Preparing effectively for the AWS Certified Security – Specialty SCS-C03 means going beyond basic study methods. This test provides a practical way to evaluate your readiness and improve your understanding. By practicing regularly and reviewing your performance, you can build the confidence needed to succeed on exam day.
Updated for 2026: This guide provides a structured approach to help you prepare effectively, understand key concepts, and practice real exam-level questions.
How to Use This Practice Test
- Start by reviewing key concepts before attempting questions
- Take the test in a timed environment
- Analyze your mistakes and revisit weak areas
Why This Practice Test Matters
This practice test is designed to simulate the real exam environment and help you identify knowledge gaps, improve accuracy, and build confidence.
| Exam Name | SCS-C03 Practice Exam – AWS Certified Security Specialty (2026 Updated) |
|---|---|
| Exam Provider | Amazon Web Services (AWS) |
| Certification Type | Specialty-Level Certification (Cloud Security, IAM, Encryption, Threat Detection & Incident Response) |
| Total Practice Questions | 120 Advanced MCQs (Scenario-Based + IAM + KMS + Network Security + Incident Response + Compliance) |
| Exam Domains Covered | • Identity & Access Management (IAM roles, policies, SCPs, federation) • Data Protection (encryption at rest & in transit, KMS, key policies) • Infrastructure Security (VPC, endpoints, WAF, Shield, Network Firewall) • Threat Detection & Monitoring (GuardDuty, CloudTrail, CloudWatch, Security Hub) • Incident Response (forensics, automation, remediation workflows) • Compliance & Governance (AWS Config, auditing, logging, policies) |
| Questions in Real Exam | • Total: ~65 Questions • Highly scenario-based with real-world security cases • Focus on architecture decisions, IAM policy evaluation, and incident response |
| Exam Duration | • Total Time: 180 Minutes • Complex multi-step scenarios requiring deep security expertise • Emphasis on practical, production-level AWS security design |
| Passing Score | • Scaled Score: 750 / 1000 • Requires strong knowledge of AWS security services and best practices • Focus on real-world threat detection and mitigation strategies |
| Question Format | • Multiple Choice & Multiple Response • Scenario-Based Security Architectures • IAM Policy Evaluation & Access Control Cases • Encryption & KMS Configuration Questions • Incident Response & Threat Detection Scenarios |
| Difficulty Level | Advanced to Expert (Specialty-Level + Real-World Security Scenarios) |
| Key Knowledge Areas | • IAM policy evaluation (allow vs deny, SCP interactions, conditions) • KMS key policies, grants, and cross-account encryption • S3 security (bucket policies, encryption enforcement, access control) • Network security (VPC endpoints, WAF, Shield, firewall rules) • Threat detection (GuardDuty findings, anomaly detection, logs analysis) • Logging & auditing (CloudTrail, Config, log integrity validation) • Incident response automation (EventBridge, Lambda workflows) • Compliance frameworks and governance strategies |
| Common Exam Traps | • Ignoring explicit deny overriding allow in IAM/SCP policies • Misconfiguring KMS key policies vs IAM permissions • Forgetting encryption requirements for cross-account access • Choosing incorrect service (CloudTrail vs Config vs GuardDuty) • Ignoring VPC endpoint restrictions leading to data exfiltration • Not enforcing TLS or encryption in transit • Missing incident response automation strategies • Overlooking least privilege and zero trust principles |
| Skills Developed | • Designing secure AWS architectures using defense-in-depth • Implementing IAM policies and access control strategies • Managing encryption keys and securing data at scale • Detecting and responding to security threats effectively • Automating incident response and remediation workflows • Ensuring compliance with security standards and best practices |
| Study Strategy | • Focus on IAM policy evaluation and permission boundaries • Practice KMS configurations and encryption scenarios • Learn GuardDuty, Security Hub, and threat detection workflows • Understand VPC security and network isolation strategies • Study real-world incident response scenarios • Take full-length timed mock exams and review explanations • Identify and avoid common exam traps |
| Best For | • Security engineers and cloud security specialists • AWS architects focusing on security design • DevSecOps engineers and compliance professionals • Professionals preparing for advanced AWS security certifications |
| Career Benefits | • Validates advanced AWS security expertise • Opens roles in cloud security, DevSecOps, and security architecture • Enhances skills in IAM, encryption, and threat detection • Increases earning potential in cybersecurity roles • Recognized as one of the most valuable AWS specialty certifications |
| Updated | 2026 Latest Version – Based on AWS SCS-C03 Exam Guide & Real Security Scenarios |
1.
A company wants least privilege access across accounts. What is BEST?
A. Full access
B. IAM roles with cross-account trust
C. Hardcoded credentials
D. S3
Answer: B
Rationale: Cross-account IAM roles enable secure delegation of permissions without sharing credentials. Combined with least-privilege policies, they minimize risk while enabling controlled access between AWS accounts.
2.
A company wants to encrypt S3 data at rest. What is BEST?
A. IAM
B. SSE-KMS
C. CloudWatch
D. Lambda
Answer: B
Rationale: SSE-KMS uses AWS Key Management Service to encrypt data at rest with centralized key control, auditability, and fine-grained access permissions, ensuring compliance and strong security.
3.
A company wants to detect malicious activity. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty uses machine learning and threat intelligence to detect suspicious behavior such as unauthorized access and anomalous API activity across AWS environments.
4.
A company wants centralized security findings. What is BEST?
A. CloudTrail
B. Security Hub
C. Config
D. Lambda
Answer: B
Rationale: Security Hub aggregates findings from multiple AWS security services, providing a centralized dashboard and compliance checks across accounts.
5.
A company wants to log API calls. What is BEST?
A. CloudWatch
B. CloudTrail
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail records all API activity, enabling auditing, troubleshooting, and compliance tracking.
6.
A company wants network protection from attacks. What is BEST?
A. IAM
B. AWS Shield
C. S3
D. EC2
Answer: B
Rationale: AWS Shield provides DDoS protection at network and application layers, safeguarding resources from attacks.
7.
A company wants firewall protection. What is BEST?
A. IAM
B. AWS WAF
C. S3
D. EC2
Answer: B
Rationale: AWS WAF protects web applications from common exploits like SQL injection and XSS.
8.
A company wants to manage encryption keys. What is BEST?
A. IAM
B. KMS
C. CloudWatch
D. Lambda
Answer: B
Rationale: KMS provides centralized key management, rotation, and auditing.
9.
A company wants secure secrets storage. What is BEST?
A. Hardcode
B. Secrets Manager
C. S3
D. EC2
Answer: B
Rationale: Secrets Manager securely stores and rotates credentials automatically.
10.
A company wants compliance monitoring. What is BEST?
A. CloudTrail
B. AWS Config
C. CloudWatch
D. Lambda
Answer: B
Rationale: AWS Config evaluates resource configurations against compliance rules and tracks changes over time.
11.
A company wants anomaly detection in logs. What is BEST?
A. CloudTrail
B. CloudWatch anomaly detection
C. Config
D. Lambda
Answer: B
Rationale: CloudWatch anomaly detection identifies unusual patterns in metrics and logs.
12.
A company wants secure VPC access to S3. What is BEST?
A. Public
B. VPC endpoint
C. EC2
D. Lambda
Answer: B
Rationale: VPC endpoints enable private access to S3 without internet exposure, improving security posture.
13.
A company wants identity federation. What is BEST?
A. IAM
B. Cognito or SAML federation
C. S3
D. EC2
Answer: B
Rationale: Federation allows external identities (e.g., corporate directory) to access AWS securely.
14.
A company wants MFA enforcement. What is BEST?
A. Ignore
B. IAM policies with MFA condition
C. EC2
D. S3
Answer: B
Rationale: MFA conditions ensure users authenticate with an additional factor, improving account security.
15.
A company wants to restrict S3 access by IP. What is BEST?
A. IAM
B. Bucket policy with IP condition
C. EC2
D. Lambda
Answer: B
Rationale: Bucket policies can enforce access restrictions based on source IP addresses.
16.
A company wants encryption in transit. What is BEST?
A. HTTP
B. HTTPS (TLS)
C. EC2
D. S3
Answer: B
Rationale: TLS ensures secure data transmission between clients and services.
17.
A company wants to audit resource changes. What is BEST?
A. CloudTrail
B. Config
C. CloudWatch
D. Lambda
Answer: B
Rationale: Config tracks configuration changes and compliance.
18.
A company wants least privilege IAM. What is BEST?
A. Full access
B. Fine-grained policies
C. S3
D. EC2
Answer: B
Rationale: Fine-grained policies grant only the permissions each principal actually needs, minimizing standing access.
19.
A company wants threat intelligence. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty uses threat intelligence feeds.
20.
A company wants key rotation. What is BEST?
A. Manual
B. KMS automatic rotation
C. EC2
D. S3
Answer: B
Rationale: KMS automatic key rotation replaces key material on a schedule without manual effort, improving security.
21.
A company wants centralized logging. What is BEST?
A. CloudWatch Logs
B. CloudTrail
C. Config
D. Lambda
Answer: A
Rationale: CloudWatch Logs centralizes log collection from many sources into one place for monitoring.
22.
A company wants DDoS protection. What is BEST?
A. IAM
B. Shield Advanced
C. S3
D. EC2
Answer: B
Rationale: Shield Advanced provides enhanced protection and response.
23.
A company wants web filtering. What is BEST?
A. IAM
B. WAF rules
C. S3
D. EC2
Answer: B
Rationale: WAF filters malicious traffic.
24.
A company wants automated remediation. What is BEST?
A. Manual
B. Config + Lambda
C. EC2
D. S3
Answer: B
Rationale: AWS Config detects non-compliant resources and triggers a Lambda function to remediate them, keeping resources compliant without manual intervention.
25.
A company wants secure API access. What is BEST?
A. Public
B. API Gateway authorizer
C. S3
D. EC2
Answer: B
Rationale: API Gateway authorizers authenticate and authorize each request before it reaches the backend, securing the API.
26.
A company wants encryption keys access control. What is BEST?
A. IAM
B. KMS key policies
C. CloudWatch
D. Lambda
Answer: B
Rationale: KMS key policies define which principals can use and manage a key, so they are the primary access control for encryption keys.
27.
A company wants incident response automation. What is BEST?
A. Manual
B. EventBridge + Lambda
C. EC2
D. S3
Answer: B
Rationale: Event-driven automation improves response time.
28.
A company wants log analysis. What is BEST?
A. CloudWatch Logs Insights
B. CloudTrail
C. Config
D. Lambda
Answer: A
Rationale: CloudWatch Logs Insights runs interactive queries across log data, making it the tool for log analysis.
29.
A company wants secure storage. What is BEST?
A. Public S3
B. Private S3 with encryption
C. EC2
D. Lambda
Answer: B
Rationale: A private bucket with encryption combines access control with protection of data at rest, securing stored data.
30.
A company wants full security posture. What is BEST?
A. Single service
B. Defense-in-depth approach
C. EC2
D. S3
Answer: B
Rationale: Defense-in-depth combines multiple layers of security controls, including IAM, encryption, monitoring, and network protection, ensuring comprehensive protection against a wide range of threats.
31.
An IAM policy allows access, but access is still denied. What is MOST likely?
A. IAM bug
B. Explicit deny in another policy
C. EC2 issue
D. S3 issue
Answer: B
Rationale: In AWS policy evaluation, explicit deny always overrides allow. Even if a policy grants access, any deny statement in SCPs, resource policies, or IAM policies will block the request.
32.
A company wants to prevent privilege escalation. What is BEST?
A. Full access
B. Restrict iam:PassRole
C. EC2
D. S3
Answer: B
Rationale: iam:PassRole can allow users to assign powerful roles to services. Restricting it prevents privilege escalation attacks and enforces least privilege principles.
33.
A KMS key is inaccessible across accounts. What is BEST fix?
A. IAM only
B. Update key policy for cross-account access
C. EC2
D. S3
Answer: B
Rationale: KMS key policies must explicitly allow cross-account principals. IAM permissions alone are insufficient without proper key policy configuration.
34.
A company wants to enforce encryption on all S3 uploads. What is BEST?
A. IAM
B. Bucket policy requiring SSE-KMS
C. EC2
D. Lambda
Answer: B
Rationale: Bucket policies can enforce encryption by denying uploads that do not include encryption headers, ensuring compliance automatically.
35.
An attacker uses stolen credentials. What is BEST detection method?
A. CloudWatch
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects anomalous API activity, unusual locations, and credential misuse using ML-based threat detection.
36.
A company wants secure cross-account S3 access. What is BEST?
A. Public access
B. Bucket policy + IAM role
C. EC2
D. Lambda
Answer: B
Rationale: Combining IAM roles with bucket policies ensures secure, controlled cross-account access.
37.
A company wants to rotate secrets automatically. What is BEST?
A. Manual
B. Secrets Manager rotation
C. EC2
D. S3
Answer: B
Rationale: Secrets Manager supports automated rotation using Lambda, reducing risk of credential exposure.
38.
A company wants to restrict API calls by region. What is BEST?
A. IAM
B. Condition aws:RequestedRegion
C. EC2
D. S3
Answer: B
Rationale: IAM condition keys allow restricting access based on region, improving compliance and reducing attack surface.
39.
A company wants to block public S3 access globally. What is BEST?
A. IAM
B. S3 Block Public Access
C. EC2
D. Lambda
Answer: B
Rationale: S3 Block Public Access enforces account-level restrictions preventing accidental exposure of data.
40.
A company wants to detect data exfiltration. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects unusual data access patterns such as large transfers or suspicious API calls.
41.
A company wants to enforce MFA for root user. What is BEST?
A. Ignore
B. Enable MFA on root account
C. EC2
D. S3
Answer: B
Rationale: Root account has full privileges and must be protected with MFA to prevent catastrophic compromise.
42.
A company wants centralized logging across accounts. What is BEST?
A. CloudTrail per account
B. Organization trail
C. Config
D. Lambda
Answer: B
Rationale: Organization trails centralize logs across accounts for auditing and compliance.
43.
A company wants to prevent data tampering. What is BEST?
A. IAM
B. S3 Object Lock
C. EC2
D. Lambda
Answer: B
Rationale: Object Lock provides WORM protection, preventing deletion or modification of objects.
44.
A company wants secure key deletion protection. What is BEST?
A. Immediate deletion
B. KMS deletion window
C. EC2
D. S3
Answer: B
Rationale: KMS enforces a waiting period before key deletion, preventing accidental or malicious loss.
45.
A company wants to monitor IAM changes. What is BEST?
A. CloudWatch
B. CloudTrail
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail logs IAM API activity for auditing.
46.
A company wants to detect unauthorized SSH attempts. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects brute-force attacks and suspicious login attempts.
47.
A company wants fine-grained S3 access control. What is BEST?
A. IAM
B. Bucket policies + IAM
C. EC2
D. Lambda
Answer: B
Rationale: Combining IAM and bucket policies provides granular access control.
48.
A company wants to encrypt EBS volumes. What is BEST?
A. IAM
B. Enable EBS encryption with KMS
C. EC2
D. S3
Answer: B
Rationale: EBS encryption protects data at rest using KMS.
49.
A company wants secure API authentication. What is BEST?
A. Public
B. IAM or Cognito authorizer
C. EC2
D. S3
Answer: B
Rationale: Authorizers enforce authentication and authorization for APIs.
50.
A company wants automated incident response. What is BEST?
A. Manual
B. EventBridge + Lambda
C. EC2
D. S3
Answer: B
Rationale: Event-driven automation enables rapid response to security events.
51.
A company wants encryption in transit enforcement. What is BEST?
A. HTTP
B. Require HTTPS via policy
C. EC2
D. S3
Answer: B
Rationale: Policies can deny requests that do not use HTTPS, enforcing encryption in transit.
52.
A company wants to prevent accidental deletion. What is BEST?
A. Ignore
B. Versioning + MFA delete
C. EC2
D. S3
Answer: B
Rationale: Versioning retains previous object versions, and MFA delete requires an additional factor to remove them, protecting data against accidental deletion.
53.
A company wants centralized threat detection. What is BEST?
A. CloudTrail
B. GuardDuty + Security Hub
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects threats and Security Hub centralizes the findings, so the combination provides comprehensive detection.
54.
A company wants least privilege across services. What is BEST?
A. Full access
B. Fine-grained IAM policies
C. EC2
D. S3
Answer: B
Rationale: Least privilege reduces attack surface.
55.
A company wants compliance reporting. What is BEST?
A. CloudTrail
B. AWS Config + Security Hub
C. CloudWatch
D. Lambda
Answer: B
Rationale: AWS Config evaluates resource compliance and Security Hub aggregates the results, together providing compliance insights for reporting.
56.
A company wants secure key usage auditing. What is BEST?
A. IAM
B. CloudTrail + KMS logs
C. EC2
D. S3
Answer: B
Rationale: CloudTrail records KMS API calls, providing an audit trail of how keys are used.
57.
A company wants to restrict access by VPC. What is BEST?
A. IAM
B. aws:SourceVpc condition
C. EC2
D. S3
Answer: B
Rationale: The aws:SourceVpc condition restricts access to requests originating from a specific VPC.
58.
A company wants incident investigation. What is BEST?
A. CloudWatch
B. CloudTrail + logs
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail and other logs provide the forensic evidence needed to reconstruct and investigate an incident.
59.
A company wants zero trust security model. What is BEST?
A. Public access
B. Strong identity + least privilege + monitoring
C. EC2
D. S3
Answer: B
Rationale: Zero trust requires strict identity verification, least privilege access, and continuous monitoring to minimize risks.
60.
A company wants full security architecture. What is BEST?
A. Single control
B. Defense-in-depth
C. EC2
D. S3
Answer: B
Rationale: Defense-in-depth applies multiple layers of security controls across identity, network, data, and monitoring to ensure comprehensive protection against evolving threats.
61.
An IAM user is allowed in a policy but denied by an SCP. What happens?
A. Allowed
B. Denied
C. Random
D. EC2
Answer: B
Rationale: Service Control Policies set permission boundaries at the org level. If an action is not allowed (or explicitly denied) by an SCP, it cannot be granted by IAM—SCPs effectively cap permissions.
62.
An application cannot decrypt data with KMS despite IAM allow. Why?
A. IAM bug
B. Missing key policy permission
C. EC2 issue
D. S3 issue
Answer: B
Rationale: KMS requires both IAM permissions and a key policy that allows the principal. Without the key policy permission, decryption fails even if IAM allows the action.
63.
A company wants to allow temporary elevated access. What is BEST?
A. Permanent admin
B. IAM role with STS + short duration
C. Hardcode credentials
D. S3
Answer: B
Rationale: STS provides temporary credentials with limited duration, reducing risk exposure and enabling just-in-time access for privileged operations.
64.
A company wants to prevent S3 data exfiltration outside VPC. What is BEST?
A. IAM
B. VPC endpoint + bucket policy
C. EC2
D. Lambda
Answer: B
Rationale: Combining VPC endpoints with bucket policies ensures S3 access occurs only through private network paths, preventing internet-based exfiltration.
65.
A developer accidentally deletes a KMS key. What is TRUE?
A. Immediate deletion
B. Scheduled deletion window applies
C. Cannot delete
D. EC2
Answer: B
Rationale: KMS enforces a mandatory waiting period (7–30 days) before permanent deletion, allowing recovery if deletion was accidental or malicious.
66.
A company wants to audit root account usage. What is BEST?
A. CloudWatch
B. CloudTrail + alerts
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail logs root activity, and alerts ensure immediate response to any root usage, which should be rare.
67.
A company wants to enforce TLS for S3. What is BEST?
A. HTTP
B. Bucket policy denying non-TLS
C. EC2
D. Lambda
Answer: B
Rationale: Bucket policies can deny requests that do not use secure transport (aws:SecureTransport), ensuring encryption in transit.
68.
A company wants to restrict IAM actions by tag. What is BEST?
A. IAM
B. Condition keys with tags
C. EC2
D. S3
Answer: B
Rationale: Tag-based access control enables fine-grained permissions tied to resource or user attributes.
69.
A company wants to detect credential compromise. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects anomalous credential usage such as unusual geolocation or API patterns.
70.
A company wants secure EC2 metadata access. What is BEST?
A. IMDSv1
B. IMDSv2
C. Public access
D. S3
Answer: B
Rationale: IMDSv2 requires session-based authentication, preventing SSRF attacks on instance metadata.
71.
A company wants to enforce encryption for EBS snapshots. What is BEST?
A. IAM
B. Enable encryption by default
C. EC2
D. S3
Answer: B
Rationale: Default encryption ensures all new volumes and snapshots are encrypted without manual configuration.
72.
A company wants to detect unusual API spikes. What is BEST?
A. CloudTrail
B. CloudWatch anomaly detection
C. Config
D. Lambda
Answer: B
Rationale: Anomaly detection identifies deviations from normal usage patterns, signaling potential attacks.
73.
A company wants centralized security alerts. What is BEST?
A. CloudTrail
B. Security Hub
C. Config
D. Lambda
Answer: B
Rationale: Security Hub aggregates and prioritizes findings across services.
74.
A company wants to enforce password policy. What is BEST?
A. Ignore
B. IAM password policy
C. EC2
D. S3
Answer: B
Rationale: Password policies enforce complexity, rotation, and reuse rules.
75.
A company wants cross-account KMS usage. What is BEST?
A. IAM only
B. Key policy + IAM
C. EC2
D. S3
Answer: B
Rationale: Both IAM and key policy must allow access for cross-account usage.
76.
A company wants to monitor network traffic anomalies. What is BEST?
A. CloudTrail
B. VPC Flow Logs + GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: Flow logs provide traffic data, and GuardDuty analyzes it for threats.
77.
A company wants secure Lambda execution. What is BEST?
A. Full access role
B. Least privilege IAM role
C. EC2
D. S3
Answer: B
Rationale: Restricting permissions minimizes attack surface.
78.
A company wants automated compliance checks. What is BEST?
A. Manual
B. AWS Config rules
C. EC2
D. S3
Answer: B
Rationale: Config rules continuously evaluate compliance.
79.
A company wants secure API throttling. What is BEST?
A. IAM
B. API Gateway throttling
C. EC2
D. S3
Answer: B
Rationale: Throttling prevents abuse and DDoS-like behavior.
80.
A company wants to prevent unauthorized AMI usage. What is BEST?
A. Public AMI
B. Restrict AMI sharing
C. EC2
D. S3
Answer: B
Rationale: Limiting AMI access prevents unauthorized deployments.
81.
A company wants to detect insider threats. What is BEST?
A. CloudTrail
B. GuardDuty + anomaly detection
C. Config
D. Lambda
Answer: B
Rationale: Behavioral analysis identifies suspicious insider activity.
82.
A company wants secure database credentials. What is BEST?
A. Hardcode
B. Secrets Manager
C. EC2
D. S3
Answer: B
Rationale: Secrets Manager stores database credentials securely and rotates them automatically.
83.
A company wants encryption key separation. What is BEST?
A. Single key
B. Separate keys per service
C. EC2
D. S3
Answer: B
Rationale: Separate keys per service limit the blast radius if any single key is compromised.
84.
A company wants secure container workloads. What is BEST?
A. Public
B. IAM roles for tasks
C. EC2
D. S3
Answer: B
Rationale: IAM roles for tasks provide temporary credentials to containers, avoiding hardcoded credentials.
85.
A company wants audit logging integrity. What is BEST?
A. CloudTrail
B. Log file validation
C. Config
D. Lambda
Answer: B
Rationale: Validation ensures logs are not tampered with.
86.
A company wants to restrict S3 by organization. What is BEST?
A. IAM
B. aws:PrincipalOrgID condition
C. EC2
D. Lambda
Answer: B
Rationale: The aws:PrincipalOrgID condition restricts access to principals from accounts within the organization.
87.
A company wants to isolate workloads. What is BEST?
A. Single account
B. Multi-account strategy
C. EC2
D. S3
Answer: B
Rationale: A multi-account strategy establishes strong security boundaries between workloads.
88.
A company wants automated patching. What is BEST?
A. Manual
B. Systems Manager Patch Manager
C. EC2
D. S3
Answer: B
Rationale: Patch Manager automates patching and reports patch compliance across instances.
89.
A company wants secure data sharing. What is BEST?
A. Public
B. Signed URLs
C. EC2
D. S3
Answer: B
Rationale: Signed URLs grant time-limited access to specific objects without making them public.
90.
A company wants full AWS security strategy. What is BEST?
A. Single layer
B. Defense-in-depth + zero trust
C. EC2
D. S3
Answer: B
Rationale: Combining layered security with zero trust ensures robust protection across identity, network, and data planes.
91.
An IAM role has permission, but access fails due to missing session context. What is BEST fix?
A. Add policy
B. Use correct STS assume-role conditions
C. EC2
D. S3
Answer: B
Rationale: STS conditions like external ID or session tags may be required. If not satisfied, access is denied even when IAM policies allow the action.
92.
A company wants to prevent privilege escalation via IAM policies. What is BEST?
A. Full access
B. Restrict iam:CreatePolicy and iam:AttachPolicy
C. EC2
D. S3
Answer: B
Rationale: Preventing creation or attachment of powerful policies blocks escalation paths where users grant themselves elevated privileges.
93.
A KMS-encrypted S3 object cannot be accessed across accounts. Why?
A. S3 issue
B. Missing KMS permissions for target account
C. EC2
D. Lambda
Answer: B
Rationale: Cross-account access requires both S3 bucket permissions and KMS key policy permissions. Missing either prevents access.
94.
A company wants to prevent data exfiltration via compromised EC2. What is BEST?
A. IAM
B. VPC endpoints + restrictive policies
C. EC2
D. Lambda
Answer: B
Rationale: Restricting traffic through private endpoints prevents unauthorized outbound data transfers over the internet.
95.
A company wants to detect brute-force login attempts. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects brute-force patterns using ML and threat intelligence.
96.
A company wants to ensure logs cannot be deleted. What is BEST?
A. IAM
B. S3 Object Lock
C. EC2
D. Lambda
Answer: B
Rationale: Object Lock ensures WORM protection, preventing deletion or modification of logs.
97.
A company wants to audit IAM role usage. What is BEST?
A. CloudWatch
B. CloudTrail
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail logs all role assumptions and API calls for auditing.
98.
A company wants to enforce encryption in all services. What is BEST?
A. Manual
B. SCP enforcing encryption
C. EC2
D. S3
Answer: B
Rationale: SCPs enforce organization-wide policies, ensuring encryption is mandatory across accounts.
99.
A company wants secure cross-account Lambda invocation. What is BEST?
A. Public
B. Resource-based policy
C. EC2
D. S3
Answer: B
Rationale: Lambda supports resource-based policies to allow cross-account invocation securely.
100.
A company wants to monitor unusual IAM activity. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty detects anomalous IAM behavior such as privilege escalation attempts.
101.
A company wants secure API authentication for external users. What is BEST?
A. IAM only
B. Cognito
C. EC2
D. S3
Answer: B
Rationale: Cognito provides authentication, identity federation, and user management for external applications.
102.
A company wants to restrict access to specific time windows. What is BEST?
A. IAM
B. Condition aws:CurrentTime
C. EC2
D. S3
Answer: B
Rationale: Time-based conditions restrict access during defined periods, reducing risk.
103.
A company wants to detect data exfiltration via DNS. What is BEST?
A. CloudTrail
B. GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: GuardDuty analyzes DNS logs for suspicious exfiltration patterns.
104.
A company wants secure RDS encryption. What is BEST?
A. IAM
B. Enable encryption with KMS
C. EC2
D. S3
Answer: B
Rationale: KMS encryption secures database storage and backups.
105.
A company wants to detect unauthorized changes to security groups. What is BEST?
A. CloudTrail
B. Config rules
C. CloudWatch
D. Lambda
Answer: B
Rationale: Config rules monitor changes and ensure compliance.
106.
A company wants to isolate sensitive workloads. What is BEST?
A. Single VPC
B. Separate accounts/VPCs
C. EC2
D. S3
Answer: B
Rationale: Isolation reduces blast radius and improves security boundaries.
107.
A company wants to ensure API requests are signed. What is BEST?
A. HTTP
B. SigV4 signing
C. EC2
D. S3
Answer: B
Rationale: Signature Version 4 ensures request authenticity and integrity.
108.
A company wants to monitor S3 access patterns. What is BEST?
A. CloudTrail
B. S3 access logs + CloudWatch
C. Config
D. Lambda
Answer: B
Rationale: Access logs provide detailed request data for analysis.
109.
A company wants automated threat remediation. What is BEST?
A. Manual
B. EventBridge + Lambda
C. EC2
D. S3
Answer: B
Rationale: Event-driven automation enables rapid response to threats.
110.
A company wants secure container secrets. What is BEST?
A. Hardcode
B. Secrets Manager
C. EC2
D. S3
Answer: B
Rationale: Secrets Manager stores container secrets securely and rotates them automatically.
111.
A company wants encryption key auditing. What is BEST?
A. IAM
B. CloudTrail logs
C. Config
D. Lambda
Answer: B
Rationale: CloudTrail logs KMS usage.
112.
A company wants to restrict access by IP range. What is BEST?
A. IAM
B. Condition aws:SourceIp
C. EC2
D. S3
Answer: B
Rationale: The aws:SourceIp condition restricts access to requests from the specified IP range.
113.
A company wants secure VPC traffic inspection. What is BEST?
A. IAM
B. Network Firewall
C. EC2
D. S3
Answer: B
Rationale: AWS Network Firewall provides deep packet inspection.
114.
A company wants centralized compliance. What is BEST?
A. CloudTrail
B. Security Hub
C. Config
D. Lambda
Answer: B
Rationale: Security Hub aggregates compliance findings across accounts and services into one view.
115.
A company wants to protect against SQL injection. What is BEST?
A. IAM
B. WAF rules
C. EC2
D. S3
Answer: B
Rationale: WAF filters malicious requests.
116.
A company wants secure key storage. What is BEST?
A. IAM
B. KMS
C. CloudWatch
D. Lambda
Answer: B
Rationale: KMS manages encryption keys securely.
117.
A company wants to detect unusual network flows. What is BEST?
A. CloudTrail
B. VPC Flow Logs + GuardDuty
C. Config
D. Lambda
Answer: B
Rationale: VPC Flow Logs capture network traffic metadata, and GuardDuty analyzes it to detect anomalous flows.
118.
A company wants secure file sharing. What is BEST?
A. Public
B. Pre-signed URLs
C. EC2
D. S3
Answer: B
Rationale: Pre-signed URLs grant temporary, secure access to files without exposing the bucket publicly.
119.
A company wants to enforce tagging compliance. What is BEST?
A. IAM
B. Config rules
C. EC2
D. S3
Answer: B
Rationale: Config rules evaluate whether resources carry the required tags and flag non-compliant ones.
120.
A company wants full security architecture. What is BEST?
A. Single control
B. Defense-in-depth + monitoring + automation
C. EC2
D. S3
Answer: B
Rationale: Combining layered security, monitoring, and automation ensures comprehensive protection against evolving threats.
Frequently Asked Questions
How accurate is this AWS Certified Security – Specialty SCS-C03 practice test compared to the real exam?
This practice test is designed to reflect real exam patterns, structure, and difficulty level to help you prepare effectively.
How should I prepare using this AWS Certified Security – Specialty SCS-C03 practice test?
Take the test in a timed setting, review your answers carefully, and focus on improving weak areas after each attempt.
Is it helpful to repeat this AWS Certified Security – Specialty SCS-C03 practice test?
Yes, repeating the test helps reinforce concepts, improve accuracy, and build confidence for the actual exam.
Is this AWS Certified Security – Specialty SCS-C03 test useful for first-time candidates?
This practice test is suitable for both beginners and retakers who want to improve their understanding and performance.