AWS Certified Security - Specialty

Here you have the best Amazon SCS-C01 practice exam questions

  • You have 509 total questions across 102 pages (5 per page)
  • These questions were last updated on February 10, 2026
  • This site is not affiliated with or endorsed by Amazon.
Question 1 of 509
The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done within AWS?
Suggested Answer: A

To determine what the former employee may have done within AWS, the most direct approach would be to use the AWS CloudTrail console to search for user activity. AWS CloudTrail records AWS API calls and events for your account and provides visibility into user activities. With CloudTrail, you can look up API call history for the past 90 days without any prior setup, enabling you to quickly identify the actions taken by specific users or access keys. This makes it the most efficient tool for investigating recent user activity within AWS.

Community votes

No votes yet

Question 2 of 509
A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.
What is the MOST cost-effective way to correct this?
Suggested Answer: A

To correct the vault lock policy, abort the current in-progress lock using the abort-vault-lock operation, make the necessary updates to the policy to correct the typo, and then call the initiate-vault-lock operation again to establish the updated policy. This approach avoids any unnecessary data transfer or the complexity of managing new vaults or buckets, making it the most cost-effective solution.

Community votes

No votes yet

Question 3 of 509
A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?
Suggested Answer: C

To control access to AWS resources using identities and groups defined in an existing Microsoft Active Directory, the company must create AWS IAM roles. IAM roles allow the company to assign permissions for AWS services based on attributes from Active Directory users, enabling seamless integration and access management without creating individual IAM users or groups within AWS. This approach leverages federated access, which is ideal for integrating external identity providers like Active Directory.

Community votes

No votes yet

Question 4 of 509
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)
Suggested Answer: A, C, F

Several factors could cause the Auditor to experience difficulties accessing some AWS accounts. If the external ID used by the Auditor is missing or incorrect, it could prevent successful role assumption in the accounts, leading to access issues. Additionally, the Auditor must have the sts:AssumeRole permission for the role in the destination account to assume the role and access the resources. Finally, ensuring that the role ARN used by the Auditor is accurate is critical, as any discrepancy in this identifier can prevent role assumption and access. Therefore, these are the most likely causes of the problem.

Community votes

No votes yet

Question 5 of 509
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?
Suggested Answer: B

To meet the compliance requirements of ensuring all communications between on-premises hosts and EC2 instances are encrypted in transit while using custom proprietary protocols, the chosen solution must provide end-to-end encryption without termination at the load balancer. A Classic Load Balancer with a TCP listener routes traffic without decrypting it, allowing the TLS connection to be terminated directly on the EC2 instances. This setup supports custom protocols and maintains encryption throughout the transmission, ensuring both compliance and increased availability through load balancing.

Community votes

No votes yet

About the Amazon SCS-C01 Certification Exam

About the Exam

The Amazon SCS-C01 (AWS Certified Security - Specialty) validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 509 practice questions across 102 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on the test day. Our SCS-C01 questions are regularly updated to reflect the latest exam objectives.