Free AWS Certified Security - Specialty (SCS-C03) Practice Questions
Test your knowledge with 20 free exam-style questions
SCS-C03 Exam Facts
Questions
65
Passing
720/1000
Duration
130 min
A security architect needs to understand how GuardDuty generates severity scores for findings. What factors influence the severity level assigned to a GuardDuty finding?
Frequently Asked Questions
These 20 sample questions let you experience the exact format, difficulty, and question styles you'll encounter on exam day. Use them to identify knowledge gaps and decide if our full practice exam package is right for your preparation strategy.
Our questions mirror the actual exam format, difficulty level, and topic distribution. Each question includes detailed explanations to help you understand the concepts.
The full package includes 7 complete practice exams with 455+ unique questions, detailed explanations, progress tracking, and lifetime access.
Yes! Our SCS-C03 practice questions are regularly updated to reflect the latest exam objectives and question formats. All questions align with the current 2026 exam blueprint.
Sample SCS-C03 Practice Questions
Browse all 20 free AWS Certified Security - Specialty practice questions below.
A security architect needs to understand how GuardDuty generates severity scores for findings. What factors influence the severity level assigned to a GuardDuty finding?
- The time of day the activity occurred - activity outside business hours is considered more severe.
- The type of activity detected - certain finding types are inherently more severe than others.
- The confidence level of the detection - higher confidence in malicious activity increases severity.
- The cost of the affected AWS resources - more expensive resources generate higher severity findings.
- The potential impact of the detected activity on the affected resources and data.
A company needs to implement a break-glass procedure that allows emergency access to production accounts when the normal access mechanisms are unavailable. The access should be logged and require multiple approvals. What solution should they implement?
- Store AWS root user credentials in Secrets Manager with an automatic rotation policy, restrict retrieval to a dedicated emergency IAM role, and retrieve the credentials during declared incidents.
- Configure IAM Identity Center with a dedicated break-glass permission set scoped to emergency operations, and require multi-party approval through an access request workflow before elevated sessions are granted.
- Create a dedicated break-glass IAM user in each account with MFA. Store the MFA device and credentials in a physical safe that requires multiple keyholders to open. Enable CloudTrail to log all activities.
- Use AWS Organizations SCPs to define an emergency-access policy that the security team attaches to the affected accounts through a central console when an incident is declared and detaches once service is restored.
A security team is investigating unusual CloudTrail events showing API calls from an assumed role. The calls originated from an IP address outside the company's known ranges. What investigation steps should they take to determine if this is a security incident?
- Check GuardDuty for findings related to the suspicious activity, as GuardDuty may have already flagged this as a potential threat.
- Review the sourceIPAddress field in CloudTrail events to identify all API calls from the suspicious IP address and the roles/identities involved.
- Examine the userIdentity.sessionContext in CloudTrail events to identify the original principal that assumed the role and how the session was obtained.
- Use Amazon Detective to visualize the role's activity patterns and identify deviations from normal behavior.
- Immediately revoke the role's active sessions and detach its permissions policies before completing the investigation, stopping any ongoing unauthorized access as quickly as possible.
A company wants to correlate network events with CloudTrail events to investigate potential security incidents. They're considering Amazon Detective. What should they understand about Detective's correlation capabilities?
- Detective uses machine learning to establish behavioral baselines and highlight deviations that might indicate security issues.
- Detective builds entity profiles that show relationships between IAM principals, EC2 instances, IP addresses, and the resources they accessed.
- Detective can correlate events across different AWS accounts in the same behavior graph.
- Detective requires the CloudWatch Logs agent on EC2 instances to ingest operating system events into the behavior graph for correlation.
- Detective automatically correlates VPC Flow Logs with CloudTrail events, linking network connections to the API calls that initiated them.
A security engineer is writing AWS Verified Access policies using Cedar to control access to an internal HR application. They need to ensure that only users in the 'HR-Admins' group with devices that have a risk score below 'medium' can access the application. Additionally, all POST requests should be restricted to users with an 'Administrator' role. Which TWO statements about Cedar policies in Verified Access are correct? (Select TWO.)
- Cedar policies are written in JSON format and must be validated through AWS CloudFormation change sets before they can be deployed to Verified Access endpoints.
- Cedar policies access user identity claims and device posture data through the trust provider context, such as context.identity.groups and context.device.risk_score, to make access decisions.
- Cedar policies can reference HTTP request attributes like the request method (GET, POST) through context.http_request.http_method, which Verified Access includes by default in all policy evaluations.
- Cedar policies in Verified Access must define explicit principal, action, and resource values in the policy scope, similar to IAM policy structure with Effect, Action, and Resource elements.
- Cedar policies use an explicit deny model where if any 'forbid' policy matches a request, the request is denied regardless of any matching 'permit' policies, and if no policy matches, the request is implicitly denied.
A security team needs to ensure that GuardDuty is enabled in all accounts and regions across their organization. How can they verify and enforce this requirement?
- Create an SCP that prevents accounts from disabling GuardDuty once it's enabled.
- Turn on the GuardDuty self-healing feature so detectors automatically re-enable themselves if disabled in any account.
- Enable GuardDuty organization integration with auto-enable for new accounts, which automatically enables GuardDuty in all existing and new member accounts.
- Use AWS Config with the guardduty-enabled-centralized rule to monitor GuardDuty status across all accounts.
- Deploy GuardDuty detectors to every existing Region and account using CloudFormation StackSets with drift detection.
A company needs to ensure that their security tools are protected from being disabled by an attacker who gains administrative access to a member account. Which controls prevent an attacker from disabling security monitoring?
- Store security logs in a separate log archive account with cross-account write-only access.
- Create SCPs that deny actions to disable GuardDuty, Security Hub, Config, and CloudTrail in all member accounts.
- Attach IAM permission boundaries to administrator roles in member accounts that exclude security service modifications.
- Configure security services as organization-managed from a delegated administrator account, not individual accounts.
- Require MFA for every administrator user in member accounts using an IAM policy condition on all actions.
A financial services company is implementing a privileged access management (PAM) solution for their AWS environment. Administrators should only be able to assume high-privilege roles for a limited time after approval, and all sessions must be recorded. Which AWS services combination provides these capabilities?
- Use AWS IAM Identity Center with permission sets that have maximum session duration limits. Integrate with an external approval workflow before granting temporary access.
- Configure IAM role trust policies with conditions requiring MFA for high-privilege role assumption.
- Configure AWS Systems Manager Session Manager with CloudWatch Logs integration to record all terminal sessions. Enable KMS encryption for session logs.
- Use CloudTrail to log all AssumeRole API calls for high-privilege roles. Create EventBridge rules to alert when these roles are assumed.
- Implement AWS Config rules to detect when administrators assume high-privilege roles and automatically terminate sessions exceeding time limits.
A company uses AWS Secrets Manager to store database credentials and wants to ensure that secrets can only be created with automatic rotation enabled. How should they enforce this requirement?
- Enable the account-level Secrets Manager setting that makes rotation mandatory by default for every secret created in the account.
- Attach IAM permission boundaries to all principals requiring rotation parameters to be present in CreateSecret requests.
- Deploy an AWS Config managed rule that detects secrets without rotation and flags them as non-compliant for remediation.
- Create an SCP that denies secretsmanager:CreateSecret unless the request includes rotation configuration parameters.
A company is evaluating encryption options for sensitive data processing. They need to perform computations on encrypted data without ever decrypting it on the server side. Which approach enables this capability?
- Use client-side encryption with the AWS Encryption SDK and KMS-generated data keys so that plaintext data never exists on any AWS server at rest or in transit.
- Run open-source homomorphic encryption libraries on EC2 instances with the key material generated and managed in AWS CloudHSM.
- Use AWS Nitro Enclaves to create isolated compute environments where sensitive data is decrypted only within the enclave, never exposed to the parent instance.
- Use AWS Clean Rooms, which lets multiple parties run joint SQL analyses on combined datasets while privacy controls prevent any party from viewing another party's raw row-level data.
A security team is implementing AWS Network Firewall to inspect traffic between VPCs in a hub-and-spoke Transit Gateway architecture. They need to detect and block SQL injection attempts and known malicious IP addresses while maintaining detailed logs for forensic analysis. Which combination of Network Firewall features should they configure?
- Use stateless rule groups with rate-based limits that throttle sources exceeding normal query rates, blocking high-volume SQL injection attempts.
- Enable logging to S3 with flow logs and alert logs configured to capture all stateful rule matches and blocked traffic.
- Enable stateless rules that inspect TCP flags and packet headers using 5-tuple match criteria to identify SQL injection attempts at the network layer.
- Configure a stateful rule group using managed threat intelligence feeds to automatically block traffic from known malicious IP addresses.
- Configure stateful rules using Suricata-compatible IPS rules with signatures for SQL injection patterns in the payload.
A company is implementing AWS Network Firewall to inspect traffic flowing through their centralized egress VPC. Arrange the following steps in the correct order to deploy and configure the firewall.
A company needs to ensure that all data stored in Amazon S3 is encrypted at rest using keys managed by the company. The keys must be stored in a dedicated hardware security module (HSM) that the company controls. Which encryption option should be used?
- Server-side encryption with customer-provided keys (SSE-C), where keys are stored in AWS CloudHSM and provided with each S3 request.
- Client-side encryption with keys managed by AWS CloudHSM before uploading to S3.
- Server-side encryption with AWS KMS keys (SSE-KMS), where the KMS key is backed by an AWS CloudHSM custom key store.
- Server-side encryption with Amazon S3-managed keys (SSE-S3) with a customer-managed CMK policy.
Match each AWS security governance service with its primary function in an enterprise cloud environment.
A company is implementing bring-your-own-key (BYOK) for their AWS KMS encryption. They want to maintain control over key material while using KMS for key management operations. What are the limitations they must consider? (Select TWO)
- Imported key material does not support automatic key rotation; you must manually reimport new key material.
- The key material must be imported within 24 hours of creating the KMS key, or the key becomes unusable and must be recreated.
- Keys with imported material cannot be shared with other AWS accounts, because cross-account access requires AWS generated key material.
- Imported keys support only direct Encrypt and Decrypt operations; envelope encryption calls such as GenerateDataKey are not supported.
- Imported key material must be a 256-bit symmetric key; RSA and ECC asymmetric key material cannot be imported into KMS.
A security engineer needs to implement a solution that detects and alerts when IAM roles are used outside of their intended AWS services. For example, a role intended only for Lambda should alert if used by EC2 or from the AWS CLI. Which approach provides this detection capability?
- Create CloudWatch Logs metric filters on CloudTrail logs that alert when AssumeRole events show unexpected userAgent values for specific roles.
- Use IAM Access Analyzer with an unused access analyzer to continuously monitor role assumptions and generate findings when roles are assumed by unexpected principals or services.
- Enable Amazon GuardDuty across all accounts and rely on its anomaly detection, which baselines normal AssumeRole activity and flags roles assumed from unusual sources.
- Configure IAM role trust policies with aws:SourceArn condition keys to restrict which services can assume each role. This prevents rather than detects misuse.
A company is deploying Detective across their organization. They want to understand what data sources Detective uses for its analysis. What data does Detective analyze?
- S3 object contents for data classification and sensitive data detection.
- AWS CloudTrail management events, providing API activity across AWS services.
- Amazon CloudWatch Logs from applications running on EC2 instances.
- Amazon GuardDuty findings, which are correlated with other data sources for investigation.
- VPC Flow Logs, providing network traffic information between resources.
A company wants to use AWS WAF to block requests containing specific sensitive data patterns in request bodies, such as credit card numbers being submitted to unauthorized endpoints. What WAF feature enables this?
- Enable the Amazon Macie integration with AWS WAF so Macie's managed data identifiers for credit card numbers are evaluated against inbound request bodies.
- Create a custom WAF rule with a regex pattern set that matches credit card number formats and apply it to the request body component.
- Configure AWS WAF Bot Control in targeted inspection mode to detect and block automated credit card testing and carding attacks against the application.
- Enable the AWS Managed Rules Common Rule Set, which includes PCI DSS sensitive data detection for regulated fields submitted in requests.
A company needs to implement centralized certificate management for internal services running on EC2 instances. Certificates must be automatically rotated before expiration, and private keys must never leave the AWS environment. Certificate issuance should be automated through infrastructure as code. Which solution meets these requirements?
- Deploy HashiCorp Vault on EC2 to manage certificate issuance. Configure Vault's PKI secrets engine with automatic rotation, store the root CA keys in AWS CloudHSM, and distribute certificates to instances using the Vault agent.
- Create a private CA using AWS Certificate Manager Private CA. Use ACM to issue private certificates that can be exported to EC2 instances. Automate renewal through Systems Manager State Manager.
- Use AWS Certificate Manager (ACM) to request public certificates and associate them with the EC2 instances from the ACM console. ACM handles automatic renewal so certificates never expire unexpectedly.
- Generate certificates using OpenSSL in a Lambda function. Store certificates in Secrets Manager with automatic rotation. Deploy to EC2 instances using Systems Manager.
A compliance officer is comparing AWS Organizations policy types for a governance strategy. Select TWO correct statements about how declarative policies differ from SCPs and RCPs.
- Declarative policies are enforced at the service control plane level, ensuring baseline configurations are maintained even when services introduce new APIs.
- Declarative policies can govern service-linked roles, unlike SCPs and RCPs which cannot restrict them.
- Declarative policies support every AWS service in the organization, while SCPs and RCPs are limited to a smaller set of service integrations.
- Declarative policies produce the same non-customizable access denied error messages that SCPs and RCPs return to end users.
- Declarative policies must be detached and reattached whenever the underlying service adds new features or APIs so the baseline stays current.