100+ Free AWS Security Specialty (SCS-C03) Practice Questions

Pass your AWS Certified Security – Specialty (SCS-C03) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: AWS Security Specialty (SCS-C03) Exam

  • Questions: 65 (50 scored + 15 unscored) (source: AWS SCS-C03 guide)
  • Exam Time: 170 min (source: AWS)
  • Passing Score: 750/1000 (source: AWS)
  • Exam Fee: $300 (source: AWS)
  • Heaviest Domain: 20% IAM (source: C03 blueprint)
  • Cert Validity: 3 years (source: AWS)

SCS-C03 has 65 questions (50 scored + 15 unscored) in 170 minutes, requires a scaled score of 750/1000, and costs $300. The blueprint shifted IAM to the largest domain (20%), reduced Threat Detection & IR to 14%, and introduced GenAI security in Domain 3. The previous SCS-C02 retired December 1, 2025.

Sample AWS Security Specialty (SCS-C03) Practice Questions

Try these sample questions to test your AWS Security Specialty (SCS-C03) exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A security engineer needs continuous monitoring for malicious or unauthorized behavior across AWS accounts and S3 data, leveraging machine learning and threat intelligence. Which service should be enabled organization-wide?
  A. AWS Config
  B. Amazon GuardDuty
  C. AWS CloudTrail
  D. AWS Trusted Advisor
Explanation: Amazon GuardDuty is the AWS intelligent threat detection service that continuously analyzes CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, and S3 data events using ML and threat intel feeds. It can be enabled across an entire AWS Organization through delegated administration.

2. GuardDuty has produced a high-severity finding for a compromised EC2 instance generating cryptocurrency-mining traffic. Which sequence best preserves forensic evidence while stopping the threat?
  A. Terminate the instance immediately so the threat cannot spread
  B. Snapshot the EBS volumes, isolate the instance with a quarantine security group, then capture a memory dump before stopping it
  C. Reboot the instance and detach its IAM role
  D. Change the SSH key pair and leave the instance running for monitoring
Explanation: Forensic best practice is to preserve volatile (memory) and non-volatile (disk) evidence first, then contain. Snapshot EBS volumes, replace the security group with one that blocks all traffic, capture memory through SSM or a forensic AMI, and only then stop or terminate the instance.

3. A team wants to scan running EC2 instances, container images in ECR, and Lambda functions for OS, language-package, and code vulnerabilities, using a single managed service. Which service provides this?
  A. Amazon Inspector
  B. AWS Config
  C. Amazon Macie
  D. AWS Trusted Advisor
Explanation: Amazon Inspector continuously scans EC2 instances, container images in Amazon ECR, and Lambda functions (including layers and dependencies) for software vulnerabilities and unintended network exposure, producing prioritized findings that integrate with Security Hub.

4. Security Hub aggregates findings across accounts. The team wants every new CRITICAL finding to automatically open a ticket in their ITSM system and trigger a Lambda remediation. Which integration approach is recommended?
  A. Poll the Security Hub API every five minutes from a Lambda function
  B. Use EventBridge to match Security Hub Findings - Imported events with severity CRITICAL and route to multiple targets
  C. Enable an SNS topic on the Security Hub master account
  D. Configure CloudTrail Insights to fire on Security Hub events
Explanation: Security Hub publishes findings as 'Security Hub Findings - Imported' events on the default EventBridge bus. EventBridge rules can filter by severity and fan out to Lambda, Step Functions, SNS, or partner targets such as ServiceNow and Jira.

5. A SOC analyst needs to investigate the relationships between an IAM principal, an EC2 instance, and external IP addresses involved in a GuardDuty finding. Which AWS service is purpose-built for this graph-based investigation?
  A. AWS Config Aggregator
  B. Amazon Detective
  C. AWS CloudTrail Lake
  D. AWS Audit Manager
Explanation: Amazon Detective ingests CloudTrail, VPC Flow Logs, GuardDuty, and EKS audit data to build a behavior graph that lets analysts pivot from a finding to related entities, timeline activity, and prior baselines.

6. The security team wants to detect EBS volumes containing malware after GuardDuty reports a suspicious EC2 instance. Which capability provides this without disrupting the workload?
  A. Run an in-place ClamAV scan via SSM on the live instance
  B. GuardDuty Malware Protection for EC2, which snapshots and scans EBS volumes in an AWS-managed account
  C. Have AWS Support analyze the instance manually
  D. Use Inspector to scan EBS snapshots once they are copied to S3
Explanation: GuardDuty Malware Protection takes a snapshot of the suspect instance's EBS volumes, restores them in an AWS-managed account, scans for malware, and reports findings — all with no impact to the running workload.

7. GuardDuty keeps generating findings for benign penetration testing originating from a corporate IP block. The team wants those specific findings to stop appearing without disabling detection. What is the correct mechanism?
  A. Disable the corresponding GuardDuty detector
  B. Create a GuardDuty suppression rule that automatically archives matching findings
  C. Add the IP block to a Network Firewall allow rule
  D. Delete the findings manually each day
Explanation: GuardDuty suppression rules let you define filter criteria (finding type, source IP, account, etc.); matching findings are automatically archived so they do not appear in the active list, while detection continues for everything else.

8. A finding indicates EKS cluster runtime activity consistent with reverse-shell behavior. Which GuardDuty feature surfaces this kind of in-container threat?
  A. GuardDuty Runtime Monitoring for EKS, ECS, and EC2
  B. GuardDuty S3 Protection
  C. GuardDuty Lambda Protection
  D. Inspector container scans
Explanation: GuardDuty Runtime Monitoring uses an eBPF-based agent to inspect process, file, and network behavior inside running containers and EC2 instances, detecting threats that only appear at runtime — like reverse shells, crypto mining, or kernel tampering.

9. Which capability lets a multi-account organization receive consolidated GuardDuty, Inspector, and Security Hub data in a single delegated security account?
  A. Manual cross-account IAM role chaining
  B. AWS Organizations delegated administrator for each security service
  C. Resource Access Manager shared findings
  D. Amazon EventBridge cross-region replication
Explanation: AWS Organizations supports delegating administrator status for GuardDuty, Inspector, Security Hub, Macie, Detective, Config, and others to a dedicated security account, enabling auto-enable for new accounts and centralized management without root access.

10. The team needs to automatically remediate a finding by isolating an EC2 instance and rotating its IAM role credentials, with auditable approvals between steps. Which combination is most appropriate?
  A. EventBridge + Lambda only
  B. EventBridge + Step Functions + Systems Manager Automation, with manual approval actions
  C. AWS Config remediation rules only
  D. GuardDuty native remediation
Explanation: Complex IR runbooks with branching, retries, and human approval are best modeled as Step Functions state machines, invoked by EventBridge from the finding and using SSM Automation documents for the actual remediation steps.
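The EventBridge routing from question 4, as an added example that is not part of the original page: the rule's event pattern for CRITICAL 'Security Hub Findings - Imported' events, plus a small re-implementation of EventBridge's matching rules (pattern lists are OR-ed literals, nested objects recurse, and any element of an event array may satisfy the sub-pattern) run over constructed sample events. The matcher, the target names and the sample findings are illustrative assumptions, not AWS code.

```python
"""Added example: select CRITICAL Security Hub findings the way an EventBridge rule does."""

# Event pattern of the rule described in question 4 (documented EventBridge syntax).
CRITICAL_FINDINGS_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]}}},
}


def matches(pattern, event) -> bool:
    """Simplified EventBridge pattern matching (assumption: re-implemented for illustration)."""
    if isinstance(event, list):
        # Security Hub batches findings in a list; any one element may satisfy the sub-pattern.
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        # Leaf: the event value must equal one of the listed literals (OR).
        return event in pattern
    if not isinstance(pattern, dict) or not isinstance(event, dict):
        return False
    # Every key in the pattern must exist in the event and match recursively.
    return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())


def make_event(*severities: str) -> dict:
    """Constructed sample event in the shape Security Hub publishes to the default bus."""
    findings = [
        {"Id": f"constructed-finding-{i}", "Severity": {"Label": label},
         "Title": "constructed sample finding"}
        for i, label in enumerate(severities)
    ]
    return {"source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": findings}}


def route(event: dict) -> list:
    """Targets the rule fans out to (hypothetical names); empty when the pattern does not match."""
    if not matches(CRITICAL_FINDINGS_PATTERN, event):
        return []
    return ["lambda:remediate", "itsm:open-ticket"]


if __name__ == "__main__":
    for sample in (make_event("CRITICAL"), make_event("MEDIUM"), make_event("LOW", "CRITICAL")):
        labels = [f["Severity"]["Label"] for f in sample["detail"]["findings"]]
        print(labels, "->", route(sample) or "no match")
```

Because findings arrive as a batch, a single CRITICAL finding anywhere in the list is enough for the rule to fire, which is why the pattern targets the nested Severity.Label rather than a top-level field.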

About the AWS Security Specialty (SCS-C03) Exam

AWS Certified Security – Specialty (SCS-C03) is the 2025+ refresh of the AWS specialty cloud-security exam, available since December 2, 2025. It validates expert skills across IAM (now the heaviest domain at 20%), data protection, infrastructure security, security logging and monitoring, threat detection and incident response, and security foundations and governance — including new content on generative AI security with Amazon Bedrock guardrails and model invocation logging.

  • Assessment: 50 scored multiple choice / multiple response / ordering / matching, plus 15 unscored items
  • Time Limit: 170 minutes
  • Passing Score: 750/1000
  • Exam Fee: $300 (AWS / Pearson VUE)

AWS Security Specialty (SCS-C03) Exam Content Outline

  • Identity and Access Management (20%): IAM users/roles/policies, SCPs, permission boundaries, IAM Identity Center, ABAC, federation (SAML/OIDC), STS, Cognito, and cross-account access — now the heaviest C03 domain
  • Security Logging and Monitoring (18%): CloudTrail (org trails, data events, Insights, Lake), CloudWatch Logs, VPC Flow Logs, Config conformance packs, Athena, OpenSearch, Security Lake (OCSF)
  • Infrastructure Security (18%): VPC design, NACLs vs SGs, VPC endpoints/PrivateLink, Network Firewall, WAF, Shield Advanced, Firewall Manager, CloudFront edge security, Verified Access, Nitro Enclaves, IRSA
  • Data Protection (18%): KMS (multi-region, grants, encryption context, Bucket Keys), CloudHSM, Secrets Manager rotation, Parameter Store, S3 encryption, ACM/Private CA, Macie, Backup Vault Lock — and Bedrock GenAI security
  • Threat Detection and Incident Response (14%): GuardDuty (Runtime, S3, EKS, Lambda, Malware Protection), Security Hub standards, Detective, Inspector, automated remediation with EventBridge + Step Functions + SSM, IR forensics
  • Security Foundations and Governance (12%): Well-Architected Security Pillar, AWS Organizations, Control Tower guardrails, Service Catalog launch constraints, Audit Manager, Artifact, conformance packs, shared responsibility model

How to Pass the AWS Security Specialty (SCS-C03) Exam

What You Need to Know

  • Passing score: 750/1000
  • Assessment: 50 scored multiple choice / multiple response / ordering / matching, plus 15 unscored items
  • Time limit: 170 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AWS Security Specialty (SCS-C03) Study Tips from Top Performers

1. Master IAM policy evaluation order — explicit Deny > SCP > resource-based > identity > permission boundary > session policy
2. Practice KMS scenarios: cross-account decrypt, multi-region keys, encryption context, grants, and S3 Bucket Keys for cost
3. Build muscle memory with GuardDuty + EventBridge + Step Functions + SSM Automation incident-response runbooks
4. Study network controls comparatively: SG vs NACL, Network Firewall vs WAF, OAC vs OAI, VPC endpoints vs PrivateLink
5. Walk through Bedrock guardrails, model invocation logging, and IAM scoping for InvokeModel — the new Domain 3 GenAI content
6. Use Security Hub + Config conformance packs to map controls to NIST 800-53, PCI DSS, HIPAA, and AWS Foundational Best Practices
7. Take full-length 170-minute timed practice exams to build endurance for ordering and matching items

Frequently Asked Questions

What changed in SCS-C03 versus SCS-C02?

SCS-C03 retired the C02 on December 1, 2025. IAM weight grew from 16% to 20% (now heaviest), Threat Detection & IR dropped 2% to 14%, Infrastructure Security dropped 2% to 18%, Domain 6 was renamed to Security Foundations and Governance, GenAI security (Bedrock) was added, and new question formats include ordering and matching items.

What is the SCS-C03 exam structure?

65 questions in 170 minutes: 50 scored items (multiple choice, multiple response, ordering, matching) plus 15 unscored research items. The passing score is a scaled 750 on a 100–1000 scale. The exam costs US$300 and is delivered by Pearson VUE at a test center or as an online proctored OnVUE exam.

What background does AWS recommend?

AWS recommends 5+ years of IT security experience with at least 2 years of hands-on AWS security work. There are no prerequisite certifications, but Solutions Architect Associate, SysOps Associate, or the Cloud Practitioner provide a useful baseline before tackling the specialty.

How long should I study for SCS-C03?

Most successful candidates spend 100–150 hours over 8–14 weeks. Hands-on labs in IAM policy evaluation, KMS key/grant management, GuardDuty/Security Hub workflows, VPC inspection patterns, and Bedrock guardrails pay off more than memorization.

Is GenAI security really on the SCS-C03 exam?

Yes. The C03 blueprint adds Skill 3.2.7 in Domain 3 covering generative AI security: Bedrock model invocation logging, guardrails for prompt injection and PII, encryption of foundation-model data, and IAM scoping for InvokeModel.

How long is the certification valid?

AWS specialty certifications are valid for three years. You can recertify by retaking the current version of the exam or by passing a higher-level AWS exam that covers the same content area.

What is the retake policy if I fail?

If you fail SCS-C03, AWS requires a 14-day waiting period before a retake. Each retake costs the full $300. After passing, the same exam cannot be retaken for two years.