SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 221:

    A company ' s security engineer receives an abuse notification from AWS indicating that malware is being hosted from the company's AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization.

    Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)

    A. Encrypt all AWS CloudTrail logs.
    B. Turn on Amazon GuardDuty.
    C. Change the password for all IAM users.
    D. Rotate or delete all AWS access keys.
    E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
    F. Delete any resources that are unrecognized or unauthorized.

  • Question 222:

    A company is running a new workload across accounts in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values.

    The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

    Which solution will meet these requirements?

    A. Use AWS Config custom policy rule and an SCP to deny non-approved aws:RequestTag/CostCenter values.
    B. Use CloudTrail + EventBridge + Lambda to block creation.
    C. Enable tag policies, define allowed values, enforce noncompliant operations, and use an SCP to deny creation when aws:RequestTag/CostCenter is null.
    D. Enable tag policies and use EventBridge + Lambda to block changes.

  • Question 223:

    A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.

    Which solution will provide remote access while meeting these requirements?

    A. Grant access to the EC2 serial console and allow IAM role access.
    B. Enable EC2 Instance Connect and configure security groups accordingly.
    C. Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager and assign it to an IAM Identity Center role.
    D. Use Systems Manager Automation to temporarily open remote access ports.

  • Question 224:

    A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.

    Which solution will meet these requirements?

    A. Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.
    B. Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.
    C. Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.
    D. Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.

  • Question 225:

    A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption.

    Which solution will meet these requirements?

    A. Use EventBridge to disable the instance profile access keys.
    B. Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.
    C. Use Security Hub to update the subnet network ACL to block traffic.
    D. Send GuardDuty findings to Amazon SNS for email notification.

  • Question 226:

    A company has many S3 buckets across accounts and needs a central inventory of where sensitive data is stored. Findings should be visible to the security team from one account and should support follow-up reviews.

    A. Enable Amazon Inspector on EC2 instances and use package vulnerability findings as the inventory.
    B. Create a CloudTrail trail in each account and search for object names that appear sensitive.
    C. Configure Amazon Macie delegated administration and enable sensitive data discovery for the organization.
    D. Use AWS Backup reports to infer which buckets contain regulated data.

  • Question 227:

    A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment.

    One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

    The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

    Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

    A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
    B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
    C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
    D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
    E. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.

  • Question 228:

    A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client ' s privilege scope.

    Which combination of actions should the company take to prevent this threat? (Select TWO.)

    A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
    B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
    C. Apply an AWS IoT Core policy that allows " AWSIoTWirelessDataAccess " with the principal set to " client/${iot:Connection.Thing.ThingName} " .
    D. Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client /${iot:ClientId} " .
    E. Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client /${iot:Connection.Thing.ThingName} " .

  • Question 229:

    A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services. The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

    Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

    Which solution will prevent the web clients from directly accessing the ALB?

    A. Create an AWS PrivateLink endpoint. Specify the existing ALB as the target. Update the CloudFront distribution by setting the PrivateLink endpoint as the origin.
    B. Create a new internal ALB. Move all the ECS services to the internal ALB. Delete the internet-facing ALB. Update the CloudFront distribution by setting the internal ALB as the origin.
    C. Modify the listener rules for the existing ALB. Add a condition to forward only the requests that come from IP addresses in the CloudFront origin prefix list.
    D. Update the CloudFront distribution by adding an X-Shared-Secret custom header for the origin. Modify the listener rules for the existing ALB to forward only the requests in which the X-Shared-Secret header has the correct value.

  • Question 230:

    A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.

    Which solution will meet these requirements?

    A. Use AWS Audit Manager with a custom framework.
    B. Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.
    C. Use AWS Security Hub configuration policies.
    D. Use EventBridge and Lambda with custom metrics.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.