SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 161:

    A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.

    How can the security engineer meet these requirements?

    A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
    B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
    C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
    D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

  • Question 162:

    A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon EBS. The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent on all the EC2 instances.

    The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:

    - A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.

    - A compromised EC2 instance's metadata must be updated with corresponding incident ticket information.

    - A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.

    - Any investigative activity during the collection of volatile data must be captured as part of the process.

    Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Select THREE.)

    A. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.
    B. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing resources.
    C. Use Systems Manager Run Command to invoke scripts that collect volatile data.
    D. Establish a Linux SSH or Windows Remote Desktop Protocol session to the compromised EC2 instance to invoke scripts that collect volatile data.
    E. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.
    F. Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

  • Question 163:

    A company's application uses standard tier SecureString parameters from AWS Systems Manager Parameter Store. The application is receiving error messages when the company tries to update a parameter. The parameter uses an AWS KMS customer managed key for encryption and decryption.

    What are the reasons for the error messages? (Select TWO.)

    A. The application does not have the kms:Encrypt permission for the customer managed key.
    B. The customer managed key is already being used to encrypt another SecureString parameter.
    C. Standard tier SecureString parameters cannot use a customer managed key for encryption.
    D. The customer managed key that is specified in the application has its key state set to Disabled.
    E. The customer managed key that is specified in the application is using a key alias instead of a key ID.

  • Question 164:

    A security engineer discovers that a company ' s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):

    - AWS Identity and Access Management (IAM) federated with on-premises Active Directory

    - Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed

    Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Select TWO.)

    A. Update the password length policy in the IAM configuration.
    B. Update the password length policy in the Cognito configuration.
    C. Update the password length policy in the on-premises Active Directory configuration.
    D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.
    E. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.

  • Question 165:

    A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.

    Which combination of AWS solutions will meet these requirements? (Select TWO.)

    A. AWS Site-to-Site VPN
    B. AWS Direct Connect
    C. AWS VPN CloudHub
    D. VPC peering
    E. NAT gateway

  • Question 166:

    A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer.

    Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an

    RPO of1 hour.

    Which solution will meet these requirements?

    A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.
    B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.
    C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.
    D. Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

  • Question 167:

    A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company's security policy requires that connections to Amazon S3 are over a private network and are secure.

    The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully.

    When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.

    What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?

    A. Remove the route to the NAT gateway within the route table of the private subnet that the Lambda function uses.
    B. Associate the gateway VPC endpoint with the route table of the private subnet that the Lambda function uses.
    C. Adjust the gateway VPC endpoint policy to allow access from the Lambda function's network interface address.
    D. Configure the Lambda function's security group to allow connections to the S3 network address space.

  • Question 168:

    A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

    Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

    What should the security engineer do to meet these requirements with the LEAST effort?

    A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
    B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
    C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
    D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

  • Question 169:

    A company is undergoing a security audit. The company issues IAM user credentials for an auditor.

    Because of third-party integration requirements, the auditor is unable to assume an IAM role. The auditor attempts to log in to AWS for the first time to reset the account password and to configure multi-factor authentication (MFA). However, the auditor receives an "Access Denied" error during the attempt to reset the password.

    The auditor's account has the following IAM permissions: securityhub:Get* securityhub:List* securityhub:BatchGet* securityhub:Describe*

    iam:ChangePassword on arn:aws:iam::*:user/${aws:username}

    Which action will resolve this error?

    A. The auditor needs to configure MFA before resetting the password.
    B. The auditor must create a more complex password that requires additional characters or symbols.
    C. Add iam:GetAccountPasswordPolicy with Resource: " * " to the auditor's user account policy.
    D. Add iam:ChangePassword with Resource: " * " to the auditor's user account policy.

  • Question 170:

    A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is

    123456789012. The attack created workloads that are distributed across multiple AWS Regions.

    The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

    The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

    The security engineer must delete the key as quickly as possible.

    Which solution will meet this requirement?

    A. Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
    B. Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.
    C. Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
    D. Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.