SCS-C03 Online Practice Questions


Latest SCS-C03 Exam Practice Questions

The practice questions for the SCS-C03 exam were last updated on 2026-02-24.


Question#1

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.
B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new customer managed key to eu-north-1. Create an alias for eu-north-1. Change the application code to point to the alias for eu-north-1.

Explanation:
AWS KMS keys are regional resources and cannot be used across Regions. According to AWS Certified Security - Specialty documentation, applications that are deployed in multiple Regions should use region-specific customer managed keys while referencing keys by alias instead of key ID.
By creating a new customer managed key in eu-north-1 and assigning it the same alias as the key in eu-west-1, the application code can continue to reference the alias without modification. Each Region resolves the alias to the correct local key, ensuring encryption continues to function correctly.
Option A is invalid because KMS keys are regional.
Option B requires application changes.
Option D introduces unsupported alias patterns.
AWS best practices recommend alias-based key references for multi-Region deployments.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS KMS Regional Keys and Aliases
AWS KMS Best Practices

Question#2

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.
Which solution would have the MOST scalability and LOWEST latency?

A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Explanation:
Network Load Balancers operate at Layer 4 and are optimized for extreme performance, ultra-low latency, and handling sudden traffic spikes. According to AWS Certified Security - Specialty documentation, using a TCP listener on an NLB allows TLS traffic to pass through directly to backend containers without termination, preserving true end-to-end encryption.
This approach eliminates the overhead of decrypting and re-encrypting traffic at the load balancer, reducing latency and maximizing throughput. NLBs scale automatically to handle volatile traffic patterns and millions of requests per second.
Application Load Balancers operate at Layer 7 and introduce additional latency due to TLS termination and HTTP processing. Route 53 multivalue routing does not provide load balancing at the transport layer and does not ensure encryption handling.
AWS recommends NLB TCP pass-through for high-performance, end-to-end encrypted container workloads.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Elastic Load Balancing Architecture
Network Load Balancer Performance Characteristics

Question#3

A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which solution will meet these requirements?

A. Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.
B. Use IAM policies to restrict access to the Encrypt and Decrypt API actions.
C. Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.
D. Use key policies to restrict access to the appropriate IAM groups.

Explanation:
AWS KMS supports additional authenticated data (AAD) through the use of encryption context. According to the AWS Certified Security - Specialty documentation, encryption context is a set of key-value pairs that is cryptographically bound to the ciphertext. Any attempt to decrypt the data must include the same encryption context, or decryption will fail. This mechanism protects against ciphertext tampering and unauthorized reuse.
The kms:EncryptionContext condition key allows security engineers to enforce the use of specific encryption context values in IAM or key policies. By defining conditions that require particular encryption context attributes, access to encrypted data can be tightly controlled and bound to specific applications, environments, or workflows.
Option A does not provide integrity protection.
Option B controls access but does not enforce the use of AAD.
Option D restricts administrative access but does not address encryption context enforcement.
AWS documentation explicitly states that encryption context combined with policy conditions is the recommended method to implement authenticated encryption and fine-grained access control with KMS.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS KMS Encryption Context
AWS KMS Policy Condition Keys
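The two mechanisms in this explanation, context binding as AAD and a policy condition on kms:EncryptionContext:<key>, as an added local simulation that is not KMS's algorithm or any AWS code: a toy HMAC-based authenticated encryption stands in for KMS and binds the canonicalised context to the ciphertext, so a different context or a modified ciphertext fails to decrypt, and `policy_allows` evaluates a StringEquals condition the way an IAM policy would. The key bytes, context values and helper names are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# KMS treats encryption context as an unordered set of key/value pairs, so the
# context is canonicalised (sorted, compact JSON) before it is bound as AAD.
def canonical_context(context: dict) -> bytes:
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def _subkey(key: bytes, label: bytes) -> bytes:
    # Hypothetical toy derivation: separate keys for the keystream and the tag.
    return hashlib.sha256(label + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, context: dict) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    # The tag covers nonce, canonical context (the AAD) and ciphertext together.
    tag = hmac.new(_subkey(key, b"mac"), nonce + canonical_context(context) + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes, context: dict) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + canonical_context(context) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Same observable outcome as KMS's InvalidCiphertextException: wrong
        # context or tampered ciphertext, and no plaintext is released.
        raise ValueError("InvalidCiphertext: context mismatch or ciphertext tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def policy_allows(condition: dict, request_context: dict) -> bool:
    """Evaluate a StringEquals condition on kms:EncryptionContext:<key> keys
    against the encryption context supplied with the request."""
    prefix = "kms:EncryptionContext:"
    for cond_key, wanted in condition.get("StringEquals", {}).items():
        if cond_key.startswith(prefix) and request_context.get(cond_key[len(prefix):]) != wanted:
            return False
    return True
```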

Question#4

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.
A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.
Which solution will meet these requirements?

A. Use AWS WAF to implement a rate-based rule for all incoming requests.
B. Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.
C. Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.
D. Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Explanation:
AWS WAF rate-based rules are specifically designed to protect applications from traffic floods and distributed attacks that originate from large numbers of IP addresses. According to the AWS Certified Security - Specialty Official Study Guide, rate-based rules automatically track the number of requests coming from individual IP addresses and temporarily block IPs that exceed a defined threshold.
In this scenario, the malicious traffic originates from hundreds of IP addresses across two countries, mixed with legitimate user traffic. A rate-based rule allows the security engineer to limit excessive request rates without fully blocking access from entire geographic regions, ensuring that legitimate users can still access the application.
Option B is incorrect because geographic match rules block all traffic from selected countries, which would deny access to legitimate users and violate the stated requirement.
Option C is invalid because security groups do not support geographic filtering.
Option D is not scalable, as manually blocking hundreds of IP addresses is operationally inefficient and ineffective against rapidly changing attacker IPs.
AWS documentation emphasizes that rate-based rules are the recommended first-line mitigation for sudden traffic spikes and potential application-layer DDoS attacks when business continuity must be preserved.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS WAF Developer Guide - Rate-Based Rules
AWS DDoS Resiliency Best Practices
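The trade-off between options A and B above, as an added simulation over constructed request lines (not AWS WAF code): `rate_limited_ips` flags only the IPs whose requests in a sliding window reach the threshold, while `geo_blocked_ips` denies every IP from the listed countries, including the low-rate legitimate user. The IPs, countries, timestamps and threshold are made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic, not real logs: "<ISO timestamp> <client ip>".
# Three noisy IPs and one legitimate low-rate user; two share country "XX".
IP_COUNTRY = {"198.51.100.7": "XX", "198.51.100.8": "XX",
              "203.0.113.9": "YY", "198.51.100.50": "XX"}

def constructed_log_lines():
    lines, start = [], datetime(2026, 2, 24, 12, 0, 0)
    for i in range(120):  # 120 requests per noisy IP within two minutes
        for ip in ("198.51.100.7", "198.51.100.8", "203.0.113.9"):
            lines.append(f"{(start + timedelta(seconds=i)).isoformat()} {ip}")
    for sec in (30, 90):  # the legitimate user sends only two requests
        lines.append(f"{(start + timedelta(seconds=sec)).isoformat()} 198.51.100.50")
    return sorted(lines)

def rate_limited_ips(lines, limit, window=timedelta(minutes=5)):
    """Simulate a rate-based rule: flag an IP once its requests inside a
    sliding window reach `limit`; legitimate low-rate clients are untouched."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        ts_text, ip = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return flagged

def geo_blocked_ips(lines, countries):
    """Simulate a geographic match rule: block every IP from the listed
    countries regardless of how many requests it made."""
    return {line.split()[1] for line in lines
            if IP_COUNTRY.get(line.split()[1]) in countries}

def legitimate_collateral(lines, limit, countries):
    """IPs a geo block would deny that the rate-based rule leaves alone."""
    return geo_blocked_ips(lines, countries) - rate_limited_ips(lines, limit)
```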

Question#5

A company needs centralized log monitoring with automatic detection across hundreds of AWS accounts.
Which solution meets these requirements with the LEAST operational effort?

A. Designate a GuardDuty administrator account and enable protections.
B. Centralize CloudWatch logs and use Inspector.
C. Centralize CloudTrail logs and query with Athena.
D. Stream logs to Kinesis and process with Lambda.

Explanation:
Amazon GuardDuty provides fully managed threat detection across accounts when configured with delegated administration. EKS and RDS protections enable workload-aware detection with minimal setup.
Other solutions require custom pipelines and higher operational overhead.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon GuardDuty Multi-Account Architecture

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Amazon, Certified Security Specialty, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: SCS-C03 | Q&As: 121 | Updated: 2026-02-24
