Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 91:
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs). Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?
A. The account's CMK key policy must allow the account's IAM roles to perform kms:EnableKey.
B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
C. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation.
D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
Question 92:
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts?
Please select:
A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.
Explanation/Reference:
Given the current requirements, assume the method of "least privilege" security design and only allow the auditor access to the minimum amount of AWS resources as possible.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Option A is incorrect since the auditor should only be granted access in one location.
Option B is incorrect since consolidated billing is not a key requirement as part of the question.
Option C is incorrect since there is no consolidated logging feature inside CloudTrail.

For more information on CloudTrail please refer to the below URL: https://aws.amazon.com/cloudtrail/

The correct answer is: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.
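The following bucket policy is an added illustration of the answer above; it is not from the original page or from AWS documentation. It sits on a central CloudTrail bucket in the primary account and does three things: lets the CloudTrail service check the bucket ACL, lets CloudTrail write log objects for each secondary account under its own AWSLogs/<account-id>/ prefix (requiring the bucket-owner-full-control ACL so the primary account owns the objects), and grants a single read-only auditor role in the primary account the ability to list and read the logs. The bucket name, account IDs (111111111111 and 222222222222) and role name are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-cloudtrail-logs-EXAMPLE"
    },
    {
      "Sid": "AWSCloudTrailWriteFromEachAccount",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::central-cloudtrail-logs-EXAMPLE/AWSLogs/111111111111/*",
        "arn:aws:s3:::central-cloudtrail-logs-EXAMPLE/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    },
    {
      "Sid": "AuditorReadOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/AuditorReadOnly"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::central-cloudtrail-logs-EXAMPLE",
        "arn:aws:s3:::central-cloudtrail-logs-EXAMPLE/*"
      ]
    }
  ]
}
```

Each secondary account's trail is then pointed at this bucket name; every account that needs to deliver logs must have its own prefix listed in the PutObject statement, and the auditor assumes the single AuditorReadOnly role in the primary account rather than receiving credentials in any secondary account. A practitioner would also add an aws:SourceArn condition on the CloudTrail service statements, scoped to the expected trail ARNs, so that only those trails can use the bucket.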
Question 93:
A security engineer is setting up a new AWS account. The engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks.
How can the security engineer accomplish this using AWS services?
A. Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled.
B. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings.
C. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
D. Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
D. Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
Question 94:
Your application currently uses AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?
Please select:
A. Create different Cognito endpoints, one for the readers and the other for the contributors.
B. Create different Cognito groups, one for the readers and the other for the contributors.
C. You need to manage this within the application itself.
D. This needs to be managed via web security tokens.
B. Create different cognito groups, one for the readers and the other for the contributors.
Explanation/Reference:
The AWS documentation mentions the following: You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.

Option A is incorrect since you need to create Cognito groups and not endpoints.
Options C and D are incorrect since these would be overheads when you can use AWS Cognito.

For more information on AWS Cognito user groups please refer to the below link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

The correct answer is: Create different Cognito groups, one for the readers and the other for the contributors.
Question 95:
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?
A. Disable network ACLs.
B. Configure the security appliance's elastic network interface for promiscuous mode.
C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
D. Place the security appliance in the public subnet with the internet gateway.
C. Disable the Network Source/Destination check on the security appliance's elastic network interface
Explanation/Reference:
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. In this case the virtual security appliance instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the appliance's network interface, just as you would on a NAT instance.
Question 96:
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)
A. AWS Site-to-Site VPN
B. AWS Direct Connect
C. AWS VPN CloudHub
D. VPC peering
E. NAT gateway
B. AWS Direct Connect
D. VPC peering
Explanation/Reference:
Question 97:
A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used but it must be retained.
What is the MOST secure and cost-effective solution to meet these requirements?
A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API.
B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy.
C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API.
D. Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume.
B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
Explanation/Reference:
Most cost-effective: S3 Glacier.
Most secure: Vault Lock policy.
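As an added example of what the Vault Lock answer looks like in practice (not from the original page), the policy below denies deletion of any archive in the vault until it is 2555 days (about seven years) old, using the glacier:ArchiveAgeInDays condition key. The region, account ID, vault name and the 2555-day retention period are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteUntilRetentionPeriodElapses",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "glacier:DeleteArchive",
      "Resource": "arn:aws:glacier:us-east-1:111111111111:vaults/log-archive-EXAMPLE",
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "2555"
        }
      }
    }
  ]
}
```

The difference from option A is what happens after the policy is applied: an S3 bucket policy that denies s3:DeleteObject can be edited or removed by any principal with permission to change the bucket policy, whereas a Vault Lock policy is initiated (aws glacier initiate-vault-lock), can be tested for 24 hours, and once completed (aws glacier complete-vault-lock with the returned lock ID) becomes immutable, so not even the account's administrators can loosen it before the retention period elapses.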
Question 98:
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?
A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
B. Configure the CMK key policy to allow AWS KMS actions only when the kms ViaService condition matches the Amazon S3 service name.
Question 99:
You are creating a Lambda function which will be triggered by a Cloudwatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Please select:
A. Put the AWS access keys in the Lambda function since the Lambda function by default is secure.
B. Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
C. Use the AWS access keys which have access to DynamoDB and then place them in an S3 bucket.
D. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
B. Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
Explanation/Reference:
AWS Lambda functions use roles to interact with other AWS services. So use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

Options A and C are both invalid because you should never embed AWS access keys for access.
Option D is invalid because a VPC endpoint is a VPC networking feature, not a way to grant permissions.

For more information on the Lambda function permission model, please visit the URL: https://docs.aws.amazon.com/lambda/latest/dg/intro-permissionmodel.html

The correct answer is: Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
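The CloudFormation fragment below is an added example of the execution role the answer describes; it is not from the original page. The trust policy lets only the Lambda service assume the role, the AWS-managed AWSLambdaBasicExecutionRole policy supplies CloudWatch Logs permissions, and the inline policy grants just dynamodb:PutItem on the one table the function writes to, so no long-lived access keys exist anywhere in the function. The role name, table name, region and account ID are constructed placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EventWriterRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "cw-event-writer-role-EXAMPLE",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ],
        "Policies": [
          {
            "PolicyName": "PutEventsIntoTable",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:PutItem",
                  "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/cw-events-EXAMPLE"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

The function is attached to the role by setting its Role property (or the --role argument of aws lambda create-function) to the role's ARN; at invocation time Lambda obtains temporary credentials for the role and exposes them to the SDK automatically, which is why no keys appear in the code or configuration.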
Question 100:
A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future. What are some ways the Engineer could achieve this? (Select THREE.)
A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
B. Move the static content to Amazon S3 and front this with an Amazon CloudFront distribution.
C. Change the security group configuration to block the source of the attack traffic.
D. Use AWS WAF security rules to inspect the inbound traffic.
E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
F. Use Amazon Route 53 to distribute traffic.
B. Move the static content to Amazon S3 and front this with an Amazon CloudFront distribution.
D. Use AWS WAF security rules to inspect the inbound traffic.
F. Use Amazon Route 53 to distribute traffic.