
200+ Free AWS Security Specialty Practice Questions

Pass your AWS Certified Security – Specialty (SCS-C02) exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately

~65% pass rate | 200+ questions | 100% free
2026 Statistics

Key Facts: AWS Security Specialty Exam

  • Est. Pass Rate: ~65% (industry estimate)
  • Passing Score: 750/1000 (AWS)
  • Study Time: 100-150 hrs (recommended)
  • Exam Duration: 170 min (AWS)
  • Exam Fee: $300 (AWS)
  • Cert Valid: 3 years (AWS)

The AWS Security Specialty exam has 65 questions in 170 minutes, requiring a scaled score of 750/1000. The exam covers threat detection, incident response, infrastructure security, IAM, and data protection. Recommended prerequisite: 5+ years of IT security experience with 2+ years of hands-on AWS security experience.

Sample AWS Security Specialty Practice Questions

Try these sample questions to test your AWS Security Specialty exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A security team needs to detect potentially malicious activity in their AWS environment, including compromised EC2 instances and unauthorized API calls. Which AWS service should they enable?
A. AWS Config
B. Amazon GuardDuty
C. AWS CloudTrail
D. Amazon Inspector
Explanation: Amazon GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior across your AWS accounts, workloads, and data stored in Amazon S3. It uses machine learning, anomaly detection, and integrated threat intelligence to identify threats like compromised instances, reconnaissance by attackers, and cryptocurrency mining.
2. GuardDuty detected suspicious API calls from a compromised IAM user credential. The security team wants to automatically block access from the source IP and revoke the IAM user's active sessions. What is the recommended approach?
A. Manually delete the IAM user from the console
B. Use Amazon EventBridge to trigger a Lambda function that adds the IP to a NACL deny rule and revokes active sessions
C. Disable the IAM user's access keys in the IAM console
D. Create a support case with AWS to block the IP
Explanation: GuardDuty integrates with Amazon EventBridge to enable automated response workflows. When GuardDuty generates a finding, EventBridge can trigger AWS Lambda functions or Step Functions workflows to automatically remediate threats. The Lambda function can add the malicious IP to a Network ACL deny rule and use the IAM API to revoke all active sessions for the compromised user.
3. A company uses GuardDuty to monitor their multi-account AWS environment. They need to aggregate all GuardDuty findings in a central security account for analysis. Which configuration should they use?
A. Enable GuardDuty in each account and configure S3 bucket replication
B. Use a GuardDuty administrator account with member accounts
C. Create a CloudWatch Logs subscription filter in each account
D. Enable GuardDuty only in the central security account
Explanation: GuardDuty supports a delegated administrator model where you designate an administrator account that automatically has GuardDuty enabled for all member accounts in the AWS Organization. The administrator account can view and manage findings from all member accounts centrally, without needing to enable GuardDuty in each account individually.
4. Which data sources does GuardDuty use by default when enabled for an AWS account?
A. VPC Flow Logs, CloudTrail management events, and Route 53 DNS query logs
B. VPC Flow Logs only
C. CloudTrail data events and S3 access logs
D. GuardDuty requires manual configuration of all data sources
Explanation: GuardDuty automatically analyzes VPC Flow Logs, AWS CloudTrail management event logs, and Route 53 DNS query logs without requiring any additional configuration. These data sources are continuously monitored for threat detection. GuardDuty can also monitor CloudTrail data events, EKS audit logs, and EBS volumes for malware, but some of these may require additional configuration.
5. A security team needs a centralized dashboard to view security findings from multiple AWS security services including GuardDuty, Inspector, and Macie, as well as to check compliance against security standards. Which service should they use?
A. Amazon CloudWatch
B. AWS Security Hub
C. AWS Config
D. Amazon OpenSearch Service
Explanation: AWS Security Hub provides a comprehensive view of your security posture across AWS accounts. It aggregates, organizes, and prioritizes security findings from AWS security services like GuardDuty, Inspector, and Macie, as well as from AWS Partner Network security solutions. Security Hub also runs automated compliance checks against industry standards like the CIS AWS Foundations Benchmark.
6. Security Hub is configured in an organization with a delegated administrator account. Where should security standards and controls be enabled to apply across all member accounts?
A. Enable standards in each member account individually
B. Enable standards in the Security Hub administrator account for the organization
C. Enable standards in AWS Organizations only
D. Standards must be configured in CloudFormation StackSets
Explanation: When using Security Hub with AWS Organizations, you designate a Security Hub administrator account. From this account, you can enable security standards and controls that automatically apply to all existing and new member accounts. This provides centralized governance without needing to configure each account individually.
7. A security team wants to use Security Hub findings to trigger automated remediation workflows. Which integration mechanism should they use?
A. Direct Lambda function invocation from Security Hub
B. Amazon EventBridge rules reacting to Security Hub findings
C. SNS topics configured in Security Hub settings
D. CloudWatch Alarms based on Security Hub metrics
Explanation: Security Hub sends all findings to Amazon EventBridge (formerly CloudWatch Events). You can create EventBridge rules that match specific finding types and trigger targets like Lambda functions, Step Functions state machines, SNS topics, or Systems Manager Automation documents for automated remediation.
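Questions 2 and 7 both describe the same pattern: a finding lands in EventBridge, a rule matches it, and a Lambda target performs the remediation. The following Python is an added example written for this page, not code from the practice site or from AWS. It models that flow offline: the EventBridge event pattern a rule would use, a constructed GuardDuty finding event, and a handler that turns the finding into the parameter dicts for the boto3 calls (NACL deny entry, session-revoking inline policy) rather than executing them. NETWORK_ACL_ID, DENY_RULE_NUMBER, the user name and the access key id are constructed placeholders. It goes one step beyond the page by also planning deactivation of the compromised long-term access key, because the aws:TokenIssueTime condition only affects temporary credentials.

```python
"""Automated GuardDuty response via EventBridge and Lambda (added example, not from the page)."""
import ipaddress
import json
from datetime import datetime, timezone

# EventBridge event pattern for the rule. The numeric form is EventBridge content-filter syntax.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

NETWORK_ACL_ID = "acl-0123456789abcdef0"  # assumption: NACL of the affected subnet (placeholder id)
DENY_RULE_NUMBER = 100                    # assumption: must sort before any allow rule that would match

# Constructed event in the shape EventBridge delivers for a GuardDuty finding (abbreviated).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 8,
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userType": "IAMUser", "userName": "app-deploy",
                                          "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
        "service": {"action": {"actionType": "AWS_API_CALL",
                               "awsApiCallAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}


def matches_rule(event, pattern=EVENT_PATTERN):
    """Minimal evaluation of EVENT_PATTERN: exact source/detail-type match plus the severity threshold."""
    if event.get("source") not in pattern["source"] or event.get("detail-type") not in pattern["detail-type"]:
        return False
    threshold = pattern["detail"]["severity"][0]["numeric"][1]
    return float(event.get("detail", {}).get("severity", 0)) >= threshold


def remote_ip(detail):
    """Remote IPv4 address from an API-call or network finding; None if absent or malformed."""
    action = detail.get("service", {}).get("action", {})
    for key in ("awsApiCallAction", "networkConnectionAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            try:
                return str(ipaddress.IPv4Address(ip))  # never build a CIDR from unvalidated text
            except ipaddress.AddressValueError:
                return None
    return None


def plan_response(event, now=None):
    """Return the boto3 calls (as parameter dicts) a handler would make for this finding."""
    if not matches_rule(event):
        return {"actions": []}
    detail = event["detail"]
    now = now or datetime.now(timezone.utc)
    plan = {"finding_type": detail.get("type"), "actions": []}

    ip = remote_ip(detail)
    if ip:
        # ec2.create_network_acl_entry(**plan["nacl_entry"]): deny all inbound traffic from the IP.
        plan["nacl_entry"] = {"NetworkAclId": NETWORK_ACL_ID, "RuleNumber": DENY_RULE_NUMBER,
                              "Protocol": "-1", "RuleAction": "deny", "Egress": False,
                              "CidrBlock": f"{ip}/32"}
        plan["actions"].append("create_network_acl_entry")

    res = detail.get("resource", {})
    keys = res.get("accessKeyDetails", {})
    if res.get("resourceType") == "AccessKey" and keys.get("userType") == "IAMUser":
        # iam.put_user_policy(UserName=..., PolicyName="AWSRevokeOlderSessions", PolicyDocument=json.dumps(...)):
        # temporary credentials issued before `now` are denied every action.
        plan["user_name"] = keys["userName"]
        plan["revoke_policy"] = {"Version": "2012-10-17", "Statement": [{
            "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": now.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}
        plan["actions"].append("put_user_policy")
        if keys.get("accessKeyId"):
            # iam.update_access_key(**plan["deactivate_key"]): long-term keys carry no token issue time,
            # so the deny policy above does not stop them; the key itself has to be deactivated.
            plan["deactivate_key"] = {"UserName": keys["userName"], "AccessKeyId": keys["accessKeyId"],
                                      "Status": "Inactive"}
            plan["actions"].append("update_access_key")
    return plan


def lambda_handler(event, context=None):
    """Lambda entry point: in a deployment, replace the plan with the boto3 calls it names."""
    return {"statusCode": 200, "body": json.dumps(plan_response(event))}
```

The plan is deliberately the only output: reviewing the parameter dicts before wiring in boto3 is the safest way to test a remediation function, and it keeps the handler idempotent-friendly (a second run produces the same NACL entry and policy, which the real calls would reject or overwrite harmlessly).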
8. A company needs to track all API calls made to their AWS account, including the identity of the caller, the time of the call, and the source IP address. Which service should they use?
A. Amazon CloudWatch
B. AWS CloudTrail
C. VPC Flow Logs
D. AWS Config
Explanation: AWS CloudTrail records AWS API calls made on your account and delivers log files containing information about each API call, including the identity of the caller (IAM user or role), the time of the call, the source IP address, the request parameters, and the response elements. This provides a complete audit trail of account activity.
9. A security team wants to capture API activity for object-level operations in S3, such as GetObject and PutObject calls. Which CloudTrail feature should they enable?
A. CloudTrail management events
B. CloudTrail data events
C. CloudTrail Insights events
D. VPC Flow Logs for S3
Explanation: CloudTrail data events capture object-level API activity on resources, such as Amazon S3 object-level API activity (GetObject, PutObject, DeleteObject) and Lambda function invocation activity. Management events capture control plane operations like creating or deleting buckets, while data events capture the actual data access operations.
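To make the fields in questions 8 and 9 concrete, here is an added Python example (written for this page, not taken from the practice site or from AWS) that parses a constructed CloudTrail log file. It pulls out the caller, time and source IP that CloudTrail records for every call, separates the object-level S3 data events from management events, and runs a small detection over the records: source IPs that accumulate several AccessDenied results, a common sign of a credential being tried against APIs it was never granted. The account id, user names, bucket and IP addresses are constructed sample values.

```python
"""Triage of CloudTrail records: who, when, from where; data vs management events (added example)."""
import json
from collections import Counter

ACCOUNT = "111111111111"  # constructed account id


def _rec(time, source, name, ip, user, **extra):
    """Build one constructed CloudTrail record with the fields the page discusses."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}", "userName": user}}
    rec.update(extra)
    return rec


# Constructed log file contents in the {"Records": [...]} envelope CloudTrail delivers to S3.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T12:00:01Z", "s3.amazonaws.com", "CreateBucket", "203.0.113.10", "alice",
         managementEvent=True, readOnly=False, requestParameters={"bucketName": "payroll-exports"}),
    _rec("2024-05-01T12:00:05Z", "s3.amazonaws.com", "GetObject", "198.51.100.23", "app-deploy",
         managementEvent=False, readOnly=True,
         requestParameters={"bucketName": "payroll-exports", "key": "2024/q1.csv"}),
    _rec("2024-05-01T12:01:10Z", "iam.amazonaws.com", "ListUsers", "198.51.100.23", "app-deploy",
         managementEvent=True, readOnly=True, errorCode="AccessDenied"),
    _rec("2024-05-01T12:01:12Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.23", "app-deploy",
         managementEvent=True, readOnly=True, errorCode="AccessDenied"),
    _rec("2024-05-01T12:01:15Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.23", "app-deploy",
         managementEvent=True, readOnly=True, errorCode="AccessDenied"),
]})

S3_OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject"}


def load_records(log_text):
    """Parse a CloudTrail log file and return its records."""
    return json.loads(log_text)["Records"]


def summarize(record):
    """The facts question 8 lists: caller identity, time of call, source IP, plus the API called."""
    ident = record.get("userIdentity", {})
    who = ident.get("arn") or ident.get("userName") or ident.get("type")
    return {"who": who, "when": record["eventTime"], "from": record.get("sourceIPAddress"),
            "what": f'{record["eventSource"]}:{record["eventName"]}'}


def s3_object_activity(records):
    """Object-level S3 calls. These only appear in the trail when data events are enabled (question 9)."""
    return [r for r in records
            if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] in S3_OBJECT_EVENTS]


def denied_calls_by_ip(records, threshold=3):
    """Source IPs with at least `threshold` AccessDenied results: a simple permission-probing signal."""
    counts = Counter(r.get("sourceIPAddress") for r in records if r.get("errorCode") == "AccessDenied")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in recs:
        print(summarize(r))
    print("object-level S3:", [r["eventName"] for r in s3_object_activity(recs)])
    print("denied by IP:", denied_calls_by_ip(recs))
```

Note that the ListBuckets call is an S3 management event, so it is excluded from the object-level list even though its eventSource is S3; that boundary is exactly what the data-events setting controls.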
10. A company needs to ensure their CloudTrail logs are protected from unauthorized modification or deletion. Which combination of controls should they implement?
A. Enable CloudTrail log file validation and store logs in S3 with MFA Delete enabled
B. Enable CloudTrail Insights and use SSE-S3 encryption
C. Enable log file validation only
D. Store logs in a separate AWS account with read-only access
Explanation: CloudTrail log file validation creates a digitally signed digest file for each log file, allowing you to verify that log files have not been modified. Storing logs in S3 with MFA Delete provides an additional layer of protection against accidental or malicious deletion. Together, these controls ensure log integrity and availability.
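The following Python is an added example for question 10, written for this page and not taken from the practice site or from AWS. It implements the hash side of CloudTrail log file validation: a digest lists the SHA-256 of every log file it covers and names the previous digest together with its hash, so digests form a chain back to the first one. The example treats hashValue and previousDigestHashValue as hashes of the decompressed file contents, which is how I read the digest file reference; check that against the current AWS documentation before relying on it. The digest's RSA signature is not verified here, since that needs the region's CloudTrail public key (ListPublicKeys), which is unavailable offline. Bucket name, object keys and records are constructed; the tamper and delete cases show what validation catches and where MFA Delete has to take over.

```python
"""Hash checks from CloudTrail log file validation (added example, not from the page)."""
import gzip
import hashlib
import json

BUCKET = "example-trail-logs"  # constructed
LOG_KEY = ("AWSLogs/111111111111/CloudTrail/us-east-1/2024/05/01/"
           "111111111111_CloudTrail_us-east-1_20240501T1200Z_a1b2c3.json.gz")
PREV_DIGEST_KEY = ("AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/05/01/"
                   "111111111111_CloudTrail-Digest_us-east-1_mgmt_us-east-1_20240501T110000Z.json.gz")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: dict) -> dict:
    """objects maps 'bucket/key' to the gzipped bytes as downloaded from S3.
    Returns a status per listed log file and a status for the link to the previous digest."""
    files = {}
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        blob = objects.get(key)
        if blob is None:
            files[key] = "MISSING"           # a log that vanished is as serious as one that changed
        elif entry.get("hashAlgorithm") != "SHA-256":
            files[key] = "UNSUPPORTED_HASH"
        elif sha256_hex(gzip.decompress(blob)) == entry["hashValue"]:
            files[key] = "ok"
        else:
            files[key] = "MODIFIED"
    chain = "first"  # the first digest of a trail has no predecessor
    if digest.get("previousDigestHashValue"):
        prev = objects.get(f'{digest["previousDigestS3Bucket"]}/{digest["previousDigestS3Object"]}')
        chain = ("ok" if prev is not None and sha256_hex(gzip.decompress(prev)) == digest["previousDigestHashValue"]
                 else "BROKEN")
    return {"files": files, "chain": chain}


def build_sample():
    """Constructed: one log file holding a DeleteTrail record, a previous digest, and the current digest."""
    log_json = json.dumps({"Records": [{"eventTime": "2024-05-01T11:58:00Z",
                                        "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
                                        "sourceIPAddress": "198.51.100.23",
                                        "userIdentity": {"type": "IAMUser", "userName": "app-deploy"}}]}).encode()
    prev_digest_json = json.dumps({"awsAccountId": "111111111111", "digestEndTime": "2024-05-01T11:00:00Z",
                                   "logFiles": []}).encode()
    objects = {f"{BUCKET}/{LOG_KEY}": gzip.compress(log_json),
               f"{BUCKET}/{PREV_DIGEST_KEY}": gzip.compress(prev_digest_json)}
    digest = {
        "awsAccountId": "111111111111",
        "digestStartTime": "2024-05-01T11:00:00Z",
        "digestEndTime": "2024-05-01T12:00:00Z",
        "previousDigestS3Bucket": BUCKET,
        "previousDigestS3Object": PREV_DIGEST_KEY,
        "previousDigestHashValue": sha256_hex(prev_digest_json),
        "previousDigestHashAlgorithm": "SHA-256",
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": LOG_KEY, "hashValue": sha256_hex(log_json),
                      "hashAlgorithm": "SHA-256", "oldestEventTime": "2024-05-01T11:58:00Z",
                      "newestEventTime": "2024-05-01T11:58:00Z"}],
    }
    return digest, objects


def demo():
    """Validate the clean set, then the same digest against a rewritten log and a deleted log."""
    digest, objects = build_sample()
    clean = verify_digest(digest, objects)
    rewritten = dict(objects)
    rewritten[f"{BUCKET}/{LOG_KEY}"] = gzip.compress(b'{"Records": []}')   # DeleteTrail record gone
    deleted = {k: v for k, v in objects.items() if k != f"{BUCKET}/{LOG_KEY}"}
    return clean, verify_digest(digest, rewritten), verify_digest(digest, deleted)


if __name__ == "__main__":
    for label, result in zip(("clean", "rewritten", "deleted"), demo()):
        print(label, result)
```

The deleted case is why the question pairs validation with MFA Delete: the digest can prove a log file is gone, but only the bucket's delete protection can keep it from going.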

About the AWS Security Specialty Exam

The AWS Certified Security – Specialty (SCS-C02) validates advanced skills in securing AWS workloads. It covers incident response, logging and monitoring, infrastructure security, identity and access management, and data protection across the AWS cloud platform.

  • Questions: 65 scored questions
  • Time Limit: 170 minutes
  • Passing Score: 750/1000
  • Exam Fee: $300 (AWS)

AWS Security Specialty Exam Content Outline

  • Threat Detection & Incident Response (22%): GuardDuty, Security Hub, Detective, incident response runbooks, forensics, and automated remediation
  • Security Logging & Monitoring (22%): CloudTrail, CloudWatch, VPC Flow Logs, Config, and centralized logging architectures
  • Infrastructure Security (20%): VPC security, WAF, Shield, network firewalls, edge security, and host-based protection
  • Identity & Access Management (20%): IAM policies, roles, federation, SSO, Organizations, SCPs, and cross-account access
  • Data Protection (16%): KMS, CloudHSM, certificate management, encryption at rest/in transit, secrets management, and Macie

How to Pass the AWS Security Specialty Exam

What You Need to Know

  • Passing score: 750/1000
  • Exam length: 65 questions
  • Time limit: 170 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AWS Security Specialty Study Tips from Top Performers

1. Master IAM policy evaluation logic: understand how explicit deny, implicit deny, and allow interact
2. Know KMS key types, key policies, grants, and encryption context usage
3. Study GuardDuty findings and automated remediation with EventBridge and Lambda
4. Understand cross-account access patterns: resource-based policies, roles, and Organizations SCPs
5. Practice VPC security architectures: NACLs, security groups, VPC endpoints, and PrivateLink
6. Review incident response procedures and forensics best practices on AWS

Frequently Asked Questions

What is the AWS Security Specialty pass rate?

The estimated pass rate is approximately 65%. The exam requires a scaled score of 750/1000 with 65 questions in 170 minutes. It is considered one of the more challenging AWS specialty exams.

What prerequisites do I need?

AWS recommends 5+ years of IT security experience and 2+ years of hands-on AWS security experience. While no formal prerequisite exam is required, holding AWS Solutions Architect or SysOps Administrator certifications is helpful.

How long should I study?

Most candidates study for 2-3 months, investing 100-150 hours. Focus on hands-on labs with GuardDuty, Security Hub, KMS, and IAM policy evaluation. Practice with scenario-based questions.

What AWS services are most important?

Core services: IAM (policies, roles, federation), KMS (encryption), GuardDuty (threat detection), Security Hub (compliance), CloudTrail (audit), WAF/Shield (edge protection), and VPC security features.