Amazon SCS-C01 Online Practice Questions and Exam Preparation
SCS-C01 Exam Details
Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026
Amazon SCS-C01 Online Questions & Answers
Question 231:
A company provides an AWS account for each of its teams. Members of each team authenticate with AWS by using user accounts in their own team's account.
The company created a project-specific AWS account for collaboration by three or more teams. The company also created a new Amazon S3 bucket inside this new account. There is no S3 bucket policy or S3 ACL. A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket.
What should the security engineer do to meet these requirements?
A. In the same AWS account where the S3 bucket resides, update the bucket's ACL to include the canonical user ID of the teams' AWS accounts. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
B. In the same AWS account where the S3 bucket resides, create an IAM role that has appropriate permissions for the bucket. Include a trust policy that specifies the teams' AWS accounts as the principals. Teams will assume the role when they read objects and write to objects in the bucket.
C. In the same AWS account where the S3 bucket resides, add a bucket policy to allow all the teams to read objects and write to objects in the bucket. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
D. In the same AWS account where the S3 bucket resides, create an IAM user, an IAM group, and access keys for each team. Each team will share its access keys when the team reads objects and writes to objects in the bucket.
Answer: C. In the same AWS account where the S3 bucket resides, add a bucket policy to allow all the teams to read objects and write to objects in the bucket. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
Explanation/Reference:
Question 232:
You have an EC2 instance with the following security configured:
1. ICMP inbound allowed on Security Group
2. ICMP outbound not configured on Security Group
3. ICMP inbound allowed on Network ACL
4. ICMP outbound denied on Network ACL
If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
Please select:
A. An ACCEPT record for the request based on the Security Group
B. An ACCEPT record for the request based on the NACL
C. A REJECT record for the response based on the Security Group
D. A REJECT record for the response based on the NACL
Answer: A. An ACCEPT record for the request based on the Security Group; B. An ACCEPT record for the request based on the NACL; D. A REJECT record for the response based on the NACL
Explanation/Reference:
This example is given in the AWS documentation as well. For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer.
In a flow log, this is displayed as two flow log records:
1. An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
2. A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the security group allows the response, so no REJECT record based on the security group is present.
For more information on Flow Logs, please refer to the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL
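To make the stateful-versus-stateless reasoning in this explanation concrete, here is an added Python example written for this page; it is not AWS code and not part of the question bank. It models the security group and the network ACL as per-direction protocol allow lists, predicts the ACCEPT/REJECT action for the ping request and its response, and parses two constructed flow log records in the default 14-field format (placeholder account and ENI ids; the IP addresses are the ones from the explanation) to compare against the prediction. It goes slightly beyond the question: it also shows that once ICMP is allowed outbound on the NACL the response is accepted, while a fresh outbound ping started by the instance is still stopped by the security group's missing outbound rule.

```python
"""Stateful security group vs stateless network ACL for an ICMP ping, and
the VPC Flow Log records that result. Added example for this page, not AWS
code. The rule evaluation is a simplified model (protocol-level allow lists,
no CIDR or rule-number matching); the log lines are constructed."""
from dataclasses import dataclass

INSTANCE_IP = "172.31.16.139"  # instance private IP from the explanation
HOME_IP = "203.0.113.12"       # home computer IP from the explanation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str       # "icmp", "tcp" or "udp"
    is_response: bool   # reply flow to a request that was already allowed


def _direction_rules(pkt, inbound, outbound):
    """Pick the rule set for the packet's direction relative to the instance."""
    return outbound if pkt.src == INSTANCE_IP else inbound


def security_group_allows(pkt, inbound, outbound):
    """Security groups are stateful: the reply to an allowed request is
    permitted even when no rule exists for the reply's own direction."""
    if pkt.is_response:
        return True
    return pkt.protocol in _direction_rules(pkt, inbound, outbound)


def nacl_allows(pkt, inbound, outbound):
    """Network ACLs are stateless: every packet, replies included, must
    match a rule for its own direction."""
    return pkt.protocol in _direction_rules(pkt, inbound, outbound)


def decide(pkt, sg_in, sg_out, nacl_in, nacl_out):
    """Return (action, layer): the flow log action and the layer that decided it."""
    if not nacl_allows(pkt, nacl_in, nacl_out):
        return "REJECT", "NACL"
    if not security_group_allows(pkt, sg_in, sg_out):
        return "REJECT", "SecurityGroup"
    return "ACCEPT", "both"


def ping_flows():
    """The two flows of one ping: request from home, response from the instance."""
    return {
        "request": Packet(HOME_IP, INSTANCE_IP, "icmp", is_response=False),
        "response": Packet(INSTANCE_IP, HOME_IP, "icmp", is_response=True),
    }


def predict(sg_in, sg_out, nacl_in, nacl_out):
    """Predict the flow log (action, layer) for the request and the response."""
    return {name: decide(pkt, sg_in, sg_out, nacl_in, nacl_out)
            for name, pkt in ping_flows().items()}


def page_scenario():
    """Question 232: SG allows ICMP in with no outbound rule; NACL allows
    ICMP in and denies ICMP out."""
    return predict(sg_in={"icmp"}, sg_out=set(), nacl_in={"icmp"}, nacl_out=set())


# Constructed records in the default flow log format: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start
# end action log-status. Protocol 1 is ICMP; account and ENI ids are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""

FLOW_LOG_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status")


def parse_flow_log(line):
    """Parse one default-format record into a dict; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}")
    return dict(zip(FLOW_LOG_FIELDS, parts))


def summarize_ping(log_text):
    """Map each ICMP record to request/response by which end is the instance."""
    summary = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_log(line)
        if rec["protocol"] != "1":      # only ICMP records matter here
            continue
        name = "response" if rec["srcaddr"] == INSTANCE_IP else "request"
        summary[name] = rec["action"]
    return summary


if __name__ == "__main__":
    print("model:", page_scenario())
    print("log:  ", summarize_ping(SAMPLE_LOG))
```

Running the file prints the model's prediction and the parsed log side by side: the request is accepted by both layers and the response is rejected by the NACL, matching the two records the explanation describes. Because the NACL is checked first in `decide`, the reported layer is the NACL whenever both would deny; swap the order if you want the security group named in that case.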
Question 233:
A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.
The ALB is in public subnets that are associated with a network ACL that is named NACL. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.
Which set of network ACL changes will increase the security of the application while ensuring functionality?
A. Make the following changes to NACL3: Add a rule that allows inbound traffic on port 5432 from NACL2. Add a rule that allows outbound traffic on ports 1024-65536 to NACL2. Remove the default rules that allow all inbound and outbound traffic.
B. Make the following changes to NACL3: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets. Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets. Remove the default rules that allow all inbound and outbound traffic.
C. Make the following changes to NACL2: Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets. Remove the default rules that allow all inbound and outbound traffic.
D. Make the following changes to NACL2: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets. Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
Answer: D. Make the following changes to NACL2: Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets. Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
Explanation/Reference:
Question 234:
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)
A. Verify that the S3 bucket policy allows CloudTrail to write objects.
B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
D. Verify that the S3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Answer: B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs. D. Verify that the S3 bucket defined in CloudTrail exists.
Question 235:
A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.
A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the AWS KMS configuration to meet these requirements?
A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new CMK to eu-north-1. Create an alias for eu-north-1. Change the application code to point to the alias for eu-north-1.
Answer: B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
Question 236:
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?
A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
B. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
C. Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.
Answer: A. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
Question 237:
An application is designed to run on an EC2 instance. The application needs to work with an S3 bucket. From a security perspective, what is the ideal way for the EC2 instance/application to be configured?
Please select:
A. Use the AWS access keys ensuring that they are frequently rotated.
B. Assign an IAM user to the application that has specific access to only that S3 bucket.
C. Assign an IAM Role and assign it to the EC2 Instance.
D. Assign an IAM group and assign it to the EC2 Instance.
Answer: C. Assign an IAM Role and assign it to the EC2 Instance.
Explanation/Reference:
The below diagram from the AWS whitepaper shows the best security practice of allocating a role that has access to the S3 bucket.
Options A, B and D are invalid because using users, groups or access keys is an invalid security practice when giving access to resources from other AWS resources. For more information on the Security Best Practices, please visit the following URL: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Assign an IAM Role and assign it to the EC2 Instance
Question 238:
A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel. How can the Security Engineer protect this workload so that only employees can access it?
A. Add each employee's home IP address to the security group for the application so that only those users can access the workload.
B. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
D. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.
Answer: C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
Question 239:
A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.
The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key.
What should the company do next to meet these requirements?
A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function that runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
Answer: B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function that runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
Question 240:
A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them. The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket.
How can this task be accomplished?
A. Implement a "write-only" CloudTrail event filter to detect any modifications to the AWS account resources.
B. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
C. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
D. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.
Answer: B. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.