SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 251:

    You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

    Please select:

    A. Generate pre-signed URLs for each user as they request access to protected S3 content
    B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
    C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
    D. Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user

  • Question 252:

    A company has a single-page application (SPA) that is served by Amazon CloudFront. An Amazon S3 bucket is the origin of the CloudFront distribution. The company is using Amazon Cognito for authentication.

    An external security review reveals that unauthenticated users can download the application source code from the SPA in index.html and view internal details of the SPA. A security engineer needs to implement a solution to avoid exposing the source code to unauthenticated users.

    Which solution will meet these requirements?

    A. Split the login logic to a separate login.html page. Designate the new page as the landing page. Attach an AWS WAF web ACL to the CloudFront distribution to deny unauthenticated requests to index.html.
    B. Change the authentication method in Amazon Cognito to use an AWS Lambda authorizer. Configure the Lambda authorizer to control authentication and disallow downloads if the user is not authenticated.
    C. Implement an Amazon Cognito hosted UI for the login. Add Lambda@Edge logic to the CloudFront distribution to either serve content or redirect to the login page.
    D. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure S3 bucket permissions for the OAI to allow access to authenticated users only.

  • Question 253:

    A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

    A. AWS IAM groups
    B. AWS IAM users
    C. AWS IAM roles
    D. AWS IAM access keys

  • Question 254:

    Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates. They want to minimize the work and maintenance in working with certificates. What is the ideal way to fulfil this requirement?

    Please select:

    A. Consider using Windows Server 2016 Certificate Manager
    B. Consider using AWS Certificate Manager
    C. Consider using AWS Access keys to generate the certificates
    D. Consider using AWS Trusted Advisor for managing the certificates

  • Question 255:

    Which of the following minimizes the potential attack surface for applications?

    A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
    B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
    C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
    D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

  • Question 256:

    A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?

    A. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
    B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
    C. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
    D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instances.

  • Question 257:

    A company's public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.

    The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.

    Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

    A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
    B. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
    C. Configure the ALB to forward only requests that contain the custom HTTP header.
    D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
    E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

  • Question 258:

    A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted.

    The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead.

    Which steps should the security engineer take to meet these requirements?

    A. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered, invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.
    B. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true. Apply this rule to all users.
    C. Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambda function to alert the security team and terminate the instance if the EBS volume is not encrypted.
    D. Use the IAM Management Console or IAM CLI to enable encryption by default for EBS volumes in each IAM Region where the company operates.

  • Question 259:

    DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you will probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below.

    Please select:

    A. The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.
    B. The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
    C. The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
    D. The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

  • Question 260:

    An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:

    1. AWS IAM federated with on-premises Active Directory
    2. Amazon Cognito user pools for accessing an AWS Cloud application developed by the company

    Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)

    A. Update the password length policy in the on-premises Active Directory configuration.
    B. Update the password length policy in the IAM configuration.
    C. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
    D. Update the password length policy in the Amazon Cognito configuration.
    E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.
