Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCLF-C02TopicsSecurity and Compliance
Free · No Signup RequiredAmazon Web Services · CLF-C02

CLF-C02 Security and Compliance Practice Questions

20+ practice questions focused on Security and Compliance — one of the most tested topics on the AWS Certified Cloud Practitioner CLF-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start Security and Compliance Practice

Exam Domains

Cloud ConceptsSecurity and ComplianceCloud Technology and ServicesBilling, Pricing, and SupportAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample Security and Compliance Questions

Practice all 20+ →
1.

A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Security Hub

Explanation: AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications. The company can use AWS Artifact to download the SOC 2 Type II report directly, fulfilling the auditor's request without needing to contact AWS support.

2.

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.AWS Security Hub

Explanation: AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. With a managed rule like `restricted-ssh`, AWS Config can automatically detect security groups that allow unrestricted SSH access (0.0.0.0/0) and trigger alerts or remediation actions. This meets the compliance team's requirement for ongoing, rule-based evaluation of security group configurations.

3.

A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?

A.Add a condition to the KMS key policy that uses the 'kms:RequestTag/ConditionKey' to require the tag on the caller.
B.Add a condition to the IAM role's trust policy that denies the 'kms:Decrypt' action unless the role has the tag.
C.Add a condition to the IAM policy that grants the 'kms:Decrypt' permission with a condition on 'aws:PrincipalTag' to require the tag.
D.Add a condition to the S3 bucket policy that denies all access unless the IAM role has the required tag.

Explanation: Option C is correct because the condition key 'aws:PrincipalTag' in an IAM policy allows you to control access based on tags attached to the IAM principal (the role). By adding a condition that requires 'aws:PrincipalTag/Environment' to equal 'Production', the 'kms:Decrypt' permission is only effective when the IAM role has that specific tag. This directly enforces the security team's requirement at the IAM policy level, which is the appropriate place to restrict permissions based on principal attributes.

4.

A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Trusted Advisor

Explanation: AWS CloudTrail is the correct service because it records all API calls made to AWS services, capturing the identity of the caller, timestamp, source IP address, and request details. It stores these logs in Amazon S3 with server-side encryption and integrity validation via digest files, and can be configured to retain logs for more than five years using lifecycle policies or by archiving to Amazon S3 Glacier.

5.

A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?

A.Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS)
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-Side Encryption using an on-premises key management system

Explanation: SSE-C allows the customer to provide their own encryption keys for server-side encryption of S3 objects. The customer manages the keys entirely, and AWS does not store or manage them, meeting the compliance requirement that encryption keys must never be stored or managed by the cloud provider.

+15 more Security and Compliance questions available

Practice all Security and Compliance questions

How to master Security and Compliance for CLF-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security and Compliance. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security and Compliance questions on the CLF-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CLF-C02 Security and Compliance questions are on the real exam?

The exact number varies per candidate. Security and Compliance is tested as part of the AWS Certified Cloud Practitioner CLF-C02 blueprint. Practicing with targeted Security and Compliance questions ensures you can handle any format or difficulty that appears.

Are these CLF-C02 Security and Compliance practice questions free?

Yes. Courseiva provides free CLF-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security and Compliance one of the harder CLF-C02 topics?

Difficulty is subjective, but Security and Compliance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full Security and Compliance practice session with instant scoring and detailed explanations.

Start Security and Compliance Practice →

Topic Info

Topic

Security and Compliance

Exam

CLF-C02

Questions available

20+