Try 10 focused AWS CLF-C02 questions on Security and Compliance, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | AWS CLF-C02 |
| Topic area | Security and Compliance |
| Blueprint weight | 30% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security and Compliance for AWS CLF-C02. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 30% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Security and Compliance
Which statement best describes the primary purpose of AWS Identity and Access Management (IAM)?
Options:
A. It centrally manages multiple AWS accounts, including consolidated billing and account creation.
B. It delivers single sign-on access to multiple AWS accounts and business applications for enterprise users.
C. It securely controls who can sign in to AWS and what actions they can perform on AWS resources.
D. It provides a fully managed directory service compatible with Microsoft Active Directory for applications in AWS.
Best answer: C
Explanation: AWS Identity and Access Management (IAM) is the core AWS service for controlling access to AWS resources. It lets you define who can sign in (authentication) and what they can do (authorization) by assigning permissions to users, groups, and roles. Other account and identity services build on IAM, but IAM itself is the foundation for access control in AWS.
Topic: Security and Compliance
A company runs a public-facing web application on Amazon EC2 behind an Application Load Balancer in a single VPC. The security group and network ACL rules already allow only required ports, but the site is still impacted by large distributed denial-of-service (DDoS) attacks. The operations team wants to improve DDoS protection with minimal ongoing management and without redesigning the network. Which action is the MOST appropriate optimization to meet these goals?
Options:
A. Enable AWS Shield Advanced protection for the Application Load Balancer and configure basic notifications.
B. Replace the Application Load Balancer with a custom proxy EC2 instance running host-based firewall rules.
C. Add detailed deny rules to the network ACLs to block IP addresses seen during previous attacks.
D. Tighten the security group to allow only HTTP and HTTPS traffic from known customer IP address ranges.
Best answer: A
Explanation: DDoS attacks aim to overwhelm an application or its network resources with large amounts of traffic. While security groups and network ACLs control which traffic is allowed, they are not designed to automatically detect and absorb large, distributed attacks.
AWS Shield is a managed DDoS protection service built into AWS. AWS Shield Advanced adds enhanced detection and mitigation, reporting, and support for protected resources such as Application Load Balancers, Amazon CloudFront, and Amazon Route 53. Enabling AWS Shield Advanced directly addresses the DDoS risk while minimizing additional operational work and leaving the existing VPC and access controls in place.
Topic: Security and Compliance
Which TWO of the following statements about data encryption at rest and in transit in the AWS Cloud are NOT correct? (Select TWO.)
Options:
A. Encryption at rest helps protect stored data if someone gains unauthorized access to the underlying storage media.
B. If data is encrypted at rest, there is no need to control who can access it through AWS IAM policies.
C. To use encryption in transit with AWS, customers must always create and manage their own VPN connections.
D. Encryption in transit helps protect data as it travels over networks between users, applications, and AWS services.
E. Many AWS managed services can enable encryption at rest with a setting that uses KMS keys to protect your data.
Correct answers: B and C
Explanation: Encryption at rest protects data stored on disks or other storage so that, if the storage is accessed without authorization, the contents are not easily readable. Encryption in transit protects data as it moves across networks, such as between a user’s browser and an AWS service, reducing the risk of eavesdropping or tampering. These encryption mechanisms work together with, but do not replace, identity and access controls such as AWS IAM policies, which is why statement B is incorrect. Statement C is incorrect because encryption in transit does not require customer-managed VPN connections: AWS service endpoints support TLS (HTTPS) connections directly. AWS also makes it easy to enable encryption at rest on many managed services, often by integrating with AWS Key Management Service (AWS KMS).
Topic: Security and Compliance
Which AWS service specifically provides managed protection against distributed denial of service (DDoS) attacks for applications running on AWS?
Options:
A. AWS Shield
B. Network access control lists (network ACLs)
C. AWS CloudTrail
D. Security groups
Best answer: A
Explanation: AWS Shield is the AWS managed service that provides DDoS protection for applications running on AWS. It is designed to detect and mitigate large-scale traffic floods and other DDoS patterns without customers needing to manually manage complex rules. In contrast, security groups and network ACLs provide basic network access control, and AWS CloudTrail records API calls for auditing, but none of these are dedicated DDoS protection services.
Topic: Security and Compliance
A company runs a web application on Amazon EC2 instances. To allow the application to read objects from a private Amazon S3 bucket, developers currently store long‑lived AWS access keys in the application’s configuration file on each instance. The security team wants to remove hardcoded credentials, reduce manual key rotation, and follow AWS credential management best practices. What is the most appropriate change the company should make?
Options:
A. Create a new IAM user specifically for the application, generate new access keys, and restrict the user by IP address to only allow requests from the EC2 instances.
B. Encrypt the existing access keys with AWS KMS and keep the encrypted values in the configuration file, decrypting them when the application starts.
C. Attach an IAM role to the EC2 instances with a policy that grants only the required S3 permissions, and update the application to use the role’s temporary credentials.
D. Store the existing access keys in an encrypted S3 object and have the application download and cache them in memory when it starts.
Best answer: C
Explanation: The best way to avoid hardcoded AWS credentials on EC2 and reduce manual rotation is to use an IAM role attached to the instances. IAM roles provide temporary security credentials that are automatically rotated and made available to the application through the instance metadata service. This follows AWS best practices for credential management and supports least privilege by attaching only the necessary S3 permissions. As a result, there is no need to store or distribute long‑lived access keys in configuration files or source code.
The alternative options still rely on long‑lived access keys, just stored or protected in different ways. They shift where the keys live but do not eliminate static credentials or automate rotation, so they do not fully satisfy the security team’s goals.
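The two defender-side checks below are an added illustration of this explanation, not code from the IT Mastery page or from AWS. The first scans application configuration text for the long-lived access keys that moving to an instance role removes (long-term IAM user key IDs start with `AKIA`; temporary STS credentials start with `ASIA`). The second builds the EC2 trust policy and a least-privilege permission policy for the role, restricted to `s3:GetObject` on a single bucket, and checks that a candidate policy grants nothing beyond that. The bucket name, key values, and config lines are constructed sample data.

```python
"""Added example: detect hardcoded AWS keys in config text and build/verify a
least-privilege IAM role policy for EC2 -> S3 read access. Sample data is constructed."""
import json
import re

# Long-term IAM user access key IDs begin with "AKIA"; temporary STS key IDs begin with "ASIA".
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet, keyed on the common config name.
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")

# Constructed sample: the 'before' state with static keys in the instance's config file.
SAMPLE_CONFIG_BEFORE = """\
# constructed sample app.conf on an EC2 instance (before the change)
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0
bucket = app-private-assets
"""

# Constructed sample: after attaching an instance role, the config carries no credentials at all.
SAMPLE_CONFIG_AFTER = """\
# constructed sample app.conf after moving to an instance role
[default]
region = us-east-1
bucket = app-private-assets
"""

# Trust policy that lets the EC2 service assume the role (this is the standard EC2 trust relationship).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def scan_config_for_static_keys(config_text):
    """Return (line_number, kind, value) for each static credential found in config text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ACCESS_KEY_RE.search(line)
        if m:
            kind = "long-lived IAM user key" if m.group(1) == "AKIA" else "temporary STS key"
            findings.append((lineno, kind, m.group(0)))
        if SECRET_KEY_RE.search(line):
            # Never echo the secret itself into a report.
            findings.append((lineno, "secret access key", "<redacted>"))
    return findings


def least_privilege_read_policy(bucket):
    """Permission policy for the instance role: read objects from one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def policy_is_least_privilege(policy, bucket):
    """True only if every Allow statement grants at most s3:GetObject on objects in `bucket`."""
    allowed_actions = {"s3:GetObject"}
    allowed_resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a not in allowed_actions for a in actions):
            return False  # e.g. "s3:*" or "s3:PutObject" is broader than the app needs
        if any(r != allowed_resource for r in resources):
            return False  # e.g. "*" or another bucket
    return True


if __name__ == "__main__":
    print("before:", scan_config_for_static_keys(SAMPLE_CONFIG_BEFORE))
    print("after: ", scan_config_for_static_keys(SAMPLE_CONFIG_AFTER))
    policy = least_privilege_read_policy("app-private-assets")
    print(json.dumps(policy, indent=2))
    print("least privilege:", policy_is_least_privilege(policy, "app-private-assets"))
```

The scanner is a heuristic for finding keys that should never have been in a config file; the policy check is the kind of guard a deployment pipeline can apply before attaching a role, so that "use a role" does not quietly become "use a role with `s3:*` on `*`".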
Topic: Security and Compliance
A company is creating a security onboarding guide for teams that launch Amazon EC2 instances. The security architect shares the following summary of responsibilities.
Exhibit:
| Task | Responsible party |
|---|---|
| Securing physical data centers and hardware | AWS |
| Patching the EC2 operating system | Customer |
| Configuring EC2 security groups | Customer |
| Managing customer-managed KMS keys for S3 data | Customer |
A project manager then drafts this statement for the guide:
“For EC2, AWS will handle all security tasks below the application, so our team only needs to manage the application code and data.”
Based on the information in the exhibit, which clarification should the security architect add to correct this misunderstanding?
Options:
A. Clarify that AWS, not the team, is responsible for creating and rotating KMS keys used to encrypt data in Amazon S3.
B. Explain that the team is also responsible for patching the EC2 operating system and configuring security groups; AWS only secures the underlying physical infrastructure.
C. Clarify that the team is also responsible for physically securing the data centers where EC2 hosts run to meet compliance requirements.
D. Confirm that the statement is accurate because AWS is responsible for all security tasks below the application layer for EC2 instances.
Best answer: B
Explanation: The shared responsibility model divides security tasks between AWS and the customer. In the exhibit, AWS is responsible for securing the physical data centers and hardware, while the customer is responsible for tasks such as patching the EC2 operating system, configuring EC2 security groups, and managing customer-managed KMS keys for S3 data.
The project manager’s statement wrongly suggests that AWS handles “all security tasks below the application” for EC2. Rows 2 and 3 of the exhibit show that operating system patching and security group configuration are specifically Customer responsibilities. The best clarification is to correct this misconception by stating that the team must still manage these parts of the stack, while AWS focuses on the underlying infrastructure.
Topic: Security and Compliance
A company is new to AWS and is writing a security responsibilities document for its workloads in the cloud. Which of the following statements about security responsibilities should the company NOT include in this document? (Select TWO.)
Options:
A. AWS automatically classifies all data stored in Amazon S3 buckets and applies the correct access controls for the company.
B. The company is responsible for keeping its custom application code secure, including validating user input and handling user authentication correctly.
C. The company must manage who can sign in to the AWS Management Console and what actions each identity can perform.
D. AWS is responsible for managing user accounts and permissions inside the company’s business applications that run on AWS.
E. The company is responsible for deciding which data is sensitive and configuring IAM policies and S3 bucket policies to protect it.
Correct answers: A and D
Explanation: Under the AWS shared responsibility model, AWS is responsible for the security of the cloud (such as the physical infrastructure, networking, and managed service foundations), while customers are responsible for security in the cloud. Security in the cloud includes tasks like data classification, identity and access management, and application-level security controls. Any statement that shifts these customer responsibilities onto AWS misrepresents the model and should not appear in a security responsibilities document.
Topic: Security and Compliance
A company’s public website hosted on AWS has recently experienced a volumetric DDoS attack. The security team wants a managed AWS solution that automatically helps protect the website from future DDoS attacks with minimal ongoing administration. Which of the following actions or solutions will meet these requirements? (Select TWO.)
Options:
A. Enable AWS Shield Advanced on the Application Load Balancer that fronts the website.
B. Place the website behind an Amazon CloudFront distribution, which automatically receives AWS Shield Standard protection.
C. Add more restrictive rules to the VPC network ACL to block traffic from specific IP addresses.
D. Tighten the inbound rules of the web server’s security group to allow only HTTP and HTTPS traffic.
E. Use AWS Config to monitor security group changes and revert unauthorized updates.
Correct answers: A and B
Explanation: DDoS attacks are large-scale attempts to overwhelm an application or network with traffic. AWS provides specialized, managed DDoS protection through AWS Shield, which is tightly integrated with edge and load-balancing services. While security groups and network ACLs are important for basic access control, they do not automatically detect or mitigate volumetric DDoS attacks. The best answers are the options that use AWS Shield directly or indirectly as a managed DDoS protection layer.
Topic: Security and Compliance
A healthcare startup is launching an app for patients in a single country where laws require that medical records stay within national borders and be auditable for regulators. The company must both keep data in-country and show that its cloud provider meets healthcare compliance standards. Which of the following actions or solutions will meet these requirements? (Select TWO.)
Options:
A. Rely on AWS to automatically move medical records between Regions for resilience, since AWS is responsible for all compliance controls.
B. Deploy patient-data workloads in an AWS Region that is physically located in the required country.
C. Choose the AWS Region with the lowest pricing, even if it is located outside the patient’s country.
D. Use Amazon CloudFront so that all medical records are cached at edge locations around the world for faster global access.
E. Use AWS Artifact to download AWS compliance reports and certifications to share with internal auditors and regulators.
Correct answers: B and E
Explanation: Compliance requirements often depend on both geography and industry, such as healthcare data needing to stay within a specific country and meeting strict audit requirements. In this scenario, the organization must ensure data residency by choosing an appropriate AWS Region and must also provide evidence that AWS itself meets relevant compliance standards.
Deploying the workload in an AWS Region located in the required country directly addresses the geographic data residency law. Using AWS Artifact gives the company access to AWS compliance reports and certifications that can be shared with auditors and regulators, helping demonstrate that AWS services used are built on compliant infrastructure.
Other choices either ignore the geographic legal requirement, inappropriately spread sensitive data across borders, or misunderstand the shared responsibility model by assuming AWS alone handles all compliance duties for customer data and workloads.
Topic: Security and Compliance
Which of the following are AWS-authored resources that provide official security best-practice guidance? (Select TWO.)
Options:
A. Unreviewed answers on general-purpose developer forums
B. Tutorial videos from third-party training channels with no AWS review
C. AWS security whitepapers published on the official AWS website
D. AWS Well-Architected Framework: Security Pillar documentation
E. Articles on an independent community-run AWS blog
Correct answers: C and D
Explanation: AWS publishes official security guidance so customers can follow consistent best practices when securing workloads in the cloud. Key examples include the AWS Well-Architected Framework, especially the Security Pillar, and AWS-authored security whitepapers available on the AWS website. While community blogs, forums, and third-party videos can supplement learning, they are not authoritative sources of AWS security best practices.
Use the AWS CLF-C02 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the AWS CLF-C02 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.