
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise AWS Certified Security Specialty SCS-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SCS-C02 | Vendor: Amazon Web Services

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice scenarios

Question 1 (medium, multiple choice)

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 2 (easy, multiple choice)

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

Exhibit

Refer to the exhibit.

```
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/JohnDoe",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE"
      },
      "eventTime": "2024-08-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
```
Question 3 (hard, multiple choice)

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

Exhibit

Refer to the exhibit.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": ["t2.micro", "t2.small"]
                }
            }
        }
    ]
}
```

Question 4 (medium, multiple choice)

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

Exhibit

Refer to the exhibit.

```
$ aws iam list-attached-role-policies --role-name MyRole
{
  "AttachedPolicies": [
    {
      "PolicyName": "AmazonS3ReadOnlyAccess",
      "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    },
    {
      "PolicyName": "MyCustomPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyCustomPolicy"
    }
  ]
}
```

Question 5 (hard, multiple choice)

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

Exhibit

Refer to the exhibit. The bucket policy attached to the S3 bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 6 (hard, multiple choice)

Refer to the exhibit. A security engineer finds the IAM policy shown in the exhibit attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Question 7 (easy, multiple choice)

Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:department": "finance"
        }
      }
    }
  ]
}
```

Question 8 (medium, multiple choice)

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

Exhibit

Refer to the exhibit.

CloudTrail log entry (simplified):

```json
{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:role/AdminRole",
    "accountId": "123456789012"
  },
  "requestParameters": {
    "instanceType": "m5.xlarge",
    "imageId": "ami-0abcdef1234567890",
    "securityGroupSet": [{"groupId": "sg-0123456789abcdef0"}]
  },
  "responseElements": {
    "instancesSet": {
      "items": [{"instanceId": "i-0a1b2c3d4e5f6g7h8"}]
    }
  },
  "sourceIPAddress": "203.0.113.50",
  "userAgent": "console.amazonaws.com",
  "eventTime": "2025-03-15T14:30:00Z"
}
```

Question 9 (easy, multiple choice)

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

Exhibit

Refer to the exhibit.

VPC Flow Logs entry:

```
2 123456789010 eni-1234567890abcdef 10.0.1.5 203.0.113.50 3389 443 6 10 840 1625097600 1625097660 ACCEPT OK
```

Question 10 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?

Exhibit

Refer to the exhibit.

```
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "Root",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012"
      },
      "eventTime": "2023-09-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-12345678",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      },
      "responseElements": null
    }
  ]
}
```
Question 11 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

Exhibit

Refer to the exhibit.

```
{
  "configuration": {
    "name": "my-trail",
    "s3BucketName": "my-cloudtrail-logs",
    "includeGlobalServiceEvents": true,
    "isMultiRegionTrail": true,
    "enableLogFileValidation": true,
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:aws-cloudtrail-logs:*",
    "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
    "kmsKeyId": null
  }
}
```
Question 12 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a group. An IAM user in that group attempts to stop an EC2 instance from IP address 198.51.100.10. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 13 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the command shown in the exhibit. Which of the following is true about the role MyRole?

Exhibit

Refer to the exhibit.

```
$ aws iam get-role --role-name MyRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyRole",
    "Arn": "arn:aws:iam::123456789012:role/MyRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
```

Question 14 (hard, multiple choice)

Refer to the exhibit. A security engineer applies this bucket policy to an S3 bucket. A user tries to download an object over plain HTTP (without HTTPS). What is the outcome?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 15 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

These SCS-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SCS-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.