SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 41:

    A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext.

    Which solution will meet these requirements?

    A. Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.
    B. Use IAM policies to restrict access to the Encrypt and Decrypt API actions.
    C. Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.
    D. Use key policies to restrict access to the appropriate IAM groups.

  • Question 42:

    A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

    Which solution will meet this requirement?

    A. Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.
    B. Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.
    C. Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.
    D. Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

  • Question 43:

    A company needs to securely deploy resources and workloads across AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requirements and specific guidelines for resource and workload configuration and creation.

    Which solution will meet these requirements?

    A. Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.
    B. Use an AWS CodePipeline pipeline to test and deploy IaC-defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.
    C. Create an IAM permissions boundary to prevent the creation of misconfigured resources through CloudFormation and to enforce the tagging requirements. Apply the permissions boundary to all account roles. Use AWS Config rules to identify existing resources that are in a misconfigured state.
    D. Use AWS Service Catalog with CloudFormation to manage access to approved architecture configurations. Provision Service Catalog portfolios to the accounts across the organization. Use AWS Config rules to enforce the tagging requirements and other resource configuration policies across accounts.

  • Question 44:

    A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

    Which solution will meet these requirements?

    A. Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.
    B. Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.
    C. Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.
    D. Enable AWS Security Hub and use custom actions to investigate IAM roles.

  • Question 45:

    A company has an organization in AWS Organizations. The company uses AWS IAM Identity Center and an external identity provider to manage access. The company needs a solution that maintains access to AWS if the identity provider has an outage. The solution must be able to attribute any emergency access to an individual administrator.

    Which solution will meet these requirements?

    A. Create IAM users for emergency administrators. Set strong passwords and MFA for the IAM users. Assign permissions that grant the IAM users cross-account access to accounts within the organization to perform emergency change actions.
    B. Create emergency users within the identity provider. Enable System for Cross-domain Identity Management provisioning to help ensure mapping between IAM Identity Center and the identity provider. Assign permission sets in IAM Identity Center to the emergency users to give the users cross-account access to perform emergency change actions.
    C. Configure a secondary identity provider in IAM Identity Center. Create emergency users in the secondary identity provider that have permissions to perform cross-account emergency change actions. Change the IAM Identity Center external identity provider to the secondary identity provider.
    D. Create access keys for the management account's root user. Store the access keys in a shared secret vault for use by any emergency administrator. Use the access keys to perform emergency change actions across the organization.

  • Question 46:

    A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

    Which solution would have the MOST scalability and LOWEST latency?

    A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
    B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
    C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
    D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

  • Question 47:

    A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.

    What should the security engineer recommend?

    A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
    B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
    C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
    D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

  • Question 48:

    A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

    Which solution will meet these requirements?

    A. Configure CloudFront standard logging and CloudWatch Logs metric filters.
    B. Configure VPC Flow Logs and CloudWatch Logs metric filters.
    C. Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.
    D. Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.

  • Question 49:

    A company's data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

    Which action should enforce this policy?

    A. Configure an S3 Lifecycle rule to delete objects after 45 days.
    B. Create a Lambda function triggered on object upload to delete old data.
    C. Create a scheduled Lambda function to delete old objects monthly.
    D. Configure S3 Intelligent-Tiering.

  • Question 50:

    A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store ' s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account.

    The company uses AWS Organizations and has an OU that is used only for these accounts.

    The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company ' s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access.

    The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

    What should the security engineer do next to meet the requirements in theMOST secureway?

    A. Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Share the portfolio with the OU.
    B. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. In the OU, create an SCP that allows access to the extension.
    C. Create an AWS Service Catalog portfolio in the organization ' s management account. Upload the CloudFormation template. Add the template to the portfolio ' s product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.
    D. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Share the extension with the OU.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.