SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 111:

    A company uses an organization in AWS Organizations to manage multiple AWS accounts. A security engineer creates a WAF policy in AWS Firewall Manager in the us-east-1 Region. The security engineer sets the policy scope to apply to resources that are tagged withWAF-protected:truein one of the member

    accounts in the organization. The security engineer sets up a configuration to automatically remediate any noncompliant resources. In a member account, the security engineer attempts to protect an Amazon API Gateway REST API in the us-east-1 Region by using a web ACL. However, after several minutes, the REST API is still not associated with the web ACL.

    What is the likely cause of this issue?

    A. Web ACLs cannot be applied to REST APIs.
    B. The REST API is missing a tag that includes theWAF-protectedkey and a value oftrue.
    C. The web ACL is already associated with another REST API.
    D. The web ACL is already associated with an Amazon CloudFront distribution.

  • Question 112:

    A consulting firm needs temporary access to a company's production account to perform a security assessment. The firm has its own AWS account. The company requires MFA and does not allow long-term IAM users in the production account for consultants.

    A. Create an IAM user in the production account for each consultant and email the initial passwords.
    B. Create an IAM role in the production account that trusts the consulting firm's account and requires MFA in the trust policy.
    C. Create access keys for the production account root user and store them in a shared password vault.
    D. Add the consulting firm's account root user to every production account resource policy.

  • Question 113:

    A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.

    The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.

    How should the security engineer configure the rule to protect the NLB?

    A. Configure the rule to use theCountaction.
    B. Configure the rule to use theBlockaction.
    C. Configure the rule to use theMonitoraction.
    D. Configure the rule to use theAllowaction.

  • Question 114:

    A security team manages a company's AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team ' s software process with access to the keys.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
    B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
    C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
    D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

  • Question 115:

    A CloudFormation template needs to configure an application with database credentials. The company already stores the credentials in AWS Secrets Manager and uses AWS KMS for encryption. The template must not contain plaintext credentials.

    A. Store the plaintext password in a template parameter and mark the parameter description as confidential.
    B. Use a dynamic reference in the CloudFormation template to retrieve the secret value at deployment time.
    C. Put the password in the template metadata section and restrict read access to the stack events.
    D. Encode the password with base64 in the template and decode it in user data.

  • Question 116:

    A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center.

    In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets.

    A security engineer must implement a solution to prevent the deletion of the CloudFormation stack.

    Which solution will meet this requirement?

    A. Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:UpdateTerminationProtection action for the stack's ARN. Apply the SCP to the root of the organization.
    B. Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack's ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.
    C. Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:DeleteStack action for the stack's ARN. Attach the IAM policy to all IAM users and roles in the organization's management account.
    D. Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation: UpdateStack action for the stack's ARN. Apply the SCP to all OUs and the organization's management account.

  • Question 117:

    A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

    Which solution will meet this requirement with the LEAST effort?

    A. Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.
    B. Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.
    C. Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.
    D. Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

  • Question 118:

    A platform team creates application roles for developers in multiple accounts. The security team wants developers to create and manage resources only within an approved permission envelope, even if a developer can attach policies to roles that the developer creates.

    A. Store all developer credentials in AWS Secrets Manager and rotate them daily.
    B. Use AWS Shield Advanced to block API calls that create privileged roles.
    C. Require a permissions boundary on developer-created roles and deny role creation when the boundary is missing.
    D. Enable S3 Block Public Access on every account.

  • Question 119:

    A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

    The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy.

    Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required

    S3 buckets.

    The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that isoutside the company's AWS Organization. The processing job must continue to function.

    Which solution will meet these requirements?

    A. Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws: PrincipalOrgId match the company's organization.
    B. Update the instance profile role policy to require aws:ResourceOrgId.
    C. Add a network ACL rule to block outbound traffic on port 443.
    D. Apply an SCP that restricts S3 actions using organization condition keys.

  • Question 120:

    A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

    What should the security engineer do to meet these requirements?

    A. Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.
    B. In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.
    C. Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws: SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.
    D. Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.