100% Free Amazon SCS-C03 Practice Test Questions

Question 1

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client's own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company's AWS resources. Which additional step will meet these requirements?

A : Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B : Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C : Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D : Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

Answer: B

Question 2

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS ShieldAdvanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against theaccount.Which solution will meet this requirement?

A : Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms thatrespond to Macie findings.

B : Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for anyresources that are vulnerable to DDoS attacks.

C : Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an activeDDoS event.

D : Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an activeDDoS event.

Answer: D

Question 3

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers. Which rule statement will meet these requirements?

A : Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.

B : Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.

C : Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.

D : Use a string match rule statement that includes details of the IoT device brand from the user agent.

Answer: D

Question 4

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?

A : The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B : The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C : The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D : The version of the Lambda function that was invoked was not current.

Answer: A

Question 5

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company's existing and future S3 buckets. Which solution will meet these requirements?

A : Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B : Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C : Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D : Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Answer: B

Free Practice Amazon SCS-C03 Exam Questions 2026