SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 1:

    A security engineer needs to implement AWS IAM Identity Center with an external identity provider (IdP).

    Select and order the correct steps from the following list to meet this requirement. Select each step one time or not at all. (Select and order THREE.)

    . Configure the external IdP as the identity source in IAM Identity Center.

    . Create an IAM role that has a trust policy that specifies the IdP ' s API endpoint.

    . Enable automatic provisioning in IAM Identity Center settings.

    . Enable automatic provisioning in the external IdP.

    . Obtain the SAML metadata from IAM Identity Center.

    . Obtain the SAML metadata from the external IdP.

  • Question 2:

    A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

    Which solution will meet the requirements?

    A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
    B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
    C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
    D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.

  • Question 3:

    A GuardDuty finding indicates that temporary credentials from an EC2 instance profile are being used from an unexpected network location. The instance must continue serving traffic for a short period while the application team prepares a fix. The security engineer needs to stop the unauthorized API use immediately.

    A. Revoke the active sessions for the instance profile role and add a temporary deny condition if needed.
    B. Change the instance type to force the attacker to request new credentials.
    C. Remove inbound internet access to the instance security group only.
    D. Enable default encryption on all S3 buckets in the account.

  • Question 4:

    A security engineer is preparing an incident response runbook for compromised Amazon EC2 instances. The runbook must preserve evidence, keep a record of the incident identifier, prevent lateral movement, and capture volatile data without requiring inbound management ports.

    Which combination of steps should the runbook include? Choose three.

    A. Tag the instance with the incident identifier and create snapshots of attached Amazon EBS volumes.
    B. Use AWS Systems Manager Run Command or Session Manager logging to collect volatile evidence.
    C. Replace the instance security group with a restrictive isolation security group.
    D. Terminate the instance immediately so that malicious processes cannot continue running.
    E. Open SSH from the investigation workstation to install forensic tools interactively.
    F. Disable all CloudTrail trails until the investigation is complete.

  • Question 5:

    A security team manages a company ' s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
    B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
    C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
    D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

  • Question 6:

    A development organization deploys AWS CloudFormation templates through a CI/CD pipeline. The security team wants to stop templates that would create noncompliant infrastructure before the templates are deployed.

    A. Wait for AWS Config to evaluate the deployed resources and manually delete noncompliant stacks later.
    B. Review CloudTrail logs weekly to identify templates that created noncompliant resources.
    C. Enable GuardDuty and treat every template deployment as a threat finding.
    D. Add AWS CloudFormation Guard checks to the pipeline and fail the deployment when a template violates policy rules.

  • Question 7:

    A company uses AWS Organizations to manage its AWS accounts in a single organization. The company applies the FullAWSAccess SCP to every OU. However, now the company must explicitly deny specific services. The company needs a solution that restricts any users in the organization from using the explicitly denied services.

    Additionally, the solution must enforce all Amazon S3 buckets across the organization to have a minimum TLS version of 1.2. The company requires a central solution that applies to all existing accounts and any new accounts that the company creates in the future.

    Which solution will meet these requirements?

    A. Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.
    B. Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach the SCP to the root OU. Attach the RCP to each account within the organization.
    C. Create an SCP deny statement to disallow s3:* where the TLS version is less than 1.2. Create an RCP that denies a list of services that are restricted in the organization. Attach both policies to the root OU.
    D. Create an SCP that denies a list of services that are restricted in the organization. Create a declarative policy to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

  • Question 8:

    A security engineer is troubleshooting an AWS Lambda function that is namedMyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is namedDOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

    {

    " Effect " : " Allow " ,

    " Principal " : { " Service " : " lambda.amazonaws.com " },

    " Action " : " s3:GetObject " ,

    " Resource " : " arn:aws:s3:::DOC-EXAMPLE-BUCKET " ,

    " Condition " : {

    " ArnLike " : {

    " aws:SourceArn " : " arn:aws:lambda:::function:MyLambdaFunction "

    }

    }

    }

    Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

    A. Remove the Condition element. Change the Principal element to the following:{ " AWS " : " arn:aws: lambda:::function:MyLambdaFunction " }
    B. Change the Action element to the following:[ " s3:GetObject* " , " s3:GetBucket* " ]
    C. Change the Resource element to " arn:aws:s3:::DOC-EXAMPLE-BUCKET/* " .
    D. Change the Resource element to " arn:aws:lambda:::function:MyLambdaFunction " . Change the Principal element to the following:{ " Service " : " s3.amazonaws.com " }

  • Question 9:

    A company uses AWS to run a web application that manages ticket sales in several countries. The company recently migrated the application to an architecture that includes Amazon API Gateway, AWS Lambda, and Amazon Aurora Serverless. The company needs the application to comply with Payment Card Industry Data Security Standard (PCI DSS) v4.0. A security engineer must generate a report that shows the effectiveness of the PCI DSS v4.0 controls that apply to the application. The company ' s compliance team must be able to add manual evidence to the report.

    Which solution will meet these requirements?

    A. Enable AWS Trusted Advisor. Configure all the Trusted Advisor checks. Manually map the checks against the PCI DSS v4.0 standard to generate the report.
    B. Enable and configure AWS Config. Deploy the Operational Best Practices for PCI DSS conformance pack in AWS Config. Use AWS Config to generate the report.
    C. Enable AWS Security Hub. Enable the Security Hub PCI DSS security standard. Use the AWS Management Console to download the report from the security standard.
    D. Create an AWS Audit Manager assessment that uses the AWS managed PCI DSS v4.0 standard framework. Add all evidence to the assessment. Generate the report in Audit Manager for download.

  • Question 10:

    A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.

    What should the security engineer do to meet these requirements?

    A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
    B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
    C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
    D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.