SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 481:

    A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

    Which statement should the company add to the key policy to meet this requirement?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 482:

    A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less. Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?

    A. Use Imported key material with CMK
    B. Use an AWS KMS CMK
    C. Use an AWS managed CMK.
    D. Use an AWS KMS customer managed CMK

  • Question 483:

    A company has two VPCs in the us-east-1 Region: vpc-1 and vpc-2. The company recently created an Amazon API Gateway REST API with the endpoint type set to PRIVATE. The company also created a VPC endpoint for the REST API in vpc-1. Resources in vpc-1 can access the REST API successfully.

    The company now wants to give resources in vpc-2 the ability to access the REST API. The company creates a VPC endpoint for the REST API in vpc-2, but the resources in vpc-2 cannot access the REST API.

    A security engineer must make the REST API accessible to resources in vpc-2 by creating a solution that provides the minimum access that is necessary.

    Which solution will meet these requirements?

    A. Set up VPC peering between vpc-1 and vpc-2. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
    B. Set up a VPC endpoint of vpc-2 in vpc-1. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
    C. Set the API endpoint type to REGIONAL. Attach a resource policy to the REST API to allow access from vpc-2.
    D. Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.

  • Question 484:

    A company needs to migrate several applications to AWS. This will require storing more than 5,000 credentials. To meet compliance requirements, the company will use its existing password management system for key rotation, auditing, and integration with third-party secrets containers. The company has a limited budget and is seeking the most cost-effective solution that is still secure.

    How should the company accomplish this at the LOWEST cost?

    A. Configure the company's key management solution to integrate with AWS Systems Manager Parameter Store.
    B. Configure the company's key management solution to integrate with AWS Secrets Manager.
    C. Use an Amazon S3 encrypted bucket to store the secrets and configure the applications with the appropriate roles to access the secrets.
    D. Configure the company's key management solution to integrate with AWS CloudHSM.

  • Question 485:

    A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

    1. An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet.

    2. Database, application, and web servers are configured on three different private subnets.

    3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.

    4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.

    5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.

    Which of the following accurately reflects the access control mechanisms the Architect should verify?

    A. Outbound SG configuration on database servers. Inbound SG configuration on application servers. Inbound and outbound network ACL configuration on the database subnet. Inbound and outbound network ACL configuration on the application server subnet.
    B. Inbound SG configuration on database servers. Outbound SG configuration on application servers. Inbound and outbound network ACL configuration on the database subnet. Inbound and outbound network ACL configuration on the application server subnet.
    C. Inbound and outbound SG configuration on database servers. Inbound and outbound SG configuration on application servers. Inbound network ACL configuration on the database subnet. Outbound network ACL configuration on the application server subnet.
    D. Inbound SG configuration on database servers. Outbound SG configuration on application servers. Inbound network ACL configuration on the database subnet. Outbound network ACL configuration on the application server subnet.

  • Question 486:

    You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.

    Please select:

    A. Check to see if the right role has been assigned to the EC2 instances
    B. Check to see if the IAM user has the right permissions for EC2
    C. Ensure that agent is running on the instances.
    D. Check the Instance status by using the Health API.

  • Question 487:

    A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.

    How can this task be accomplished?

    A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
    B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
    C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
    D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

  • Question 488:

    A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

    A. Add a template constraint to each product in the portfolio.
    B. Add a launch constraint to each product in the portfolio.
    C. Define resource update constraints for each product in the portfolio.
    D. Update the AWS CloudFormation template backing the product to include a service role configuration.

  • Question 489:

    A company has an application that stores data in an Amazon S3 bucket. In the same AWS account, the company deploys a new data analysis application on Amazon EC2 with an instance profile attached. The analysis application is able to get a list of S3 objects but is unable to read the data. The following IAM policy is attached to the instance role:

    Which solution will give the analysis application the ability to read the data in the S3 bucket?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 490:

    A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.

    Which of the following is a valid option for storing SSL/TLS certificates?

    A. Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)
    B. Default SSL certificate that is stored in Amazon CloudFront.
    C. Custom SSL certificate that is stored in AWS Certificate Manager (ACM)
    D. Default SSL certificate that is stored in Amazon S3
