AWS Certified Security - Specialty · Difficulty

Hard SCS-C02 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 39 hard questions available — no sign-up, always free.

Question 1 of 25

A security team at a large enterprise manages 120 AWS accounts under AWS Organizations. They need to deploy a standardized set of AWS Config rules across all existing and future member accounts to enforce a PCI DSS baseline. The team wants to manage these rules centrally from a dedicated security tooling account (not the management account) and ensure that member account administrators cannot delete or modify the deployed rules. Which approach best meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 2 of 25

A security governance team manages 60 accounts under AWS Control Tower. Leadership requires that no account be able to create publicly accessible RDS instances, and that any existing RDS instance that becomes publicly accessible be automatically detected and reported to a central compliance dashboard. The team wants to minimize ongoing operational overhead while enforcing this at scale. Which combination of controls best satisfies both the preventive and detective requirements?

Reviewed for accuracy · Report an issue
Question 3 of 25

A financial services company runs 120 accounts under AWS Control Tower. The security team must audit whether every account continuously enforces a set of ~40 detective controls (Config rules) mapped to their internal compliance framework. Finance has flagged that AWS Config recording costs have grown rapidly because every account records ALL resource types, including many that are irrelevant to the compliance framework. The team wants to reduce Config cost while still meeting the audit requirement and managing controls centrally across the organization. Which approach best balances centralized governance, audit coverage, and cost?

Reviewed for accuracy · Report an issue
Question 4 of 25

A security engineer receives a GuardDuty finding of type Stealth:IAMUser/CloudTrailLoggingDisabled indicating an attacker used compromised credentials to stop logging on the organization's primary CloudTrail trail. The engineer must restore audit visibility as quickly as possible and ensure logging cannot be trivially disabled again by the same technique. Which combination of actions BEST addresses both the immediate recovery and future prevention?

Reviewed for accuracy · Report an issue
Question 5 of 25

A security engineer receives a GuardDuty finding of type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom for a production EC2 instance. The organization requires that suspected compromised instances be automatically isolated for forensic investigation while preserving all volatile and non-volatile data, and while allowing forensic tooling in a separate account to access the evidence. Which automated response best meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 25

A security engineer receives a GuardDuty finding of type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. The finding indicates that credentials from an EC2 instance's IAM role were used from an IP address outside AWS. The instance itself is still running normally and serving production traffic, and the team cannot immediately terminate or isolate it without causing an outage. What is the MOST effective immediate containment action to stop the attacker from continuing to use the stolen credentials?

Reviewed for accuracy · Report an issue
Question 7 of 25

A security team enables GuardDuty Lambda Protection across their organization. GuardDuty raises a finding indicating one of the company's Lambda functions is generating network traffic to a known cryptomining domain. The function is triggered by an SQS queue that processes customer uploads. The team must contain the threat quickly while preserving the ability to investigate how the function was compromised. Which action best achieves immediate containment with minimal disruption to unrelated workloads?

Reviewed for accuracy · Report an issue
Question 8 of 25

A security team enables GuardDuty Malware Protection for EC2. GuardDuty generates an 'Execution:EC2/MaliciousFile' finding after scanning an EBS volume attached to a production instance and detecting a trojan. The team wants an automated, least-disruptive first response that preserves the ability to investigate while preventing the malware from spreading laterally, and they must ensure the finding and any related activity remain fully investigable afterward. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 25

A security engineer discovers that Amazon GuardDuty was intentionally disabled in the production account three weeks ago by a departing administrator, leaving a detection gap. The incident-response team needs to restore threat detection and, as part of recovery, retroactively understand what malicious activity may have occurred during the blind period without waiting weeks for new findings to accumulate. Which approach best supports both re-enabling detection and analyzing the historical gap?

Reviewed for accuracy · Report an issue
Question 10 of 25

A company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML 2.0 identity provider. Workforce users are assigned to multiple AWS accounts through permission sets. The security team wants to grant each user access only to EC2 instances tagged with their department, without creating a separate permission set per department, and without editing policies whenever a new department is added. Which approach best achieves this at scale?

Reviewed for accuracy · Report an issue
Question 11 of 25

A security engineer attaches a permission boundary to an IAM role that allows only Amazon S3 and Amazon DynamoDB actions. The role's identity-based policy grants full access to S3, DynamoDB, and Amazon SQS. The AWS account belongs to an organization whose SCP allows S3 and SQS actions but does not include DynamoDB. There is no explicit deny anywhere. When the role attempts each service, which actions are effectively allowed?

Reviewed for accuracy · Report an issue
Question 12 of 25

A security engineer is reviewing a customer-managed IAM policy attached to a developer group. The policy contains a single statement with "Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], and "Resource": "*". Developers report they can perform far more actions than intended, including deleting production S3 buckets and modifying KMS keys. What is the most accurate explanation of this behavior?

Reviewed for accuracy · Report an issue
Question 13 of 25

A data engineering team uses an automation pipeline that assumes RoleA in Account 1 via STS. From within that session, the pipeline then assumes RoleB in Account 2 to access data. RoleB has a MaxSessionDuration of 12 hours, and the pipeline requests a 6-hour session when calling AssumeRole for RoleB. The team observes that the credentials for RoleB consistently expire after only 1 hour, causing long-running jobs to fail. What is the cause of this behavior?

Reviewed for accuracy · Report an issue
Question 14 of 25

A company grants a partner account access to a shared S3 bucket via a bucket policy. The security team wants every principal in the partner account to be allowed to read objects EXCEPT for one specific IAM role named 'ContractorRole', which must never be able to read the objects regardless of that role's identity-based permissions. Which S3 bucket policy construct enforces this most reliably?

Reviewed for accuracy · Report an issue
Question 15 of 25

A security engineer at a company using AWS Organizations must enforce that all member accounts can only operate in the eu-west-1 and eu-central-1 regions to meet data residency requirements. However, the finance team needs global services such as IAM, CloudFront, and Route 53 to continue functioning, and one designated account (the networking account) must additionally be allowed to use us-east-1 for a legacy Direct Connect gateway configuration. What is the MOST effective way to implement this using Service Control Policies (SCPs)?

Reviewed for accuracy · Report an issue
Question 16 of 25

A company's production account (Account A) encrypts EBS snapshots with a customer managed KMS key. The DR team in a separate account (Account B) needs to copy these shared snapshots and restore volumes from them in Account B. The security team has already shared the snapshots with Account B via the snapshot sharing feature. However, when Account B attempts to copy the snapshot, the operation fails with an access denied error. What must the security team configure to allow Account B to successfully copy and restore the encrypted snapshots while following least privilege?

Reviewed for accuracy · Report an issue
Question 17 of 25

A security engineer is designing envelope encryption for a multi-tenant SaaS application. Each tenant's data is encrypted with a shared AWS KMS customer managed key. The engineer wants to ensure that ciphertext encrypted for one tenant cannot be decrypted while claiming a different tenant's identity, without creating a separate KMS key per tenant. Which approach best achieves this cryptographic binding?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company must retain full control over the cryptographic material used to encrypt sensitive data in Amazon S3. To meet compliance, they create a KMS key with an origin of EXTERNAL and import their own 256-bit key material, setting it to expire after 90 days. As the expiration date approaches, the security team wants to ensure encrypted objects remain decryptable without disruption. Which action correctly extends the ability to use this key?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company classifies data into three tiers: Public, Internal, and Restricted. Restricted data must be encrypted with a dedicated KMS customer managed key, and the security team requires that any object tagged 'classification=Restricted' stored in S3 be encrypted only with that specific key. Developers currently upload objects using SSE-KMS but can select any KMS key in the account. The security team wants to enforce that Restricted-classified uploads fail unless the correct CMK is used, while allowing other keys for lower tiers. Which approach BEST enforces this requirement?

Reviewed for accuracy · Report an issue
Question 20 of 25

A company stores encrypted application backups in S3 buckets located in us-east-1 and eu-west-1. All objects are encrypted using SSE-KMS with a single-Region customer managed key created in us-east-1. During a disaster recovery test, an EC2 instance running in eu-west-1 fails to decrypt objects that were replicated to the eu-west-1 bucket, returning an error even though the IAM role has kms:Decrypt permission and the key policy grants access to that role. What is the MOST likely cause and the recommended fix?

Reviewed for accuracy · Report an issue
Question 21 of 25

A financial services company encrypts sensitive customer records in an S3 bucket using a customer managed KMS key. Security policy requires that decryption of these records is only possible from within the company's VPC, using a VPC endpoint for KMS, and never from the public internet or other networks. Application EC2 instances in private subnets access the data through an interface VPC endpoint for KMS. Which approach best enforces this requirement?

Reviewed for accuracy · Report an issue
Question 22 of 25

A security engineer creates a customer managed KMS key using the AWS CLI and specifies a custom key policy. The policy grants encrypt/decrypt permissions to a specific application IAM role but does NOT include any statement granting the account root principal access, and it does not enable IAM policies to control the key. Several weeks later, the application role is accidentally deleted during a cleanup, and no other principal can manage or use the key. What is the state of the key and the recommended prevention?

Reviewed for accuracy · Report an issue
Question 23 of 25

A financial services company stores encrypted objects in an S3 bucket using an SSE-KMS customer managed key. A newly created AWS Lambda function (assuming an execution role) needs to read and decrypt these objects, but developers report AccessDenied errors on kms:Decrypt even though the Lambda execution role has an identity-based policy granting kms:Decrypt on the key. The KMS key policy currently contains only a statement granting the account root full access. What is the MOST likely cause and the correct fix that follows least privilege?

Reviewed for accuracy · Report an issue
Question 24 of 25

A financial services company encrypts sensitive customer records in an S3 bucket using a customer managed KMS key. A newly deployed analytics application running on EC2 instances (using an instance profile role) must decrypt these objects only between 01:00 and 05:00 UTC each day when batch jobs run. The security team wants to grant the minimum necessary access without modifying the KMS key policy, which is centrally controlled and change-controlled by a separate team. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 25 of 25

A data engineering team stores analytics output in an S3 bucket encrypted with a customer managed KMS key. An IAM role used by a Glue job has an identity-based policy granting kms:Decrypt and kms:GenerateDataKey on the key's ARN, plus full S3 access to the bucket. The Glue job fails with an AccessDenied error when writing encrypted objects. The KMS key policy contains only the default statement granting the account root full access, and no additional statements. Why is the job failing, and what is the minimal correct fix?

Reviewed for accuracy · Report an issue