Medium SCS-C02 practice questions
Applied — put a concept to work in a realistic situation. 145 medium questions available — no sign-up, always free.
A security team runs a public-facing web application behind an Application Load Balancer (ALB) that terminates TLS using a certificate provisioned by AWS Certificate Manager (ACM). A PCI DSS audit requires that the application no longer negotiate TLS 1.0 or TLS 1.1 and must reject weak ciphers, while still supporting modern browsers. What is the MOST appropriate action to enforce this requirement?
A media company hosts a static website in an S3 bucket served through a CloudFront distribution. The web team, which operates primarily in the eu-west-1 Region, requests an ACM certificate for their custom domain so that the distribution can serve HTTPS traffic. They created a public certificate in ACM in eu-west-1, validated it via DNS, and confirmed its status is 'Issued'. However, the certificate does not appear as a selectable option when they attempt to associate it with the CloudFront distribution. What is the cause and correct remediation?
A company runs a public-facing application behind an Application Load Balancer. The security team uses an SSL/TLS certificate that was issued by the company's existing third-party certificate authority and then imported into AWS Certificate Manager (ACM). During an audit, the team is concerned about a repeat of a past incident where the certificate expired and caused an outage. Which approach ensures they are proactively warned before this imported certificate expires?
A company runs a public-facing REST API behind an Application Load Balancer (ALB). Security requires that the TLS private key used to terminate connections is never exportable or accessible to administrators, and that certificate renewal happens automatically without operator intervention. The team currently uses a certificate issued by a public third-party certificate authority that they trust. Which approach best meets all requirements?
A financial services company runs a fleet of internal microservices on EC2 instances behind internal Application Load Balancers within a private VPC. Security policy requires mutual TLS between all internal services using X.509 certificates issued by a certificate authority the company controls. The certificates must be short-lived and automatically renewed, and the CA's root must NOT be publicly trusted. Which solution best meets these requirements?
A security engineer stores several years of CloudTrail logs in an S3 bucket organized by the standard prefix pattern (AWSLogs/<account>/CloudTrail/<region>/<year>/<month>/<day>/). Analysts run frequent Athena queries filtered to a specific account, region, and date range, but queries are slow and scan far more data than expected, driving up cost. The engineer wants to reduce data scanned and query time without running a crawler or manually adding partitions each day. Which approach best meets these requirements?
A healthcare company operates a public web application behind CloudFront and an Application Load Balancer. A form collects patients' credit card numbers and Social Security numbers. Compliance requires that these specific fields remain encrypted from the moment they enter the AWS edge, so that even the application servers and downstream microservices cannot read them — only a dedicated payment processing service holding a private key may decrypt them. The rest of the request must remain readable for normal application processing. Which CloudFront capability meets this requirement with the least change to backend components?
A media company streams licensed video content through Amazon CloudFront. Licensing agreements require that content be accessible only from viewers in Canada and the United States. Additionally, the security team wants to block a specific list of malicious IP addresses regardless of their geographic origin, and they want both controls applied at the edge with the lowest possible latency and cost. Which combination of controls should the security engineer implement?
A company serves static content from a private S3 bucket through a CloudFront distribution. Security review reveals that the S3 objects can still be downloaded directly using their public S3 URLs, bypassing CloudFront (and its attached WAF web ACL). The team must ensure content is only reachable through CloudFront while following current AWS best practices. What should they implement?
A media company serves video thumbnails and metadata through CloudFront backed by an Application Load Balancer in a single AWS Region. During viral traffic spikes, they observe that origin request volume overwhelms the ALB even though most objects are cacheable, because CloudFront has many regional edge caches making independent requests to the origin on cache misses. The security team also wants to minimize the origin's exposure to direct request bursts. Which CloudFront configuration change most directly reduces redundant origin fetches and consolidates requests to the origin?
A media company stores premium video files in an S3 bucket and serves them to paying subscribers through a CloudFront distribution. The security team requires that each video link works only for a specific authenticated subscriber and automatically stops working after 6 hours. Direct S3 access must remain blocked, and links must not be shareable in a way that grants indefinite access. Which approach meets these requirements with the least operational overhead?
A security engineer configured a CloudTrail trail to deliver events to a CloudWatch Logs log group so that metric filters and alarms can be created. Events are successfully delivered to the S3 bucket, but no log streams or events are appearing in the CloudWatch Logs log group. The trail shows no obvious errors in the console. What is the MOST likely cause?
A security engineer configured an organization trail in CloudTrail to log all management events to a central S3 bucket. During an investigation, the team notices that API calls made in the us-west-2 region for a member account are appearing in the logs, but Amazon S3 object-level GetObject and PutObject calls made against buckets in that account are completely absent from the delivered log files. The trail is confirmed to be logging and delivering files successfully. What is the MOST likely reason the S3 object-level activity is missing?
A security team must be alerted within seconds whenever any IAM policy is attached to a user, group, or role across a single account. They already have an organization CloudTrail delivering management events to an S3 bucket and to a CloudWatch Logs log group. The team wants the lowest-latency, most operationally efficient way to trigger an SNS notification when these specific API calls occur. Which approach best meets the requirement?
A security team wants to detect unusual patterns in API call volume and error rates across their AWS account, such as a sudden spike in IAM policy modifications or an unusual burst of TerminateInstances calls that could indicate compromised credentials. They already have a management events trail enabled but no automated way to surface anomalous behavior. They do not want to build and maintain custom baselining logic or manually tune CloudWatch metric filters for every API. Which approach best meets this requirement with the least operational overhead?
A security team must run ad hoc SQL queries against 18 months of CloudTrail management events to investigate historical API activity. Currently, CloudTrail delivers logs to an S3 bucket, and the team queries them using Athena. However, they find that maintaining Athena table partitions and re-running the AWS Glue crawler as new log prefixes arrive is error-prone, and some queries return incomplete results because partitions were not updated. The team wants a managed solution that requires no partition management and lets them query events with SQL for up to 7 years. Which approach best meets these requirements with the least ongoing maintenance?
A security analyst configured a multi-Region CloudTrail trail delivering management events to an S3 bucket. During an incident investigation, they notice that an API call known to have occurred at 14:02 UTC does not appear in the S3 bucket when they check at 14:08 UTC. The trail is enabled, the S3 bucket policy is correct, and log file validation shows no gaps once files arrive. What is the MOST likely explanation, and what should the analyst do?
A security engineer must prove to auditors that CloudTrail log files stored in an S3 bucket have not been modified or deleted since delivery. The organization already has a multi-Region trail delivering logs to a dedicated central logging account. During a compliance review, the auditors ask for a mechanism that can cryptographically verify whether any log file was altered or removed after CloudTrail wrote it. Which approach satisfies this requirement?
A company has 40 accounts in AWS Organizations. The security team wants to guarantee that management events from every existing and future member account are captured in a single, tamper-evident location, without requiring administrators in each account to create or maintain their own trails. Which approach BEST meets these requirements with the least ongoing operational overhead?
A security engineer configures a new CloudTrail trail to deliver logs to a centralized S3 bucket in a dedicated logging account. The trail is created successfully in the source account, but no log files ever appear in the destination bucket. CloudTrail shows no delivery errors in the console for the first few hours. The bucket has default SSE-S3 encryption enabled and a bucket policy that was recently modified to add a condition requiring the aws:SecureTransport key. What is the MOST likely cause of the missing log files?
A security engineer needs to prove which IAM principals read individual objects from a highly sensitive S3 bucket named 'legal-contracts'. After enabling a multi-region CloudTrail trail, the engineer notices that GetObject and PutObject API calls for the bucket do not appear in the CloudTrail logs, although CreateBucket and PutBucketPolicy calls are present. What is the correct action to capture the required object-level activity?
A security engineer configured a multi-Region CloudTrail trail to deliver logs to an S3 bucket and created an Athena table pointing to the bucket prefix. After several days, queries against the Athena table return zero rows even though the S3 bucket contains many CloudTrail log object files under the correct prefix. The engineer confirms the trail is active and logs are being written. What is the MOST likely cause of the empty query results?
A security engineer must centralize application logs from a fleet of Amazon Linux 2 EC2 instances into CloudWatch Logs so that a metric filter can trigger alarms on repeated authentication failures. After installing and starting the unified CloudWatch agent on the instances, the engineer confirms the agent process is running, but no log groups or log events appear in CloudWatch Logs. The agent configuration file correctly references the application log file path. What is the MOST likely cause of the missing logs?
A security operations team receives dozens of CloudWatch alarm notifications each night for a fleet of EC2 instances. Individual metric alarms fire for high CPU, high memory, and low disk space, but the team only wants to be paged when an instance shows signs of genuine distress — specifically when CPU is high AND disk space is low at the same time. They want to reduce noise without deleting the existing metric alarms, which feed other dashboards. What is the MOST appropriate approach?
A security team operates a centralized logging account. They need application VPC Flow Logs and CloudWatch Logs from 40 member accounts to be continuously streamed in near real time to a central Amazon OpenSearch Service domain in the logging account for correlation and dashboards. The solution must scale to high log volume, require minimal per-account maintenance, and avoid custom polling code. Which approach best meets these requirements?