Back to AWS Certified Security Specialty SCS-C02 questions

Scenario-based practice

Drag and Drop Matching Questions

Practise AWS Certified Security Specialty SCS-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

10
scenario questions
SCS-C02
exam code
Amazon Web Services
vendor

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag and Drop Matching Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related SCS-C02 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummatching
Full question →

Match each AWS service to its primary security function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Web application firewall

DDoS protection

Key management and encryption

Identity and access management

Data discovery and classification

Question 2mediummatching
Full question →

Match each AWS Storage service encryption feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Server-side encryption with S3 managed keys

Server-side encryption with AWS KMS

Server-side encryption with customer-provided keys

Encryption at rest for EBS volumes

Encryption at rest for RDS instances

Question 3mediummatching
Full question →

Match each AWS VPC flow log type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Capture IP traffic for a VPC

Capture IP traffic for a subnet

Capture IP traffic for a network interface

Capture IP traffic for a transit gateway

Question 4mediummatching
Full question →

Match each AWS security-related acronym to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Center for Internet Security

Payment Card Industry Data Security Standard

Health Insurance Portability and Accountability Act

System and Organization Controls

International standard for information security management

Question 5mediummatching
Full question →

Match each AWS security control to its category.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stateful firewall at instance level

Stateless firewall at subnet level

Centralized management of firewall rules

Managed firewall for VPCs

Question 6mediummatching
Full question →

Match each AWS CloudHSM feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hardware security module

Cryptographic token interface standard

Java Cryptography Extension provider

Security standard for cryptographic modules

Question 7mediummatching
Full question →

Match each AWS CloudTrail log type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Control plane operations

Resource operations like S3 object access

Unusual activity detection

Invocation of Lambda function URLs

Question 8mediummatching
Full question →

Match each AWS IAM policy type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Attached to a user, group, or role

Attached to a resource like S3 bucket

Maximum permissions for an identity

Used in AWS Organizations to restrict permissions

Question 9mediummatching
Full question →

Match each AWS KMS key type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Managed by AWS for use with specific services

Managed by customer with full control

Used internally by AWS, not visible to customers

Key store backed by AWS CloudHSM

Question 10mediummatching
Full question →

Match each AWS security tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automated vulnerability assessment

Threat detection service

Centralized security findings aggregation

Investigation and analysis of security issues

Resource configuration monitoring and compliance

These SCS-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SCS-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.