SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 231:

    A security engineer needs to protect a public web application that runs in a VPC. The VPC hosts the origin for an Amazon CloudFront distribution. The application has experienced multiple layer 7 DDoS attacks. An AWS WAF web ACL is associated with the CloudFront distribution. The web ACL contains one AWS managed rule to protect against known IP addresses that have bad reputations. The security engineer must configure an automated solution that detects and mitigates layer 7 DDoS attacks in real time with no manual effort.

    Which solution will meet these requirements?

    A. Enable AWS Shield Advanced on the CloudFront distribution. Configure alerts in Amazon CloudWatch for DDoS indicators.
    B. Enable AWS Shield Advanced and configure proactive engagement with the AWS DDoS Response Team (DRT).
    C. Deploy AWS Network Firewall in the VPC. Create security policies that detect DDoS indicators. Create an AWS Lambda function to automatically update the web ACL rules during an attack.
    D. Add a rate-based rule to the web ACL. Enable AWS Shield Advanced. Enable automatic application layer DDoS mitigation on the CloudFront distribution.

  • Question 232:

    A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

    Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

    A. Grant least privilege access to the organization ' s management account.
    B. Create a new IAM Identity Center directory in the organization ' s management account.
    C. Set up a second AWS Region in the organization ' s management account.
    D. Create permission sets for use only in the organization ' s management account.
    E. Create IAM users for use only in the organization ' s management account.
    F. Create user assignments only in the organization ' s management account.

  • Question 233:

    A company uses Amazon Cognito user pools with the hosted UI to authenticate its customers. The company's security team has detected a surge in bot activity and suspicious traffic that targets the Amazon Cognito endpoints. A security engineer must implement a security solution to block these malicious requests.

    The security measures must maintain uninterrupted access for legitimate users.

    Which solution meets these requirements?

    A. Use Amazon Cognito threat protection on the user pool.
    B. Configure the Amazon Cognito user pool app client settings to restrict access to only authenticated users.
    C. Associate an AWS WAF web ACL with the Amazon Cognito user pool. Define rules to filter unwanted requests and manage bot traffic.
    D. Use Amazon CloudWatch to monitor incoming Amazon Cognito requests. Create an identity pool to block suspicious user agents.

  • Question 234:

    A security account receives audit logs from multiple accounts. Compliance requires that log objects remain undeletable for a fixed retention period, even by administrators, and that the logs remain in a central storage location.

    A. Store the logs in an S3 bucket with a lifecycle rule that deletes objects after the retention period.
    B. Store the logs on an encrypted EBS volume attached to an administrator workstation.
    C. Store the logs in a versioned S3 bucket and grant administrators permission to permanently delete object versions.
    D. Store the logs in an S3 bucket with S3 Object Lock in compliance mode and the required retention period.

  • Question 235:

    A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days.

    Which solution will meet these requirements?

    A. Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.
    B. Remove IAM policies and query logs in Security Hub.
    C. Remove permission sets and query logs using CloudWatch Logs Insights.
    D. Disable the user in IAM Identity Center and query the organizational event data store.

  • Question 236:

    A company has queues and object stores that should be accessed only by principals from accounts in its AWS Organization. The security team wants a resource-based control that continues to work as accounts are added or removed from the organization.

    A. Add each account root ARN manually to every resource policy.
    B. Allow any principal and rely on VPC Flow Logs to detect unwanted access later.
    C. Use security groups to restrict access to the public endpoints of all supported services.
    D. Add resource policies that use the aws:PrincipalOrgId condition to allow access only from the organization.

  • Question 237:

    A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

    {

    " Version " : " 2012-10-17 " ,

    " Id " : " key-policy-ebs " ,

    " Statement " : [

    {

    " Sid " : " Enable IAM User Permissions " ,

    " Effect " : " Allow " ,

    " Principal " : {

    " AWS " : " arn:aws:iam::123456789012:root "

    },

    " Action " : " kms:* " ,

    " Resource " : " * "

    },

    {

    " Sid " : " Allow use of the key " ,

    " Effect " : " Allow " ,

    " Principal " : {

    " AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment

    "

    },

    " Action " : [

    " kms:Encrypt " ,

    " kms:Decrypt " ,

    " kms:ReEncrypt* " ,

    " kms:GenerateDataKey* " ,

    " kms:DescribeKey " ,

    " kms:CreateGrant " ,

    " kms:ListGrants " ,

    " kms:RevokeGrant "

    ],

    " Resource " : " * " ,

    " Condition " : {

    " StringEquals " : {

    " kms:ViaService " : " ec2.us-west-2.amazonaws.com "

    }

    }

    }

    ]

    }

    The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

    Which change to the policy should the security engineer make to resolve these issues?

    A. In the statement block that contains the Sid " Allow use of the key ", under theConditionblock, change StringEquals to StringLike.
    B. In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions ". Add key management policies to the KMS policy.
    C. In the statement block that contains the Sid " Allow use of the key ", under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
    D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

  • Question 238:

    A company uses AWS Config rules to identify Amazon S3 buckets that are not compliant with the company's data protection policy. The S3 buckets are hosted in several AWS Regions and several AWS accounts. The accounts are in an organization in AWS Organizations. The company needs a solution to remediate the organization ' s existing noncompliant S3 buckets and any noncompliant S3 buckets that are created in the future.

    Which solution will meet these requirements?

    A. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
    B. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
    C. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
    D. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.

  • Question 239:

    A company uses an organization in AWS Organizations and AWS IAM Identity Center to manage its AWS environment. The company configures IAM Identity Center to access the company's on-premises Active Directory through a properly configured AD Connector. All the company's employees are in an Active Directory group namedCloud.

    The employees can view and access nearly all the AWS accounts in the organization, and the employees have the permissions that they require. However, the employees cannot access an account namedAccount

    A. The company did not add Account A to an organizational unit (OU) within the organization.
    B. The company has not synchronized the Cloud Active Directory group with the on-premises Active Directory.
    C. The company did not assign the Cloud Active Directory group to Account A in IAM Identity Center with a valid permission set.
    D. The company applied an IAM permissions boundary to Account A that is denying access to the account.

  • Question 240:

    A systems administrator was attempting to launch a new Amazon EC2 instance with an encrypted boot volume using a new AWS KMS customer managed key. The EC2 console initially stated the launch was successful, but the instance was subsequently terminated. The IAM role used by the systems administrator has the following IAM permissions:

    - ec2:Describe*

    - ec2:AuthorizeSecurityGroupIngress

    - kms:Encrypt

    - kms:Decrypt

    - kms:ReEncrypt*

    - kms:GenerateDataKey*

    - kms:DescribeKey

    Which IAM permission is the systems administrator missing?

    A. kms:GetKeyRotationStatus
    B. kms:CreateGrant
    C. kms:GenerateRandom
    D. kms:EnableKey

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.