
AWS SCS-C02: Security Specialty Practice Exam

Validates expertise in AWS security — IAM, data protection, infrastructure security, logging/monitoring, and incident response.

Practice 298 exam-style AWS SCS-C02 questions with full answer explanations, then take timed mock exams that score like the real thing.

298 practice questions
65 questions on the real exam
750 passing score
170 min exam length

What the AWS SCS-C02 exam covers

Free AWS SCS-C02 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 298.

  1. Question 1 (Threat Detection and Incident Response)

    Which AWS service uses ML and threat intelligence to detect malicious activity from CloudTrail, VPC Flow Logs, and DNS logs?

    • A. AWS CodeBuild
    • B. Amazon GuardDuty (Correct)
    • C. Amazon SQS
    • D. Amazon Athena
    ✓ Correct answer: B

    Amazon GuardDuty uses machine learning and AWS threat intelligence to automatically detect malicious activity by analyzing CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs. This agentless detection service identifies threats such as credential exfiltration, unauthorized API calls, and instances communicating with malicious IPs. GuardDuty provides actionable findings that integrate with Security Hub for centralized visibility and automated response workflows. By leveraging behavioral analysis and threat intelligence, GuardDuty detects threats with minimal operational overhead.

    Why the other options are wrong
    • A. AWS CodeBuild is incorrect because AWS CodeBuild is a CI/CD build service, not a threat detection service
    • C. Amazon SQS is incorrect because Amazon SQS is a message queue service, not a threat detection service
    • D. Amazon Athena is incorrect because Amazon Athena is a query service, not a real-time threat detection service
  2. Question 2 (Threat Detection and Incident Response)

    A newly migrated EKS cluster must be monitored for suspicious Kubernetes API activity and runtime threats. Which GuardDuty capability addresses this?

    • A. Amazon Macie sensitive data discovery
    • B. AWS WAF managed rule groups
    • C. GuardDuty S3 Protection only
    • D. GuardDuty EKS Protection (audit log monitoring) plus EKS Runtime Monitoring (Correct)
    ✓ Correct answer: D

    Test explanation.

    Why the other options are wrong
    • A. Amazon Macie sensitive data discovery is incorrect because it does not provide the required functionality
    • B. AWS WAF managed rule groups is incorrect because it does not provide the required functionality
    • C. GuardDuty S3 Protection only is incorrect because it does not provide the required functionality
  3. Question 3 (Security Logging and Monitoring), select all that apply

    Which TWO actions enable you to retain and analyze CloudWatch Logs cost-effectively over the long term while keeping them queryable? (Choose TWO)

    • A. Use CloudWatch Logs Insights or Athena to query the data (Correct)
    • B. Disable logging entirely to save money
    • C. Set log group retention to 'Never expire' and never archive
    • D. Set a retention period on the log group and export/subscribe older data to S3 for archival (Correct)
    ✓ Correct answer: A, D

    Test explanation.

    Why the other options are wrong
    • B. Disable logging entirely to save money is incorrect because it does not provide the required functionality
    • C. Set log group retention to 'Never expire' and never archive is incorrect because it does not provide the required functionality
  4. Question 4 (Infrastructure Security)

    A three-tier application must allow only the web tier to reach the app tier on port 8080, with rules that adapt automatically as instances scale in and out. What is the best security group design?

    • A. Allow inbound 8080 from 0.0.0.0/0 and rely on the application for authentication
    • B. Use a NACL on the app subnet that allows the entire VPC CIDR on 8080
    • C. On the app tier security group, allow inbound 8080 with the source set to the web tier's security group ID (Correct)
    • D. Hardcode each web instance private IP in the app tier inbound rules
    ✓ Correct answer: C

    Test explanation.

    Why the other options are wrong
    • A. Allow inbound 8080 from 0.0.0.0/0 and rely on the application for authentication is incorrect because it does not provide the required functionality
    • B. Use a NACL on the app subnet that allows the entire VPC CIDR on 8080 is incorrect because it does not provide the required functionality
    • D. Hardcode each web instance private IP in the app tier inbound rules is incorrect because it does not provide the required functionality
  5. Question 5 (Identity and Access Management)

    Which lets a federated CI/identity assume a role for temporary credentials?

    • A. Embedding an IAM user secret
    • B. Using root keys
    • C. Disabling IAM
    • D. OIDC/SAML federation with STS AssumeRole (Correct)
    ✓ Correct answer: D

    Test explanation.

    Why the other options are wrong
    • A. Embedding an IAM user secret is incorrect because it does not provide the required functionality
    • B. Using root keys is incorrect because it does not provide the required functionality
    • C. Disabling IAM is incorrect because it does not provide the required functionality
  6. Question 6 (Data Protection)

    What is the difference between SSE-S3 and SSE-KMS for S3 encryption?

    • A. SSE-KMS stores objects unencrypted
    • B. SSE-S3 is client-side; SSE-KMS is no encryption
    • C. They are identical
    • D. SSE-S3 uses S3-managed keys; SSE-KMS uses KMS keys, giving you key policies, rotation, and CloudTrail auditing of key usage (Correct)
    ✓ Correct answer: D

    Test explanation.

    Why the other options are wrong
    • A. SSE-KMS stores objects unencrypted is incorrect because it does not provide the required functionality
    • B. SSE-S3 is client-side; SSE-KMS is no encryption is incorrect because it does not provide the required functionality
    • C. They are identical is incorrect because it does not provide the required functionality
  7. Question 7 (Data Protection)

    During migration of file shares to Amazon EFS, the team must ensure data is encrypted in transit between clients and the file system. Which control achieves this?

    • A. Use a NACL allowing NFS traffic
    • B. Mount the file system using TLS (the EFS mount helper with the -o tls option / amazon-efs-utils) (Correct)
    • C. Rely solely on EFS at-rest encryption to also cover transit
    • D. Place the mount target in a public subnet
    ✓ Correct answer: B

    Protecting data in transit requires encrypted communication channels such as TLS/HTTPS for client connections and VPN/Direct Connect for hybrid links. TLS encryption protects against man-in-the-middle attacks and eavesdropping of application data. Certificate validation ensures connections are made to legitimate endpoints, preventing impersonation attacks. For AWS hybrid environments, VPN and Direct Connect provide encrypted tunnels for data traveling between on-premises and cloud infrastructure. Disabling certificate validation or using unencrypted protocols like HTTP exposes sensitive data to interception. A comprehensive data protection strategy combines encryption in transit with encryption at rest.

    Why the other options are wrong
    • A. Use a NACL allowing NFS traffic is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • C. Rely solely on EFS at-rest encryption to also cover transit is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • D. Place the mount target in a public subnet is incorrect because it does not provide the specific technical capability required to solve this security scenario.
  8. Question 8 (Security Logging and Monitoring)

    A security team's CloudTrail bill is dominated by S3 data events that log every GetObject across hundreds of low-risk buckets. They must keep auditing object-level access on a few sensitive buckets while cutting cost. What should they do?

    • A. Move all buckets to S3 Glacier so data events stop being generated
    • B. Switch the trail to log management events twice for redundancy
    • C. Use advanced event selectors to log data events only for the specific sensitive bucket ARNs and exclude the rest (Correct)
    • D. Disable the trail entirely to stop all charges
    ✓ Correct answer: C

    This security service provides essential capabilities for protecting sensitive data in AWS environments. The solution involves multiple layers of controls including encryption, access management, and monitoring. Proper implementation requires understanding both the technical capabilities and the compliance requirements driving the design. The service integrates with other AWS security services to provide comprehensive protection. Organizations should evaluate their specific compliance requirements and threat model when selecting between available options.

    Why the other options are wrong
    • A. Move all buckets to S3 Glacier so data events stop being generated is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • B. Switch the trail to log management events twice for redundancy is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • D. Disable the trail entirely to stop all charges is incorrect because it does not provide the specific technical capability required to solve this security scenario.
  9. Question 9 (Threat Detection and Incident Response)

    GuardDuty raised an UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding indicating an EC2 role's temporary credentials were used from an external IP outside AWS. Besides isolating the instance, what immediately limits the stolen credentials' usefulness?

    • A. Attach a deny-all inline policy to the instance role (or revoke active sessions with an AWSRevokeOlderSessions-style policy using a token issue-time condition) (Correct)
    • B. Enable S3 Transfer Acceleration on the application bucket
    • C. Change the instance type to a larger size
    • D. Rotate the EC2 key pair used for SSH
    ✓ Correct answer: A


    Why the other options are wrong
    • B. Enable S3 Transfer Acceleration on the application bucket is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • C. Change the instance type to a larger size is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • D. Rotate the EC2 key pair used for SSH is incorrect because it does not provide the specific technical capability required to solve this security scenario.
  10. Question 10 (Identity and Access Management)

    A developer's IAM permissions allow s3:* but they cannot delete objects in a specific bucket. The bucket policy contains an explicit Deny on s3:DeleteObject for everyone except a cleanup role. Why is the developer denied?

    • A. Bucket policies are ignored when an IAM policy grants s3:*
    • B. An explicit Deny in any applicable policy (including a resource-based bucket policy) always overrides an Allow during evaluation (Correct)
    • C. Identity-based policies cannot grant S3 permissions at all
    • D. s3:* does not include s3:DeleteObject
    ✓ Correct answer: B


    Why the other options are wrong
    • A. Bucket policies are ignored when an IAM policy grants s3:* is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • C. Identity-based policies cannot grant S3 permissions at all is incorrect because it does not provide the specific technical capability required to solve this security scenario.
    • D. s3:* does not include s3:DeleteObject is incorrect because it does not provide the specific technical capability required to solve this security scenario.

AWS SCS-C02 practice exam FAQ

How many questions are in the AWS SCS-C02 practice exam on CertGrid?

CertGrid has 298 practice questions for AWS SCS-C02: Security Specialty, covering 6 exam domains. The real AWS SCS-C02 exam has about 65 questions.

What is the passing score for AWS SCS-C02?

The AWS SCS-C02 exam passing score is 750, and you have about 170 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AWS SCS-C02 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AWS SCS-C02: Security Specialty, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AWS SCS-C02 for free?

Yes. You can start practicing AWS SCS-C02: Security Specialty for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.