
Scenario-based practice

Troubleshooting Scenario Questions

Practise AWS Certified Security Specialty SCS-C02 exam questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SCS-C02 | Vendor: Amazon Web Services

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. They check:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

Question 2 (easy, multiple choice)

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

Exhibit

Refer to the exhibit.

VPC Flow Logs entry:
2 123456789010 eni-1234567890abcdef 10.0.1.5 203.0.113.50 3389 443 6 10 840 1625097600 1625097660 ACCEPT OK

Question 3 (medium, multiple choice)

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?

Question 4 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Question 5 (easy, multiple choice)

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to an IAM user. The user reports being unable to download objects from the S3 bucket when connecting from a VPN with IP address 10.0.1.45. What is the most likely reason for the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Question 6 (medium, multiple choice)

Refer to the exhibit. A security engineer runs this AWS CLI command to investigate root user logins. The output shows a successful ConsoleLogin event. What should the engineer do next to improve security?

Exhibit

Refer to the exhibit.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --query 'Events[?UserIdentity.Type=="Root"]'

"EventId": "example1",
"EventName": "ConsoleLogin",
"ReadOnly": "False",
"Username": "root",
"EventTime": "2023-01-01T12:00:00Z",
"CloudTrailEvent": "{\"userIdentity\":{\"type\":\"Root\",\"arn\":\"arn:aws:iam::123456789012:root\"},\"responseElements\":{\"ConsoleLogin\":\"Success\"}}"

Question 7 (medium, multiple choice)

The condition shown in the exhibit is added to an S3 bucket policy to restrict access to a specific VPC endpoint. An EC2 instance in the same VPC is unable to access the bucket. What is the most likely reason?

Exhibit

Refer to the exhibit.

Resource: "arn:aws:ec2:us-east-1:123456789012:instance/*"
Condition: {
  "StringEquals": {
    "aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"
  }
}

Question 8 (hard, multiple choice)

A company uses Amazon Detective to investigate security findings. The security team is analyzing a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. The team wants to use Detective to understand the full scope of the incident, including which other resources the instance communicated with and any IAM roles used. However, when the team opens the finding in Detective, they see no network activity data for the instance. The instance is in a VPC with VPC Flow Logs enabled, and Flow Logs are being published to CloudWatch Logs. What should the team do to enable Detective to display the network activity?

Question 9 (medium, multiple choice)

A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?

Question 10 (medium, multiple choice)

A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?

Question 11 (medium, multi-select)

A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)

Question 12 (hard, multiple choice)

A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?

Question 13 (hard, multiple choice)

A security engineer runs the CLI command shown in the exhibit to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?

Exhibit

Refer to the exhibit.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --query 'Events[*].CloudTrailEvent' --output text

Question 14 (hard, multiple choice)

A security engineer has attached the IAM policy shown in the exhibit to a role used by an application to write logs to an S3 bucket. However, the application is unable to write logs. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Question 15 (medium, multiple choice)

A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

These SCS-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SCS-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.