Management and Security Governance
Drill 20 practice questions focused entirely on Management and Security Governance for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A security governance team manages an AWS Organization with 150 accounts. External auditors need read-only access to view the aggregated compliance status of all AWS Config rules across every account and Region, from a single location, for a quarterly audit. The team wants to minimize ongoing operational effort and avoid granting auditors access to each individual member account. Which approach best meets these requirements?
A security governance team manages 60 accounts through AWS Organizations with Control Tower. They must produce a single dashboard that scores each account against the CIS AWS Foundations Benchmark, automatically re-scores when new accounts are enrolled, and enables cross-account remediation of common misconfigurations without deploying and maintaining rule definitions in every account individually. Which approach best meets these requirements with the least ongoing operational overhead?
A security team at a large enterprise manages 120 AWS accounts under AWS Organizations. They need to deploy a standardized set of AWS Config rules across all existing and future member accounts to enforce a PCI DSS baseline. The team wants to manage these rules centrally from a dedicated security tooling account (not the management account) and ensure that member account administrators cannot delete or modify the deployed rules. Which approach best meets these requirements with the least ongoing operational effort?
A financial services company runs 220 AWS accounts under AWS Organizations. The security governance team wants a single, repeatable way to continuously evaluate accounts against the PCI DSS requirement set, generate compliance reports for auditors, and automatically remediate a specific violation (public S3 buckets) across all accounts. They want to minimize per-account manual setup and centralize the evaluation logic. Which approach best meets these requirements?
A financial services company runs 40 AWS accounts under AWS Organizations. The security governance team must continuously evaluate resource configurations against a custom internal baseline of 25 rules (some with auto-remediation) across all accounts, and they want a single pass/fail compliance score per account that can be centrally deployed and updated without touching each account individually. They already use Security Hub for aggregating GuardDuty and Inspector findings but do not want to pay for additional Security Hub security-standard control checks. Which approach BEST meets the configuration-baseline requirement while minimizing added Security Hub costs?
A security governance team must ensure that every EBS volume across 40 member accounts in an AWS Organization is encrypted, and they want a compliance evaluation to run whenever a volume's configuration changes. They already deploy standard checks through an organization conformance pack. A junior engineer proposes writing a custom AWS Config rule backed by a Lambda function to perform this specific check. Which approach best meets the requirement while minimizing operational overhead and cost?
A financial services company uses AWS Control Tower to govern a multi-account environment with over 80 accounts across several OUs. The security team requires that every newly provisioned account automatically receives a standardized set of baseline resources: a hardened VPC configuration, a specific IAM role for the SOC team, and an SNS topic subscription for security notifications. These resources are not covered by Control Tower guardrails or SCPs. The team wants this to happen automatically whenever Account Factory creates a new account, with minimal manual intervention. Which approach BEST meets these requirements?
A security team manages a multi-account environment through AWS Control Tower. The compliance department requires that every newly provisioned member account automatically block the disabling of AWS Config, enforce a standardized network baseline, and prevent the deletion of the CloudTrail log archive. The team wants these controls applied consistently at account creation without manual per-account setup, and wants strong (preventive) enforcement where possible. Which approach best meets these requirements with the least ongoing operational effort?
A financial services company uses AWS Control Tower to govern 60 member accounts across several OUs. A platform engineer, using local credentials in a workload account, manually modified an AWS Config recorder and detached a CloudTrail trail that Control Tower had configured during account enrollment. The security team wants Control Tower to detect this deviation and restore the mandatory baseline resources to their governed state without re-provisioning the account. Which action accomplishes this with the least operational effort?
A company has been growing organically and now runs 40 AWS accounts that were each created independently using the AWS Organizations 'create account' and 'invite existing account' features. There is no consistent baseline: some accounts lack CloudTrail, encryption defaults vary, and there is no standardized logging or audit account. Leadership wants a governed, repeatable way to provision NEW accounts going forward with a mandatory baseline (centralized logging, guardrails, standardized VPC) and a dashboard showing drift across all accounts, while minimizing custom-built automation. Which approach best meets these requirements?
A security governance team manages 120 accounts under AWS Control Tower. Leadership requires a monthly compliance report showing which accounts have deviated from the mandatory guardrails baseline (such as disallowed public S3 access and CloudTrail configuration changes). The team wants a single dashboard that continuously evaluates resource configurations across all accounts and highlights non-compliant resources over time, without writing custom aggregation code. Which approach best meets this requirement at scale?
A financial services company manages 120 accounts using AWS Control Tower. The security governance team wants to be automatically notified whenever a landing zone control drifts from its expected state — for example, when an SCP guardrail is manually removed from an OU or a required baseline resource is deleted in an enrolled account. They want a low-maintenance, event-driven approach that integrates with their existing incident-response tooling. What should they implement?
A company has been running AWS for three years with 40 accounts created manually and joined into an existing AWS Organizations structure. Leadership now wants centralized governance with automated account provisioning, mandatory logging, and a global standard that blocks any operation outside two approved AWS Regions. The security team wants to minimize custom development and use managed, opinionated guardrails wherever possible. Which approach best meets these requirements?
A security governance team manages 60 accounts under AWS Control Tower. Leadership requires that no account be able to create publicly accessible RDS instances, and that any existing RDS instance that becomes publicly accessible be automatically detected and reported to a central compliance dashboard. The team wants to minimize ongoing operational overhead while enforcing this at scale. Which combination of controls best satisfies both the preventive and detective requirements?
A financial services company runs 120 accounts under AWS Control Tower. The security team must audit whether every account continuously enforces a set of ~40 detective controls (Config rules) mapped to their internal compliance framework. Finance has flagged that AWS Config recording costs have grown rapidly because every account records ALL resource types, including many that are irrelevant to the compliance framework. The team wants to reduce Config cost while still meeting the audit requirement and managing controls centrally across the organization. Which approach best balances centralized governance, audit coverage, and cost?
A company is designing multi-account governance for AWS. The CISO wants a standardized landing zone with pre-configured guardrails, a dedicated log archive account, and an automated account provisioning process. The finance team is concerned about the operational overhead and wants to minimize the effort of maintaining the baseline as new accounts join. The company has no existing multi-account structure. Which approach best meets these requirements with the least ongoing management effort?
A security team manages a 60-account AWS Organization using SCPs. To enforce a strict governance model, they replaced the default FullAWSAccess policy on the root and all OUs with a custom allow-list SCP that explicitly permits only the services currently approved (e.g., ec2, s3, rds, lambda, cloudwatch). A development team now reports that they cannot use Amazon Bedrock in their sandbox account, even though their IAM roles grant full Bedrock permissions and there is no explicit deny anywhere. What is the most likely cause and the correct remediation?
A large enterprise uses AWS Organizations with over 200 accounts. The security governance team wants to reduce untracked cloud spend by ensuring that no EC2 instances or EBS volumes can be created unless they include a mandatory 'CostCenter' tag at creation time. This restriction must apply to all member accounts (including future accounts) but must NOT prevent the organization's central automation role, 'OrgProvisioningRole', from creating resources without the tag during bootstrap operations. Which approach enforces this requirement with the least ongoing administrative effort?
A security governance team manages an AWS Organization with 200 accounts across multiple OUs. They centrally deploy GuardDuty, Config, and CloudTrail using delegated administrator accounts. Recently, a developer with local administrator privileges in a workload account disabled GuardDuty and stopped the account's CloudTrail trail to reduce noise. The team wants to prevent ANY member account principal — including account administrators — from disabling these security services, while still allowing the delegated security administrator account to manage them centrally. Which approach best enforces this at scale?
A company uses AWS Organizations with a nested OU structure. The root has an SCP attached that allows all actions (FullAWSAccess). A top-level "Production" OU has an SCP that denies use of all AWS services except EC2, S3, and CloudWatch. A nested "WebApp" OU under Production has an SCP that explicitly allows RDS and EC2. An account in the WebApp OU has an IAM administrator user attempting to launch an RDS database instance. What is the effective result, and why?
More SCS-C02 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C02 overview