AWS Certified Security - Specialty · Difficulty

Medium SCS-C03 practice questions

Applied — put a concept to work in a realistic situation. 114 medium questions available — no sign-up, always free.

Question 1 of 25

A company runs an internal microservices platform on EC2 behind an internal Application Load Balancer. Security requires all service-to-service traffic to use TLS with certificates that automatically renew, are trusted only within the corporate network, and never need to be publicly resolvable or validated through DNS/email challenges. The solution must minimize operational overhead for certificate issuance and rotation. What should the security engineer implement?

Reviewed for accuracy · Report an issue
Question 2 of 25

A company operates 45 AWS accounts managed under AWS Organizations. The security team wants a centralized way to view and prioritize GuardDuty threat findings, Inspector vulnerability findings, and misconfiguration findings from managed compliance standards across all accounts in one console. They also want new accounts to be automatically enrolled without manual configuration. Which approach best meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 3 of 25

A security engineer is performing root cause analysis for an incident that spanned three AWS accounts and two Regions. CloudTrail logs are delivered to a central S3 bucket in a dedicated log-archive account, partitioned by account, Region, and date. The engineer needs to run ad hoc SQL queries across all accounts and Regions to reconstruct the attacker's API activity timeline, while keeping query costs low and avoiding data movement. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A healthcare company must ensure that its RDS, EFS, and DynamoDB backups cannot be deleted or shortened in retention by anyone—including the AWS account root user and administrators—for a regulatory retention period of 7 years. The security team also wants backups copied to a separate, dedicated backup account to protect against a compromised production account. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 25

A media company serves static video assets from an S3 bucket through a CloudFront distribution. The security team discovers that users can bypass CloudFront and download objects directly using the S3 bucket's website endpoint URLs, avoiding WAF rules and geo-restrictions applied at the edge. The team wants to ensure all access to the S3 objects is only possible through CloudFront, using the most current AWS-recommended mechanism. What should they implement?

Reviewed for accuracy · Report an issue
Question 6 of 25

A security team operates a public web application served through Amazon CloudFront with an Application Load Balancer origin. A recent penetration test flagged that the application does not enforce HTTP Strict Transport Security (HSTS) and is missing X-Content-Type-Options and X-Frame-Options headers on responses. The development team is busy and cannot modify the application code for several sprints. The team needs a way to consistently add these security headers to all responses at the edge with minimal operational effort. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 25

A financial services company builds internal Lambda functions and shared libraries used across dozens of AWS accounts. Recent industry incidents involving compromised open-source dependencies have prompted the security team to reduce software supply chain risk. They want to (1) ensure developers pull third-party packages only from an approved, versioned internal repository that proxies public registries, and (2) guarantee that only Lambda code artifacts signed by the organization's build pipeline can be deployed to production functions. Which combination of AWS services best meets these requirements?

Reviewed for accuracy · Report an issue
Question 8 of 25

A security engineer manages an organization with 60 accounts spread across 3 AWS Regions. Each account already has AWS Config enabled recording resources, and a standardized set of Config rules is deployed to every account. The engineer's CISO wants a single, centralized, read-only view of the compliance status of all Config rules across every account and Region, without having to log into each account individually. The solution must require minimal ongoing maintenance as new accounts join the organization. What should the engineer implement?

Reviewed for accuracy · Report an issue
Question 9 of 25

A security team manages compliance across a 200-account AWS Organization using a delegated administrator account for AWS Config. They deploy an organization conformance pack that includes a managed rule with automatic remediation to disable public S3 access. One member account hosts a legitimately public static website bucket that must remain accessible and should not be evaluated by this rule at all. The team wants to keep the conformance pack deployed org-wide with remediation active everywhere else, while ensuring the website account is not affected. What is the most operationally efficient way to achieve this?

Reviewed for accuracy · Report an issue
Question 10 of 25

A financial services company must produce audit-ready evidence for a SOC 2 examination across 40 AWS accounts in an organization. The security team already uses AWS Config with organization conformance packs to continuously evaluate resource compliance. Auditors now require a consolidated package that maps collected evidence to specific SOC 2 control requirements, automatically gathers supporting data (Config rule results, CloudTrail activity, and resource configurations), and can be exported as an assessment report for the examiners. Which approach best meets this requirement with the least custom development?

Reviewed for accuracy · Report an issue
Question 11 of 25

A financial services company must produce quarterly evidence packages mapped to the PCI DSS control framework for external auditors. The security team already uses AWS Config rules across all accounts in an AWS Organizations setup. Auditors require a repeatable, framework-organized collection of evidence (configuration snapshots, compliance check results, and CloudTrail activity) that maps individual controls to the underlying AWS resource data, with the ability to delegate manual attestation for controls that AWS services cannot automatically assess. Which approach best meets these requirements with the least custom development?

Reviewed for accuracy · Report an issue
Question 12 of 25

A financial services company runs a large AWS Organization with 200+ accounts managed via AWS Control Tower. The security team has discovered that development teams occasionally launch EC2 instances from unvetted, publicly shared Amazon Machine Images (AMIs), introducing software supply chain risk. Leadership requires a solution that PREVENTS the launch of any instance from an AMI unless the AMI is owned by a designated internal 'golden image' account. The control must be enforced organization-wide and cannot be bypassed by account administrators, including those with full EC2 permissions. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 25

A security governance team must continuously evaluate all member accounts in an AWS Organization against a well-defined internal baseline of 40 specific resource configuration rules (e.g., required EBS encryption, mandatory tags, prohibited public RDS instances). They want the entire ruleset deployed and version-controlled as a single, reusable YAML artifact that includes automatic remediation actions, and they want the same package applied uniformly across all accounts via the delegated administrator. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 25

A security engineer must continuously evaluate whether all Amazon EC2 instances across the organization carry a mandatory 'CostCenter' tag AND that the tag value matches one of a dynamic list of approved cost centers maintained in an external DynamoDB table. AWS Config is already enabled org-wide via a delegated administrator account. Which approach meets these requirements with the least ongoing operational overhead while remaining evaluable by AWS Config?

Reviewed for accuracy · Report an issue
Question 15 of 25

A financial services company uses AWS Control Tower to govern 120 accounts across multiple OUs. The security team wants every NEW account created through Account Factory to automatically have a standardized set of baseline resources deployed — a hardened VPC configuration, a centralized logging IAM role, and an AWS Config custom rule — as part of the account provisioning process, without requiring manual steps after account creation. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 25

A financial services company uses AWS Control Tower to manage a multi-account environment. The security team must ensure that every newly vaccounted through Account Factory automatically has a standardized security baseline applied, including a mandatory detective control that flags any S3 bucket configured with public read access. This control must be reported centrally without preventing the provisioning of the account. The team wants to use Control Tower's native capability rather than building custom automation. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 25

A financial services company currently manages 12 AWS accounts under AWS Organizations, created manually over the past two years. Each account was set up inconsistently — some lack baseline CloudTrail configuration, centralized logging, or standardized IAM roles. The security team must scale to over 100 accounts in the next year and needs every new account to be provisioned with a consistent, pre-approved security baseline (centralized logging to a dedicated log archive account, mandatory guardrails, and a standard network configuration) with minimal manual effort. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company uses AWS Control Tower to govern 40 member accounts across multiple OUs. The security team has a compliance requirement: developers must never be able to disable AWS CloudTrail logging in any account, and any account that has an S3 bucket without server-side encryption must be flagged for review (but not blocked). The team wants to implement both requirements using Control Tower guardrails with the least operational overhead. Which combination of guardrails should they apply?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company uses AWS Control Tower to manage a multi-account landing zone across 40 accounts. During a routine audit, the security team discovers that an administrator in a workload account manually modified a CloudTrail trail that Control Tower had configured, disabling log file validation. The security team wants a supported, automated way to detect that the account has diverged from the Control Tower baseline and to bring it back into compliance. Which approach should they use?

Reviewed for accuracy · Report an issue
Question 20 of 25

A financial services company manages 120 accounts through AWS Control Tower with all accounts in a well-structured OU hierarchy. The security team wants to guarantee that no member account can ever disable AWS CloudTrail logging, and they need this protection to be impossible to bypass — even by a user who has full administrative IAM permissions in a member account. Which approach meets this requirement with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 21 of 25

A financial services company runs AWS Control Tower with a multi-account landing zone. The central security team wants to run advanced, custom Security Hub and GuardDuty administration across all member accounts, but the company's compliance policy forbids using the Organizations management account for any day-to-day operational security work. The team needs to grant a dedicated Audit account the ability to centrally manage these security services organization-wide. What is the recommended approach to meet this requirement while following AWS best practices?

Reviewed for accuracy · Report an issue
Question 22 of 25

A security engineer at a company with 40 AWS accounts under AWS Organizations wants to reduce the time analysts spend correlating logs during investigations. Analysts currently pull VPC Flow Logs, CloudTrail events, and GuardDuty findings manually from each account to understand the scope of suspicious activity. The engineer needs a service that automatically ingests these data sources across all member accounts and presents an interactive visualization showing relationships between entities such as IAM roles, IP addresses, and EC2 instances over time. Which approach meets this requirement with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 23 of 25

A security analyst receives a GuardDuty finding indicating that an EC2 instance in the production account is communicating with a known cryptocurrency-mining IP address. Before deciding whether to isolate the instance, the analyst needs to understand whether this behavior is new, which IAM entities and API calls were involved, and how the affected resource's activity has changed over the past several weeks. Which AWS service is purpose-built to help the analyst perform this root-cause investigation with the least setup effort?

Reviewed for accuracy · Report an issue
Question 24 of 25

A security analyst uses Amazon Detective in a delegated administrator account to investigate a GuardDuty finding indicating that an EC2 instance made connections to a known cryptocurrency mining domain. The analyst needs to quickly understand whether the same behavior appeared across other resources, identify the earliest occurrence of the activity, and gather evidence to support an incident report — without manually correlating data from CloudTrail and VPC Flow Logs. Which Detective capability best supports this need?

Reviewed for accuracy · Report an issue
Question 25 of 25

A financial services company stores sensitive transaction records in an Amazon DynamoDB table. Compliance requires that the company be able to prove exactly when the encryption key was used, control key rotation on its own schedule, and be able to immediately deny all access to the data by disabling the key without deleting the table. The team currently uses the default AWS owned key for the table. Which change should the security engineer make to meet all of these requirements?

Reviewed for accuracy · Report an issue