SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 51:

    A security engineer needs to prepare a company ' s Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances.

    The security engineer has developed a script to install and update forensics tools on the EC2 instances.

    Which solution will quarantine EC2 instances during a security incident?

    A. Create a rule in AWS Config to track SSM Agent versions.
    B. Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.
    C. Store the script in Amazon S3 and grant read access to the instance profile.
    D. Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

  • Question 52:

    A developer accidentally committed an IAM access key and secret access key to a public repository. The security team must stop further use of the exposed key and determine whether the key was used after exposure.

    A. Delete the IAM user immediately and review only the current billing dashboard.
    B. Deactivate the exposed access key and review AWS CloudTrail events for activity by the access key.
    C. Attach an explicit deny policy to all roles in the account and wait for credential expiration.
    D. Rotate the account root password and run Amazon Inspector on all compute resources.

  • Question 53:

    A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

    Which solution will meet these requirements?

    A. Enforce KMS encryption and deny s3:GetObject by SCP.
    B. Enable PublicAccessBlock and deny s3:GetObject by SCP.
    C. Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.
    D. Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

  • Question 54:

    A company receives an alert from AWS Support. The alert shows a compromised access key on a single standalone AWS account. A security engineer must determine the scope of the issue. Then, the security engineer must triage and remediate the issue.

    Which solution will meet these requirements?

    A. Delete the IAM user that has the AWSCompromisedKeyQuarantineV3 policy attached. Review Amazon CloudWatch for suspicious activity.
    B. Review AWS CloudTrail logs. Remove any unauthorized resources. Rotate all IAM access keys for the user that has the AWSCompromisedKeyQuarantineV3 policy attached. Remove the policy from the user.
    C. Remove the AWSCompromisedKeyQuarantineV3 policy from the impacted IAM user. Review AWS CloudTrail logs. Remove any unauthorized resources.
    D. Review Amazon CloudWatch logs for suspicious activity. Remove all unauthorized resources. Rotate the impacted IAM access keys.

  • Question 55:

    A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

    A. Delegate Amazon Macie and Security Hub administration.
    B. Use Amazon Inspector with Security Hub.
    C. Use Inspector with Trusted Advisor.
    D. Use Macie with Trusted Advisor.

  • Question 56:

    A company's security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service.

    AWS CloudTrail trails are enabled in all of the company's AWS accounts. VPC Flow Logs are enabled for all VPCs.

    A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

    Which solution will meet these requirements?

    A. Monitor CloudTrail logs for API calls to non-standard time servers.
    B. Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.
    C. Monitor VPC Flow Logs for traffic to non-standard time servers.
    D. Monitor VPC Flow Logs for traffic to the Amazon Time Sync Service.

  • Question 57:

    A company that uses AWS Organizations is using AWS IAM Identity Center to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will

    use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating

    in the management account.

    When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.

    What should the security engineer do to resolve this failure?

    A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
    B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
    C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
    D. Do not add the new permission set to the user. Instead, edit the user ' s existing permission set to include the AWS managed policy and the customer managed policy.

  • Question 58:

    A security analyst is investigating a high severity finding that involves an IAM role, several API calls, DNS activity, and network connections from a workload account. The analyst needs to understand relationships among the finding, the IAM role, and related activity without manually joining raw logs.

    A. Use Amazon Detective to investigate the finding and review the related entities and behavior.
    B. Use AWS Artifact to download compliance reports for the account.
    C. Use AWS CloudFormation drift detection on stacks in the workload account.
    D. Use Amazon Macie to classify the account activity by sensitive data type.

  • Question 59:

    A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.

    Which solution will meet these requirements?

    A. Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.
    B. Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.
    C. Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.
    D. Create an AWS Direct Connect connection between the on-premises data center and AWS. Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

  • Question 60:

    A company runs workloads in an AWS account. A security engineer observes some unusual findings in Amazon GuardDuty. The security engineer wants to investigate a specific IAM role and generate an investigation report. The report must contain details about anomalous behavior and any indicators of compromise.

    Which solution will meet these requirements?

    A. Use Amazon Detective to perform an investigation on the IAM role.
    B. Use AWS Audit Manager to create an assessment. Specify the IAM role. Run an assessment report.
    C. Use Amazon Inspector to create an assessment. Specify the IAM role. Run an assessment report.
    D. Use Amazon Inspector to run an on-demand scan of the IAM role.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.