
AWS Certified Security Specialty (SCS-C03)

By Webmaster Certland · English · 340 questions

Practice exam for the AWS Certified Security Specialty (SCS-C03). Covers threat detection, incident response, infrastructure security, identity and access management, data protection, and security foundations and governance.

⭐ Premium Updated Mar 2026


Sample Questions — AWS Certified Security Specialty (SCS-C03)

5 free sample questions from this practice exam. Correct answers are highlighted.

1. A security engineer needs to enable threat detection for an AWS account. The engineer wants to automatically detect when an EC2 instance is communicating with known malicious IP addresses. Which AWS service should the engineer enable to accomplish this with the least operational overhead?

A Enable Amazon GuardDuty for the AWS account. ✓ Correct
B Enable AWS Security Hub and configure CIS AWS Foundations Benchmark standard.
C Enable Amazon Inspector and configure network reachability assessments.
D Enable VPC Flow Logs and store them in Amazon S3 for analysis.

2. A security engineer is reviewing Amazon GuardDuty findings and notices a finding type `CryptoCurrency:EC2/BitcoinTool.B!DNS`. The engineer needs to understand what this finding indicates. Which of the following best describes this finding?

A An EC2 instance is querying a domain associated with cryptocurrency mining, detected via DNS query logs. ✓ Correct
B An IAM user is making unauthorized API calls to AWS cryptocurrency services.
C AWS CloudTrail detected the creation of a Bitcoin wallet using an EC2 instance's IAM role.
D An S3 bucket has been accessed by a cryptocurrency mining operation and data has been exposed.

3. A security engineer is building an incident response playbook for AWS environments. The playbook must define the first action to take when Amazon GuardDuty generates a high-severity finding indicating that an EC2 instance is communicating with a known command-and-control server. Which action should be the FIRST step according to incident response best practices?

A Change the EC2 instance's security group to a quarantine group that denies all inbound and outbound traffic except from designated forensic systems ✓ Correct
B Terminate the EC2 instance immediately to stop the malicious activity
C Notify all stakeholders and management before taking any technical action
D Spend 30 minutes analyzing all GuardDuty findings to understand the full scope before acting

4. A security engineer needs to build an automated incident response workflow that: (1) detects when an EC2 instance is tagged as compromised, (2) captures an EBS snapshot, (3) isolates the instance via security group change, and (4) notifies the security team. Which AWS service combination BEST orchestrates this multi-step workflow?

A Write a single Lambda function that performs all four steps sequentially and trigger it via an EventBridge rule that monitors EC2 tag change events.
B Use AWS Systems Manager Automation documents to define each step as a separate runbook action and trigger execution via EventBridge.
C Use Amazon EventBridge to detect the EC2 tag change event and trigger an AWS Step Functions state machine that orchestrates separate Lambda functions for each response step, with error handling and notifications at each stage. ✓ Correct
D Configure an AWS CodePipeline with four stages corresponding to the four response steps, triggered by an EventBridge rule that monitors for the compromised tag.

5. A security engineer is responding to a credential exposure incident where an EC2 instance role's temporary credentials were exfiltrated and are being used from an external IP. The engineer deactivates the access key but the attack continues. Why, and what should the engineer do?

A The attack continues because the access key deactivation failed. The engineer should use the AWS CLI to force-deactivate the temporary credentials through the STS service.
B The attack continues because IAM role deactivation takes up to 5 minutes to propagate globally. The engineer should wait and then verify the attack has stopped.
C The attack continues because temporary credentials cannot be deactivated through IAM. The engineer should attach an inline deny policy to the IAM role with an `aws:TokenIssueTime` condition to revoke all sessions issued before the current time. ✓ Correct
D The attack continues because the attacker escalated privileges to a different role. The engineer should audit all IAM roles and deactivate any roles with recent API activity from the external IP.


Information

Questions 340
Time 2h 50min
Difficulty Hard
Minimum Score 75.00%

