AWS SCS-C03 Free Dumps (Part 2, Q41-Q60) of V11.02 Are Online Today – Read and Verify the Amazon SCS-C03 Dumps

The Amazon SCS-C03 dumps (V11.02) from DumpsBase serve as a reliable study guide for the AWS Certified Security – Specialty exam, helping you succeed in 2026. Verify the quality by reading our SCS-C03 free dumps (Part 1, Q1-Q40) of V11.02—you’ll find real exam questions with verified answers and detailed explanations that ensure a thorough understanding of all key topics. The SCS-C03 exam dumps (V11.02) are regularly updated to reflect the latest syllabus changes and exam patterns, and include one year of free updates. Using these current materials will boost your confidence and provide a reliable pathway to passing the challenging AWS Certified Security – Specialty (SCS-C03) certification exam on your first attempt. Today, we will continue to share more AWS SCS-C03 free dumps to help you verify again.

AWS SCS-C03 free dumps (Part 2, Q41-Q60) of V11.02 are below to help you verify again:

1. A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work. The security engineer needs to recover an Amazon RDS database cluster to the last known good version. The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.

Which solution will meet this requirement?

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 P

Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 P

List all snapshots that have been taken of all the company's RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.

2. A company’s developers are using AWS Lambda function URLs to invoke functions directly. Thecompany must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.

Which solution will meet these requirements?

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IA

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NON

3. A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.

Which solution meets these requirements with the LEAST operational effort?

Designate a GuardDuty administrator account and enable protections.

Centralize CloudWatch logs and use Inspector.

Centralize CloudTrail logs and query with Athena.

Stream logs to Kinesis and process with Lambda.

4. A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Enable AWS Security Hub in the AWS account.

Enable Amazon GuardDuty in the AWS account.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

5. A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB.

Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

Use an IP set match rule statement.

Use a geographic match rule statement.

Use a rate-based rule statement.

Use a string match rule statement on the user agent.

6. A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status.

Which solution will meet these requirements?

Use AWS Audit Manager with a custom framework.

Enable AWS Config and use managed rules to monitor Aurora MySQL compliance.

Use AWS Security Hub configuration policies.

Use EventBridge and Lambda with custom metrics.

7. A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

Disable all existing users and groups within IAM Identity Center that were part of the federation with the original Id

Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.

Reconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP as the principal.

Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.

8. A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Grant least privilege access to the organization's management account.

Create a new IAM Identity Center directory in the organization's management account.

Set up a second AWS Region in the organization’s management account.

Create permission sets for use only in the organization's management account.

Create IAM users for use only in the organization's management account.

Create user assignments only in the organization's management account.

9. A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.

The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails. The error message reports insufficient IAM permissions.

What is the FIRST step that a security engineer should take to troubleshoot this issue?

Review the AWS CloudTrail logs in the account in the Production O

Search for any failed API calls from CloudFormation during the deployment attempt.

Remove all the SCPs that are attached to the Production O

Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing O

10. A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to authenticate all S3 API calls with AWS credentials.

Which solution will provide the application with AWS credentials?

Use Amazon Cognito identity pools and the GetId AP

Use Amazon Cognito identity pools and AssumeRoleWithWebIdentity.

Use Amazon Cognito user pools with ID tokens.

Use Amazon Cognito user pools with access tokens.

11. An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

12. A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.

A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

Which solution will meet this requirement with the LEAST effort?

Implement AWS IAM Access Analyzer policy generation on the role.

Implement AWS IAM Access Analyzer policy validation on the role.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

13. A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

Configure CloudFront standard logging and CloudWatch Logs metric filters.

Configure VPC Flow Logs and CloudWatch Logs metric filters.

Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SN

14. A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Track SSM Agent versions with AWS Config.

Configure Session Manager to deny external connections.

Store the script in Amazon S3 and grant read access.

Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.

15. A consultant agency needs to perform a security audit for a company's production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.

Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency's identity provider (IdP). Add MFA to a Cognito user pool.

Create an IAM role in the consultant agency's AWS account. Define a trust policy that requires MF

In the trust policy, specify the company's production account as the principal. Attach the trust policy to the role.

Create an IAM role in the company’s production account. Define a trust policy that requires MF

In the trust policy, specify the consultant agency's AWS account as the principal. Attach the trust policy to the role.

16. A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

17. A company is planning to migrate its applications to AWS in a single AWS Region. The company’s applications will use a combination of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, and Amazon S3 buckets. The company wants to complete the migration as quickly as possible. All the applications must meet the following requirements:

• Data must be encrypted at rest.

• Data must be encrypted in transit.

• Endpoints must be monitored for anomalous network traffic.

Which combination of steps should a security engineer take to meet these requirements with the LEAST effort? (Select THREE.)

Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

Enable Amazon GuardDuty in all AWS accounts.

Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from AC

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

18. A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3). A security engineer must prevent any modifications to the data in the S3 bucket.

Which solution will meet this requirement?

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

19. A security engineer discovers that a company's user passwords have no required minimum length.

The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Update the password length policy in the IAM configuration.

Update the password length policy in the Amazon Cognito configuration.

Update the password length policy in the on-premises Active Directory configuration.

Create an SCP in AWS Organizations to enforce minimum password length.

Create an IAM policy with a minimum password length condition.

20. A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.

Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

 Loading...