SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 191:

    A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.

    What is the MOST cost-effective way to address this security issue?

    A. Set up IAM policies from the Lambda console to hide access to the environment variables.
    B. Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
    C. Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
    D. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

  • Question 192:

    A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams.

    Additional S3 buckets can be created or deleted.

    An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

    Which solution meets these requirements?

    A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
    B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
    C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
    D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

  • Question 193:

    A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

    This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application's EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.

    What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

    A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
    B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
    C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
    D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

  • Question 194:

    A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs. Which Amazon Web Services (AWS) services should be employed to satisfy these requirements? (Select two.)

    A. Amazon Athena
    B. Amazon Kinesis
    C. Amazon SQS
    D. Amazon Elasticsearch
    E. Amazon EMR

  • Question 195:

    A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.

    Which approach MOST efficiently meets the company's needs?

    A. Use the AWS Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
    B. Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
    C. Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
    D. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

  • Question 196:

    A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

    The Security Auditor finds that the users who are able to assume roles without MFA are all coming from the AWS CLI. These users are using long-term AWS credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

    A. Option A
    B. Option B
    C. Option C
    D. Option D
    E. Option E

  • Question 197:

    A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.

    The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.

    What could be the reason for the noncompliant status?

    A. The IAM credential report was generated within the past 4 hours.
    B. The security engineer does not have the GenerateCredentialReport permission.
    C. The security engineer does not have the GetCredentialReport permission.
    D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.

  • Question 198:

    A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.

    Please select:

    A. Change the access keys for all IAM users.
    B. Delete all custom created IAM policies
    C. Delete the access keys for the root account
    D. Confirm MFA to a secure device
    E. Change the password for the root account
    F. Change the password for all IAM users

  • Question 199:

    A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.

    After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.

    All EBS snapshots are encrypted using an AWS KMS CMK.

    Which solution would solve this problem?

    A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
    B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
    C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
    D. Use AWS Backup to copy EBS snapshots to Amazon S3.

  • Question 200:

    Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.

    Please select:

    A. Use Windows BitLocker for EBS volumes on Windows instances
    B. Use TrueEncrypt for EBS volumes on Linux instances
    C. Use AWS Systems Manager to encrypt the existing EBS volumes
    D. Boot EBS volume can be encrypted during launch without using custom AMI
