SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 141:

    A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses.

    However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

    What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

    A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
    B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
    C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
    D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

  • Question 142:

    A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.

    What should the security engineer do to meet these requirements?

    A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
    B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
    C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
    D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

  • Question 143:

    A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

    The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

    A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The

    unauthorized session originates from 10.0.1.5. The company ' s incident response procedure requires

    unauthorized SSH sessions to beimmediately interrupted. The instance must remain running, and its memory must remain intact.

    Which solution will meet these requirements?

    A. Restart the EC2 instance from either the AWS Management Console or the AWS CLI.
    B. Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.
    C. Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.
    D. Update the route table to remove the route to the internet gateway.

  • Question 144:

    A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.

    What should the company do to set up the snapshot in us-west-1 with proper encryption?

    A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
    B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
    C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws: kms:us-west-1:* as the principal.
    D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn:aws:rds: us-west-1:* as the principal.

  • Question 145:

    A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization's management account.

    Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

    A. Grant least privilege access to the organization ' s management account.
    B. Create a new IAM Identity Center directory in the organization ' s management account.
    C. Set up a second AWS Region in the organization's management account.
    D. Create permission sets for use only in the organization ' s management account.
    E. Create IAM users for use only in the organization ' s management account.
    F. Create user assignments only in the organization ' s management account.

  • Question 146:

    A company ' s security team wants to receive email notification from AWS about any abuse reports regarding

    DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team ' s email address to the topic.

    What should the security engineer do next to meet these requirements?

    A. Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.
    B. Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event forAWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.
    C. Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.
    D. Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

  • Question 147:

    A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.

    Which solution meets these requirements?

    A. Enable Amazon Cognito threat protection.
    B. Restrict access to authenticated users only.
    C. Associate AWS WAF with the Cognito user pool.
    D. Monitor requests with CloudWatch.

  • Question 148:

    A company serves an application through Amazon CloudFront. The origin is an internet-facing Application Load Balancer with an AWS WAF web ACL associated with the CloudFront distribution. Users have discovered that they can bypass CloudFront and access the load balancer directly.

    A. Replace the load balancer with a NAT gateway and route CloudFront traffic through the NAT gateway.
    B. Disable TLS on the load balancer so that only CloudFront can negotiate HTTPS.
    C. Require CloudFront to add a shared secret header and configure the load balancer listener rules to allow only requests with that header.
    D. Add a security group rule that allows inbound traffic from all client IP addresses.

  • Question 149:

    A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

    The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB).

    The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

    Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

    Which solution will prevent the web clients from directly accessing the ALB?

    A. Create an AWS PrivateLink endpoint and set it as the CloudFront origin.
    B. Create a new internal ALB and delete the internet-facing ALB.
    C. Modify the ALB listener rules to allow only CloudFront IP ranges.
    D. Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

  • Question 150:

    A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

    - Database storage must be encrypted at rest.

    - Deletion protection must be enabled.

    - Databases must not be publicly accessible.

    - Database audit logs must be published to Amazon CloudWatch Logs.

    A security engineer must implement a solution thatcontinuously monitorsall Aurora MySQL resources for compliance with this policy. The solution must be able todisplay a database ' s compliance state for each part of the policy at any time.

    Which solution will meet these requirements?

    A. Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.
    B. Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.
    C. Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.
    D. Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.