Free · 6 practice questions · Cybersecurity

AWS Certified Security - Specialty practice questions.

6 scenario-based questions covering every domain on the exam blueprint. Original DecipherU writing with primary-source citations, not exam-question mimicry. Free to read. Pair with the $147 cert-prep add-on for domain reviews and exam-day strategy.

Read the AWS Certified Security - Specialty exam overview See parent course

Layered on cloud security fundamentals

AWS Certified Security - Specialty Exam Prep Add-On

AWS Certified Security - Specialty (SCS-C02) exam-ready ramp on top of Cloud Security Fundamentals. Six domain reviews mapped to the official AWS exam guide, three full-length mock exams with scaled scoring, and hands-on labs in the AWS free tier.

Buy the prep · $147 See parent course

Question 1 of 6Domain · Threat Detection and Incident Response

A security engineer needs continuous threat detection across CloudTrail, VPC Flow Logs, DNS logs, and EKS audit logs in a multi-account AWS Organization, with findings centralized in a security account. Which combination is the canonical AWS-native fit?

Pick a letter to enable reveal

Question 2 of 6Domain · Security Logging and Monitoring

A compliance auditor must verify that CloudTrail log files have not been tampered with. Which CloudTrail feature provides cryptographic verification?

Pick a letter to enable reveal

Question 3 of 6Domain · Infrastructure Security

A team has a private RDS database accessed only from one application subnet. The application must reach the RDS endpoint without traffic traversing the public internet. Which AWS feature best ensures this?

Pick a letter to enable reveal

Question 4 of 6Domain · Identity and Access Management

An IAM principal needs to assume a role in another AWS account. The cross-account role trust policy must allow only this specific principal and only when an external ID is supplied. Which IAM construct enforces both constraints?

Pick a letter to enable reveal

Question 5 of 6Domain · Data Protection

A team encrypts S3 objects with SSE-KMS using a customer managed key. They need an automated way to detect any object stored without that specific KMS key (for example, an object accidentally written with SSE-S3 instead). Which AWS feature fits?

Pick a letter to enable reveal

Question 6 of 6Domain · Management and Security Governance

An organization wants to prevent any account in a specific Organizational Unit from creating internet-facing load balancers. Which AWS Organizations feature implements that constraint?

Pick a letter to enable reveal

Liked these 6? Get the full prep.

AWS Certified Security - Specialty Exam Prep Add-On

Adds exam-blueprint domain reviews, exam-day strategy, the authorized study resources, and the gated practice scenarios behind purchase. $147 on top of the parent course. Verified against the official blueprint 2026-05-22.

Buy the prep · $147 Today's daily question

Other cert practice sets. Sixteen more cert-prep modules ship with practice question sets:

Get cybersecurity career insights delivered weekly

Join cybersecurity professionals receiving weekly intelligence on threats, job market trends, salary data, and career growth strategies.

By subscribing you agree to our privacy policy. Unsubscribe anytime.