SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 201:

    Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.

    Please select:

    A. Create a Cloudwatch Events Rule
    B. Create a Cloudwatch Logs Rule
    C. Use a Lambda function
    D. Use Cloudtrail API call

  • Question 202:

    What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

    A. Use the AWS account root user access keys instead of the AWS Management Console
    B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
    C. Enable multi-factor authentication for the AWS account root user
    D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
    E. Do not create access keys for the AWS account root user; instead, create AWS IAM users

  • Question 203:

    A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).

    Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)

    A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
    B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
    C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
    D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
    E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

  • Question 204:

    Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances needs to be secure. How would you accomplish this?

    Please select:

    A. Use an Application Load balancer and terminate the SSL connection at the ELB
    B. Use a Classic Load balancer and terminate the SSL connection at the ELB
    C. Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
    D. Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

  • Question 205:

    Which of the below services can be integrated with the AWS Web Application Firewall service? Choose 2 answers from the options given below.

    Please select:

    A. AWS Cloudfront
    B. AWS Lambda
    C. AWS Application Load Balancer
    D. AWS Classic Load Balancer

  • Question 206:

    A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs. Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU. The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.

    How can the company prevent developer accounts from launching unapproved EC2 instance types?

    A. Create a new launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list. Associate these templates with all IAM principals in the account.
    B. Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.
    C. Use a managed SCP that is attached to the organization's root account to deny the ec2:RunInstances API call for instance types that are not in an approved list.
    D. Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.

  • Question 207:

    A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees.

    What should the company do to meet these requirements?

    A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
    B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
    C. Establish a VPN connection with the AWS virtual private cloud over the internet.
    D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

  • Question 208:

    A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

    1. Encryption in transit
    2. Encryption at rest
    3. Logging of all object retrievals in AWS CloudTrail

    Which of the following meet these security requirements? (Choose three.)

    A. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
    B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
    C. Set up default encryption for the S3 bucket.
    D. Enable Amazon CloudWatch Logs for the AWS account.
    E. Enable API logging of data events for all S3 objects.
    F. Enable S3 object versioning for the S3 bucket.

  • Question 209:

    A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.

    What is the FASTEST way for the security engineer to identify the federated user?

    A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
    B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
    C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
    D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.

  • Question 210:

    A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:

    - Content-Security-Policy
    - X-Frame-Options
    - X-XSS-Protection

    The Engineer does not have access to the source code of the legacy web application.

    Which of the following approaches would meet this requirement?

    A. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
    B. Implement an AWS Lambda@Edge origin response function that inserts the required headers.
    C. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
    D. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.