SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 31:

    A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for events patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

    Which solution will meet these requirements?

    A. Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.
    B. Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.
    C. Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logslog group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.
    D. Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to query the log group.

  • Question 32:

    A company begins to use AWS WAF after experiencing an increase in traffic to the company's public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

    Which solution will meet this requirement?

    A. Send AWS WAF logs to AWS CloudTrail and analyze them with OpenSearch.
    B. Send AWS WAF logs to Amazon S3 and query them directly with OpenSearch.
    C. Send AWS WAF logs to Amazon S3. Create an Amazon Athena table with partition projection. Use Athena to query the logs.
    D. Send AWS WAF logs to AWS CloudTrail and analyze them with Amazon Athena.

  • Question 33:

    A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.

    A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3

    /AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.

    The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.

    Which solution will meet this requirement?

    A. Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.
    B. Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.
    C. Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.
    D. Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team address the vulnerability.

  • Question 34:

    A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company ' s security team has access to the delegated account.

    The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.

    Which solution will quickly identify the access attempts?

    A. In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.
    B. In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.
    C. In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.
    D. In the organization ' s management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.

  • Question 35:

    A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

    What should the security engineer do to resolve this error?

    A. Import the key material into AWS Key Management Service (AWS KMS).
    B. Manually upload the new host key to the AWS trusted host keys database.
    C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
    D. Create a new SSH key pair for the EC2 instance.

  • Question 36:

    A security engineer configures a stateless network ACL for a public subnet. Instances in the subnet need to initiate HTTPS connections to trusted external services. The engineer also must block inbound database connections to the subnet.

    A. Allow inbound TCP 443 only and deny outbound ephemeral ports.
    B. Allow outbound database port traffic and rely on security groups to permit HTTPS responses.
    C. Deny all inbound ephemeral ports and allow only inbound database port traffic from the internet.
    D. Allow outbound TCP 443, allow inbound ephemeral response ports, and deny inbound database port traffic with a lower rule number than any broad allow.

  • Question 37:

    A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.

    Which solution will meet these requirements?

    A. Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.
    B. Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2- instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.
    C. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.
    D. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.

  • Question 38:

    A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company ' s IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection.

    Which solution will meet these requirements?

    A. Create a bastion host with port forwarding to connect to the machines.
    B. Set up AWS Systems Manager Session Manager to allow temporary connections.
    C. Use AWS CloudShell to create serverless connections.
    D. Set up an interface VPC endpoint for each machine for private connection.

  • Question 39:

    A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

    Which solution meets these requirements?

    A. Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. Store logs in the bucket and grant auditors access.
    B. Log application events to Amazon CloudWatch Logs and export them.
    C. Capture KMS API calls using EventBridge and store them in DynamoDB.
    D. Track KMS usage with CloudWatch metrics and dashboards.

  • Question 40:

    A consultant agency needs to perform a security audit for a company ' s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

    Which solution will provide the consultant agency with access that meets these requirements?

    A. Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.
    B. Configure Amazon Cognito on the company's production account to authenticate against the consultant agency ' s identity provider (IdP). Add MFA to a Cognito user pool.
    C. Create an IAM role in the consultant agency ' s AWS account. Define a trust policy that requires MFA. Inthe trust policy, specify the company ' s production account as the principal. Attach the trust policy to the role.
    D. Create an IAM role in the company's production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency ' s AWS account as the principal. Attach the trust policy to the role.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.