Amazon Web Services · Free Practice Questions · Last reviewed May 2026
36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?
AWS Config
Amazon GuardDuty
GuardDuty analyses CloudTrail, VPC Flow Logs and DNS logs with threat intelligence and machine learning; every finding is published to EventBridge, where a rule can invoke a Lambda function that remediates (for example, re-applying Block Public Access or restoring a bucket policy). Config evaluates bucket configuration but doesn't detect threats, Inspector scans for vulnerabilities, and WAF filters web requests.
Amazon Inspector
AWS WAF
A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)
Apply a restrictive security group that blocks all outbound traffic.
A dedicated isolation security group with no outbound rules stops the attack traffic immediately while the instance keeps running; if the team needs to reach the instance, a single narrow inbound rule can be added. A network ACL change would affect every instance in the subnet, and terminating the instance destroys the evidence.
Modify the network ACL for the subnet to deny all outbound traffic.
Create a snapshot of the EBS volumes attached to the EC2 instance.
EBS snapshots preserve the volumes' current contents for offline analysis (typically shared into a forensics account), and they can be taken without stopping the instance, so whatever is in memory isn't lost before it can be captured. Removing the instance from its Auto Scaling group is reasonable housekeeping but neither isolates it nor preserves evidence.
Detach the instance from the Auto Scaling group.
Terminate the EC2 instance immediately.
During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?
Create an AMI of the instance.
Use AWS Systems Manager Inventory to collect memory and disk information.
SSM Inventory by itself only collects metadata (installed applications, OS details, network configuration), so this option is stretching the feature; the point being tested is that SSM Agent lets the engineer run collection tooling on the live instance (for example, a memory-capture tool launched through Run Command) without stopping or crashing it. An AMI, an EBS snapshot and AWS Backup all capture disk state only and lose the contents of memory.
Use AWS Backup to create a backup of the instance.
Create an EBS snapshot of the root volume.
A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)
Amazon GuardDuty with threat detection enabled.
AWS Config with recording enabled for all resources.
Amazon S3 lifecycle policy to transition logs to S3 Glacier after one year.
A lifecycle rule that only transitions log objects (and never expires them) keeps every log indefinitely, which satisfies the one-year minimum while moving older logs to cheaper storage. GuardDuty, Config and VPC Flow Logs don't record API calls.
VPC Flow Logs for all VPCs.
AWS CloudTrail with organization trail.
An organization trail, created in the management account (or a delegated administrator account), records management events for every current and future member account into one S3 bucket, and member accounts can't modify or delete it.
A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)
Amazon CloudWatch Logs with S3 access log analysis.
S3 server access logs are delivered to an S3 bucket, not to CloudWatch Logs directly; once they are forwarded into CloudWatch Logs (for example with a Lambda function), metric filters and alarms can flag unusual request volumes or requester IPs.
AWS CloudTrail with S3 data event logging.
CloudTrail data events (off by default and billed separately) record object-level S3 calls such as GetObject, including the caller identity, the source IP address and the object key.
Amazon GuardDuty with anomaly detection.
With S3 Protection enabled, GuardDuty analyses CloudTrail S3 data events and raises findings such as Exfiltration:S3/AnomalousBehavior when a principal reads unusual volumes or from an unfamiliar location. Config evaluates configuration rather than access, and VPC Flow Logs record only IP-level metadata with no bucket or object information.
AWS Config with compliance rules.
VPC Flow Logs.
A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?
The AMI ID ami-0abcdef1234567890 is not a standard Amazon-provided AMI.
The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company.
A source IP outside the company's known office, VPN and NAT ranges is a classic indicator of stolen credentials, especially combined with an admin role. An unfamiliar AMI, a large instance type or an open security group are worth noting, but none of them on its own says who was behind the call.
The instance type m5.xlarge is unusually large compared to previous launches.
The security group sg-0123456789abcdef0 allows inbound SSH from 0.0.0.0/0.
A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?
Use Route 53 Resolver DNS Firewall with query logging
Route 53 Resolver query logging records every DNS query made from the VPC (the query name, the requesting instance ID and source IP, and the DNS Firewall rule action, if any) and can deliver to CloudWatch Logs, S3 or Firehose. GuardDuty consumes DNS logs internally but doesn't expose them, VPC Flow Logs show only that UDP/53 traffic occurred, and CloudTrail logs API calls, not DNS.
Use Amazon GuardDuty
Enable VPC Flow Logs
Enable AWS CloudTrail
A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?
The user used the AWS Management Console, not the CLI
The trail is configured for a single region only
The API calls were read-only and excluded by default
CloudTrail event history only retains events for 90 days; older events are not visible
The console's Event history shows only the last 90 days of management events. Older calls are still in the trail's S3 bucket (queryable with Athena) or in CloudTrail Lake, if those are configured. A multi-region trail captures console and CLI calls alike, and read-only events are logged by default.
A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?
Use AWS Glue to crawl S3 and load into Amazon Redshift for analysis
Send CloudTrail logs to Amazon CloudWatch Logs, then use a subscription filter to Amazon Kinesis Data Firehose delivering to Amazon OpenSearch Service
CloudTrail can deliver events to a CloudWatch Logs log group as they arrive; a subscription filter then streams every new event through Firehose into OpenSearch with no polling or scheduled jobs, and OpenSearch alerting can page on unauthorized calls. Athena queries run on demand rather than continuously, a Glue-and-Redshift pipeline is batch-oriented and expensive for this job, and a Lambda per S3 delivery works but has to unpack gzipped batches and is more to operate.
Query CloudTrail logs directly using Amazon Athena
Configure S3 event notifications to invoke an AWS Lambda function that writes to Amazon OpenSearch Service
A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?
Enable VPC Flow Logs and analyze for S3 API traffic
Configure an AWS Config rule to detect changes and invoke a Lambda function
Create an Amazon CloudWatch Events rule that matches the PutBucketPolicy API call and triggers an SNS notification
EventBridge (formerly CloudWatch Events) receives every CloudTrail management event as an "AWS API Call via CloudTrail" event; a rule whose pattern matches eventSource s3.amazonaws.com and eventName PutBucketPolicy can target an SNS topic directly, with no code to run. Config rules evaluate on change or on a schedule and would need a Lambda, server access logs are best-effort and delayed, and VPC Flow Logs don't contain API names.
Enable S3 server access logs and parse them for PutBucketPolicy entries
A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?
Configure a CloudWatch Events rule to ignore the findings
Manually delete the findings from the GuardDuty console
Disable the GuardDuty detector for the affected accounts
Create a GuardDuty filter to suppress the findings
A GuardDuty suppression rule (a saved filter with the archive action) automatically archives matching findings, so they don't clutter the console and aren't forwarded to EventBridge or Security Hub, while the detector keeps running. Findings can be archived but not deleted, an EventBridge rule can't "ignore" findings at the source, and disabling the detector stops all detection.
A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?
Enable VPC Flow Logs and analyze for S3 traffic
Use AWS Config rules to check for public bucket policies and alert via SNS
Enable S3 server access logging and use Amazon Athena to query logs, with CloudWatch Events to alert on specific patterns
Server access logs record the requester for every request (a - for anonymous requests), the operation and the bytes returned, so successful unauthenticated GETs can be found with an Athena query and turned into alerts. Config can tell you a bucket policy is public, but not whether anyone actually read anything; S3 event notifications fire on writes, deletes and similar events, not on reads; flow logs carry no S3 context.
Enable S3 event notifications for all object-level events and send to Amazon SNS
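The two questions above both come down to reading S3 server access logs for unauthenticated and bulk object reads. As an added example (not part of the original page), this script parses the documented space-delimited log format, flags successful REST.GET.OBJECT requests whose requester field is "-" (anonymous, i.e. public reads), and totals bytes served per client IP so an exfiltration-scale download stands out. The bucket name, IP addresses, request IDs and log lines are constructed for the demo.

```python
"""Detect public reads and bulk downloads in S3 server access logs.

Added example, not from the original page. The log format is the standard
S3 server access log layout; only its leading fields are parsed.
"""
import re
from collections import defaultdict

# Leading fields of the S3 server access log format. Trailing fields
# (referrer, user agent, TLS details, ...) are not needed and not matched.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+)'
)

def parse_line(line):
    """Return the leading fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-" means "not applicable" for numeric fields; treat it as 0 bytes.
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    rec["anonymous"] = rec["requester"] == "-"   # no credentials: a public read
    return rec

def analyze(lines, byte_threshold):
    """Summarise successful object reads.

    Returns a dict with
      public_reads: [(ip, key)] for anonymous, successful GET-object requests
      bytes_by_ip:  {ip: total bytes served by successful object reads}
      bulk_readers: sorted IPs whose total exceeds byte_threshold
    """
    public_reads = []
    bytes_by_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["operation"] != "REST.GET.OBJECT":
            continue
        if rec["status"] != "200":
            continue  # denied or failed reads moved no data
        bytes_by_ip[rec["ip"]] += rec["bytes_sent"]
        if rec["anonymous"]:
            public_reads.append((rec["ip"], rec["key"]))
    bulk_readers = sorted(ip for ip, n in bytes_by_ip.items() if n > byte_threshold)
    return {"public_reads": public_reads, "bytes_by_ip": dict(bytes_by_ip),
            "bulk_readers": bulk_readers}

# Constructed sample log lines (placeholder owner ID, host ID and request IDs).
TAIL = (' 40 30 "-" "curl/8.4.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
        'AuthHeader sensitive-docs.s3.amazonaws.com TLSV1.2 - -')
LINES = [
    'OWNERID sensitive-docs [06/Feb/2024:10:00:01 +0000] 198.51.100.7 - REQ1 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 1048576 1048576' + TAIL,
    'OWNERID sensitive-docs [06/Feb/2024:10:00:05 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT reports/q2.pdf "GET /reports/q2.pdf HTTP/1.1" 200 - 52428800 52428800' + TAIL,
    'OWNERID sensitive-docs [06/Feb/2024:10:01:00 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/alice REQ3 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 1048576 1048576' + TAIL,
    'OWNERID sensitive-docs [06/Feb/2024:10:02:00 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - -' + TAIL,
    'OWNERID sensitive-docs [06/Feb/2024:10:03:00 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/alice REQ5 REST.PUT.OBJECT reports/q3.pdf "PUT /reports/q3.pdf HTTP/1.1" 200 - - 2048' + TAIL,
]

if __name__ == "__main__":
    summary = analyze(LINES, byte_threshold=10 * 1024 * 1024)
    print("public reads:", summary["public_reads"])
    print("bytes per IP:", summary["bytes_by_ip"])
    print("bulk readers:", summary["bulk_readers"])
```

The same logic maps directly onto an Athena query over the log bucket (filter on requester = '-' and operation = 'REST.GET.OBJECT', sum bytes_sent grouped by remote IP); the 403 line shows why failed requests should be excluded from volume totals but kept for the audit trail.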
A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
s3:GetObject on the object ARN (arn:aws:s3:::my-bucket/*) lets the user download objects, which is what "read" means here; note that listing the bucket's contents additionally needs s3:ListBucket on the bucket ARN itself. The first option allows listing only, the second grants full access to every bucket, and the third grants write access.
A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?
Logging bypass via CloudTrail
Cross-service confused deputy attack
Unauthorized access by an external attacker
A trust policy with "Principal": {"AWS": "*"} and no condition lets any principal in any AWS account call sts:AssumeRole on it, so an attacker needs nothing more than the role ARN to obtain whatever permissions the role carries. The classic confused-deputy case involves a service principal trusted without aws:SourceArn/aws:SourceAccount conditions, which is a different trust-policy mistake.
Privilege escalation by attaching additional policies
An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?
Denies all requests from EC2 instances
Allows the role to be assumed only by EC2 instances in the specified account and region
Denies requests that do not originate from an EC2 instance in the specified account and region
Read as a Deny statement, the condition makes the statement apply whenever aws:SourceArn is not the listed value. Two caveats a practitioner should know: String operators compare literally, so the trailing * is not a wildcard (ArnNotLike is the operator for pattern matching), and aws:SourceArn is only present when an AWS service makes the call on behalf of a resource, so requests without it are handled by the absent-key rules rather than by this comparison.
Allows any request that comes from an EC2 instance regardless of account
An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?
The policy is missing a condition
The bucket policy explicitly denies the action
Policy evaluation applies an explicit Deny from any policy in scope (bucket policy, SCP, permissions boundary, session policy) over the Allow in the user's identity policy. The user policy itself is correct: s3:ListBucket must be granted on the bucket ARN, not on objects, and the Condition element is optional.
The policy does not include s3:GetObject
The policy has a syntax error
A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?
An IAM role with a trust policy for the SAML provider
Federated users never become IAM users; they assume an IAM role whose trust policy names the SAML provider as the principal for sts:AssumeRoleWithSAML. The role's permission policies define what the user can do, and the IdP's assertion (the Role attribute) decides which roles each AD group may assume. An OIDC provider is for OpenID Connect IdPs, and there is no "federation role type".
An OIDC identity provider
An IAM user for each Active Directory user
A federation role type
An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?
Denies all actions that are not made over HTTPS
The Deny fires whenever aws:SecureTransport is false, i.e. the request arrived over plain HTTP; because the statement covers every action and resource, it effectively enforces TLS for everything the principal does. The key is populated for every service, so it is not limited to S3 bucket policies.
Allows all actions only when using HTTPS
Enforces HTTPS for S3 bucket policies only
Blocks all actions for a specific AWS service
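The aws:SourceArn question and the aws:SecureTransport question both hinge on how a condition operator treats the request context. As an added example (not part of the original page), this evaluator implements StringEquals/StringNotEquals, ArnLike/ArnNotLike and Bool and runs the two policies against constructed request contexts. It shows that String operators compare literally (the '*' in "instance/*" is not a wildcard, so the StringNotEquals condition denies even the intended instance), that Arn operators wildcard-match per colon-separated ARN component, and that the TLS Deny applies only when the key is present and false. A request whose key is absent is reported as None rather than guessed at, since absent-key handling differs by operator. Account, region and instance IDs are placeholders.

```python
"""Minimal IAM condition-operator evaluator (added example, not from the page)."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _arn_like(arn, pattern):
    """ArnLike: each of the six colon-delimited components may use * and ?."""
    parts, pats = arn.split(":", 5), pattern.split(":", 5)
    if len(parts) != 6 or len(pats) != 6:
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(parts, pats))

def condition_matches(operator, key, expected, request):
    """One (operator, key, expected-values) test against a request context.

    Returns True/False, or None when the key is missing from the context.
    """
    if key not in request:
        return None
    actual = _as_list(request[key])
    expected = _as_list(expected)
    if operator == "StringEquals":        # literal, case-sensitive
        return any(a == e for a in actual for e in expected)
    if operator == "StringNotEquals":     # literal: '*' is just a character
        return all(a != e for a in actual for e in expected)
    if operator == "ArnLike":             # wildcard per ARN component
        return any(_arn_like(a, e) for a in actual for e in expected)
    if operator == "ArnNotLike":
        return not any(_arn_like(a, e) for a in actual for e in expected)
    if operator == "Bool":
        return all(str(a).lower() == str(e).lower() for a in actual for e in expected)
    raise ValueError(f"operator not modelled: {operator}")

def statement_applies(statement, request):
    """True if every condition matches (the Effect takes hold), False if any
    fails, None if a referenced key is absent from the request context."""
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            result = condition_matches(operator, key, expected, request)
            if result is not True:
                return result
    return True

INSTANCE_PATTERN = "arn:aws:ec2:us-east-1:123456789012:instance/*"

# The policy from the question, read as a Deny: literal comparison.
DENY_STRING = {"Effect": "Deny", "Action": "*", "Resource": "*",
               "Condition": {"StringNotEquals": {"aws:SourceArn": INSTANCE_PATTERN}}}
# What the author almost certainly meant: wildcard comparison.
DENY_ARN = {"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:SourceArn": INSTANCE_PATTERN}}}
# The TLS-enforcement policy from the second question.
DENY_PLAIN_HTTP = {"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

# Constructed request contexts (placeholder account, region and instance IDs).
REQ_FROM_INSTANCE = {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def4567890",
                     "aws:SecureTransport": "true"}
REQ_OTHER_REGION = {"aws:SourceArn": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def4567890",
                    "aws:SecureTransport": "true"}
REQ_PLAIN_HTTP = {"aws:SecureTransport": "false"}

if __name__ == "__main__":
    for name, policy in [("StringNotEquals", DENY_STRING), ("ArnNotLike", DENY_ARN)]:
        print(name, "denies intended instance:", statement_applies(policy, REQ_FROM_INSTANCE))
        print(name, "denies other region:", statement_applies(policy, REQ_OTHER_REGION))
    print("Bool denies plain HTTP:", statement_applies(DENY_PLAIN_HTTP, REQ_PLAIN_HTTP))
    print("Bool with key absent:", statement_applies(DENY_PLAIN_HTTP, {}))
```

Running it shows the StringNotEquals version denying the very instance it was meant to admit, while the ArnNotLike version denies only the other region; that is the check to run before shipping any "Deny unless SourceArn matches" policy.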
A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?
Apply a bucket policy on each bucket denying PutObject without encryption
Create an SCP at the root OU that denies s3:PutBucketAction without encryption
An SCP attached at the root applies to every principal in every member account (except the management account), and its explicit Deny can't be overridden by any IAM or bucket policy. Note there is no s3:PutBucketAction action; the enforceable form denies s3:PutObject when the s3:x-amz-server-side-encryption condition key isn't aws:kms. Config (option 3) only detects and reports, and per-bucket or per-user policies would have to be maintained in every account.
Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
Attach an IAM policy to each account's admin user requiring encryption
A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?
Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed
Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed
Use S3 bucket ACLs to grant READ access to the Account B user
Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action
Cross-account access needs both halves: the bucket policy in Account A must grant the Account B principal, and that principal must also be allowed by an identity policy in Account B, because a resource policy alone can't grant permissions to a principal in another account. Bucket ACLs are disabled by default on new buckets and should not be used for this.
A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?
Create a custom AWS Config rule using a Lambda function that evaluates IAM groups
A custom Config rule backed by Lambda can run on a schedule, call the IAM API (ListGroups, ListGroupPolicies, GetGroupPolicy) and mark each group whose inline policy allows iam:CreateUser as NON_COMPLIANT, so the result shows up alongside managed-rule findings. Access Analyzer findings focus on external and unused access, CloudTrail Insights flags unusual call volumes after the fact, and Config advanced queries only cover recorded configuration items.
Use IAM Access Analyzer to identify policies that grant broad access
Use AWS CloudTrail Insights to detect CreateUser events
Enable AWS Config advanced query and run a query on IAM groups
A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?
Create a CloudTrail trail in each account and aggregate logs to a common S3 bucket
Enable CloudTrail in each account and use cross-account roles to centralize logs
Use AWS Config to record API calls and send to CloudWatch Logs
Create an organization trail in the management account that applies to all accounts
An organization trail, created once in the management account (or a delegated administrator), covers every existing and future member account and delivers to a single bucket; member accounts can see it but can't disable it. Per-account trails mean one trail per account to keep consistent, and Config records configuration changes, not API calls.
A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?
Amazon Inspector
AWS CloudTrail
CloudTrail records every IAM API call (CreatePolicyVersion, PutUserPolicy, AttachRolePolicy and so on) with the caller identity, source IP and timestamp. Config can show a policy's configuration history, but CloudTrail is the record of who changed what; GuardDuty and Inspector are detection and vulnerability services.
Amazon GuardDuty
AWS Config
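The bucket-policy alert earlier in this set and the IAM policy-audit question here are the same mechanism: CloudTrail management events arrive in EventBridge as "AWS API Call via CloudTrail" events and a rule pattern selects the calls worth alerting on. As an added example (not part of the original page), this script re-implements EventBridge's exact-match pattern semantics for the subset used here (lists of allowed values, nested objects) and applies two rule patterns to constructed CloudTrail records, so you can see exactly which events would reach the SNS target. The records, user ARNs and bucket names are constructed; the pattern shape is the one EventBridge accepts.

```python
"""Match CloudTrail-backed EventBridge events against rule patterns.

Added example, not from the original page. `matches` covers the exact-match
subset of EventBridge patterns (no prefix/anything-but/numeric matchers).
"""
import json

# Rule for the S3 bucket-policy question: page on policy changes, not reads.
BUCKET_POLICY_RULE = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
    },
}

# Rule for the IAM policy-audit question: the calls that change permissions.
IAM_POLICY_RULE = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                      "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                      "CreatePolicyVersion", "SetDefaultPolicyVersion"],
    },
}

def matches(pattern, event):
    """True if `event` satisfies `pattern`.

    Every key in the pattern must exist in the event; a list means "any of
    these values"; a nested dict recurses. Event fields the pattern doesn't
    mention are ignored, so extra CloudTrail fields never break a match.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def eventbridge_envelope(record):
    """Wrap a raw CloudTrail record the way EventBridge delivers it."""
    service = record["eventSource"].split(".")[0]
    return {"source": f"aws.{service}",
            "detail-type": "AWS API Call via CloudTrail",
            "detail": record}

def alerts_for(records, pattern=BUCKET_POLICY_RULE):
    """Return (eventName, caller ARN, target) for each record the rule forwards."""
    hits = []
    for rec in records:
        if matches(pattern, eventbridge_envelope(rec)):
            caller = rec.get("userIdentity", {}).get("arn", "?")
            params = rec.get("requestParameters", {})
            target = params.get("bucketName") or params.get("userName") or "?"
            hits.append((rec["eventName"], caller, target))
    return hits

# Constructed CloudTrail records (placeholder account, users and buckets).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/sess"},
     "requestParameters": {"bucketName": "logs-bucket"}},
]

if __name__ == "__main__":
    for name, rule in [("s3-bucket-policy", BUCKET_POLICY_RULE), ("iam-policy", IAM_POLICY_RULE)]:
        for hit in alerts_for(SAMPLE_RECORDS, rule):
            print(name, json.dumps(hit))
```

Two deployment details matter in practice: bucket-policy calls are management events, so the default trail already captures them, and IAM is a global service whose CloudTrail events are delivered in us-east-1, so the IAM rule must be created in that region.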
A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created without MFA. Which SCP should be applied at the root OU?
Deny iam:CreateUser unconditionally
Use an IAM policy to require MFA for API calls
Deny iam:CreateUser unless the request includes a condition for MFA
The SCP denies iam:CreateUser unless the caller authenticated with MFA, i.e. a Deny with "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"} (the IfExists variant also denies requests that carry no MFA context at all, such as calls signed with long-term access keys). An unconditional Deny blocks all user creation, and IAM policies (options 2 and 4) can be changed by account administrators, which an SCP can't be.
Attach an IAM policy to all users requiring MFA
A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?
Place all tiers in public subnets and use security groups to restrict traffic.
Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
Subnet placement keeps the app and database tiers off the internet, and tier-specific security groups that reference the upstream tier's security group ID ensure the app tier accepts connections only from the web tier. Security groups don't encrypt anything, so TLS between tiers is enforced at the application layer (TLS on the app listeners, SSL required on the database). A single shared security group or public subnets for the app tier would break the isolation requirement.
Place the web and app tiers in public subnets and the database in a private subnet.
Place all tiers in private subnets and use a single security group to allow traffic between them.
A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?
The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
Routing has to work in both directions: the VPC route table sends 10.0.0.0/16 to the virtual private gateway, but the on-premises router also needs a route for the VPC CIDR over the Direct Connect virtual interface (normally learned via BGP from the VGW). Packets arriving at the firewall prove the VGW attachment and the outbound NACL are fine, and security groups are stateful, so the reply to an outbound connection is allowed back regardless of inbound rules.
The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
The virtual private gateway is not attached to the VPC.
The security group does not allow inbound traffic from the on-premises server.
A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?
Create an S3 bucket policy in each account to deny access to unencrypted buckets.
Use AWS Config rules to detect buckets without encryption and send alerts.
Create an IAM role in each account that requires encryption when creating buckets.
Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.
SCPs are the only control that applies to every member account centrally and can't be undone by an account administrator; Config rules only detect, and per-account bucket policies or roles drift. Note that there is no encryption condition on s3:CreateBucket (encryption is configured separately with PutBucketEncryption, and since January 2023 every new bucket gets SSE-S3 by default); the enforceable SCP is a Deny on s3:PutObject conditioned on the s3:x-amz-server-side-encryption key.
A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?
Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.
Security groups are stateful: once the web servers' outbound rule permits TCP 3306 to the database security group, the database's responses are allowed back automatically, so no inbound rule for ephemeral ports is needed on the web side.
Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.
Place the database servers in a public subnet for easier connectivity.
Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.
Create a security group for the database servers that allows inbound traffic on port 3306 from the web security group ID.
Referencing the web tier's security group ID, rather than the web subnet's CIDR, means only instances that are actually members of the web security group can reach port 3306; a rogue instance launched in the web subnet gains nothing. Network ACL rules are coarser and stateless, and the database never belongs in a public subnet.
A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?
The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.
The exhibit isn't reproduced here, but the flaw is that a statement grants sqs:ReceiveMessage to anyone connecting from 10.0.0.0/8, which is far broader than "only the SNS topic may send". The queue policy should contain a single statement allowing sqs:SendMessage to the sns.amazonaws.com service principal, conditioned on aws:SourceArn equal to the topic ARN. The remaining options describe things that aren't true: ArnLike is fully supported, and aws:SourceIp is a valid condition key in SQS policies.
The policy does not specify a principal, so it will not work.
The aws:SourceArn condition uses ArnLike which is deprecated.
The aws:SourceIp condition cannot be used with SQS queue policies.
A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls: - All EC2 instances are launched in private subnets. - The IAM roles used by EC2 instances follow the principle of least privilege. - Security groups restrict inbound and outbound traffic. - AWS Systems Manager Patch Manager is used to patch instances. - AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket. - Amazon GuardDuty is enabled.
Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?
Enable VPC Flow Logs to monitor traffic to S3.
Use S3 VPC Endpoints with a bucket policy that only allows access from the VPC endpoint, and use Systems Manager Session Manager instead of SSH.
A bucket policy with an aws:SourceVpce (or aws:SourceVpc) condition makes the instance role's credentials useless from anywhere outside the VPC, so stolen keys can't be replayed from an attacker's machine, and the endpoint policy can limit which buckets are reachable at all. Replacing SSH with Session Manager removes inbound port 22 entirely and logs every session. Flow logs and Config only observe, and WAF can't be placed in front of S3.
Deploy AWS WAF in front of the S3 bucket.
Create an AWS Config rule to detect S3 access from EC2 instances.
A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?
Configure a bucket policy that denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms.
Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
A Deny on s3:PutObject with "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"} rejects new SSE-KMS uploads; GetObject is untouched, so existing SSE-KMS objects stay readable as long as the KMS key still permits decryption. One caveat: the negated operator also matches when the header is absent, so clients that rely on the bucket default without sending the header would be denied too; StringNotEqualsIfExists lets those requests through to the SSE-S3 default. A lifecycle rule can't change an object's encryption, and a KMS key policy can't "disable" SSE-KMS for a bucket.
Disable SSE-KMS in the AWS KMS key policy to prevent its use.
A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?
Enable automatic key rotation on the existing CMK.
Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.
Applications reference the alias, so pointing it at a new key (UpdateAlias) switches encryption immediately with no redeploy; the previous keys stay enabled, and because ciphertext carries the key ID, KMS decrypts old data with the key that produced it. Worth knowing: KMS now also supports automatic rotation with a custom period (90 to 2560 days) for keys with KMS-generated material, retaining old material automatically, which would be simpler still; option 1 as written relies on the historical yearly-only rotation. Imported key material can't be rotated automatically, and scripting config-file edits is what the team is trying to escape.
Use a CMK with imported key material and rotate the material every 90 days.
Continue creating new CMKs but use a script to update the application configuration files.
A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?
Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.
RDS encryption always uses an AWS KMS key; to have that key's material live in an HSM the company controls, the KMS key is created in a custom key store backed by the CloudHSM cluster, so this option and option 4 describe the same design (CloudHSM on its own is not directly wired into RDS). Importing material from the on-premises HSM into KMS (option 2) would also work but turns every rotation into a re-import, and Secrets Manager stores secrets rather than encrypting databases.
Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.
Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.
Use AWS KMS with a custom key store backed by AWS CloudHSM.
A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)
Enable default encryption on the bucket using SSE-S3.
Enable AWS CloudTrail with data events for S3.
CloudTrail data events log every object-level call against the bucket, including AccessDenied attempts, with the caller identity and source IP, and are delivered reliably to S3 and CloudWatch Logs. Server access logs also record failures but are delivered on a best-effort basis; SSE-S3 (option 1) is already applied by default to new objects, nothing in the options addresses in-transit encryption (that needs an aws:SecureTransport bucket policy), and MFA Delete adds friction to deletes rather than making them reversible.
Enable S3 Versioning on the bucket.
With versioning on, a DeleteObject call only places a delete marker; the previous version stays and is restored by deleting the marker. A lifecycle rule that expires noncurrent versions after 30 days bounds storage cost while keeping the 30-day recovery window.
Enable S3 server access logs and send them to a separate bucket.
Enable MFA Delete on the bucket.
A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?
Enable S3 Object Lock in Governance mode with a retention period of 30 days.
Enable S3 Versioning on the buckets and ensure that the IAM policies include s3:DeleteObjectVersion where appropriate.
With versioning on, s3:DeleteObject without a version ID only places a delete marker; the data is recovered by deleting the marker. Permanent deletion needs s3:DeleteObjectVersion, so grant that only where intended. Object Lock in governance mode would block deletes rather than make them recoverable (and requires versioning anyway), removing delete permission breaks the requirement that users can delete, and changing the encryption mode has nothing to do with recovery.
Remove the s3:DeleteObject permission from all IAM policies and use S3 Lifecycle policies to expire objects after 30 days.
Change the default encryption from SSE-S3 to SSE-C and use a separate key for each object.
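The two versioning questions above depend on what each delete call actually does to a versioned bucket. As an added example (not part of the original page), this in-memory model shows that DeleteObject without a version ID only adds a delete marker (the object looks gone but is recovered by deleting the marker), that DeleteObjectVersion with a version ID removes data permanently, and how a lifecycle rule expiring noncurrent versions after 30 days bounds the recovery window. Keys, bodies, version IDs and day numbers are constructed; no real S3 calls are made.

```python
"""Model the S3 versioning semantics behind the 30-day recovery requirement.

Added example, not from the original page: a stand-in for a
versioning-enabled bucket, tracking versions and delete markers per key.
"""
import itertools

class VersionedBucket:
    def __init__(self):
        self._versions = {}            # key -> list of versions, oldest last-written
        self._ids = itertools.count(1)

    def _stack(self, key):
        return self._versions.setdefault(key, [])

    def put_object(self, key, body, day):
        vid = f"v{next(self._ids)}"
        self._stack(key).append({"id": vid, "body": body, "marker": False, "day": day})
        return vid

    def get_object(self, key):
        """Body of the current version, or None when the current version is a
        delete marker or nothing exists (a plain GET would return 404)."""
        stack = self._stack(key)
        if not stack or stack[-1]["marker"]:
            return None
        return stack[-1]["body"]

    def delete_object(self, key, day):
        """s3:DeleteObject on a versioned bucket: adds a delete marker only."""
        vid = f"v{next(self._ids)}"
        self._stack(key).append({"id": vid, "body": None, "marker": True, "day": day})
        return vid

    def delete_object_version(self, key, version_id):
        """s3:DeleteObjectVersion: permanently removes one version or marker."""
        self._versions[key] = [v for v in self._stack(key) if v["id"] != version_id]

    def restore(self, key):
        """Recover a deleted object by removing its current delete marker.
        Returns True only if a readable version is current afterwards."""
        stack = self._stack(key)
        if stack and stack[-1]["marker"]:
            self.delete_object_version(key, stack[-1]["id"])
        return self.get_object(key) is not None

    def expire_noncurrent(self, today, days=30):
        """Lifecycle NoncurrentVersionExpiration: drop versions that have been
        noncurrent for more than `days`. A version becomes noncurrent on the
        day the next version or marker is written on top of it."""
        for key in list(self._versions):
            stack = self._versions[key]
            kept = []
            for i, v in enumerate(stack):
                is_current = i == len(stack) - 1
                if is_current or today - stack[i + 1]["day"] <= days:
                    kept.append(v)
            self._versions[key] = kept

    def list_versions(self, key):
        return [(v["id"], "delete-marker" if v["marker"] else "object")
                for v in self._stack(key)]

def scenario():
    """Walk through the deletes the question describes and record what a GET sees."""
    b, key, out = VersionedBucket(), "patient/123.json", {}
    b.put_object(key, b"phi-v1", day=0)
    b.delete_object(key, day=10)                 # user deletes: marker only
    out["after_delete"] = b.get_object(key)      # None: looks deleted
    b.restore(key)                               # remove the marker
    out["after_restore"] = b.get_object(key)     # b"phi-v1" is back
    b.delete_object(key, day=20)
    b.expire_noncurrent(today=40)                # noncurrent for 20 days: kept
    b.restore(key)
    out["within_window"] = b.get_object(key)     # still recoverable
    b.delete_object(key, day=50)
    b.expire_noncurrent(today=90)                # noncurrent for 40 days: expired
    b.restore(key)
    out["after_window"] = b.get_object(key)      # None: gone for good
    other = "patient/999.json"
    vid = b.put_object(other, b"phi-x", day=0)
    b.delete_object_version(other, vid)          # version-specific delete: permanent
    out["after_version_delete"] = b.get_object(other)
    out["version_delete_recoverable"] = b.restore(other)
    return out

if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {value!r}")
```

The last two steps are why the IAM policies matter: a user with s3:DeleteObject alone can only ever create delete markers, while s3:DeleteObjectVersion is the permission that destroys data.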
A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?
Use an AWS managed key and enable automatic rotation.
Use a customer managed key with imported key material and enable automatic rotation.
Use a customer managed key and enable automatic rotation with a yearly rotation period.
Automatic rotation for a customer managed key generates new key material on a schedule (yearly by default; a custom period of 90 to 2560 days can be set) and retains all previous material, so existing ciphertexts still decrypt. AWS managed keys already rotate yearly and can't be configured or rotated manually, and keys with imported material can't be rotated automatically at all (you re-import, or create a new key and move the alias).
Use an AWS managed key and manually rotate it every year.
The SCS-C02 exam has 65 questions and must be completed in 170 minutes. The passing score is 750/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 6 domains: Threat Detection and Incident Response, Security Logging and Monitoring, Identity and Access Management, Management and Security Governance, Infrastructure Security, Data Protection. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Amazon Web Services SCS-C02 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.