Free · No account needed · No credit card

AWS Certified Security Specialty SCS-C02 Practice Test

1,738 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 170 min
Pass mark: 750%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Management and Security Governance · medium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

A. Apply a bucket policy on each bucket denying PutObject without encryption
B. Create an SCP at the root OU that denies s3:PutBucketAction without encryption (Correct)
C. Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
D. Attach an IAM policy to each account's admin user requiring encryption

Option B is correct because Service Control Policies (SCPs) at the root OU can deny the s3:PutBucketAction (which includes s3:PutBucketEncryption) unless the request includes encryption settings that use AWS KMS. This enforces encryption at the organizational level, overriding an…

Q2 · Management and Security Governance · easy

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A. Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed
B. Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed
C. Use S3 bucket ACLs to grant READ access to the Account B user
D. Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action (Correct)

Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-…
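The two policy documents the Q2 explanation describes, as an added example that is not part of the practice-test page: the account IDs, bucket name and user name are constructed placeholders, and the evaluator is a simplified model of the cross-account rule (both sides must allow) that ignores explicit Deny, Condition blocks and SCPs.

```python
# Constructed placeholder values (not real accounts or buckets).
ACCOUNT_A = "111111111111"   # resource account: owns the bucket
ACCOUNT_B = "222222222222"   # identity account: owns the IAM user
BUCKET = "example-shared-bucket"
USER_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/analyst"

def bucket_policy(bucket, principal_arn):
    """Resource-based policy on the bucket in Account A: grants the named
    cross-account principal s3:GetObject on the bucket's objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountRead", "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def identity_policy(bucket):
    """Identity-based policy on the user in Account B: allows the same
    action on the same objects from the caller's side."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReadSharedBucket", "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def _resource_matches(pattern, arn):
    """Minimal ARN matching: exact match or a trailing '*' wildcard."""
    return arn.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == arn

def _allows(policy, action, resource, principal_arn=None):
    """True if an Allow statement covers action+resource (and, for a resource
    policy, names the principal). Explicit Deny and Condition are out of scope."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if principal_arn and st.get("Principal", {}).get("AWS") != principal_arn:
            continue
        if action in st["Action"] and _resource_matches(st["Resource"], resource):
            return True
    return False

def cross_account_allowed(resource_pol, identity_pol, principal_arn, action, resource):
    """Simplified model of the rule in the explanation: a cross-account request
    succeeds only if BOTH the bucket policy (naming the principal) and the
    caller's identity policy allow it; either side alone is not enough."""
    return (_allows(resource_pol, action, resource, principal_arn)
            and _allows(identity_pol, action, resource))
```

Dropping either document (options A and B in the question) makes the model deny the request, which is the point the explanation makes.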

Q3 · Management and Security Governance · hard

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A. Create a custom AWS Config rule using a Lambda function that evaluates IAM groups (Correct)
B. Use IAM Access Analyzer to identify policies that grant broad access
C. Use AWS CloudTrail Insights to detect CreateUser events
D. Enable AWS Config advanced query and run a query on IAM groups

AWS Config managed rules do not support the AWS::IAM::Group resource type, so you cannot use a managed rule to evaluate inline policies on IAM groups. The best approach is to create a custom AWS Config rule backed by a Lambda function that can evaluate the IAM group's inline poli…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
