SEC AWS Security and Compliance Architecture - SAP-C02 Practice Questions

Design layered security with IAM, KMS, CloudTrail, Config, GuardDuty, Security Hub, Inspector, Macie, WAF, Shield, and audit evidence.

15 Questions Available
3 Exam Domains


SAP-C02 Security & Compliance Question Bank (15 Questions)

Browse all 15 practice questions covering AWS Security and Compliance Architecture for the SAP-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Design Solutions for Organizational Complexity)

    A company is designing a centralized security account that must collect security findings from all member accounts. GuardDuty, Security Hub, and AWS Config are all in use. What is the RECOMMENDED multi-account aggregation approach?

    A. Configure each service independently with cross-account IAM roles in the security account
    B. Use AWS Organizations integration: designate the security account as delegated administrator for GuardDuty, Security Hub, and AWS Config Aggregator
    C. Use Amazon Macie in the security account to aggregate all findings
    D. Forward all findings to CloudWatch Logs via Lambda functions in each account

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2 (Design Solutions for Organizational Complexity)

    A company wants to delegate the management of security services (GuardDuty, Security Hub, Macie) to a dedicated security account without giving it access to other accounts' resources. Which feature supports this?

    A. Cross-account IAM roles with full admin permissions
    B. AWS Organizations delegated administrator for each security service, scoped to security-specific APIs only
    C. Create the security account as the management account
    D. Use AWS Config aggregator in the security account

  3. Question 3 (Design Solutions for Organizational Complexity)

    A global company requires all new AWS accounts provisioned for development teams to automatically have AWS Config, CloudTrail, and security baselines configured. Which AWS service automates this with guardrails?

    A. AWS Service Catalog
    B. AWS Control Tower
    C. AWS Organizations alone
    D. AWS CloudFormation StackSets triggered manually

  4. Question 4 (Design Solutions for Organizational Complexity)

    A large enterprise with 200 AWS accounts wants to ensure that no account can disable AWS CloudTrail or modify VPC Flow Logs. Which mechanism enforces these controls at the organizational level?

    A. AWS Config conformance packs deployed to all accounts
    B. IAM permission boundaries on all IAM roles
    C. AWS Organizations Service Control Policies (SCPs)
    D. AWS Security Hub automated standards

  5. Question 5 (Design Solutions for Organizational Complexity)

    A large enterprise has 50 AWS accounts managed under AWS Organizations. The security team needs to prevent any account from disabling AWS CloudTrail logs. What is the MOST efficient approach?

    A. Apply an IAM policy in each account denying cloudtrail:StopLogging
    B. Attach a Service Control Policy (SCP) at the root or OU level denying cloudtrail:StopLogging
    C. Enable AWS Config rule cloudtrail-enabled in each account
    D. Use AWS Security Hub to detect and auto-remediate CloudTrail disabling

  6. Question 6 (Design for New Solutions)

    A company is building a multi-tier application on AWS. The web tier must communicate with the application tier securely. How should the security groups be configured?

    A. Allow all inbound traffic from 0.0.0.0/0 to the application tier
    B. Configure the application tier security group to allow inbound traffic only from the web tier security group ID
    C. Use ACLs to restrict traffic between tiers based on IP ranges
    D. Place all tiers in the same security group

  7. Question 7 (Continuous Improvement for Existing Solutions)

    A company wants to reduce time spent on security incident investigation. They need all CloudTrail events across accounts correlated with a centralized SIEM. What is the MOST appropriate approach?

    A. Export CloudTrail logs from each account to individual S3 buckets
    B. Configure a CloudTrail organization trail, stream events via Kinesis Data Firehose to a centralized S3 bucket and SIEM
    C. Use AWS Security Hub to replace the SIEM
    D. Install security agents on all EC2 instances

  8. Question 8 (Design Solutions for Organizational Complexity)

    A company is implementing account vending through AWS Control Tower. The security team wants every new account to automatically have a GuardDuty detector enabled. How should this be implemented?

    A. Manually enable GuardDuty in each new account after creation
    B. Use Control Tower's Account Factory Customization (AFC) with AWS Lambda or CloudFormation templates to enable GuardDuty as part of account provisioning
    C. Use an SCP to require GuardDuty
    D. Enable GuardDuty at the Organizations level with delegated administration

  9. Question 9 (Design Solutions for Organizational Complexity)

    An organization wants to centralize all VPC Flow Logs from 40 accounts for security analysis. What is the MOST automated approach with minimum per-account configuration?

    A. Deploy a Lambda function in each account to push Flow Logs to the central account
    B. Use AWS Organizations with CloudFormation StackSets to deploy VPC Flow Logs configuration and Kinesis Firehose destinations pointing to the central logging account
    C. Use CloudTrail to capture all Flow Log data
    D. Enable VPC Flow Logs manually in each account

  10. Question 10 (Design Solutions for Organizational Complexity)

    A company uses AWS Config in all accounts. They need aggregated compliance reports across all accounts from a single view. How should this be configured?

    A. Connect to each account individually and export reports
    B. Create an AWS Config aggregator in the management account (or delegated admin account) with Organizations as the source
    C. Use AWS Security Hub as a Config replacement
    D. Deploy AWS Config dashboards in each account and share manually

  11. Question 11 (Design Solutions for Organizational Complexity)

    A company has 500 AWS accounts. They need to run a custom compliance check on all accounts monthly. The check requires read-only access to resource configurations. What is the MOST scalable approach?

    A. Create IAM users with read-only access in all 500 accounts
    B. Create a cross-account IAM role (ReadOnlyAccess) in all accounts via CloudFormation StackSets, trusted by the compliance account; run compliance checks by assuming these roles
    C. Use AWS Trusted Advisor for all compliance checks
    D. Export all Config data to S3 and analyze offline

  12. Question 12 (Design Solutions for Organizational Complexity)

    An enterprise has different compliance requirements for each department, stored in separate OUs (Finance: PCI-DSS, Healthcare: HIPAA, Generic: SOC2). How should AWS Config Conformance Packs be deployed?

    A. Deploy one generic Conformance Pack to all accounts
    B. Deploy appropriate Conformance Packs to each OU via CloudFormation StackSets or Organizations-level Config deployment: PCI-DSS pack to Finance OU, HIPAA pack to Healthcare OU, SOC2 pack to the root
    C. Manually configure each account with appropriate rules
    D. Use a single customized rule that handles all compliance frameworks

  13. Question 13 (Continuous Improvement for Existing Solutions)

    A company's application uses long-running EC2 instances that are manually patched. This creates configuration drift and compliance issues. What automated improvement should be implemented?

    A. Create a patching script that runs weekly
    B. Implement an immutable infrastructure pattern: use EC2 Image Builder to create new AMIs with patches applied, replace instances with new ones using Auto Scaling rolling updates
    C. Enable AWS Systems Manager Patch Manager for automated patching
    D. Use AWS Config to detect unpatched instances

  14. Question 14 (Continuous Improvement for Existing Solutions)

    A company wants to implement continuous compliance monitoring and automatic remediation for their S3 buckets. What specific Config rules and remediation actions are needed?

    A. Enable S3 versioning only
    B. Enable Config rules: s3-bucket-public-read-prohibited, s3-bucket-server-side-encryption-enabled, s3-bucket-logging-enabled; configure SSM Automation for automatic remediation of each rule
    C. Use Macie for all S3 compliance
    D. Enable S3 Block Public Access at account level

  15. Question 15 (Continuous Improvement for Existing Solutions)

    A company uses S3 for storing customer data. A security audit finds that 15% of objects are not encrypted. What is the MOST efficient way to enforce encryption on existing and future objects?

    A. Manually re-upload all unencrypted objects
    B. Enable S3 default encryption on the bucket (SSE-KMS) and run a batch operation to re-encrypt existing objects
    C. Create an SCP denying unencrypted S3 uploads
    D. Configure a Lambda to encrypt objects on upload


Key Security & Compliance Concepts for SAP-C02

security, compliance, cloudtrail, config, guardduty, security hub, inspector, macie, audit, controls

SAP-C02 Security & Compliance Exam Tips

AWS Security and Compliance Architecture questions in SAP-C02 are typically scenario-based. Focus on enterprise-scale multi-account architecture, governance, and modernization strategies. Priority concepts: security, compliance, cloudtrail, config, guardduty, security hub.

What SAP-C02 Expects

  • Anchor your answer in future-proof designs that support organizational complexity and migration realities.
  • Security & Compliance scenarios for SAP-C02 are frequently mapped to Domain 1 (26%), Domain 2 (29%), Domain 3 (25%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Security & Compliance interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and vendor best practices.

High-Value Security & Compliance Concepts

  • Know the core Security & Compliance building blocks cold: security, compliance, cloudtrail, config.
  • Review the edge-case features and limits for guardduty, security hub; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Security & Compliance pairs with IAM, KMS, WAF & Shield, Organizations in real deployment patterns.
  • For SAP-C02, explain why the chosen Security & Compliance design meets reliability, security, and cost expectations better than the alternatives.

Common SAP-C02 Traps

  • Watch for answers that work for a single account but fail at organizational scale.
  • Questions in Design Solutions for Organizational Complexity often include distractors that look correct for Security & Compliance but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Security & Compliance implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Solutions for Organizational Complexity (26%) outcomes for SAP-C02?
  • Can you explain security and access boundaries for Security & Compliance without relying on default-open assumptions?
  • Can you describe how Security & Compliance integrates with IAM and KMS during failure, scaling, and monitoring events?
