Amazon SCS-C01 Online Practice Questions and Exam Preparation

SCS-C01 Exam Details

Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Certification: Amazon Certifications
Vendor: Amazon
Total Questions: 733 Q&As
Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers
Question 381:
A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail.
Which solution will meet this requirement?
A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
C. Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.
Answer: D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.
Question 382:
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)
A. Turn on AWS CloudTrail in each AWS account.
B. Turn on CloudTrail in only the account that will be storing the logs.
C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Answer:
A. Turn on AWS CloudTrail in each AWS account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Question 383:
A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.
What should the security team recommend?
A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
B. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
C. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
D. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
Answer: B. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
Question 384:
A company has a requirement that none of its Amazon RDS resources can be publicly accessible. A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Configure RDS event notifications on each RDS resource. Target an AWS Lambda function that notifies AWS Config of a change to the RDS public access setting.
B. Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.
C. Configure the Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
D. Configure RDS event notifications to post events to an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the SQS queue to an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
E. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.
F. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.
Answer:
C. Configure the Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.
E. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.
F. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.
Question 385:
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.
Which factors could cause the health check failures? (Select THREE.)
A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
Answer:
A. The target instance's security group does not allow traffic from the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
Question 386:
A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement:
Account 111122223333 is not using AWS Organizations SCPs.
Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)
A. Modify the key policy to include the key's key ID in the Resource field.
B. Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.
C. Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
D. Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey call.
E. Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.
Answer:
A. Modify the key policy to include the key's key ID in the Resource field.
C. Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
Question 387:
An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.
Which steps would help achieve this? (Choose two.)
A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
E. Use AWS WAF to create rules to respond to such attacks.
Answer:
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
E. Use AWS WAF to create rules to respond to such attacks.
Explanation/Reference:
Using security groups could work, but they would become saturated quickly, since these are DDoS attacks.
Question 388:
A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.
How should this be accomplished?
A. Use SCPs.
B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
C. Use an S3 bucket policy.
D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.
Question 389:
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security team do to launch the EC2 instance successfully?
A. Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.
B. Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.
C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
D. Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
Answer: C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
Question 390:
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?
A. Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Answer: D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.