BraindumpQuiz SCS-C01 Exam Questions Real SCS-C01 Practice Dumps [Q209-Q224]

Verified SCS-C01 Exam Dumps Q&As - Provide SCS-C01 with Correct Answers


Amazon AWS-Security-Specialty (AWS Certified Security - Specialty) Exam is a certification exam offered by Amazon Web Services (AWS) for IT professionals who are interested in enhancing their skills and knowledge in cloud security. SCS-C01 exam is designed to validate the expertise of individuals in securing AWS workloads and applications. It is an advanced-level exam that requires a deep understanding of the AWS platform, its security features and services, and best practices for securing cloud environments.


The AWS Certified Security - Specialty Exam is a challenging certification, and candidates must have a deep understanding of security principles and practices. SCS-C01 exam consists of 65 multiple-choice and multiple-response questions and has a time limit of 170 minutes. The passing score for the exam is 750 out of 1000. Candidates who pass the exam receive the AWS Certified Security - Specialty certification, which is recognized globally by employers and IT professionals.


NEW QUESTION # 209
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

  • A. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
  • B. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
  • C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
  • D. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream.

Answer: C


NEW QUESTION # 210
A company has a requirement to create a DynamoDB table. The company's software architect has provided the following CLI command for the DynamoDB table

Which of the following has been taken care of from a security perspective in the above command?
Please select:

  • A. The above command ensures data encryption in transit for the Customer table
  • B. Since the ID is hashed, it ensures security of the underlying table.
  • C. The right throughput has been specified from a security perspective
  • D. The above command ensures data encryption at rest for the Customer table

Answer: D

Explanation:
The above command with the "--sse-specification Enabled=true" parameter ensures that the data for the DynamoDB table is encrypted at rest.
Options A, C and D are all invalid because this command is specifically used to ensure data encryption at rest. For more information on DynamoDB encryption, please visit the URL:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html
The correct answer is: The above command ensures data encryption at rest for the Customer table.


NEW QUESTION # 211
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

  • A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
  • D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

Answer: B


NEW QUESTION # 212
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?

  • A. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
  • B. Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
  • C. Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.
  • D. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.

Answer: C


NEW QUESTION # 213
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
-Have the EC2 instances bootstrapped to connect to a backend database.
-Ensure that the database credentials are handled securely.
-Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?

  • A. Create an AWS Lambda function that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
  • B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters.
    Set the IAM role for the EC2 instance profile to allow access to the parameters.
  • C. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true.
    Ensure that the instance is configured to log to Amazon CloudWatch Logs.
  • D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Answer: B


NEW QUESTION # 214
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  • A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  • B. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  • C. Add an IAM policy for the Developer, which grants S3 access.
  • D. Add an allow list for the Developer account for the S3 service.

Answer: B


NEW QUESTION # 215
A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

  • A. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
  • B. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
  • C. Create a temporary IAM user for the application to use in the production account.
  • D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Answer: B

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/


NEW QUESTION # 216
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)

  • A. Enable container breakout at the host kernel.
  • B. Use Docker Notary framework to sign task definitions.
  • C. Use the containers to automate security deployments.
  • D. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
  • E. Segregate containers by host, function, and data classification.

Answer: B,D


NEW QUESTION # 217
You have an EC2 instance with the following security configured:
a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL
If flow logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
Please select:

  • A. A REJECT record for the response based on the Security Group
  • B. An ACCEPT record for the request based on the Security Group
  • C. An ACCEPT record for the request based on the NACL
  • D. A REJECT record for the response based on the NACL

Answer: B,C,D

Explanation:
This example is given in the AWS documentation as well.
For example, you use the ping command from your home computer (IP address 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic; however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present. For more information on Flow Logs, please refer to the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL


NEW QUESTION # 218
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

  • A. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
  • B. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
  • C. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"
  • D. "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource": "*"

Answer: D

Explanation:
Per the AWS documentation, below is the access required for a user to access the Usage Reports page; as per this, Option C is the right answer.


NEW QUESTION # 219
A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?

  • A. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
  • B. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
  • C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
  • D. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.

Answer: A


NEW QUESTION # 220
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.
How should the security engineer prevent unauthorized access to the EC2 instances?

  • A. Restrict SSH access in the security group to only known corporate IP addresses.
  • B. Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.
  • C. Delete the key pair from the EC2 console. Create a new key pair.
  • D. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Answer: A


NEW QUESTION # 221
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?



  • A. Option D
  • B. Option A
  • C. Option C
  • D. Option B

Answer: B

Explanation:
The question says "specific accounts", which means specific governed OUs under your organization, and you apply a specific service control policy to those OUs.


NEW QUESTION # 222
You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app, you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue?
Please select:

  • A. Use Amazon GuardDuty to analyze the traffic
  • B. Use AWS WAF to analyze the traffic
  • C. Use VPC Flow Logs to diagnose the traffic
  • D. Use AWS Trusted Advisor to see what can be done.

Answer: C

Explanation:
Option A is invalid because this can be used to check for security issues in your account, but not to verify why you cannot reach the home page for your application.
Option C is invalid because this is used to protect your app against application layer attacks, but not to verify why you cannot reach the home page for your application.
Option D is invalid because this is used to protect your instance against attacks, but not to verify why you cannot reach the home page for your application.
The AWS documentation mentions the following: VPC Flow Logs capture network flow information for a VPC, subnet or network interface and store it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security tool to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors.
For more information on AWS security, please visit the following URL:
https://aws.amazon.com/answers/networking/vpc-security-capabilities/
The correct answer is: Use VPC Flow Logs to diagnose the traffic


NEW QUESTION # 223
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?

Answer:

Explanation:
The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.
Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption":"aws:kms" is present. For more information on AWS KMS best practices, just browse to the below URL:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
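The policy options for this question did not survive on the page, so the following is an added example (not the dump's own answer) of a bucket policy built around the condition key the explanation names. It denies any PutObject to the 'demo' bucket that does not request SSE-KMS; the statement IDs are made up, and the second statement is included so that uploads which omit the encryption header entirely are refused as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::demo/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Because both statements are explicit Deny statements, they override any Allow granted to the caller elsewhere, which is the property that makes the control enforceable rather than advisory.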


NEW QUESTION # 224
......


The AWS-Security-Specialty certification exam requires candidates to have a good understanding of AWS security concepts, such as identity and access management, network security, encryption, and incident response. It covers a wide range of topics, including data protection, infrastructure security, monitoring and logging, and risk management. SCS-C01 exam also evaluates the ability of candidates to apply security best practices to AWS services and architectures, as well as to analyze and remediate security incidents.


Get Top-Rated Amazon SCS-C01 Exam Dumps Now: https://interfacett.braindumpquiz.com/SCS-C01-exam-material.html