Amazon AWS Certified Security - Specialty SCS-C03 Exam
AWS Certified Security - Specialty SCS-C03 (Page 3)

Updated On: 7-Feb-2026

A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:



Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

  1. Remove the Condition element. Change the Principal element to the following:

  2. Change the Action element to the following:

  3. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".
  4. Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following:

Answer(s): C

Explanation:

The s3:GetObject permission applies to object ARNs, not the bucket ARN itself. Updating the Resource to arn:aws:s3:::DOC-EXAMPLE-BUCKET/* correctly scopes access to the objects so the Lambda function can read them.



HOTSPOT (Drag and Drop is not supported)

A company is building a web application that needs to authenticate external users across multiple microservices that the company hosts on Amazon Elastic Container Service (Amazon ECS). The solution must use temporary credentials and minimize the management overhead required to maintain user databases.

Select and order the correct steps from the following list to implement a secure authentication strategy that meets these requirements. Select each step one time or not at all.

Configure Amazon Cognito user pools for user authentication.

Set up an IAM role for each microservice. Grant each role appropriate permissions.

Implement an Amazon API Gateway HTTP API with AWS Lambda authorizers to validate tokens before forwarding requests to microservices.

Create an Amazon DynamoDB table to store user credentials for each microservice.

Create an Amazon Cognito application client to interact with the web application.

Set up AWS IAM Identity Center to give users access to the microservices.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:




After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI.

What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

  1. Change the value of aws:MultiFactorAuthPresent to true.
  2. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
  3. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
  4. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Answer(s): B

Explanation:

The policy explicitly denies EC2 API actions unless MFA is present, and MFA is not automatically included in standard long-term AWS CLI credentials. By obtaining temporary credentials through the STS get-session-token command with MFA parameters, the resulting session includes MFA context, allowing EC2 commands to succeed while still enforcing multi-factor authentication.



A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU.

Except for some desired global services, the AWS usage must occur only in the eu-west-1 Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU.

Which SCP will meet these requirements?





Answer(s): C

Explanation:

An SCP must use an explicit deny to enforce a restriction across accounts. Denying all actions except the listed global services when the requested Region is not eu-west-1 ensures that only eu-west-1 can be used, while still permitting the specified global services everywhere.
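The explicit-deny pattern described in this explanation, worked through as an added example (not from the exam page or any AWS library): a minimal evaluator for one SCP statement that uses NotAction plus a StringNotEquals condition on aws:RequestedRegion. The exempted global services (iam, organizations, sts) and the sample requests are assumptions chosen for illustration.

```python
"""Simplified evaluator for the region-restriction SCP pattern.

Constructed example: only the subset of policy semantics needed here is
implemented (explicit Deny, NotAction, StringNotEquals on aws:RequestedRegion).
The global-service list and the sample requests are assumptions.
"""
from fnmatch import fnmatchcase

# Deny every action except the assumed global services whenever the
# request targets a Region other than eu-west-1.
REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideEuWest1",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*"],  # assumed global services
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}},
        }
    ],
}


def _matches_any(patterns, action):
    """Case-insensitive IAM-style wildcard match, e.g. 'ec2:*' matches 'ec2:RunInstances'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, requested_region):
    """Return True if the SCP explicitly denies `action` for a request in `requested_region`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if "NotAction" in stmt:
            applies = not _matches_any(stmt["NotAction"], action)
        else:
            applies = _matches_any(stmt.get("Action", []), action)
        if not applies:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        # StringNotEquals holds when the requested Region differs from the one allowed.
        if allowed is None or requested_region != allowed:
            return True
    return False


if __name__ == "__main__":
    print(scp_denies(REGION_RESTRICTION_SCP, "ec2:RunInstances", "us-east-1"))  # True
    print(scp_denies(REGION_RESTRICTION_SCP, "ec2:RunInstances", "eu-west-1"))  # False
```

Because the statement is a Deny, it overrides any Allow granted inside a member account, which is why the deny form (rather than an allow-list) enforces the restriction across existing and new accounts in the OU.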



HOTSPOT (Drag and Drop is not supported)

A security engineer needs to implement AWS IAM Identity Center with an external identity provider (IdP).

Select and order the correct steps from the following list to meet this requirement. Select each step one time or not at all.

Configure the external IdP as the identity source in IAM Identity Center.

Create an IAM role that has a trust policy that specifies the IdP's API endpoint.

Enable automatic provisioning in IAM Identity Center settings.

Enable automatic provisioning in the external IdP.

Obtain the SAML metadata from IAM Identity Center.

Obtain the SAML metadata from the external IdP.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


