Actual Dumps for Amazon SCS-C03 Exam 2026

Question No: 1

MultipleChoice

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

Options

AUse AWS PrivateLink with the ALB.

BReplace the ALB with an internal ALB.

CRestrict ALB listener rules to CloudFront IP ranges.

DRequire a custom header from CloudFront and validate it at the ALB.

Question No: 2

MultipleChoice

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options

AConfigure a cron job on the instances to forward the log files to Amazon S3 periodically.

BConfigure AWS Glue and Amazon Athena to query the log files.

CConfigure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

DConfigure Amazon CloudWatch Logs Insights to query the log files.

EConfigure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Question No: 3

MultipleChoice

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options

AVerify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

BVerify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

CModify the route tables for the public subnets to add a local route to the VPC CIDR range.

DModify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.

EModify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.

Free Amazon SCS-C03 Exam Dumps May 2026