SCS-C02 · topic practice

Security Logging and Monitoring practice questions

Practise AWS Certified Security Specialty SCS-C02 Security Logging and Monitoring practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Logging and Monitoring

What the exam tests

What to know about Security Logging and Monitoring

Security Logging and Monitoring questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Logging and Monitoring exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Logging and Monitoring questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?

Question 6 · hard · multiple choice

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

A security engineer needs to centrally collect and analyze AWS CloudTrail logs from multiple accounts. Which service is designed for this purpose?

A company uses AWS CloudTrail and wants to ensure that any modification to the trail itself is detected immediately. What should be done?

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

Question 11 · easy · multi select

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?

Exhibit


```
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "Root",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012"
      },
      "eventTime": "2023-09-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-12345678",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      },
      "responseElements": null
    }
  ]
}
```

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

Exhibit


```
{
  "configuration": {
    "name": "my-trail",
    "s3BucketName": "my-cloudtrail-logs",
    "includeGlobalServiceEvents": true,
    "isMultiRegionTrail": true,
    "enableLogFileValidation": true,
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:aws-cloudtrail-logs:*",
    "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
    "kmsKeyId": null
  }
}
```

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?

A security engineer wants to receive real-time notifications when an AWS API call is made to delete an S3 bucket. Which service should be used to capture and forward these events to an Amazon SNS topic?

A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?

A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?

A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)

Question 20 · hard · multi select

A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The security team enabled VPC Flow Logs, CloudTrail, and CloudWatch Logs for the application tier. Recently, they noticed that some EC2 instances are being terminated unexpectedly by an unknown IAM user. The CloudTrail logs show the TerminateInstances API call, but the source IP address is from within the VPC CIDR range. The security team suspects the action is coming from an EC2 instance that has been compromised. They need to identify the specific compromised instance and the IAM role it used. Which combination of steps will provide the necessary information? (Choose TWO.)


Frequently asked questions

What does the SCS-C02 exam test about Security Logging and Monitoring?
Security Logging and Monitoring questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Logging and Monitoring questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Logging and Monitoring domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SCS-C02 topics?
Use the topic links above to move to related areas, or go back to the SCS-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SCS-C02 exam covers. They are not copied from any real exam or dump site.