SOA-C02 · topic practice

Security and Compliance practice questions

Practise AWS Certified SysOps Administrator Associate SOA-C02 Security and Compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security and Compliance

What the exam tests

What to know about Security and Compliance

Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security and Compliance questions

20 questions · select your answer, then reveal the explanation

An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?

A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?

An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?

Question 4mediummultiple choice
Read the full NAT/PAT explanation →

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?

An organization requires that all Amazon EC2 instances must be launched only with approved Amazon Machine Images (AMIs) that have been pre-approved by the security team. The SysOps administrator needs to enforce this policy for all current and future instances in the AWS account. Unapproved AMIs should be prevented from launching. Which solution meets these requirements with the least operational overhead?

Question 7mediummultiple choice
Read the full NAT/PAT explanation →

A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?

Question 8mediummultiple choice
Read the full NAT/PAT explanation →

A company's security policy requires that all Amazon RDS for PostgreSQL instances be encrypted at rest using AWS Key Management Service (KMS) customer managed keys and have automated backups enabled with a retention period of at least 30 days. A SysOps administrator needs to use AWS Config to automatically detect any RDS instance that is non-compliant with either requirement and automatically remediate it. Which combination of AWS Config managed rules and remediation actions should be used?

Question 9mediummultiple choice
Read the full NAT/PAT explanation →

A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

An organization wants to ensure that no Amazon S3 bucket in the entire AWS Organization can be made public. The security team requires a preventive control that cannot be overridden by individual account administrators. Which AWS service or feature should be used?

A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?

An organization has a policy requiring that all Amazon EC2 instances launched in the production account must have detailed monitoring enabled for Amazon CloudWatch. A SysOps administrator needs to enforce this rule automatically. Which solution will ensure that any EC2 instance launched without detailed monitoring is automatically remediated?

A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?

A company uses AWS Organizations and wants to restrict access to S3 buckets based on project tags. The security policy requires that users in the 'DataScientists' group can only access S3 buckets that have the tag 'Project: DataEngineering'. Which IAM policy condition key should the SysOps administrator use in a customer managed policy to enforce this restriction?

A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?

Question 16mediummultiple choice
Read the full NAT/PAT explanation →

A company's security team requires that all Amazon S3 buckets are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any S3 bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?

A SysOps administrator manages IAM roles for Amazon EC2 instances. The administrator needs to identify permissions that have never been used in the last 90 days to right-size the policies. Which AWS feature should be used to achieve this?

Question 19hardmultiple choice
Read the full NAT/PAT explanation →

A company's security policy requires that all Amazon S3 buckets must be non-publicly accessible. The SysOps administrator needs to automatically detect any bucket that becomes publicly accessible and automatically remediate it by applying a bucket policy that blocks public access. The solution should use AWS managed services with minimal custom code. Which combination of services should be used?

Question 20mediummultiple choice
Read the full NAT/PAT explanation →

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security and Compliance sessions

Start a Security and Compliance only practice session

Every question in these sessions is drawn from the Security and Compliance domain — nothing else.

Related practice questions

Related SOA-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SOA-C02 exam test about Security and Compliance?
Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SOA-C02 topics?
Use the topic links above to move to related areas, or go back to the SOA-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SOA-C02 exam covers. They are not copied from any real exam or dump site.