SCS-C02 · topic practice

Management and Security Governance practice questions

Practise AWS Certified Security Specialty SCS-C02 Management and Security Governance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Management and Security Governance

What the exam tests

What to know about Management and Security Governance

Management and Security Governance questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Management and Security Governance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Management and Security Governance questions

20 questions · select your answer, then reveal the explanation

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

Question 2 · easy · multiple choice

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A company uses AWS Config to evaluate resource compliance. The security team finds that no AWS Config managed rule checks the AWS::IAM::Group resource type for the condition they care about. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created by a caller that has not authenticated with MFA. Which SCP should be attached at the organization root?

A security engineer needs to ensure that all EC2 instances launched in a development account are tagged with a cost center. What is the most effective way to enforce this?

A company wants to centrally manage access keys for IAM users. Which AWS service can generate and rotate access keys automatically?

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

A security engineer is designing a solution to protect sensitive data in S3. Which THREE mechanisms can be used to enforce encryption at rest?

Refer to the exhibit. A security engineer applies this bucket policy to example-bucket. A user requests an object from the bucket over plain HTTP rather than HTTPS. What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

Exhibit

Refer to the exhibit.

$ aws iam list-attached-role-policies --role-name MyRole
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        },
        {
            "PolicyName": "MyCustomPolicy",
            "PolicyArn": "arn:aws:iam::123456789012:policy/MyCustomPolicy"
        }
    ]
}
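Both exhibits above come down to the same IAM evaluation order: an explicit Deny in any applicable policy wins, otherwise any Allow grants the request, otherwise the request is implicitly denied. What follows is an added example, not part of the original question set and not AWS tooling: a small Python evaluator that applies that order to the exhibit policies. It assumes a same-account request (identity policies and the bucket policy are combined as one union), models only the Bool condition operator, and ignores SCPs and permissions boundaries. The AmazonS3ReadOnlyAccess statement is a constructed simplification of the managed policy, and the object keys, bucket names and request contexts are constructed for the example.

```python
"""Minimal IAM policy evaluator (added example) for the two exhibits above.

Evaluation order for a same-account request: explicit Deny > Allow > implicit
Deny. Only the Bool condition operator is supported; SCPs and permissions
boundaries are not modelled.
"""
import fnmatch

# Exhibit for question 12, with the Principal element S3 requires in a bucket policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Exhibit for question 13. S3_READ_ONLY is a constructed simplification of the
# AWS managed AmazonS3ReadOnlyAccess policy (the real one also covers s3-object-lambda).
S3_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]}
MY_CUSTOM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action/resource matching: '*' and '?' wildcards, case-insensitive actions.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_met(condition, ctx):
    # A key absent from the request context fails a plain Bool test.
    for operator, tests in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in tests.items():
            if str(ctx.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request.

    `policies` is every policy that applies to the request (the principal's
    identity policies plus the bucket policy); `ctx` holds condition keys
    such as aws:SecureTransport.
    """
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_met(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # an explicit deny ends evaluation
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def question_12(https):
    """Download from example-bucket by a principal whose identity policy allows reads."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    return evaluate([BUCKET_POLICY, S3_READ_ONLY], "s3:GetObject",
                    "arn:aws:s3:::example-bucket/report.csv", ctx)


def question_13(action, key="report.csv", bucket="example-bucket"):
    """MyRole from the exhibit: the managed read-only policy plus MyCustomPolicy."""
    return evaluate([S3_READ_ONLY, MY_CUSTOM_POLICY], action,
                    f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    print("Q12 over HTTP  :", question_12(https=False))  # explicitDeny
    print("Q12 over HTTPS :", question_12(https=True))   # allowed
    print("Q13 PutObject  :", question_13("s3:PutObject"))  # allowed
    print("Q13 PutObject, other bucket:",
          question_13("s3:PutObject", bucket="other-bucket"))  # implicitDeny
    print("Q13 DeleteObject:", question_13("s3:DeleteObject"))  # implicitDeny
```

The read-only managed policy never denies anything, so the custom Allow for s3:PutObject is enough for the upload to succeed in question 13; the upload to a bucket outside the custom policy's Resource is an implicit deny, not an explicit one. For the live equivalent, `aws iam simulate-principal-policy` evaluates the policies actually attached to a principal, with `--resource-policy` for a bucket policy and `--context-entries` for condition keys such as aws:SecureTransport.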
Question 14 · hard · multiple choice

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

A company uses AWS Organizations with a single management account and multiple member accounts. The security team needs to ensure that all member accounts automatically deploy AWS Config rules to audit security group configurations. Which solution meets this requirement with minimal operational overhead?

A security engineer is designing a solution to monitor and remediate non-compliant resources across multiple AWS accounts. The company uses AWS Organizations and wants to enforce that any S3 bucket with public read access is automatically remediated. The solution must be centralized and scalable. Which approach should the engineer take?

A startup uses a single AWS account for development. The developer has full administrative access and accidentally deleted an S3 bucket containing critical data. The security team wants to prevent similar incidents without hindering agility. What is the MOST effective control?

A company has multiple AWS accounts managed through AWS Organizations. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI). Which governance control should be implemented?

A company wants to use AWS CloudFormation to manage infrastructure. The security team requires that all templates are scanned for security vulnerabilities before deployment. Which service should be integrated into the pipeline?

Question 20 · hard · multiple choice

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

Frequently asked questions

What does the SCS-C02 exam test about Management and Security Governance?
Management and Security Governance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Management and Security Governance questions in a focused session?
Yes — the session launcher on this page draws every question from the Management and Security Governance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SCS-C02 topics?
Use the topic links above to move to related areas, or go back to the SCS-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SCS-C02 exam covers. They are not copied from any real exam or dump site.