Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

SCS-C03 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Question # 54

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company ' s existing and future S3 buckets.

Which solution will meet these requirements?

Options:

A.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Buy Now
Question # 55

A company’s developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Options:

A.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Buy Now
Question # 56

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

Which solution meets these requirements?

Options:

A.

Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. Store logs in the bucket and grant auditors access.

B.

Log application events to Amazon CloudWatch Logs and export them.

C.

Capture KMS API calls using EventBridge and store them in DynamoDB.

D.

Track KMS usage with CloudWatch metrics and dashboards.

Buy Now
Question # 57

A company uses Amazon Cognito user pools with the hosted UI to authenticate its customers. The company’s security team has detected a surge in bot activity and suspicious traffic that targets the Amazon Cognito endpoints. A security engineer must implement a security solution to block these malicious requests. The security measures must maintain uninterrupted access for legitimate users.

Which solution meets these requirements?

Options:

A.

Use Amazon Cognito threat protection on the user pool.

B.

Configure the Amazon Cognito user pool app client settings to restrict access to only authenticated users.

C.

Associate an AWS WAF web ACL with the Amazon Cognito user pool. Define rules to filter unwanted requests and manage bot traffic.

D.

Use Amazon CloudWatch to monitor incoming Amazon Cognito requests. Create an identity pool to block suspicious user agents.

Buy Now
Question # 58

A security engineer is troubleshooting an AWS Lambda function that is namedMyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is namedDOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

{

" Effect " : " Allow " ,

" Principal " : { " Service " : " lambda.amazonaws.com " },

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::DOC-EXAMPLE-BUCKET " ,

" Condition " : {

" ArnLike " : {

" aws:SourceArn " : " arn:aws:lambda:::function:MyLambdaFunction "

}

}

}

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A.

Remove the Condition element. Change the Principal element to the following:{ " AWS " : " arn:aws:lambda:::function:MyLambdaFunction " }

B.

Change the Action element to the following:[ " s3:GetObject* " , " s3:GetBucket* " ]

C.

Change the Resource element to " arn:aws:s3:::DOC-EXAMPLE-BUCKET/* " .

D.

Change the Resource element to " arn:aws:lambda:::function:MyLambdaFunction " . Change the Principal element to the following:{ " Service " : " s3.amazonaws.com " }

Buy Now
Question # 59

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler.

The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization ' s management account when the management account is not required.

Which solution will meet these requirements?

Options:

A.

Create a CloudFormation stack set in the organization ' s management account and manually add new accounts.

B.

Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled.

C.

Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule.

D.

Create a Systems Manager Automation runbook in the management account and share it to accounts.

Buy Now
Question # 60

A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.

Which solution meets these requirements?

Options:

A.

Enable Amazon Cognito threat protection.

B.

Restrict access to authenticated users only.

C.

Associate AWS WAF with the Cognito user pool.

D.

Monitor requests with CloudWatch.

Buy Now
Question # 61

A security engineer uses Amazon Macie to scan a company ' s Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional scanning on those S3 buckets.

Which solution will meet these requirements with the LEAST administrative overhead?

Options:

A.

Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.

B.

Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.

C.

Configure Macie automated discovery to continuously sample data from the S3 buckets. Perform full scans of the S3 buckets where Macie discovers sensitive data.

D.

Configure Macie scans to run on the S3 buckets. Aggregate the results of the scans in an Amazon DynamoDB table. Use the DynamoDB table for queries.

Buy Now
Question # 62

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Configure the S3 Block Public Access feature for the AWS account.

B.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.

Deactivate ACLs for objects that are in the bucket.

D.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Buy Now
Question # 63

A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances.

Which solution will meet these requirements?

Options:

A.

Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to grant the required permissions. Use the AWS CLI to open a tunnel to connect to the instances.

B.

Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to the ec2-instance-connect command user. Use the AWS Management Console to connect to the EC2 instances.

C.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS CLI to open a tunnel to connect to the instances.

D.

Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to allow access between the EC2 instances and the endpoint. Use the AWS Management Console to connect to the EC2 instances.

Buy Now
Exam Code: SCS-C03
Exam Name: AWS Certified Security – Specialty
Last Update: Jul 11, 2026
Questions: 231
SCS-C03 pdf

SCS-C03 PDF

$25.5  $84.99
SCS-C03 Engine

SCS-C03 Testing Engine

$28.5  $94.99
SCS-C03 PDF + Engine

SCS-C03 PDF + Testing Engine

$40.5  $134.99