Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C03 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 34

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket. The company will use server-side encryption to encrypt the S3 bucket. The company ' s operations team manages access to the company’s S3 buckets. The company ' s security team manages access to encryption keys. The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.

Which solution will meet this requirement?

Options:

A.

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

B.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

C.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

D.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Buy Now
Question # 35

A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.

Which solution will meet these requirements?

Options:

A.

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

B.

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

C.

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

D.

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

Buy Now
Question # 36

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution toprevent CloudTrail from being disabled.

Which solution will meet this requirement?

Options:

A.

Enable CloudTrail log file integrity validation from the organization ' s management account.

B.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.

C.

Create a service control policy (SCP) that includes an explicitDenyrule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.

D.

Create IAM policies for all the company ' s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Buy Now
Question # 37

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A.

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B.

Use encrypted parameters in the CloudFormation template.

C.

Use SecureString parameters to reference Secrets Manager.

D.

Use SecureString parameters encrypted by AWS KMS.

Buy Now
Question # 38

Notify when IAM roles are modified.

Options:

A.

Use Amazon Detective.

B.

Use EventBridge with CloudTrail events.

C.

Use CloudWatch metric filters.

D.

Use CloudWatch subscription filters.

Buy Now
Question # 39

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.

B.

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.

C.

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.

D.

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.

Buy Now
Question # 40

A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template. The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.

Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?

Options:

A.

Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.

B.

Create a cross-account IAM role with a unique external ID in each AWS account. Assume the cross-account role to deploy the template.

C.

Package the template as an AWS Service Catalog product. Log in to each account and provision the product to each account.

D.

Set up AWS CodePipeline in each account. Configure a pipeline to pull the template from an Amazon S3 bucket in the Organizations management account.

Buy Now
Question # 41

A company ' s security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team.

What should the security engineer do next?

Options:

A.

Poll Trusted Advisor for abuse notifications by using a Lambda function.

B.

Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SNS.

C.

Poll the AWS Support API for abuse cases by using a Lambda function.

D.

Detect abuse reports by using CloudTrail logs and CloudWatch alarms.

Buy Now
Question # 42

A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket.

What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

Options:

A.

Create a new CloudTrail trail. Select the new Regions where the company added resources.

B.

Change the S3 bucket to receive notifications to track all actions from all Regions.

C.

Create a new CloudTrail trail that applies to all Regions.

D.

Change the existing CloudTrail trail so that it applies to all Regions.

Buy Now
Question # 43

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

Which solution will meet these requirements?

Options:

A.

Enforce KMS encryption and deny s3:GetObject by SCP.

B.

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 11, 2026
Questions: 231
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$28.5  $94.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99