Home
Amazon
SCS-C03 Exam Info
SCS-C03 Exam Questions

Home ❯
Amazon ❯
SCS-C03 Exam Info ❯
SCS-C03 Exam Questions

Master Amazon AWS Certified Security - Specialty SCS-C03 Exam

Your journey to becoming a trusted cloud security architect starts here. The AWS Certified Security - Specialty credential opens doors to elite roles commanding six-figure salaries, but the SCS-C03 exam's complexity stops 40% of candidates in their tracks. Our battle-tested practice questions mirror real exam scenarios across incident response, data protection, infrastructure security, and identity managementâ€”giving you the insider advantage that passive studying never could. Whether you're securing S3 buckets, implementing GuardDuty, or architecting zero-trust environments, our multi-format approach (PDF for on-the-go review, web-based for instant feedback, desktop software for offline deep dives) adapts to your lifestyle. Join thousands who've transformed exam anxiety into certification success, then stepped confidently into roles as Security Engineers, Compliance Specialists, and Cloud Security Consultants. Your competitors are preparing right nowâ€”don't let them get there first.

Page: 1 /
Total 179 questions

Unlock 179 Premium Questions Get Free Questions & Answers PDF

Question 1

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

ALog in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

BLog in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

CLog in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.

DLog in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Correct : B

Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. The AWS Certified Security -- Specialty documentation explains that Amazon Detective is purpose-built to support rapid investigations by automatically collecting, correlating, and visualizing data from GuardDuty, AWS CloudTrail, and VPC Flow Logs. Detective enables security engineers to analyze API calls, user behavior, and resource interactions in context without making any changes to the environment.

Using read-only credentials ensures that the investigation does not impact the production application. Amazon Detective allows investigators to pivot directly from a GuardDuty finding into a detailed activity graph, showing which IAM user made anomalous calls, what resources were accessed, and how behavior deviated from the baseline. This significantly accelerates incident investigation.

Options A and C involve applying DenyAll policies, which are containment actions and could affect application availability. Option D requires manual analysis and setup and is slower than using Amazon Detective, which is designed for immediate investigative workflows.

AWS incident response guidance recommends using Detective for rapid, non-intrusive analysis after GuardDuty findings.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Amazon GuardDuty and Amazon Detective Integration

AWS Incident Response Investigation Best Practices

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

BLog in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.

0 / 1500

Question 2

A security engineer configured VPC Flow Logs to publish to Amazon CloudWatch Logs. After 10 minutes, no logs appear. The issue is isolated to the IAM role associated with VPC Flow Logs.

What could be the reason?

Alogs:GetLogEvents is missing.

BThe engineer cannot assume the role.

CThe vpc-flow-logs.amazonaws.com principal cannot assume the role.

DThe role cannot tag the log stream.

Correct : C

VPC Flow Logs require an IAM role that CloudWatch Logs can use to publish flow log records. AWS documentation and AWS Certified Security -- Specialty materials explain that the VPC Flow Logs service must be able to assume the IAM role through its trust policy. The trust relationship must include the service principal vpc-flow-logs.amazonaws.com. If the trust policy does not allow this principal to assume the role, flow logs cannot be delivered and no records will appear in the CloudWatch Logs log group even when traffic exists. logs:GetLogEvents is not required for delivery; it is used for reading logs. The security engineer's ability to assume the role is not relevant because the service, not the engineer, assumes it. Tagging permissions are not required for basic log delivery. Therefore, the most likely cause is an incorrect trust policy that prevents the VPC Flow Logs service principal from assuming the role.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Amazon VPC Flow Logs IAM Role Requirements

IAM Trust Policies for AWS Services

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

Alogs:GetLogEvents is missing.

BThe engineer cannot assume the role.

CThe vpc-flow-logs.amazonaws.com principal cannot assume the role.

DThe role cannot tag the log stream.

0 / 1500

Question 3

A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.

The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.

Which response will immediately mitigate the attack and help investigate the root cause?

ALog in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.

BUpdate the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.

CEnsure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.

DCreate an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.

Correct : C

AWS incident response best practices emphasize immediate containment, preservation of evidence, and safe forensic investigation. According to the AWS Certified Security -- Specialty Study Guide, when an EC2 instance is suspected of compromise, security teams should avoid logging in to the instance or installing additional tools, as these actions can alter evidence and increase risk.

Terminating the compromised instance after ensuring that its Amazon EBS volumes are preserved prevents further malicious activity immediately. By setting the EBS volumes to not delete on termination, all disk data is retained for forensic analysis. Launching a new, clean EC2 instance in a different subnet or Availability Zone with preinstalled diagnostic tools allows investigators to safely attach and analyze the compromised volumes without executing potentially malicious code.

Option A introduces significant risk by logging in to the compromised instance and modifying security controls during active compromise. Option B delays containment and allows continued outbound traffic during investigation steps. Option D is invalid because AWS WAF cannot be attached directly to Amazon EC2 instances and does not control outbound traffic.

AWS documentation strongly recommends isolating or terminating compromised resources and performing offline analysis using detached storage volumes. This approach ensures immediate mitigation, preserves forensic integrity, and aligns with AWS incident response frameworks.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon EC2 and EBS Forensics Guidance

AWS Well-Architected Framework -- Security Pillar

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

0 / 1500

Question 4

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

AConfigure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

BConfigure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

CConfigure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

DConfigure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Correct : C

Network Load Balancers operate at Layer 4 and are optimized for extreme performance, ultra-low latency, and handling sudden traffic spikes. According to AWS Certified Security -- Specialty documentation, using a TCP listener on an NLB allows TLS traffic to pass through directly to backend containers without termination, preserving true end-to-end encryption.

This approach eliminates the overhead of decrypting and re-encrypting traffic at the load balancer, reducing latency and maximizing throughput. NLBs scale automatically to handle volatile traffic patterns and millions of requests per second.

Application Load Balancers operate at Layer 7 and introduce additional latency due to TLS termination and HTTP processing. Route 53 multivalue routing does not provide load balancing at the transport layer and does not ensure encryption handling.

AWS recommends NLB TCP pass-through for high-performance, end-to-end encrypted container workloads.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Elastic Load Balancing Architecture

Network Load Balancer Performance Characteristics

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AConfigure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

BConfigure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

CConfigure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

DConfigure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

0 / 1500

Question 5

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

Which solution meets these requirements with the LEAST operational effort?

ADesignate a GuardDuty administrator account and enable protections.

BCentralize CloudWatch logs and use Inspector.

CCentralize CloudTrail logs and query with Athena.

DStream logs to Kinesis and process with Lambda.

Correct : A

Amazon GuardDuty provides fully managed threat detection across accounts when configured with delegated administration. EKS and RDS protections enable workload-aware detection with minimal setup.

Other solutions require custom pipelines and higher operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Amazon GuardDuty Multi-Account Architecture

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ADesignate a GuardDuty administrator account and enable protections.

BCentralize CloudWatch logs and use Inspector.

CCentralize CloudTrail logs and query with Athena.

DStream logs to Kinesis and process with Lambda.

0 / 1500

Page: 1 / 36
Total 179 questions

Want to Unlock Everything for
Amazon SCS-C03 Exam?

By upgrading to Premium Access, you’ll instantly unlock:

Unlock 179 Premium Questions

Exam Name: AWS Certified Security - Specialty
Exam Code: SCS-C03
Last Update: 09-Mar-2026
Formats: PDF, Web-based,
Desktop Practice
24/7 Customer Support

Price: $59 (PDF Format)

Get Full Access Now

Marked Questions
SCS-C03 Exam

SCS-C03 Exam Question 1
SCS-C03 Exam Question 2
SCS-C03 Exam Question 3
SCS-C03 Exam Question 4
SCS-C03 Exam Question 5

Download PDF File Demo

Try Web-Based Exam Practice Software Demo

Commenting

In order to participate in the comments you need to be logged-in.
You can sign-up or login