SOA-C02 · topic practice

Security And Compliance practice questions

Use this page to practise SOA-C02 Security And Compliance practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

20 questions · Domain: Security And Compliance

What the exam tests

What to know about Security And Compliance

Security And Compliance questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Practice set

Security And Compliance questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?

Question 2 · hard · multiple choice

A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?

Question 3 · hard · multiple choice

A company manages multiple AWS accounts under AWS Organizations. The security team requires that all Amazon S3 buckets in the organization must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect any bucket that is not compliant and remediate it by enabling SSE-KMS. Which AWS feature or service should be used to implement this automated compliance enforcement?

Question 4 · hard · multiple choice

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?

Question 5 · medium · multiple choice

A company runs a critical production database on Amazon RDS for MySQL with Multi-AZ deployment. The SysOps administrator needs to be automatically notified when a failover event occurs, and also capture the exact time and reason for the failover for compliance purposes. Which AWS service or feature should be used to capture the failover event details with the least operational overhead?

Question 6 · medium · multiple choice

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

Question 7 · easy · multiple choice

A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?

Question 8 · easy · multiple choice

A company's security policy requires that all IAM user passwords must be at least 12 characters long. The SysOps administrator needs to enforce this requirement across the AWS account. Which action should the administrator take?

Question 9 · medium · multiple choice

A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?

Question 10 · hard · multiple choice

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?

Question 11 · easy · multiple choice

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are configured with server-side encryption using AWS KMS (SSE-KMS). The administrator wants to automatically detect any S3 buckets that are not compliant and remediate them by enabling SSE-KMS. Which AWS service should be used to implement this automated compliance enforcement?

Question 12 · easy · multiple choice

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest. The administrator wants to automatically remediate any bucket that is created without default encryption. Which AWS service should be used to achieve this with the least operational overhead?

Question 13 · medium · multiple choice

A company's security policy requires that all Amazon EC2 instances must have a specific tag 'Environment' with a value of either 'Production' or 'Development'. The SysOps administrator needs to detect any instance that is missing this tag or has an invalid value, and automatically email the operations team. Which AWS service should be used to achieve this with the least operational overhead?

Question 14 · medium · multiple choice

A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

Question 15 · medium · multiple choice

A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?

Question 16 · easy · multiple choice

A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?

Question 17 · medium · multiple choice

A company's security policy requires that IAM users rotate their access keys every 90 days. The SysOps administrator must automatically identify users whose access keys are older than 90 days and notify the security team. Which combination of AWS services should be used to meet this requirement with the least operational overhead?

Question 18 · medium · multiple choice

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

Question 19 · easy · multiple choice

A SysOps administrator needs to audit all API calls made in an AWS account for compliance and security analysis. The logs must be stored securely for at least one year. Which AWS service should the administrator enable?

Question 20 · medium · multi select

Match each AWS service with its primary security compliance function. (Drag each service to its correct function.) (Choose 4.)

Watch out for

Common Security And Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.


Frequently asked questions

What does the SOA-C02 exam test about Security And Compliance?
Security And Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security And Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Security And Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SOA-C02 topics?
Use the topic links above to move to related areas, or go back to the SOA-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SOA-C02 exam covers. They are not copied from any real exam or dump site.