SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 151:

    A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

    When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

    A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

    Which combination of steps should the security engineer take to meet these requirements? (Choose two.)

    A. In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
    B. In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
    C. In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
    D. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.
    E. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

  • Question 152:

    An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.

    Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below.

    Please select:

    A. A network ACL with a rule that allows outgoing traffic on port 443.
    B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
    C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
    D. A security group with a rule that allows outgoing traffic on port 443.
    E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
    F. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

  • Question 153:

    A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.

    What is the MOST scalable solution that meets these requirements?

    A. Permissions boundaries in AWS Identity and Access Management (IAM)
    B. S3 bucket policies
    C. Tag policies
    D. SCPs

  • Question 154:

    A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

    How can a security engineer provide the access to meet these requirements?

    A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
    B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
    C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
    D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.

  • Question 155:

    You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?

    Please select:

    A. AWS KMS
    B. AWS S3 Server-side encryption
    C. AWS Customer Keys
    D. AWS Cloud HSM

  • Question 156:

    A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.

    What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.

    Please select:

    A. Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.
    B. Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.
    C. Enable CloudTrail log file integrity validation.
    D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.
    E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.

  • Question 157:

    A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which action would provide the required functionality?

    A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
    B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
    C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
    D. Use key policies to restrict access to the appropriate IAM groups.

  • Question 158:

    A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.

    What should the Security Engineer do to accomplish this?

    A. Filter AWS CloudTrail logs for KeyRotation events.
    B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
    C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
    D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events.

  • Question 159:

    Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code:

    arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey

    Which of the following could help resolve the issue?

    Please select:

    A. Ensure that UserB is given the right IAM role to access the key
    B. Ensure that UserB is given the right permissions in the IAM policy
    C. Ensure that UserB is given the right permissions in the Key policy
    D. Ensure that UserB is given the right permissions in the Bucket policy

  • Question 160:

    A company has decided to use AWS Key Management Service (AWS KMS) for all of its encryption keys. The company plans to create all of its keys as customer managed CMKs and will not import any encryption keys. The company must rotate its encryption keys once every 12 months.

    Which solution will meet these requirements?

    A. Change the customer managed CMK key policy to enable automatic key rotation.
    B. Use AWS managed CMKs instead of customer managed CMKs so that AWS will rotate the keys automatically.
    C. Invoke an AWS Lambda function regularly to rotate the backing key of each customer managed CMK.
    D. Enable automatic key rotation for each customer managed CMK after it has been created in AWS KMS.
