Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Management and Security Governance

Practice SCS-C02 Management and Security Governance questions with full explanations on every answer.


All SCS-C02 Management and Security Governance questions (262)


1

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

2

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

3

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

4

A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

5

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

6

A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created without MFA. Which SCP should be applied at the root OU?

7

A security engineer needs to ensure that all EC2 instances launched in a development account are tagged with a cost center. What is the most effective way to enforce this?

8

A company wants to centrally manage access keys for IAM users. Which AWS service can generate and rotate access keys automatically?

9

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

10

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

11

A security engineer is designing a solution to protect sensitive data in S3. Which THREE mechanisms can be used to enforce encryption at rest?

12

Refer to the exhibit. A security engineer applies this bucket policy to an S3 bucket. A user without HTTPS tries to download an object. What is the outcome?

13

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

14

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

15

A company uses AWS Organizations with a single management account and multiple member accounts. The security team needs to ensure that all member accounts automatically deploy AWS Config rules to audit security group configurations. Which solution meets this requirement with minimal operational overhead?

16

A security engineer is designing a solution to monitor and remediate non-compliant resources across multiple AWS accounts. The company uses AWS Organizations and wants to enforce that any S3 bucket with public read access is automatically remediated. The solution must be centralized and scalable. Which approach should the engineer take?

17

A startup uses a single AWS account for development. The developer has full administrative access and accidentally deleted an S3 bucket containing critical data. The security team wants to prevent similar incidents without hindering agility. What is the MOST effective control?

18

A company has multiple AWS accounts managed through AWS Organizations. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI). Which governance control should be implemented?

19

A company wants to use AWS CloudFormation to manage infrastructure. The security team requires that all templates are scanned for security vulnerabilities before deployment. Which service should be integrated into the pipeline?

20

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

21

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. Which configuration should be used?

22

A security engineer is designing a governance framework for a multi-account AWS environment. The framework must enforce the principle of least privilege for cross-account access. Which TWO strategies should be implemented?

23

A company's security team is implementing controls to meet PCI DSS compliance. The environment includes Amazon EC2, RDS, and S3. Which THREE controls should be implemented to address logging and monitoring requirements?

24

A security engineer attaches the above SCP to an OU containing development accounts. The engineer expects that only t3.micro instances can be launched, but developers report that they cannot launch any EC2 instances. What is the MOST likely reason?

25

A security engineer reviews the above CloudTrail event. Which action should the engineer take FIRST to mitigate a potential security issue?

26

A global e-commerce company operates in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company uses AWS Organizations with 50 member accounts grouped by business unit. The security team recently discovered that several S3 buckets containing customer data were accidentally made public due to misconfigured bucket policies. The team wants to implement a preventive control that blocks any S3 bucket from becoming public across all accounts, while still allowing authorized cross-account access. The solution must be centrally managed and not require changes to existing IAM policies. Additionally, the team needs to be notified immediately when a public bucket is attempted. Which solution meets all requirements?

27

A company uses AWS Organizations with multiple accounts and wants to ensure that all newly created S3 buckets have encryption enabled. The Security team needs a solution that automatically remediates non-compliant buckets without manual intervention. What should they do?

28

A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?

29

Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)

30

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

31

A company has a three-tier web application running on AWS. The application consists of an Application Load Balancer (ALB), an EC2 Auto Scaling group for web servers, and an RDS MySQL database. The Security team recently discovered that the database is publicly accessible from the internet. They need to remediate this immediately while minimizing downtime. The database is critical for the application, and the application must remain available. The team has identified that the database security group currently allows inbound traffic from 0.0.0.0/0 on port 3306. The web servers are in a security group named 'web-sg'. The database security group is named 'db-sg'. The team wants to restrict access to only the ALB and the web servers. Which action should the team take to resolve the issue with the least downtime?

32

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the organization have multi-factor authentication (MFA) enabled. Which combination of actions should be taken to enforce this requirement?

33

A security engineer is designing a governance framework for a multi-account AWS environment. The engineer needs to ensure that all accounts comply with the principle of least privilege for IAM roles and that any non-compliant resources are automatically reported. Which two AWS services should the engineer use together to achieve this? (Choose TWO.)

34

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

35

Drag and drop the steps to configure Amazon GuardDuty for multi-account security in the correct order.

36

Drag and drop the steps to set up a secure S3 bucket with encryption and access control in the correct order.

37

Match each AWS security control to its category.

38

Match each AWS VPC flow log type to its description.

39

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce that all S3 buckets across the organization have block public access enabled. Which policy should be used?

40

A security engineer notices that an IAM role in the production account is being assumed by a user from another AWS account, which violates the principle of least privilege. The role's trust policy allows the root user of the external account. What is the MOST secure way to restrict access to only a specific user in the external account?

41

A company wants to automatically detect and remediate S3 buckets that are publicly accessible. Which AWS service can be used to evaluate bucket policies against a defined rule and trigger an automated response?

42

A company uses AWS Organizations with all features enabled. The security team wants to ensure that no IAM users are created in any account. Which approach should be used?

43

A company's security team needs to enforce encryption at rest for all RDS instances in the production account. They have enabled mandatory encryption using a service control policy. What else must be done to ensure existing unencrypted RDS instances are encrypted?

44

A company needs to audit all changes to IAM policies in their AWS account for compliance. Which AWS service should be enabled to record the API calls that modify IAM policies?

45

A security engineer notices that an S3 bucket contains objects that are accessible to authenticated users from other AWS accounts. The bucket policy allows access to the 'aws:SourceArn' condition that references an Amazon Resource Name (ARN) from another account. What is the MOST effective way to restrict access to only users from the company's own account?

46

A company's security team is implementing a data classification policy for S3 objects using S3 Object Tags. They need to ensure that any object uploaded without the required 'classification' tag is automatically denied. Which S3 bucket policy condition should be used?

47

A company wants to centrally manage and enforce backup policies for all EC2 instances across multiple AWS accounts. Which AWS service should be used?

48

A company uses AWS Organizations and wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail log files from S3. Which TWO actions should the security team take? (Choose TWO.)

49

A security team needs to ensure that all IAM users in a production account use multi-factor authentication (MFA) before accessing the AWS Management Console. Which THREE steps should be taken? (Choose THREE.)

50

A company uses AWS KMS to encrypt sensitive data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which TWO actions should be taken? (Choose TWO.)

51

An IAM policy is used to grant access to an S3 bucket. The policy condition requires that objects be retrieved using AES256 encryption. However, users can still download objects without specifying encryption. What is the MOST likely reason?

52

A security engineer is reviewing the CloudTrail configuration for a trail named 'management-trail'. The engineer needs to ensure that all S3 object-level operations in the bucket 'my-bucket' are logged. What is the issue with the current configuration?

53

An S3 bucket policy is created as shown. What is the effect of this policy?

54

A security engineer notices that an IAM user has permissions that exceed their job requirements. The engineer wants to implement the principle of least privilege. Which IAM feature should be used to grant only the necessary permissions?

55

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable a specific security service, such as AWS Config, across all accounts. Which approach should be used?

56

A developer has created an S3 bucket policy that grants public read access. The security team wants to prevent any S3 bucket from becoming public. Which AWS service can enforce this restriction across all accounts?

57

A company wants to centrally manage IAM users and allow them to access multiple AWS accounts using a single set of credentials. Which AWS service should be used?

58

A security team needs to enforce that all EC2 instances launched in a specific AWS account use only approved AMIs. Which combination of services can enforce this requirement?

59

A company wants to automate the enforcement of security best practices across all AWS accounts. Which AWS service provides pre-built rules for security compliance?

60

A security engineer discovers that an IAM user has a policy that allows them to delete any S3 bucket in the account. The engineer wants to audit all delete actions performed by this user. Which AWS service should be used?

61

A company uses AWS Organizations and wants to restrict the use of specific AWS services in member accounts. For example, they want to block the use of Amazon Redshift. Which policy type should be used?

62

A security engineer needs to automatically detect and respond to unauthorized API calls in an AWS account. Which two services should be used together?

63

Which TWO actions can be taken to enforce the principle of least privilege for IAM users in an AWS account? (Choose two.)

64

Which THREE are benefits of using AWS CloudTrail for security governance? (Choose three.)

65

Which TWO are valid methods to centrally manage multiple AWS accounts? (Choose two.)

66

A company requires that all IAM users in the Security team must use multi-factor authentication (MFA) to access the AWS Management Console. The company has enabled MFA for all users, but the Security team administrator reports that some users can still sign in without MFA. Which action should the administrator take to enforce MFA for all sign-ins?

67

A developer needs to grant an IAM user read-only access to an S3 bucket containing sensitive data. The bucket is encrypted with an AWS KMS customer managed key. Which set of permissions must be included in the IAM policy?

68

A company's Security team is using AWS Organizations with a consolidated billing account. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. Which combination of actions should the security team take? (Choose the best answer.)

69

A company uses AWS Organizations with multiple accounts. The security team wants to centrally manage IAM policies across all accounts. Which AWS feature should the team use to enforce permissions across member accounts?

70

A security engineer needs to grant an EC2 instance access to an S3 bucket without storing long-term credentials on the instance. Which approach should the engineer use?

71

A company is using AWS Organizations with SCPs. The management account has an SCP that denies access to all EC2 actions. A developer in a member account tries to launch an EC2 instance but receives an authorization error. The developer has an IAM policy that allows ec2:RunInstances. What is the most likely cause of the error?

72

A company wants to ensure that IAM users with console access have strong passwords. Which IAM password policy setting should the company configure to enforce the use of at least one uppercase letter?

73

A security engineer needs to audit all API calls made in an AWS account for the past 90 days. Which AWS service should the engineer use?

74

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys can only be used by specific IAM roles and that key usage is logged. Which combination of actions should the team take? (Choose the best answer.)

75

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

76

Which THREE measures should a security team implement to detect and respond to potential security incidents in an AWS environment? (Select THREE.)

77

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple AWS accounts? (Select TWO.)

78

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization block public access. Which policy should be attached to the root organizational unit to achieve this?

79

A security engineer notices that an IAM user has been performing suspicious actions in an AWS account. The engineer needs to generate a credential report to identify the age of the user's access keys. Which AWS CLI command should the engineer run?

80

A company wants to centrally manage and enforce security policies across all accounts in AWS Organizations. Which AWS service should be used to define and apply guardrails?

81

A security engineer is designing a solution to automatically remediate non-compliant resources in an AWS account. The engineer needs to trigger an AWS Lambda function when an EC2 instance is launched without the required tags. Which AWS service should be used to detect the non-compliant resource and invoke the Lambda function?

82

An organization has a requirement to retain all AWS CloudTrail logs for at least 7 years for compliance. Currently, logs are stored in an S3 bucket with default settings. What is the MOST cost-effective way to meet the retention requirement?

83

A company's security team wants to receive alerts when an IAM user creates a new access key. Which AWS service can be used to monitor and notify on this specific API call?

84

A security engineer is designing a cross-account access policy. The engineer has an S3 bucket in Account A and wants to grant read access to a user in Account B. Which combination of policies is required?

85

An organization uses AWS Organizations and wants to restrict the use of specific EC2 instance types across all member accounts. Which policy type should be used to enforce this restriction?

86

A company wants to log all API calls made in their AWS account for auditing. Which AWS service should be enabled to capture these logs?

87

A security engineer is reviewing the following IAM policy attached to a role. Which TWO actions are allowed by this policy? (Choose two.)

88

A company is implementing AWS Organizations with multiple accounts. Which THREE are benefits of using service control policies (SCPs)? (Choose three.)

89

Which TWO AWS services can be used to detect and alert on suspicious API activity in real-time? (Choose two.)

90

Refer to the exhibit. A security engineer attaches this S3 bucket policy to an S3 bucket. What is the effect of this policy?

91

Refer to the exhibit. A security engineer runs the get-trail-status command for a CloudTrail trail. The engineer notices that LatestCloudWatchLogsDeliveryTime is null. What does this indicate?

92

Refer to the exhibit. A security engineer creates this IAM policy for a user. Which action can the user perform?

93

A company wants to enforce that all IAM users in an AWS account must have multi-factor authentication (MFA) enabled. Which AWS service can be used to automatically detect and remediate non-compliant users?

94

A security engineer needs to centrally manage and enforce security policies across multiple AWS accounts in an organization. Which AWS service should they use?

95

A company's security team discovers that an IAM role has been assumed from an unexpected external AWS account. Which AWS service can be used to analyze the trust policy and identify unintended access?

96

A company wants to automatically detect and notify about any S3 buckets that have public read access. Which combination of services should be used?

97

A security engineer needs to ensure that all new IAM users are created with a strong password policy enforced. Which action should be taken?

98

A security team wants to audit all changes to IAM policies in the AWS account. Which AWS service should be used to track these changes?

99

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable Amazon GuardDuty. Which SCP should be applied?

100

A security engineer notices that an S3 bucket policy allows access to a principal from another AWS account. Which AWS feature can be used to check if this external access is intended?

101

A company wants to run a security assessment that checks for vulnerabilities in an EC2 instance. Which AWS service should be used?

102

Which TWO actions should a security engineer take to ensure that an S3 bucket is not publicly accessible? (Choose two.)

103

Which THREE AWS services can be used to detect and alert on suspicious API activity in an AWS account? (Choose three.)

104

Which TWO AWS services can be used to enforce that specific resource types (e.g., EC2 instances) are tagged with a 'CostCenter' tag? (Choose two.)

105

A company wants to enforce that all IAM users in its AWS account use multi-factor authentication (MFA) for console login. Which action should be taken to ensure compliance?

106

A security engineer needs to ensure that an Amazon S3 bucket is not publicly accessible. Which AWS service can be used to continuously monitor and alert if the bucket becomes public?

107

A company uses AWS Organizations with multiple accounts. The security team wants to prevent members of the 'Developers' group from modifying IAM roles in any account. What is the most effective way to enforce this restriction?

108

A company requires that all Amazon EC2 instances be launched only with an approved Amazon Machine Image (AMI) that has been hardened by the security team. Which AWS service should be used to enforce this requirement?

109

A security engineer needs to automate the response to an AWS CloudTrail log event that indicates a potential security threat. Which AWS service would be most appropriate to orchestrate the automated response?

110

A company has an AWS account with a single VPC and multiple subnets. The security team wants to ensure that no network ACL (NACL) allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS service can be used to detect and alert on such non-compliant NACLs?

111

A company needs to audit all changes to IAM policies in its AWS account. Which AWS service should be used to record the change history of IAM policies?

112

A security engineer needs to generate a report of all AWS Identity and Access Management (IAM) users who have not used their access keys in the last 90 days. Which AWS service can provide this information?

113

A company uses AWS Organizations and wants to restrict the AWS Regions in which resources can be created across all member accounts. Which mechanism should be used?

114

A security engineer needs to implement a solution to detect and alert on suspicious API calls in an AWS account. Which TWO AWS services should be integrated to achieve this? (Choose two.)

115

A company wants to centrally manage and enforce security policies across multiple AWS accounts using AWS Organizations. Which THREE actions should be taken? (Choose three.)

116

A company needs to ensure that its S3 buckets are not publicly accessible. Which TWO AWS services can be used to detect and report on public S3 buckets? (Choose two.)

117

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all newly created accounts automatically have AWS CloudTrail enabled, with logs delivered to a centralized S3 bucket. Which solution meets these requirements with the least operational overhead?

118

A security engineer needs to audit all IAM role creations across an AWS account. Which AWS service should be used to log these API calls?

119

A company has a requirement that all access keys for IAM users must be rotated every 90 days. A security engineer needs to implement an automated solution to identify and disable keys that are older than 90 days. Which approach meets the requirement with the least operational overhead?

120

An IAM policy is attached to a user. The user reports that they cannot list objects in the bucket 'example-bucket' from their home office IP address 203.0.113.50. What is the most likely cause?

121

A company wants to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. The bucket policy in Account A allows access from Account B. What additional configuration is required?

122

A security engineer notices that CloudTrail logs are not being delivered to the S3 bucket for the past 2 hours. The output of 'get-trail-status' is shown. What is the most likely cause?

123

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which AWS service can be used to enforce this requirement?

124

A security team needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. The solution must be scalable and support future account additions. Which approach meets these requirements?

125

This SCP is attached to an organizational unit (OU). A developer in an account within the OU tries to launch a t2.small instance. What is the outcome?

126

A security engineer is designing a data encryption strategy for an S3 bucket that contains sensitive information. Which TWO of the following are valid options for enforcing encryption at rest?

127

A company has a security requirement that any Amazon RDS database must be encrypted at rest. Which TWO actions should be taken to enforce this requirement?

128

A security engineer needs to grant a user read-only access to an S3 bucket. Which THREE of the following are required in the IAM policy?

129

A company uses AWS Organizations to manage 50 accounts. The security team has enabled AWS CloudTrail in the management account with an organization trail that delivers logs to a central S3 bucket. The bucket policy grants necessary permissions to CloudTrail. Recently, the security team noticed that logs from two member accounts stopped appearing in the bucket. Other accounts continue to deliver logs correctly. The CloudTrail status in the management account shows that the trail is logging and deliveries are succeeding. The security team checked the CloudTrail configuration in the affected member accounts and found that they do not have any trails configured. The IAM roles used for CloudTrail in the management account have sufficient permissions. What is the most likely cause of the missing logs?

130

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all users use MFA for API calls. An IAM policy is created that denies all actions unless MFA is present. The policy is attached to all users. However, users report that they can still make API calls without MFA. The security team reviews the policy and confirms it is correct. What is the most likely reason the policy is not being enforced?

131

A company has an AWS account with multiple S3 buckets that contain sensitive data. The security team wants to ensure that no public access is granted to any bucket. The team has enabled AWS Config and set up a rule to detect public buckets. The rule reports that all buckets are compliant. However, during a security review, a team member finds that one bucket has a bucket policy that grants 's3:GetObject' to 'Principal': '*'. Why did the AWS Config rule not detect this?

132

A security engineer is auditing an S3 bucket policy that allows cross-account access. The engineer wants to ensure that only encrypted connections are permitted. Which condition should be added to the policy?

133

A company uses AWS Organizations with all features enabled. The security team needs to ensure that no member account can disable AWS CloudTrail logging or delete CloudTrail logs stored in S3. Which combination of preventive controls should be implemented?

134

A security engineer is designing a system to centrally manage IAM users and roles across multiple AWS accounts. The company uses AWS Organizations. Which AWS service should be used to manage permissions across accounts?

135

A company has a requirement to automatically rotate secrets for an RDS database every 90 days. The secrets are stored in AWS Secrets Manager. Which resource should be configured to perform the rotation?

136

A security engineer is designing a logging solution for a multi-account environment using AWS Organizations. The solution must meet the following requirements:
- Logs from all accounts must be centrally stored and immutable.
- Only the security team should be able to delete logs.
- Logs must be encrypted at rest.

Which TWO steps should the engineer take to meet these requirements? (Choose TWO.)

137

A security engineer is implementing a data classification policy for an S3 bucket that contains sensitive customer data. The policy requires that all objects be encrypted at rest using AWS KMS and that any attempt to upload an unencrypted object be denied. Which THREE steps should the engineer take to enforce this policy? (Choose THREE.)

138

A company is using AWS Organizations and wants to restrict the use of specific AWS services in member accounts. Which TWO approaches can be used to enforce these restrictions? (Choose TWO.)

139

A security engineer needs to ensure that all API calls in an AWS account are logged and that the logs are encrypted at rest and retained for at least 7 years. Which THREE steps should the engineer take? (Choose THREE.)

140

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to read objects from an S3 bucket only from the office IP range 192.0.2.0/24. However, the user reports that they can access objects from any IP address. What is the most likely reason?

141

A security engineer runs the above CloudTrail lookup command to investigate a change to the S3 bucket policy. The command only returns one event, but the engineer knows that the bucket policy was changed multiple times. What is the most likely reason?

142

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They attach an IAM policy that denies all actions if the user does not have MFA. However, after attaching the policy, some users report that they are unable to perform any actions even after authenticating with MFA. The policy uses the condition "aws:MultiFactorAuthPresent": "false". The security team verifies that the users have MFA enabled and are using it. What is the most likely cause of this issue?

143

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that the logs are delivered to a centralized S3 bucket in the management account. The team creates an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Additionally, they enable a CloudTrail organizational trail. However, after some time, they discover that one member account has disabled CloudTrail. What is the most likely reason this happened?

144

A startup is deploying a web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that all traffic to the EC2 instances is encrypted. They configure the ALB to listen on HTTPS (port 443) and forward traffic to the EC2 instances on HTTP (port 80). Additionally, they create a security group for the EC2 instances that only allows inbound traffic from the ALB's security group on port 80. However, a security audit reveals that the traffic between the ALB and EC2 instances is not encrypted. Which step should the security team take to encrypt the traffic between the ALB and EC2 instances?

145

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security engineer tests the configuration and finds that requests from the VPC endpoint are being denied. The bucket policy contains the following condition: "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-12345678" } }. The VPC endpoint ID is correct. The engineer also confirms that the VPC endpoint policy allows the necessary S3 actions. What is the most likely reason for the denial?

146

A company uses AWS Organizations and has a requirement to enforce that all EC2 instances launched in any account must have a specific tag "Environment" with value "Production". The security team wants to prevent any instance without this tag from being launched. They implement a service control policy (SCP) that denies the ec2:RunInstances action if the request does not include the required tag. However, they find that users are still able to launch instances without the tag. The SCP is attached to the root OU. The team also has an IAM policy that allows ec2:RunInstances with no conditions. What is the most likely reason the SCP is not preventing the launches?

147

A company has a multi-account AWS Organizations setup with hundreds of accounts. The Security team needs to enforce a policy that prohibits the creation of any S3 bucket with public read access across all accounts. They have enabled all features in Organizations and are using Service Control Policies (SCPs). The team creates an SCP with a Deny effect for s3:PutBucketAcl and s3:PutBucketPolicy when the request includes a condition that would make the bucket public. They attach the SCP to the root OU. However, a developer in a member account under the root OU is able to create a bucket with a bucket policy that grants public read access. The SCP is evaluated and shows the Deny is effective for s3:PutBucketPolicy but the bucket policy is still created. What is the MOST likely reason for this behavior?

148

A security engineer needs to ensure that all API calls made to AWS services are logged for auditing. Which AWS service should be used?

149

A company wants to enforce that all S3 buckets are encrypted with SSE-KMS. Which AWS service can be used to automatically remediate non-compliant buckets?

150

A security team needs to centrally manage permissions for multiple AWS accounts. Which AWS service should they use?

151

A company wants to grant cross-account access to an S3 bucket. What is the best practice for managing permissions?

152

A security engineer notices that an IAM user has been inactive for 90 days. What is the best way to identify and disable such users?

153

Which AWS service provides a centralized view of compliance status for AWS resources?

154

A company wants to enforce that all EC2 instances use a specific AMI ID. Which AWS service can be used to detect and remediate non-compliant instances?

155

A security engineer needs to monitor for unauthorized API calls in real-time. Which combination of services should be used?

156

Which AWS service allows you to create and manage encryption keys for your AWS resources?

157

Which TWO actions should a security engineer take to protect root user credentials? (Select TWO.)

158

Which THREE AWS services can be used to centrally manage security across multiple accounts? (Select THREE.)

159

Which TWO are best practices for managing IAM policies? (Select TWO.)

160

Refer to the exhibit. An IAM policy attached to a user allows s3:GetObject only from a specific IP range and denies all S3 actions if not using HTTPS. What happens when the user makes a GET request from IP 10.0.0.5 using HTTP?

161

Refer to the exhibit. A security engineer runs the AWS CLI command to look up CloudTrail events. What can be concluded from the output?

162

Refer to the exhibit. A CloudFormation template creates an S3 bucket. Which security control is NOT enabled by this template?

163

A security engineer is designing a solution to enforce that all S3 buckets in an AWS account have server-side encryption enabled. The engineer needs to automatically remediate any non-compliant buckets. Which AWS service should be used to implement this requirement?

164

A company wants to grant a third-party auditor read-only access to specific CloudTrail log files stored in an S3 bucket. The auditor should not be able to list or access any other objects in the bucket. What is the most secure way to achieve this?

165

A company's security team needs to implement a solution to detect and alert on the creation of IAM users or roles with administrative privileges. The solution must be able to analyze historical account activity and provide real-time alerts. Which combination of AWS services should be used?

166

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. What is the most efficient way to enforce this across all accounts?

167

A developer accidentally committed AWS access keys to a public GitHub repository. The security team needs to immediately revoke the compromised keys and ensure that no new keys are created for that IAM user. What is the most effective immediate action?

168

A company has a requirement that all Amazon EC2 instances must be launched with an IAM role that grants least-privilege permissions. The security team wants to prevent users from launching instances without a role, and also wants to ensure that the role used is one of a set of approved roles. How can this be enforced?

169

A company uses AWS Key Management Service (KMS) to encrypt sensitive data in Amazon S3. The security team needs to ensure that the KMS key can only be used from within the company's VPC and not from the public internet. How can this be achieved?

170

A company is using AWS Organizations and wants to delegate the management of IAM policies to a specific member account without granting full administrative access. Which AWS feature allows the management account to delegate policy management to another account?

171

A company's security team is implementing a solution to automatically revoke public access to Amazon S3 buckets that become public. The solution must be serverless and use native AWS services. Which combination of services should be used?

172

Which TWO AWS services can be used to centrally manage and audit permissions across multiple AWS accounts? (Choose two.)

173

Which THREE steps should a security engineer take to remediate a compromised IAM user whose access keys were exposed? (Choose three.)

174

Which TWO AWS services can be used to enforce that Amazon S3 buckets are not publicly accessible? (Choose two.)

175

The exhibit shows an SCP attached to an organizational unit. What is the effect of this policy?

176

A security engineer runs the get-account-authorization-details command and sees the exhibit output. The engineer wants to ensure that the 'admin' user does not have administrative access. Which steps should be taken?

177

The exhibit shows an S3 bucket policy. The security team wants to ensure that only users from account 123456789012 can access objects in the bucket. What is a potential security issue with this policy?

178

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted with AWS KMS keys. What is the MOST effective way to enforce this requirement?

179

A security engineer is designing a centralized logging solution for a multi-account AWS environment using AWS Organizations. The solution must ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the security account. Additionally, the logs must be encrypted with a KMS key that is managed by the security account. Which combination of steps is required?

180

A company wants to automate the enforcement of security best practices across all AWS accounts in an organization. The solution should automatically remediate noncompliant resources. Which AWS service should be used to achieve this?

181

A security team is reviewing IAM roles and policies. They want to ensure that any new IAM role created in the account must include a specific managed policy (e.g., SecurityAudit). What AWS service can enforce this requirement?

182

A company uses AWS Organizations with a management account and several member accounts. The security team wants to restrict the use of specific AWS services (e.g., EC2, Lambda) in certain accounts based on the account's environment (dev, test, prod). Which approach should be used to implement this requirement?

183

A company wants to centralize the management of IAM users and groups for multiple AWS accounts. Which AWS service should be used to allow users to access multiple accounts with a single set of credentials?

184

A security engineer needs to ensure that all EC2 instances launched in an account have a specific tag (e.g., CostCenter) applied. If an instance is launched without the tag, it should be automatically terminated. Which solution meets these requirements with minimal effort?

185

A company is using AWS Organizations and wants to delegate the administration of certain accounts to different teams. For example, the finance team should be able to manage billing-related accounts, but not development accounts. Which AWS feature allows this type of delegation?

186

A company wants to receive real-time notifications when an IAM user in their AWS account performs a console login. Which AWS service should be used to monitor and alert on this activity?

187

A security engineer is configuring AWS Config to track changes to security groups in a VPC. The engineer wants to be notified when a security group is modified. Which TWO steps are required to achieve this?

188

A company is implementing a data classification policy using AWS. The policy requires that all S3 objects containing personally identifiable information (PII) be automatically tagged and encrypted. Which THREE services should be used together to meet this requirement?

189

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no root user credentials are used for any account. Which TWO actions should be taken to enforce this?

190

A security engineer has attached the above IAM policy to a user. The user reports that they cannot upload objects to the S3 bucket from their office, which has a public IP address of 198.51.100.50. What is the MOST likely reason for the failure?

191

A security engineer is auditing the AWS Organizations structure. The engineer notices that the 'Management' account (111111111111) has a status of 'ACTIVE' and joined method 'CREATED'. The engineer is concerned about potential security risks. Which action should the engineer take to improve security?

192

A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

193

A company is using AWS Organizations to manage multiple accounts. The security team needs to enforce that all newly created S3 buckets across the organization have server-side encryption (SSE-S3) enabled by default. Which solution is MOST operationally efficient?

194

A security engineer is designing a solution to automatically remediate noncompliant EC2 security groups. The company uses AWS Organizations with multiple accounts. The engineer wants to deploy an AWS Config rule and a custom Lambda function in a central security account to evaluate and remediate security groups across all accounts. Which combination of steps is REQUIRED to allow the Lambda function to modify security groups in member accounts? (Choose TWO.)

195

A company wants to ensure that all IAM users in an account have multi-factor authentication (MFA) enabled. A security administrator needs to identify users who do not have MFA. Which AWS service should the administrator use?

196

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all CloudTrail trails be encrypted with a customer-managed KMS key. Which CloudFormation template snippet correctly enforces this requirement?

197

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance in a private subnet is making outbound connections to an external IP address on port 443. The VPC has a NAT gateway in a public subnet, and the route table for the private subnet directs 0.0.0.0/0 to the NAT gateway. The security group for the instance allows all outbound traffic. Which AWS service can the engineer use to determine which IAM role or user is responsible for launching the instance?

198

A company has a requirement that all S3 buckets must block public access. The security engineer needs to continuously monitor for compliance and automatically remediate any noncompliant buckets. Which combination of AWS services should the engineer use?

199

A company uses AWS Key Management Service (KMS) to encrypt data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which action should be taken?

200

A company uses AWS Organizations with a multi-account strategy. The security team wants to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID. Which approach should the team take to enforce this requirement across all accounts?

201

A security engineer is tasked with ensuring that all S3 buckets in an AWS account have versioning enabled. The engineer needs to identify buckets that do not have versioning enabled. Which AWS service is BEST suited for this task?

202

A company is implementing a data retention policy for CloudTrail logs. The logs are stored in an S3 bucket. The policy requires that logs be retained for 7 years and then automatically deleted. Which TWO actions should the security engineer take to meet this requirement?

203

A company uses AWS Organizations with 50 accounts. The security team wants to centrally manage IAM roles that grant cross-account access to a central security account. Which THREE steps are required to set up this cross-account access?

204

A security engineer is auditing IAM policies. The engineer wants to identify if any policy grants 'Effect: Allow' with 'Action: *' and 'Resource: *'. Which TWO AWS services can be used to detect such overly permissive policies?

205

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which policy should be attached to the IAM users or group to enforce this requirement?

206

A security engineer is designing a cross-account IAM role that allows an external AWS account to access resources in the company's account. The external account's root user must not be able to delegate permissions to other users. Which trust policy condition should be included?

207

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent any IAM user from creating access keys. Which type of policy should be used to enforce this control across all accounts?

208

A company uses AWS KMS to encrypt data in S3 buckets. The security team needs to ensure that KMS keys can only be used by specific IAM roles within the same account. Which key policy should be applied?

209

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to enforce that all S3 buckets created by CloudFormation have encryption enabled. Which approach should be used to enforce this policy?

210

A company wants to centrally manage access keys for all IAM users across multiple accounts. Which AWS service should be used to rotate access keys automatically?

211

A security engineer is configuring an S3 bucket policy to restrict access to only requests that originate from a specific VPC endpoint. Which condition key should be used?

212

A company is using AWS Config to evaluate resource compliance. They need to ensure that all EC2 instances have a specific tag key 'Environment' with a value of 'Production' or 'Development'. Which type of AWS Config rule should be used?

213

A company needs to grant an IAM user permissions to start and stop specific EC2 instances. Which IAM policy element should be used to restrict actions to specific instances?

214

Which TWO actions are valid ways to enforce the principle of least privilege in an AWS environment?

215

Which THREE AWS services can be used to centrally manage and audit permissions across multiple accounts in AWS Organizations?

216

Which TWO AWS services can be used to detect and alert on unauthorized API calls in real time?

217

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to my-bucket using server-side encryption with AWS KMS (SSE-KMS). What is the outcome?

218

Refer to the exhibit. A security engineer runs the CLI command to determine if the IAM user 'testuser' created a key pair in January 2023. The output shows one event. What can be concluded from this output?

219

Refer to the exhibit. A company uses this CloudFormation template. What security best practice is being violated?

220

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record these changes?

221

A security engineer notices that an IAM user has permissions to launch EC2 instances but the engineer wants to ensure that all new instances are automatically tagged with the creator's user name. What is the most efficient way to enforce this?

222

A company has a multi-account AWS Organization with hundreds of accounts. The security team wants to prevent any IAM user from creating access keys in any account. What is the most scalable and secure approach?

223

A company wants to ensure that all S3 buckets in their AWS account have encryption enabled. Which AWS service can continuously evaluate compliance and automatically remediate non-compliant buckets?

224

An organization uses AWS Organizations with multiple OUs. The security team wants to ensure that any new account created in the 'Production' OU automatically gets a set of mandatory tags (CostCenter, Environment) and that these tags cannot be removed. What is the most effective approach?

225

A security auditor needs to view a list of all IAM users, including their last activity timestamps, for a compliance review. Which AWS service provides this information natively?

226

A company wants to centrally manage and enforce encryption on all EBS volumes across multiple AWS accounts. Which AWS service can be used to define and enforce encryption policies at the organizational level?

227

A security engineer is designing a system to detect and respond to IAM policy changes that could grant excessive permissions. The solution must alert within minutes of the change and automatically revert the change if it violates a predefined baseline. Which combination of services should the engineer use?

228

What is the purpose of an AWS Service Control Policy (SCP) in AWS Organizations?

229

A company wants to implement a least-privilege access model for their AWS resources. Which TWO of the following are best practices for achieving this?

230

A security engineer is designing a solution to detect and alert on any S3 bucket that is publicly accessible. Which THREE services can be used together to achieve this?

231

Which TWO of the following are valid AWS IAM security best practices?

232

A company is implementing a multi-account strategy using AWS Organizations. The security team wants to enforce that all newly created member accounts automatically have an IAM role that allows read-only access to the management account. Which configuration should be used?

233

A security engineer is reviewing an SCP that denies access to a specific AWS service. The engineer notices that the SCP has an Effect of 'Deny' for 's3:PutObject' but the condition block uses 'StringEquals' with 'aws:SourceIp' set to an IP range. Users in the account are still able to upload objects to S3 from IP addresses outside the range. What is the most likely reason?

234

A company has a requirement to audit all API calls made to AWS services in their account. Which AWS service should be used to meet this requirement?

235

A company uses AWS Organizations with multiple accounts. The security team wants to prevent all users in the production account from disabling AWS CloudTrail or modifying its configuration. What is the MOST effective way to achieve this?

236

A security engineer creates the IAM policy shown in the exhibit. The policy is attached to an IAM role. When a user assumes the role and attempts to upload an object to the bucket without specifying server-side encryption, what is the expected behavior?

237

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to detect users without MFA and automatically send a notification?

238

A security engineer is designing a system to centrally manage security rules across multiple AWS accounts. The engineer wants to ensure that any resources that are non-compliant with security policies are automatically remediated. Which combination of services should the engineer use?

239

A company uses AWS Organizations with many accounts. The security team wants to ensure that no account can disable AWS CloudTrail or stop logging. Which configuration should be used?

240

A company needs to centrally manage access to AWS resources across multiple accounts. Which AWS service should be used to define and enforce a set of common permissions for all accounts in the organization?

241

Which TWO actions are effective for detecting and responding to unauthorized access in an AWS environment? (Choose two.)

242

Which THREE are best practices for managing security in a multi-account AWS environment? (Choose three.)

243

Which TWO AWS services can be used to automatically enforce policies on resources at the time of creation? (Choose two.)

244

A company has a multi-account AWS Organization with 50 accounts. The security team uses AWS CloudTrail to log all API calls and sends the logs to a central S3 bucket in the security account. The team wants to ensure that any attempt to disable CloudTrail logging or delete the trail is detected and automatically remediated within 5 minutes. They have configured an AWS Config rule that triggers an AWS Lambda function when the CloudTrail configuration changes. However, the Lambda function is not being invoked when they test by stopping the trail. The Lambda function's IAM role has permissions to start and update CloudTrail. CloudTrail logs show that the Config rule is evaluating the resource, but the Lambda function is not triggered. What is the most likely cause?

245

A company is using AWS Organizations with a management account and several member accounts. The security team has created an SCP that denies access to all actions for the 'ec2:*' service unless the request comes from a specific VPC endpoint. The SCP is attached to the organization root. However, users in a member account are still able to launch EC2 instances from the AWS Management Console, which does not use a VPC endpoint. The SCP is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-12345678"
        }
      }
    }
  ]
}

What is the most likely reason the SCP is not preventing the users from launching instances?

246

A company has a single AWS account with several IAM users. The security team wants to ensure that all IAM users have strong passwords and that passwords are rotated every 90 days. The team also wants to receive a notification if any user's password is older than 90 days. The team has enabled an IAM password policy that requires strong passwords and sets a maximum password age of 90 days. However, they are not receiving notifications about expired passwords. Which additional step should the security team take to receive notifications?

247

A company has an AWS environment with multiple accounts managed under AWS Organizations. The security team wants to enforce that all newly created S3 buckets in any account have encryption enabled by default. Which approach should the security team take?

248

A security engineer is troubleshooting a situation where an IAM user is unable to assume a role in a different account. The trust policy of the role allows the user's account to assume the role, and the user has permissions to call AssumeRole. However, the user receives an 'AccessDenied' error. What is the most likely cause?

249

A company wants to centrally manage backups for Amazon RDS instances across multiple AWS accounts. Which AWS service should be used to automate the creation and enforcement of backup policies?

250

A security team needs to ensure that all API calls made in the AWS account are logged and the logs are stored in a central S3 bucket that is encrypted with a KMS key. Which combination of steps should the team take to achieve this?

251

A company has a security policy that requires all IAM users to use multi-factor authentication (MFA) when accessing the AWS Management Console. The company also wants to enforce this policy using an SCP. Which TWO conditions must be met for the SCP to be effective?

252

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent the creation of Amazon EC2 instances with public IP addresses in all accounts. Which TWO actions should the team take to implement this control using Service Control Policies (SCPs)?

253

A company wants to ensure that all Amazon S3 buckets are encrypted at rest. Which THREE services can be used together to automatically remediate unencrypted S3 buckets?

254

A company has an AWS Organization with hundreds of accounts. The security team wants to enforce that no account can disable AWS CloudTrail logging. Which TWO approaches can achieve this?

255

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload files to the S3 bucket 'example-bucket' using the AWS CLI with HTTPS. What is the most likely reason?

256

A company's security team discovers that an EC2 instance in the production account has been compromised. The instance has an IAM role attached that allows it to read from an S3 bucket containing sensitive data. The team needs to immediately stop the data exfiltration while preserving the evidence. What should the team do first?

257

A company uses AWS Organizations and wants to centrally manage CloudTrail trails across all accounts. Which feature should be enabled?

258

A company has a requirement that all IAM users must use strong passwords. The security engineer needs to enforce a password policy that requires a minimum of 12 characters, at least one uppercase letter, and at least one number. The engineer sets the password policy in IAM. However, existing users with weak passwords are not forced to change them. What should the engineer do to enforce the policy for existing users?

259

A company has a multi-account AWS environment managed with AWS Organizations. The security team wants to ensure that no EC2 instance in any account can be launched without a specific tag 'CostCenter'. The team has created a Service Control Policy (SCP) that denies the ec2:RunInstances action if the request does not include the tag 'CostCenter'. However, they find that instances are still being launched without the tag in some accounts. What is the most likely reason?

260

A company has an S3 bucket that contains sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that objects in the bucket are being deleted by an IAM user from outside the VPC. The engineer checks the bucket policy and confirms that the policy denies access if the request does not come from the VPC endpoint. However, the deletions continue. What is the most likely cause?

261

A company wants to implement a least-privilege security model for its AWS environment. The security team has identified that many IAM users have overly permissive policies. The team wants to use AWS IAM Access Analyzer to identify policies that grant access to external principals. However, the team is not seeing any findings. What is the most likely reason?

262

A financial services company uses AWS Organizations to manage multiple accounts. The Security team has enabled AWS CloudTrail in all accounts and logs are delivered to a central S3 bucket in the management account. The company has a requirement to detect and alert on any IAM user or role that performs a console login without multi-factor authentication (MFA) across all accounts. Currently, the team manually reviews CloudTrail logs, which is time-consuming and error-prone. They want an automated solution that uses AWS services and follows AWS best practices for security governance. The solution must be cost-effective and should not require custom code or third-party tools. What should the Security team do to meet this requirement?


Frequently asked questions

What does the Management and Security Governance domain cover on the SCS-C02 exam?

The Management and Security Governance domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.

How many Management and Security Governance questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 262 questions in the Management and Security Governance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Management and Security Governance for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Management and Security Governance questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Management and Security Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
