SCS-C03 dumps
5 Star


Customer Rating & Feedbacks
98%


Exactly Questions Came From Dumps

Amazon SCS-C03 Question Answers

AWS Certified Security – Specialty Dumps July 2026

discount banner
PDF + Test Engine $139  $97
Test Engine
$119  $83
PDF $99  $69

Here are Amazon SCS-C03 PDF available features:

231 questions with answers Updation Date : 16 Jul, 2026
1 day study required to pass exam 100% Passing Assurance
100% Money Back Guarantee Free 3 Months Updates
Amazon SCS-C03 Sample Questions

Question # 11

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.
Which solution meets these requirements?  
 

A. Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrailtrail with log file validation enabled for KMS events. Store logs in the bucket and grantauditors access.
B. Log application events to Amazon CloudWatch Logs and export them.
C. Capture KMS API calls using EventBridge and store them in DynamoDB.
D. Track KMS usage with CloudWatch metrics and dashboards.


Question # 12

A consultant agency needs to perform a security audit for a company's production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials. Which solution will provide the consultant agency with access that meets these requirements? 

A. Create an IAM group. Create an IAM user for each consultant. Add each user to thegroup. Turn on MFA for each consultant.
B. Configure Amazon Cognito on the company’s production account to authenticateagainst the consultant agency's identity provider (IdP). Add MFA to a Cognito user pool
C. Create an IAM role in the consultant agency's AWS account. Define a trust policy thatrequires MFA. In the trust policy, specify the company's production account as theprincipal. Attach the trust policy to the role
D. Create an IAM role in the company’s production account. Define a trust policy thatrequires MFA. In the trust policy, specify the consultant agency's AWS account as theprincipal. Attach the trust policy to the role.


Question # 13

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal. A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers namedDevOpsin the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining
developer can see the permissions set in the AWS access portal. Which solution will meet this requirement?  

A. Add the remaining developer to the DevOps group in Directory Service.
B. Remove and then re-add the permissions set in the member account.
C. Add the service-linked role for organization to the member account.
D. Update the permissions set to allow console access for the remaining developer.


Question # 14

A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company’s security policy requires that connections to Amazon S3 are over a private network and are secure. The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway. Other resources in the VPC use this private subnet to access the internet successfully. When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3. What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3? 

A. Remove the route to the NAT gateway within the route table of the private subnet thatthe Lambda function uses.
B. Associate the gateway VPC endpoint with the route table of the private subnet that theLambda function uses.
C. Adjust the gateway VPC endpoint policy to allow access from the Lambda function’snetwork interface address.
D. Configure the Lambda function’s security group to allow connections to the S3 networkaddress space.


Question # 15

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor. What is the first step the security engineer should take? 

A. Open the EC2 console and remove any security groups that allow inbound traffic from0.0.0.0/0.
B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventoryreport.
C. Install the Amazon Inspector agent on the host and run an assessment with the CVErules package
D. Open the IAM console and revoke all IAM sessions that are associated with the instanceprofile.


Question # 16

Notify when IAM roles are modified. 
 

A. Use Amazon Detective.
B. Use EventBridge with CloudTrail events.
C. Use CloudWatch metric filters.
D. Use CloudWatch subscription filters.


Question # 17

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team. Which solution will meet these requirements? 

A. Deploy AWS Security Hub and enable security standards that contain EKS controls.Create an Amazon Simple Notification Service (Amazon SNS) topic and set the securityteam's mailing list as a subscriber. Use an Amazon EventBridge rule to send relevantSecurity Hub events to the SNS topic.
B. Enable Amazon Inspector container image scanning. Configure Amazon Detective toanalyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Usean AWS Lambda function to process the logs and to send email alerts to the security team.
C. Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring forAmazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS)topic and set the security team's mailing list as a subscriber. Use an Amazon EventBridgerule to send relevant GuardDuty events to the SNS topic.
D. Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. ConfigureAmazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple NotificationService (Amazon SNS) topic and set the security team's mailing list as a subscriber.Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logsare generated.


Question # 18

A company's security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company's AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization. Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.) 

A. Encrypt all AWS CloudTrail logs.
B. Turn on Amazon GuardDuty.
C. Change the password for all IAM users.
D. Rotate or delete all AWS access keys.
E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
F. Delete any resources that are unrecognized or unauthorized.


Question # 19

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future. Which steps would help achieve this? (Select TWO.) 
 

A. Enable Amazon GuardDuty to automatically monitor for malicious activity and blockunauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of anattack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function toautomatically block an attacker’s IP using security groups.
D. Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time,use AWS Config rules to audit the configuration, and use AWS Systems Manager forremediation.
E. Use AWS WAF to create rules to respond to such attacks.


Question # 20

A company has an organization in AWS Organizations. The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon EBS volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation
consists of AWS Lambda functions and AWS Step Functions state machines. The automation assumes an IAM role in the target AWS account. The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots. The security team has an AWS KMS key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team’s AWS account. Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Select THREE.)  
 

A. In the target AWS account, update the KMS key policy on the AWS managed key toexplicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation’s IAM role.
B. In the target AWS account, create a customer managed KMS key. Update theautomation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, andkms:CreateGrant actions.
C. In the security team’s AWS account, update the automation’s IAM role to allow thekms:Encrypt, kms:Decrypt, and kms:CreateGrant actions for the AWS managed key.
D. In the security team’s AWS account, update the automation’s IAM role to allow thekms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for thecustomer managed KMS key.
E. In the security team’s AWS account, update the automation code to take EBS snapshotsand to use the AWS managed key.
F. In the security team’s AWS account, update the automation code to take EBS snapshotsand to use the customer managed KMS key.


12345678

Download All 231 Questions Check Customers Feedbacks