SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 301:

    A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

    The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution.

    Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)

    A. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution.
    B. Create an origin access identity (OAI) for the S3 origin.
    C. Update the S3 bucket policy to allow s3:GetObject with a condition that the IAM Referer key matches the secret value. Deny all other requests.
    D. Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for objects in the bucket.
    E. Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header a secret value.

  • Question 302:

    A company uses AWS Certificate Manager (ACM) to automate the renewal of SSL/TLS certificates that the company's Elastic Load Balancers use. The company recently noticed that ACM was unable to automatically renew some certificates.

    These certificates have a status of "pending validation" in the ACM console.

    A security engineer configured the certificates by using DNS validation. The security engineer has verified that the existing certificates have not expired.

    What should the security engineer do to correct this issue?

    A. Manually validate ownership of each domain in the ACM console.
    B. Verify that the DNS CNAME for each domain matches the ACM certificate CNAME record.
    C. Export and then reimport the certificates into ACM.
    D. Validate the ownership of each domain by using email validation.

  • Question 303:

    A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

    The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

    The Security Engineer has verified the following:

    1. The rule set in the Security Groups is correct
    2. The rule set in the network ACLs is correct
    3. The rule set in the virtual appliance is correct

    Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

    A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
    B. Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
    C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
    D. Verify the registered targets in the ALB.
    E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

  • Question 304:

    Your company looks at the gaming domain and hosts several EC2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?

    Please select:

    A. Use VPC Flow logs to monitor the VPC and then implement NACLs to mitigate attacks
    B. Use AWS Shield Advanced to protect the EC2 Instances
    C. Use AWS Inspector to protect the EC2 Instances
    D. Use AWS Trusted Advisor to protect the EC2 Instances

  • Question 305:

    A company is planning on using AWS EC2 and AWS CloudFront for their web application. For which one of the below attacks is usage of CloudFront most suited?

    Please select:

    A. Cross-site scripting
    B. SQL injection
    C. DDoS attacks
    D. Malware attacks

  • Question 306:

    Which of the following is the responsibility of the customer? Choose 2 answers from the options given below.

    Please select:

    A. Management of the Edge locations
    B. Encryption of data at rest
    C. Protection of data in transit
    D. Decommissioning of old storage devices

  • Question 307:

    The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.

    Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?

    A. Amazon Cognito
    B. AssumeRoleWithWebIdentity API
    C. Amazon Cloud Directory
    D. Active Directory (AD) Connector

  • Question 308:

    To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.

    What policy should the Engineer implement?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 309:

    A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.

    What is the MOST operationally efficient way to meet this requirement?

    A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge (Amazon CloudWatch Events) rate expression to schedule the Lambda function to run daily.
    B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
    C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
    D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.

  • Question 310:

    A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.

    What should the company do to accomplish this?

    A. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": false } }
    B. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": false } }
    C. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition": { "Null": { "aws:MultiFactorAuthPresent": false } }
    D. Add the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": false } }
