SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 151:

    A company ' s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company ' s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

    Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.)

    A. Encrypt all AWS CloudTrail logs.
    B. Turn on Amazon GuardDuty.
    C. Change the password for all IAM users.
    D. Rotate or delete all AWS access keys.
    E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
    F. Delete any resources that are unrecognized or unauthorized.

  • Question 152:

    A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

    The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

    Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

    A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
    B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
    C. Modify the route tables for the public subnets to add a local route to the VPC CIDR range.
    D. Modify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.
    E. Modify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.

  • Question 153:

    A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU. Except for some desired global services, the AWS usage must occur only in theeu-west-1Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.

    Which SCP will meet these requirements?

    A. Deny with NotAction, but uses StringEquals for aws:RequestedRegion = eu-west-1
    B. Allow with Action, scoped to desired global services in eu-west-1
    C. Deny with NotAction for desired global services, and StringNotEquals aws:RequestedRegion = eu-west-1
    D. Allow with NotAction and StringNotEquals aws:RequestedRegion = eu-west-1

  • Question 154:

    A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.

    The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU.

    When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails. The error message reports insufficient IAM permissions.

    What is the FIRST step that a security engineer should take to troubleshoot this issue?

    A. Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt.
    B. Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
    C. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.
    D. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

  • Question 155:

    A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

    Which solution will meet this requirement in the MOST operationally efficient way?

    A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
    B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
    C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
    D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

  • Question 156:

    A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.

    After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon EBS volume.

    Which solution will meet these requirements?

    A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
    B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon SNS topic that receives notifications from AWS Config.
    C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
    D. Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.

  • Question 157:

    A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.

    Which solution will provide the application with AWS credentials?

    A. Use Amazon Cognito identity pools and the GetId API.
    B. Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.
    C. Use Amazon Cognito user pools with ID tokens.
    D. Use Amazon Cognito user pools with access tokens.

  • Question 158:

    A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization.

    The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization ' s accounts. The findings must be visible from a single location.

    Which solution will meet these requirements?

    A. Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.
    B. Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.
    C. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
    D. In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

  • Question 159:

    A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

    How can a security engineer provide the access to meet these requirements?

    A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
    B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
    C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
    D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.

  • Question 160:

    A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

    Which solution will provide the application with AWS credentials to make S3 API calls?

    A. Integrate with Cognito identity pools and use GetId to obtain AWS credentials.
    B. Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.
    C. Integrate with Cognito user pools and use the ID token to obtain AWS credentials.
    D. Integrate with Cognito user pools and use the access token to obtain AWS credentials.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.