SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 131:

    A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

    A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

    A. Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.
    B. Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.
    C. Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.
    D. Generate presigned URLs that expire after 72 hours.

  • Question 132:

    A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud.

    The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

    The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

    Which solution will meet this requirement?

    A. Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.
    B. Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.
    C. Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.
    D. Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.

  • Question 133:

    A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

    Which solution meets these requirements with the LEAST operational effort?

    A. Designate a GuardDuty administrator account and enable protections.
    B. Centralize CloudWatch logs and use Inspector.
    C. Centralize CloudTrail logs and query with Athena.
    D. Stream logs to Kinesis and process with Lambda.

  • Question 134:

    A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template.

    The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.

    Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?

    A. Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.
    B. Create a cross-account IAM role with a unique external ID in each AWS account. Assume the cross-account role to deploy the template.
    C. Package the template as an AWS Service Catalog product. Log in to each account and provision the product to each account.
    D. Set up AWS CodePipeline in each account. Configure a pipeline to pull the template from an Amazon S3 bucket in the Organizations management account.

  • Question 135:

    A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key.

    Which solution will meet these requirements?

    A. Use IAM explicit deny for EC2 instance profiles and allow for Lambda roles.
    B. Use a KMS key policy with kms:ViaService conditions to allow Lambda usage and deny EC2 usage.
    C. Use aws:SourceIp and aws:AuthorizedService condition keys in the KMS key policy.
    D. Use an SCP to deny EC2 and allow Lambda.

  • Question 136:

    A company uses AWS Organizations to manage the company's AWS accounts. The company's security team needs to implement preventive controls to deny the use of account-level root credentials. The solution must minimize the risk that an AWS account root user could be compromised. The solution must also minimize the effort needed to manage root access.

    Which solution will meet these requirements?

    A. Create an AWS Lambda function to disable the root user in every member account. Enable the root account only if the company needs it to modify settings related to centralized billing or the recovery of AWS KMS keys.
    B. Enable centralized root access management in IAM. Remove long-term root credentials in the member accounts. Create a company policy that requires employees to use Organizations to create new accounts.
    C. Enable centralized root access management through AWS Security Hub CSPM. Remove long-term root credentials in the member accounts. Configure new accounts to be created without root credentials in Security Hub CSPM.
    D. Configure an SCP to explicitly deny all actions when the principal is the root user of an account for all member accounts. Require that member account root users have MFA enabled. Require that root credentials are rotated on a regular schedule.

  • Question 137:

    A company's application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company's security policy requires separate keys for different AWS services to limit security exposure.

    How can a security engineer limit the KMS customer managed key to work with only Amazon S3?

    A. Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.
    B. Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.
    C. Configure the application's IAM role policy to allow Amazon S3 to perform the iam:PassRole action.
    D. Configure the application's IAM role policy to allow only S3 operations when the operations arecombined with the KMS customer managed key.

  • Question 138:

    A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

    Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

    A. Create a new customer managed key in AWS Key Management Service (AWS KMS).
    B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).
    C. Configure the PHP SDK to use the SSE-S3 key before upload.
    D. Create an AWS managed key for Amazon S3 in AWS KMS.
    E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managedkeys (SSE-KMS).
    F. Change all the S3 objects in the bucket to use the new encryption key.

  • Question 139:

    A company uses an external identity provider with IAM Identity Center. The security team needs emergency access if the identity provider is unavailable. Emergency activity must be attributable to individual administrators and must allow cross-account recovery actions.

    A. Share a single root user password among the incident response team and rotate it after each incident.
    B. Create individual break-glass IAM users with MFA and tightly scoped ability to assume emergency roles in member accounts.
    C. Create one generic IAM user named emergency-admin and allow every responder to use it.
    D. Store access keys for every production role in a shared encrypted file.

  • Question 140:

    A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB).

    The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent.

    A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers.

    Which rule statement will meet these requirements?

    A. Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
    B. Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
    C. Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
    D. Use a string match rule statement that includes details of the IoT device brand from the user agent.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.