SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 101:

    A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident.

    AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

    Which solution will quarantine EC2 instances during a security incident?

    A. Track SSM Agent versions with AWS Config.
    B. Configure Session Manager to deny external connections.
    C. Store the script in Amazon S3 and grant read access.
    D. Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

  • Question 102:

    A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer. The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

    The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon CloudWatch Logs as the destination.

    Which additional set of steps should the security engineer take to meet the requirements?

    A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
    B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
    C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
    D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

  • Question 103:

    A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

    Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

    A. Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
    B. Create an AWS Secrets Manager secret and specify the key-value pairs to be stored in this secret.
    C. Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
    D. Add a policy statement to the container instance IAM role that allows ssm:GetParameters, secretsmanager:GetSecretValue, and kms:Decrypt for the required secret and KMS key.
    E. Add a policy statement to the task role or task execution role that allows ssm:GetParameters, secretsmanager:GetSecretValue, and kms:Decrypt for the required secret and KMS key.
    F. Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.

  • Question 104:

    A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

    What is the MOST efficient way to implement this solution?

    A. Use AWS Config with a managed rule to initiate the AWS-EnableCloudTrail remediation.
    B. Create an Amazon EventBridge event with a cloudtrail.amazonaws.com event source and a StartLogging event name to invoke an AWS Lambda function to call the StartLogging API.
    C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to invoke an AWS Lambda function to call the StartLogging API.
    D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.

  • Question 105:

    A company wants to deploy an application in a private VPC that will not be connected to the internet. The company's security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.

    Which combination of steps should the security team take? (Select THREE.)

    A. Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
    B. Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
    C. Create an SCP that prevents the creation of SSH key pairs.
    D. Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
    E. Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
    F. Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

  • Question 106:

    A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

    Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

    A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.
    B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.
    C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
    D. Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

  • Question 107:

    A company sends Apache logs from EC2 Auto Scaling instances to a CloudWatch Logs log group with 1- year retention. A suspicious IP address appears in logs. A security engineer needs to analyze the past week of logs to count requests from that IP and list requested URLs.

    What should the engineer do with the LEAST effort?

    A. Export to S3 and use Macie.
    B. Stream to OpenSearch and analyze.
    C. Use CloudWatch Logs Insights with queries.
    D. Export to S3 and use AWS Glue.

  • Question 108:

    A company is running a dynamic website by using an Application Load Balancer (ALB). A security engineer notices that bots from different IP addresses are using brute-force attacks to invoke a service endpoint frequently.

    What is the FASTEST way to mitigate this problem?

    A. Create an AWS Lambda function to process ALB logs. Block the bots' IP addresses in the ALB's security group.
    B. Create an AWS WAF web ACL for the ALB. Add a rate-based rule to the web ACL to block the bots.
    C. Create an ALB listener rule. Combine source-ip and path-pattern as the conditions to match bots. Specify a fixed-response action to return an HTTP 403 status.
    D. Create an AWS WAF web ACL for the ALB. Add a rate-based rule to a rule group to block the bots. Attach the rule to the web ACL.

  • Question 109:

    A company requires a specific software application to be installed on all new and existing Amazon EC2 instances across an AWS Organization. SSM Agent is installed and active.

    How can the company continuously monitor deployment status of the software application?

    A. Use AWS Config organization-wide with the ec2-managedinstance-applications-required managed rule and specify the application name.
    B. Use approved AMIs rule organization-wide.
    C. Use Distributor package and review output.
    D. Use Systems Manager Application Manager inventory filtering.

  • Question 110:

    A company needs to scan all AWS Lambda functions for code vulnerabilities.

    A. Use Amazon Macie.
    B. Enable Amazon Inspector Lambda scanning.
    C. Use GuardDuty and Security Hub.
    D. Use GuardDuty Lambda Protection.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.