Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C03 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 24

A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit.

Which solution will meet this requirement?

Options:

A.

Ensure that all client implementations are using HTTPS to upload documents into the application.

B.

Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.

C.

Add an S3 bucket policy that denies all S3 actions for condition “aws:SecureTransport”: “false”.

D.

Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.

Buy Now
Question # 25

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization ' s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

Buy Now
Question # 26

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

B.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

C.

Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

D.

Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Buy Now
Question # 27

A company needs to develop a code-signing application that will use a certificate authority (CA) to sign a code-signing certificate. The solution must use an AWS KMS asymmetric key. The solution needs to collect and store immutable evidence about the creation, origin, and use of the KMS key for compliance purposes. This information must be made available to internal auditors.

Which solution meets these requirements?

Options:

A.

Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with an event selector and log file validation enabled for all kms.amazonaws.com CreateKey events. Configure the event selector to send the CreateKey events to the S3 bucket. Create the KMS key. Update the event selector to filter for API calls that reference the KMS key ARN. Provide the auditors with access to the S3 bucket.

B.

Implement logging for application operations that reference the KMS key. Ensure that the logs contain all associated metadata. Store the logs in an Amazon CloudWatch Logs log group. Configure an automated export of the log group. Send the export to the auditors.

C.

Create an Amazon DynamoDB table that the auditors can access. Create an AWS Lambda function that an Amazon EventBridge rule invokes. Configure the EventBridge rule to monitor KMS API calls. Configure the EventBridge rule to filter for all API calls that reference the KMS key ARN. Configure the Lambda function to store the contents of the API calls in the DynamoDB table.

D.

Set up Amazon CloudWatch Logs Insights with a custom metric to track KMS key usage. Visualize the metrics by using a CloudWatch dashboard with real-time monitoring. Configure CloudWatch alarms. Use a subscription filter to replicate the data to a separate account for the auditors to review.

Buy Now
Question # 28

A company is investigating an increase in its AWS monthly bill. The company discovers that bad actors compromised some Amazon EC2 instances and served webpages for a large email phishing campaign. A security engineer must implement a solution to monitor for cost increases in the future to help detect malicious activity.

Which solution will offer the company the EARLIEST detection of cost increases?

Options:

A.

Create an Amazon EventBridge rule that invokes an AWS Lambda function hourly. Program the Lambda function to download an AWS usage report from AWS Data Exports about usage of all services. Program the Lambda function to analyze the report and to send a notification when anomalies are detected.

B.

Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.

C.

Review AWS Cost Explorer daily to detect anomalies in cost from prior months. Review the usage of any services that experience a significant cost increase from prior months.

D.

Capture VPC flow logs from the VPC where the EC2 instances run. Use a third-party network analysis tool to analyze the flow logs and to detect anomalies in network traffic that might increase cost.

Buy Now
Question # 29

A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.

Which action should enforce this policy?

Options:

A.

Configure an S3 Lifecycle rule to delete objects after 45 days.

B.

Create a Lambda function triggered on object upload to delete old data.

C.

Create a scheduled Lambda function to delete old objects monthly.

D.

Configure S3 Intelligent-Tiering.

Buy Now
Question # 30

A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

Options:

A.

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

B.

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

C.

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

D.

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Buy Now
Question # 31

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

Which solution meets these requirements with the LEAST operational effort?

Options:

A.

Designate a GuardDuty administrator account and enable protections.

B.

Centralize CloudWatch logs and use Inspector.

C.

Centralize CloudTrail logs and query with Athena.

D.

Stream logs to Kinesis and process with Lambda.

Buy Now
Question # 32

A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

Which solution will meet this requirement?

Options:

A.

Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.

B.

Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.

C.

Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.

D.

Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.

Buy Now
Question # 33

A company receives an alert from AWS Support. The alert shows a compromised access key on a single standalone AWS account. A security engineer must determine the scope of the issue. Then, the security engineer must triage and remediate the issue.

Which solution will meet these requirements?

Options:

A.

Delete the IAM user that has the AWSCompromisedKeyQuarantineV3 policy attached. Review Amazon CloudWatch for suspicious activity.

B.

Review AWS CloudTrail logs. Remove any unauthorized resources. Rotate all IAM access keys for the user that has the AWSCompromisedKeyQuarantineV3 policy attached. Remove the policy from the user.

C.

Remove the AWSCompromisedKeyQuarantineV3 policy from the impacted IAM user. Review AWS CloudTrail logs. Remove any unauthorized resources.

D.

Review Amazon CloudWatch logs for suspicious activity. Remove all unauthorized resources. Rotate the impacted IAM access keys.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 11, 2026
Questions: 231
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$28.5  $94.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99