SCS-C03 Exam Details

  • Exam Code
    :SCS-C03
  • Exam Name
    :AWS Certified Security - Specialty
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :257 Q&As
  • Last Updated
    :Jul 15, 2026

Amazon SCS-C03 Online Questions & Answers

  • Question 81:

    A company builds container images in several accounts and deploys serverless functions from those images. The security team needs a centralized view of software vulnerabilities and code risks. Test resources must not appear in operational dashboards.

    A. Enable AWS Shield Advanced and create alarms for protected resources that have test tags.
    B. Use Amazon Inspector with delegated administration and suppress findings for resources that are tagged as test or development.
    C. Use Amazon GuardDuty Malware Protection and exclude test resources with security group rules.
    D. Use AWS Config conformance packs and suppress all noncompliant resources in development accounts.

  • Question 82:

    A company's developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts.

    The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

    Which solution will meet these requirements?

    A. Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
    B. Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
    C. Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.
    D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

  • Question 83:

    A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets. The company needs to replicate the S3 objects from the company ' s primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.

    Which solution will meet these requirements?

    A. Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region.
    B. Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.
    C. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region.
    D. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

  • Question 84:

    A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

    Which solution will meet these requirements?

    A. Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
    B. Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
    C. Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
    D. Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

  • Question 85:

    A company plans to create Amazon S3 buckets to store log data. All the S3 buckets will have versioning enabled and will use the S3 Standard storage class.

    A security engineer needs to implement a solution that protects objects in the S3 buckets from deletion for 90 days. The solution must ensure that no object can be deleted during this time period, even by an administrator or the AWS account root user.

    Which solution will meet these requirements?

    A. Enable S3 Object Lock in governance mode. Set a legal hold of 90 days.
    B. Enable S3 Object Lock in governance mode. Set a retention period of 90 days.
    C. Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
    D. Create an S3 Glacier Vault Lock policy that prevents deletion for 90 days.

  • Question 86:

    A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.

    Which solution will meet these requirements?

    A. Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.
    B. Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.
    C. Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.
    D. Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

  • Question 87:

    A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

    A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests. The security engineer does not want to prevent legitimate users from accessing the application.

    Which solution will meet these requirements?

    A. Use AWS WAF to implement a rate-based rule for all incoming requests.
    B. Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.
    C. Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.
    D. Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

  • Question 88:

    A company stores sensitive files in Amazon S3. The security policy requires all object uploads and downloads to use encrypted transport. Clients that attempt unencrypted transport must be denied, regardless of identity permissions.

    A. Enable default bucket encryption with Amazon S3 managed keys.
    B. Enable versioning on the bucket and require MFA Delete.
    C. Add a bucket policy that denies requests when aws:SecureTransport is false.
    D. Create an IAM policy that allows s3:GetObject only for administrator users.

  • Question 89:

    A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.

    Which solution will meet these requirements?

    A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
    B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
    C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
    D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.

  • Question 90:

    A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK).

    When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

    What should the security engineer do to resolve this error?

    A. Replace the KSK with a zone-signing key (ZSK).
    B. Deactivate and then activate the KSK.
    C. Create a Delegation Signer (DS) record in the parent hosted zone.
    D. Create a Delegation Signer (DS) record in the subdomain.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SCS-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.