20+ practice questions focused on Management and Security Governance — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?
Explanation: Option B is correct because Service Control Policies (SCPs) at the root OU can deny the s3:PutBucketAction (which includes s3:PutBucketEncryption) unless the request includes encryption settings that use AWS KMS. This enforces encryption at the organizational level, overriding any account-level permissions, and ensures that all S3 buckets across all accounts are encrypted with KMS.
A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?
Explanation: Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-way authorization is necessary because the bucket policy controls access to the S3 resource, while the IAM policy controls the user's permissions to initiate the request. Without both, the request will be denied by either the resource-based policy or the identity-based policy.
A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?
Explanation: AWS Config managed rules do not support the AWS::IAM::Group resource type, so you cannot use a managed rule to evaluate inline policies on IAM groups. The best approach is to create a custom AWS Config rule backed by a Lambda function that can evaluate the IAM group's inline policies and trigger a compliance check when the group configuration changes. This allows you to detect any inline policy that contains the 'iam:CreateUser' action.
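The evaluation step such a Lambda function would perform, as an added example that is not part of the original question set. It assumes the configuration item lists a group's inline policies under configuration.groupPolicyList with a URL-encoded JSON policyDocument; the sample item and the helper names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import quote, unquote

TARGET = "iam:createuser"  # IAM action names match case-insensitively

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns):
    # IAM wildcards (* and ?) behave like shell globs for action names.
    return any(fnmatchcase(TARGET, str(p).lower()) for p in patterns)

def statement_allows_create_user(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
        return not _matches(_as_list(stmt["NotAction"]))
    return _matches(_as_list(stmt.get("Action")))

def evaluate_group(configuration_item):
    """Return (compliance_type, offending_inline_policy_names) for one group."""
    offending = []
    policies = configuration_item["configuration"].get("groupPolicyList") or []
    for entry in policies:
        doc = entry["policyDocument"]
        if isinstance(doc, str):  # assumed: URL-encoded JSON document
            doc = json.loads(unquote(doc))
        if any(statement_allows_create_user(s) for s in _as_list(doc.get("Statement"))):
            offending.append(entry["policyName"])
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending

def _doc(statement):
    # Helper that builds a constructed, URL-encoded policy document.
    return quote(json.dumps({"Version": "2012-10-17", "Statement": statement}))

# Constructed sample configuration item (not real account data).
SAMPLE_ITEM = {
    "resourceType": "AWS::IAM::Group", "resourceName": "helpdesk",
    "configuration": {"groupPolicyList": [
        {"policyName": "read-only", "policyDocument": _doc(
            [{"Effect": "Allow", "Action": "iam:List*", "Resource": "*"}])},
        {"policyName": "user-admin", "policyDocument": _doc(
            {"Effect": "Allow", "Action": ["iam:Create*", "iam:Get*"], "Resource": "*"})},
    ]},
}
```

In a deployed rule, the Lambda handler would report this result back to AWS Config through the PutEvaluations API.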
A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?
Explanation: Option D is correct because creating an organization trail in the management account automatically applies to all accounts in AWS Organizations, centralizing CloudTrail logs into a single S3 bucket without requiring per-account configuration. This approach minimizes operational overhead by leveraging the Organizations integration, which handles log delivery from member accounts transparently.
A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?
Explanation: AWS CloudTrail is the correct service because it records all API calls made in the AWS account, including IAM policy changes (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These events are captured as CloudTrail log entries, providing a complete audit trail of who made the change, when, and from which source IP. This directly meets the requirement to audit all changes to IAM policies.
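An added example (not part of the original question set) of pulling the who, when and source IP for IAM policy changes out of a CloudTrail log file. The event list extends the three names in the explanation with the other IAM policy-management API calls, and the log records are constructed sample data.

```python
import json

POLICY_CHANGE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
    "DeletePolicyVersion", "SetDefaultPolicyVersion",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
}

def iam_policy_changes(log_text):
    """Return IAM policy-change events from one CloudTrail log file, oldest first."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_CHANGE_EVENTS:
            continue
        findings.append({
            "when": rec.get("eventTime"),
            "who": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            # A record with an errorCode is an attempt that did not apply.
            "succeeded": "errorCode" not in rec,
        })
    return sorted(findings, key=lambda f: f["when"] or "")

# Constructed sample log file (placeholder account ID and documentation IPs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-02T11:40:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "203.0.113.77",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-02T09:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-02T09:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-02T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]})

if __name__ == "__main__":
    for finding in iam_policy_changes(SAMPLE_LOG):
        print(finding)
```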
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Management and Security Governance. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Management and Security Governance questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Management and Security Governance is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Management and Security Governance questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Management and Security Governance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.