Amazon SCS-C03 Exam Questions

Exam Name: AWS Certified Security – Specialty

Exam Code: SCS-C03

Related Certification(s): Amazon Specialty Certification

Certification Provider: Amazon

Actual Exam Duration: 170 Minutes

Number of SCS-C03 Practice Questions: 179 (updated: )

Question #1

A company uses an organization in AWS Organizations to manage multiple AWS accounts.
The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

A. Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application. B. Enable Amazon Cognito and create a new identity pool for Amazon Q Developer. C. Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application. D. Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

A. Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action. B. Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name. C. Configure the application’s IAM role policy to allow Amazon S3 to perform the iam:PassRole action. D. Configure the application’s IAM role policy to allow only S3 operations when the operations are combined with the KMS key.

Question #3

A company’s security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks.
An Amazon SNS topic already exists and is subscribed to by the security team.

What should the security engineer do next?

A. Poll Trusted Advisor for abuse notifications by using a Lambda function. B. Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SNS. C. Poll the AWS Support API for abuse cases by using a Lambda function. D. Detect abuse reports by using CloudTrail logs and CloudWatch alarms.

Question #4

A company is attempting to conduct forensic analysis on an Amazon EC2 instance but cannot connect by using Systems Manager Session Manager.
The instance is in a subnet without an internet gateway.
The security group has no inbound or outbound rules.
The subnet network ACL allows all traffic.

Which combination of actions will allow forensic analysis without compromising data? (Select THREE.)

A. Update the EC2 instance security group to allow outbound traffic on port 443 for 0.0.0.0/0. B. Update the EC2 instance security group to allow inbound traffic on port 443. C. Create an EC2 key pair and associate it with the instance. D. Create a VPC interface endpoint for Systems Manager. E. Attach a security group to the VPC interface endpoint and allow inbound traffic on port 443 from the VPC CIDR range. F. Create a VPC interface endpoint for the EC2 instance.

Question #5

A company has many Amazon Linux 2 EC2 instances that process sensitive data.
Requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center.
DevOps engineers occasionally need troubleshooting access.

Which solution will provide remote access while meeting these requirements?

A. Grant access to the EC2 serial console. B. Enable EC2 Instance Connect. C. Assign an EC2 instance role that allows access to Systems Manager and grant Session Manager permissions through IAM Identity Center. D. Use Systems Manager Automation to temporarily open remote ports.