SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 61:

    A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region that uses an AWS KMS customer managed key. The company must copy a DB snapshot to the us-west-1 Region but cannot access the encryption key across Regions.

    What should the company do to properly encrypt the snapshot in us-west-1?

    A. Store the customer managed key in AWS Secrets Manager in us-west-1.
    B. Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.
    C. Create an IAM policy to allow access to the key in us-east-1 from us-west-1.
    D. Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

  • Question 62:

    A security engineer is reducing excessive IAM permissions. The engineer needs to identify services and actions that IAM principals have used recently so unused permissions can be removed with minimal guesswork.

    A. Use Amazon Macie to classify IAM policy documents as sensitive data.
    B. Use AWS Artifact to identify which principals have administrator access.
    C. Use VPC Flow Logs to determine every IAM action performed by each role.
    D. Use IAM Access Analyzer last accessed information to review permissions that have been used.

  • Question 63:

    A company requires every new cloud resource to include a CostCenter tag with one of several approved values. The company also wants to prevent users from creating resources when the required tag is missing.

    Which combination of controls should the company use? Choose two.

    A. Use AWS Organizations tag policies to define approved tag keys and values.
    B. Use an SCP that denies supported create actions when the required request tag is missing.
    C. Use VPC Flow Logs to detect untagged resource creation.
    D. Use AWS Artifact to publish the list of approved tag values.
    E. Use Amazon Macie to apply missing tags automatically.

  • Question 64:

    A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

    The company needs to implement a monitoring solution for logs from all AWS resources across all accounts.

    The solution must include automatic detection of security-related issues.

    Which solution will meet these requirements with theLEAST operational effort?

    A. Designate an Amazon GuardDuty administrator account in the organization's management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.
    B. Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.
    C. Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.
    D. Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

  • Question 65:

    A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.

    A security team must implement a solution to centrally manage VPC security groups across the accounts.

    The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.

    The security team needs to select a solution that does not require custom development or scripting.

    Which solution will meet these requirements?

    A. Use AWS Firewall Manager to manage security group rules through security group policy rules.
    B. Create an AWS Systems Manager Automation runbook to identify and align noncompliant security groups with the reference security group.
    C. Use a custom AWS Config rule with auto remediation. Compare to the reference security group for compliance.
    D. Manage security groups through AWS CloudFormation StackSets. Use the reference security group for the initial rules.

  • Question 66:

    An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon

    S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows thekms:Decryptpermission to the customer managed key. The IAM policy also allows thes3:List* ands3:Get* permissions for the S3 bucket

    and its objects.

    Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

    A. The IAM policy needs to allow thekms:DescribeKeypermission.
    B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
    C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
    D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

  • Question 67:

    A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

    Which solution will meet this requirement?

    A. Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.
    B. Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
    C. Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an active DDoS event.
    D. Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an active DDoS event.

  • Question 68:

    A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

    Which solution meets these requirements?

    A. Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.
    B. Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.
    C. Configure AWS Config rules to log access to the objects stored in the S3 bucket.
    D. Enable Amazon Macie to log access to the objects stored in the S3 bucket.

  • Question 69:

    A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

    Which additional step will meet these requirements?

    A. Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.
    B. Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.
    C. Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.
    D. Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

  • Question 70:

    A company wants to implement a content delivery network (CDN) for an upcoming product launch. The origin for distribution is a web server outside the AWS Cloud. The origin requires an authorization header from each request.

    Which solution will meet these requirements?

    A. Use AWS Global Accelerator to create a custom routing accelerator. Configure the accelerator to use TCP. Specify the web server's IP address. Include the required authorization header in the request. Configure the web server to respond to requests from authorized users by using a signed cookie in the response header.
    B. Create an Amazon CloudFront distribution. Configure CloudFront to use an origin access control (OAC). Specify the web server as the origin. Include the required authorization header in the OAC request. Configure the web server to respond to requests from authorized users by using a signed URL.
    C. Create an Amazon CloudFront distribution. Configure CloudFront to forward a custom header to the origin. Specify trusted key groups for the distribution. Configure the web server to respond to requests from authorized users by using a signed URL.
    D. Use AWS Global Accelerator to create an origin access control (OAC). Specify the web server as the origin. Include a custom header in the request. Configure the web server to respond to requests from authorized users by using a signed cookie in the response header.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.