Question 14 - AWS SCS-C03 Real Exam Questions [March 2026 Update]

Q: 14

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options

Discussion

Sofia O. Mar 1, 2026 7:56 am

That one's B. No explanation needed here, Inspector Lambda scanning handles this.

ArjunD Feb 19, 2026 1:53 am

Not D, it’s B. D is for runtime issues but the question wants code scanning.

Drew U. Feb 24, 2026 12:04 am

Ugh, AWS naming drives me nuts, always sounds so similar. Probably B here.

Ravi X. Feb 18, 2026 8:25 am

D here. Lambda Protection sounds like it covers vulnerabilities, so I'd pick that for code scanning over Inspector. Maybe a trap but seems logical to me.

Jack D. Feb 18, 2026 6:14 am

B makes sense since Inspector targets Lambda code itself, not just runtime stuff. Pretty sure that's what AWS intends for this scenario. Let me know if you see it differently.

Ivy R. Feb 14, 2026 7:19 pm

Its B here, not D. D is a trap since it's more about runtime detection, Inspector does the actual code scanning.

Vikram X. Mar 3, 2026 4:14 am

B , Inspector is made for Lambda code scanning so fits the ask.

Alex Q. Feb 26, 2026 7:16 am

B tbh here. D looks attractive but that's for runtime threats, not code scanning. Seen similar on practice, B's correct.

Liam G. Feb 21, 2026 1:31 am

Seen questions like this in official practice sets, always points to B.

Rowan Feb 25, 2026 3:53 am

Option D is tempting because GuardDuty sounds security-focused, but it's actually a trap. Inspector (B) does Lambda code vuln scans. Not 100 percent though, someone else might see it differently.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon Inspector is a vulnerability management service that continuously scans AWS workloads. A specific feature, Amazon Inspector Lambda scanning, is designed to identify software vulnerabilities in Lambda functions and associated layers. It performs two types of scans: one for vulnerabilities in application package dependencies (e.g., libraries) and another for code vulnerabilities within the function's custom code, directly addressing the requirement to scan for code vulnerabilities. This is an automated, continuous process once enabled.

Why Incorrect

A. Use Amazon Macie.

Macie is a data security service for discovering and protecting sensitive data (like PII) stored in Amazon S3, not for scanning Lambda function code for vulnerabilities.

C. Use GuardDuty and Security Hub.

GuardDuty is a threat detection service, and Security Hub aggregates security findings. Neither service performs static code analysis or scans Lambda functions for code vulnerabilities.

D. Use GuardDuty Lambda Protection.

This GuardDuty feature detects runtime threats and anomalous behavior in Lambda functions, such as malicious invocations, but it does not scan the function's code for vulnerabilities.

References

1. AWS Documentation: Amazon Inspector User Guide. "Scanning AWS Lambda functions with Amazon Inspector." This section states, "When you activate Lambda scanning, Amazon Inspector automatically discovers all of your Lambda functions... and immediately starts scanning them for vulnerabilities... Amazon Inspector scans Lambda functions for two types of vulnerabilities: Package vulnerabilities... [and] Code vulnerabilities."

2. AWS Documentation: Amazon Inspector User Guide. "Amazon Inspector scans for code vulnerabilities." This page details how Inspector uses automated reasoning and machine learning to detect code vulnerabilities in Lambda functions, covering categories like injection flaws and data leaks.

3. AWS Documentation: Amazon Macie User Guide. "What is Amazon Macie?" The first sentence clarifies its purpose: "Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching."

4. AWS Documentation: Amazon GuardDuty User Guide. "Lambda Protection in GuardDuty." This document explains, "GuardDuty Lambda Protection is a feature in Amazon GuardDuty that monitors AWS CloudTrail management events and VPC Flow Logs to detect threats against your Lambda functions." This confirms its focus is on runtime threat detection, not static code scanning.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE