Amazon SCS-C03 Actual Free Exam Questions & Community Discussion

Exam Code/Number: SCS-C03
Exam Name/Title: AWS Certified Security - Specialty
Certification Provider: Amazon
Corresponding Certification: AWS Certified Specialty

Exam Questions: 215
Updated On: May 31, 2026

Page: 7 / 15
Total 215 questions

Question #91

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.
Which solution will meet these requirements?

A. Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.

B. Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

C. Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.

D. Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team's mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #92

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

A. Create a VPC endpoint for AWS KMS withprivate DNS enabled.

B. Add the following condition to the AWS KMS key policy:"aws:SourceIp": "10.0.0.0/16".

C. Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company's VPC endpoint ID.

D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Discussion 0

Correct Answer: A,C Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #93

A company requires a specific software application to be installed on all new and existing Amazon EC2 instances across an AWS Organization. SSM Agent is installed and active. How can the company continuously monitor deployment status of the software application?

A. Use approved AMIs rule organization-wide.

B. Use Distributor package and review output.

C. Use Systems Manager Application Manager inventory filtering.

D. Use AWS Config organization-wide with the ec2-managedinstance-applications-required managed rule and specify the application name.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #94

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.
Which combination of steps should a security engineer take before investigating the issue?
(Choose three.)

A. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

B. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

C. Disable termination protection for the EC2 instance if termination protection has not been disabled.

D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

E. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

F. Enable termination protection for the EC2 instance if termination protection has not been enabled.

Discussion 0

Correct Answer: A,B,F Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #95

A security engineer needs to prepare a company's Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances. Which solution will quarantine EC2 instances during a security incident?

A. Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

B. Store the script in Amazon S3 and grant read access to the instance profile.

C. Create a rule in AWS Config to track SSM Agent versions.

D. Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #96

A security engineer discovers that a company's user passwords have no required minimum length. The company is using the following two identity providers (IdPs):
- AWS Identity and Access Management (IAM) federated with on-premises
Active Directory
- Amazon Cognito user pools that contain the user database for an AWS
Cloud application that the company developed
Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Choose two.)

A. Update the password length policy in the IAM configuration.

B. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.

C. Update the password length policy in the on-premises Active Directory configuration.

D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.

E. Update the password length policy in the Cognito configuration.

Discussion 0

Correct Answer: C,E Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #97

A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU. Which solution will meet these requirements?

A. Edit the existing SCP to add a condition that excludes the marketing account.

B. Use a permissions boundary in the marketing account.

C. Edit the SCP to include an Allow statement for the marketing account.

D. Create a new SCP in the marketing account to explicitly allow sharing.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #98

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks.
However, other team members can deploy the stacks successfully.
The team members access the account by assuming a role that has a specific set of permissions.
All team members have permissions to perform operations on the stacks.
Which combination of steps will ensure consistent deployment of the stacks MOST securely?
(Select THREE.)

A. Create a service role that has cloudformation.amazonaws.com as the service principal.

B. Add policies that reference each CloudFormation stack ARN.

C. Add a policy to each member role to allow the iam:PassRole action for the service role.

D. Add policies that reference the ARNs of each AWS service that requires permissions.

E. Create a service role that has a composite principal that contains each service that needs the necessary permissions.

F. Update each stack to use the service role.

Discussion 0

Correct Answer: A,C,F Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #99

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again. Which solution will meet these requirements?

A. Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

B. Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

C. Enforce KMS encryption and deny s3:GetObject by SCP.

D. Enable PublicAccessBlock and deny s3:GetObject by SCP.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #100

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket. Which solution will meet these requirements with the LEAST operational overhead?

A. Deactivate ACLs for objects that are in the bucket.

B. Configure the S3 Block Public Access feature for the AWS account.

C. Use AWS PrivateLink for Amazon S3 to access the bucket.

D. Configure the S3 Block Public Access feature for all objects that are in the bucket.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #101

A company's security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near- real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team's email address to the topic. What should the security engineer do next to meet these requirements?

A. Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B. Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C. Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

D. Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #102

A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications.
EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications.
Which solution will cause GuardDuty to monitor the Kubernetes-based applications?

A. Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

B. Enable VPC flow logs for the VPC that hosts the EKS clusters.

C. Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #103

A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company- provided devices. A security engineer must design a solution that will minimize cost and management overhead. Which solution will meet these requirements?

A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.

B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate- based device authentication that uses Windows Active Directory.

C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).

D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices.Enable restricted access at the directory level.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #104

A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.
Which solution will meet these requirements?

A. Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.

B. Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.

C. Create an AWS Direct Connect connection between the on-premises data center and AWS.Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

D. Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #105

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period. Which solution will meet these requirements?

A. Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.

B. Configure VPC Flow Logs and CloudWatch Logs metric filters.

C. Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D. Configure CloudFront standard logging and CloudWatch Logs metric filters.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Page: 7 / 15
Total 215 questions

Previous Page Next Page

Unlock all SCS-C03 features

No captcha needed
365 Days Free Updates
Set your Desired Pass Percentage
Allocate Time (Hours : Minutes)
Two Modes For SCS-C03 Practice
Customer Support

Get Full Access Now

Download Free Amazon SCS-C03 Demo

Simply submit your e-mail address below to get started with our free demo of your Amazon SCS-C03 exam.

Email Address:

Our demo shows only a few questions from your selected exam for evaluating purposes.

0 Community Members

0 Shares

0 Demo Downloads

10 Years in Business