SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 431:

    A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.

    After a short period of time, a number of existing applications have failed with authentication errors.

    What is the MOST likely cause of the authentication errors?

    A. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
    B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
    C. The Secrets Manager IAM policy does not allow access to the RDS database.
    D. The Secrets Manager IAM policy does not allow access for the applications.

  • Question 432:

    You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

    Please select:

    A. An AWS Managed Policy
    B. An Inline Policy
    C. A Bucket Policy
    D. A bucket ACL

  • Question 433:

    A company has resources hosted in its AWS account. There is a requirement to monitor all API activity for all regions. The audit needs to apply to future regions as well. Which of the following can be used to fulfil this requirement?

    Please select:

    A. Enable CloudTrail for each region. Then enable it for each future region.
    B. Ensure one CloudTrail trail is enabled for all regions.
    C. Create a CloudTrail trail for each region. Use CloudFormation to enable the trail for all future regions.
    D. Create a CloudTrail trail for each region. Use AWS Config to enable the trail for all future regions.

  • Question 434:

    A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A Security Engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company's AWS account.

    How should the company accomplish this with the least amount of administrative overhead?

    A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails.
    B. Use the event history feature of the CloudTrail console to query the CloudTrail trails.
    C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
    D. Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.

  • Question 435:

    A company's security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company's accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

    What should the security engineer do to meet these requirements?

    A. Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.
    B. In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.
    C. Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.
    D. Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

  • Question 436:

    Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

    Which of the following troubleshooting steps should be performed?

    A. Check inbound and outbound security groups, looking for DENY rules.
    B. Check inbound and outbound Network ACL rules, looking for DENY rules.
    C. Review the rejected packet reason codes in the VPC Flow Logs.
    D. Use AWS X-Ray to trace the end-to-end application flow.

  • Question 437:

    Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:

    Network error: Connection timed out.

    What could be responsible for the connection failure? (Choose three.)

    A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
    B. The internet gateway of the VPC has been reconfigured.
    C. The security group denies outbound traffic on ephemeral ports.
    D. The route table is missing a route to the internet gateway.
    E. The NACL denies outbound traffic on ephemeral ports.
    F. The host-based firewall is denying SSH traffic.

  • Question 438:

    A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.

    How should access be granted?

    A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
    B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
    C. Create a temporary IAM user for the application to use in the production account.
    D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

  • Question 439:

    A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled.

    Which additional steps should the security engineer take to complete the task?

    A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
    B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS SSO user portal.
    C. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the AWS SSO user portal.
    D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

  • Question 440:

    The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.

    How can the InfoSec team ensure compliance with this mandate?

    A. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
    B. Patch all running instances by using AWS Systems Manager.
    C. Deploy AWS Config rules and check all running instances for compliance.
    D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.