SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: Jan 13, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 1:

    A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.

    Which solution will meet these requirements?

    A. Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.
    B. Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.
    C. Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.
    D. Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.

  • Question 2:

    A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

    Which solution will meet these requirements in the MOST operationally efficient manner?

    A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
    C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
    D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

  • Question 3:

    A company uses Amazon Route 53 to create a public DNS zone for the domain example.com in Account A. The company creates another public DNS zone for the subdomain dev.example.com in Account B. A security engineer creates a wildcard certificate (*.dev.example.com) with DNS validation by using AWS Certificate Manager (ACM). The security engineer validates that the corresponding CNAME records have been created in the zone for dev.example.com in Account

    A. Purchase a valid wildcard certificate authority (CA) certificate that supports managed renewal. Import this certificate into ACM in Account B.
    B. Add NS records for the subdomain dev.example.com to the Route 53 parent zone example.com in Account A.
    C. Use AWS Certificate Manager Private Certificate Authority to create a subordinate certificate authority (CA). Use ACM to generate a private certificate that supports managed renewal.
    D. Resend the email message that requests ownership validation of dev.example.com.

  • Question 4:

    A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.

    Which solution will meet these requirements?

    A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
    B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.
    C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
    D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

  • Question 5:

    A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are running in a single AWS account. No internet connectivity is allowed from any EC2 instances in the account.

    A security engineer has configured the relevant settings in Patch Manager. The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.

    Which combination of steps must the security engineer take to meet these requirements? (Choose three.)

    A. Create a gateway VPC endpoint for com.amazonaws.[region].s3.
    B. Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
    C. Create a NAT gateway.
    D. Update the route tables to route Systems Manager traffic through the NAT gateway.
    E. Update the route tables with a route to the gateway VPC endpoint.
    F. Update the route tables to route the update traffic through the NAT gateway.

  • Question 6:

    A company's security engineer must record when specific AWS Lambda functions are invoked. The logs must include the AWS principal that invoked the function. External sources and the company's developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang. The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Update the Lambda function code to extract the AWS principal from the Lambda context and to write a log entry when the function to be monitored is invoked.
    B. Use Amazon EventBridge (Amazon CloudWatch Events) to configure a rule and custom pattern for lambda:invoke events with a filter on the functions to monitor. Invoke another Lambda function to write the EventBridge (CloudWatch Events) data to Amazon CloudWatch Logs.
    C. Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.
    D. Create a Lambda layer that provides CloudTrail with a log event that includes the Lambda context when the function is invoked. Attach this layer to all Lambda functions that must be monitored.

  • Question 7:

    A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company's security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.

    How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?

    A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.
    B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.
    C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.
    D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.

  • Question 8:

    A company plans to use AWS CodeDeploy to deploy code to multiple Amazon EC2 instances in a VPC at the same time. The company needs to allow the CodeDeploy service to communicate with the instances in the VPC without going through the public internet for CodeDeploy API operations.

    What should a security engineer do to meet this requirement?

    A. Use a NAT gateway in the VPC.
    B. Use an interface VPC endpoint for CodeDeploy API operations.
    C. Use a gateway VPC endpoint for CodeDeploy API operations.
    D. Use a VPN connection to the VPC.

  • Question 9:

    A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

    Which solution will meet these requirements?

    A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
    B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
    C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
    D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

  • Question 10:

    A company's security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket. The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption. Recently, the company changed the key on the S3 bucket to a new KMS key.

    Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket. The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.

    Log files that were written to the S3 bucket before the bucket key was changed are still accessible. The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.

    What is the MOST likely cause of this error?

    A. The security engineer's IAM user does not have encrypt and decrypt permissions for the new KMS key.
    B. The security engineer's IAM user does not have administrative permissions for the new KMS key.
    C. The S3 bucket policy needs modification to allow users to access objects that are encrypted with the new KMS key.
    D. The S3 bucket policy needs modification to allow the security engineer's IAM user to access objects in the S3 bucket.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.