SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 511:

    A company's cloud operations team is responsible for building effective security for IAM cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp).

    The two account policies are as follows: Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

    A. Ask the developers to change their password and use a different web browser.
    B. Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.
    C. Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.
    D. Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.
    E. Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

  • Question 512:

    Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.

    Which of the following methods will ensure that the data is unreadable by anyone else?

    A. Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.
    B. Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.
    C. Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.
    D. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

  • Question 513:

    An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?

    A. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
    B. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
    C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
    D. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

  • Question 514:

    A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The systems engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.

    Which solution will meet this requirement?

    A. Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property.
    B. Download and configure the CloudWatch agent on the container instances.
    C. Set up Fluent Bit and Fluentd as a DaemonSet to send logs to Amazon CloudWatch Logs.
    D. Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances.

  • Question 515:

    A company receives an email message from the AWS Abuse team. The message states that an IAM user in the company's AWS account has had an associated access key and secret access key pair published in public code repositories.

    The identified IAM user is designated as a service account. The IAM user uses hardcoded credentials in a critical customer-facing production application. There are no signs of a compromise within the company's AWS account. The company's security team must address this situation by implementing a solution that minimizes application downtime.

    What is the correct order of actions for the security team to take to meet these requirements?

    A. Delete any AWS Management Console credentials that are associated with the IAM user. Create a new access key and secret access key pair for the IAM user. Update the application to use the new credentials. Inactivate the publicly exposed IAM access key. Revoke any temporary AWS Security Token Service (AWS STS) credentials that are associated with the IAM user.
    B. Revoke any temporary AWS Security Token Service (AWS STS) credentials that are associated with the IAM user. Inactivate the publicly exposed IAM access key. Create a new access key and secret access key pair for the IAM user. Update the application to use the new credentials. Delete any AWS Management Console credentials that are associated with the IAM user.
    C. Inactivate the publicly exposed IAM access key. Create a new access key and secret access key pair for the IAM user. Update the application to use the new credentials. Revoke any temporary AWS Security Token Service (AWS STS) credentials that are associated with the IAM user. Delete any AWS Management Console credentials that are associated with the IAM user.
    D. Delete any AWS Management Console credentials that are associated with the IAM user. Create a new access key and secret access key pair for the IAM user. Inactivate the publicly exposed IAM access key. Revoke any temporary AWS Security Token Service (AWS STS) credentials that are associated with the IAM user. Update the application to use the new credentials.

  • Question 516:

    A company is using AWS Secrets Manager to manage database credentials that an application uses to access Amazon DocumentDB (with MongoDB compatibility). The company needs to implement automated password rotation. Which solution will meet this requirement with the LEAST administrative overhead?

    A. Create a new AWS Lambda function to manage the password rotation. Turn on automatic password rotation in Secrets Manager. Associate the rotation with the Lambda function.
    B. Turn on automatic password rotation in Secrets Manager. Configure Secrets Manager to create a new AWS Lambda function to manage the password rotation.
    C. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create a new AWS Lambda function. Change the vpc-config option of the Lambda function to include the subnet IDs when Amazon DocumentDB is hosted.
    D. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create three new AWS Lambda functions: createSecret, setSecret, and testSecret. Change the vpc-config option of all three Lambda functions to include the subnet IDs where Amazon DocumentDB is hosted.

  • Question 517:

    A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties. Which combination of actions will meet this requirement? (Select THREE.)

    A. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
    B. Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
    C. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint.
    D. Use the Amazon S3 Block Public Access feature.
    E. Configure the bucket policy to allow access from the application instances only.
    F. Use a NACL to filter traffic to Amazon S3.

  • Question 518:

    A company has a multi-account AWS environment with AWS Organizations enabled. The company has hundreds of workloads that are deployed across multiple AWS services. The company has enabled AWS Security Hub for all accounts within the organization and has designated a delegated administrator.

    The company wants to implement a centralized solution to provide near-real-time response and automatic remediation for custom security detections throughout the organization.

    Which solution will meet these requirements?

    A. Create Security Hub custom actions in the organization's delegated administrator account. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to evaluate the configuration of the resource and send noncompliant resources to Security Hub. Send the findings to an EventBridge (CloudWatch Events) event to invoke a Lambda function to remediate the custom security detection. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
    B. Create Security Hub insights for findings in the organization's delegated administrator account. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to parse the resources within the insight and send noncompliant resources to Security Hub. Send the output to invoke subsequent Lambda functions to remediate the noncompliant resources. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
    C. Create Security Hub insights for findings in the organization's delegated administrator account and member accounts. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to parse the resources within the insight and send noncompliant resources to Security Hub. Send the output to invoke subsequent Lambda functions to remediate the noncompliant resources. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
    D. Designate an AWS Config delegated administrator account for the organization. Create an AWS Config aggregator in this delegated administrator account and in all member accounts. Enable Security Hub integration with AWS Config. Create an AWS Config custom rule to check for noncompliant resources. Create an associated AWS Lambda function to take action on the noncompliant resources. Send the Lambda function results to a log group in Amazon CloudWatch Logs.

  • Question 519:

    An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.

    The application is being flooded with HTTP requests from all over the world with the User-Agent header set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)

    What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

    A. Create a rule in AWS WAF with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header.
    B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
    C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
    D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

  • Question 520:

    A company has identified two security concerns. One concern is unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. The other concern is public IP addresses that are assigned to Amazon EC2 instances. A security engineer must build a solution to prevent and remediate these security issues.

    What should the security engineer do to meet these requirements with the LEAST amount of effort?

    A. Use AWS CloudTrail to monitor accounts for noncompliant configurations. Use AWS Lambda functions to evaluate configuration state and perform automated remediation actions.
    B. Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.
    C. Use Amazon GuardDuty to monitor accounts for noncompliant configurations. Use an AWS Lambda function to perform automated remediation actions.
    D. Use AWS Systems Manager Compliance to monitor accounts for noncompliant configurations. Use Systems Manager Automation to perform automated remediation actions.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.