
Scenario-based practice

Hard Difficulty Questions

Practise AWS Certified Security Specialty SCS-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: SCS-C02
Vendor: Amazon Web Services

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. Each scenario shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi select)

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Question 2 (hard, multiple choice)

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

Question 3 (hard, multiple choice)

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

Question 4 (hard, multiple choice)

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "*"
    }
  ]
}
```

Question 5 (hard, multiple choice)

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t2.micro", "t2.small"]
        }
      }
    }
  ]
}
```

Question 6 (hard, multiple choice)

A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

Question 7 (hard, multiple choice)

A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?

Question 8 (hard, multiple choice)

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

Question 9 (hard, multi select)

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

Question 10 (hard, multi select)

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

Question 11 (hard, multiple choice)

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

Question 12 (hard, multiple choice)

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

Exhibit

The policy attached to the S3 bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 13 (hard, multi select)

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose 2.)

Question 14 (hard, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

Question 15 (hard, multiple choice)

Refer to the exhibit. A security engineer finds the IAM policy shown in the exhibit attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 16 (hard, multi select)

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

Question 17 (hard, multiple choice)

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

Question 18 (hard, multi select)

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

Question 19 (hard, multi select)

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

Question 20 (hard, multiple choice)

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

These SCS-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SCS-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.