Amazon SCS-C01 Online Practice
Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code
:SCS-C01
Exam Name
:AWS Certified Security - Specialty (SCS-C01)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:733 Q&As
Last Updated
:Jul 08, 2026
Amazon SCS-C01 Online Questions &
Answers
Question 1:
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable.
What is the MOST cost-effective way to manage the storage of credentials?
A. Use AWS Systems Manager to store the credentials as Secure Strings Parameters.Secure by using an AWS KMS key. B. Use AWS Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance. C. Use AWS Secrets Manager to store the credentials. D. Store the credentials in a JSON file on Amazon S3 with server-side encryption.
A. Use AWS Systems Manager to store the credentials as Secure Strings Parameters.Secure by using an AWS KMS key.
A company's security officer is concerned about the risk of AWS account root user logins and has assigned a security engineer to implement a notification solution for near-real-time alerts upon account root user logins.
How should the security engineer meet these requirements?
A. Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the security team's distribution list. B. Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team's distribution list. C. Save AWS CloudTrail logs to an Amazon S3 bucket in the security team's account. Process the CloudTrail logs with the security engineer's logging solution for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events. D. Save VPC Flow Logs to an Amazon S3 bucket in the security team's account, and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
B. Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team's distribution list.
A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline,
the build fails with the following error: “AccessDenied: Access Denied status code: 403”.
The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.
Which combination of steps will meet these requirements? (Choose two.)
A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance. D. Ensure that the security engineer's IAM role has the s3:PutObject permission for the S3 bucket. E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.
B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
Explanation/Reference:
Question 4:
A company uses AWS Signer with all of the company's AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions.
Which solution will meet this requirement?
A. Revoke all versions of the signing profile assigned to the developer. B. Examine the developer's IAM roles. Remove all permissions that grant access to Signer. C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key. D. Use Amazon CodeGuru to profile all the code that the Lambda functions use.
C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.
Explanation/Reference:
Question 5:
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B. B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B. C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B. D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
Explanation/Reference:
Question 6:
A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to encrypt at rest. How can this be achieved? Please select:
A. Use AWS Access keys to encrypt the data B. Use SSL certificates to encrypt the data C. Enable server side encryption on the S3 bucket D. Enable MFA on the S3 bucket
C. Enable server side encryption on the S3 bucket
Explanation/Reference:
The AWS Documentation mentions the following Server-side encryption is about data encryption at rest--that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you
access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.
Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data.
Option D is invalid because MFA is just used as an extra level of security for S3 buckets For more information on S3 server side encryption, please refer to the below Link:
A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.
Which solution will meet these requirements MOST cost-effectively?
A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution. B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution. C. Use the geo restriction feature in CloudFront to deny the specific countries. D. Use geolocation headers in CloudFront to deny the specific countries.
C. Use the geo restriction feature in CloudFront to deny the specific countries.
Your company has a set of EC2 Instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below
Please select:
A. Use a host based intrusion detection system B. Use a third party firewall installed on a central EC2 instance C. Use VPC Flow logs D. Use Network Access control lists logging
A. Use a host based intrusion detection system B. Use a third party firewall installed on a central EC2 instance
Explanation/Reference:
If you want to inspect the packets themselves, then you need to use custom based software A diagram representation of this is given in the AWS Security best practices
Option C is invalid because VPC Flow logs cannot conduct packet inspection. For more information on AWS Security best practices, please refer to below URL: The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2
Question 9:
A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS How should a security engineer implement this solution?
A. Add the file-system-id efs aws-region amazonaws com URL to the allow list for the data center firewall Install the AWS CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the AWS CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support In the EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the AWS CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address
Question 10:
A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group
The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an IAM access key and secret key The IAM access key and secret key are stored inside the AMI that is specified in the Auto Scaling group's launch configuration The company is concerned that the credentials that are stored in the AMI might also have been exposed
The company must implement a solution that remediates the security concerns without causing downtime for the application The solution must comply with security best practices
Which solution will meet these requirements'?
A. Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh B. Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked IAM role that includes a custom policy that matches the potentially compromised access key permission Associate the new IAM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh. C. Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an IAM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and IAM role Perform an EC2 Auto Scaling instance refresh D. Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh
C. Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an IAM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and IAM role Perform an EC2 Auto Scaling instance refresh
Explanation/Reference:
The AWS documentation states that you can create a new AMI without the potentially compromised credentials and create an IAM role that includes the correct permissions. You can then create a launch template for the Auto Scaling group to reference the new AMI and IAM role. This method is the most secure way to remediate the security concerns without causing downtime for the application. References: AWS Security Best Practices
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SCS-C01 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.