Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Amazon
  3. SCS-C01

Amazon SCS-C01 Exam (page: 2)
Amazon AWS Certified Security - Specialty (SCS-C01)
Updated on: 25-Dec-2025

Viewing Page 2 of 108
SCS-C01 PDF 532 Questions

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

  1. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.
  2. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.
  3. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
  4. Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS- managed keys (SSE-KMS) to encrypt the data

Answer(s): D

Explanation:

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) When you use Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. Server-Side Encryption with Customer Master Keys (CMKs) Stored in IAM Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service.

When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual IAM KMS data key for every object. It makes a call to IAM KMS every time a request is made against a KMS-encrypted object.


Reference:

References:
https://docs.IAM.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
https://docs.IAM.amazon.com/AmazonS3/latest/dev/bucket-key.html https://docs.IAM.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html



A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

  1. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
  2. The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.
  3. The KMS key policy must allow permissions for the developer to use the KMS key.
  4. The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.
  5. The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Answer(s): B,C



A company uses a third-party identity provider and SAML-based SSO for its IAM accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:



A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

  1. Upload the third-party signing certificate's new private key to the IAM identity providerentity defined in IAM identity and Access Management (IAM) by using the IAM Management Console
  2. Sign the identity provider's metadata file with the new public key Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.
  3. Download the updated SAML metadata tile from the identity service provider Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI
  4. Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Answer(s): C



A company is outsourcing its operational support 1o an external company. The company's security officer must implement an access solution fen delegating operational support that minimizes overhead.

Which approach should the security officer take to meet these requirements?

  1. implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management Allow the external company to federate through its identity provider
  2. Federate IAM identity and Access Management (IAM) with the external company's identity provider Create an IAM role and attach a policy with the necessary permissions
  3. Create an IAM group for me external company Add a policy to the group that denies IAM modifications Securely provide the credentials to the eternal company.
  4. Use IAM SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.

Answer(s): B



A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?

  1. Create a new CMK. Download a new wrapping key and a new import token to import the original key material
  2. Create a new CMK Use the original wrapping key and import token to import the original key material.
  3. Download a new wrapping key and a new import token Import the original key material into the existing CMK.
  4. Use the original wrapping key and import token Import the original key material into the existing CMK

Answer(s): C



Viewing Page 2 of 108



Share your comments for Amazon SCS-C01 exam with other users:

Vv 12/2/2023 6:31:00 AM

good to prepare in this site
UNITED STATES


praveenkumar 11/20/2023 11:57:00 AM

very helpful to crack first attempt
Anonymous


asad Raza 5/15/2023 5:38:00 AM

please upload this exam
CHINA


Reeta 7/17/2023 5:22:00 PM

please upload the c_activate22 dump questions with answer
SWEDEN


Wong 12/20/2023 11:34:00 AM

q10 - the answer should be a. if its c, the criteria will meet if either the prospect is not part of the suppression lists or if the job title contains vice president
MALAYSIA


david 12/12/2023 12:38:00 PM

this was on the exam as of 1211/2023
Anonymous


Tink 7/24/2023 9:23:00 AM

great for prep
GERMANY


Jaro 12/18/2023 3:12:00 PM

i think in question 7 the first answer should be power bi portal (not power bi)
Anonymous


9eagles 4/7/2023 10:04:00 AM

on question 10 and so far 2 wrong answers as evident in the included reference link.
Anonymous


Tai 8/28/2023 5:28:00 AM

wonderful material
SOUTH AFRICA


VoiceofMidnight 12/29/2023 4:48:00 PM

i passed!! ...but barely! got 728, but needed 720 to pass. the exam hit me with labs right out of the gate! then it went to multiple choice. protip: study the labs!
UNITED STATES


A K 8/3/2023 11:56:00 AM

correct answer for question 92 is c -aws shield
Anonymous


Nitin Mindhe 11/27/2023 6:12:00 AM

great !! it is really good
IRELAND


BailleyOne 11/22/2023 1:45:00 AM

explanations for the answers are to the point.
Anonymous


patel 10/25/2023 8:17:00 AM

how can rea next
INDIA


MortonG 10/19/2023 6:32:00 PM

question: 128 d is the wrong answer...should be c
EUROPEAN UNION


Jayant 11/2/2023 3:15:00 AM

thanks for az 700 dumps
Anonymous


Bipul Mishra 12/14/2023 7:12:00 AM

thank you for this tableau dumps . it will helpfull for tableau certification
UNITED STATES


hello 10/31/2023 12:07:00 PM

good content
Anonymous


Matheus 9/3/2023 2:14:00 PM

just testing if the comments are real
UNITED STATES


yenvti2@gmail.com 8/12/2023 7:56:00 PM

very helpful for exam preparation
Anonymous


Miguel 10/5/2023 12:16:00 PM

question 11: https://help.salesforce.com/s/articleview?id=sf.admin_lead_to_patient_setup_overview.htm&type=5
SPAIN


Noushin 11/28/2023 4:52:00 PM

i think the answer to question 42 is b not c
CANADA


susan sandivore 8/28/2023 1:00:00 AM

thanks for the dump
Anonymous


Aderonke 10/31/2023 12:51:00 AM

fantastic assessments
Anonymous


Priscila 7/22/2022 9:59:00 AM

i find the xengine test engine simulator to be more fun than reading from pdf.
GERMANY


suresh 12/16/2023 10:54:00 PM

nice document
Anonymous


Wali 6/4/2023 10:07:00 PM

thank you for making the questions and answers intractive and selectable.
UNITED STATES


Nawaz 7/18/2023 1:10:00 AM

answers are correct?
UNITED STATES


das 6/23/2023 7:57:00 AM

can i belive this dump
INDIA


Sanjay 10/15/2023 1:34:00 PM

great site to practice for sitecore exam
INDIA


jaya 12/17/2023 8:36:00 AM

good for students
UNITED STATES


Bsmaind 8/20/2023 9:23:00 AM

nice practice dumps
Anonymous


kumar 11/15/2023 11:24:00 AM

nokia 4a0-114 dumps
Anonymous