View SCS-C03 Exam Questions

Q: 11

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive dat a. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting. Which solution will provide remote access while meeting these requirements?

Options

Discussion

Meera P. Feb 24, 2026 6:28 pm

C. I've seen this setup is the only way to avoid open ports and log sessions. Disagree?

Sean L. Feb 14, 2026 5:29 pm

C . D looks tempting but even a second of open ports violates the "no exposed management ports" part.

Taylor Mar 1, 2026 11:47 pm

Hard to say, C, but if compliance is really strict on never exposing ports then D can't be it.

Chloe N. Mar 1, 2026 7:21 pm

Option C. D tries to trick you with "temporarily open remote access" but that's not compliant for sensitive data, pretty sure.

Taylor O. Mar 4, 2026 4:52 am

C tbh. Only Session Manager setup (C) hits all requirements with zero management port exposure. I don't see the others fitting compliance.

Daniel Y. Feb 28, 2026 10:15 am

Saw something just like this in a mock, C is correct. Meets every compliance item without opening management ports at all.

Sanjay Feb 24, 2026 12:45 am

Makes sense to me, C. No open ports at any time and session logging works cleanly with SSM Session Manager. Disagree?

Ishaan K. Mar 1, 2026 6:01 pm

Its C. Session Manager is designed for secure, compliant remote access without opening management ports. D is a trap since you should never open ports just for troubleshooting in sensitive environments. IAM Identity Center works smoothly with SSM roles too. Seen similar Qs in practice tests.

Anita O. Feb 16, 2026 7:09 am

Its C since even a brief opening of ports (like D) breaks the "no exposed management ports" rule, pretty sure that's what flips it for strict compliance cases.

FocusedLearner8198 Mar 2, 2026 5:36 am

D , but C is probably safer for strict compliance since D still exposes ports briefly.

Be respectful. No spam.

Correct Answer:

Explanation

AWS Systems Manager Session Manager provides secure, auditable, and managed instance access without needing to open inbound ports, manage SSH keys, or maintain bastion hosts. It meets all the specified requirements:

1. No exposed management ports: Session Manager uses the SSM Agent, which communicates with the AWS endpoint over an outbound HTTPS (port 443) connection. This eliminates the need to open inbound ports like SSH (22).

2. Full session logging: Session Manager can be configured to log all session activity, including every command and its output, to Amazon CloudWatch Logs or an Amazon S3 bucket, satisfying the compliance need for full logging.

3. Authentication through IAM Identity Center: Access to start a session is controlled by IAM policies. These policies can be attached to an IAM role within an IAM Identity Center permission set, allowing for centralized authentication and authorization.

Why Incorrect

A. The EC2 serial console is primarily for troubleshooting boot, network, or startup issues and is not intended for full, interactive shell sessions. Its logging is less comprehensive for auditing interactive commands.

B. EC2 Instance Connect requires the instance's security group to allow inbound SSH traffic (port 22) from the EC2 Instance Connect service, which violates the "no exposed management ports" requirement. It also lacks native session logging.

D. This approach explicitly opens remote access ports, which directly violates the core requirement of having no exposed management ports. It is an anti-pattern when a more secure option like Session Manager exists.

References

1. AWS Systems Manager User Guide, "AWS Systems Manager Session Manager": "Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys." It also states, "You can audit session activity in your AWS account using AWS CloudTrail. You can also log session data to Amazon S3 or Amazon CloudWatch Logs."

2. AWS Systems Manager User Guide, "Setting up Session Manager": Step 2 of the setup process details creating an instance profile with permissions for the SSM Agent. Step 4 covers granting IAM users session permissions, which is the mechanism used by IAM Identity Center permission sets.

3. AWS Security Blog, "How to use IAM Identity Center to provide access to your AWS Systems Manager tools": This blog post outlines the exact pattern described in the correct answer, stating, "You can use IAM Identity Center to provide your users with access to AWS Systems Manager tools, such as Session Manager... This allows you to provide your users with secure access to your instances without having to manage individual SSH keys."

4. Amazon EC2 User Guide for Linux Instances, "Connect to your Linux instance with EC2 Instance Connect": Under "Prerequisites," the documentation states, "The security group attached to your instance must have an inbound rule that allows SSH traffic (TCP port 22) from your IP address or from the IP address range for the AWS EC2 Instance Connect service." This confirms the need for an open port.

Q: 12

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler. The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization's management account when the management account is not required. Which solution will meet these requirements?

Options

Discussion

MethodicalEngineer2789 Mar 5, 2026 6:52 am

C vs B here, but B nails the "all existing and future accounts" via StackSet org integration and delegated admin, which is what AWS suggests. C’s tempting since SSM Automation is powerful, but it’s missing the auto-deploy to future accounts piece. Pretty sure B is the one, unless I missed a detail. Agree?

Drew U. Feb 28, 2026 5:53 pm

Cameron Feb 27, 2026 10:39 am

Its B, C is tempting since Systems Manager can work org-wide if set up right but B actually hits all future accounts and uses delegated admin like AWS recommends.

Alex U. Feb 17, 2026 9:18 pm

Its B since StackSets with a delegated admin will push to all current and future org accounts automatically. You only need to use management account for initial setup, after that the delegated admin manages everything. This matches what AWS recommends for org-wide deployments and avoids overusing the management account. Pretty sure that's what the question is after, but open if anyone sees it differently.

Ajay D. Feb 18, 2026 11:18 am

B , this is straight out of the official AWS docs and I've seen similar in practice exams. Review the CloudFormation StackSets section and maybe do some hands-on labs for deploying org-wide resources.

QuietEngineer9925 Feb 25, 2026 7:04 am

Wouldn’t C miss new accounts since StackSets auto-deploy with B but not C?

FocusedLearner4802 Feb 21, 2026 7:07 pm

B tbh

Hannah V. Feb 21, 2026 10:33 pm

ZoeX Feb 28, 2026 2:31 am

Owen S. Feb 28, 2026 8:12 pm

C or D had something like this in a mock, went with C.

Be respectful. No spam.

Correct Answer:

Explanation

This solution correctly addresses all requirements. AWS CloudFormation StackSets with service-managed permissions are designed to deploy resources across an AWS Organization. Enabling automatic deployment ensures that the stack is provisioned in all existing and future member accounts. By configuring a delegated administrator for AWS CloudFormation, the company can manage these StackSets from a designated member account instead of the management account. This adheres to the security best practice of minimizing the use of the management account, fulfilling the principle of least privilege for routine operational tasks.

Why Incorrect

A. This approach is incorrect because it requires manual intervention to add new accounts, failing the automation requirement. It also unnecessarily uses the management account for a task that can be delegated.

C. While Systems Manager can deploy resources and supports delegated administration, AWS CloudFormation StackSets are the purpose-built, more direct, and idiomatic service for provisioning infrastructure from templates across an organization.

D. This solution fails because it uses the management account, violating the principle of least privilege. Additionally, sharing a runbook does not automatically deploy resources to new accounts without a separate triggering mechanism.

References

1. AWS CloudFormation User Guide: The section "Register a delegated administrator" states, "You can register a delegated administrator account to create and manage stack sets with service-managed permissions for your organization. By registering a delegated administrator, you can create and manage stack sets from the delegated administrator account." This directly supports using a delegated administrator.

Source: AWS CloudFormation User Guide, "Working with AWS CloudFormation StackSets," section "Register a delegated administrator."

2. AWS CloudFormation User Guide: The section on creating stack sets with service-managed permissions explains the auto-deployment feature. "When you enable auto-deployment, stack instances are automatically deployed to an account when it is added to a target organization or OU." This confirms the capability to deploy to future accounts automatically.

Source: AWS CloudFormation User Guide, "Create a stack set with service-managed permissions," section "Auto-deployment."

3. AWS Organizations User Guide: The guide on best practices for the management account explicitly recommends delegating tasks. "To help you follow this best practice, AWS has created the delegated administrator feature... you can delegate administrative tasks for a specific AWS service to a designated member account."

Source: AWS Organizations User Guide, "Best practices for the management account."

4. AWS Organizations User Guide: The documentation lists services that can be integrated with Organizations, including AWS CloudFormation, which can be registered as a delegated administrator.

Source: AWS Organizations User Guide, "AWS services that you can use with AWS Organizations," section "Services that support delegated administrator."

Q: 13

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again. Which solution will meet these requirements?

Options

Discussion

Rowan L. Feb 15, 2026 10:11 pm

C . PublicAccessBlock handles the immediate lock, and denying s3:PutPublicAccessBlock with an SCP prevents anyone from removing it later. D is tempting but Object Lock is about retention, not access. B misses long-term prevention.

Alex G. Feb 26, 2026 5:10 am

Option B looks right to me. If you enable PublicAccessBlock and then deny s3:GetObject at the org level with an SCP, that should stop public reads, and Block Public Access covers other risks. Had something like this in a mock and B was the answer there. Maybe I'm missing something?

Mason Feb 25, 2026 5:08 am

C vs B, but C is better protection. PublicAccessBlock needs to stay enforced, so denying s3:PutPublicAccessBlock in the SCP keeps it locked down. B only blocks current access but admins could disable the block later. Pretty sure C is the intent here.

Luke A. Feb 20, 2026 12:07 pm

Nah, I think D makes more sense here. Object Lock seems like it would block changes to public access too.

Maya L. Feb 16, 2026 2:30 pm

Pretty sure it's C. Had something like this in a mock and blocking public access plus using an SCP to deny changes to the PublicAccessBlock is what locks it down long term. B doesn't stop someone from reversing the block. Agree?

Jordan I. Feb 18, 2026 2:11 pm

Adam Y. Mar 1, 2026 2:46 pm

C/D? Not sure, feels like C but D has Object Lock. Kinda tricky.

AishaH Feb 18, 2026 1:34 am

Nah, B is a trap since you could still turn off PublicAccessBlock after. C.

Karan O. Feb 17, 2026 1:35 am

C over B every time here. You need to not only block public access now but prevent anyone from turning it back on, and denying s3:PutPublicAccessBlock with an SCP (like in C) is the way AWS recommends. B is a common trap for missing the long-term prevention part.

Be respectful. No spam.

Correct Answer:

Explanation

The solution requires two actions: immediate remediation and long-term prevention. First, enabling Amazon S3 Block Public Access on the bucket or account level immediately removes all forms of public access. This feature overrides any conflicting bucket policies or Access Control Lists (ACLs). Second, to ensure this setting cannot be reversed, a Service Control Policy (SCP) must be applied through AWS Organizations. By creating an SCP with a Deny statement for the s3:PutPublicAccessBlock action and attaching it to the relevant account, you prevent any IAM principal (including the root user) within that account from modifying the Block Public Access configuration. This combination effectively meets both requirements.

Why Incorrect

A. KMS encryption protects data at rest but does not control network access. Denying s3:GetObject via SCP would block all read access, not just public access.

B. While enabling Block Public Access is correct, denying s3:GetObject via SCP is an incorrect preventive measure as it blocks all object retrieval, which is overly restrictive.

D. Object Lock is a WORM (Write-Once, Read-Many) feature for data immutability and retention; it is not related to managing public access permissions.

References

1. AWS S3 Developer Guide, "Blocking public access to your Amazon S3 storage": This document explains that S3 Block Public Access provides settings to manage public access to S3 resources. It states, "Amazon S3 Block Public Access can override ACLs and bucket policies so that you can enforce uniform limits on public access to these resources." (See section: How Amazon S3 Block Public Access works).

2. AWS Organizations User Guide, "Service control policies (SCPs)": This guide details how SCPs act as a guardrail to control permissions in an organization. It clarifies, "SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU)... SCPs limit permissions for IAM users and roles in member accounts, including the member account's root user." (See section: Introduction to SCPs).

3. AWS IAM User Guide, "Actions, resources, and condition keys for Amazon S3": This documentation lists all IAM actions for S3. The s3:PutPublicAccessBlock action is defined as granting permission to create or modify the PublicAccessBlock configuration for an account or a bucket, confirming it is the correct action to deny for prevention. (See the Action summary table for Amazon S3).

4. AWS S3 Developer Guide, "Using S3 Object Lock": This source describes Object Lock as a feature to "store objects using a write-once-read-many (WORM) model," which is unrelated to controlling public access. (See section: How S3 Object Lock works).

Q: 14

A company needs to scan all AWS Lambda functions for code vulnerabilities.

Options

Discussion

Sofia O. Feb 28, 2026 11:40 pm

That one's B. No explanation needed here, Inspector Lambda scanning handles this.

ArjunD Feb 18, 2026 5:38 pm

Not D, it’s B. D is for runtime issues but the question wants code scanning.

Drew U. Feb 23, 2026 3:48 pm

Ugh, AWS naming drives me nuts, always sounds so similar. Probably B here.

Ravi X. Feb 18, 2026 12:09 am

D here. Lambda Protection sounds like it covers vulnerabilities, so I'd pick that for code scanning over Inspector. Maybe a trap but seems logical to me.

Jack D. Feb 17, 2026 9:58 pm

B makes sense since Inspector targets Lambda code itself, not just runtime stuff. Pretty sure that's what AWS intends for this scenario. Let me know if you see it differently.

Ivy R. Feb 14, 2026 11:03 am

Its B here, not D. D is a trap since it's more about runtime detection, Inspector does the actual code scanning.

Vikram X. Mar 2, 2026 7:58 pm

B , Inspector is made for Lambda code scanning so fits the ask.

Alex Q. Feb 25, 2026 11:01 pm

B tbh here. D looks attractive but that's for runtime threats, not code scanning. Seen similar on practice, B's correct.

Liam G. Feb 20, 2026 5:15 pm

Seen questions like this in official practice sets, always points to B.

Rowan Feb 24, 2026 7:37 pm

Option D is tempting because GuardDuty sounds security-focused, but it's actually a trap. Inspector (B) does Lambda code vuln scans. Not 100 percent though, someone else might see it differently.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon Inspector is a vulnerability management service that continuously scans AWS workloads. A specific feature, Amazon Inspector Lambda scanning, is designed to identify software vulnerabilities in Lambda functions and associated layers. It performs two types of scans: one for vulnerabilities in application package dependencies (e.g., libraries) and another for code vulnerabilities within the function's custom code, directly addressing the requirement to scan for code vulnerabilities. This is an automated, continuous process once enabled.

Why Incorrect

A. Use Amazon Macie.

Macie is a data security service for discovering and protecting sensitive data (like PII) stored in Amazon S3, not for scanning Lambda function code for vulnerabilities.

C. Use GuardDuty and Security Hub.

GuardDuty is a threat detection service, and Security Hub aggregates security findings. Neither service performs static code analysis or scans Lambda functions for code vulnerabilities.

D. Use GuardDuty Lambda Protection.

This GuardDuty feature detects runtime threats and anomalous behavior in Lambda functions, such as malicious invocations, but it does not scan the function's code for vulnerabilities.

References

1. AWS Documentation: Amazon Inspector User Guide. "Scanning AWS Lambda functions with Amazon Inspector." This section states, "When you activate Lambda scanning, Amazon Inspector automatically discovers all of your Lambda functions... and immediately starts scanning them for vulnerabilities... Amazon Inspector scans Lambda functions for two types of vulnerabilities: Package vulnerabilities... [and] Code vulnerabilities."

2. AWS Documentation: Amazon Inspector User Guide. "Amazon Inspector scans for code vulnerabilities." This page details how Inspector uses automated reasoning and machine learning to detect code vulnerabilities in Lambda functions, covering categories like injection flaws and data leaks.

3. AWS Documentation: Amazon Macie User Guide. "What is Amazon Macie?" The first sentence clarifies its purpose: "Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching."

4. AWS Documentation: Amazon GuardDuty User Guide. "Lambda Protection in GuardDuty." This document explains, "GuardDuty Lambda Protection is a feature in Amazon GuardDuty that monitors AWS CloudTrail management events and VPC Flow Logs to detect threats against your Lambda functions." This confirms its focus is on runtime threat detection, not static code scanning.

Q: 15

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status. Which solution will meet these requirements?

Options

Discussion

Ben H. Feb 14, 2026 5:08 am

B , saw something like this in a mock, Config managed rules hit all the Aurora MySQL points needed.

SeasonedReviewer3221 Feb 17, 2026 2:13 pm

Leo D. Mar 1, 2026 6:12 pm

Not C, since Security Hub config policies won't give deep Aurora MySQL rule checks. B is correct.

Ava G. Feb 20, 2026 10:00 am

Probably B here, Config managed rules directly track those Aurora settings. C is more for aggregating results across services.

AaronX Mar 2, 2026 2:11 am

B imo. AWS Config's managed rules cover encryption, public access, deletion protection, and logging right out of the box for Aurora MySQL. You get real-time compliance without custom code. Pretty sure that's what they're asking for but let me know if I'm missing something.

Jamie Mar 1, 2026 5:43 pm

Yeah, B. Config managed rules fit Aurora MySQL compliance checks.

Piya N. Mar 6, 2026 1:26 pm

B tbh, Config managed rules are made for this kind of continuous compliance on Aurora MySQL. Simple and does exactly what's needed.

Amelia F. Feb 26, 2026 11:22 pm

B , since managed Config rules do all the compliance checks listed for Aurora MySQL. Keeps monitoring continuous and real-time.

Parker R. Feb 25, 2026 8:46 am

Probably B here. AWS Config has those managed rules for Aurora MySQL that actually check encryption, public access, deletion protection, and audit logging individually. Security Hub is broader but doesn't give that Aurora-level granularity out of the box. Pretty confident but open to other thoughts if someone's seen a new Security Hub update.

CalmSec1547 Feb 19, 2026 3:30 am

B , Config managed rules are Aurora MySQL aware so fits the compliance ask better than C I think.

Be respectful. No spam.

Correct Answer:

Explanation

AWS Config is the primary service for assessing, auditing, and evaluating the configurations of AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. For this scenario, AWS Config provides managed rules that can specifically check Amazon Aurora instances for compliance with the stated security requirements. These rules include checks for public accessibility (rds-instance-public-access-check), storage encryption (rds-storage-encrypted), deletion protection (rds-instance-deletion-protection-enabled), and log exports (aurora-mysql-log-exports-enabled), providing the required continuous monitoring and real-time visibility into the compliance status.

Why Incorrect

A. Use AWS Audit Manager with a custom framework.

AWS Audit Manager is designed for collecting evidence for audits, not for real-time configuration monitoring and alerting. It often uses AWS Config as an evidence source.

C. Use AWS Security Hub configuration policies.

AWS Security Hub aggregates security findings and uses AWS Config rules for many of its checks. AWS Config is the foundational service that performs the actual configuration evaluation.

D. Use EventBridge and Lambda with custom metrics.

This is a custom-built solution that requires significant development and maintenance effort, whereas AWS Config provides a managed, out-of-the-box solution for this exact purpose.

---

References

1. AWS Config Documentation - rds-storage-encrypted: "Checks whether storage encryption is enabled for your Amazon Relational Database Service (Amazon RDS) DB instances."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-storage-encrypted.

2. AWS Config Documentation - rds-instance-deletion-protection-enabled: "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-instance-deletion-protection-enabled.

3. AWS Config Documentation - rds-instance-public-access-check: "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-instance-public-access-check.

4. AWS Config Documentation - aurora-mysql-log-exports-enabled: "Checks if an Amazon Aurora MySQL DB cluster has the specified log types exported to Amazon CloudWatch Logs." (The specified log types can include 'audit').

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", aurora-mysql-log-exports-enabled.

5. AWS Config Documentation - What Is AWS Config?: "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations."

Source: AWS Config Developer Guide, "What Is AWS Config?".

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE