SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 211:

    A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

    The company often needs to query the logs to produce results about application sessions and user issues.

    The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

    Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

    A. Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
    B. Configure AWS Glue and Amazon Athena to query the log files.
    C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
    D. Configure Amazon CloudWatch Logs Insights to query the log files.
    E. Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

  • Question 212:

    A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

    Which solution will meet these requirements MOST cost-effectively?

    A. Create an AWS WAF web ACL with an IP match condition to deny the countries ' IP ranges. Associate the web ACL with the CloudFront distribution.
    B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.
    C. Use the geo restriction feature in CloudFront to deny the specific countries.
    D. Use geolocation headers in CloudFront to deny the specific countries.

  • Question 213:

    A corporate cloud security policy states that communications between the company ' s VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

    Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

    A. Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company ' s VPC endpoint ID.
    B. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
    C. Create a VPC endpoint for AWS KMS withprivate DNS enabled.
    D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
    E. Add the following condition to the AWS KMS key policy: " aws:SourceIp " : " 10.0.0.0/16 " .

  • Question 214:

    A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The solution must require no additional configuration of the existing EKS deployment.

    Which solution will meet these requirements with the LEAST operational effort?

    A. Install a third-party security add-on.
    B. Enable AWS Security Hub and monitor Kubernetes findings.
    C. Monitor CloudWatch Container Insights metrics for EKS.
    D. Enable Amazon GuardDuty and use EKS Audit Log Monitoring.

  • Question 215:

    A company ' s security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company ' s forensics team. Each of the company ' s EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

    The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

    After these changes, the security engineer notices that the SSH connection is still active and usable.

    When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

    What should the security engineer do to isolate the target instance?

    A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
    B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
    C. Create a network ACL that is associated with the target instance ' s subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
    D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

  • Question 216:

    A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Configure the S3 Block Public Access feature for the AWS account.
    B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
    C. Deactivate ACLs for objects that are in the bucket.
    D. Use AWS PrivateLink for Amazon S3 to access the bucket.

  • Question 217:

    A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.

    A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user

    group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the

    remaining developer can see the permissions set in the AWS access portal.

    Which solution will meet this requirement?

    A. Add the remaining developer to the DevOps group in Directory Service.
    B. Remove and then re-add the permissions set in the member account.
    C. Add the service-linked role for organization to the member account.
    D. Update the permissions set to allow console access for the remaining developer.

  • Question 218:

    A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

    What is the first step the security engineer should take?

    A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
    B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
    C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
    D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

  • Question 219:

    A company uses AWS Lambda functions to implement application logic. The company uses an organization in AWS Organizations to manage hundreds of AWS accounts. The company needs to implement a solution to continuously monitor the Lambda functions for vulnerabilities in all accounts. The solution must publish detected issues to a dashboard. Lambda functions that are being tested or are in development must not appear on the dashboard.

    Which combination of steps will meet these requirements? (Select TWO.)

    A. Designate a delegated Amazon GuardDuty administrator account in the organization's management account. Use the GuardDuty Summary dashboard to obtain an overview of Lambda functions that have vulnerabilities.
    B. Designate a delegated Amazon Inspector administrator account in the organization's management account. Use the Amazon Inspector dashboard to obtain an overview of Lambda functions that have vulnerabilities.
    C. Apply tags of "test" or "development" to all Lambda functions that are in testing or development. Use a suppression filter that suppresses findings that contain these tags.
    D. Enable AWS Shield Advanced in the organization's management account. Use Amazon CloudWatch to build a dashboard for Lambda functions that have vulnerabilities.
    E. Enable Lambda Protection in GuardDuty for all accounts. Auto-enable Lambda Protection for new accounts. Apply a tag to the Lambda functions that are in testing or development. Use GuardDutyExclusion as the tag key and LambdaStandardScanning as the tag value.

  • Question 220:

    A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

    Which solution will meet these requirements?

    A. Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.
    B. Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.
    C. Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.
    D. Create a backup plan in AWS Backup. Configure a 5-year retention period.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.