Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: get65

Page: 1 / 17

AWS Certified Specialty AWS Certified Security – Specialty

AWS Certified Security – Specialty

Last Update Jul 8, 2026
Total Questions : 231

To help you prepare for the SCS-C03 Amazon Web Services exam, we are offering free SCS-C03 Amazon Web Services exam questions. All you need to do is sign up, provide your details, and prepare with the free SCS-C03 practice questions. Once you have done that, you will have access to the entire pool of AWS Certified Security – Specialty SCS-C03 test questions which will help you better prepare for the exam. Additionally, you can also find a range of AWS Certified Security – Specialty resources online to help you better understand the topics covered on the exam, such as AWS Certified Security – Specialty SCS-C03 video tutorials, blogs, study guides, and more. Additionally, you can also practice with realistic Amazon Web Services SCS-C03 exam simulations and get feedback on your progress. Finally, you can also share your progress with friends and family and get encouragement and support from them.

Questions 2

A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?

Options:

A.  

Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.

B.  

Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.

C.  

Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.

D.  

Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

Discussion 0
Lennie
I passed my exam and achieved wonderful score, I highly recommend it.
Emelia Jun 15, 2026
I think I'll give Cramkey a try next time I take a certification exam. Thanks for the recommendation!
Everleigh
I must say that they are updated regularly to reflect the latest exam content, so you can be sure that you are getting the most accurate information. Plus, they are easy to use and understand, so even new students can benefit from them.
Huxley Jun 15, 2026
That's great to know. So, you think new students should buy these dumps?
Lennox
Something Special that they provide a comprehensive overview of the exam content. They cover all the important topics and concepts, so you can be confident that you are well-prepared for the test.
Aiza Jun 1, 2026
That makes sense. What makes Cramkey Dumps different from other study materials?
Hendrix
Great website with Great Exam Dumps. Just passed my exam today.
Luka Jun 21, 2026
Absolutely. Cramkey Dumps only provides the latest and most updated exam questions and answers.
Annabel
I recently used them for my exam and I passed it with excellent score. I am impressed.
Amirah Jun 20, 2026
I passed too. The questions I saw in the actual exam were exactly the same as the ones in the Cramkey Dumps. I was able to answer the questions confidently because I had already seen and studied them.
Questions 3

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with theLEAST operational effort?

Options:

A.  

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.  

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.  

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.  

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

Discussion 0
Questions 4

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:

A.  

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.  

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.  

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.  

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Discussion 0
Questions 5

A company uses AWS Organizations to manage its AWS accounts in a single organization. The company applies the FullAWSAccess SCP to every OU. However, now the company must explicitly deny specific services. The company needs a solution that restricts any users in the organization from using the explicitly denied services.

Additionally, the solution must enforce all Amazon S3 buckets across the organization to have a minimum TLS version of 1.2. The company requires a central solution that applies to all existing accounts and any new accounts that the company creates in the future.

Which solution will meet these requirements?

Options:

A.  

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

B.  

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach the SCP to the root OU. Attach the RCP to each account within the organization.

C.  

Create an SCP deny statement to disallow s3:* where the TLS version is less than 1.2. Create an RCP that denies a list of services that are restricted in the organization. Attach both policies to the root OU.

D.  

Create an SCP that denies a list of services that are restricted in the organization. Create a declarative policy to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

Discussion 0
Title
Questions
Posted

SCS-C03
PDF

$36.75  $104.99

SCS-C03 Testing Engine

$43.75  $124.99

SCS-C03 PDF + Testing Engine

$57.75  $164.99