AWS Dumps
| PDF + Test Engine | $65 | |
| Test Engine | $55 | |
| $45 |
- Last Update on July 16, 2026
- 100% Passing Guarantee of SCS-C03 Exam
- 90 Days Free Updates of SCS-C03 Exam
- Full Money Back Guarantee on SCS-C03 Exam
Amazon AWS SCS-C03 Sample Questions
Question 1
A. Create a service role that has a composite principal that contains each service that
needs the necessary permissions.
B. Create a service role that has cloudformation.amazonaws.com as the service principal.
C. Add policies that reference each CloudFormation stack ARN.
D. Add policies that reference the ARNs of each AWS service that requires permissions.
E. Update each stack to use the service role.
F. Add a policy to each member role to allow the iam:PassRole action for the service role.
Answer: B,E,F
Question 2
A. Remove the Condition element. Change the Principal element to the following:{ "AWS":"arn:aws:lambda:::function:MyLambdaFunction" }
B. Change the Action element to the following:["s3:GetObject*", "s3:GetBucket*"]
C. Change the Resource element to"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".
D. Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction".Change the Principal element to the following:{ "Service": "s3.amazonaws.com" }
Answer: C
Question 3
A. Create an Application Load Balancer with the existing EC2 instances as a target group.Create an AWS WAF web ACL containing rules that protect the application from this attack,then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirectthe Route 53 records to point to the ALB. Update security groups on the EC2 instances toprevent direct access from the internet.
B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin.Create an AWS WAF web ACL containing rules that protect the application from this attack,then apply it to the distribution. Test to ensure the vulnerability has been mitigated, thenredirect the Route 53 records to point to CloudFront.
C. Obtain the latest source code for the platform and make the necessary updates. Testthe updated code to ensure that the vulnerability has been mitigated, then deploy thepatched version of the platform to the EC2 instances.
D. Update the security group that is attached to the EC2 instances, removing access fromthe internet to the TCP port used by the SQL database. Create an AWS WAF web ACLcontaining rules that protect the application from this attack, then apply it to the EC2instances. Test to ensure the vulnerability has been mitigated, then restore the securitygroup to the original setting.
Answer: A
Question 4
A. Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encryptedwith AWS KMS.
B. Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction onlywhen the object has server-side encryption with S3 managed keys (SSE-S3).
C. Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencryptedS3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object isencrypted with AWS KMS
D. Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencryptedS3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction onlywhen the object is encrypted with AWS KMS
Answer: A
Question 5
A. Use Amazon Macie.
B. Enable Amazon Inspector Lambda scanning.
C. Use GuardDuty and Security Hub.
D. Use GuardDuty Lambda Protection.
Answer: B
Question 6
A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IPranges. Associate the web ACL with the CloudFront distribution.
B. Create an AWS WAF web ACL with a geo match condition to deny the specificcountries. Associate the web ACL with the CloudFront distribution.
C. Use the geo restriction feature in CloudFront to deny the specific countries.
D. Use geolocation headers in CloudFront to deny the specific countries.
Answer: C
Question 7
A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select theaccess-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days.Create an Amazon EventBridge rule with an event pattern that matches the compliancetype of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridgeto send an Amazon SNS notification to the security team.
B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM accesskey rotation. Load the script into an AWS Lambda function that will upload the .csv file toan Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv fileis uploaded to the S3 bucket. Publish the results for any keys older than 90 days by usingan invocation of an Amazon SNS notification to the security team.
C. Create a script to download the IAM credentials report on a periodic basis. Load thescript into an AWS Lambda function that will run on a schedule through AmazonEventBridge. Configure the Lambda script to load the report into memory and to filter thereport for records in which the key was last rotated at least 90 days ago. If any records aredetected, send an Amazon SNS notification to the security team
D. Create an AWS Lambda function that queries the IAM API to list all the users. Iteratethrough the users by using the ListAccessKeys operation. Verify that the value in theCreateDate field is not at least 90 days old. Send an SNS notification to the security team ifthe value is at least 90 days old. Create an EventBridge rule to schedule the Lambdafunction to run each day.
Answer: A
Question 8
A. Install a third-party security add-on.
B. Enable AWS Security Hub and monitor Kubernetes findings.
C. Monitor CloudWatch Container Insights metrics for EKS.
D. Enable Amazon GuardDuty and use EKS Audit Log Monitoring.
Answer: D
Question 9
A. Install a third-party security add-on.
B. Enable AWS Security Hub and monitor Kubernetes findings.
C. Monitor CloudWatch Container Insights metrics for EKS.
D. Enable Amazon GuardDuty and use EKS Audit Log Monitoring.
Answer: D
Question 10
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query thelogs for the specific IP address and the requested URLs.
B. Configure a CloudWatch Logs subscription to stream the log group to an AmazonOpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specificIP address and the requested URLs
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatchlogs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3bucket for only the log entries that contain the specific IP address. Use AWS Glue to viewthe results.
Answer: C
