CLF-C02 · topic practice

Security and Compliance practice questions

Security and Compliance is the domain of the AWS Certified Cloud Practitioner (CLF-C02) exam that focuses on how AWS helps you protect your data, systems, and applications in the cloud. Think of it as the set of tools, best practices, and shared responsibilities that ensure your cloud environment is secure and meets legal or industry standards. In plain English, this domain covers everything from who is responsible for what (you vs. AWS) to how you encrypt data, manage access, monitor for threats, and comply with regulations like GDPR or HIPAA.

Why is this important in real-world IT? Because security is the number one concern for organizations moving to the cloud. A single misconfiguration—like leaving an S3 bucket public—can expose millions of customer records. Compliance failures can lead to massive fines and loss of trust. Understanding AWS security services (like IAM, KMS, Shield, and Inspector) and the Shared Responsibility Model is essential for anyone working with AWS, whether you're a developer, sysadmin, or manager. You need to know how to design secure architectures and respond to incidents.

On the exam, this domain tests your knowledge of core security concepts and AWS services. You'll be asked about the Shared Responsibility Model: which parts AWS secures (the cloud infrastructure) and which parts you secure (your data, OS, network configurations). You'll need to know IAM for managing users, groups, roles, and policies; encryption options like SSE-S3, SSE-KMS, and client-side encryption; and compliance programs like SOC, PCI DSS, and FedRAMP. Expect questions on DDoS protection (AWS Shield), web application firewalls (WAF), and monitoring tools like CloudTrail, Config, and GuardDuty. The exam also covers security best practices like least privilege, multi-factor authentication (MFA), and the principle of defense in depth.

To study this domain effectively, start by mastering the Shared Responsibility Model—it's the foundation. Then, get hands-on with IAM: create users, groups, and policies, and understand how roles work. Use the AWS Free Tier to explore S3 bucket policies, enable CloudTrail, and set up a basic CloudWatch alarm. Read the AWS Security Best Practices whitepaper and review the compliance programs on the AWS website. Practice with sample questions that test your ability to identify which service or practice applies to a given scenario. Focus on understanding the purpose of each security service rather than memorizing details. Finally, remember that the exam emphasizes concepts over deep technical implementation—know what each service does and when to use it.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security and Compliance

What the exam tests

What to know about Security and Compliance

Security and Compliance covers the AWS Shared Responsibility Model, identity and access management (IAM), data encryption, monitoring and logging, and compliance programs—essentially how AWS helps you secure your cloud resources and meet regulatory requirements.

  • Shared Responsibility Model: distinguishing between AWS responsibilities (physical security, hardware) and customer responsibilities (data, OS, network config)
  • IAM: managing users, groups, roles, policies, and applying least privilege
  • Data encryption: SSE-S3, SSE-KMS, client-side encryption, and encryption in transit (TLS)
  • Monitoring and logging: CloudTrail for API activity, CloudWatch for metrics, and Config for resource compliance
  • DDoS protection: AWS Shield Standard (free) vs. Shield Advanced (paid) for Layer 3/4 attacks
  • Compliance programs: SOC 1/2/3, PCI DSS Level 1, HIPAA BAA, and FedRAMP for regulated workloads

Watch out for

Common Security and Compliance exam traps

  • Assuming AWS is responsible for everything (forgetting the customer side of the Shared Responsibility Model)
  • Confusing AWS Shield with AWS WAF (Shield is DDoS protection, WAF is a web application firewall for HTTP requests)
  • Thinking that enabling CloudTrail automatically logs all data events (it logs management events by default; data events must be enabled separately)
  • Believing that encryption at rest is always enabled by default (it's not; you must enable it on services like S3 and EBS)

Practice set

Security and Compliance questions

20 questions · select your answer, then reveal the explanation

A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?

A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?

A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?

A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?

A company stores sensitive customer data in multiple Amazon S3 buckets. The security team wants to proactively identify any buckets that have been configured to allow unintended access from external AWS accounts or from the public internet. The team needs a service that continuously analyzes the resource-based policies attached to these buckets and generates findings when such unintended access is detected. Which AWS service should the security team use to meet this requirement?

A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?

A company runs a public-facing e-commerce website on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has discovered that attackers are attempting SQL injection attacks through the website's search feature. The company wants to use a managed AWS service to inspect incoming HTTP requests and block these malicious payloads before they reach the application. Which AWS service should the company use?

A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?

A company's security policy requires that all IAM user access keys be rotated every 90 days. The security team wants to automatically identify any IAM user in the company's AWS account whose access keys are older than 90 days and trigger a notification to the security team. They need a managed AWS service that continuously evaluates the access key age against this requirement and generates findings. Which AWS service should the security team use?

A financial services company is preparing for an annual audit. The auditors have requested a copy of the AWS SOC 2 Type II report to verify the security controls of the AWS infrastructure that the company uses. The company's compliance officer needs to directly download this report from a trusted AWS source. Which AWS service should the compliance officer use to obtain the report?

A financial services company must comply with PCI DSS requirements that mandate the use of a dedicated hardware security module (HSM) to store encryption keys used to protect cardholder data. The company plans to use server-side encryption in Amazon S3 and needs to ensure that the encryption keys are stored in a dedicated HSM under the company's sole control. Which AWS service should the company use to meet this requirement?

A company runs a web application that connects to an Amazon RDS for MySQL database. The security policy requires that the database password be rotated every 30 days. The development team wants a fully managed solution that automatically rotates the password, handles the update in RDS, and provides the application with the latest credentials without any code changes. The application should also continue to work during the rotation process. Which AWS service should the company use to meet these requirements?

Question 15 · medium · multiple choice

A company hosts a multi-tier web application on AWS. The web tier runs on Amazon EC2 instances in a public subnet, and the database tier runs on Amazon EC2 instances in a private subnet. The security team needs to configure security groups to allow only the web tier instances to communicate with the database tier on port 3306 (MySQL). The web tier must be accessible from the internet on port 443. Which security group configuration meets these requirements?

A company hosts a web application behind an Application Load Balancer (ALB) in AWS. The application must comply with a security policy requiring TLS encryption for all traffic between users and the ALB. The company wants to automate the renewal of TLS certificates and avoid manual certificate management. Which AWS service should the company use to provision and automatically renew the certificates?

A company runs multiple workloads on AWS and must ensure that all Amazon S3 buckets have server-side encryption enabled. The compliance team wants to automatically detect any S3 bucket that is created without encryption and receive an alert. They also want to continuously monitor existing buckets for compliance. Which AWS service should they use?

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?

A company stores sensitive documents in Amazon S3. The security team wants a preventive control that ensures no S3 bucket in the AWS account can ever be configured with a bucket policy that grants public read or write access. This control must apply automatically to all newly created buckets and to existing buckets, without requiring changes to individual bucket policies. Which AWS feature should the security team use?

A company uses AWS Organizations to manage multiple AWS accounts. The security team must ensure that all API activity across all accounts, including any new accounts added in the future, is recorded and delivered to a centralized S3 bucket for auditing. The solution should require minimal ongoing manual effort. Which AWS feature should the security team use?



Frequently asked questions

What does the CLF-C02 exam test about Security and Compliance?
Security and Compliance covers the AWS Shared Responsibility Model, identity and access management (IAM), data encryption, monitoring and logging, and compliance programs—essentially how AWS helps you secure your cloud resources and meet regulatory requirements.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CLF-C02 topics?
Use the topic links above to move to related areas, or go back to the CLF-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CLF-C02 exam covers. They are not copied from any real exam or dump site.