SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 591:

    The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:

    1. Have the EC2 instances bootstrapped to connect to a backend database.
    2. Ensure that the database credentials are handled securely.
    3. Ensure that retrievals of database credentials are logged.

    Which of the following is the MOST efficient way to meet these requirements?

    A. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
    B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.
    C. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
    D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

  • Question 592:

    Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)

    A. Default AWS Certificate Manager certificate
    B. Custom SSL certificate stored in AWS KMS
    C. Default CloudFront certificate
    D. Custom SSL certificate stored in AWS Certificate Manager
    E. Default SSL certificate stored in AWS Secrets Manager
    F. Custom SSL certificate stored in AWS IAM

  • Question 593:

    You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?

    Please select:

    A. Check the Inbound security rules for the database security group. Check the Outbound security rules for the application security group.
    B. Check the Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
    C. Check both the Inbound and Outbound security rules for the database security group. Check the Inbound security rules for the application security group.
    D. Check the Outbound security rules for the database security group. Check both the Inbound and Outbound security rules for the application security group.

  • Question 594:

    A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.

    What would resolve the connectivity issue?

    A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
    B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
    C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
    D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

  • Question 595:

    A security engineer needs to configure an Amazon S3 bucket policy to restrict access to an S3 bucket that is named DOC-EXAMPLE-BUCKET. The policy must allow access to only DOC-EXAMPLE-BUCKET from only the following endpoint: vpce-1a2b3c4d. The policy must deny all access to DOC-EXAMPLE-BUCKET if the specified endpoint is not used.

    Which bucket policy statement meets these requirements?

    A. "Statement": [{ "Sid": "Access-to-specific-VPCE-only","Principal": "*","Action": "s3:*","Effect": "Allow","Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET","arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],"Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d" }}}]
    B. "Statement": [{ "Sid": "Access-to-specific-VPCE-only","Principal": "*","Action": "s3:*","Effect": "Deny","Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET","arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],"Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]
    C. "Statement": [{ "Sid": "Access-to-specific-VPCE-only","Principal": "*","Action": "s3:*","Effect": "Deny","Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET","arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],"Condition": {"StringEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]
    D. "Statement": [{ "Sid": "Access-to-specific-VPCE-only","Principal": "*","Action": "s3:*","Effect": "Allow","Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET","arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],"Condition": {"StringEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]

  • Question 596:

    A company is using an organization in AWS Organizations to manage its AWS accounts. The company runs its primary application on Amazon EC2 instances. A security engineer discovers unauthorized access in one of the company's developer AWS accounts. An investigation reveals that AWS access keys from the developer account were mistakenly added to a public source code repository.

    Which combination of actions should the security engineer take to secure the compromised account? (Choose two.)

    A. Rotate all the access key pairs in the compromised account.
    B. Create a security group that denies traffic from the internet. Attach the security group to all EC2 instances in the compromised account.
    C. Temporarily remove the compromised account from the organization.
    D. Delete all EC2 key pairs in the compromised account.
    E. Delete any potentially unauthorized IAM users in the compromised account. Change the password for all other IAM users.

  • Question 597:

    An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.

    Which is the SIMPLEST change that would address this server issue?

    A. Create an Amazon CloudFront distribution and configure the ALB as the origin.
    B. Block the malicious IPs with a network access control list (NACL).
    C. Create an AWS Web Application Firewall (WAF) and attach it to the ALB.
    D. Map the application domain name to use Route 53.

  • Question 598:

    A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs.

    The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked.

    Which set of actions will identify the suspect attacker's IP address for future occurrences?

    A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
    B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
    C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
    D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

  • Question 599:

    A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.

    What should the security engineer recommend?

    A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
    B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
    C. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
    D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

  • Question 600:

    A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin. A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key. The solution must minimize operational overhead.

    Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

    A. Create the S3 bucket. Configure server-side encryption with a customer managed KMS key.
    B. Create the S3 bucket. Configure server-side encryption with customer-provided encryption keys (SSE-C).
    C. Create the CloudFront distribution. Use the S3 bucket as the origin. Configure the distribution to use an origin access identity (OAI).
    D. Create the CloudFront distribution. Use the S3 bucket as the origin. Delete the origin access identity (OAI) configuration.
    E. Configure the CloudFront distribution cache to encrypt data at rest by using the customer managed KMS key.
    F. Create a Lambda@Edge function that runs for origin request events and reads from the S3 bucket by using the customer managed KMS key.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.