Actual Dumps for Amazon SCS-C03 Exam 2026

Question No: 1

MultipleChoice

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

Options

AAdd an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

BRemove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

CCreate a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

DCreate an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Question No: 2

MultipleChoice

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

Options

AUse AWS PrivateLink with the ALB.

BReplace the ALB with an internal ALB.

CRestrict ALB listener rules to CloudFront IP ranges.

DRequire a custom header from CloudFront and validate it at the ALB.

Question No: 3

MultipleChoice

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options

AConfigure a cron job on the instances to forward the log files to Amazon S3 periodically.

BConfigure AWS Glue and Amazon Athena to query the log files.

CConfigure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

DConfigure Amazon CloudWatch Logs Insights to query the log files.

EConfigure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Question No: 4

MultipleChoice

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options

AVerify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

BVerify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

CModify the route tables for the public subnets to add a local route to the VPC CIDR range.

DModify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.

EModify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.

Free Amazon SCS-C03 Exam Dumps June 2026