SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 621:

    A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:

    Users may access the website by using an Amazon CloudFront distribution. Users may not access the website directly by using an Amazon S3 URL.

    Which configurations will support these requirements? (Choose two.)

    A. Associate an origin access identity with the CloudFront distribution.
    B. Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.
    C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
    D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
    E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

  • Question 622:

    A company's security information and event management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object-created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

    After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.

    Which of the following are possible causes of this issue? (Choose three.)

    A. The SQS queue does not allow the SQS SendMessage action from the SNS topic.
    B. The SNS topic does not allow the SNS Publish action from Amazon S3.
    C. The SNS topic is not delivering raw messages to the SQS queue.
    D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
    E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
    F. The IAM role used by the SIEM tool does not allow the SQS DeleteMessage action.
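
The pipeline in this question crosses three resource-based policies (bucket, topic, queue) and one identity-based policy (the SIEM role), and a permissions review can break any hop. The following is an added example, not part of the original question and not an AWS-published document, showing the minimal statement each policy needs for the chain to deliver. The bucket name, topic and queue names, Region and account ID 111122223333 are placeholders.

```json
{
  "_note": "Added example for the S3 -> SNS -> SQS -> SIEM chain; all names, ARNs and the account ID are placeholders.",
  "CloudTrailBucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": { "Service": "cloudtrail.amazonaws.com" },
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::example-cloudtrail-logs"
      },
      {
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": { "Service": "cloudtrail.amazonaws.com" },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/111122223333/*",
        "Condition": {
          "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
        }
      }
    ]
  },
  "SnsTopicPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowS3ToPublishObjectCreatedEvents",
        "Effect": "Allow",
        "Principal": { "Service": "s3.amazonaws.com" },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:cloudtrail-new-object",
        "Condition": {
          "ArnLike": { "aws:SourceArn": "arn:aws:s3:::example-cloudtrail-logs" },
          "StringEquals": { "aws:SourceAccount": "111122223333" }
        }
      }
    ]
  },
  "SqsQueuePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowSnsTopicToSendMessage",
        "Effect": "Allow",
        "Principal": { "Service": "sns.amazonaws.com" },
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:siem-intake",
        "Condition": {
          "ArnEquals": { "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:cloudtrail-new-object" }
        }
      }
    ]
  },
  "SiemRolePermissionPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PollAndAcknowledgeQueue",
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:siem-intake"
      },
      {
        "Sid": "FetchLogObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/111122223333/*"
      }
    ]
  }
}
```

When delivery stops after a permissions change, walk the hops in order: the trail's delivery status (CloudTrail will report a bucket-policy failure), a test notification from the bucket to the topic, SNS delivery failures for the queue subscription, and finally the queue's message count and the role's ReceiveMessage/DeleteMessage access. Without sqs:DeleteMessage, the SIEM can still read messages, but they return to the queue after the visibility timeout and are re-processed. The raw-message-delivery setting on the subscription changes only the message shape (the S3 event is wrapped in an SNS envelope unless raw delivery is on), so whether it matters depends on what the consumer's parser expects, not on any permission.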

  • Question 623:

    A company uses AWS Config and AWS Organizations. One of the company's account administrators recently turned off AWS Config recording, and a critical security incident was not logged properly. The company's security engineer must create an SCP that will deny all users the ability to stop AWS Config. The SCP also must allow the ApprovedAdministrator role to edit AWS Config settings.

    Which SCP meets these requirements?

    A. Option A
    B. Option B
    C. Option C
    D. Option D
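
The options for this question are not reproduced on the page. As an added example, not taken from the question's answer choices, this is the shape of an SCP that denies stopping or dismantling AWS Config to every principal except a role named ApprovedAdministrator. The action list follows the pattern AWS documents for protecting Config; which additional config:Put* actions to block is a choice, not something the question states, so it is kept to the stop/delete actions here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingConfigExceptApprovedAdministrator",
      "Effect": "Deny",
      "Action": [
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteConfigRule"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/ApprovedAdministrator"
        }
      }
    }
  ]
}
```

Two points matter when reading an SCP like this. First, an SCP never grants anything: the ApprovedAdministrator role is only exempted from the Deny and still needs config:* permissions in its own identity policy to edit settings. Second, aws:PrincipalARN resolves to the role ARN for assumed-role sessions, so the pattern matches sessions of that role in any member account; replace the `*` account with a specific ID if only one account's role should be exempt. SCPs do not apply to the organization's management account, so its users are not constrained by this policy at all.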

  • Question 624:

    You currently have an S3 bucket hosted in an AWS account. It holds information that needs to be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.

    Please select:

    A. Ensure an IAM role is created which can be assumed by the partner account.
    B. Ensure an IAM user is created which can be assumed by the partner account.
    C. Ensure the partner uses an external ID when making the request.
    D. Provide the ARN for the role to the partner account
    E. Provide the Account Id to the partner account
    F. Provide access keys for your account to the partner account

  • Question 625:

    Your company has just set up a new central server in a VPC. There is a requirement for other teams, whose servers are located in different VPCs in the same Region, to connect to the central server. Which of the options below is best suited to achieve this requirement?

    Please select:

    A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
    B. Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
    C. Set up an IPsec tunnel between the central server VPC and each of the teams' VPCs.
    D. None of the above options will work.

  • Question 626:

    A security audit reveals that several Amazon Elastic Block Store (Amazon EBS) volumes in a company's production account are not encrypted. The unencrypted EBS volumes are attached to Amazon EC2 instances that are provisioned with an Auto Scaling group and a launch template.

    A security engineer must implement a solution to ensure that all EBS volumes are encrypted now and in the future.

    Which solution will meet these requirements?

    A. Update the launch template by setting the Encrypted flag for all EBS volumes to true. Use the Auto Scaling group's instance refresh feature to replace existing instances with new instances.
    B. Create a new launch template from the old launch template. Set the Encrypted flag for all EBS volumes to true. Update the Auto Scaling group to use the new version of the launch template. Wait for the Auto Scaling group to replace all the old instances that have unencrypted EBS volumes.
    C. Use the Amazon EC2 console to enable encryption of new EBS volumes by default for each AWS Region that the company uses. Use the Auto Scaling group's instance refresh feature to replace existing instances with new instances.
    D. Use the Amazon EC2 console to enable encryption of new EBS volumes by default for each AWS Region that the company uses. Update this setting so that Auto Scaling groups will automatically replace existing instances with new instances.

  • Question 627:

    A company is hosting a website that must be accessible to users over HTTPS. Port 22 should also be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.

    A. Port 443 coming from 0.0.0.0/0
    B. Port 443 coming from 10.0.0.0/16
    C. Port 22 coming from 0.0.0.0/0
    D. Port 22 coming from 203.0.113.1/32

  • Question 628:

    A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.

    A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

    What should be done to enable the user to assume the appropriate role in the target account?

    A. Option A
    B. Option B
    C. Option C
    D. Option D
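
Questions 624 and 628 are two views of the same mechanism: cross-account access through sts:AssumeRole needs both a trust policy on the target role (who may assume it) and a permission on the caller side (that it may call AssumeRole on that ARN), and a failure in either half produces an AccessDenied. The policy referenced in question 628 is not reproduced on the page; the following is an added example, not the question's own policy, using the account IDs and role names from question 628. The sts:ExternalId value is a placeholder; the external ID condition is the control question 624 asks about for a third-party partner and can be omitted for role chaining inside one organization.

```json
{
  "_note": "Added example; account IDs and role names are taken from question 628, the ExternalId value is a placeholder.",
  "TrustPolicy_on_JobFunctionRole_in_account_123456789123": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowIdentityRoleToAssumeWithExternalId",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::987654321987:role/IdentityRole" },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": { "sts:ExternalId": "partner-contract-7f3a9c" }
        }
      }
    ]
  },
  "PermissionPolicy_on_IdentityRole_in_account_987654321987": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAssumingJobFunctionRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::123456789123:role/JobFunctionRole"
      }
    ]
  }
}
```

The information that has to change hands matches this structure: the bucket owner gives the partner the role ARN (which already contains the owner's account ID) and the external ID, and the partner gives the owner its account ID or the ARN of the principal that will call AssumeRole. Long-lived access keys for the owning account never need to leave it. When an assume fails, check the trust policy principal against the exact caller ARN, the ExternalId passed in the request against the condition, and the caller's identity policy for sts:AssumeRole on the target role ARN; any SCP or permissions boundary on the caller applies as well.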

  • Question 629:

    A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible directly from the S3 bucket.

    Which solution will meet these requirements?

    A. Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
    B. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.
    C. Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.
    D. Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.
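
Questions 621 and 629 both describe restricting an S3 origin so that only CloudFront can read it. The following is an added example, not part of either question, of the bucket policy that does this. The first form uses an origin access identity (OAI), which is what the questions refer to; the second uses the newer origin access control (OAC), where CloudFront calls S3 as a service principal scoped to one distribution. The bucket name, OAI ID, account ID and distribution ID are placeholders.

```json
{
  "_note": "Added example; bucket name, OAI ID E1EXAMPLEOAIID, account 111122223333 and distribution EDFDVBD6EXAMPLE are placeholders.",
  "BucketPolicy_OAI": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowOnlyTheOAIToRead",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAIID"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-website-content/*"
      }
    ]
  },
  "BucketPolicy_OAC": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowOnlyOneDistributionToRead",
        "Effect": "Allow",
        "Principal": { "Service": "cloudfront.amazonaws.com" },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-website-content/*",
        "Condition": {
          "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
          }
        }
      }
    ]
  }
}
```

The bucket policy is only half of "not accessible directly": S3 Block Public Access must stay on and no object may carry a public-read ACL, otherwise the S3 URL still serves the file. With an OAI the distribution's origin must be the bucket's REST endpoint, not the S3 static website endpoint, because website endpoints do not support OAI authentication. A bare `"Principal": "cloudfront.amazonaws.com"` without a SourceArn condition would let any CloudFront distribution in any account read the bucket, which is why the OAC form carries the condition.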

  • Question 630:

    Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?

    Please select:

    A. Use CloudTrail to see if any KMS API request has been issued against existing keys
    B. Use Key policies to see the access level for the keys
    C. Rotate the keys once before deletion to see if other services are using the keys
    D. Change the IAM policy for the keys to see if other services are using the keys

Tips on How to Prepare for the Exams

Nowadays, certification exams have become more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result and find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation or Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.