Amazon SCS-C03 Practice Questions

The latest changes and updates from the administration for this exam.

verified

Latest Update: Jun 01 2026

All questions are working fine.

All Questions (248)bookmarkBookmarked (0)

All248Show all accessible questions in this exam.Missed248Questions you haven't attempted yet.Incorrect0Questions you answered incorrectly on your last attempt.

Question 111

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.

How should the bucket be configured?

A. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.

B. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

C. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.

D. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.

Question 112

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management

Console; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)

Question 113

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.

What should the Security Engineer do to provide the highest level of security for the account?

A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.

B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.

C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.

D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.

Question 114

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API

Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Select all that apply

A. Create a custom authorization service using AWS Lambda.

B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

D. Configure an Amazon Cognito identity pool to integrate with social login providers.

E. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

F. Update DynamoDB to store the user email addresses and passwords.

Question 115

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host

(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

A. In the security group of the EC2 instance, allow inbound ICMP traffic.

B. In the security group of the EC2 instance, allow outbound ICMP traffic.

C. In the VPC's NACL, allow inbound ICMP traffic.

D. In the VPC's NACL, allow outbound ICMP traffic.

Question 116

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.

Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Select all that apply

A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

C. Configure automatic rotation of credentials in AWS Secrets Manager.

D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Question 117

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.

Which combination of actions would build the required solution? (Choose three.)

Select all that apply

A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

B. Enable Amazon GuardDuty in the security account, and join the production accounts as members.

C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.

E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

Question 118

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

A. Server-side encryption with Amazon S3-managed keys (SSE-S3)

B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)

C. Server-side encryption with customer-provided keys (SSE-C)

D. Client-side encryption with an AWS KMS-managed CMK

Question 119

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.

Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

Select all that apply

A. Ensure that the log file integrity validation mechanism is enabled.

B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing " but not modifying " the log files.

E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Question 120

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.

Which approach will meet these requirements while protecting the external certificate during a breach?

A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.

B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.

C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.

D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Update History

Update History