SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 71:

    A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

    Which solution will meet these requirements MOST cost-effectively?

    A. Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.
    B. Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.
    C. Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.
    D. Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.

  • Question 72:

    A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU.

    Which solution will meet these requirements?

    A. Create a new SCP in the marketing account to explicitly allow sharing.
    B. Edit the existing SCP to add a condition that excludes the marketing account.
    C. Edit the SCP to include an Allow statement for the marketing account.
    D. Use a permissions boundary in the marketing account.

  • Question 73:

    A company uses an incident response team to troubleshoot incidents. The incident response team must use temporary credentials from AWS STS for cross-account IAM role access when troubleshooting.

    Occasionally, each team member will need to respond to multiple different types of incidents simultaneously.

    Based on the type of incident, the company wants to dynamically assign minimal permissions to whichever team member responds.

    Which solution will meet these requirements?

    A. Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a session policy.
    B. Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a permissions boundary.
    C. Do not assign any permissions to the cross-account role initially. Assign a session policy to the role being assumed with the required permission for that type of incident.
    D. Use an AWS Lambda function for each incident. Configure the function to create a temporary cross-account role that uses the AWS managed policy AWSSecurityIncidentResponseServiceRolePolicy. Reduce the scope of those permissions by using a permissions boundary.

  • Question 74:

    A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

    Which solution will meet these requirements MOST quickly?

    A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
    B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
    C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
    D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

  • Question 75:

    A security team manages encryption keys and an operations team manages storage buckets. The company wants separation of duties so that a mistake by only one team cannot expose plaintext sensitive data stored in a bucket.

    A. Use server-side encryption with Amazon S3 managed keys and allow the operations team to manage all bucket policies.
    B. Require server-side encryption with a customer managed AWS KMS key in the bucket policy and control key usage through the KMS key policy.
    C. Store the encryption key as an object in the same bucket and deny public access to the bucket.
    D. Use client-side encryption but allow the operations team to manage both the key material and the bucket.

  • Question 76:

    A company uses SAML federation with IAM to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

    "Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code:

    InvalidIdentityToken)"

    A security engineer needs to address the immediate issue and ensure that it will not occur again.

    Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

    A. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
    B. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
    C. Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
    D. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
    E. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

  • Question 77:

    A development team is creating an open source toolset to manage a company's software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset's code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred.

    The solution also must prevent any additional usage of the exposed credentials.

    Which combination of steps will meet these requirements? (Select TWO.)

    A. Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.
    B. Deactivate the exposed IAM access key from the user ' s IAM account.
    C. Create a rule in Amazon GuardDuty to block the access key in the source code from being used.
    D. Create a new IAM access key and secret key for the user whose credentials were exposed.
    E. Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

  • Question 78:

    A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

    Which network ACL rule set meets these requirements?

    A. 443. Use inbound rule 200 to deny traffic on TCP port3306. Use outbound rule 100 to allow traffic on TCP port 443.
    B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
    C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
    D. 3306. Use inbound rule 200 to allow traffic on TCP port443. Use outbound rule 100 to allow traffic on TCP port 443.

  • Question 79:

    A company uses AWS Organizations. The company subscribes to AWS Shield Advanced. The company must share third-party firewall logs from all its accounts with the Shield Response Team. The company stores the logs in an Amazon S3 bucket that uses server-side encryption with S3 managed keys (SSE-S3).

    Which combination of steps will meet these requirements? (Select TWO.)

    A. Use the aws shield associate-drt-log-bucket command to grant the Shield Response Team access to the bucket.
    B. Configure multi-account support by creating a delegated administrator account for Shield Advanced.
    C. In the delegated administrator account, configure Shield Advanced to forward events to AWS Security Hub CSPM.
    D. Create an IAM role and attach the AWSShieldDRTAccessPolicy policy. Create a trust policy with the drt.shield.amazonaws.com service principal.
    E. Configure auto-enable preferences in Organizations to enable Shield Advanced as the organization adds new member accounts.

  • Question 80:

    A company is planning to migrate its applications to AWS in a single AWS Region. The company's applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible.

    All the applications must meet the following requirements:

    - Data must be encrypted at rest.

    - Data must be encrypted in transit.

    - Endpoints must be monitored for anomalous network traffic.

    Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

    A. Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.
    B. Enable Amazon GuardDuty in all AWS accounts.
    C. Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.
    D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.
    E. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.
    F. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.