SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 181:

    A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB).

    The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.

    Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

    A. Use an IP set match rule statement.
    B. Use a geographic match rule statement.
    C. Use a rate-based rule statement.
    D. Use a string match rule statement on the user agent.

  • Question 182:

    A company's platform has grown rapidly over the past 6 months. The company's platform architecture evolved quickly to accommodate the growth. The company's development team has been deploying features quickly by using different AWS services. The development team has not performed formal architecture reviews.

    The company needs to evaluate its security posture against AWS security best practices.

    Which solution will meet these requirements?

    A. Create a new workload in the AWS Well-Architected Tool. Work with the development team to answer security questions based on the team's current state. Use the save milestone feature to track improvements against identified high-risk items.
    B. Use the cost recommendations in AWS Cost Explorer. Analyze the cost implications of security misconfigurations. Prioritize architectural changes based on potential cost savings as a result of implementing AWS security best practices.
    C. Enable AWS Security Hub CSPM. Create a Security Hub CSPM automation rule to map existing services to approved architecture patterns. Use the data to identify non-compliance against AWS bestpractices and generate a compliance report.
    D. Enable Amazon Detective. Create a Detective investigation for AWS security best practices. Use a behavior graph to visualize the data. Analyze the entities to identify architectural components that do not follow AWS security best practices.

  • Question 183:

    A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

    A security engineer must implement a solution toprevent CloudTrail from being disabled.

    Which solution will meet this requirement?

    A. Enable CloudTrail log file integrity validation from the organization ' s management account.
    B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
    C. Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.
    D. Create IAM policies for all the company ' s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

  • Question 184:

    A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.

    How can the company enforce encryption for all connections to the Aurora cluster?

    A. In the Aurora cluster configuration, set therequire_secure_transportDB cluster parameter toON.
    B. Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.
    C. Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.
    D. Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.

  • Question 185:

    An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company ' s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

    Which steps would help achieve this? (Select TWO.)

    A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
    B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
    C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
    D. Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
    E. Use AWS WAF to create rules to respond to such attacks.

  • Question 186:

    A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group.

    The EC2 instances are in the same VPC subnet as other workloads.

    A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement anautomated solutionto detect and respond to anomalous traffic patterns.

    The solution must follow AWS best practices forinitial incident responseand mustminimize disruptionto the web application.

    Which solution will meet these requirements?

    A. Disable the instance profile access keys by using AWS Lambda.
    B. Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.
    C. Update the network ACL to block the detected traffic source.
    D. Send GuardDuty findings to Amazon SNS for email notification.

  • Question 187:

    A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

    Which solution will meet these requirements?

    A. Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.
    B. Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.
    C. Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.
    D. Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.

  • Question 188:

    A workload runs in private subnets with no route to the internet. The application must read objects from Amazon S3 and call AWS KMS without using public internet paths. The design must preserve private connectivity for both services.

    Which combination of changes should the security engineer make? Choose two.

    A. Create a gateway VPC endpoint for Amazon S3 and associate it with the private subnet route tables.
    B. Create an interface VPC endpoint for AWS KMS and enable private DNS.
    C. Add an internet gateway to the VPC and keep the instances in the private subnets.
    D. Route all service traffic through a NAT gateway in a public subnet.
    E. Add inbound rules from the AWS public IP ranges to the instance security group.

  • Question 189:

    A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work.

    The security engineer needs to recover an Amazon RDS database cluster to the last known good version.

    The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.

    Which solution will meet this requirement?

    A. Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.
    B. Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.
    C. List all snapshots that have been taken of all the company ' s RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.
    D. Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.

  • Question 190:

    A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.

    Which solution will meet these requirements with the LEAST administrative overhead?

    A. Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.
    B. Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.
    C. Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.
    D. Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.