AWS Certified Security - Specialty · Difficulty

Hard SCS-C03 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 43 hard questions available — no sign-up, always free.

Question 1 of 25

A retail company serves its web application through Amazon CloudFront with an Application Load Balancer (ALB) origin. AWS WAF is associated with the CloudFront distribution to filter malicious requests. During a security review, the team discovers that attackers are bypassing CloudFront by sending requests directly to the ALB's public DNS name, avoiding the WAF rules entirely. The ALB must remain internet-facing to support the CloudFront integration. Which combination of controls MOST effectively ensures that only CloudFront-originated traffic reaches the ALB?

Reviewed for accuracy · Report an issue
Question 2 of 25

During an incident investigation, a security engineer suspects that an attacker with administrative credentials may have altered or deleted CloudTrail logs to hide their activity. The organization needs to guarantee that going forward, historical CloudTrail log files can be proven unaltered and retained for forensic and legal purposes, even against an actor with account-level admin privileges. Which combination of controls BEST ensures the tamper-evidence and long-term integrity of the logs?

Reviewed for accuracy · Report an issue
Question 3 of 25

A financial services company runs a critical application on EC2 that writes structured application logs to Amazon CloudWatch Logs. The incident response team wants near-real-time detection: whenever a log entry contains the string "AuthorizationFailure" more than a threshold number of times within a short window, an automated containment workflow must be triggered within seconds. The solution must not rely on polling and must scale to high log volume without dropping events. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A security team must deploy a standardized set of AWS Config rules across all 120 accounts in their AWS Organization to enforce a PCI DSS baseline. Requirements: the deployment must automatically apply to newly created accounts, the security team (not the management account) must own and operate the deployment from a dedicated security account, and any account owner must be prevented from deleting the deployed rules. Which approach best meets ALL requirements?

Reviewed for accuracy · Report an issue
Question 5 of 25

A security engineer must enforce a baseline set of AWS Config rules across all 40 accounts in an AWS Organization. The requirements are: rules must be deployed and maintained centrally from the organization management (or delegated administrator) account, new accounts joining the organization must automatically receive the rules, and any non-compliant S3 buckets that allow public access must be automatically remediated without manual intervention. Which approach best meets ALL of these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 25

A security analyst is performing forensic acquisition on a compromised EC2 instance that is still running and suspected of active data exfiltration. Company policy requires that both volatile and non-volatile evidence be preserved while minimizing the risk of tipping off the attacker or corrupting evidence. Which sequence of actions BEST preserves forensic integrity?

Reviewed for accuracy · Report an issue
Question 7 of 25

A security team discovers that a containerized application running on Amazon ECS with the Fargate launch type has been compromised. The task is actively communicating with a known command-and-control server. The team must contain the specific task for later forensic analysis while minimizing disruption to other healthy tasks in the same service, and they need to preserve as much volatile evidence as possible. Which containment approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 8 of 25

During an active incident, a security engineer confirms that a single pod running in an Amazon EKS cluster has been compromised and is attempting lateral movement to other pods and out to the internet. The forensics team needs the pod preserved for investigation, but all network communication to and from the pod must be stopped immediately with minimal disruption to other workloads on the same node. Which action provides the fastest, most surgical containment while preserving the pod for analysis?

Reviewed for accuracy · Report an issue
Question 9 of 25

A security team wants automated containment when GuardDuty reports an UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding indicating that EC2 instance role credentials are being used from an external IP. The finding must trigger an automated action within seconds, but the team is concerned that a single Lambda invocation might fail silently and leave credentials active. They also want the response to be auditable and to avoid deleting the IAM role, since it is shared by an Auto Scaling group of healthy instances. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 25

A security team runs a multi-account AWS Organization. When GuardDuty produces a HIGH or CRITICAL finding for an EC2 instance, the team wants automation to determine the incident-response path: production instances (tagged Environment=prod) must trigger a human approval step before any containment action, while non-production instances should be automatically isolated. All findings flow to a central security account via an EventBridge rule. Which design best meets these requirements while minimizing custom code and operational overhead?

Reviewed for accuracy · Report an issue
Question 11 of 25

During an incident, an EC2 instance is confirmed compromised. Before terminating it, the IR team must ensure that any credentials issued through the instance's IAM role are rendered useless, while preserving the instance's EBS volumes and memory for forensic analysis. The instance runs a critical workload, so responders want to stop attacker use of the role credentials as quickly as possible without waiting for the temporary credentials to naturally expire. Which action most effectively invalidates already-issued temporary credentials from the instance role?

Reviewed for accuracy · Report an issue
Question 12 of 25

A company runs a KMS-encrypted S3 bucket in account A (111111111111). A data-processing application running on an EC2 instance in account B (222222222222) uses an IAM role to read objects. The security team confirms the S3 bucket policy in account A grants s3:GetObject to the account B role's ARN, and the KMS key policy in account A grants kms:Decrypt to the same role ARN. However, the application receives AccessDenied errors when downloading objects. The IAM role in account B currently has no attached identity-based policy for S3 or KMS. What must be changed to allow the download to succeed?

Reviewed for accuracy · Report an issue
Question 13 of 25

A company uses AWS IAM Identity Center (successor to AWS SSO) to manage workforce access across 40 accounts in an organization. The security team wants developers in the 'AppDev' group to receive identical read/write permissions to a specific set of DynamoDB tables in every account, but the exact table ARNs differ per account because they include the account ID. Administrators must be able to update the permission logic in one place and have it propagate to all assigned accounts automatically. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 25

A security engineer manages an S3 bucket that stores audit logs shared across an organization. The bucket resource-based policy must deny all access to the bucket EXCEPT for a specific cross-account IAM role (arn:aws:iam::222222222222:role/AuditReader) and the local account root. The engineer wants the deny to apply to every other principal, including future ones, without having to enumerate them. Which policy construct correctly implements this?

Reviewed for accuracy · Report an issue
Question 15 of 25

A security engineer is designing guardrails for a development team. Developers assume an IAM role that has an identity-based policy granting full access to Amazon S3 and Amazon DynamoDB. The role also has a permissions boundary attached that allows only S3 actions. The account is in an OU whose Service Control Policy (SCP) allows only DynamoDB actions (and denies nothing explicitly). A developer using this role attempts an s3:PutObject call and a dynamodb:PutItem call. What is the result?

Reviewed for accuracy · Report an issue
Question 16 of 25

A company has an S3 bucket in Account A (the resource owner). A role in Account B needs to read objects from this bucket. The security team configures the following: the bucket policy in Account A grants s3:GetObject to the Account B role's ARN; the role in Account B has an identity-based policy allowing s3:GetObject on the bucket; and Account B is in an AWS Organization with an SCP that denies all s3:* actions except s3:ListBucket. When the role in Account B attempts to download an object, the request is denied. What is the cause?

Reviewed for accuracy · Report an issue
Question 17 of 25

A security engineer configures an automation pipeline where an EC2 instance profile role (RoleA) assumes a cross-account role (RoleB) in a partner account to run a long batch job. RoleB has a maximum session duration set to 4 hours. However, when the pipeline calls sts:AssumeRole from RoleA to obtain RoleB credentials, the returned credentials always expire after 1 hour regardless of the DurationSeconds value requested. What is the cause of this behavior?

Reviewed for accuracy · Report an issue
Question 18 of 25

During an incident, a security analyst discovers that temporary credentials issued by an IAM role (used by a fleet of EC2 instances) were exfiltrated and are being used from an external IP to make API calls. The analyst has already identified the role. To immediately contain the threat and invalidate all currently active temporary sessions issued by this role — including those already handed out — while allowing legitimate instances to obtain new credentials after remediation, which action is MOST effective?

Reviewed for accuracy · Report an issue
Question 19 of 25

A security team detects that an EC2 instance in a production VPC has been compromised and is actively communicating with an external command-and-control server. The incident-response runbook requires that the instance be contained for forensic analysis without terminating it, and that all subsequent investigative steps be automated and repeatable across future incidents. Which sequence of actions BEST meets these containment and forensics requirements?

Reviewed for accuracy · Report an issue
Question 20 of 25

A security engineer manages a single AWS KMS customer managed key used by multiple project teams in the same account. Compliance requires that a principal be allowed to call kms:Decrypt only when the data key was originally encrypted for that principal's own project, without creating a separate KMS key per team. Each project's EC2 instances assume a role tagged with Project=<name>, and applications pass an encryption context of {"project":"<name>"} on every Encrypt call. Which approach enforces this requirement using one shared KMS key?

Reviewed for accuracy · Report an issue
Question 21 of 25

A security engineer is designing envelope encryption for an application that stores sensitive customer records in Amazon S3 using SSE-KMS with a customer managed key. Compliance requires that a decryption request only succeeds if it is tied to the same logical tenant that performed the encryption, so that a valid ciphertext for one tenant cannot be decrypted in the context of a different tenant. The engineer wants to enforce this cryptographically without creating a separate KMS key per tenant. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 22 of 25

A security engineer manages a KMS customer managed key used by multiple applications to encrypt sensitive financial records. Compliance requires that (1) the key can only be used over encrypted connections and (2) applications must supply a specific encryption context tag so decrypt operations can be scoped and audited. Which combination of key policy conditions enforces both requirements on Decrypt operations?

Reviewed for accuracy · Report an issue
Question 23 of 25

A security engineer creates a new customer managed KMS key using the AWS CLI and specifies a custom key policy. The policy grants a specific application role permission to encrypt and decrypt, but omits any statement referencing the account root principal or the IAM administrators. Shortly after, the administrators discover that no one can manage the key — including updating the key policy itself — and they cannot delete or schedule deletion of the key from the console. What is the root cause and the recommended way to prevent this situation in the future?

Reviewed for accuracy · Report an issue
Question 24 of 25

A financial services company stores encrypted backups in Amazon S3 in us-east-1 using SSE-KMS with a customer managed key. For disaster recovery, they replicate these backups to a bucket in eu-west-1 using S3 Cross-Region Replication. The DR requirement states that in a regional outage of us-east-1, the eu-west-1 team must be able to decrypt the replicated objects without any dependency on us-east-1 resources. Which KMS approach meets this requirement with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 25 of 25

During an active incident, a security engineer must preserve an EBS volume from a compromised EC2 instance for later forensic analysis in a dedicated forensics account. The forensics account uses a customer-managed KMS key to encrypt all evidence. The source volume is encrypted with a different customer-managed KMS key in the production account. The engineer creates a snapshot of the volume and attempts to share it directly with the forensics account, but the account cannot access it. What is the correct sequence to make the encrypted evidence usable in the forensics account while maintaining chain of custody?

Reviewed for accuracy · Report an issue