SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 121:

    A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.

    Which solution will meet these requirements with the LEAST amount of effort?

    A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge to send an Amazon SNS notification to the security team.
    B. Create a script to export a.csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the.csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the.csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon SNS notification to the security team.
    C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge. Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon SNS notification to the security team.
    D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an SNS notification to the security team if the value is at least 90 days old. Create an EventBridge rule to schedule the Lambda function to run each day.

  • Question 122:

    A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B. The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.

    Which solution will meet these requirements?

    A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.
    B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.
    C. Create a VPC peering connection between the VPC in Account A and the VPC in Account
    D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.

  • Question 123:

    A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

    The ALB is in public subnets that are associated with a network ACL named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

    Which set of network ACL changes will increase the security of the application while ensuring functionality?

    A. Make the following changes to NACL3:- Add a rule that allows inbound traffic on port 5432 from NACL2. - Add a rule that allows outbound traffic on ports 1024-65536 to NACL2. - Remove the default rules that allow all inbound and outbound traffic.
    B. Make the following changes to NACL3:- Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets. - Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets. - Remove the default rules that allow all inbound and outbound traffic.
    C. Make the following changes to NACL2:- Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets. - Remove the default rules that allow all inbound and outbound traffic.
    D. Make the following changes to NACL2:- Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets. - Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

  • Question 124:

    A company ' s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket.

    The datasets contain sensitive information.

    On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company ' s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.

    Which action should a security engineer take to enforce this data retention policy?

    A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
    B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
    C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
    D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

  • Question 125:

    A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances. A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.

    Which solution will meet these requirements?

    A. Use AWS WAF to implement a rate-based rule for all incoming requests.
    B. Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.
    C. Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.
    D. Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

  • Question 126:

    A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. Because of expansion, the company adds resources in multiple Regions.

    The security engineer notices that the logs from the new Regions are not reaching the S3 bucket.

    What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

    A. Create a new CloudTrail trail. Select the new Regions where the company added resources.
    B. Change the S3 bucket to receive notifications to track all actions from all Regions.
    C. Create a new CloudTrail trail that applies to all Regions.
    D. Change the existing CloudTrail trail so that it applies to all Regions.

  • Question 127:

    A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

    Which solution will meet these requirements?

    A. Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.
    B. Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction only when the object has server-side encryption with S3 managed keys (SSE-S3).
    C. Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.
    D. Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

  • Question 128:

    A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

    Which solution will meet these requirements in the MOST operationally efficient manner?

    A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
    C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

  • Question 129:

    A security engineer needs to prepare for a security audit of an AWS account.

    Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

    - AWS Artifact reports

    - AWS Audit Manager controls

    - AWS Config conformance packs

    - AWS Config rules

    - Amazon Detective investigations

    - AWS Identity and Access Management Access Analyzer internal access analyzers

  • Question 130:

    A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company ' s existing and future S3 buckets.

    Which solution will meet these requirements?

    A. Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
    B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
    C. Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
    D. Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.