Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Amazon Web Services · Free Practice Questions · Last reviewed May 2026

SCS-C02 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it is right, and why the others are wrong.

Exam format: 65 questions, 170-minute time limit, passing score 750/1000, 6 exam domains.

Exam domains:
1. Threat Detection and Incident Response
2. Security Logging and Monitoring
3. Identity and Access Management
4. Management and Security Governance
5. Infrastructure Security
6. Data Protection
Domain 1: Threat Detection and Incident Response

Q1 (easy)

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

A

AWS Config

B

Amazon GuardDuty

GuardDuty uses threat intelligence and machine learning to detect threats, and findings can trigger automated remediation via EventBridge and Lambda.

C

Amazon Inspector

D

AWS WAF

Why: Amazon GuardDuty continuously analyses CloudTrail management and S3 data events, VPC Flow Logs and DNS logs for malicious or anomalous activity across the accounts it monitors. Each finding is published to Amazon EventBridge (formerly CloudWatch Events), where a rule can invoke a Lambda function that remediates, for example by re-enabling S3 Block Public Access on the bucket or rewriting its bucket policy. AWS Config reports configuration drift, Amazon Inspector finds software vulnerabilities and AWS WAF filters web requests; none of them produces threat findings about access to S3, so B is the only option that both detects and drives the automated response.
Q2 (medium)

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

A

Apply a restrictive security group that blocks all outbound traffic.

This isolates the instance by preventing outbound connections while allowing forensic access via inbound rules if needed.

B

Modify the network ACL for the subnet to deny all outbound traffic.

C

Create a snapshot of the EBS volumes attached to the EC2 instance.

Snapshots preserve the current state of the volumes for forensic analysis.

D

Detach the instance from the Auto Scaling group.

E

Terminate the EC2 instance immediately.

Why: A and C are correct. Replacing the instance's security groups with a dedicated quarantine group that has no outbound rules stops the attack traffic without terminating the instance, so memory and disk stay available for collection. Because security groups are stateful, connections that were already being tracked may persist until they time out; if an immediate cut is required, add a network ACL deny as well. Snapshotting the EBS volumes (C) preserves a point-in-time copy of the disk for offline analysis while the instance keeps running. Changing the subnet's network ACL (B) would affect every instance in the subnet; detaching from the Auto Scaling group (D) is a useful supporting step, since it stops the group replacing the instance on a failed health check, but it does not isolate anything; terminating the instance (E) destroys memory and any instance-store evidence.
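Added example, not part of the Courseiva page or of any AWS sample: the containment sequence from the explanation above as a runnable Python runbook. It assumes a quarantine security group with no rules already exists in the instance's VPC (its ID is passed in), and it uses a constructed in-memory stand-in for the boto3 EC2 client so the flow runs offline; the method names and argument shapes are those of boto3.client("ec2"), so a real client can be passed instead. The instance ID, volume IDs and case number are made up.

```python
"""Contain a suspected-compromised EC2 instance without destroying evidence.

Order of operations: record state -> swap security groups (contain) ->
snapshot attached EBS volumes (preserve disk) -> enable termination protection.
The instance keeps running, so memory can still be acquired afterwards.
"""
import uuid


class FakeEC2:
    """Constructed in-memory stand-in for boto3.client("ec2") so the runbook runs
    offline. Method names and response shapes mirror the real client calls used
    below; in AWS pass boto3.client("ec2") to quarantine_instance() instead."""

    def __init__(self, instance_id, sg_ids, volume_ids):
        self.instances = {instance_id: {
            "SecurityGroups": [{"GroupId": g} for g in sg_ids],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvd" + chr(97 + i), "Ebs": {"VolumeId": v}}
                                    for i, v in enumerate(volume_ids)],
        }}
        self.snapshots, self.tags, self.attributes = [], {}, {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [dict(InstanceId=i, **self.instances[i]) for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = "snap-" + uuid.uuid4().hex[:17]
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": snap_id}

    def modify_instance_attribute(self, InstanceId, **attrs):
        self.attributes.setdefault(InstanceId, {}).update(attrs)

    def create_tags(self, Resources, Tags):
        for resource in Resources:
            self.tags.setdefault(resource, []).extend(Tags)


def quarantine_instance(ec2, instance_id, quarantine_sg_id, case_id):
    """Isolate `instance_id` behind `quarantine_sg_id` (a security group with no inbound or
    outbound rules, created beforehand in the instance's VPC) and snapshot its volumes.
    Returns what was done so the containment can be reversed and documented."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]

    # 1. Record the pre-containment state on the instance itself (reversible, auditable).
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir:case", "Value": case_id},
        {"Key": "ir:original-sgs", "Value": ",".join(original_sgs)},
    ])
    # 2. Contain: replace every security group with the empty quarantine group.
    #    Security groups are stateful, so flows already being tracked may persist
    #    until they time out; add a network ACL deny if an immediate cut is required.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    # 3. Preserve disk: snapshot each attached volume without stopping the instance.
    snapshot_ids = []
    for vol in volumes:
        resp = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{case_id}: forensic copy of {vol} from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "ir:case", "Value": case_id}, {"Key": "ir:source-volume", "Value": vol}]}],
        )
        snapshot_ids.append(resp["SnapshotId"])
    # 4. Protect the evidence: nobody terminates the instance through the API by accident.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    return {"instance_id": instance_id, "original_sgs": original_sgs, "snapshots": snapshot_ids}


if __name__ == "__main__":
    # Offline run against the constructed fake; IDs below are invented.
    fake = FakeEC2("i-0123456789abcdef0", ["sg-web", "sg-ssh"], ["vol-root", "vol-data"])
    print(quarantine_instance(fake, "i-0123456789abcdef0", "sg-quarantine", "IR-2026-0042"))
```

Memory acquisition is deliberately left out of the runbook: it needs a tool on the instance (run through Systems Manager Run Command) and should happen after containment, while the instance is still running.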
Q3 (hard)

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

A

Create an AMI of the instance.

B

Use AWS Systems Manager Inventory to collect memory and disk information.

The answer key picks this option because the SSM Agent gives live access to the running system. Note, though, that Inventory itself collects metadata (applications, services, network configuration, Windows updates and custom inventory JSON), not memory images or raw disk.

C

Use AWS Backup to create a backup of the instance.

D

Create an EBS snapshot of the root volume.

Why: Option B is the answer key's choice because it is the only option that uses the already-installed SSM Agent to work with the live, running instance; the other three (an AMI, an AWS Backup recovery point, an EBS snapshot) capture disk only and none of them captures memory. A practitioner should be precise about what Inventory does, however: it gathers metadata types such as installed applications, services and network configuration, and it does not acquire memory. The live-response route actually used is Systems Manager Run Command, for example the AWS-RunPowerShellScript document, to execute a memory acquisition tool on the instance and copy the image to a locked-down S3 bucket, paired with an EBS snapshot for the disk, all without a stop or reboot.
Q4 (medium)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

A

Amazon GuardDuty with threat detection enabled.

B

AWS Config with recording enabled for all resources.

C

Amazon S3 lifecycle policy to transition logs to S3 Glacier after one year.

Transitioning to S3 Glacier lowers the cost of keeping the logs; the retention itself comes from not adding an expiration rule (or from S3 Object Lock).

D

VPC Flow Logs for all VPCs.

E

AWS CloudTrail with organization trail.

An organization trail logs API calls for all accounts in the organization.

Why: E is correct because a single organization trail, created in the management account (or a delegated administrator account), records management events from every current and future member account into one S3 bucket. C is the answer key's companion choice: a lifecycle rule keeps the older logs cheaply in S3 Glacier. The distinction a practitioner draws is that a transition rule only changes storage class; the one-year retention is met by having no expiration rule shorter than a year, and is made tamper-resistant by enabling S3 Object Lock on the log bucket. GuardDuty (A), AWS Config (B) and VPC Flow Logs (D) do not record API calls.
Q5 (hard)

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

A

Amazon CloudWatch Logs with S3 access log analysis.

S3 server access logs can be sent to CloudWatch Logs for monitoring and alerting.

B

AWS CloudTrail with S3 data event logging.

CloudTrail data events record S3 object-level operations, including GetObject for data downloads.

C

Amazon GuardDuty with anomaly detection.

GuardDuty uses machine learning to detect unusual data access patterns, such as large volumes from an unfamiliar IP.

D

AWS Config with compliance rules.

E

VPC Flow Logs.

Why: A, B and C are correct. S3 server access logs record the requester, source IP, operation and bytes sent for every request; they are delivered to a log bucket, from where they can be queried with Athena or forwarded to CloudWatch Logs so that metric filters and alarms flag large transfers to unfamiliar addresses. CloudTrail S3 data events (B) record object-level calls such as GetObject together with the principal and sourceIPAddress, which is what ties a download to an identity. GuardDuty (C) baselines each principal's S3 activity and raises findings such as Exfiltration:S3/AnomalousBehavior when the volume or the source of access is unusual. AWS Config (D) evaluates configuration, not traffic, and VPC Flow Logs (E) only see traffic crossing VPC network interfaces; a download from the S3 public endpoint to an external IP never traverses your VPC.
Q6 (medium)

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

A

The AMI ID ami-0abcdef1234567890 is not a standard Amazon-provided AMI.

B

The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company.

Anomalous source IP is a common indicator of compromise.

C

The instance type m5.xlarge is unusually large compared to previous launches.

D

The security group sg-0123456789abcdef0 allows inbound SSH from 0.0.0.0/0.

Why: In CloudTrail the sourceIPAddress field records where the API call came from. An AdminRole session originating from 203.0.113.50, an address outside the company's known CIDR ranges and regions, is the strongest single indicator among the options: it points to stolen or leaked credentials being used from an attacker's network. Corroborate it with the userAgent, the session's mfaAuthenticated attribute and the role's recent history before declaring an incident; an unusual AMI (A), instance size (C) or open security group (D) may be poor hygiene but says nothing about who made the call or from where. Note that when an AWS service makes a call on your behalf, sourceIPAddress holds the service's DNS name or "AWS Internal" rather than an address.
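Added example, not from the Courseiva page: a small triage pass over CloudTrail records that scores each one on the indicator the explanation above describes (sourceIPAddress outside known ranges) plus the corroborating ones a practitioner checks next (privileged role, session without MFA, bucket-policy change). The corporate CIDR ranges, the set of privileged role names and the four records are all constructed for the example; the record fields follow CloudTrail's JSON layout but are trimmed to what the code reads.

```python
"""Triage CloudTrail records for the indicators discussed above: calls from outside
the corporate network, use of a privileged role, sessions without MFA, and changes
to S3 bucket policies. Pure Python, so it runs over an exported records file offline."""
import ipaddress
import json

# Assumptions for the example: corporate egress ranges and the role names treated as privileged.
CORPORATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24")]
PRIVILEGED_ROLES = {"AdminRole"}
POLICY_CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutBucketPublicAccessBlock"}

# Constructed CloudTrail records (trimmed to the fields used; not from a real account).
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2026-05-04T02:11:09Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.50", "userAgent": "aws-cli/2.15.30",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventTime": "2026-05-04T09:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "10.20.1.7", "userAgent": "console.ec2.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2026-05-04T11:02:45Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
  "sourceIPAddress": "198.51.100.23", "userAgent": "Boto3/1.34",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2026-05-04T11:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "autoscaling.amazonaws.com", "userAgent": "autoscaling.amazonaws.com",
  "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}}
]}
""")


def _role_name(identity):
    # Assumed-role session ARNs look like ...:assumed-role/<RoleName>/<SessionName>
    arn = identity.get("arn", "")
    return arn.split("assumed-role/")[1].split("/")[0] if "assumed-role/" in arn else None


def _source_off_network(source):
    # sourceIPAddress is a DNS name ("ec2.amazonaws.com") or "AWS Internal" when an AWS
    # service made the call on your behalf; those are not external addresses.
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in CORPORATE_NETS)


def indicators_for(record):
    """Return the names of the indicators that fire for one CloudTrail record."""
    found = []
    if _source_off_network(record.get("sourceIPAddress", "")):
        found.append("off_network_source")
    if _role_name(record.get("userIdentity", {})) in PRIVILEGED_ROLES:
        found.append("privileged_role")
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") == "false":
        found.append("no_mfa")
    if record.get("eventName") in POLICY_CHANGE_EVENTS:
        found.append("bucket_policy_change")
    return found


def triage(records):
    """Rank records by how many indicators fired so the analyst reads the riskiest first."""
    scored = [(r["eventTime"], r["eventName"], indicators_for(r)) for r in records]
    return sorted(scored, key=lambda item: len(item[2]), reverse=True)


if __name__ == "__main__":
    for event_time, event_name, hits in triage(SAMPLE_RECORDS["Records"]):
        print(event_time, event_name, hits or "-")
```

The off-hours RunInstances from the AdminRole session with no MFA from 203.0.113.50 ranks first; the same role used from the corporate range with MFA only carries the informational "privileged_role" tag.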

Domain 2: Security Logging and Monitoring

Q1 (easy)

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

A

Use Route 53 Resolver DNS Firewall with query logging

DNS Firewall can log DNS queries for VPCs.

B

Use Amazon GuardDuty

C

Enable VPC Flow Logs

D

Enable AWS CloudTrail

Why: Route 53 Resolver query logging records every DNS query that instances in the VPC send to the Route 53 Resolver (the VPC's .2 address): the queried name, record type, response code, source address and, for EC2, the instance ID. Route 53 Resolver DNS Firewall sits in the same path, can block or alert on domains, and its actions appear in those same logs, which is the combination option A describes. The logs go to CloudWatch Logs, S3 or a Firehose stream with no agent on the instance. Two caveats a practitioner adds: an instance configured to use an external resolver (8.8.8.8 over UDP/53, or DNS over HTTPS) bypasses the VPC resolver and is invisible here, so pair the logging with an egress rule that allows port 53 only to the resolver; and GuardDuty (B) does consume the Route 53 resolver's DNS logs for its own findings, but it does not give you the raw query log. VPC Flow Logs (C) show packets to port 53, not the names queried, and CloudTrail (D) records API calls, not DNS traffic.
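Added example, not from the Courseiva page: a detection for DNS tunnelling run over Route 53 Resolver query-log records of the kind the answer above describes. It groups queries per source address and parent domain and flags groups with many distinct, long, high-entropy leftmost labels, which is what encoded exfiltration chunks look like. The nine records are constructed (exfil.example and the instance IDs are invented), the "last two labels" rule for the parent domain is a simplification that skips the public-suffix list, and the thresholds are starting points to tune; CDN and security-product lookups can look similar, so treat a hit as a lead, not a verdict.

```python
"""Hunt for DNS tunnelling in Route 53 Resolver query logs: one source sending many
distinct, long, high-entropy subdomain lookups under a single parent domain."""
import json
import math
from collections import defaultdict


def _record(i, src, instance, name, qtype):
    # Shape of a Route 53 Resolver query-log record, trimmed to the fields used here.
    return json.dumps({"query_timestamp": "2026-05-04T10:00:%02dZ" % i, "query_name": name,
                       "query_type": qtype, "rcode": "NOERROR", "srcaddr": src,
                       "srcids": {"instance": instance}})


# Constructed sample: three ordinary lookups from one instance, six tunnel-style lookups from another.
SAMPLE_LOG = "\n".join(_record(i, *row) for i, row in enumerate([
    ("10.0.1.5", "i-0aaa", "www.example.com.", "A"),
    ("10.0.1.5", "i-0aaa", "api.example.com.", "A"),
    ("10.0.1.5", "i-0aaa", "s3.us-east-1.amazonaws.com.", "A"),
    ("10.0.2.8", "i-0bb", "4e5f2a9b1c3d8e7f6a5b4c3d2e1f0a9b.exfil.example.", "TXT"),
    ("10.0.2.8", "i-0bb", "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.exfil.example.", "TXT"),
    ("10.0.2.8", "i-0bb", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil.example.", "TXT"),
    ("10.0.2.8", "i-0bb", "a1b2c3d4e5f60718293a4b5c6d7e8f90.exfil.example.", "TXT"),
    ("10.0.2.8", "i-0bb", "7e6d5c4b3a29180f1e2d3c4b5a697887.exfil.example.", "TXT"),
    ("10.0.2.8", "i-0bb", "5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.exfil.example.", "TXT"),
]))


def shannon_entropy(text):
    """Bits per character: about 4.0 for random hex, 0 for a repeated character."""
    length = len(text)
    return -sum((text.count(c) / length) * math.log2(text.count(c) / length) for c in set(text))


def parent_domain(query_name):
    # Simplification: the last two labels stand in for the registrable domain (no public-suffix list).
    labels = query_name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(log_text, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Group queries by (source address, parent domain) and flag groups whose leftmost
    labels are numerous, long and random-looking: the signature of encoded payload chunks."""
    names_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".")
        names_by_pair[(rec["srcaddr"], parent_domain(name))].add(name)
    findings = []
    for (src, parent), names in names_by_pair.items():
        if len(names) < min_unique:
            continue
        labels = [n.split(".")[0] for n in names]
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({"srcaddr": src, "domain": parent, "unique_names": len(names),
                             "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Only the 10.0.2.8 / exfil.example group fires: six distinct 32-character labels with close to four bits of entropy per character. The www/api lookups from 10.0.1.5 never reach the uniqueness threshold.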
Q2 (medium)

A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?

A

The user used the AWS Management Console, not the CLI

B

The trail is configured for a single region only

C

The API calls were read-only and excluded by default

D

CloudTrail event history only retains events for 90 days; older events are not visible

CloudTrail event history is limited to 90 days.

Why: D is correct because CloudTrail event history only retains the last 90 days of events. If the API calls were made more than 90 days ago, they would no longer appear in the event history, even though the trail itself may still be delivering log files to an S3 bucket for longer-term storage. The security team is likely looking at the event history rather than querying the S3 bucket or using Athena for older events.
Q3 (hard)

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

A

Use AWS Glue to crawl S3 and load into Amazon Redshift for analysis

B

Send CloudTrail logs to Amazon CloudWatch Logs, then use a subscription filter to Amazon Kinesis Data Firehose delivering to Amazon OpenSearch Service

Enables near real-time streaming.

C

Query CloudTrail logs directly using Amazon Athena

D

Configure S3 event notifications to invoke an AWS Lambda function that writes to Amazon OpenSearch Service

Why: Option B is correct because it provides the lowest-latency path for real-time analysis: CloudTrail logs are delivered to CloudWatch Logs in near real-time, and a subscription filter streams them to Kinesis Data Firehose, which buffers and delivers directly to Amazon OpenSearch Service for immediate indexing and search. This architecture avoids batch processing, minimizes data movement overhead, and uses managed services that scale automatically, keeping both latency and cost low.
Q4 (easy)

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

A

Enable VPC Flow Logs and analyze for S3 API traffic

B

Configure an AWS Config rule to detect changes and invoke a Lambda function

C

Create an Amazon CloudWatch Events rule that matches the PutBucketPolicy API call and triggers an SNS notification

CloudWatch Events can match API calls from CloudTrail.

D

Enable S3 server access logs and parse them for PutBucketPolicy entries

Why: Option C is correct because Amazon EventBridge (the successor to CloudWatch Events) receives CloudTrail management events as they are recorded and can match them with a rule pattern, for example one keyed on source aws.s3 and eventName PutBucketPolicy, and push the match to an SNS topic with no polling, parsing or custom code. Two details matter in practice: events with the detail-type "AWS API Call via CloudTrail" are only delivered while a trail is actively logging in the account, and PutBucketPolicy is a management event, so it is covered without enabling data events. VPC Flow Logs (A) see packets, not API calls; a Config rule (B) detects the resulting change later and with more moving parts; server access logs (D) are delivered in batches with delay and would need parsing.
Q5 (medium)

A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?

A

Configure a CloudWatch Events rule to ignore the findings

B

Manually delete the findings from the GuardDuty console

C

Disable the GuardDuty detector for the affected accounts

D

Create a GuardDuty filter to suppress the findings

Filters can suppress findings from appearing in the console.

Why: GuardDuty filters allow you to automatically suppress low-severity findings that are known false positives by setting the filter action to 'ARCHIVE'. This prevents the findings from appearing in the active findings list without disabling detection or deleting data. Filters are the recommended approach because they are purpose-built for this use case and preserve the audit trail.
Q6 (hard)

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

A

Enable VPC Flow Logs and analyze for S3 traffic

B

Use AWS Config rules to check for public bucket policies and alert via SNS

C

Enable S3 server access logging and use Amazon Athena to query logs, with CloudWatch Events to alert on specific patterns

Server access logs record requester, so public reads can be identified.

D

Enable S3 event notifications for all object-level events and send to Amazon SNS

Why: Option C is correct because S3 server access logs capture every request to the bucket, including the requester (a "-" in that field means an unauthenticated request), the operation, the object key, the HTTP status and the bytes sent. Querying them with Athena finds public reads that have already happened, and an alerting rule (the question's CloudWatch Events, now EventBridge, driven by a scheduled query or metric filter) turns a match into a notification. Config rules (B) tell you that a bucket policy or ACL permits public access, not whether anyone actually read anything; S3 event notifications (D) fire for object creation, removal and similar changes, never for GET requests; VPC Flow Logs (A) never see requests made to the S3 public endpoint. Two operational notes: server access logs are delivered on a best-effort basis with some delay, so CloudTrail S3 data events are the choice when minutes matter, and the durable fix is to prevent public reads with S3 Block Public Access rather than to detect them.
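Added example, not from the Courseiva page, serving this question and Domain 1 Q5: detection logic run over S3 server access log lines. It parses the space-separated format (the bracketed timestamp and the quoted request are single fields), reports anonymous GETs that succeeded (public reads) and sums the bytes served per non-corporate source address to surface bulk downloads. The five log lines are constructed and trimmed after the user-agent field, the bucket name and addresses are invented, and the corporate CIDR ranges and the 1 GiB threshold are assumptions to adjust; in production the same functions would run over the rows that Athena or CloudWatch Logs Insights return.

```python
"""Detection over S3 server access logs: anonymous reads that succeeded (public objects)
and bulk downloads to addresses outside the corporate network."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the S3 server access log layout, trimmed after the user-agent field.
# Field order: owner bucket [time] remote_ip requester request_id operation key "request"
#              status error_code bytes_sent object_size total_time turnaround "referer" "user_agent"
SAMPLE_LOG = """\
OWNERID corp-data [05/May/2026:10:01:02 +0000] 10.20.30.40 arn:aws:iam::123456789012:user/alice REQ1 REST.GET.OBJECT reports/q1.csv "GET /corp-data/reports/q1.csv HTTP/1.1" 200 - 524288 524288 50 49 "-" "aws-cli/2.15"
OWNERID corp-data [05/May/2026:10:02:11 +0000] 203.0.113.77 arn:aws:iam::123456789012:user/alice REQ2 REST.GET.OBJECT exports/dump-1.bin "GET /corp-data/exports/dump-1.bin HTTP/1.1" 200 - 734003200 734003200 900 12 "-" "python-requests/2.31"
OWNERID corp-data [05/May/2026:10:03:15 +0000] 203.0.113.77 arn:aws:iam::123456789012:user/alice REQ3 REST.GET.OBJECT exports/dump-2.bin "GET /corp-data/exports/dump-2.bin HTTP/1.1" 200 - 419430400 419430400 600 10 "-" "python-requests/2.31"
OWNERID corp-data [05/May/2026:10:04:40 +0000] 198.51.100.9 - REQ4 REST.GET.OBJECT public/logo.png "GET /corp-data/public/logo.png HTTP/1.1" 200 - 4096 4096 8 7 "-" "Mozilla/5.0"
OWNERID corp-data [05/May/2026:10:05:01 +0000] 198.51.100.9 - REQ5 REST.GET.OBJECT reports/q1.csv "GET /corp-data/reports/q1.csv HTTP/1.1" 403 AccessDenied - 524288 3 2 "-" "Mozilla/5.0"
"""

# Assumption for the example: the address ranges your own users come from.
CORPORATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]

# One token per field: a bracketed timestamp, a quoted string, or a run of non-space characters.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    f = _TOKEN.findall(line)
    return {"time": f[2].strip("[]"), "remote_ip": f[3], "requester": f[4], "operation": f[6],
            "key": f[7], "status": int(f[9]), "bytes_sent": 0 if f[11] == "-" else int(f[11])}


def is_corporate(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)


def find_public_reads(records):
    # A requester of "-" is an unauthenticated request; a 2xx on GET means the object is world-readable.
    return [r for r in records
            if r["requester"] == "-" and r["operation"] == "REST.GET.OBJECT" and 200 <= r["status"] < 300]


def find_bulk_egress(records, threshold_bytes=1 << 30):
    # Bytes served per external address; anything over the threshold is a candidate exfiltration.
    totals = defaultdict(int)
    for r in records:
        if r["operation"] == "REST.GET.OBJECT" and not is_corporate(r["remote_ip"]):
            totals[r["remote_ip"]] += r["bytes_sent"]
    return {ip: total for ip, total in totals.items() if total >= threshold_bytes}


def analyse(log_text):
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {"public_reads": [(r["remote_ip"], r["key"]) for r in find_public_reads(records)],
            "bulk_egress": find_bulk_egress(records)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The anonymous 403 on reports/q1.csv is not reported as a public read, which is correct: the object was not served. It is still worth a second rule of its own, since repeated anonymous probing is how attackers find the buckets that are misconfigured.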

Domain 3: Identity and Access Management

Q1 (easy)

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

A

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}

B

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}

C

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}

D

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}

Correctly allows read-only access to objects in the bucket.

Why: Option D is the best of the four. It grants s3:GetObject on arn:aws:s3:::my-bucket/*, the object-level resource, which is what downloading an object requires. Full read-only access actually needs two statements, s3:ListBucket on the bucket ARN (arn:aws:s3:::my-bucket, with no /*) and s3:GetObject on the object ARN, because listing is a bucket-level action and reading is an object-level one. A alone lets the user see key names but download nothing, C grants write access, and B grants every S3 action on every bucket in the account.
Q2 (medium)

A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?

A

Logging bypass via CloudTrail

B

Cross-service confused deputy attack

C

Unauthorized access by an external attacker

Any AWS account can assume the role, leading to unauthorized access.

D

Privilege escalation by attaching additional policies

Why: Option C is correct. A trust policy with "Principal": {"AWS": "*"} lets any authenticated principal in any AWS account call sts:AssumeRole on the role, so an attacker who learns or guesses the role ARN (they are predictable and routinely leak in code, CloudFormation templates and error messages) obtains temporary credentials carrying every permission attached to the role. No CloudTrail bypass, service confused-deputy or policy-attachment trick is involved. The fix is to scope the principal to the specific account or role ARN and, where a third party legitimately needs access, to add an aws:PrincipalOrgID or sts:ExternalId condition.
Q3 (hard)

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

A

Denies all requests from EC2 instances

B

Allows the role to be assumed only by EC2 instances in the specified account and region

C

Denies requests that do not originate from an EC2 instance in the specified account and region

Correct interpretation: Denies if SourceArn is not equal to the given ARN pattern.

D

Allows any request that comes from an EC2 instance regardless of account

Why: The statement's Effect is what turns a condition into a denial, and the question treats this condition as part of a Deny statement. With StringNotEquals on aws:SourceArn the statement applies whenever the request's source ARN is not the listed value, which is why C is the intended reading. Two things to check before copying the pattern. First, String operators compare literally: the "*" in instance/* is an ordinary character, so a real ARN such as arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123 does not equal the pattern and would be denied as well; the operator for ARN patterns is ArnNotLike (or ArnLike on an Allow). Second, aws:SourceArn is only populated when an AWS service makes the call on behalf of a resource, which is how it protects an EC2 instance role from the confused-deputy problem; for a Not operator an absent key counts as a match, so requests that are not service-originated are denied too.
Q4 (easy)

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

A

The policy is missing a condition

B

The bucket policy explicitly denies the action

An explicit deny in the bucket policy overrides the user policy allow.

C

The policy does not include s3:GetObject

D

The policy has a syntax error

Why: The IAM policy grants s3:ListBucket on the bucket ARN, which is exactly what listing objects needs, so the identity policy is not the problem. IAM evaluates every applicable policy together and an explicit Deny anywhere, here in the bucket policy, overrides any Allow. Other explicit-deny sources would give the same symptom (an SCP, a permissions boundary or a VPC endpoint policy), but among the options only B explains an AccessDenied that the user's own Allow cannot fix; the statement needs no condition (A), s3:GetObject (C) is for reading objects rather than listing them, and the document as shown is syntactically valid (D).
Q5 (medium)

A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?

A

An IAM role with a trust policy for the SAML provider

The trust policy names the SAML provider as the principal and allows sts:AssumeRoleWithSAML, so a user holding a valid assertion from that provider can assume the role.

B

An OIDC identity provider

C

An IAM user for each Active Directory user

D

A federation role type

Why: A is correct because when using SAML-based federation, IAM roles are the mechanism to grant permissions to federated users. The role must have a trust policy that specifies the SAML identity provider as the principal, allowing users authenticated by the corporate Active Directory to assume the role and obtain temporary AWS credentials. This maps the SAML assertion attributes (such as the user's group or role) to IAM permissions via the role's permissions policy.
Q6 (hard)

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

A

Denies all actions that are not made over HTTPS

Correctly denies when SecureTransport is false.

B

Allows all actions only when using HTTPS

C

Enforces HTTPS for S3 bucket policies only

D

Blocks all actions for a specific AWS service

Why: This policy statement uses the `aws:SecureTransport` condition key with a `Bool` condition set to `false`. When the condition evaluates to true (i.e., the request is not using HTTPS/TLS), the `Deny` effect applies to all actions on all resources. This effectively denies any API call made over HTTP (non-secure transport), ensuring that only HTTPS requests are allowed. The policy does not explicitly allow anything; it only denies non-HTTPS traffic, so all actions are implicitly allowed when made over HTTPS.
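Added example, not from the Courseiva page or from AWS: a compact model of the IAM decision logic behind Q1, Q3, Q4 and Q6 above, written in Python so each case can be checked by running it. It implements explicit-deny-wins evaluation, "*" wildcard matching for actions and resources, and the String, ArnLike, Bool and Null condition operators, then encodes the page's policies as dictionaries (the Q4 bucket policy is assumed to be a plain Deny of s3:ListBucket, since the page only says it denies). Principal matching, cross-account and session-policy rules are deliberately left out; use the IAM policy simulator for anything beyond these cases.

```python
"""Model of the IAM decision that the Domain 3 questions rely on: an explicit Deny
beats any Allow, actions and resources match with '*' wildcards, and condition
operators decide whether a statement applies at all."""
import fnmatch


def _glob(value, pattern):
    # IAM wildcard matching ('*' and '?'); callers lower-case action names, which are case-insensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _match(op, pattern, value):
    base = op[:-len("IfExists")] if op.endswith("IfExists") else op
    if base in ("StringEquals", "ArnEquals"):
        return value == pattern           # literal comparison: a '*' in the pattern is just a character
    if base in ("StringNotEquals", "ArnNotEquals"):
        return value != pattern
    if base == "ArnLike":
        return _glob(value, pattern)      # '*' and '?' are wildcards here
    if base == "ArnNotLike":
        return not _glob(value, pattern)
    if base == "Bool":
        return str(value).lower() == str(pattern).lower()
    if base == "Null":
        return (value is None) == (str(pattern).lower() == "true")
    raise NotImplementedError(op)


def _conditions_hold(condition, context):
    for op, pairs in condition.items():
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            value = context.get(key)
            if value is None and op != "Null":
                # Absent key: negated and ...IfExists operators are satisfied, everything else fails.
                if op.startswith(("StringNot", "ArnNot")) or op.endswith("IfExists"):
                    continue
                return False
            if not any(_match(op, p, value) for p in patterns):
                return False
    return True


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policies, action, resource, context=None):
    """Decide one request against every policy in play (identity policy, bucket policy, SCP).
    Returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_glob(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_glob(resource, r) for r in _as_list(stmt.get("Resource", []))):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"     # a matching Deny is final, whatever else allows
            decision = "Allow"
    return decision


# The page's policies as dictionaries (Q4's bucket policy is assumed: a plain Deny of s3:ListBucket).
READ_OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [                     # Q1 option D
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [                             # what read-only needs
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
USER_LIST = {"Version": "2012-10-17", "Statement": [                             # Q4 identity policy
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
BUCKET_DENY = {"Version": "2012-10-17", "Statement": [                           # Q4 bucket policy
    {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
TLS_ONLY = {"Version": "2012-10-17", "Statement": [                              # Q6
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def source_arn_guard(operator):
    """Q3's condition as a Deny statement, with the operator left as a parameter so the
    difference between StringNotEquals (literal) and ArnNotLike (wildcard) can be seen."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}}}]}
```

Running evaluate() over the Q3 guard shows the trap: with StringNotEquals even an instance in the right account and region is denied, because "instance/*" is compared as a literal string; with ArnNotLike the wildcard does what the question intends.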

Domain 4: Management and Security Governance

Q1 (medium)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

A

Apply a bucket policy on each bucket denying PutObject without encryption

B

Create an SCP at the root OU that denies s3:PutBucketAction without encryption

SCPs can deny actions across all accounts in the organization.

C

Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule

D

Attach an IAM policy to each account's admin user requiring encryption

Why: Option B is the intended answer because a service control policy attached to the root applies to every account in the organization, and a Deny in an SCP cannot be overridden by any IAM policy in a member account, whereas bucket policies (A) and IAM policies (D) have to be maintained per bucket or per account and a Config rule (C) only reports. Note that s3:PutBucketAction is not a real IAM action. The enforceable pattern is an SCP that denies s3:PutObject unless the s3:x-amz-server-side-encryption condition key equals aws:kms (with a Null check so requests that omit the header are denied too), backed by the s3-bucket-server-side-encryption-enabled Config rule for reporting. Since January 2023 every new bucket encrypts new objects with SSE-S3 by default, so the real control is forcing KMS rather than forcing "encryption".
Q2 (easy)

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A

Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed

B

Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed

C

Use S3 bucket ACLs to grant READ access to the Account B user

D

Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action

Both policies are required for cross-account access.

Why: Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-way authorization is necessary because the bucket policy controls access to the S3 resource, while the IAM policy controls the user's permissions to initiate the request. Without both, the request will be denied by either the resource-based policy or the identity-based policy.
Q3 (hard)

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A

Create a custom AWS Config rule using a Lambda function that evaluates IAM groups

Lambda-backed Config rules can evaluate unsupported resource types via API calls.

B

Use IAM Access Analyzer to identify policies that grant broad access

C

Use AWS CloudTrail Insights to detect CreateUser events

D

Enable AWS Config advanced query and run a query on IAM groups

Why: A is the intended answer. A custom Config rule backed by a Lambda function can call iam:ListGroupPolicies and iam:GetGroupPolicy, inspect each inline policy document for iam:CreateUser and mark the group NON_COMPLIANT, and it is the general tool for any check a managed rule does not cover. Read the premise as hypothetical, though: AWS Config does record AWS::IAM::Group, managed rules such as iam-group-has-users-check evaluate it, and advanced queries (D) can search the recorded configuration, although evaluating policy document contents there is awkward. IAM Access Analyzer (B) reports policies that grant access outside your zone of trust, and CloudTrail Insights (C) flags unusual API call volumes after the fact; neither inspects a group's inline policy contents.
Q4 (medium)

A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

A

Create a CloudTrail trail in each account and aggregate logs to a common S3 bucket

B

Enable CloudTrail in each account and use cross-account roles to centralize logs

C

Use AWS Config to record API calls and send to CloudWatch Logs

D

Create an organization trail in the management account that applies to all accounts

Organization trails automatically apply to all accounts.

Why: Option D is correct because creating an organization trail in the management account automatically applies to all accounts in AWS Organizations, centralizing CloudTrail logs into a single S3 bucket without requiring per-account configuration. This approach minimizes operational overhead by leveraging the Organizations integration, which handles log delivery from member accounts transparently.
Q5 (easy)

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

A

Amazon Inspector

B

AWS CloudTrail

CloudTrail logs all API calls, including IAM policy changes.

C

Amazon GuardDuty

D

AWS Config

Why: AWS CloudTrail is the correct service because it records all API calls made in the AWS account, including IAM policy changes (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These events are captured as CloudTrail log entries, providing a complete audit trail of who made the change, when, and from which source IP. This directly meets the requirement to audit all changes to IAM policies.
Q6 (hard)

A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created without MFA. Which SCP should be applied at the root OU?

A

Deny iam:CreateUser unconditionally

B

Use an IAM policy to require MFA for API calls

C

Deny iam:CreateUser unless the request includes a condition for MFA

This SCP denies creation of users without MFA requirement.

D

Attach an IAM policy to all users requiring MFA

Why: Option C is correct. An SCP attached to the root that denies iam:CreateUser unless aws:MultiFactorAuthPresent is true applies to every principal in every member account and cannot be overridden by an account administrator, which is what "no IAM user can be created without MFA" requires. SCPs are guardrails, not grants: they cap the permissions available in an account, a Deny in them is final regardless of what IAM policies allow, and they never grant access themselves (nor do they apply to the management account). The usual form of the condition is "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}, so that sessions where the key is absent are denied as well. A stops user creation entirely, and B and D are per-account IAM policies that an administrator can simply detach.

Domain 5: Infrastructure Security

Q1 (medium)

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

A

Place all tiers in public subnets and use security groups to restrict traffic.

B

Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.

Separate subnets and security groups provide the isolation; encryption in transit is then applied per hop with TLS.

C

Place the web and app tiers in public subnets and the database in a private subnet.

D

Place all tiers in private subnets and use a single security group to allow traffic between them.

Why: Option B is correct because it places the web tier in a public subnet with an Internet Gateway (IGW) for internet-facing access, while the application and database tiers reside in private subnets with no direct internet path. Separate security groups enforce least privilege: the web tier security group allows inbound HTTP/HTTPS (ports 80/443) from 0.0.0.0/0, the app tier security group allows inbound traffic only from the web tier security group (a security group reference rather than a CIDR), and the database tier security group allows inbound traffic only from the app tier security group. Subnets and security groups give isolation, not encryption; encryption in transit is added per hop, with TLS between web and app and TLS to the database (RDS and Aurora support it natively), so the two requirements are met by different controls. A and C expose internal tiers to the internet; D puts the web tier out of reach from the internet (unless fronted by a load balancer, which the option does not mention) and its single shared security group lets every tier talk to every other.
Q2 (hard)

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

A

The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.

Without a return route, responses from on-premises are dropped.

B

The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.

C

The virtual private gateway is not attached to the VPC.

D

The security group does not allow inbound traffic from the on-premises server.

Why: The on-premises firewall shows packets arriving from the EC2 instance but the replies never make it back, so the forward path (security group, route table, virtual private gateway, Direct Connect) is working and the fault is on the return path. The on-premises router needs a route for the VPC CIDR that points back at the Direct Connect virtual interface; without it, replies follow the site's default route, typically towards the internet, where the VPC's private addresses are unroutable, so the instance never sees them. The asymmetry rules out the other options: a detached virtual private gateway (C) or a blocking network ACL (B) would have stopped the outbound packets from arriving at all, and the instance's security group (D) is stateful, so replies to connections the instance initiated are admitted without an inbound rule.
Q3 (easy)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

A

Create an S3 bucket policy in each account to deny access to unencrypted buckets.

B

Use AWS Config rules to detect buckets without encryption and send alerts.

C

Create an IAM role in each account that requires encryption when creating buckets.

D

Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.

SCPs allow central policy enforcement across all accounts in the organization.

Why: Option D is the intended answer because only an SCP enforces a rule centrally across every account in the organization; bucket policies (A) and IAM roles (C) are per-account and can be changed by local administrators, and a Config rule (B) detects rather than prevents. The mechanics differ from the option text, and a practitioner should know them: s3:CreateBucket carries no encryption parameters (default encryption is set afterwards with PutBucketEncryption), and since January 2023 every new bucket applies SSE-S3 to new objects automatically. To require a specific mode organization-wide, deny s3:PutObject in the SCP unless the s3:x-amz-server-side-encryption condition key matches the permitted algorithm, and keep Config's s3-bucket-server-side-encryption-enabled rule for reporting.
Q4 (hard)

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

A

Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.

Security groups are stateful and will allow return traffic automatically.

B

Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.

C

Place the database servers in a public subnet for easier connectivity.

D

Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.

E

Create a security group for the database servers that allows inbound traffic on port 3306 from the web security group ID.

This ensures only instances in the web security group can connect.

Why: Option A is correct because security groups are stateful, so allowing outbound traffic on port 3306 from the web servers to the database security group automatically permits the corresponding return traffic. This adheres to the principle of least privilege by specifying the destination as the database security group ID rather than a broad CIDR range, ensuring only the intended web servers can initiate the connection.
Q5 (medium)

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

A

The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.

This is overly permissive and should be scoped down.

B

The policy does not specify a principal, so it will not work.

C

The aws:SourceArn condition uses ArnLike which is deprecated.

D

The aws:SourceIp condition cannot be used with SQS queue policies.

Why: Option A is correct because the second statement in the SQS queue policy allows any principal in the 10.0.0.0/8 IP range to receive messages from the queue, which violates the security requirement that only the SNS topic should be allowed to send messages. The policy should restrict the `sqs:SendMessage` action to the SNS topic using a condition like `aws:SourceArn` and should not include a broad `Effect: Allow` for `sqs:ReceiveMessage` without restricting the principal or source.
Q6 (hard)

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls:

- All EC2 instances are launched in private subnets.
- The IAM roles used by EC2 instances follow the principle of least privilege.
- Security groups restrict inbound and outbound traffic.
- AWS Systems Manager Patch Manager is used to patch instances.
- AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket.
- Amazon GuardDuty is enabled.

Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

A

Enable VPC Flow Logs to monitor traffic to S3.

B

Use S3 VPC Endpoints with a bucket policy that only allows access from the VPC endpoint, and use Systems Manager Session Manager instead of SSH.

This restricts S3 access to the VPC and reduces the attack surface for data exfiltration.

C

Deploy AWS WAF in front of the S3 bucket.

D

Create an AWS Config rule to detect S3 access from EC2 instances.

Why: Option B is correct because using an S3 VPC endpoint with a bucket policy that restricts access exclusively to that endpoint ensures that compromised EC2 instances can only reach S3 through the VPC endpoint, preventing data exfiltration over the internet. Additionally, replacing SSH with Systems Manager Session Manager eliminates the need for open inbound SSH ports and provides fine-grained access control through IAM, reducing the attack surface and blast radius.

Domain 6: Data Protection

Q1 (medium)

A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

A

Configure a bucket policy that denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms.

B

Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.

C

Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.

This policy enforces SSE-S3 for uploads without affecting reads of existing objects.

D

Disable SSE-KMS in the AWS KMS key policy to prevent its use.

Why: Option C is correct because it uses a bucket policy to deny s3:PutObject unless the x-amz-server-side-encryption header is set to AES256, which is the value for SSE-S3. This enforces that all future uploads use SSE-S3, while existing SSE-KMS objects remain readable because the policy only applies to write operations. The condition key s3:x-amz-server-side-encryption checks the encryption header value, and the Deny effect overrides any Allow, ensuring compliance.
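The two bucket-policy controls discussed on this page, the SSE-S3 enforcement policy in this question and the VPC-endpoint-only policy from Infrastructure Security Q6, written out as an added example (not code from the original page or from AWS). The bucket name, VPC endpoint ID and sample requests are constructed placeholders, and the evaluator is a simplified model of IAM Deny-statement matching for the three operators used, not a full IAM engine. It shows why uploads without `AES256` are refused while reads of existing SSE-KMS objects still succeed, and why a request that never passed through the VPC endpoint is refused regardless of the caller's IAM permissions.

```python
from fnmatch import fnmatchcase

# Placeholder names for this example; not taken from any real account.
BUCKET = "example-sensitive-docs"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"


def sse_s3_only_policy(bucket: str) -> dict:
    """Deny s3:PutObject unless the request asks for SSE-S3 (AES256).
    Only uploads are covered, so reads of SSE-KMS objects are unaffected.
    The second statement catches uploads that omit the header entirely."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUploadsNotUsingSSES3",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
            {
                "Sid": "DenyUploadsWithoutEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def vpc_endpoint_only_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every S3 action unless the request came through the given
    VPC endpoint (aws:sourceVpce condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            }
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Simplified IAM condition evaluation for the operators used above.
    As in IAM, a negated operator (StringNotEquals) matches when the key is
    absent from the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                matched = actual == expected
            elif operator == "StringNotEquals":
                matched = actual is None or actual != expected
            elif operator == "Null":
                matched = (actual is None) == (expected == "true")
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement applies; an explicit Deny overrides any Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed sample requests: (label, action, resource, request context).
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.pdf"
SAMPLE_REQUESTS = [
    ("upload with SSE-S3 via endpoint", "s3:PutObject", OBJECT_ARN,
     {"s3:x-amz-server-side-encryption": "AES256", "aws:sourceVpce": VPC_ENDPOINT_ID}),
    ("upload with SSE-KMS via endpoint", "s3:PutObject", OBJECT_ARN,
     {"s3:x-amz-server-side-encryption": "aws:kms", "aws:sourceVpce": VPC_ENDPOINT_ID}),
    ("upload with no encryption header", "s3:PutObject", OBJECT_ARN,
     {"aws:sourceVpce": VPC_ENDPOINT_ID}),
    ("read existing SSE-KMS object via endpoint", "s3:GetObject", OBJECT_ARN,
     {"aws:sourceVpce": VPC_ENDPOINT_ID}),
    ("read from outside the VPC endpoint", "s3:GetObject", OBJECT_ARN, {}),
]


def evaluate_samples() -> dict:
    """Run every sample request against both policies; True means denied."""
    policies = [sse_s3_only_policy(BUCKET), vpc_endpoint_only_policy(BUCKET, VPC_ENDPOINT_ID)]
    return {label: any(is_denied(p, action, resource, ctx) for p in policies)
            for label, action, resource, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, denied in evaluate_samples().items():
        print(f"{'DENY' if denied else 'ok  '}  {label}")
```

When applying either policy to a real bucket, check the Deny statements against the bucket's own service roles first (logging, replication, lifecycle): a `StringNotEquals` on `aws:sourceVpce` also blocks requests from AWS services and from the console, so those principals need their own exemptions or a separate access path.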
Q2 (hard)

A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

A

Enable automatic key rotation on the existing CMK.

B

Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.

Alias updates are immediate and do not require application changes; old keys remain available for decryption.

C

Use a CMK with imported key material and rotate the material every 90 days.

D

Continue creating new CMKs but use a script to update the application configuration files.

Why: Option B is correct because it uses aliases to decouple the key identifier from the application configuration. By creating a new CMK every 90 days and updating the alias to point to the new key, applications that reference the alias automatically use the new key without code changes, eliminating downtime. AWS KMS aliases are mutable pointers that can be reassigned to different CMKs, and the old key versions remain available for decryption of historical data.
Q3 (easy)

A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?

A

Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.

CloudHSM provides a dedicated HSM that you control, and RDS can be encrypted using keys from CloudHSM.

B

Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.

C

Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.

D

Use AWS KMS with a custom key store backed by AWS CloudHSM.

Why: AWS CloudHSM provides a dedicated hardware security module (HSM) that lets you manage encryption keys much as you would on an on-premises HSM, meeting the requirement for key management on the company's own HSM. When you enable Amazon RDS for MySQL encryption with CloudHSM, the database encryption keys are stored and managed in the CloudHSM cluster, and you can rotate them every 6 months as required. This solution directly satisfies the compliance team's mandate for on-premises HSM key management and periodic rotation.
Q4 (medium)

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

A

Enable default encryption on the bucket using SSE-S3.

B

Enable AWS CloudTrail with data events for S3.

CloudTrail logs all API calls, including failed ones, for auditing.

C

Enable S3 Versioning on the bucket.

Versioning allows recovery of deleted objects within the version retention period.

D

Enable S3 server access logs and send them to a separate bucket.

E

Enable MFA Delete on the bucket.

Why: AWS CloudTrail with data events for S3 is correct because it captures all S3 API calls, including GetObject, PutObject, and DeleteObject, and records both successful and failed access attempts. This meets the auditing requirement for all access attempts, including failed ones, as CloudTrail logs the request details, error codes, and source IP addresses.
Q5 (hard)

A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls:

1. All S3 buckets are configured with default encryption using SSE-S3.
2. Bucket policies restrict access to only authorized IAM roles.
3. S3 access logs are enabled and sent to a centralized logging account.
4. MFA Delete is enabled on all buckets.
5. Object Lock is not enabled.

Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

A

Enable S3 Object Lock in Governance mode with a retention period of 30 days.

B

Enable S3 Versioning on the buckets and ensure that the IAM policies include s3:DeleteObjectVersion where appropriate.

Versioning allows recovery of deleted objects via delete markers or version restoration.

C

Remove the s3:DeleteObject permission from all IAM policies and use S3 Lifecycle policies to expire objects after 30 days.

D

Change the default encryption from SSE-S3 to SSE-C and use a separate key for each object.

Why: Enabling S3 Versioning is the most effective solution because it preserves all object versions, including deleted objects (which become delete markers). With versioning enabled, authorized users can still use s3:DeleteObject to delete the current version, but the previous versions remain recoverable. Since the requirement is to recover deleted PHI within 30 days, versioning combined with a lifecycle policy to permanently delete old versions after 30 days would meet the retention policy without blocking immediate deletion.
Q6 (medium)

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?

A

Use an AWS managed key and enable automatic rotation.

B

Use a customer managed key with imported key material and enable automatic rotation.

C

Use a customer managed key and enable automatic rotation with a yearly rotation period.

Customer managed keys support automatic rotation with a configurable period (yearly).

D

Use an AWS managed key and manually rotate it every year.

Why: Option C is correct because customer managed keys (CMKs) in AWS KMS support automatic rotation with a customizable rotation period, which can be set to 365 days (one year) to meet the security team's requirement. AWS managed keys, on the other hand, have a fixed automatic rotation period of every three years (1095 days) and cannot be adjusted, making them unsuitable for a yearly rotation mandate. By using a CMK with automatic rotation enabled and specifying a rotation period of one year, the company ensures that the encryption key material is rotated annually without manual intervention.
Frequently asked questions

How many questions are on the SCS-C02 exam?

The SCS-C02 exam has 65 questions and must be completed in 170 minutes. The passing score is 750/1000.

What types of questions appear on the SCS-C02 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are SCS-C02 questions organised by domain?

The exam covers 6 domains: Threat Detection and Incident Response, Security Logging and Monitoring, Identity and Access Management, Management and Security Governance, Infrastructure Security, Data Protection. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SCS-C02 exam questions?

No. These are original exam-style practice questions written against the official Amazon Web Services SCS-C02 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.