Amazon SCS-C03 Exam Dumps

AWS Certified Security Specialty
703 Reviews

Exam Code SCS-C03
Exam Name AWS Certified Security Specialty
Questions 179 Questions Answers With Explanation
Update Date 04, 29, 2026
Price Was : $124.2 Today : $69 Was : $142.2 Today : $79 Was : $160.2 Today : $89

Why Should You Prepare For Your AWS Certified Security Specialty With MyCertsHub?

At MyCertsHub, we go beyond standard study material. Our platform provides authentic Amazon SCS-C03 Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual AWS Certified Security Specialty test. Whether you’re targeting Amazon certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.

Verified SCS-C03 Exam Dumps

Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the SCS-C03 AWS Certified Security Specialty, you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.

Realistic Test Prep For The SCS-C03

You can instantly access downloadable PDFs of SCS-C03 practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Amazon Exam with confidence.

Smart Learning With Exam Guides

Our structured SCS-C03 exam guide focuses on the AWS Certified Security Specialty's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.

Pass the SCS-C03 Exam – Guaranteed

We Offer A 100% Money-Back Guarantee On Our Products.

After using MyCertsHub's exam dumps to prepare for the AWS Certified Security Specialty exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.

Try Before You Buy – Free Demo

Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the SCS-C03 exam dumps.

MyCertsHub – Your Trusted Partner For Amazon Exams

Whether you’re preparing for AWS Certified Security Specialty or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your SCS-C03 exam has never been easier thanks to our tried-and-true resources.

Amazon SCS-C03 Sample Question Answers

Question # 1

A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead. Which solution will meet these requirements? 

A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices. 
B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory. 
C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM). 
D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level. 



Question # 2

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly. Which solution will prevent direct access to the ALB? 

A. Use AWS PrivateLink with the ALB. 
B. Replace the ALB with an internal ALB. 
C. Restrict ALB listener rules to CloudFront IP ranges. 
D. Require a custom header from CloudFront and validate it at the ALB. 



Question # 3

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic. Which solution will meet these requirements with the LEAST implementation effort? 

A. Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic. 
B. Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic. 
C. Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic. 
D. Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic. 



Question # 4

A company sends Apache logs from EC2 Auto Scaling instances to a CloudWatch Logs log group with 1-year retention. A suspicious IP address appears in logs. A security engineer needs to analyze the past week of logs to count requests from that IP and list requested URLs. What should the engineer do with the LEAST effort? 

A. Export to S3 and use Macie. 
B. Stream to OpenSearch and analyze. 
C. Use CloudWatch Logs Insights with queries. 
D. Export to S3 and use AWS Glue. 



Question # 5

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs. Which solution will meet these requirements MOST cost-effectively? 

A. Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results. 
B. Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console. 
C. Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations. 
D. Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries. 



Question # 6

Notify when IAM roles are modified. 

A. Use Amazon Detective. 
B. Use EventBridge with CloudTrail events. 
C. Use CloudWatch metric filters. 
D. Use CloudWatch subscription filters. 



Question # 7

A company is running a new workload across accounts in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value. Which solution will meet these requirements? 

A. Use AWS Config custom policy rule and an SCP to deny non-approved aws:RequestTag/CostCenter values. 
B. Use CloudTrail + EventBridge + Lambda to block creation. 
C. Enable tag policies, define allowed values, enforce noncompliant operations, and use an SCP to deny creation when aws:RequestTag/CostCenter is null. 
D. Enable tag policies and use EventBridge + Lambda to block changes. 



Question # 8

A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days. Which solution will meet these requirements? 

A. Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena. 
B. Remove IAM policies and query logs in Security Hub. 
C. Remove permission sets and query logs using CloudWatch Logs Insights. 
D. Disable the user in IAM Identity Center and query the organizational event data store. 



Question # 9

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations. Which solution will meet these requirements MOST cost-effectively? 

A. Use AWS WAF IP match rules. 
B. Use AWS WAF geo match rules. 
C. Use CloudFront geo restriction to deny the countries. 
D. Use geolocation headers in CloudFront. 



Question # 10

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner? 

A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource. 
B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource. 
C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource. 
D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource. 



Question # 11

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts. Which solution meets these requirements with the LEAST operational effort? 

A. Designate a GuardDuty administrator account and enable protections. 
B. Centralize CloudWatch logs and use Inspector. 
C. Centralize CloudTrail logs and query with Athena. 
D. Stream logs to Kinesis and process with Lambda. 



Question # 12

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again. Which solution will meet these requirements? 

A. Enforce KMS encryption and deny s3:GetObject by SCP. 
B. Enable PublicAccessBlock and deny s3:GetObject by SCP. 
C. Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP. 
D. Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP. 



Question # 13

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler. The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization's management account when the management account is not required. Which solution will meet these requirements? 

A. Create a CloudFormation stack set in the organization's management account and manually add new accounts. 
B. Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled. 
C. Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule. 
D. Create a Systems Manager Automation runbook in the management account and share it to accounts. 



Question # 14

A company is planning to migrate its applications to AWS in a single AWS Region. The company’s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.
• Data must be encrypted in transit.
• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

A. Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation. 
B. Enable Amazon GuardDuty in all AWS accounts. 
C. Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints. 
D. Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM. 
E. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.
F. Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.



Question # 15

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys. Which combination of steps must a security engineer take to meet these requirements? (Select THREE.) 

A. Create a new customer managed key in AWS Key Management Service (AWS KMS). 
B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C). 
C. Configure the PHP SDK to use the SSE-S3 key before upload. 
D. Create an AWS managed key for Amazon S3 in AWS KMS. 
E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS). 
F. Change all the S3 objects in the bucket to use the new encryption key. 



Question # 16

A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users. Which solution meets these requirements? 

A. Enable Amazon Cognito threat protection. 
B. Restrict access to authenticated users only. 
C. Associate AWS WAF with the Cognito user pool. 
D. Monitor requests with CloudWatch. 



Question # 17

A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company's AWS account by using OpenID Connect (OIDC). Which solution will meet these requirements?

A. Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role. 
B. Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role. 
C. Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role. 
D. Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share. 



Question # 18

A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months. A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access. Which solution will meet this requirement with the LEAST effort? 

A. Implement AWS IAM Access Analyzer policy generation on the role. 
B. Implement AWS IAM Access Analyzer policy validation on the role. 
C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions. 
D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.



Question # 19

A company requires a specific software application to be installed on all new and existing Amazon EC2 instances across an AWS Organization. SSM Agent is installed and active. How can the company continuously monitor deployment status of the software application? 

A. Use AWS Config organization-wide with the ec2-managedinstance-applications-required managed rule and specify the application name. 
B. Use approved AMIs rule organization-wide. 
C. Use Distributor package and review output. 
D. Use Systems Manager Application Manager inventory filtering. 



Question # 20

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application. Which solution will meet these requirements MOST quickly? 

A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal. 
B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context. 
C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal. 
D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context. 



Question # 21

A company needs to scan all AWS Lambda functions for code vulnerabilities. 

A. Use Amazon Macie. 
B. Enable Amazon Inspector Lambda scanning. 
C. Use GuardDuty and Security Hub. 
D. Use GuardDuty Lambda Protection. 



Question # 22

A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools outside of AWS. What should the security engineer do to meet these requirements? 

A. Create security groups and attach them to all SQS queues. 
B. Modify network ACLs in all VPCs to restrict inbound traffic. 
C. Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions. 
D. Use a third-party cloud access security broker (CASB). 



Question # 23

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code. Which change should the security engineer make to the AWS KMS configuration to meet these requirements? 

A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1. 
B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region. 
C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias. 
D. Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1. 



Question # 24

CloudFormation stack deployments fail for some users due to permission inconsistencies. Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.) 

A. Create a composite principal service role. 
B. Create a service role with cloudformation.amazonaws.com as the principal. 
C. Attach scoped policies to the service role. 
D. Attach service ARNs in policy resources. 
E. Update each stack to use the service role.
F. Allow iam:PassRole to the service role.



Question # 25

A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules. Which solution will meet these requirements? 

A. Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic. 
B. Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic. 
C. Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights. 
D. Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic. 



Feedback That Matters: Reviews of Our Amazon SCS-C03 Dumps

    Nicolas Hofmann         Apr 29, 2026

Passed Amazon SCS-C03 with 95%! I was able to organize my time and comfortably approach challenging subjects by practicing real-world scenario questions.

    Prasoon Warrior         Apr 28, 2026

Mycertshub’s practice test engine and PDF were a game-changer for SCS-C03 prep. I felt completely prepared because the questions closely mirrored the format of the test.

