Question 3 - AWS SCS-C03 Real Exam Questions [March 2026 Update]

Q: 3

A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

Options

Discussion

Cameron U. Feb 17, 2026 2:16 pm

Option A works because Macie is built for S3 data discovery and lets you handle multiple accounts from a central security account. Quick check though, did the question specify if all S3 buckets are in the same org? That would impact the setup.

Jason I. Mar 2, 2026 4:44 am

AWS really likes to toss Trusted Advisor into these options but it's always Macie for actual sensitive data inventory across S3. A imo, since you need delegated admin to scan org-wide. Security Hub pulls it all together but Macie does the heavy lifting. Open to hearing if someone made D work in real setups.

Arjun H. Feb 18, 2026 8:57 pm

Trusted Advisor does check a lot of stuff with S3 so I'd pick D here.

Parker M. Feb 16, 2026 12:40 pm

Nah, not D. Trusted Advisor checks config but doesn't actually discover sensitive S3 data. It's definitely A for org-wide sensitive data inventory.

SamK Feb 17, 2026 9:16 am

A tbh, Trusted Advisor’s a trap here, only Macie does sensitive data scans org-wide with delegation.

Nathan Feb 24, 2026 10:06 pm

A , since only Macie is really built to inventory sensitive data in S3, and delegation lets you manage org-wide from a security account. Still, Security Hub mostly aggregates, so not 100% confident if I'm missing a trick. Disagree?

Jack F. Mar 3, 2026 2:37 am

AlexM Feb 16, 2026 2:02 am

A is what I'd pick here. Macie handles sensitive data discovery in S3, and with delegated admin you get org-wide coverage from one security account. Trusted Advisor can't do actual data inventory like that. Pretty sure this is what AWS expects, but open to other takes.

Ava S. Feb 24, 2026 11:51 am

Option D, seen similar in practice tests and Trusted Advisor is usually mentioned for best practices checks.

Chloe G. Feb 28, 2026 9:40 am

A saw a similar question in my exam report and Macie delegation was the AWS answer for S3 data discovery.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon Macie is the designated AWS service for discovering and protecting sensitive data in Amazon S3 using machine learning and pattern matching. To meet the requirement of managing this process across all accounts from a single security account, AWS Organizations is used. You can designate a delegated administrator account for Amazon Macie, allowing it to manage and view findings for all member accounts.

Similarly, AWS Security Hub is designed to aggregate, organize, and prioritize security findings from various AWS services. It also supports a delegated administrator model, enabling the central security account to view and manage findings, including those from Macie, from all accounts in the organization. This combination directly addresses the prompt's requirements.

Why Incorrect

B. Use Amazon Inspector with Security Hub.

Amazon Inspector is a vulnerability management service for compute workloads (e.g., EC2, ECR), not for discovering sensitive data within Amazon S3 buckets.

C. Use Inspector with Trusted Advisor.

Neither Inspector nor Trusted Advisor is designed for discovering sensitive data within S3 buckets. Trusted Advisor provides high-level best practice recommendations.

D. Use Macie with Trusted Advisor.

While Macie is the correct discovery tool, Trusted Advisor is not the appropriate service for centralizing and managing detailed security findings from other services like Security Hub is.

References

1. Amazon Macie Documentation - Managing multiple accounts in Amazon Macie: "To manage Macie for multiple accounts, you can integrate Macie with AWS Organizations. After you do this, you can designate a specific AWS account as the delegated Macie administrator account for your organization." (AWS Documentation, Amazon Macie User Guide, "Managing multiple accounts").

2. AWS Security Hub Documentation - Managing accounts with AWS Organizations: "We recommend that you use a centralized configuration to manage Security Hub for multiple accounts in AWS Organizations... You designate a Security Hub administrator account that can manage Security Hub for a set of accounts in your organization." (AWS Documentation, AWS Security Hub User Guide, "Managing accounts with AWS Organizations").

3. Amazon Macie Documentation - Integrating Amazon Macie with AWS Security Hub: "Amazon Macie integrates with AWS Security Hub to help you centralize and prioritize your security findings... When you enable the integration, Macie automatically begins publishing policy and sensitive data findings to Security Hub." (AWS Documentation, Amazon Macie User Guide, "Integrations", "Integrating with AWS Security Hub").

4. Amazon Inspector Documentation - What is Amazon Inspector?: "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure." (AWS Documentation, Amazon Inspector User Guide, "What is Amazon Inspector?").

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE