🎯 SCS-C02 Free Practice Exam

Simulate the real AWS Security Specialty exam with 65 questions and a 170-minute timer. Covers all SCS-C02 domains.

65Questions
170Minutes
750Passing Score
FreePrice

Real exam simulation with countdown timer.

65 questions · 170-minute exam format · opens existing quiz flow

SCS-C02 Mock Exam Questions (Page 1 of 3)

Preview the questions first, then start in timed or study mode.

  1. Question #1Domain 1

    An AWS environment has been compromised. GuardDuty raises a finding of type 'UnauthorizedAccess:IAMUser/MaliciousIPCaller'. The IR team wants to immediately prevent the compromised IAM user from making further API calls without deleting the user. Which action should they take first?

    ADelete the IAM user's access keys
    BRotate the IAM user's password
    CAttach an explicit Deny policy to the IAM user to revoke all permissions
    DDisable the IAM user's MFA device
  2. Question #2Domain 1

    A security analyst receives a GuardDuty finding that an EC2 instance is communicating with a cryptocurrency mining pool. As part of incident response, the analyst must preserve forensic evidence. Which FIRST step maintains evidence integrity?

    ATerminate the instance immediately
    BIsolate the instance by modifying its security group to block all traffic and take an EBS snapshot
    CCreate an AMI of the instance and terminate it
    DRestore the instance from the last known good backup
  3. Question #3Domain 1

    A company wants to centralize security findings from multiple AWS accounts and services (GuardDuty, Inspector, Macie, Config) into a single pane of glass. Which AWS service provides this centralized aggregation?

    AAWS CloudTrail
    BAmazon Detective
    CAWS Security Hub
    DAmazon CloudWatch
  4. Question #4Domain 1

    After a security incident, a forensics team needs to reconstruct the sequence of API calls made by a compromised IAM role over the past 30 days. Which service provides this complete API activity history?

    AAmazon CloudWatch Logs
    BAWS CloudTrail
    CAWS Config change history
    DAmazon GuardDuty
  5. Question #5Domain 2

    A company needs to monitor for configuration changes to AWS resources and receive alerts when critical resources like security groups or IAM policies are modified. Which service detects and records these configuration changes?

    AAWS CloudTrail
    BAmazon CloudWatch Events
    CAWS Config
    DAmazon GuardDuty
  6. Question #6Domain 2

    A security team wants to alert whenever the root account is used to make API calls. Which combination detects and alerts on this?

    AGuardDuty finding triggering SNS notification
    BCloudTrail logging to CloudWatch Logs with a Metric Filter, CloudWatch Alarm, and SNS
    CAWS Config rule triggering EventBridge and Lambda alert
    DSecurity Hub finding triggering email notification
  7. Question #7Domain 2

    A company stores application logs in Amazon S3. The security team needs to detect when sensitive data (credit card numbers, SSNs) is accidentally written to these log buckets. Which AWS service provides automated PII detection?

    AAmazon GuardDuty
    BAmazon Macie
    CAmazon Inspector
    DAWS Config
  8. Question #8Domain 2

    A company requires that all VPC network traffic metadata be retained for 1 year at minimal cost for compliance auditing. Which approach achieves the best cost-performance balance?

    AEnable VPC Flow Logs to CloudWatch Logs
    BEnable VPC Flow Logs to Amazon S3 with a Lifecycle policy transitioning to Glacier after 30 days
    CStream VPC Flow Logs to Kinesis Data Firehose and store in DynamoDB
    DUse Traffic Mirroring to capture all packets to S3
  9. Question #9Domain 3

    A company's web application is being targeted by a large-scale Layer 7 HTTP flood DDoS attack. Which AWS service provides intelligent Layer 7 DDoS protection with custom rules to mitigate this attack?

    AAWS Shield Standard
    BAWS WAF with rate-based rules
    CAWS Shield Advanced
    DAmazon CloudFront alone
  10. Question #10Domain 3

    A company deploys applications on Amazon EC2. Developers need SSH access to instances for debugging. The security team wants to eliminate bastion hosts and remove the need for port 22 to be open. Which solution achieves this?

    AUse AWS Direct Connect for SSH tunneling
    BAWS Systems Manager Session Manager
    CAWS CloudShell for EC2 access
    DAWS Client VPN with MFA
Page 1 of 3

What's Included

Full-length 65-question exam simulating SCS-C02
170-minute countdown timer matching the real exam
Questions across all 6 domains weighted by exam blueprint
Instant scoring with detailed answer explanations
Pass/fail result at 750/1000 threshold

Domain Coverage

Our mock exam covers all 6 SCS-C02 domains in proportions that match the real exam.

Domain 1: Threat Detection & Incident Response14%
Domain 2: Security Logging & Monitoring18%
Domain 3: Infrastructure Security20%
Domain 4: Identity & Access Management16%
Domain 5: Data Protection18%
Domain 6: Management & Security Governance14%

Frequently Asked Questions

How many questions are on the SCS-C02 exam?

The SCS-C02 exam has 65 questions to be completed in 170 minutes.

What is the passing score for SCS-C02?

The passing score is 750 out of 1000 on a scaled scoring system (100–1000 range).

Is this mock exam free?

Yes, this mock exam is completely free with unlimited retakes. Each attempt draws from our 500+ question bank with randomized order.

How realistic is this practice exam?

Our mock exam mirrors the real SCS-C02 experience: same question count (65), same time limit (170 min), same passing threshold (750/1000), and coverage across all 6 domains.

Prepare for the Mock Exam

IAM Questions Organizations Questions IAM Identity Center Questions KMS Questions Secrets Manager Questions CloudTrail Questions GuardDuty Questions Security Hub Questions Config Questions S3 Security Questions Macie Questions WAF & Shield Questions📅 7-Day Study Plan📅 30-Day Study Plan
← SCS-C02 Study HubAll SCS-C02 Quizzes