DOP-C02 · topic practice

Security and Compliance practice questions

Practise AWS Certified DevOps Engineer Professional DOP-C02 Security and Compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security and Compliance

What the exam tests

What to know about Security and Compliance

Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security and Compliance questions

20 questions · select your answer, then reveal the explanation

A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?

A company is running a critical application on an Amazon EC2 instance that needs to access an S3 bucket. The application must use temporary credentials that automatically rotate. The DevOps engineer must ensure that the credentials are never stored on disk. Which approach meets these requirements?

A DevOps engineer needs to ensure that all API calls made to AWS are recorded for auditing purposes. Which AWS service should be used?

A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?

A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?

A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)

A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)

A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all new member accounts automatically receive a specific AWS Config rule to require encryption on Amazon EBS volumes. Which solution meets this requirement with the least operational overhead?

A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)

A DevOps engineer applies the S3 bucket policy shown in the exhibit to enforce encryption and secure transport. After applying the policy, users report that they can still upload objects without encryption. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    },
    {
      "Sid": "AllowSSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.


Match each AWS security and identity service to its function.


  • Manages users, groups, roles, and permissions
  • Creates and manages encryption keys
  • Rotates and manages secrets like database credentials
  • DDoS protection service
  • Web application firewall

A company uses AWS KMS to encrypt data in S3. They want to audit who used which KMS key and when. Which AWS service should they use?

A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?

A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest and access should be limited to the security team. Which solution is MOST secure and scalable?

A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?

A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?


Frequently asked questions

What does the DOP-C02 exam test about Security and Compliance?
Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other DOP-C02 topics?
Use the topic links above to move to related areas, or go back to the DOP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the DOP-C02 exam covers. They are not copied from any real exam or dump site.