SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 21:

    A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler.

    The company needs to deploy the monitoring service in all existing and future accounts in the organization.

    The company must avoid using the organization ' s management account when the management account is not required.

    Which solution will meet these requirements?

    A. Create a CloudFormation stack set in the organization ' s management account and manually add new accounts.
    B. Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled.
    C. Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule.
    D. Create a Systems Manager Automation runbook in the management account and share it to accounts.

  • Question 22:

    A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

    Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

    A. Enable AWS Security Hub in the AWS account.
    B. Enable Amazon GuardDuty in the AWS account.
    C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team ' s email distribution list to the topic.
    D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team ' s email distribution list to the queue.
    E. Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
    F. Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

  • Question 23:

    CloudFormation stack deployments fail for some users due to permission inconsistencies.

    Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.)

    A. Create a composite principal service role.
    B. Create a service role with cloudformation.amazonaws.com as the principal.
    C. Attach scoped policies to the service role.
    D. Attach service ARNs in policy resources.
    E. Update each stack to use the service role.
    F. Allow iam:PassRole to the service role.

  • Question 24:

    A company uses many AWS accounts in AWS Organizations. The security team wants automatic threat detection across existing and future accounts. Findings must be routed to a central security account where responders can create automated notifications and response workflows.

    A. Enable AWS Config in every account and create custom rules for each expected threat pattern.
    B. Designate a delegated Amazon GuardDuty administrator, enable GuardDuty for the organization, and route GuardDuty finding events from the administrator account.
    C. Create an Amazon CloudWatch dashboard in the management account and grant every workload account permission to publish custom metrics.
    D. Deploy a log collection agent to every compute resource and send all logs to a shared Amazon OpenSearch Service domain.

  • Question 25:

    A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization.

    The security tooling account is configured as the organization ' s delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

    The company is performing control tests on specific GuardDuty findings to make sure that the company ' s security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain,example.com, to generate a DNS finding.

    However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

    Why was the finding not created in the Security Hub delegated administrator account?

    A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
    B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
    C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
    D. Cross-Region aggregation in Security Hub was not configured.

  • Question 26:

    A company runs a public web application on an Amazon EKS cluster. The company uses an Amazon CloudFront distribution to deploy the application. An Application Load Balancer (ALB) is configured as an origin for the distribution.

    A security engineer needs to implement a monitoring solution that sends notifications to an existing Amazon SNS topic. The solution must send a notification to the SNS topic when the application receives 10,000 requests from the same end-user IP address during any 5-minute period.

    Which solution will meet these requirements?

    A. Configure CloudFront standard logging. Send logs to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.
    B. Configure VPC Flow Logs to send logs for the VPC that contains the EKS cluster to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.
    C. Configure an AWS WAF web ACL with an Autonomous System Number match rule. Associate the web ACL with the ALB. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the ASN match rule request threshold is breached.
    D. Configure an AWS WAF web ACL with a rate-based rule. Associate the web ACL with the CloudFront distribution. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the rate-based rule request threshold is breached.

  • Question 27:

    A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group.

    The EC2 instances are in the same VPC subnet as other workloads.

    A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub. The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

    Which solution will meet these requirements?

    A. Disable the EC2 instance profile credentials by using AWS Lambda.
    B. Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.
    C. Update the subnet network ACL to block traffic from the detected source IP addresses.
    D. Send GuardDuty findings to Amazon SNS for email notification.

  • Question 28:

    A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways.

    Which combination of steps should the application team take to meet these requirements? (Select THREE.)

    A. Create an S3 endpoint that has a full-access policy for the application's VPC.
    B. Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
    C. Launch the Lambda function. Enable the block public access configuration.
    D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
    E. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
    F. Launch the Lambda function in a VPC.

  • Question 29:

    A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break-glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break-glass user for the AWS account that contains the workload.

    The company must create the break-glass user. The company must log any activities of the break-glass user and send the logs to a security team.

    Which combination of solutions will meet these requirements? (Select TWO.)

    A. Create a local individual break-glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
    B. Create a break-glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon SNS.
    C. Create a break-glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
    D. Create a local individual break-glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break-glass IAM users.
    E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon SNS topic.

  • Question 30:

    A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

    The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

    Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

    A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0 / 0.
    B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC ' s CIDR range.
    C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
    D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
    E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC ' s CIDR range.
    F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.