Amazon SCS-C03 PDF features:

| Feature | Detail |
| --- | --- |
| Questions with answers | 231 |
| Update date | 16 Jun, 2026 |
| Study time required to pass the exam | 1 day |
| Passing assurance | 100% |
| Money back guarantee | 100% |
| Free updates | 3 months |
A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?
A. Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
C. Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
D. Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.
A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools. Which solution will quarantine EC2 instances during a security incident?
A. Track SSM Agent versions with AWS Config.
B. Configure Session Manager to deny external connections.
C. Store the script in Amazon S3 and grant read access.
D. Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.
A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible. Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)
A. Enable AWS Security Hub in the AWS account.
B. Enable Amazon GuardDuty in the AWS account.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.
E. Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
F. Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.
Answer: C,E
A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions. Which solution will meet these requirements?
A. Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
B. Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
C. Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
D. Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.
A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs. What could be the reason?
A. logs:GetLogEvents is missing.
B. The engineer cannot assume the role.
C. The vpc-flow-logs.amazonaws.com principal cannot assume the role.
D. The role cannot tag the log stream.
A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances. Which solution will meet these requirements?
A. Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.
B. Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2-instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.
C. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.
D. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.
A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy. Which action should enforce this policy?
A. Configure an S3 Lifecycle rule to delete objects after 45 days.
B. Create a Lambda function triggered on object upload to delete old data.
C. Create a scheduled Lambda function to delete old objects monthly.
D. Configure S3 Intelligent-Tiering.
A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status. Which solution will meet these requirements?
A. Use AWS Audit Manager with a custom framework.
B. Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.
C. Use AWS Security Hub configuration policies.
D. Use EventBridge and Lambda with custom metrics.
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer. Which solution will meet this requirement?
A. Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.
B. Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.
C. Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.
D. Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.
A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory. Which solution will meet this requirement?
A. Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.
B. Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.
C. Reconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP as the principal.
D. Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.