Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 101:
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.
What two methods can the security team use to rotate each key? Select 2 answers from the options given below
Please select:
A. Enable automatic key rotation for a CMK
B. Import new key material to an existing CMK
C. Use the CLI or console to explicitly rotate an existing CMK
D. Import new key material to a new CMK; point the key alias to the new CMK.
E. Delete an existing CMK and a new default CMK will be created.
Answer:
A. Enable automatic key rotation for a CMK
D. Import new key material to a new CMK; point the key alias to the new CMK.
Explanation/Reference:
The AWS Documentation mentions the following:

Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.

Rotating Keys Manually: You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation. When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK.

Option B is invalid because you also need to point the key alias to the new key. Option C is invalid because existing CMKs cannot be rotated as they are. Option E is invalid because deleting existing keys will not guarantee the creation of a new default CMK.

For more information on key rotation, please see the link below: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

The correct answers are: Enable automatic key rotation for a CMK; Import new key material to a new CMK and point the key alias to the new CMK.
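The manual rotation described above, as an added example that is not part of the exam page or of AWS's own code: a small in-memory stand-in for KMS in which ciphertexts carry the id of the CMK that produced them, so re-pointing the alias switches new encryptions to the new key while old data keeps decrypting as long as the original key stays enabled. Key ids, alias names, key material and the SHAKE-based toy cipher are all constructed for the example.

```python
import hashlib
import secrets

# In-memory stand-in for KMS, constructed for this example: keys, aliases, and
# ciphertexts that carry the id of the CMK that produced them, which is how the
# explanation above describes KMS picking the key on decrypt.
KEYS = {}     # key_id -> {"origin": str, "enabled": bool, "material": bytes}
ALIASES = {}  # alias name -> key_id

def create_key(origin, material=None):
    """EXTERNAL origin uses the imported material; any other origin gets KMS-generated material."""
    key_id = "key-" + secrets.token_hex(4)
    if origin != "EXTERNAL":
        material = secrets.token_bytes(32)
    KEYS[key_id] = {"origin": origin, "enabled": True, "material": material}
    return key_id

def update_alias(alias, key_id):
    """Re-point the alias; callers that encrypt through the alias switch keys at once."""
    ALIASES[alias] = key_id

def _xor(data, material, nonce):
    # Toy keystream (SHAKE-256 of material+nonce) so the demo runs offline; not KMS's real cipher.
    stream = hashlib.shake_256(material + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(alias, plaintext):
    key_id = ALIASES[alias]
    if not KEYS[key_id]["enabled"]:
        raise PermissionError("DisabledException: " + key_id)
    nonce = secrets.token_bytes(16)
    return key_id.encode() + b":" + nonce + _xor(plaintext, KEYS[key_id]["material"], nonce)

def decrypt(ciphertext):
    # No alias needed: the key id travels with the ciphertext, so data encrypted
    # before the rotation still decrypts as long as the original CMK stays enabled.
    key_id, rest = ciphertext.split(b":", 1)
    key = KEYS[key_id.decode()]
    if not key["enabled"]:
        raise PermissionError("DisabledException: " + key_id.decode())
    return _xor(rest[16:], key["material"], rest[:16])

def rotate_manually(alias, new_material):
    """Manual rotation for an imported-material CMK: create a new CMK with the new
    material, point the alias at it, leave the original enabled. Returns (old_id, new_id)."""
    old = ALIASES[alias]
    new = create_key("EXTERNAL", new_material)
    update_alias(alias, new)
    return old, new
```

Disabling the old key after rotation makes everything it encrypted unreadable, which is why the original must stay enabled until all data under it has been re-encrypted.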
Question 102:
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
What action should be performed to allow the ping to work?
A. In the security group of the EC2 instance, allow inbound ICMP traffic.
B. In the security group of the EC2 instance, allow outbound ICMP traffic.
C. In the VPC's NACL, allow inbound ICMP traffic.
D. In the VPC's NACL, allow outbound ICMP traffic.
Answer:
D. In the VPC's NACL, allow outbound ICMP traffic.
Question 103:
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific IoT device brand that is visible in the user agent. A security engineer needs to mitigate the attack without impacting the availability of the public website.
What should the security engineer do to accomplish this?
A. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB.
B. Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB. Change the public DNS entry of the website to point to the CloudFront distribution.
C. Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device. Change the ALB security group to allow access from CloudFront IP address ranges only. Change the public DNS entry of the website to point to the CloudFront distribution.
D. Activate AWS Shield Advanced to enable DDoS protection. Apply an AWS WAF ACL to the ALB, and configure a listener rule on the ALB to block IoT devices based on the user agent.
Answer:
D. Activate AWS Shield Advanced to enable DDoS protection. Apply an AWS WAF ACL to the ALB, and configure a listener rule on the ALB to block IoT devices based on the user agent.
Question 104:
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?
A. Use custom route tables to prevent malicious traffic from routing to the instances.
B. Update security groups to deny traffic from the originating source IP addresses.
C. Use network ACLs.
D. Install intrusion prevention software (IPS) on each instance.
Answer:
D. Install intrusion prevention software (IPS) on each instance.
A NACL has a limit of 20 rules (which can be increased to a maximum of 40), and adding more rules increases latency.
Question 105:
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
A. Use the containers to automate security deployments.
B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C. Segregate containers by host, function, and data classification.
D. Use Docker Notary framework to sign task definitions.
E. Enable container breakout at the host kernel.
Answer:
A. Use the containers to automate security deployments.
C. Segregate containers by host, function, and data classification.
Question 106:
A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.
Which application flow would meet the data protection requirements on AWS?
A. Digitized files -> Amazon Kinesis Data Analytics
B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
C. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
D. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch
Answer:
B. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
Question 107:
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time.
Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
Answer:
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
Question 108:
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that holds critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
B. Ensure the bucket policy has a condition which involves aws:AccountNumber
C. Ensure the bucket policy has a condition which involves aws:PrincipalID
D. Ensure the bucket policy has a condition which involves aws:OrgID
Answer:
A. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
Explanation/Reference:
The AWS Documentation mentions the following:

AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization.

Options B, C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrgID.

For more information on controlling access via Organizations, please refer to the link below: https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principal

The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
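A bucket policy carrying the aws:PrincipalOrgID condition, beside an audit check that flags Allow statements open to any principal without it, as an added example not taken from the exam page or from AWS. The bucket name and organization id are constructed placeholders; the real organization id comes from AWS Organizations.

```python
import json

ORG_ID = "o-exampleorgid"        # placeholder: replace with the organization's real id
BUCKET = "example-critical-data"  # constructed bucket name for the example

def org_scoped_bucket_policy(bucket, org_id):
    """Bucket policy that lets any principal read the bucket, but only when the
    calling principal's account belongs to the organization (aws:PrincipalOrgID)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadFromOrgPrincipalsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::%s" % bucket, "arn:aws:s3:::%s/*" % bucket],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }

def unscoped_statements(policy):
    """Audit check: Sids of Allow statements granted to any principal ('*') that
    lack an aws:PrincipalOrgID condition, i.e. statements reachable from outside the org."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_any = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if not is_any:
            continue
        cond = stmt.get("Condition", {})
        keys = {k.lower() for operator in cond.values() for k in operator}  # keys are case-insensitive
        if "aws:principalorgid" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Weak policy for comparison: the same read grant with no organization condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowReadFromAnyone", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::%s/*" % BUCKET}],
}

if __name__ == "__main__":
    print(json.dumps(org_scoped_bucket_policy(BUCKET, ORG_ID), indent=2))
    print("weak policy findings:", unscoped_statements(WEAK_POLICY))
    print("scoped policy findings:", unscoped_statements(org_scoped_bucket_policy(BUCKET, ORG_ID)))
```

The condition admits every principal in every member account, so narrowing access to particular roles is still done through the Principal element or the callers' IAM policies.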
Question 109:
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions. What is the SIMPLEST way to meet these requirements?
A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
Answer:
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
Question 110:
A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) CMK. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.
The security team is unable to get objects from the S3 bucket.
Which factors could cause this issue? (Choose three.)
A. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListBucket action to the S3 bucket in the AWS accounts.
B. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListParts action to the S3 bucket in the AWS accounts.
C. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:ListKeys action to the EC2 instance profile ARN.
D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.
F. The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.
Answer:
A. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListBucket action to the S3 bucket in the AWS accounts.
D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
F. The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.