Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SCS-C02 Management and Security Governance Practice Questions

20+ practice questions focused on Management and Security Governance — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Exam Domains

Threat Detection and Incident Response; Security Logging and Monitoring; Identity and Access Management; Management and Security Governance; Infrastructure Security; Data Protection


Sample Management and Security Governance Questions

1. A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

A. Apply a bucket policy on each bucket denying PutObject without encryption
B. Create an SCP at the root OU that denies s3:PutBucketAction without encryption
C. Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
D. Attach an IAM policy to each account's admin user requiring encryption

Explanation: Option B is correct because Service Control Policies (SCPs) at the root OU can deny the s3:PutBucketAction (which includes s3:PutBucketEncryption) unless the request includes encryption settings that use AWS KMS. This enforces encryption at the organizational level, overriding any account-level permissions, and ensures that all S3 buckets across all accounts are encrypted with KMS.

2. A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A. Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed
B. Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed
C. Use S3 bucket ACLs to grant READ access to the Account B user
D. Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action

Explanation: Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-way authorization is necessary because the bucket policy controls access to the S3 resource, while the IAM policy controls the user's permissions to initiate the request. Without both, the request will be denied by either the resource-based policy or the identity-based policy.

3. A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A. Create a custom AWS Config rule using a Lambda function that evaluates IAM groups
B. Use IAM Access Analyzer to identify policies that grant broad access
C. Use AWS CloudTrail Insights to detect CreateUser events
D. Enable AWS Config advanced query and run a query on IAM groups

Explanation: AWS Config managed rules do not support the AWS::IAM::Group resource type, so you cannot use a managed rule to evaluate inline policies on IAM groups. The best approach is to create a custom AWS Config rule backed by a Lambda function that can evaluate the IAM group's inline policies and trigger a compliance check when the group configuration changes. This allows you to detect any inline policy that contains the 'iam:CreateUser' action.

4. A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

A. Create a CloudTrail trail in each account and aggregate logs to a common S3 bucket
B. Enable CloudTrail in each account and use cross-account roles to centralize logs
C. Use AWS Config to record API calls and send to CloudWatch Logs
D. Create an organization trail in the management account that applies to all accounts

Explanation: Option D is correct because creating an organization trail in the management account automatically applies to all accounts in AWS Organizations, centralizing CloudTrail logs into a single S3 bucket without requiring per-account configuration. This approach minimizes operational overhead by leveraging the Organizations integration, which handles log delivery from member accounts transparently.

5. A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

A. Amazon Inspector
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Config

Explanation: AWS CloudTrail is the correct service because it records all API calls made in the AWS account, including IAM policy changes (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These events are captured as CloudTrail log entries, providing a complete audit trail of who made the change, when, and from which source IP. This directly meets the requirement to audit all changes to IAM policies.


How to master Management and Security Governance for SCS-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Management and Security Governance. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Management and Security Governance questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SCS-C02 Management and Security Governance questions are on the real exam?

The exact number varies per candidate. Management and Security Governance is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Management and Security Governance questions ensures you can handle any format or difficulty that appears.

Are these SCS-C02 Management and Security Governance practice questions free?

Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Management and Security Governance one of the harder SCS-C02 topics?

Difficulty is subjective, but Management and Security Governance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Management and Security Governance
Exam: SCS-C02
Questions available: 20+