SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 191:

    A company's security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company's accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS.

    What should the security engineer do to meet these requirements?

    A. Create security groups and attach them to all SQS queues.
    B. Modify network ACLs in all VPCs to restrict inbound traffic.
    C. Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws: PrincipalOrgId conditions.
    D. Use a third-party cloud access security broker (CASB).

  • Question 192:

    A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

    Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

    A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
    B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
    C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
    D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
    E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
    F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

  • Question 193:

    A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer's solution must involve the least amount of effort and maintain normal operations during implementation.

    What should the security engineer do to meet these requirements?

    A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Updatesecurity groups on the EC2 instances to prevent direct access from the internet.
    B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
    C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
    D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

  • Question 194:

    An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

    What is the FASTEST way to prevent the sensitive data from being exposed?

    A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
    B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
    C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
    D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

  • Question 195:

    A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.

    Which solution will meet these requirements?

    A. Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.
    B. Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.
    C. Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.
    D. Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

  • Question 196:

    A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.

    What is the MOST secure way for a security engineer to meet this requirement?

    A. Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.
    B. Create a gateway VPC endpoint. Use the endpoint to connect to AWS KMS.
    C. Attach a NAT gateway to the VPC. Leave the EC2 instances in the private subnet. Use the NAT gateway to connect to AWS KMS.
    D. Create an interface VPC endpoint. Use the endpoint to connect to AWS KMS.

  • Question 197:

    A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

    Which solution will meet these requirements?

    A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
    B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
    C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
    D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

  • Question 198:

    A security engineer must investigate an Amazon GuardDuty finding. The finding indicates potential cryptocurrency mining activity on an Amazon EC2 instance. The security engineer must validate the finding and assess the impact.

    Which data sources should the security engineer analyze to meet these requirements?

    A. Check the instance's CPU utilization metrics in Amazon CloudWatch. Examine the finding's MITRE ATT & CK tactic classification. Review any associated IAM role permissions.
    B. Count the number of GuardDuty findings associated with the instance. Verify the instance's launch time. Check AWS Security Hub CSPM for any related alerts.
    C. Review the instance's process details that relate to the finding. Examine DNS queries to known mining domains. Analyze the instance's outbound network connections by using VPC Flow Logs.
    D. Examine the instance's AWS Systems Manager session history. Verify Amazon Route 53 DNS records. Review GuardDuty severity levels.

  • Question 199:

    A company wants to improve the remediation of specific security incidents. Currently, a security engineer performs network isolation manually if traffic from Amazon EC2 instances to known command and control servers is detected. The manual network isolation process is error prone. The security engineer must automate the process.

    The security engineer enables Amazon GuardDuty. The security engineer configures instances to be managed by AWS Systems Manager. The security engineer prepares a Systems Manager Automation document to change security groups on selected instances.

    Which solution will meet these requirements?

    A. Create a permanent Amazon Detective investigation. Select all resources to monitor. Configure Detective to invoke the Systems Manager document if known command and control traffic is detected.
    B. Set up AWS Config. Use the managed rule ec2-prefix-list-tagged to detect traffic to network prefixes tagged for command and control activity. Configure automatic remediation and select the Automation document.
    C. Enable Systems Manager OpsCenter. Create an Amazon EventBridge rule to transform GuardDuty alerts of command and control traffic for OpsCenter. Use the Automation document for remediation.
    D. Configure AWS Security Hub CSPM. Use NIST SP 800-53 scans to report compromised instances based on NIST alerts. Create an automation rule to invoke the Automation document.

  • Question 200:

    A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

    What is the MOST cost-effective way to correct this error?

    A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.
    B. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.
    C. Update the policy to keep the vault lock in place.
    D. Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.