SCS-C01 Exam Details

  • Exam Code: SCS-C01
  • Exam Name: AWS Certified Security - Specialty (SCS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 733 Q&As
  • Last Updated: May 27, 2026

Amazon SCS-C01 Online Questions & Answers

  • Question 81:

    A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

    Which issues that are related to the CMK could be reasons for the error? (Choose two.)

    A. The CMK that is used in the attempt does not exist.
    B. The CMK that is used in the attempt needs to be rotated.
    C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
    D. The CMK that is used in the attempt is not enabled.
    E. The CMK that is used in the attempt is using an alias.

  • Question 82:

    A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.

    Which combination of steps should the company take to meet this requirement? (Select THREE.)

    A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
    B. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB.
    C. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
    D. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
    E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
    F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

  • Question 83:

    A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

    Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.

    Which solution will meet these requirements?

    A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
    B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
    C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
    D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.

  • Question 84:

    A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.

    Which solution meets these requirements?

    A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
    B. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
    C. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys from CloudHSM for client-side encryption of application data.
    D. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

  • Question 85:

    A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC.

    A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.

    What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

    A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions.
    B. Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC, configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC. Configure the service endpoint to allow connections from the Lambda functions.
    C. Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address.
    D. Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions.

  • Question 86:

    A company's public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only 3 times in any 5-minute period.

    Which solution will meet this requirement with the LEAST effort?

    A. Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.
    B. Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.
    C. Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.
    D. Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

  • Question 87:

    A security engineer needs to implement an intrusion detection system (IDS) for a shipping company. The findings from the system must generate alerts that can be sent to an email distribution group that the company's operations team uses. The security engineer must maximize the coverage that the IDS provides.

    Which combination of steps should the security engineer take to meet these requirements? (Choose two.)

    A. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture all traffic.
    B. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture accepted traffic.
    C. Configure Amazon GuardDuty. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
    D. Configure AWS Security Hub. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
    E. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Configure an AWS Lambda function to analyze VPC flow logs and to inspect all flow log traffic that matches the ACCEPT filter type.

  • Question 88:

    A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account.

    Which configuration caused this issue?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 89:

    A recent security audit identified that a company's application team injects database credentials into the environment variables of an AWS Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

    Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

    A. Option A
    B. Option B
    C. Option C
    D. Option D
    E. Option E
    F. Option F

  • Question 90:

    You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below.

    Please select:

    A. Change the root account password.
    B. Rotate all IAM access keys.
    C. Keep all resources running to avoid disruption.
    D. Change the password for all IAM users.
