SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 201:

    A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts.

    Which of the following may be causing this problem? (Select THREE.)

    A. The external ID used by the auditor is missing or incorrect.
    B. The auditor is using the incorrect password.
    C. The auditor has not been grantedsts:AssumeRolefor the role in the destination account.
    D. The Amazon EC2 role used by the auditor must be set to the destination account role.
    E. The secret key used by the auditor is missing or incorrect.
    F. The role ARN used by the auditor is missing or incorrect.

  • Question 202:

    A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.

    What is the MOST secure way to provide this access?

    A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
    B. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
    C. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
    D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

  • Question 203:

    A company's web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. Instance logs are lost after reboots. The operations team suspects malicious activity targeting a specific PHP file.

    Which set of actions will identify the suspect attacker's IP address for future occurrences?

    A. Configure VPC Flow Logs and search for PHP file activity.
    B. Install the CloudWatch agent on the ALB and export application logs.
    C. Export ALB access logs to Amazon OpenSearch Service and search them.
    D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose. Deliver logs to Amazon S3 and query them with Amazon Athena.

  • Question 204:

    A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store ' s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account.

    The company uses AWS Organizations and has an OU that is used only for these accounts.

    The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company ' s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access.

    The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

    What should the security engineer do next to meet the requirements in theMOST secureway?

    A. Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Share the portfolio with the OU.
    B. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Create an SCP that allows access to the extension.
    C. Create an AWS Service Catalog portfolio and create an IAM role for cross-account access. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.
    D. Use the CloudFormation CLI to create a module and share the extension directly with the OU.

  • Question 205:

    A company is investigating an increase in its AWS monthly bill. The company discovers that bad actors compromised some Amazon EC2 instances and served webpages for a large email phishing campaign. A security engineer must implement a solution to monitor for cost increases in the future to help detect malicious activity.

    Which solution will offer the company the EARLIEST detection of cost increases?

    A. Create an Amazon EventBridge rule that invokes an AWS Lambda function hourly. Program the Lambda function to download an AWS usage report from AWS Data Exports about usage of all services. Program the Lambda function to analyze the report and to send a notification when anomalies are detected.
    B. Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.
    C. Review AWS Cost Explorer daily to detect anomalies in cost from prior months. Review the usage of any services that experience a significant cost increase from prior months.
    D. Capture VPC flow logs from the VPC where the EC2 instances run. Use a third-party network analysis tool to analyze the flow logs and to detect anomalies in network traffic that might increase cost.

  • Question 206:

    A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:

    - No remote access management ports to the EC2 instances can be exposed internally or externally.

    - All remote session activity must be recorded in an audit log.

    - All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center. The company ' s DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues.

    Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?

    A. Grant access to the EC2 serial console at the account level.
    B. Enable EC2 Instance Connect and configure security group rules.
    C. Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.
    D. Use AWS Systems Manager Automation runbooks to open remote access ports.

  • Question 207:

    A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account.

    The company's developers have been using an IAM role in the account for the last 3 months.

    A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

    Which solution will meet this requirement with the LEAST effort?

    A. Implement AWS IAM Access Analyzer policy generation on the role.
    B. Implement AWS IAM Access Analyzer policy validation on the role.
    C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
    D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

  • Question 208:

    A company is running a new workload across accounts that are in an organization in AWS Organizations.

    All running resources must have a tag ofCostCenter, and the tag must have one of three approved values.

    The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

    Which solution will meet these requirements?

    A. Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the valueof the aws:RequestTag/CostCenter condition key is not one of the three approved values.
    B. Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.
    C. Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.
    D. Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

  • Question 209:

    A company begins to use AWS WAF after experiencing an increase in traffic to the company ' s public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

    Which solution will meet this requirement?

    A. Configure AWS WAF to send logs to a trail in AWS CloudTrail. Create an Amazon Data Firehose delivery stream to send the logs to Amazon OpenSearch Service. Use OpenSearch Dashboards and an Amazon Athena connector to query the logs.
    B. Configure AWS WAF to send logs to an Amazon S3 bucket. Configure an OpenSearch table with a partition projection of the S3 bucket. Use OpenSearch to query the data in the S3 bucket.
    C. Configure AWS WAF to send logs to an Amazon S3 bucket. Configure an Amazon Athena table with a partition projection of the S3 bucket. Use Athena to query the data in the S3 bucket.
    D. Configure AWS WAF to send logs to a trail in AWS CloudTrail. Create an Amazon Data Firehose delivery stream to send the logs to an Amazon S3 bucket. Use Amazon Athena to query the data in the S3 bucket.

  • Question 210:

    A security engineer wants to create a new AWS KMS customer managed key. The KMSAdmin IAM role will create and disable this key. The KMSUser IAM role will use this key for decryption.

    Which key policy will meet these requirements?

    A. A key policy that grants KMSAdmin only kms:Create and kms:Disable*, and grants KMSUser kms: Decrypt.
    B. A key policy that grants KMSAdmin kms:Create* and kms:Disable*, and grants KMSUser kms: Decrypt.
    C. A key policy that grants KMSAdmin and KMSUser kms:CreateGrant, but does not grant KMSUser kms:Decrypt.
    D. A key policy that grants both KMSAdmin and KMSUser only kms:Decrypt*.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.