SCS-C03 Online Practice Questions


Latest SCS-C03 Exam Practice Questions

The practice questions for the SCS-C03 exam were last updated on 2025-12-21.


Question#1

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.
What could be the reason for the noncompliant status?

A. The IAM credential report was generated within the past 4 hours.
B. The security engineer does not have the GenerateCredentialReport permission.
C. The security engineer does not have the GetCredentialReport permission.
D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.

Explanation:
The correct answer is D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
According to the AWS documentation [1], the MaximumExecutionFrequency parameter specifies the maximum frequency with which AWS Config runs evaluations for a rule.
For AWS Config managed rules, this value can be one of the following:
One_Hour
Three_Hours
Six_Hours
Twelve_Hours
TwentyFour_Hours
If the rule is triggered by configuration changes, it will still run evaluations when AWS Config delivers the configuration snapshot. However, if the rule is triggered periodically, it will not run evaluations more often than the specified frequency.
In this case, the security engineer enabled four AWS Config managed rules that are triggered periodically. Therefore, these rules will only run evaluations every 24 hours, regardless of when the IAM credential report is generated. This means that the resources will display as noncompliant until the next evaluation cycle, which could take up to 24 hours after the IAM access keys are rotated.
The other options are incorrect because:
A. The IAM credential report can be generated at any time, but it will not affect the compliance status of the resources until the next evaluation cycle of the AWS Config rules.
B. The security engineer was able to invoke the IAM GenerateCredentialReport API operation, which means they have the GenerateCredentialReport permission. This permission is required to generate a credential report that lists all IAM users in an AWS account and their credential status [2].
C. The security engineer does not need the GetCredentialReport permission to enable or evaluate AWS Config rules. This permission is required to retrieve a credential report that was previously generated by using the GenerateCredentialReport operation [2].
References:
[1] AWS::Config::ConfigRule - AWS CloudFormation
[2] IAM: Generate and retrieve IAM credential reports

Question#2

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.
What should the security engineer do to resolve this error?

A. Replace the KSK with a zone-signing key (ZSK).
B. Deactivate and then activate the KSK.
C. Create a Delegation Signer (DS) record in the parent hosted zone.
D. Create a Delegation Signer (DS) record in the subdomain.

Explanation:
When implementing DNSSEC for a subdomain in Amazon Route 53 and encountering a broken trust chain error, creating a Delegation Signer (DS) record in the parent hosted zone is the correct approach. The DS record is essential for establishing the trust chain between the parent and child zones by linking the DNSSEC-signed subdomain to its parent domain. This step is crucial for DNS resolvers to validate the authenticity of DNS responses, thereby resolving the broken trust chain issue and ensuring the integrity and authenticity of the DNS data for the secured subdomain.
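To show what the DS record in option C actually carries, here is an added example (not part of this practice page, and not Route 53 code) that derives a DS record from a child zone's KSK DNSKEY as RFC 4034 describes: the key tag, the algorithm number, and a SHA-256 digest over the owner name plus the DNSKEY RDATA. Route 53 computes and displays this record for you in the hosted zone's DNSSEC signing view; the zone name and public-key bytes below are constructed placeholders, and algorithm 13 (ECDSAP256SHA256) is assumed.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA
    that lets a resolver pick the right DNSKEY when a zone publishes several."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Build the DS record the parent zone must publish for this child KSK.
    Digest type 2 = SHA-256 over (canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_matches_dnskey(ds_line: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """Trust-chain check: does the DS served by the parent match the child's KSK?
    Compares key tag, algorithm, digest type and digest (fields after 'IN DS')."""
    expected = ds_record(owner, flags, protocol, algorithm, pubkey).split()[3:]
    return ds_line.split()[3:] == expected

# Constructed example: a KSK (flags 257 = zone key + SEP bit), protocol 3,
# algorithm 13 (ECDSA P-256 / SHA-256, 64-byte public key). Placeholder zone
# and key bytes, not a real Route 53 hosted zone.
EXAMPLE_ZONE = "sub.example.com."
EXAMPLE_KSK = dict(flags=257, protocol=3, algorithm=13, pubkey=bytes([0xAB, 0xCD]) * 32)

if __name__ == "__main__":
    print(ds_record(EXAMPLE_ZONE, **EXAMPLE_KSK))
```

A broken trust chain is exactly the case where ds_matches_dnskey would return False: the parent serves no DS for the subdomain, or one whose key tag or digest does not correspond to the child's active KSK.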

Question#3

You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire.
What is the best way to achieve this?

A. Enable server-side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
B. Use the IAM Encryption CLI to encrypt the data first.
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable client encryption for the bucket.

Explanation:
Client-side encryption involves encrypting data on the client's side (before it is transferred across the network) and then sending the encrypted data to S3. This ensures that the data is encrypted before it's transmitted over the network to the S3 bucket. This is the method that ensures that data is encrypted "before sending it across the wire", as the question specifies.
Here is why the other options are not the best choices:
A. Server-side encryption (SSE) encrypts the data at rest once it reaches the S3 bucket. Although the data is encrypted during transmission, it's not encrypted by the client before sending it across the network.
B. IAM does not have an "Encryption CLI." AWS CLI can be used to interact with AWS services, including S3, and client-side encryption libraries can be used to encrypt data before uploading it using the AWS CLI, but IAM primarily manages access and permissions, not encryption tasks.
C. Using a Lambda function to encrypt the data before sending it to S3 could be a valid approach, but it is more complex than necessary compared with enabling client-side encryption directly. Lambda is generally used for automated data processing tasks, not as the primary means of encrypting data before transmission. It is a viable option but not the best or simplest one compared with client-side encryption.

Question#4

An AWS account includes two S3 buckets: bucket1 and bucket2.
bucket2 does not have a policy defined, but bucket1 has the following bucket policy:

(bucket policy not reproduced on this page)

In addition, the same account has an IAM user named "alice" with the following IAM policy:

(IAM policy not reproduced on this page)

Which buckets can user "alice" access?

A. bucket1 only
B. bucket2 only
C. Both bucket1 and bucket2
D. Neither bucket1 nor bucket2

Question#5

A company has retail stores. The company is designing a solution to store scanned copies of customer receipts on Amazon S3. Files will be between 100 KB and 5 MB in PDF format. Each retail store must have a unique encryption key. Each object must be encrypted with a unique key.
Which solution will meet these requirements?

A. Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Use the S3 Put operation to upload the objects to Amazon S3. Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key.
B. Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store. Use the KMS Encrypt operation to encrypt objects. Then upload the objects to Amazon S3.
C. Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store. Use the data key and client-side encryption to encrypt the objects. Then upload the objects to Amazon S3.
D. Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store. Use a customer managed key and the KMS Encrypt operation to encrypt the objects. Then upload the objects to Amazon S3.

Explanation:
To meet the requirements of storing scanned copies of customer receipts on Amazon S3, where files will be between 100 KB and 5 MB in PDF format, each retail store must have a unique encryption key, and each object must be encrypted with a unique key, the most appropriate solution is to create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Then use the S3 Put operation to upload the objects to Amazon S3, specifying server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key. With SSE-KMS, Amazon S3 requests a unique data key from AWS KMS for each object and encrypts that data key under the store's KMS key, so both the per-store and the per-object key requirements are met without the application managing keys itself.
