
SCS-C01 Online Practice Questions and Answers

Questions 4

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.

What should the security engineer recommend?

A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

C. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.


Correct Answer: A

Questions 5

A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers.

The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them.

The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.

B. Enable the advanced-instances tier in Systems Manager.

C. Create a managed-instance activation for the on-premises servers.

D. Reconfigure the Systems Manager Agent with the activation code and ID.

E. Assign an IAM role to all of the on-premises servers.

F. Initiate an inventory collection with Systems Manager on the on-premises servers.


Correct Answer: CEF

Questions 6

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.

How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.

B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.

C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.

D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.


Correct Answer: B

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region.

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html

Questions 7

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions. What is the SIMPLEST way to meet these requirements?

A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.

B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.


Correct Answer: C

Questions 8

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?

A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.

B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.


Correct Answer: A

By default, a private instance has a private IP address but no public IP address. These instances can communicate with each other, but can't access the Internet. You can enable Internet access for an instance launched into a nondefault subnet by attaching an Internet gateway to its VPC (if its VPC is not a default VPC) and associating an Elastic IP address with the instance. Alternatively, to allow an instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound connections from the Internet, you can use a network address translation (NAT) instance. NAT maps multiple private IP addresses to a single public IP address. A NAT instance has an Elastic IP address and is connected to the Internet through an Internet gateway. You can connect an instance in a private subnet to the Internet through the NAT instance, which routes traffic from the instance to the Internet gateway, and routes any responses to the instance.

Questions 9

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old. Which of the following options should the Security Engineer use?

A. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.

B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.

C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.


Correct Answer: C

https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html
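One way to implement option C, added here as an example that is not from the exam page or from AWS: stale_key_users() parses a constructed credential report offline, while disable_stale_keys() assumes boto3 and IAM credentials are available and chains GenerateCredentialReport, GetCredentialReport and UpdateAccessKey.

```python
# Added example of option C (not from the exam page or AWS): stale_key_users()
# runs offline on a constructed report; disable_stale_keys() assumes boto3 + creds.
import csv
import time
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the question's "three months", taken as 90 days

# Constructed sample in the credential report's CSV layout (key columns only).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-10T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2019-06-01T00:00:00+00:00,true,2024-02-01T00:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,2018-03-01T00:00:00+00:00,false,N/A
"""

def stale_key_users(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Users with an ACTIVE key rotated more than max_age_days before `now`.
    Root and inactive keys are skipped; the report has no key IDs, so the
    caller resolves those with ListAccessKeys before UpdateAccessKey."""
    cutoff = now - timedelta(days=max_age_days)
    users = set()
    for row in csv.DictReader(report_csv.splitlines()):
        if row["user"] == "<root_account>":
            continue
        for slot in ("1", "2"):
            rotated = row[f"access_key_{slot}_last_rotated"]
            if (row[f"access_key_{slot}_active"] == "true" and rotated != "N/A"
                    and datetime.fromisoformat(rotated) < cutoff):
                users.add(row["user"])
    return sorted(users)

def disable_stale_keys(dry_run=True):
    """GenerateCredentialReport -> GetCredentialReport -> UpdateAccessKey."""
    import boto3  # imported here so the offline part above needs no boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    report = iam.get_credential_report()["Content"].decode("utf-8")
    now = datetime.now(timezone.utc)
    cutoff = now - timedelta(days=MAX_AGE_DAYS)
    disabled = []
    for user in stale_key_users(report, now):
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] == "Active" and key["CreateDate"] < cutoff:
                if not dry_run:  # set Status=Inactive rather than deleting the key
                    iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                disabled.append((user, key["AccessKeyId"]))
    return disabled
```

Run with dry_run=True first to review the returned (user, key ID) list; only the caller's IAM principal needs iam:GenerateCredentialReport, iam:GetCredentialReport, iam:ListAccessKeys and iam:UpdateAccessKey.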

Questions 10

An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?

Please select:

A. Expose the data with a public HTTPS endpoint.

B. A VPN between the VPC and the data center over a Direct Connect connection

C. A VPN between the VPC and the data center.

D. A Direct Connect connection between the VPC and data center


Correct Answer: B

Since a consistently low-latency connection is required, you should use Direct Connect. For encryption, you can make use of a VPN.

Option A is invalid because exposing an HTTPS endpoint will not allow all traffic to flow between a VPC and the data center. Option C is invalid because low latency is a key requirement. Option D is invalid because Direct Connect alone will not suffice.

For more information on the connection options, please see the link below: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharint

The correct answer is: A VPN between the VPC and the data center over a Direct Connect connection

Questions 11

Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below.

Please select:

A. Create an IAM user in the company account

B. Create an IAM Role in the company account

C. Ensure the IAM user has access for read-only to the S3 buckets

D. Ensure the IAM Role has access for read-only to the S3 buckets


Correct Answer: BD

The AWS Documentation mentions the following: To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section. Create an IAM role for each account that you want to share log files with. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with. Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.

Options A and C are invalid because creating an IAM user and then sharing the IAM user credentials with the vendor is a direct 'NO' practice from a security perspective.

For more information on sharing CloudTrail log files, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharine-loes.htmll

The correct answers are: Create an IAM Role in the company account; Ensure the IAM Role has access for read-only to the S3 buckets.

Questions 12

A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.

How should access be granted?

A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

C. Create a temporary IAM user for the application to use in the production account.

D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.


Correct Answer: A

Explanation: https://IAM.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

Questions 13

A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name is reportbucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented.

Which statement should the security specialist include in the policy?

A. Option A

B. Option B

C. Option C

D. Option D


Correct Answer: A

Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Last Update: May 29, 2026
Questions: 733
