Practice SOA-C02 Security and Compliance questions with full explanations on every answer.
Start practicing
Security and Compliance — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?
2A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?
3An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?
4A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?
5A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?
6An organization requires that all Amazon EC2 instances must be launched only with approved Amazon Machine Images (AMIs) that have been pre-approved by the security team. The SysOps administrator needs to enforce this policy for all current and future instances in the AWS account. Unapproved AMIs should be prevented from launching. Which solution meets these requirements with the least operational overhead?
7A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?
8A company's security policy requires that all Amazon RDS for PostgreSQL instances be encrypted at rest using AWS Key Management Service (KMS) customer managed keys and have automated backups enabled with a retention period of at least 30 days. A SysOps administrator needs to use AWS Config to automatically detect any RDS instance that is non-compliant with either requirement and automatically remediate it. Which combination of AWS Config managed rules and remediation actions should be used?
9A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?
10An organization wants to ensure that no Amazon S3 bucket in the entire AWS Organization can be made public. The security team requires a preventive control that cannot be overridden by individual account administrators. Which AWS service or feature should be used?
11A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?
12An organization has a policy requiring that all Amazon EC2 instances launched in the production account must have detailed monitoring enabled for Amazon CloudWatch. A SysOps administrator needs to enforce this rule automatically. Which solution will ensure that any EC2 instance launched without detailed monitoring is automatically remediated?
13A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?
14A company uses AWS Organizations and wants to restrict access to S3 buckets based on project tags. The security policy requires that users in the 'DataScientists' group can only access S3 buckets that have the tag 'Project: DataEngineering'. Which IAM policy condition key should the SysOps administrator use in a customer managed policy to enforce this restriction?
15A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?
16A company's security team requires that all Amazon S3 buckets are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any S3 bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?
17A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?
18A SysOps administrator manages IAM roles for Amazon EC2 instances. The administrator needs to identify permissions that have never been used in the last 90 days to right-size the policies. Which AWS feature should be used to achieve this?
19A company's security policy requires that all Amazon S3 buckets must be non-publicly accessible. The SysOps administrator needs to automatically detect any bucket that becomes publicly accessible and automatically remediate it by applying a bucket policy that blocks public access. The solution should use AWS managed services with minimal custom code. Which combination of services should be used?
20A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?
21A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest. The administrator wants to automatically remediate any bucket that is created without default encryption. Which AWS service should be used to achieve this with the least operational overhead?
22A company's security policy requires that IAM users rotate their access keys every 90 days. The SysOps administrator must automatically identify users whose access keys are older than 90 days and notify the security team. Which combination of AWS services should be used to meet this requirement with the least operational overhead?
23A company's security policy requires that all Amazon EC2 instances must have a specific tag 'Environment' with a value of either 'Production' or 'Development'. The SysOps administrator needs to detect any instance that is missing this tag or has an invalid value, and automatically email the operations team. Which AWS service should be used to achieve this with the least operational overhead?
24A company wants to ensure that only specific IAM roles within the same AWS account can encrypt and decrypt data using an AWS KMS customer managed key. Which type of policy must be configured to achieve this restriction?
25A SysOps administrator needs to detect when an IAM user attempts to modify an Amazon S3 bucket policy in the production AWS account. The administrator wants to receive an email notification within 5 minutes of such an event. The solution must use AWS managed services with no custom code. Which combination of services should the administrator use?
26A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?
27A company wants to enforce that all Amazon EC2 instances launched in the AWS account must have a specific termination protection setting enabled. The SysOps administrator needs to automatically remediate any instances that are launched without termination protection. Which AWS service should be used to achieve this?
28A company requires that all users in an AWS account must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to implement this requirement using IAM policies. Which IAM policy condition key should be used to enforce MFA?
29A company's security policy requires that only traffic from the corporate office IP range (203.0.113.0/24) can access an Amazon S3 bucket that stores internal reports. The SysOps administrator must enforce this restriction. Which policy type should be modified to implement this requirement?
30A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?
31A company operates a web application behind an Application Load Balancer (ALB). The SysOps administrator needs to block incoming requests from specific geographic locations (countries X and Y) and also enforce a rate limit of 100 requests per IP address per 5-minute window to mitigate DDoS attacks. The solution must be centrally configured and apply to all requests handled by the ALB. Which AWS service should be used to implement these requirements?
32A company requires that all Amazon EC2 instances launched in its AWS account must have termination protection enabled. The SysOps administrator needs to automatically remediate any instance launched without termination protection. The solution should use AWS managed services without custom scripts. Which AWS service should be used?
33A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are configured with server-side encryption using AWS KMS (SSE-KMS). The administrator wants to automatically detect any S3 buckets that are not compliant and remediate them by enabling SSE-KMS. Which AWS service should be used to implement this automated compliance enforcement?
34A company's security policy requires that all IAM users must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to enforce this requirement using IAM policies. Which IAM policy condition key should the administrator use in the policy?
35A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?
36A company manages multiple AWS accounts under AWS Organizations. The security team requires that all Amazon S3 buckets in the organization must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect any bucket that is not compliant and remediate it by enabling SSE-KMS. Which AWS feature or service should be used to implement this automated compliance enforcement?
37A company wants to restrict access to an AWS Systems Manager Parameter Store parameter to only requests originating from the corporate network IP range (10.0.0.0/8). The SysOps administrator needs to implement this restriction using an IAM policy. Which condition key should be used?
38A company's security team requires that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The SysOps administrator needs to create an IAM policy that denies all console actions if the user has not authenticated with MFA. Which IAM condition key should the administrator use?
39A company uses AWS Organizations and has multiple accounts. The security team requires that all Amazon S3 buckets across all accounts must be encrypted at rest with AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect non-compliant buckets and remediate them by enabling SSE-KMS. The solution must work across all existing and future accounts. Which AWS service should be used?
40Match each AWS service with its primary security compliance function. (Drag each service to its correct function.) (Choose 4.)
41A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?
42A company's security policy requires that all IAM users must change their passwords every 90 days. The SysOps administrator needs to enforce this requirement. Which IAM setting should the administrator configure?
43A company's security policy requires that all IAM user passwords must be at least 12 characters long. The SysOps administrator needs to enforce this requirement across the AWS account. Which action should the administrator take?
44A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?
45A company's security policy requires that all IAM users must authenticate using multi-factor authentication (MFA) before accessing the Amazon S3 bucket containing confidential finance data. The SysOps administrator needs to create an IAM policy that denies access to the S3 bucket if the user has not authenticated using MFA. Which IAM condition key should the administrator include in the policy?
46A company wants to ensure that all Amazon S3 buckets have versioning enabled to protect against accidental deletion of objects. A SysOps administrator needs to automatically detect any buckets that do not have versioning enabled and receive notifications. Which AWS service should the administrator use?
47A company stores database credentials in AWS Secrets Manager. The security policy requires that the credentials be rotated automatically every 30 days. Which action should the SysOps administrator take to enforce this requirement?
48A company uses AWS Organizations to manage multiple AWS accounts. The security team requires that all Amazon S3 buckets in every account be encrypted at rest using AWS KMS customer managed keys. The SysOps administrator needs to enforce this requirement centrally without requiring changes in each account individually. Which approach should the administrator use?
49A company requires all S3 uploads to use server-side encryption with a specific customer managed KMS key. What is the most direct enforcement mechanism?
50Developers are allowed to create IAM roles for their Lambda functions. However, the security team is concerned that developers could create roles with Administrator access, granting Lambda functions more permissions than the developers themselves have. What IAM feature prevents privilege escalation in this scenario?
51The CISO asks for a centralized dashboard showing security findings from GuardDuty, Macie, Inspector, and Firewall Manager across 30 AWS accounts. Findings must be normalized into a single format so they can be prioritized by severity without switching between services. Which AWS service provides this capability?
52Account A owns an S3 bucket containing shared artifacts. Account B needs to read objects from the bucket. The Account A team wants to grant access without creating IAM users, sharing access keys, or creating a role in Account A that Account B assumes. How should the bucket be configured to allow Account B's IAM roles to read objects?
53An application stores its RDS PostgreSQL credentials in AWS Secrets Manager. The security policy requires credentials to be rotated every 30 days automatically. During rotation, the application must continue to serve traffic with zero downtime. The application retrieves credentials by calling GetSecretValue at the start of each database connection. What must be configured to satisfy all requirements?
54Drag and drop the steps to create an Amazon CloudWatch alarm that sends an email notification when CPU utilization exceeds 90% into the correct order.
55Drag and drop the steps to configure an Amazon Route 53 failover routing policy into the correct order.
56Match each AWS compute service to its use case.
57Match each AWS cost management tool to its purpose.
58A company wants to enforce that all Amazon S3 buckets in their AWS account are encrypted at rest. They have enabled AWS CloudTrail and want to automatically remediate any non-compliant bucket created by users. Which AWS service should they use to achieve this?
59A SysOps administrator needs to ensure that an Amazon EC2 instance can access an Amazon S3 bucket without storing long-term credentials on the instance. Which approach should be used?
60A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys for themselves. Which is the MOST effective way to enforce this policy across all accounts?
61An application running on Amazon EC2 needs to encrypt data before writing to Amazon S3. The encryption key must be rotated every 90 days and access to the key must be auditable. Which solution meets these requirements?
62A SysOps administrator needs to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy statement should be added to the bucket policy?
63A company requires that all AWS account activity be recorded and the logs be stored in a centralized S3 bucket for analysis. Which two AWS services should be used together to meet this requirement?
64A company uses AWS Key Management Service (KMS) to encrypt data in Amazon S3. They want to ensure that the KMS key can only be used from within a specific VPC. How can this be accomplished?
65A SysOps administrator is troubleshooting an issue where an IAM user is unable to launch an EC2 instance in a specific subnet. The user has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:Subnet": "subnet-12345" } } } ] } What is the likely cause of the failure?
66A company wants to ensure that all data in Amazon S3 is encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Which bucket policy statement should be used to deny any PUT request that does not include the 'x-amz-server-side-encryption' header with value 'aws:kms'?
67A company is designing a secure application architecture. They need to ensure that sensitive data stored in Amazon S3 is not accessible from the public internet. Which TWO actions should be taken? (Choose TWO.)
68A SysOps administrator needs to audit all changes to IAM resources in their AWS account. Which THREE AWS services can be used together to achieve this? (Choose THREE.)
69A company uses AWS Organizations and wants to restrict the use of specific AWS services across all member accounts. Which TWO methods can be used to enforce these restrictions? (Choose TWO.)
70A company wants to ensure that their Amazon S3 bucket policy only allows access from a specific VPC endpoint. Which TWO condition keys can be used in the bucket policy? (Choose TWO.)
71A company has the following S3 bucket policy attached to a bucket named 'example-bucket'. A user is unable to download an object from the bucket using an HTTP URL (not HTTPS). What is the cause?
72A SysOps administrator is investigating a security incident where an unauthorized key pair was created. The CloudTrail lookup command output is shown. The administrator wants to find the source IP address of the 'admin' user who created the key pair. Which field in the 'CloudTrailEvent' JSON should the administrator examine?
73A company's security team notices that an IAM user has been making unauthorized API calls from an IP address outside the company's VPN. The team wants to immediately block all API calls from that specific IP address for all users. Which action should be taken?
74A SysOps administrator is tasked with encrypting data at rest for an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption solution meets these requirements?
75A company wants to allow a developer to deploy applications using AWS CloudFormation but restrict the developer from creating or modifying IAM resources. Which IAM policy should be used?
76Which TWO actions should a SysOps administrator take to secure an S3 bucket that stores sensitive data? (Choose two.)
77A company wants to audit all API calls made in their AWS account for compliance. Which THREE AWS services can be used together to capture and store these logs? (Choose three.)
78Which TWO measures help protect an AWS account root user? (Choose two.)
79Refer to the exhibit. An IAM policy is attached to a user. The user's IP address is 10.0.1.5. What is the result when the user tries to download an object from the folder 'confidential' in 'example-bucket'?
80Refer to the exhibit. A company has a CloudTrail trail in us-east-1 that logs events for that region only. The company operates in multiple regions and wants to ensure all API calls from all regions are logged. What is the most efficient way to achieve this?
81Refer to the exhibit. An IAM policy allows a user to run instances only of type t2.micro. What happens when the user tries to run a t2.small instance?
82A company's security team wants to ensure that all new S3 buckets created in the AWS account are automatically encrypted with server-side encryption. What should a SysOps administrator do to enforce this?
83An organization requires that all data in transit between EC2 instances and the internet be encrypted. Which AWS service can be used to enforce this requirement?
84A company wants to grant an IAM role in Account A access to an S3 bucket in Account B. What must be configured?
85A SysOps administrator discovers that an EC2 instance was compromised because the SSH key pair was leaked. The administrator wants to ensure that future access to EC2 instances is secured using a method that does not rely on static keys. Which solution should the administrator implement?
86A company's compliance team requires that all changes to IAM policies be logged and immediately alerted. Which AWS solution should be used?
87A SysOps administrator needs to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the administrator do?
88A company requires that all API calls to AWS services be logged for compliance. The logs must be stored in a centralized S3 bucket with server-side encryption enabled. Which AWS service should be used to capture the API calls?
89An administrator needs to grant an IAM user the ability to stop and start EC2 instances, but only for instances tagged with 'Environment:Production'. Which IAM policy element should be used to enforce this condition?
90A company uses AWS Organizations with SCPs to restrict member accounts. The security team wants to prevent all users in the 'Developers' OU from deleting S3 buckets, except for the root user of the management account. How should this be implemented?
91A SysOps administrator needs to ensure that data in an S3 bucket is encrypted at rest. The bucket already has server-side encryption with S3 managed keys (SSE-S3) enabled. Which additional step is required to enforce encryption for all objects?
92A company has a legacy application that requires access to an S3 bucket using an IAM user's access keys. The security team wants to rotate the access keys every 90 days automatically. What is the MOST efficient way to achieve this?
93An administrator notices that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What should the administrator do FIRST to contain the incident?
94A company wants to allow an external auditor to read objects in a specific S3 bucket for 30 days. The auditor does not have an AWS account. Which method should be used?
95An organization wants to enforce that all IAM users have multi-factor authentication (MFA) enabled before they can perform any action except changing their own password. Which IAM policy element is MOST appropriate?
96A company stores sensitive data in an RDS database. Which AWS service should be used to encrypt the database at rest?
97Which TWO actions should a SysOps administrator take to secure an AWS account root user? (Choose two.)
98Which THREE are valid methods to control access to an S3 bucket? (Choose three.)
99Which TWO services can be used to centrally manage cryptographic keys for AWS services? (Choose two.)
100Refer to the exhibit. An IAM policy is attached to a user. Which statement about the user's access is correct?
101Refer to the exhibit. A SysOps administrator runs the AWS CLI command to check the event selectors for a CloudTrail trail. What does the output indicate?
102Refer to the exhibit. A SysOps administrator runs the command to list running EC2 instances. What is the purpose of the '--query' parameter?
103A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users in any member account can create access keys for themselves. What is the MOST efficient way to enforce this policy across all accounts?
104A SysOps administrator needs to share an encrypted AMI with a different AWS account. The AMI uses an AWS KMS key (customer managed key) for EBS encryption. What must be done to allow the target account to launch EC2 instances from the AMI?
105A company's security team notices that an IAM user has been generating multiple access keys and deleting them within a short period. The SysOps administrator needs to detect and alert on this behavior. Which solution is the MOST effective?
106An organization requires that all Amazon S3 buckets be encrypted with AES-256 server-side encryption. A SysOps administrator needs to enforce this policy across the entire AWS account. Which action should be taken?
107A SysOps administrator needs to provide a developer from another AWS account access to an S3 bucket in the administrator's account. The developer must be able to list objects and get objects from the bucket. The administrator does NOT want to share AWS access keys. Which solution meets these requirements?
108A company uses IAM roles to grant EC2 instances access to S3 buckets. After a recent security audit, the SysOps administrator must ensure that only instances with a specific tag (Environment=Production) can assume the role. How can this be achieved?
109A SysOps administrator is configuring a new AWS account and wants to set up a secure password policy for IAM users. The policy must require at least 12 characters, one uppercase letter, one number, and must prevent password reuse. Where should this policy be configured?
110A company wants to provide temporary credentials to an application running on an on-premises server so it can access AWS resources. The credentials must be rotated automatically. Which IAM feature should be used?
111An organization uses AWS KMS to encrypt data in S3. A SysOps administrator needs to ensure that KMS keys cannot be deleted accidentally. What is the MOST effective way to protect against accidental key deletion?
112A company has an S3 bucket that stores sensitive data. The security team requires that all data be encrypted at rest and that all access be logged. Which TWO actions should the SysOps administrator take to meet these requirements? (Choose TWO.)
113A SysOps administrator is designing a solution to manage secrets (e.g., database credentials) for a multi-tier application running on EC2 instances. The solution must rotate secrets automatically and provide fine-grained access control. Which TWO services should be used together? (Choose TWO.)
114A company wants to audit all API calls made in their AWS account for security analysis. They need to record both management events and data events. Which THREE steps should be taken to set up comprehensive logging? (Choose THREE.)
115A company wants to securely store database credentials used by an application running on Amazon EC2. Which AWS service should be used to rotate and manage access to these secrets?
116A SysOps administrator is troubleshooting an issue where an IAM user can launch EC2 instances but cannot terminate them. The user's permissions are based on an IAM group policy. Which action should the administrator take to resolve this?
117A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS with a specific customer managed key. Which bucket policy condition should be used to enforce this?
118A SysOps administrator needs to ensure that an Amazon RDS instance is encrypted at rest. The instance is already provisioned unencrypted. What is the correct approach to enable encryption?
119A company uses AWS Organizations to manage multiple accounts. The security team wants to restrict all accounts from using specific AWS services unless explicitly allowed. Which feature should be used?
120An application running on Amazon EC2 needs to access an S3 bucket. The SysOps administrator wants to ensure that only that specific EC2 instance can access the bucket, without storing any long-term credentials on the instance. What is the most secure way to achieve this?
121A SysOps administrator needs to audit all API calls made in the AWS account, including actions performed by the root user. Which service should be enabled?
122A company requires that all S3 buckets be tagged with a 'CostCenter' tag. A SysOps administrator needs to enforce this and prevent creation of untagged buckets. Which approach should be used?
123A SysOps administrator receives an alert that an IAM user's access key was used from an unexpected geographic location. What should the administrator do to prevent future unauthorized use?
124A company wants to ensure that its AWS resources are compliant with the CIS AWS Foundations Benchmark. Which TWO AWS services can be used to automate compliance checks and remediation?
125A SysOps administrator needs to securely transfer a large dataset from an on-premises server to an Amazon S3 bucket. The data is sensitive and must be encrypted in transit and at rest. Which THREE steps should the administrator take? (Choose three.)
126A SysOps administrator is configuring a new VPC and wants to ensure that only traffic from a specific IP address range can access an EC2 instance via SSH. Which TWO components should be configured? (Choose two.)
127A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files from the S3 bucket. Which THREE actions should be taken? (Choose three.)
128A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization have server-side encryption enabled. What is the MOST efficient way to achieve this?
129A SysOps administrator needs to provide temporary access to an S3 bucket for a third-party auditor. The access must expire after 24 hours. Which solution should the administrator use?
130A company uses an IAM policy to allow users to manage their own passwords and access keys. The policy includes a condition that requires multi-factor authentication (MFA) for any sensitive operations. However, users report that they are unable to change their own passwords even when MFA is not required. What is the likely cause?
131A SysOps administrator needs to ensure that all API calls made to AWS are logged for auditing purposes. Which AWS service should be enabled to capture management events?
132A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects in the bucket be encrypted at rest using AWS KMS. An administrator notices that some objects are not encrypted. What is the MOST efficient way to enforce encryption for future uploads?
133A SysOps administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance. The user has a policy that allows ec2:RunInstances. What is the most likely cause of the failure?
134A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which solution meets this requirement with minimal administrative overhead?
135A company uses an IAM policy that allows s3:GetObject for a specific bucket. However, an IAM user is getting an Access Denied error when trying to download an object. The bucket policy also allows s3:GetObject for the user's account. What is the most likely cause?
136A SysOps administrator needs to generate a report of all IAM users and their last activity. Which AWS service can provide this information?
137A company wants to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the SysOps administrator do?
138An IAM user has the policy shown in the exhibit. The user is trying to download an object from example-bucket from an IP address of 192.0.2.50. However, the request is denied. What is the most likely reason?
139A company wants to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which TWO actions should the SysOps administrator take? (Choose TWO.)
140A company has an AWS account with multiple IAM users. The security team wants to enforce that all users use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the SysOps administrator take? (Choose THREE.)
141A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive data in an S3 bucket. The security team has mandated that all data in transit to the S3 bucket must be encrypted using TLS. The SysOps administrator configured the application to use HTTPS endpoints for S3. However, a security audit reveals that some requests to S3 are still being sent over HTTP. The administrator checks the VPC Flow Logs and sees that the EC2 instances are communicating with the S3 bucket via a VPC endpoint. The company also uses an S3 bucket policy that allows access only from the VPC endpoint. What is the most likely reason that some requests are sent over HTTP?
142A company has a single AWS account with multiple IAM users. The security team wants to ensure that no IAM user can create or modify VPC resources. The SysOps administrator creates a managed policy that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions. The policy is attached to all IAM users via a group. However, after a week, a user reports that they were able to create a VPC. The administrator checks CloudTrail and confirms that the user created the VPC. What is the most likely cause?
143A company is using AWS Organizations with SCPs to restrict access to services. The security team wants to ensure that no IAM user can create access keys, but the SCP is not working as expected. What is the most likely cause?
144A SysOps administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile has an IAM role with a policy that allows s3:GetObject on the bucket. The S3 bucket policy has a Deny for all principals except a specific service role. What is the most likely reason for the access failure?
145A company requires that all data stored in Amazon S3 be encrypted at rest. Which S3 feature should be enabled to meet this requirement without changing the application code?
146A SysOps administrator notices that an EC2 instance running a web server is receiving unexpected traffic from an IP address that is known to be malicious. The administrator wants to block this IP address at the instance level. Which solution should be used?
147A company is using AWS CloudTrail to log all API calls. The security team wants to ensure that logs are tamper-proof and stored securely. Which TWO actions should be taken? (Choose two.)
148A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which TWO steps should be taken? (Choose two.)
149A company needs to audit all changes to AWS resources. Which THREE AWS services should be used together to achieve this? (Choose three.)
150A company is using AWS KMS to encrypt data. The security team wants to ensure that a specific IAM role can use a KMS key, but only when the request comes from a specific VPC. Which THREE conditions should be included in the KMS key policy? (Choose three.)
151A SysOps administrator applies the IAM policy shown in the exhibit to an IAM user. The user tries to upload an object to the S3 bucket without specifying encryption. What will happen?
152A SysOps administrator deploys the CloudFormation template shown in the exhibit. The stack creation fails with a security group error. What is the most likely cause?
153A SysOps administrator is investigating an unauthorized stop of an EC2 instance. The CloudTrail log entry shows the event. What is the first step to determine if the action was authorized?
154A company has a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer. The security team requires that all traffic to the instances be encrypted in transit. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The security team wants to ensure that the traffic between the ALB and the instances is also encrypted. What should the SysOps administrator do to meet this requirement with minimal changes?
155A company has an S3 bucket that stores sensitive customer data. The security team requires that all access to the bucket be logged for auditing. The SysOps administrator enabled S3 server access logging and configured the logs to be delivered to a different S3 bucket in the same account. However, after a week, the log bucket is empty. What is the most likely cause?
156A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must use MFA. They create an SCP that denies all actions if the IAM user does not have MFA. However, the SCP does not apply to the root user. The SysOps administrator finds that some IAM users in member accounts are still able to access the console without MFA. What is the most likely reason?
157A company uses AWS KMS to encrypt data stored in S3. The security team wants to rotate the KMS key automatically every year. The SysOps administrator enabled automatic key rotation for the KMS key. However, after a year, the security team finds that the key has not been rotated. What is the most likely cause?
158A company stores sensitive data in an S3 bucket. The security team requires that all objects uploaded to the bucket be encrypted at rest using an AWS KMS customer-managed key. Which S3 bucket policy statement should be added to enforce this requirement?
159A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all new S3 buckets created in any account have encryption enabled. Which approach should be used to enforce this policy?
160A company uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. Which configuration step is required?
161A company wants to allow its DevOps team to launch EC2 instances using a specific AMI ID and only in a particular VPC. Which IAM policy should be used?
162A company is using AWS CodePipeline to deploy a web application. The security team requires that all code changes be reviewed and approved before deployment to production. Which action should be taken to enforce this requirement?
163A company is using Amazon RDS for MySQL and needs to encrypt data at rest. Which action should be taken to enable encryption?
164A company wants to provide temporary access to an S3 bucket for a third-party vendor. The vendor needs to upload files for one hour. Which approach should be used?
165A company has a VPC with public and private subnets. The private subnets contain RDS databases that should not be accessible from the internet. Which configuration ensures that the databases are only accessible from the application servers in the public subnets?
166A company wants to monitor for unauthorized API calls in their AWS account. Which AWS service should they use?
167Which TWO actions can be used to protect data in transit between an EC2 instance and an S3 bucket? (Choose two.)
168Which THREE steps are required to enable AWS CloudTrail log file integrity validation? (Choose three.)
169Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls? (Choose two.)
170An S3 bucket policy is shown in the exhibit. The AdminRole attempts to upload an object to my-bucket without specifying any server-side encryption header. What will happen?
171A SysOps administrator runs the AWS CLI command shown in the exhibit. What is the purpose of this command?
172A CloudFormation template creates an S3 bucket with encryption and a bucket policy as shown in the exhibit. An administrator tries to upload an object using the AWS CLI without specifying any encryption. What will happen?
173A company is using AWS KMS to encrypt data at rest in S3. The security team wants to ensure that encryption keys are automatically rotated annually. Which type of KMS key should be used?
174A SysOps administrator needs to grant cross-account access to an S3 bucket in Account A for an IAM user in Account B. The bucket policy in Account A allows the IAM user's account root principal. What additional configuration is required?
175A company has an S3 bucket configured to log all access requests to another bucket. The security team notices that some delete requests are not being logged. What is the most likely cause?
176A SysOps administrator is troubleshooting an IAM policy that is not granting the expected permissions. The policy has a Deny effect on a specific action, but the user is still able to perform that action. What is the most likely reason?
177A company wants to ensure that all S3 buckets are encrypted by default. Which AWS service can be used to automatically enforce encryption on newly created S3 buckets?
178A company has an EC2 instance that needs to access an S3 bucket. The instance is launched in a private subnet with no internet gateway. What is the most secure way to provide access to S3 without traversing the internet?
179A SysOps administrator notices that an IAM user can access the AWS Management Console but cannot use the AWS CLI. The user has a password and an access key. What is the most likely cause?
180A company wants to centrally manage access to AWS accounts for its employees. Which AWS service should be used to create and manage users and groups across multiple accounts?
181A company has an S3 bucket with versioning enabled. They want to ensure that objects are not permanently deleted by users. What configuration should be applied?
182Which TWO actions can be taken to secure an S3 bucket that contains sensitive data? (Choose two.)
183A company uses AWS KMS to encrypt EBS volumes. Which TWO statements about using KMS with EBS are correct? (Choose two.)
184Which THREE security best practices should be followed when managing IAM users? (Choose three.)
185Refer to the exhibit. An IAM user has this policy attached. What is the effect when the user attempts to get an object from my-bucket from an IP address in the range 198.51.100.0/24?
186Refer to the exhibit. A SysOps administrator reviews the account password policy. Which of the following is true based on this output?
187Refer to the exhibit. A SysOps administrator creates this stack. Which of the following is true about the bucket?
188A company's security team notices that an IAM user has access keys that have not been rotated in over a year. Which action should the SysOps administrator take to enforce key rotation automatically?
189An organization wants to centrally manage access to multiple AWS accounts in an AWS Organizations setup. Which AWS service should the SysOps administrator use to define and enforce fine-grained permissions across accounts?
190A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. Which combination of services should the SysOps administrator use to meet this requirement?
191Which TWO actions can a SysOps administrator take to secure an Amazon S3 bucket that contains sensitive data? (Choose TWO.)
192Which THREE AWS services can be used to centrally manage and audit user permissions across multiple AWS accounts in AWS Organizations? (Choose THREE.)
193A company needs to comply with PCI DSS requirements for its AWS environment. Which TWO services should the SysOps administrator use to automate compliance checks and generate reports? (Choose TWO.)
194A company has an AWS account with multiple VPCs connected via a transit gateway. The SysOps administrator needs to ensure that all traffic between VPCs is encrypted in transit. Which solution should the administrator implement?
195A SysOps administrator needs to provide temporary, limited-privilege credentials to an application running on an EC2 instance. The application needs to access an S3 bucket. What is the most secure way to grant these credentials?
196A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using keys managed by the company. Which encryption option should the SysOps administrator choose?
197A SysOps administrator is designing a VPC for a web application that must be secure. Which THREE security measures should the administrator implement? (Choose THREE.)
198Which TWO AWS services can be used to encrypt data at rest in Amazon RDS? (Choose TWO.)
199An organization has a requirement to prevent any IAM user from deleting an S3 bucket that contains critical data. The SysOps administrator needs to implement a preventive control that works even if the user has full administrative privileges. Which solution should the administrator implement?
200A company uses S3 to store sensitive data. To meet compliance requirements, all S3 buckets must be encrypted at rest. The security team notices that some objects in a bucket are not encrypted. What is the MOST efficient way to enforce encryption for all future objects?
201A SysOps administrator must grant an IAM user the ability to start and stop specific EC2 instances, but NOT terminate them. The administrator creates a policy with the following statement. However, the user can still terminate instances. What is the MOST likely reason?
202A company requires that all access to the AWS Management Console be protected by multi-factor authentication (MFA). The SysOps administrator has enabled an IAM policy that denies all actions if the user does not authenticate with MFA. However, some users report they cannot list their own MFA devices. What is the MOST likely cause?
203A company uses AWS CloudTrail to log all API calls. The security team requires that all logs be encrypted at rest and stored in an S3 bucket that blocks public access. The SysOps administrator configures the bucket with default encryption (SSE-S3) and a bucket policy that denies all actions unless the request includes the x-amz-server-side-encryption header with value AES256. However, CloudTrail delivery fails. What is the MOST likely cause?
204A SysOps administrator needs to allow an IAM user to launch EC2 instances only in the us-east-1 region. The administrator creates a policy with a condition that uses the aws:RequestedRegion condition key. However, the user can still launch instances in other regions. What is the MOST likely reason?
205A company uses AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which of the following is the MOST effective way to achieve this?
206A company has a VPC with a public and private subnet. The security team wants to restrict outbound traffic from EC2 instances in the private subnet to only allow traffic to an S3 bucket in the same account. Which of the following is the MOST secure way to achieve this?
207A SysOps administrator is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a permissions policy that allows sts:AssumeRole. However, the user still gets an access denied error. What is the MOST likely cause?
208A company uses AWS Config to track resource changes. The security team wants to receive notifications whenever an IAM policy is changed. Which AWS service should be used with AWS Config to send notifications?
209A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be encrypted in transit. Which TWO actions should be taken to enforce this requirement? (Choose two.)
210A company wants to audit all AWS account activity for compliance. Which THREE AWS services should be used together to achieve this? (Choose three.)
211A SysOps administrator needs to restrict access to an S3 bucket so that only users from the corporate network IP range (203.0.113.0/24) can read objects. Which TWO elements are required to implement this? (Choose two.)
212Refer to the exhibit. An IAM user has this policy attached. The user tries to start an EC2 instance that has no tags. What will happen?
213Refer to the exhibit. The security team wants to ensure that all objects uploaded to the S3 bucket 'my-secure-bucket' are encrypted at rest. Based on the CloudTrail log entry, what can be concluded about the object 'confidential.pdf'?
214Refer to the exhibit. An IAM role has the trust policy shown. Which entity can assume this role?
215A company wants to enforce that all IAM users in an AWS account must use multi-factor authentication (MFA) to access the AWS Management Console. Which IAM policy effect should be used to deny access if MFA is not present?
216A SysOps administrator is investigating why an EC2 instance cannot access an S3 bucket using an IAM role. The instance has an associated IAM role with a policy that allows s3:GetObject on the bucket. The bucket policy also allows access from the role. However, the instance's application still gets access denied. What is the most likely cause?
217A company uses AWS CloudTrail to log API calls. The SysOps team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and triggers an automated response. Which combination of services should be used? (Choose two.)
218A company has an S3 bucket that contains sensitive customer data. The security team requires that all data in transit to and from the bucket must be encrypted. Which bucket policy condition should be used?
219A SysOps administrator needs to grant an IAM user the ability to rotate their own access keys. What is the minimum set of permissions required?
220An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any member account can create access keys that are more than 90 days old. What is the most efficient way to enforce this?
221A company wants to use AWS KMS to encrypt data at rest for an S3 bucket. The security policy requires that the CMK be rotated every year. Which of the following are true about automatic key rotation for AWS KMS customer master keys (CMKs)? (Choose TWO.)
222A SysOps administrator is troubleshooting an issue where an EC2 instance cannot pull secrets from AWS Secrets Manager. The instance has an IAM role with a policy that allows secretsmanager:GetSecretValue. The secret is in the same account and region. What are possible reasons for the failure? (Choose THREE.)
223A company uses AWS Shield Advanced to protect against DDoS attacks. Which of the following are benefits of AWS Shield Advanced? (Choose TWO.)
224A SysOps administrator is configuring CloudTrail to log all management events and data events for S3 buckets. Which of the following are true about CloudTrail logging? (Choose THREE.)
225A company wants to use AWS WAF to protect a web application behind an Application Load Balancer. Which of the following can AWS WAF inspect? (Choose THREE.)
226Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission regarding the s3:DeleteObject action on the example-bucket?
227Refer to the exhibit. A SysOps administrator runs the commands shown. Which key(s) have automatic key rotation enabled?
228Refer to the exhibit. An IAM policy allows running instances. A user attempts to launch a t2.micro instance with a 20 GiB gp2 volume and an additional 100 GiB io1 volume. What will happen?
229A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used to track these changes?
230A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts have encryption enabled. What is the most efficient way to enforce this policy?
231A SysOps administrator needs to grant a developer access to view only the logs of a specific Amazon RDS instance. Which IAM action should be allowed?
232A company has an S3 bucket configured with default encryption using SSE-S3. Users report that objects uploaded without specifying encryption are still encrypted, but some objects are accessible to unauthorized users. What is the most likely cause?
233A SysOps administrator notices that an Amazon CloudWatch Logs log group is growing rapidly and suspects that an EC2 instance is sending sensitive data to the logs. What is the most effective way to detect and redact sensitive data in real-time?
234A company wants to allow an external auditor to assume an IAM role in their AWS account to review resources. What is the minimum information the auditor needs from the company to do this?
235A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that only specific IAM roles can decrypt the volumes. Which configuration meets this requirement?
236A SysOps administrator needs to audit all IAM user activity in the AWS account for the last 90 days. Which AWS service should be used?
237A company wants to provide temporary security credentials to a mobile application so it can access an S3 bucket. Which AWS service should be used to issue these credentials?
238A SysOps administrator is asked to ensure that all objects in an S3 bucket are encrypted at rest using a customer-managed KMS key. The bucket currently has default encryption set to SSE-S3. What must be done to meet the requirement?
239A company's security team requires that all API calls to AWS services are encrypted in transit using TLS 1.2 or higher. Which TWO actions should be taken to enforce this?
240A company needs to restrict access to an S3 bucket so that only users from a specific VPC can read objects. Which THREE configurations are required?
241A SysOps administrator needs to ensure that an Amazon RDS for MySQL database is compliant with PCI DSS requirements. Which THREE configurations should be implemented?
242Refer to the exhibit. A SysOps administrator applies this S3 bucket policy to a bucket named 'my-bucket'. The root user of account 123456789012 attempts to upload an object to the bucket without specifying encryption. What will happen?
243A SysOps administrator is managing a multi-account AWS environment using AWS Organizations. The security team has mandated that all Amazon S3 buckets across all accounts must be encrypted with SSE-KMS using a centrally managed KMS key. The administrator has created a KMS key in the master account and enabled key rotation. The key policy allows the root user of each member account to use the key. However, users in member accounts report that they cannot upload objects to their S3 buckets with SSE-KMS using the central key, even though they have s3:PutObject permissions. The administrator verifies that the KMS key policy includes the necessary permissions for the member accounts. What should the administrator do to resolve the issue?
244A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive user data in an S3 bucket. The security team requires that traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The SysOps administrator needs to implement the required security controls. Which solution should the administrator implement?
245A company wants to securely store secrets such as database credentials and API keys used by applications running on Amazon EC2. Which AWS service should be used to manage and rotate these secrets automatically?
246A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest using server-side encryption. Which combination of actions should be taken to enforce this policy?
247A company is using AWS Organizations with multiple accounts. The security team wants to prevent any IAM user from creating access keys for themselves across all accounts. What is the most effective way to enforce this policy?
248An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The company security policy requires that credentials are not stored on the instance. What is the most secure way to grant access?
249A SysOps administrator needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used to record these changes?
250A company has an AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally manage VPC security group rules and ensure compliance. Which approach is most effective?
251A company is using AWS KMS to encrypt data at rest. Which TWO actions can be taken to audit the usage of a customer managed key?
252A SysOps administrator needs to ensure that an Amazon S3 bucket is not publicly accessible. Which THREE actions should be taken to prevent public access?
253A company is using AWS Organizations and wants to delegate administration of a specific member account to a user in the management account. Which TWO steps are required?
254An organization needs to encrypt data in transit between an Amazon EC2 instance and an Application Load Balancer (ALB). Which THREE actions should be taken?
255Refer to the exhibit. A SysOps administrator applies this bucket policy to an S3 bucket. What is the effect of this policy?
256A company has a production AWS account with multiple IAM users. The security team wants to implement a policy that prevents users from launching EC2 instances without an IAM role that grants access to an S3 bucket containing sensitive data. The policy should also allow users to launch instances with other roles. A SysOps administrator creates an IAM policy that denies ec2:RunInstances if the instance does not have a specific IAM instance profile. However, users are still able to launch instances without any role. What is the most likely reason, and what should be done to fix it?
257A SysOps administrator is managing an AWS account that contains multiple S3 buckets. The security team requires that all objects uploaded to any S3 bucket must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The administrator wants to enforce this using a bucket policy that denies uploads without the x-amz-server-side-encryption header set to AES256. After implementing the policy on a test bucket, the administrator finds that some PutObject API calls from an application are failing even though the application is sending the correct header. The application uses the AWS SDK and the bucket is in the same region. What is the most likely cause?
258A company has an AWS account with several IAM users. The SysOps administrator needs to ensure that all users are required to use multi-factor authentication (MFA) to access the AWS Management Console. The administrator has enabled MFA for each user and created an IAM policy that denies all actions unless MFA is present. However, some users report that they can still access the console without MFA. What is the most likely reason?
259A company has a requirement to store audit logs for a minimum of 7 years to comply with regulatory standards. The logs are currently stored in Amazon S3. The SysOps administrator needs to ensure that logs are not deleted before the retention period expires. Which solution should be implemented?
260A company hosts a critical web application on EC2 instances behind an Application Load Balancer. The security team enabled AWS WAF on the ALB to block SQL injection and XSS attacks. They also use AWS Shield Advanced for DDoS protection. Recently, the application experienced intermittent performance degradation during normal traffic patterns. The security team reviewed the WAF logs and found that legitimate user requests with query strings containing the word "select" (e.g., ?category=select+option) were being blocked. The team wants to ensure that only actual SQL injection attempts are blocked, not legitimate requests with similar patterns. What course of action should the SysOps administrator take to resolve this issue while maintaining security?
The Security and Compliance domain covers the key concepts tested in this area of the SOA-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SOA-C02 domains — no account required.
The Courseiva SOA-C02 question bank contains 260 questions in the Security and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included