Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

SCS-C03 Exam Dumps : AWS Certified Security – Specialty

PDF
SCS-C03 pdf
 Real Exam Questions and Answer
 Last Update: Jul 10, 2026
 Question and Answers: 231 With Explanation
 Compatible with all Devices
 Printable Format
 100% Pass Guaranteed
$25.5  $84.99
SCS-C03 exam
PDF + Testing Engine
SCS-C03 PDF + engine
 Both PDF & Practice Software
 Last Update: Jul 10, 2026
 Question and Answers: 231
 Discount Offer
 Download Free Demo
 24/7 Customer Support
$40.5  $134.99
Testing Engine
SCS-C03 Engine
 Desktop Based Application
 Last Update: Jul 10, 2026
 Question and Answers: 231
 Create Multiple Test Sets
 Questions Regularly Updated
  90 Days Free Updates
  Windows and Mac Compatible
$30  $99.99

Verified By IT Certified Experts

CertsTopics.com Certified Safe Files

Up-To-Date Exam Study Material

99.5% High Success Pass Rate

100% Accurate Answers

Instant Downloads

Exam Questions And Answers PDF

Try Demo Before You Buy

Certification Exams with Helpful Questions And Answers

AWS Certified Security – Specialty Questions and Answers

Question 1

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{

" Version " : " 2012-10-17 " ,

" Id " : " key-policy-ebs " ,

" Statement " : [

{

" Sid " : " Enable IAM User Permissions " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:root "

},

" Action " : " kms:* " ,

" Resource " : " * "

},

{

" Sid " : " Allow use of the key " ,

" Effect " : " Allow " ,

" Principal " : {

" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "

},

" Action " : [

" kms:Encrypt " ,

" kms:Decrypt " ,

" kms:ReEncrypt* " ,

" kms:GenerateDataKey* " ,

" kms:DescribeKey " ,

" kms:CreateGrant " ,

" kms:ListGrants " ,

" kms:RevokeGrant "

],

" Resource " : " * " ,

" Condition " : {

" StringEquals " : {

" kms:ViaService " : " ec2.us-west-2.amazonaws.com "

}

}

}

]

}

The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

Options:

A.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change StringEquals to StringLike.

B.

In the policy document, remove the statement block that contains the Sid " Enable IAM User Permissions " . Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid " Allow use of the key " , under theConditionblock, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.

In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer ' s IAM role.

Buy Now
Question 2

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question 3

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

Options:

A.

Configure CloudFront standard logging and CloudWatch Logs metric filters.

B.

Configure VPC Flow Logs and CloudWatch Logs metric filters.

C.

Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D.

Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.