CLF-C02 · topic practice

Security And Compliance practice questions

Use this page to practise CLF-C02 Security And Compliance questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

20 questions · Domain: Security And Compliance

What the exam tests

What to know about Security And Compliance

Security And Compliance questions test whether you can apply the concept in context, not just recognise a definition. Working through this set should show you:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Practice set

Security And Compliance questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a policy that restricts SSH access (port 22) from the internet (0.0.0.0/0) in all VPCs across all accounts. The team wants to centrally define the allowed rules and automatically apply them to newly created VPCs and security groups, while also automatically remediating any existing non-compliant security groups. Which AWS service should the team use?

Question 2 · medium · multiple choice

A company handles credit card transactions and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to review AWS's PCI DSS compliance reports and also review and accept the AWS Business Associate Addendum (BAA) for HIPAA eligibility. The company wants a single, managed AWS service that provides on-demand access to these compliance documents and agreements. Which AWS service should the compliance officer use?

Question 3 · medium · multiple choice

A company has a compliance policy requiring that all data at rest in Amazon S3 be encrypted with a key that is automatically rotated every year. The company wants to manage the encryption keys themselves, maintain control over access policies, and have AWS handle the key rotation automatically. Which AWS service should the company use?

Question 4 · medium · multiple choice

A company has 200 IAM users. The security team needs to automatically verify that every IAM user has enabled multi-factor authentication (MFA) for console access. They also need to receive a notification whenever a new user is created without MFA so they can enforce the policy. Which AWS service should the security team use to meet these requirements?

Question 5 · medium · multiple choice

A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?

Question 6 · medium · multiple choice

A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?

Question 7 · easy · multiple choice

A company has a strict data residency policy that requires all customer data to remain stored on-premises at all times. However, the company experiences unpredictable spikes in compute demand and wants to use an AWS cloud environment to handle this additional workload during peak periods. The company needs a solution that allows them to seamlessly run applications across their on-premises infrastructure and AWS, using consistent management tools and APIs. The company also needs a dedicated, private network connection between the two environments for low latency and security. Which cloud deployment model best describes this architecture?

Question 8 · medium · multiple choice

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

Question 9 · medium · multiple choice

A company has internal security policies that require all Amazon S3 buckets to be private (not publicly accessible) and all Amazon EC2 security groups to restrict inbound SSH traffic to a specific IP range. The security team needs to continuously monitor all AWS resources across their account to detect any resource that violates these policies. They also need a historical record of configuration changes and a compliance dashboard that shows overall pass/fail status. Which AWS service should the security team use to meet these requirements?

Question 10 · medium · multiple choice

A company has enabled Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scans, and AWS Config for compliance checks. The security team wants a single, centralized dashboard that aggregates all security findings from these services, provides a consolidated security score, and allows them to automate remediation workflows. Which AWS service should the team use?

Question 11 · medium · multiple choice

A company has multiple IAM users. The security policy requires that every user must have an MFA device assigned and must use it for console sign-in. The security team wants to automatically detect any IAM user that does not have MFA enabled and receive an email alert. Which combination of AWS services should the team use to meet these requirements?
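
The MFA check behind Questions 4, 6 and 11, as an added example that is not part of the original page and not AWS code: the evaluation that the AWS Config managed rule `iam-user-mfa-enabled` performs, re-implemented over an IAM credential report so it can run offline, followed by the remediation plan (which active access keys to deactivate) and the alert text a notification would carry. The credential report is constructed for this example; its column names match the CSV that `aws iam get-credential-report` returns, but the users, account ID and timestamps are invented.

```python
"""Find IAM users with console access but no MFA, then plan remediation.

Added example, not AWS code: the evaluation that the AWS Config managed rule
`iam-user-mfa-enabled` performs, re-implemented over an IAM credential
report so it runs offline. The report below is constructed for this example;
its column names match the CSV that `aws iam get-credential-report` returns,
but the users, account ID and timestamps are invented.
"""
import csv
import io

# Constructed credential report, trimmed to the columns this check reads.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2021-01-04T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T10:00:00+00:00,true,2024-05-02T07:30:00+00:00,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2023-07-21T14:00:00+00:00,true,2024-04-28T16:05:00+00:00,false,true,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-09-01T00:00:00+00:00,false,no_information,false,true,false
new-hire,arn:aws:iam::123456789012:user/new-hire,2024-05-03T09:15:00+00:00,true,no_information,false,false,false
"""


def parse_credential_report(report_csv: str) -> list[dict]:
    """Parse the CSV body of a credential report into one dict per user."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def evaluate_mfa(rows: list[dict]) -> dict[str, str]:
    """Map each user to COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE.

    Only identities that can sign in to the console are in scope: IAM users
    with password_enabled == true, plus the root user (reported as
    not_supported, but it always has a console password). A CLI-only user
    such as ci-deploy has no console sign-in to protect, so it is
    NOT_APPLICABLE rather than a false NON_COMPLIANT.
    """
    result = {}
    for row in rows:
        console = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if not console:
            result[row["user"]] = "NOT_APPLICABLE"
        elif row["mfa_active"] == "true":
            result[row["user"]] = "COMPLIANT"
        else:
            result[row["user"]] = "NON_COMPLIANT"
    return result


def plan_remediation(rows: list[dict]) -> dict[str, list[str]]:
    """For every NON_COMPLIANT user, list the active access keys to deactivate.

    This is the input a remediation step would consume (for example an AWS
    Config remediation running a Systems Manager Automation document that
    sets each key to Inactive). Nothing is changed here; a user with no
    active keys still appears, with an empty list, so the alert covers them.
    """
    evaluations = evaluate_mfa(rows)
    plan = {}
    for row in rows:
        if evaluations[row["user"]] != "NON_COMPLIANT":
            continue
        plan[row["user"]] = [slot for slot in ("access_key_1", "access_key_2")
                             if row[f"{slot}_active"] == "true"]
    return plan


def build_alert(rows: list[dict]) -> str:
    """Text for the notification (for example an SNS message) to the security team."""
    plan = plan_remediation(rows)
    if not plan:
        return "All console users have MFA enabled."
    lines = ["IAM users with console access and no MFA:"]
    for user, keys in sorted(plan.items()):
        action = f"deactivate {', '.join(keys)}" if keys else "no active access keys"
        lines.append(f"  - {user}: {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_alert(parse_credential_report(SAMPLE_CREDENTIAL_REPORT)))
```

The NOT_APPLICABLE branch is the detail worth noticing: a rule that marks every user without MFA as non-compliant will also fire on service users that only hold access keys, and the remediation in Question 6 (disabling keys) would then break automation that was never supposed to have a console password in the first place.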

Question 12 · medium · multiple choice

A company must store sensitive financial records in Amazon S3. The compliance policy mandates that the encryption key for data at rest must be generated and stored on the company's own on-premises hardware security module (HSM). The company must never allow AWS to have access to the plaintext encryption key. Which Amazon S3 encryption option should the company use?

Question 13 · medium · multiple choice

A company hosts a web application on an Amazon EC2 instance. The company installs its own application software and configures the operating system. The company also uses AWS Key Management Service (AWS KMS) to create a customer-managed key to encrypt data on the Amazon Elastic Block Store (Amazon EBS) volume attached to the instance. According to the AWS shared responsibility model, which of the following is the responsibility of AWS?

Question 14 · medium · multiple choice

A company operates hundreds of AWS accounts under AWS Organizations. The security team wants a single dashboard that aggregates security findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie across all accounts. Additionally, they want to continuously assess the accounts against the CIS AWS Foundations Benchmark and receive a consolidated compliance score. Which AWS service should the security team use?

Question 15 · medium · multiple choice

A company operates multiple AWS accounts under AWS Organizations. The security team needs to record all management events (for example, creating Amazon EC2 instances, modifying security groups, and deleting Amazon S3 buckets) across all accounts. The logs must be delivered to a single Amazon S3 bucket that is encrypted with an AWS KMS key and protected from modification. Which AWS feature should the team enable to achieve this centralized logging requirement?

Question 16 · medium · multiple choice

A company manages 20 AWS accounts under AWS Organizations. The security team wants to ensure that no security group in any account allows unrestricted inbound RDP access (0.0.0.0/0). They need to automatically detect any security group that violates this rule and receive a notification. They also want to track the configuration history of security group changes for forensic analysis. Which AWS service should they use to achieve these requirements?
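
The security-group check that Questions 1, 8, 9 and 16 revolve around, as an added example that is not part of the original page and not AWS code: a pure-Python version of what the AWS Config managed rules `restricted-ssh` and `restricted-common-ports` evaluate, run over constructed security groups shaped like the `SecurityGroups` list the EC2 DescribeSecurityGroups API returns. Group IDs and names are invented. It goes a little beyond the questions by also covering RDP (3389), a port range that includes 22 without naming it, the all-traffic protocol `-1`, and the IPv6 `::/0` source.

```python
"""Evaluate EC2 security groups for unrestricted SSH/RDP ingress.

Added example, not AWS code: a pure-Python re-implementation of the check
that the AWS Config managed rules `restricted-ssh` and
`restricted-common-ports` perform. The sample groups below are constructed
in the shape of the EC2 DescribeSecurityGroups response; their IDs and
names are invented.
"""
from ipaddress import ip_network

# Ports the policy forbids from the open internet: SSH and RDP.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed sample security groups (not captured from a real account).
SAMPLE_SECURITY_GROUPS = [
    {   # violates: SSH open to the whole IPv4 internet
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-ssh-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # violates: a port range that covers 22 without naming it
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-range",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # violates: all traffic (-1) from any IPv6 address
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "ipv6-all",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # compliant: SSH only from the corporate range, RDP from one bastion /32
        "GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "prod-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": []},
        ],
    },
]


def is_unrestricted(cidr: str) -> bool:
    """True for the IPv4/IPv6 'anywhere' prefixes (0.0.0.0/0 and ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_port(perm: dict, port: int) -> bool:
    """Does one IpPermission entry cover `port`?

    Protocol -1 means all traffic and carries no port fields at all;
    otherwise the rule covers the port if it lies inside [FromPort, ToPort].
    UDP and ICMP rules cannot expose SSH or RDP and are ignored.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def evaluate_security_groups(groups: list[dict]) -> list[dict]:
    """Return one finding per (group, port, source) that is open to the world.

    Mirrors the NON_COMPLIANT evaluations an AWS Config rule would emit; a
    remediation action or notification would consume this list.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_unrestricted(cidr):
                    continue
                for port, name in SENSITIVE_PORTS.items():
                    if rule_exposes_port(perm, port):
                        findings.append({
                            "GroupId": group["GroupId"],
                            "GroupName": group["GroupName"],
                            "Port": port, "Service": name, "Source": cidr,
                            "ComplianceType": "NON_COMPLIANT",
                        })
    return findings


if __name__ == "__main__":
    for f in evaluate_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Service']}/{f['Port']} "
              f"open from {f['Source']}")
```

The second and third sample groups are the ones a naive check (literal match on `FromPort == 22` and `CidrIp == "0.0.0.0/0"`) misses: a `0-1024` range and an all-traffic IPv6 rule both expose SSH just as fully as the first group does.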

Question 17 · medium · multiple choice

A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?
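
The bucket-policy analysis in Question 17, as an added example that is not part of the original page, not AWS code, and not how IAM Access Analyzer is implemented internally: a simplified version of the check it performs when the analyzer's zone of trust is the organization. It resolves each Allow statement's principals to account IDs, treats `Principal: "*"` as public unless an `aws:PrincipalOrgID` condition scopes it to the organization, and reports any account outside the organization's member list. The bucket names, policies, account IDs and organization ID are all constructed for this example.

```python
"""Flag S3 bucket policies that grant access outside the organization.

Added example, not AWS code and not how IAM Access Analyzer works internally:
a simplified version of the check it performs when the zone of trust is the
organization. Bucket names, policies, account IDs and the organization ID
are constructed for this example.
"""
import re

ORG_ID = "o-exampleorgid"                           # constructed
ORG_ACCOUNTS = {"111111111111", "222222222222"}     # constructed member list
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed bucket policies, keyed by bucket name.
SAMPLE_BUCKET_POLICIES = {
    "internal-logs": {"Version": "2012-10-17", "Statement": [
        {"Sid": "MemberRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-logs/*"}]},
    "partner-share": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:user/partner"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::partner-share", "arn:aws:s3:::partner-share/*"]}]},
    "public-assets": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]},
    "org-shared": {"Version": "2012-10-17", "Statement": [
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::org-shared/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]},
    "mixed": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Readers", "Effect": "Allow",
         "Principal": {"AWS": ["111111111111", "arn:aws:iam::333333333333:role/etl"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mixed/*"},
        {"Sid": "NoDeletes", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::mixed/*"}]},
}


def principal_accounts(principal) -> set[str]:
    """Account IDs a Principal element names; '*' stands for anyone (public).

    Service principals ({"Service": ...}) are not accounts and are skipped.
    """
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    aws = [aws] if isinstance(aws, str) else aws
    accounts = set()
    for entry in aws:
        if entry == "*":
            accounts.add("*")
        elif entry.isdigit() and len(entry) == 12:      # bare account-ID form
            accounts.add(entry)
        elif (m := ACCOUNT_IN_ARN.match(entry)):
            accounts.add(m.group(1))
    return accounts


def scoped_to_org(statement: dict) -> bool:
    """True when an aws:PrincipalOrgID condition limits the grant to our org,
    which turns an otherwise-public Principal "*" into an internal-only grant."""
    for values in statement.get("Condition", {}).values():
        org = values.get("aws:PrincipalOrgID")
        if org == ORG_ID or org == [ORG_ID]:
            return True
    return False


def external_access_findings(bucket_policies: dict) -> list[dict]:
    """One finding per (bucket, statement, external principal) that is allowed."""
    findings = []
    for bucket, policy in bucket_policies.items():
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow" or scoped_to_org(stmt):
                continue          # Deny never grants; org-scoped grants are internal
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            for account in sorted(principal_accounts(stmt.get("Principal", {}))):
                if account != "*" and account in ORG_ACCOUNTS:
                    continue
                findings.append({"bucket": bucket, "sid": stmt.get("Sid"),
                                 "principal": "public" if account == "*" else account,
                                 "actions": actions})
    return findings


if __name__ == "__main__":
    for f in external_access_findings(SAMPLE_BUCKET_POLICIES):
        print(f"{f['bucket']} [{f['sid']}]: {f['principal']} may {', '.join(f['actions'])}")
```

The `org-shared` bucket is the case to study: its principal is `"*"`, which a string match would report as public, yet the `aws:PrincipalOrgID` condition makes it reachable only from accounts in the organization, so it produces no finding. The real service also evaluates IAM conditions such as `aws:SourceVpc` and `aws:PrincipalArn`, which this example does not attempt.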

Question 18 · medium · multiple choice

A company is preparing for a third-party security audit. The auditors require the company to provide up-to-date AWS compliance reports, such as the SOC 2 report and the ISO 27001 certificate, as part of the evidence. The company needs to access these documents from a centralized, self-service portal within their AWS account. They also need to accept the terms and conditions for the reports. Which AWS service should the company use to meet these requirements?

Question 19 · medium · multiple choice

A company manages over 100 AWS accounts using AWS Organizations. The security team wants a centralized service that continuously monitors for malicious or unauthorized behavior across all accounts. The service must analyze AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs to automatically detect threats such as anomalous API calls, crypto-mining activity, and compromised credentials. The security team wants to receive actionable alerts without having to write custom detection rules or manage underlying infrastructure. Which AWS service should the security team use?

Question 20 · medium · multiple choice

A company is preparing for a PCI DSS compliance audit. The security team needs to ensure that all AWS API calls are logged and that the logs are continuously analyzed for suspicious or unauthorized activity. The team wants a managed security service that uses machine learning to identify threats, generates findings for review, and can trigger automated remediation through AWS Lambda. Which AWS service should the team use?
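
The CloudTrail analysis that Questions 15, 19 and 20 describe, as an added example that is not part of the original page, not AWS code, and not GuardDuty's own detection logic: a small rule set run over CloudTrail management events so the scenarios can be tried offline. It flags a successful console sign-in without MFA, any use of root credentials, calls that tamper with CloudTrail itself, and a burst of AccessDenied errors from one identity (the pattern of leaked keys being probed). The records are constructed in the shape of CloudTrail log-file entries; the account ID, user names, IP addresses, times and the burst threshold are invented.

```python
"""Triage CloudTrail management events for the signals GuardDuty reports on.

Added example, not AWS code and not GuardDuty's detection logic: a small
rule set run over CloudTrail records so the log-analysis scenarios on this
page can be tried offline. The records are constructed in the shape of
CloudTrail log-file entries; the account ID, user names, IP addresses and
times are invented.
"""
import json
from collections import Counter

# Constructed CloudTrail log file; real files carry the same top-level "Records" list.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-06T08:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-06T08:03:42Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-06T08:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "org-trail"}},
] + [
    # Twelve AccessDenied errors from one set of credentials in twelve minutes:
    # the pattern of leaked keys being probed for what they can do.
    {"eventTime": f"2024-05-06T08:{10 + i}:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "errorCode": "AccessDenied"}
    for i in range(12)
]})

# Calls that weaken the audit trail itself; any of them deserves a HIGH finding.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 10   # constructed cutoff for the burst rule


def load_records(log_text: str) -> list[dict]:
    """Parse one CloudTrail log file (JSON with a 'Records' list)."""
    return json.loads(log_text)["Records"]


def identity_of(record: dict) -> str:
    """The ARN that performed the call, falling back to the identity type."""
    ui = record.get("userIdentity", {})
    return ui.get("arn") or ui.get("type", "unknown")


def triage(records: list[dict]) -> list[dict]:
    """Apply four rules and return findings, each with a rule name and severity."""
    findings, denied = [], Counter()
    for r in records:
        who = identity_of(r)
        base = {"identity": who, "eventName": r["eventName"], "eventTime": r["eventTime"],
                "sourceIPAddress": r.get("sourceIPAddress")}
        # 1. Successful console sign-in with no MFA (root or IAM user).
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({**base, "rule": "ConsoleLoginWithoutMFA", "severity": "HIGH"})
        # 2. Any use of root credentials; root should be locked away, not used day to day.
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append({**base, "rule": "RootCredentialUsage", "severity": "MEDIUM"})
        # 3. Tampering with CloudTrail itself.
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in LOGGING_TAMPER_EVENTS:
            findings.append({**base, "rule": "CloudTrailLoggingTampered", "severity": "HIGH"})
        # 4. Count AccessDenied per identity; a burst suggests probing with stolen keys.
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append({"identity": who, "rule": "AccessDeniedBurst",
                             "severity": "MEDIUM", "count": n})
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['rule']}: {f['identity']}")
```

The constructed sequence (root signs in without MFA from an unfamiliar address, then stops the organization trail) is exactly why Question 15's requirement that the log bucket be protected from modification matters: the `StopLogging` event is itself the last thing the trail records, and each finding here is the kind of object a Lambda remediation in Question 20 would receive.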

Watch out for

Common Security And Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the CLF-C02 exam test about Security And Compliance?
Security And Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security And Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Security And Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CLF-C02 topics?
Go back to the CLF-C02 question bank to see all topics, then pick the related domain you want to work on next.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CLF-C02 exam covers. They are not copied from any real exam or dump site.