SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 471:

    An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.

    Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

    A. The IAM policy needs to allow the kms:DescribeKey permission.
    B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
    C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
    D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

  • Question 472:

    A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company's IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection.

    Which solution will meet these requirements?

    A. Create a bastion host with port forwarding to connect to the machines.
    B. Set up AWS Systems Manager Session Manager to allow temporary connections.
    C. Use AWS CloudShell to create serverless connections.
    D. Set up an interface VPC endpoint for each machine for private connection.

  • Question 473:

    A company has retail stores. The company is designing a solution to store scanned copies of customer receipts on Amazon S3. Files will be between 100 KB and 5 MB in PDF format. Each retail store must have a unique encryption key. Each object must be encrypted with a unique key.

    Which solution will meet these requirements?

    A. Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Use the S3 Put operation to upload the objects to Amazon S3. Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key.
    B. Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store. Use the KMS Encrypt operation to encrypt objects. Then upload the objects to Amazon S3.
    C. Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store. Use the data key and client-side encryption to encrypt the objects. Then upload the objects to Amazon S3.
    D. Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store. Use a customer managed key and the KMS Encrypt operation to encrypt the objects. Then upload the objects to Amazon S3.

  • Question 474:

    A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.

    Which encryption method will meet these requirements?

    A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS)
    B. Use server-side encryption with customer-provided keys (SSE-C)
    C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
    D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

  • Question 475:

    The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

    A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
    B. Review the application security groups to ensure that only the necessary ports are open.
    C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
    D. Use Amazon Inspector to periodically scan the backend instances.
    E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

  • Question 476:

    An organization policy states that all encryption keys must be automatically rotated every 12 months. Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

    A. AWS managed Customer Master Key (CMK)
    B. Customer managed CMK with AWS generated key material
    C. Customer managed CMK with imported key material
    D. AWS managed data key

  • Question 477:

    A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.

    Which AWS services should be used to meet these requirements? (Select TWO)

    A. Amazon Athena
    B. Amazon Kinesis
    C. Amazon SQS
    D. Amazon Elasticsearch
    E. Amazon EMR

  • Question 478:

    A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.

    After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:

    Security Engineer

    Lambda function execution role

    What is causing the error?

    A. The Lambda function does not have permissions to start the Athena query execution.
    B. The Security Engineer does not have permissions to start the Athena query execution.
    C. The Athena service does not support invocation through Lambda.
    D. The Lambda function does not have permissions to access the CloudTrail S3 bucket.

  • Question 479:

    A company is using AWS Organizations. The company wants to restrict AWS usage to the eu-west-1 Region for all accounts under an OU that is named "development." The solution must persist restrictions to existing and new AWS accounts under the development OU.

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 480:

    A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior.

    The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months.

    Which solution meets the company's current and future logging requirements?

    A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
    B. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
    C. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
    D. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation or your Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.