AWS SCS-C03 Sample Questions & Practice Test

Try 12 AWS SCS-C03 sample questions, review AWS security specialty scope across identity, detection, infrastructure protection, data protection, incident response, and governance, and request an IT Mastery practice update.

SCS-C03 is AWS Certified Security - Specialty. It validates deep AWS security knowledge across detection, incident response, infrastructure security, identity and access management, data protection, governance, and secure production operations.

Full app-backed IT Mastery practice for SCS-C03 is still being prioritized. Use this page to review the exam snapshot, topic coverage, and related live security and AWS practice options.

Who SCS-C03 is for

  • security engineers responsible for securing AWS workloads and applications
  • candidates with cloud-security experience who need deeper IAM, detection, incident response, encryption, logging, governance, and data protection coverage
  • teams that need AWS-specific security scenarios beyond baseline cybersecurity certification practice

SCS-C03 exam snapshot

  • Vendor: AWS
  • Official exam name: AWS Certified Security - Specialty (SCS-C03)
  • Exam code: SCS-C03
  • Items: 65 total, including 50 scored and 15 unscored
  • Question types: multiple-choice, multiple-response, ordering, and matching
  • Passing score: 750 scaled
  • Current IT Mastery status: Sample preview

SCS-C03 questions usually reward the option that protects AWS workloads with least privilege, reliable detection, secure data handling, clear incident response, and governance controls that fit the operating environment.

Topic coverage for SCS-C03

Domain weights:

  • Detection: 16%
  • Incident Response: 14%
  • Infrastructure Security: 18%
  • Identity and Access Management: 20%
  • Data Protection: 18%
  • Security Foundations and Governance: 14%

Sample Exam Questions

Try these 12 original sample questions for AWS SCS-C03. They are designed for self-assessment and are not official exam questions.

Question 1

What this tests: threat detection signal selection

A security team wants managed detection for suspicious API calls, unusual data access, and known malicious IP activity across AWS accounts. Which service is the best starting point?

  • A. Amazon EFS
  • B. AWS Budgets
  • C. AWS CodeBuild
  • D. Amazon GuardDuty

Best answer: D

Explanation: GuardDuty analyzes sources such as CloudTrail management events, VPC Flow Logs, DNS logs, and selected data events to identify suspicious activity. It is a managed threat-detection service. EFS, Budgets, and CodeBuild do not provide this detection function.


Question 2

What this tests: CloudTrail coverage

An auditor asks for a record of management API activity across all Regions in an AWS account. Which configuration is most appropriate?

  • A. Enable VPC Flow Logs only in the primary Region
  • B. Create a multi-Region CloudTrail trail and send logs to a protected S3 bucket
  • C. Rely on application logs from EC2 instances only
  • D. Enable S3 static website hosting for the audit bucket

Best answer: B

Explanation: CloudTrail records AWS API activity. A multi-Region trail helps capture management events across Regions, and a protected S3 bucket supports retention and review. VPC Flow Logs and application logs do not replace CloudTrail API audit evidence.


Question 3

What this tests: least privilege IAM

A Lambda function needs read access to one DynamoDB table. Which permission design is most secure?

  • A. Attach AdministratorAccess to the function role
  • B. Store an IAM user’s access key in the function environment
  • C. Attach an execution role policy allowing only the required read actions on the specific table
  • D. Give all functions in the account the same broad DynamoDB policy

Best answer: C

Explanation: Least privilege means granting only the actions and resources required for the workload. A scoped Lambda execution role is the correct pattern. Broad managed policies, shared broad permissions, and long-lived access keys increase blast radius.


Question 4

What this tests: service control policy purpose

An organization wants to prevent member accounts from disabling CloudTrail or leaving the organization, even if local administrators have broad account permissions. Which control is most relevant?

  • A. AWS Organizations service control policy
  • B. Security group outbound rules
  • C. S3 lifecycle expiration
  • D. Lambda reserved concurrency

Best answer: A

Explanation: Service control policies set permission guardrails across AWS Organizations accounts. They can deny high-risk actions even when account-level IAM would otherwise allow them. Security groups, lifecycle rules, and concurrency controls do not create organization-level permission boundaries.


Question 5

What this tests: KMS access control

An application role has an IAM policy allowing kms:Decrypt, but decrypt calls still fail for a customer managed KMS key. What should the security engineer check?

  • A. Whether the S3 bucket has versioning enabled
  • B. Whether the VPC route table has a NAT route
  • C. Whether CloudFront caching is disabled
  • D. Whether the KMS key policy allows the role or allows IAM policies to grant access

Best answer: D

Explanation: KMS authorization depends on the key policy and, when allowed by that policy, on IAM policies or grants. An IAM allow alone is not enough if the key policy neither permits the principal directly nor delegates access to IAM policies. S3 versioning, NAT routes, and CloudFront caching do not explain a KMS authorization failure.
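As an added illustration for Questions 4 and 5 (not part of the original page and not AWS's policy evaluator), the following Python models the two authorization rules in simplified form: an SCP Deny overrides an account-level IAM Allow, and a KMS key policy must either name the principal or trust the account root (the statement that lets IAM policies grant key access) before an IAM Allow counts. Condition keys, grants, permission boundaries and session policies are not modelled, and the account ID, ARNs and key ID are constructed placeholders.

```python
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers(stmt, action, resource, principal):
    """Does one statement apply to the request? Condition keys are not modelled."""
    p = stmt.get("Principal", "*")
    names = ["*"] if p == "*" else _as_list(p.get("AWS", []))
    return (any(fnmatch(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and (principal is None or principal in names or "*" in names))

def decide(policy, action, resource, principal=None):
    """One policy document -> 'deny' (explicit), 'allow', or 'implicit' (nothing matched)."""
    result = "implicit"
    for stmt in policy["Statement"]:
        if _covers(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result

def allowed_in_org(scp, identity_policy, action, resource="*"):
    """Q4: the SCP and the identity policy must both allow; an SCP Deny beats any IAM Allow."""
    return all(decide(p, action, resource) == "allow" for p in (scp, identity_policy))

def kms_decrypt_allowed(account, role_arn, key_policy, identity_policy, key_arn):
    """Q5: IAM alone never suffices; the key policy must name the role or trust the account root."""
    kp = decide(key_policy, "kms:Decrypt", key_arn, principal=role_arn)
    iam = decide(identity_policy, "kms:Decrypt", key_arn)
    if "deny" in (kp, iam):
        return False
    root = f"arn:aws:iam::{account}:root"  # trusting root is what lets IAM policies grant key access
    delegated = decide(key_policy, "kms:Decrypt", key_arn, principal=root) == "allow"
    return kp == "allow" or (delegated and iam == "allow")

# Constructed sample documents; the account ID, role names and key ID are placeholders.
ACCOUNT = "111122223333"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-role"
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DECRYPT_IAM = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}
GUARDRAIL_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}, {"Effect": "Deny",
    "Resource": "*", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                "organizations:LeaveOrganization"]}]}
ROOT_KEY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}  # the default "enable IAM policies" statement
ADMIN_ONLY_KEY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/kms-admin"}}]}  # no root statement, no app-role
```

Running `kms_decrypt_allowed(ACCOUNT, ROLE, ADMIN_ONLY_KEY_POLICY, DECRYPT_IAM, KEY)` reproduces the Question 5 failure even though the IAM policy allows kms:Decrypt; swapping in ROOT_KEY_POLICY makes the same IAM policy sufficient.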


Question 6

What this tests: S3 public access prevention

A company stores sensitive documents in S3 and wants account-level protection against accidental public bucket policies or ACLs. Which control should be enabled?

  • A. Transfer Acceleration
  • B. S3 Block Public Access
  • C. S3 static website hosting
  • D. Amazon CloudFront field-level encryption only

Best answer: B

Explanation: S3 Block Public Access can prevent public ACLs and policies at the account or bucket level. It is a key guardrail for sensitive data. Transfer Acceleration and website hosting do not prevent public exposure, and CloudFront field-level encryption does not secure S3 bucket policy mistakes by itself.


Question 7

What this tests: sensitive data discovery

A security team needs to discover whether S3 buckets contain personally identifiable information and prioritize findings for review. Which AWS service is designed for this?

  • A. AWS Batch
  • B. Amazon Route 53
  • C. Amazon Macie
  • D. AWS Cloud9

Best answer: C

Explanation: Macie uses managed data discovery to identify sensitive data such as PII in S3 and produce findings. Batch, Route 53, and Cloud9 do not classify S3 data for sensitive-content risk.


Question 8

What this tests: incident containment

An EC2 instance is suspected of compromise. The team wants to preserve evidence while immediately limiting network communication. What is the best first containment step?

  • A. Move the instance to an isolation security group that allows only required forensic access
  • B. Terminate the instance immediately and delete all attached volumes
  • C. Make the subnet public so investigators can connect faster
  • D. Disable CloudTrail to reduce noise

Best answer: A

Explanation: Isolation through a restrictive security group can contain network activity while preserving the instance and volumes for investigation. Immediate termination or evidence deletion can destroy forensic data. Public exposure and disabled logging make the incident response worse.


Question 9

What this tests: private access to AWS APIs

Instances in private subnets must call AWS Systems Manager APIs without using a NAT gateway or internet gateway. Which feature should be used?

  • A. Public IP addresses on the instances
  • B. A Route 53 public hosted zone
  • C. An Application Load Balancer
  • D. Interface VPC endpoints for the required Systems Manager services

Best answer: D

Explanation: Interface VPC endpoints let private resources reach supported AWS APIs over private connectivity. Systems Manager typically requires endpoints such as ssm, ssmmessages, and ec2messages for private managed-instance operation. Public IPs, public DNS, and ALBs do not provide private API access.


Question 10

What this tests: external access analysis

A security engineer wants to identify resource policies that allow access from outside the account or organization, such as S3 bucket policies and IAM role trust policies. Which service should be used?

  • A. Amazon Lightsail
  • B. AWS Backup
  • C. IAM Access Analyzer
  • D. AWS Elastic Beanstalk

Best answer: C

Explanation: IAM Access Analyzer evaluates policies and reports external access findings for supported resources. It is directly aligned with detecting unintended cross-account or public access. Lightsail, Backup, and Elastic Beanstalk do not analyze policy exposure.


Question 11

What this tests: secrets rotation

A database password used by an application must be stored securely and rotated on a schedule with minimal custom code. Which service is the best fit?

  • A. AWS Secrets Manager with rotation configured
  • B. Plaintext environment variables in every function
  • C. A password in a source-code repository secret comment
  • D. Manual monthly email to the operations team

Best answer: A

Explanation: Secrets Manager supports secure storage and managed rotation workflows for secrets such as database credentials. Plaintext variables, source-code storage, and email-based rotation create exposure and operational risk.


Question 12

What this tests: centralized security posture

A security team uses GuardDuty, Inspector, Macie, IAM Access Analyzer, and AWS Config across accounts. They want one place to aggregate and prioritize findings against security standards. Which service is most appropriate?

  • A. Amazon SQS FIFO queues
  • B. AWS Security Hub
  • C. Amazon WorkSpaces
  • D. AWS App Runner

Best answer: B

Explanation: Security Hub aggregates findings from AWS security services and partners, maps findings to standards, and supports centralized security posture management. Queues, desktop services, and application hosting do not provide security finding aggregation.

SCS-C03 security control map

    flowchart LR
        A["Asset and threat"] --> B["Identity boundary"]
        B --> C["Network and workload control"]
        C --> D["Data protection"]
        D --> E["Detection and response"]
        E --> F["Governance evidence"]

Use this map when a Security Specialty scenario asks where to apply a control. Strong answers identify the asset, choose the right identity and network boundary, protect data, and preserve monitoring evidence.

Quick Cheat Sheet

Each topic below lists the strong answer pattern and the common trap.

  • IAM. Strong answer pattern: use least privilege, conditions, roles, permission boundaries, and access analysis. Common trap: attaching broad managed policies to solve one denial.
  • Data protection. Strong answer pattern: encrypt appropriately, manage keys, restrict access, and monitor use. Common trap: encrypting data while leaving broad identity access.
  • Network security. Strong answer pattern: use security groups, NACLs, endpoints, routing, inspection, and logs. Common trap: assuming private subnet placement is sufficient.
  • Detection. Strong answer pattern: use CloudTrail, Config, GuardDuty, Security Hub, and meaningful alerting. Common trap: collecting logs without response ownership.
  • Incident response. Strong answer pattern: isolate, preserve evidence, rotate credentials, and remediate root cause. Common trap: deleting compromised resources before capturing evidence.
  • Governance. Strong answer pattern: apply organization guardrails, audit evidence, and exception ownership. Common trap: treating compliance as a one-time checklist.

Mini Glossary

  • Permission boundary: IAM policy that limits the maximum permissions an identity can receive.
  • KMS key policy: Resource policy that controls who can administer and use a KMS key.
  • VPC endpoint: Private connection from a VPC to supported AWS services without public internet routing.
  • CloudTrail: AWS service that records API activity for audit and investigation.
  • GuardDuty: Threat-detection service that analyzes AWS telemetry for suspicious behavior.

Open AWS SCS-C03 in IT Mastery

Use this page to review sample questions, request an update for this route, and compare related IT Mastery pages.

Use these live IT Mastery pages now

If you need to practice a given area, these are the best live pages and why they fit:

  • Baseline cybersecurity: Security+ SY0-701. Best live route for core security architecture, operations, and governance.
  • AWS architecture controls: SAA-C03. Useful for AWS-native security, resiliency, networking, and access-boundary decisions.
  • AWS operations and monitoring: SOA-C03. Reinforces logging, monitoring, remediation, backup, and operational security signals.

Practice status

  • Current status: Sample preview
  • Full IT Mastery practice for this exam: still being prioritized
  • Best use right now: confirm SCS-C03 as your target, then practice baseline security and the live AWS architecture/operations routes while the full app-backed route is being prioritized
  • Update path: use the update form near the top of this page if SCS-C03 is your actual target exam

Revised on Friday, May 15, 2026