Security Foundations and Governance
Drill 20 practice questions focused entirely on Security Foundations and Governance for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company builds internal Lambda functions and shared libraries used across dozens of AWS accounts. Recent industry incidents involving compromised open-source dependencies have prompted the security team to reduce software supply chain risk. They want to (1) ensure developers pull third-party packages only from an approved, versioned internal repository that proxies public registries, and (2) guarantee that only Lambda code artifacts signed by the organization's build pipeline can be deployed to production functions. Which combination of AWS services best meets these requirements?
A security engineer manages an organization with 60 accounts spread across 3 AWS Regions. Each account already has AWS Config enabled recording resources, and a standardized set of Config rules is deployed to every account. The engineer's CISO wants a single, centralized, read-only view of the compliance status of all Config rules across every account and Region, without having to log into each account individually. The solution must require minimal ongoing maintenance as new accounts join the organization. What should the engineer implement?
A security team must deploy a standardized set of AWS Config rules across all 120 accounts in their AWS Organization to enforce a PCI DSS baseline. Requirements: the deployment must automatically apply to newly created accounts, the security team (not the management account) must own and operate the deployment from a dedicated security account, and any account owner must be prevented from deleting the deployed rules. Which approach best meets ALL requirements?
A security engineer must enforce a baseline set of AWS Config rules across all 40 accounts in an AWS Organization. The requirements are: rules must be deployed and maintained centrally from the organization management (or delegated administrator) account, new accounts joining the organization must automatically receive the rules, and any non-compliant S3 buckets that allow public access must be automatically remediated without manual intervention. Which approach best meets ALL of these requirements?
A security team manages compliance across a 200-account AWS Organization using a delegated administrator account for AWS Config. They deploy an organization conformance pack that includes a managed rule with automatic remediation to disable public S3 access. One member account hosts a legitimately public static website bucket that must remain accessible and should not be evaluated by this rule at all. The team wants to keep the conformance pack deployed org-wide with remediation active everywhere else, while ensuring the website account is not affected. What is the most operationally efficient way to achieve this?
A financial services company must produce audit-ready evidence for a SOC 2 examination across 40 AWS accounts in an organization. The security team already uses AWS Config with organization conformance packs to continuously evaluate resource compliance. Auditors now require a consolidated package that maps collected evidence to specific SOC 2 control requirements, automatically gathers supporting data (Config rule results, CloudTrail activity, and resource configurations), and can be exported as an assessment report for the examiners. Which approach best meets this requirement with the least custom development?
A financial services company must produce quarterly evidence packages mapped to the PCI DSS control framework for external auditors. The security team already uses AWS Config rules across all accounts in an AWS Organizations setup. Auditors require a repeatable, framework-organized collection of evidence (configuration snapshots, compliance check results, and CloudTrail activity) that maps individual controls to the underlying AWS resource data, with the ability to delegate manual attestation for controls that AWS services cannot automatically assess. Which approach best meets these requirements with the least custom development?
A financial services company runs a large AWS Organization with 200+ accounts managed via AWS Control Tower. The security team has discovered that development teams occasionally launch EC2 instances from unvetted, publicly shared Amazon Machine Images (AMIs), introducing software supply chain risk. Leadership requires a solution that PREVENTS the launch of any instance from an AMI unless the AMI is owned by a designated internal 'golden image' account. The control must be enforced organization-wide and cannot be bypassed by account administrators, including those with full EC2 permissions. Which approach meets these requirements?
A security governance team must continuously evaluate all member accounts in an AWS Organization against a well-defined internal baseline of 40 specific resource configuration rules (e.g., required EBS encryption, mandatory tags, prohibited public RDS instances). They want the entire ruleset deployed and version-controlled as a single, reusable YAML artifact that includes automatic remediation actions, and they want the same package applied uniformly across all accounts via the delegated administrator. Which approach best meets these requirements?
A security engineer must continuously evaluate whether all Amazon EC2 instances across the organization carry a mandatory 'CostCenter' tag AND that the tag value matches one of a dynamic list of approved cost centers maintained in an external DynamoDB table. AWS Config is already enabled org-wide via a delegated administrator account. Which approach meets these requirements with the least ongoing operational overhead while remaining evaluable by AWS Config?
A financial services company uses AWS Control Tower to govern 120 accounts across multiple OUs. The security team wants every NEW account created through Account Factory to automatically have a standardized set of baseline resources deployed — a hardened VPC configuration, a centralized logging IAM role, and an AWS Config custom rule — as part of the account provisioning process, without requiring manual steps after account creation. Which approach best meets this requirement?
A financial services company uses AWS Control Tower to manage a multi-account environment. The security team must ensure that every newly vaccounted through Account Factory automatically has a standardized security baseline applied, including a mandatory detective control that flags any S3 bucket configured with public read access. This control must be reported centrally without preventing the provisioning of the account. The team wants to use Control Tower's native capability rather than building custom automation. Which approach meets these requirements?
A financial services company currently manages 12 AWS accounts under AWS Organizations, created manually over the past two years. Each account was set up inconsistently — some lack baseline CloudTrail configuration, centralized logging, or standardized IAM roles. The security team must scale to over 100 accounts in the next year and needs every new account to be provisioned with a consistent, pre-approved security baseline (centralized logging to a dedicated log archive account, mandatory guardrails, and a standard network configuration) with minimal manual effort. Which approach best meets these requirements?
A financial services company uses AWS Control Tower to govern 40 member accounts across multiple OUs. The security team has a compliance requirement: developers must never be able to disable AWS CloudTrail logging in any account, and any account that has an S3 bucket without server-side encryption must be flagged for review (but not blocked). The team wants to implement both requirements using Control Tower guardrails with the least operational overhead. Which combination of guardrails should they apply?
A financial services company uses AWS Control Tower to manage a multi-account landing zone across 40 accounts. During a routine audit, the security team discovers that an administrator in a workload account manually modified a CloudTrail trail that Control Tower had configured, disabling log file validation. The security team wants a supported, automated way to detect that the account has diverged from the Control Tower baseline and to bring it back into compliance. Which approach should they use?
A financial services company manages 120 accounts through AWS Control Tower with all accounts in a well-structured OU hierarchy. The security team wants to guarantee that no member account can ever disable AWS CloudTrail logging, and they need this protection to be impossible to bypass — even by a user who has full administrative IAM permissions in a member account. Which approach meets this requirement with the least ongoing operational effort?
A financial services company runs AWS Control Tower with a multi-account landing zone. The central security team wants to run advanced, custom Security Hub and GuardDuty administration across all member accounts, but the company's compliance policy forbids using the Organizations management account for any day-to-day operational security work. The team needs to grant a dedicated Audit account the ability to centrally manage these security services organization-wide. What is the recommended approach to meet this requirement while following AWS best practices?
A large enterprise runs 200 accounts in AWS Organizations. The central security team operates entirely from a dedicated Security account (not the management account). Company policy mandates that the management account should be used only for billing and organization structure changes, and no security operators should have credentials in it. The team needs to administer GuardDuty, Security Hub, and IAM Access Analyzer across the whole organization from the Security account. What is the MOST appropriate way to enable this while adhering to the policy?
A company uses AWS Organizations with SCPs. The root has an SCP attached that allows all actions (the default FullAWSAccess plus a custom policy allowing only ec2:*, s3:*, and cloudwatch:*). The 'Production' OU has an SCP attached that allows only ec2:* and s3:*. The 'Databases' OU is nested inside 'Production' and has an SCP allowing only s3:* and rds:*. An account resides in the 'Databases' OU. Ignoring IAM permissions, which actions are permitted for principals in that account by the SCP hierarchy?
A security governance team at a company with 200+ AWS accounts under AWS Organizations needs to ensure that all resources are tagged with a standardized 'CostCenter' key that only accepts a defined set of allowed values, and that noncompliant tags are reported centrally. The team wants a native Organizations capability that standardizes tag keys and values across accounts without writing custom code. Which approach best meets this requirement?
More SCS-C03 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C03 overview