Governance & Compliance Flashcards

Test your knowledge of Organizations, SCPs, Config, Control Tower, and security governance patterns.

About This Flashcard Deck

This flashcard deck contains 10 cards covering key Governance & Compliance concepts for the SCS-C02 exam. Test your knowledge of Organizations, SCPs, Config, Control Tower, and security governance patterns. Use active recall by attempting to answer each question before revealing the answer. Research shows that flashcard-based active recall is one of the most effective study techniques for certification exams.


All Governance & Compliance Flashcards

1

Q: What is the difference between preventive and detective controls?

A: Preventive: stop actions before they happen (SCPs, permission boundaries). Detective: identify violations after they occur (Config rules, Security Hub). Use both for defense-in-depth.

2

Q: What are common SCP deny patterns?

A: Deny leaving the organization, deny disabling CloudTrail/GuardDuty/Config, deny access to unused regions (with a NotAction exemption for global services such as IAM, STS, and Organizations so the condition cannot lock you out), deny root user actions, and require encryption on S3 uploads. SCPs only filter permissions, never grant them, and they do not apply to the management account.

3

Q: What is a Control Tower guardrail (now called a control)?

A: A governance rule that Control Tower applies at the OU level. Preventive controls are implemented as SCPs, detective controls as Config rules, and proactive controls as CloudFormation hooks that block non-compliant resources before they are provisioned. Each control is mandatory, strongly recommended, or elective.

4

Q: What is a Config aggregator?

A: Collects configuration and compliance data from multiple accounts and regions into one aggregator account, giving an organization-wide compliance view. It only reads results: the Config recorder and the rules must still exist in each source account (organization Config rules can deploy them centrally).

5

Q: What is Firewall Manager prerequisite?

A: Requires AWS Organizations with all features enabled, a Firewall Manager administrator account, and Config enabled in all managed accounts.

6

Q: How do you enforce MFA for specific operations?

A: Use an IAM policy condition on aws:MultiFactorAuthPresent: allow only when it is true, or add a Deny statement for when it is false. Because the key is absent from requests signed with long-term access keys, a Deny must use BoolIfExists; a plain Bool "false" never matches those requests and leaves a gap. Common for S3 delete, IAM changes, and billing.
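To make the SCP deny patterns from card 2 and the MFA caveat from card 6 concrete, here is an added example that is not part of the flashcard deck: a deliberately simplified evaluator for deny-only policies, run against constructed requests. The policies, Sids, account ID, approved regions and request contexts are illustrative assumptions; the evaluator models only the Deny path and a handful of condition operators and is not the IAM policy engine.

```python
"""Simplified deny-only policy evaluator (added example, not AWS code)."""
import fnmatch

# Constructed SCP covering the common deny patterns (all values are assumptions).
SCP_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyDisablingLogging", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "guardduty:DeleteDetector", "config:StopConfigurationRecorder"],
         "Resource": "*"},
        # NotAction exempts global services so the region condition cannot
        # lock administrators out of IAM, STS or Organizations.
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                       "cloudfront:*", "route53:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
        {"Sid": "DenyUnencryptedS3Put", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def mfa_deny_policy(operator):
    """Card 6: 'deny sensitive actions without MFA' written with a given operator."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWithoutMFA", "Effect": "Deny",
         "Action": ["iam:*", "s3:DeleteObject"], "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


MFA_DENY_BOOL = mfa_deny_policy("Bool")                     # looks right, has a gap
MFA_DENY_BOOL_IF_EXISTS = mfa_deny_policy("BoolIfExists")   # the correct form


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' wildcards."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def _condition_holds(cond, ctx):
    """Every (operator, key) pair must hold; only the operators used above are modelled."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            exp = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if op == "Null":                       # "true" means "key is absent"
                if (actual is None) != (exp[0] == "true"):
                    return False
            elif op == "Bool":                     # absent key -> condition is false
                if actual is None or actual.lower() != exp[0].lower():
                    return False
            elif op == "BoolIfExists":             # absent key -> condition is true
                if actual is not None and actual.lower() != exp[0].lower():
                    return False
            elif op == "StringEquals":
                if actual is None or actual not in exp:
                    return False
            elif op == "StringNotEquals":          # negated operator: absent key -> true
                if actual is not None and actual in exp:
                    return False
            elif op == "StringLike":
                if actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in exp):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def denied_by(policy, request):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt and not _matches(stmt["Action"], request["action"]):
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], request["action"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), request):
            return stmt["Sid"]
    return None


# Constructed request contexts: a dev role, the account root, three credential types.
DEV = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Dev"}
ROOT = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
ACCESS_KEY = {"action": "iam:DeleteUser", **DEV}                  # MFA key absent
SESSION_NO_MFA = {"action": "iam:DeleteUser", "aws:MultiFactorAuthPresent": "false", **DEV}
SESSION_MFA = {"action": "iam:DeleteUser", "aws:MultiFactorAuthPresent": "true", **DEV}

if __name__ == "__main__":
    print(denied_by(SCP_GUARDRAILS, {"action": "ec2:RunInstances",
                                     "aws:RequestedRegion": "ap-southeast-1", **DEV}))
    print(denied_by(MFA_DENY_BOOL, ACCESS_KEY), denied_by(MFA_DENY_BOOL_IF_EXISTS, ACCESS_KEY))
```

The request signed with a long-term access key is the case to watch: against MFA_DENY_BOOL it is not denied at all, because a plain Bool against a missing key evaluates to false and the Deny never fires, while MFA_DENY_BOOL_IF_EXISTS denies it. The region statement shows why the NotAction exemption matters, and the root-user statement uses the StringLike pattern on aws:PrincipalArn that AWS documents for that purpose.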

7

Q: What is Audit Manager?

A: Automates evidence collection for compliance audits (SOC 2, PCI, HIPAA). Maps AWS usage data to compliance framework controls automatically.

8

Q: What is the delegated administrator pattern?

A: Management account delegates service administration (GuardDuty, Security Hub, etc.) to a security account. Avoids over-using the management account.

9

Q: How do you enforce encryption everywhere?

A: Layer the controls: SCPs deny requests that omit encryption (for example s3:PutObject without a server-side-encryption header), Config managed rules such as encrypted-volumes, rds-storage-encrypted, and s3-bucket-server-side-encryption-enabled detect existing unencrypted resources, service defaults (S3 default encryption, EBS encryption by default, RDS encryption chosen at creation since it cannot be added later) cover new resources, and Config auto-remediation through SSM Automation fixes violations.

10

Q: How is Service Catalog used for security?

A: Security teams publish pre-approved CloudFormation templates as products in a portfolio, and other teams launch them self-service, so resources start from a vetted baseline. Constraints govern each launch: a launch constraint sets the role Service Catalog assumes (so users need no rights to the underlying resources), plus template, tag update, notification, and stack set constraints.
