
Scenario-based practice

Select Two (Multi-Select) Questions

Practise AWS Certified Security Specialty SCS-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: SCS-C02
Vendor: Amazon Web Services

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. Getting partial credit is not a thing — you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply a concept in context, not just recognise a definition. Each scenario on this page is built to show:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi-select)

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Question 2 (medium, multi-select)

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

Question 3 (medium, multi-select)

Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)

Question 4 (medium, multi-select)

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

Question 5 (medium, multi-select)

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

Question 6 (hard, multi-select)

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

Question 7 (medium, multi-select)

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Question 8 (medium, multi-select)

A security engineer is designing a governance framework for a multi-account AWS environment. The engineer needs to ensure that all accounts comply with the principle of least privilege for IAM roles and that any non-compliant resources are automatically reported. Which two AWS services should the engineer use together to achieve this? (Choose TWO.)

Question 9 (hard, multi-select)

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

Question 10 (medium, multi-select)

Which TWO actions can be performed using AWS IAM? (Choose two.)

Question 11 (hard, multi-select)

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose TWO.)

Question 12 (hard, multi-select)

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

Question 13 (medium, multi-select)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

Question 14 (hard, multi-select)

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

Question 15 (easy, multi-select)

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

Question 16 (hard, multi-select)

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

Question 17 (easy, multi-select)

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

Question 18 (medium, multi-select)

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

Question 19 (hard, multi-select)

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

Question 20 (hard, multi-select)

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

These SCS-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SCS-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.