SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 171:

    A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company ' s AWS account by using OpenID Connect (OIDC).

    Which solution will meet these requirements?

    A. Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
    B. Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
    C. Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.
    D. Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share.

  • Question 172:

    A legacy web application is publicly reachable and cannot be patched before the next maintenance window.

    The security team has confirmed that current attack traffic matches common SQL injection patterns. The business requires the application to remain available while the short-term mitigation is deployed.

    A. Disable the database subnet route table so that the application cannot connect to the database.
    B. Place the application behind an Application Load Balancer, associate an AWS WAF web ACL that blocks SQL injection patterns, and restrict direct access to the instances.
    C. Replace all application instances with new instances that use the same vulnerable application image.
    D. Create an IAM policy that denies database queries containing SQL keywords.

  • Question 173:

    A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company ' s operations team manages access to the company's S3 buckets. The company ' s security team manages access to encryption keys. The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

    Which solution will meet this requirement?

    A. Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.
    B. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
    C. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
    D. Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

  • Question 174:

    A security engineer discovers that a company ' s user passwords have no required minimum length. The company uses the following identity providers (IdPs):

    - AWS Identity and Access Management (IAM) federated with on-premises Active Directory

    - Amazon Cognito user pools that contain the user database for an AWS Cloud application

    Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

    A. Update the password length policy in the IAM configuration.
    B. Update the password length policy in the Amazon Cognito configuration.
    C. Update the password length policy in the on-premises Active Directory configuration.
    D. Create an SCP in AWS Organizations to enforce minimum password length.
    E. Create an IAM policy with a minimum password length condition.

  • Question 175:

    A company has an organization with all features enabled in AWS Organizations. In the management account, the company configures AWS IAM Identity Center for the organization in the eu-west-2 Region.

    The company configures IAM Identity Center with a SAML-based identity provider. The company needs to configure an AWS managed application that integrates with IAM Identity Center in a new AWS account in the us-east-1 Region. Most of the users that will authenticate to the AWS managed application are external third-party users who cannot be added to the company's identity provider.

    A security engineer needs to configure authentication for the third-party users. The solution must provide isolation from the company's identity provider.

    Which solution will meet these requirements?

    A. Create a SAML identity provider in IAM in the management account that connects to the third-party users' identity provider. Create IAM roles in the management account that allow access to the AWS managed application.
    B. Deploy Amazon Cognito into the new AWS account in us-east-1. Configure an identity pool for a SAML-based identity provider. Configure an IAM role that uses the sts:AssumeRole action to allow access to the AWS managed application from Amazon Cognito.
    C. Enable account instances in IAM Identity Center. Deploy an IAM Identity Center account instance in the new AWS account in us-east-1. Configure the AWS managed application to use the new instance. Configure users in the new account instance directory.
    D. Create a new identity provider for the third-party users. Configure a second identity source in IAM Identity Center in the organization's management account to use the new identity provider. Create a new permission set that gives access to the AWS managed application in the new account.

  • Question 176:

    A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail.

    When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy."

    What will enable the security engineer to save the change?

    A. Create a new trail with the updated log file prefix, and then delete the original trail.
    B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
    C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
    D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

  • Question 177:

    A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

    The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company ' s customer service team.

    The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player ' s credentials.

    Which solution will meet these requirements?

    A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key.
    B. Migrate the player credentials from the Aurora database to AWS Secrets Manager.
    C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game ' s authentication mechanism to Cognito.
    D. Issue API keys to new and existing players and use Amazon API Gateway for authentication.

  • Question 178:

    A compliance policy forbids inbound SSH and RDP ports on production instances. Administrators still need occasional command-line access, session logging, and IAM-based authorization.

    A. Use a bastion host with a shared SSH key and rotate the key monthly.
    B. Open SSH only from the corporate office CIDR block and disable session recording.
    C. Use AWS Systems Manager Session Manager with an instance profile and IAM permissions for approved administrators.
    D. Store administrator passwords in instance user data and require manual approval before login.

  • Question 179:

    A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.

    Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

    A. Configure access logging for the required API stage.
    B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
    C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
    D. Use Amazon CloudWatch Logs Insights to analyze API access information.
    E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.

  • Question 180:

    A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

    Which solution will prevent direct access to the ALB?

    A. Use AWS PrivateLink with the ALB.
    B. Replace the ALB with an internal ALB.
    C. Restrict ALB listener rules to CloudFront IP ranges.
    D. Require a custom header from CloudFront and validate it at the ALB.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.