SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 651:

    An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances.

    Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets.

    A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and private-subnet-2 cannot communicate with each other.

    Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)

    A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
    B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
    C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
    D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
    E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
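
    The following simulation is an added illustration, not part of the original question set: it models the two NACLs as stateless rule tables and walks one TCP session through the four checks it must pass, so you can see why a freshly created custom NACL breaks traffic and why only rules in both directions of subnet-2-NACL (options D and E) restore it. Instance addresses, ports and rule numbers are constructed for the demo.

```python
"""Stateless network ACL evaluation for the two-subnet scenario above.

Added example, not part of the original question. The rule tables mirror
what AWS creates: the VPC's default NACL carries rule 100 allowing all
traffic in both directions, while a newly created custom NACL
(subnet-2-NACL) has no numbered rules and therefore only the implicit
deny ('*'). Instance addresses and ports are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

# Rule = (rule number, action, CIDR, (low port, high port)); rules are
# evaluated in ascending number order and the first match wins.
ALL_PORTS = (0, 65535)
DEFAULT_NACL = {
    "inbound":  [(100, "allow", "0.0.0.0/0", ALL_PORTS)],
    "outbound": [(100, "allow", "0.0.0.0/0", ALL_PORTS)],
}
NEW_CUSTOM_NACL = {"inbound": [], "outbound": []}   # subnet-2-NACL as created


def evaluate(rules, addr, port):
    """Apply one direction of a NACL to one packet; unmatched packets hit '*' (deny)."""
    for _number, action, cidr, (lo, hi) in sorted(rules):
        if ip_address(addr) in ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False


def flow_allowed(client_nacl, server_nacl, client_ip, server_ip,
                 server_port, client_port=49152):
    """A TCP session crosses four stateless checks; all four must pass.

    Outbound rules are matched on the destination address/port of the
    packet, inbound rules on the source address and destination port.
    The reply travels to the client's ephemeral port, which is why a
    NACL needs explicit rules covering return traffic.
    """
    checks = [
        (client_nacl["outbound"], server_ip, server_port),  # request leaves client subnet
        (server_nacl["inbound"],  client_ip, server_port),  # request enters server subnet
        (server_nacl["outbound"], client_ip, client_port),  # reply leaves server subnet
        (client_nacl["inbound"],  server_ip, client_port),  # reply enters client subnet
    ]
    return all(evaluate(rules, addr, port) for rules, addr, port in checks)


def subnet_2_nacl_with(inbound=(), outbound=()):
    """Build a candidate subnet-2-NACL from extra allow rules."""
    return {"inbound": list(inbound), "outbound": list(outbound)}


# Options D and E from the question: allow 192.168.1.0/24 in both directions.
OPTION_D = (100, "allow", "192.168.1.0/24", ALL_PORTS)   # inbound rule
OPTION_E = (100, "allow", "192.168.1.0/24", ALL_PORTS)   # outbound rule


def subnet1_can_reach_subnet2(subnet_2_nacl, port=443):
    """Instance 192.168.1.10 (public-subnet-1) opens a TCP session to 192.168.2.10."""
    return flow_allowed(DEFAULT_NACL, subnet_2_nacl, "192.168.1.10", "192.168.2.10", port)


def subnet2_can_reach_subnet1(subnet_2_nacl, port=22):
    """Instance 192.168.2.10 (private-subnet-2) opens a TCP session to 192.168.1.10."""
    return flow_allowed(subnet_2_nacl, DEFAULT_NACL, "192.168.2.10", "192.168.1.10", port)


if __name__ == "__main__":
    fixed = subnet_2_nacl_with([OPTION_D], [OPTION_E])
    print("as created:        ", subnet1_can_reach_subnet2(NEW_CUSTOM_NACL))
    print("D only:            ", subnet1_can_reach_subnet2(subnet_2_nacl_with(inbound=[OPTION_D])))
    print("D + E:             ", subnet1_can_reach_subnet2(fixed))
    print("D + E, reverse dir:", subnet2_can_reach_subnet1(fixed))
```

    Adding rules to the VPC's default NACL (options A and B) changes nothing, because that NACL already allows all traffic; the simulation also shows the practitioner's caveat that an outbound rule limited to port 443 is not enough, since the reply is addressed to the client's ephemeral port.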

  • Question 652:

    A security engineer is analyzing Amazon GuardDuty findings. The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding. What does this value indicate?

    A. An adversary has compromised an AWS resource so that the resource is capable of contacting its home command and control (CandC) server to receive further instructions for malicious activity.
    B. GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
    C. GuardDuty is detecting activity or activity patterns that suggest that an adversary is attempting to manipulate, interrupt, or destroy the company's systems and data.
    D. GuardDuty is detecting activity or activity patterns that an adversary might use to expand its knowledge of the company's systems and internal networks.

  • Question 653:

    A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company's security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.

    How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?

    A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.
    B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.
    C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.
    D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.

  • Question 654:

    The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

    Pattern:

    "randomID_datestamp_PII.csv"

    Example:

    "1234567_12302017_000-00-0000.csv"

    The bucket where these objects are being stored is using server-side encryption (SSE).

    Which solution is the most secure and cost-effective option to protect the sensitive data?

    A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
    B. Add an S3 bucket policy that denies the action s3:GetObject
    C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
    D. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

  • Question 655:

    A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.

    Which combination of steps must the vendor follow to successfully deliver a file to the company? (Select TWO.)

    A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
    B. Add a grant to the objects ACL giving full permissions to bucket owner.
    C. Encrypt the object with a KMS key controlled by the company.
    D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
    E. Upload the file to the company's S3 bucket

  • Question 656:

    A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35 days ago.

    A security engineer must implement a continuous monitoring solution that automatically notifies the company's security team about compromised instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible.

    Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

    A. Enable AWS Security Hub in the AWS account.
    B. Enable Amazon GuardDuty in the AWS account.
    C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.
    D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.
    E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
    F. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.
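
    The GuardDuty-to-SNS path (options B, C and E) hinges on the EventBridge rule pattern. As an added example, not code from the original question, here is the pattern that forwards only high-severity findings, together with a small matcher that applies it to a batch of events, so the severity boundary and the source filter can be checked offline. The findings are constructed samples; the matcher implements only the subset of EventBridge pattern syntax this rule uses.

```python
"""EventBridge rule pattern that forwards only high-severity GuardDuty
findings to an SNS topic, plus a small matcher that applies the pattern.

Added example, not code from the original question. The pattern is the
shape EventBridge accepts; the matcher implements only the subset of its
syntax used here (exact-value lists, nested objects, numeric ranges).
The findings below are constructed samples, not real GuardDuty output.
"""
import json
import operator

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, ">=": operator.ge}


def _numeric_matches(spec, value):
    """spec is [op, bound, op, bound, ...]; every pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _field_matches(alternatives, value):
    """A pattern leaf is a list; the event value must satisfy at least one entry."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_matches(alt["numeric"], value):
                return True
        elif alt == value:
            return True
    return False


def event_matches(pattern, event):
    """Every key in the pattern must be present in the event and match."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not event_matches(spec, event[key]):
                return False
        elif not _field_matches(spec, event[key]):
            return False
    return True


def sns_message(event):
    """Flatten the parts of a matched finding the on-call team needs in the e-mail."""
    d = event["detail"]
    return json.dumps({
        "severity": d["severity"], "type": d["type"],
        "title": d["title"], "account": d["accountId"], "region": d["region"],
    }, sort_keys=True)


def findings_to_notify(events):
    """Return the SNS messages the rule would publish for a batch of events."""
    return [sns_message(e) for e in events if event_matches(HIGH_SEVERITY_RULE_PATTERN, e)]


def _finding(severity, ftype, title):
    """Constructed GuardDuty finding in EventBridge envelope form."""
    return {
        "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "detail": {"severity": severity, "type": ftype, "title": title,
                   "accountId": "111122223333", "region": "us-east-1"},
    }


# Constructed samples: one high, one medium, one low finding, and an event from another source.
SAMPLE_EVENTS = [
    _finding(8.0, "Backdoor:EC2/C&CActivity.B!DNS", "EC2 instance is querying a C&C domain"),
    _finding(5.0, "UnauthorizedAccess:EC2/SSHBruteForce", "SSH brute force attempts observed"),
    _finding(2.0, "Recon:EC2/PortProbeUnprotectedPort", "Unprotected port probed"),
    {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
     "detail": {"severity": 9.0}},
]

if __name__ == "__main__":
    for msg in findings_to_notify(SAMPLE_EVENTS):
        print(msg)
```

    Two operational details worth knowing when you wire this up for real: GuardDuty publishes a finding to EventBridge when it is first generated and then re-publishes recurring occurrences on its findings export frequency (six hours by default, adjustable to one hour or fifteen minutes), and the SNS topic's access policy must allow `events.amazonaws.com` to publish or the rule will match silently and deliver nothing.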

  • Question 657:

    A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT security team is worried about potential DDoS attacks against the website. Senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?

    A. Consider using the AWS Shield service.
    B. Consider using VPC Flow Logs to monitor traffic for DDoS attacks and quickly take action when a potential attack is detected.
    C. Consider using the AWS Shield Advanced service.
    D. Consider using CloudWatch Logs to monitor traffic for DDoS attacks and quickly take action when a potential attack is detected.

  • Question 658:

    A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
    B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
    C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
    D. For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
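
    The SCP approach (option C) is the one with the least overhead because a single policy attached at the organizational-unit level covers every account beneath it. The following is an added example, not part of the original question: a Region- and service-restricting SCP in the `NotAction` + `aws:RequestedRegion` shape that AWS documents, plus a small evaluator that shows which API calls it blocks. The allowed Regions, the service allow-list and the exempted global services are assumptions for the demo, and the evaluator implements only the policy elements this SCP uses.

```python
"""Region- and service-restricting SCP, with a small evaluator that shows
which API calls it blocks.

Added example, not part of the original question. The policy follows the
NotAction + aws:RequestedRegion shape AWS documents for Region
restriction; the allowed Regions, service list and exempted global
services are assumptions for the demo. The evaluator implements only
the pieces this policy uses (Deny statements, NotAction, StringNotEquals).
"""
from fnmatch import fnmatchcase

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
# Global services answer from us-east-1, so they must be excluded from the
# Region deny or every IAM/Organizations call from the allowed Regions fails.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*"]
# Services a development account is allowed to use (assumed allow-list).
ALLOWED_SERVICE_ACTIONS = ["ec2:*", "s3:*", "lambda:*", "logs:*", "cloudwatch:*"]

REGION_AND_SERVICE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            "Sid": "DenyServicesNotOnAllowList",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS + ALLOWED_SERVICE_ACTIONS,
            "Resource": "*",
        },
    ],
}
# Organizations attaches FullAWSAccess by default; SCPs never grant on their
# own, so this stays as the baseline Allow the Deny statements carve from.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _action_in(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action, context):
    if "Action" in stmt and not _action_in(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_in(stmt["NotAction"], action):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        expected = [expected] if isinstance(expected, str) else expected
        if context.get(key) in expected:      # condition not met: statement does not apply
            return False
    return True


def scp_allows(action, region, policies=(FULL_AWS_ACCESS, REGION_AND_SERVICE_SCP)):
    """Explicit Deny wins; otherwise some Allow statement must cover the action."""
    context = {"aws:RequestedRegion": region}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for call in [("ec2:RunInstances", "eu-west-1"), ("ec2:RunInstances", "us-east-1"),
                 ("iam:CreateRole", "us-east-1"), ("dynamodb:PutItem", "eu-west-1")]:
        print(call, "->", "allowed" if scp_allows(*call) else "denied by SCP")
```

    Two caveats when deploying something like this: SCPs never affect the management account, and a Region deny without an exemption for your break-glass or automation roles (typically an `ArnNotLike` condition on `aws:PrincipalARN`) will lock those out along with the developers.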

  • Question 659:

    You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?

    A. Enable cross region replication for the bucket
    B. Write a script to copy the objects to another bucket in the destination region
    C. Create an S3 snapshot in the destination region
    D. Enable versioning which will copy the objects to the destination region

  • Question 660:

    A company has set up the following structure to ensure that their S3 buckets always have logging enabled:

    If there are any changes to the configuration of an S3 bucket, an AWS Config rule is evaluated. If logging is disabled, a Lambda function is invoked. This Lambda function will re-enable logging on the S3 bucket. Now there is an issue being encountered with the entire flow. You have verified that the Lambda function is being invoked, but when logging is disabled for the bucket, the Lambda function does not enable it again. Which of the following could be the issue?

    A. The AWS Config rule is not configured properly
    B. The AWS Lambda function does not have appropriate permissions for the bucket
    C. The AWS Lambda function should use Node.js instead of Python.
    D. You need to also use the API gateway to invoke the lambda function
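
    The symptom in the question (the function runs but the bucket stays unchanged) is what a missing `s3:PutBucketLogging` permission on the execution role looks like (option B). As an added example, not code from the original question, here is a remediation function of that shape run against a stand-in S3 client that enforces an IAM-style action list, so the failure and the fix can be reproduced offline. It assumes the Lambda is the rule's own evaluation function (so it receives AWS Config's `invokingEvent`/`ruleParameters` payload) and that the log target bucket name arrives as a rule parameter; the Config event and the `FakeS3` client are constructed for the demo.

```python
"""Custom AWS Config rule Lambda that re-enables S3 server access logging,
run against a stand-in S3 client that enforces an IAM-style action list.

Added example, not code from the original question. It assumes the Lambda
is the rule's own evaluation function (so it receives Config's
invokingEvent/ruleParameters payload) and that the log target bucket name
is passed as a rule parameter. The Config event and the FakeS3 client are
constructed for the demo; the real function would use boto3.
"""
import json

LOG_TARGET_BUCKET = "central-s3-access-logs"   # assumed default target

# What the execution role must carry beyond CloudWatch Logs. The second
# action is the one a read-only role lacks, which produces exactly the
# symptom in the question: the function runs, nothing changes.
REQUIRED_S3_ACTIONS = ["s3:GetBucketLogging", "s3:PutBucketLogging"]


def bucket_from_config_event(event):
    """Config passes the changed item as a JSON string in event['invokingEvent']."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem") or {}
    if item.get("resourceType") != "AWS::S3::Bucket":
        return None
    return item["resourceName"]


def ensure_logging(s3, bucket, target_bucket):
    """Idempotent: returns 'already_enabled' or 'enabled'; propagates access errors."""
    current = s3.get_bucket_logging(Bucket=bucket)
    if "LoggingEnabled" in current:
        return "already_enabled"
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus={"LoggingEnabled": {"TargetBucket": target_bucket,
                                                "TargetPrefix": f"{bucket}/"}},
    )
    return "enabled"


def handler(event, context=None, s3=None):
    """Lambda entry point; the s3 argument exists so the logic can be tested offline."""
    if s3 is None:
        import boto3                      # only needed inside Lambda
        s3 = boto3.client("s3")
    bucket = bucket_from_config_event(event)
    if bucket is None:
        return {"skipped": True}
    params = json.loads(event.get("ruleParameters") or "{}")
    target = params.get("targetBucket", LOG_TARGET_BUCKET)
    # Deliberately no try/except here: a failed invocation shows up in
    # CloudWatch and Config, whereas a swallowed AccessDenied is exactly
    # the silent failure described in the question.
    return {"bucket": bucket, "result": ensure_logging(s3, bucket, target)}


class FakeS3:
    """Constructed stand-in for boto3's S3 client with an IAM-style action allow-list."""

    def __init__(self, allowed_actions):
        self.allowed = set(allowed_actions)
        self.logging = {}                 # bucket name -> BucketLoggingStatus

    def _authorize(self, action):
        if action not in self.allowed:
            raise PermissionError(f"AccessDenied: not authorized to perform {action}")

    def get_bucket_logging(self, Bucket):
        self._authorize("s3:GetBucketLogging")
        return dict(self.logging.get(Bucket, {}))

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        self._authorize("s3:PutBucketLogging")
        self.logging[Bucket] = BucketLoggingStatus


# Constructed Config payload for a bucket whose logging was just turned off.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::S3::Bucket",
                              "resourceName": "app-uploads-prod"},
    }),
    "ruleParameters": json.dumps({"targetBucket": "central-s3-access-logs"}),
}


def remediation_outcome(role_actions):
    """Run the handler under a role holding role_actions; return the result or the error."""
    try:
        return handler(SAMPLE_EVENT, s3=FakeS3(role_actions))["result"]
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    print(remediation_outcome(["s3:GetBucketLogging"]))   # the under-privileged role
    print(remediation_outcome(REQUIRED_S3_ACTIONS))       # the fixed role
```

    In a real deployment the same function also has to report the result back to Config with `config:PutEvaluations`, and the log target bucket needs a bucket policy granting `logging.s3.amazonaws.com` write access; both are separate permissions that produce the same "invoked but nothing happens" symptom when missing.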

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SCS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.