliminates the need to manage security settings on a per-bucket or per-object basis, thereby reducing administrative complexity and human error.

Configuring Block Public Access at the object level, as in option B, requires continuous monitoring and manual configuration, which increases operational overhead. Disabling ACLs alone, as described in option C, does not fully prevent public access because bucket policies can still allow public permissions. Using AWS PrivateLink, as in option D, controls network access but does not protect against public exposure through misconfigured S3 policies.

AWS security best practices explicitly recommend enabling S3 Block Public Access at the account level as the primary mechanism for preventing unintended public data exposure with minimal management effort.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Security Best Practices Documentation

Amazon S3 Block Public Access Overview

AWS Well-Architected Framework – Security Pillar

New Year Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

AWS Certified Security – Specialty Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce