AWS SCS-C03: Security Foundations and Governance

Try 10 focused AWS SCS-C03 questions on Security Foundations and Governance, with explanations, then continue with IT Mastery.

Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.


Topic snapshot

Field | Detail
--- | ---
Exam route | AWS SCS-C03
Topic area | Security Foundations and Governance
Blueprint weight | 14%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Security Foundations and Governance for AWS SCS-C03. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
--- | --- | ---
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Security Foundations and Governance

A security team must deploy the same AWS-native baseline resources, including AWS Config rules and IAM roles, to 120 accounts in AWS Organizations. The deployment must target specific OUs, automatically include future accounts in those OUs, minimize standing cross-account credentials, and keep change history in AWS-native deployment records. Which approach is the BEST security decision?

Options:

  • A. Use AWS Service Catalog portfolios for each OU

  • B. Use CloudFormation StackSets with service-managed permissions

  • C. Create separate CloudFormation stacks manually in each account

  • D. Run a third-party IaC tool from a central admin IAM user

Best answer: B

Explanation: CloudFormation StackSets is the strongest fit for centrally deploying standardized AWS resources across many AWS accounts when the targets are AWS Organizations OUs. With service-managed permissions, StackSets integrates with Organizations trusted access and can automatically deploy stack instances to new accounts added to the selected OUs. This reduces custom cross-account credential handling and keeps deployment status and change history in AWS-native records. Third-party IaC tools can be appropriate for broader multi-cloud workflows or existing standardized pipelines, but the stated requirements favor native OU targeting and automatic account enrollment.

  • Central IAM user weakens least privilege and introduces standing credentials for a broad multi-account deployment.
  • Manual stacks do not scale and fail the requirement to automatically include future accounts.
  • Service Catalog is for governed product provisioning, not the best mechanism for enforcing the same baseline stack across all OU accounts.

Question 2

Topic: Security Foundations and Governance

A company has 60 AWS accounts that were created manually by different application teams. The security team must reduce workload blast radius, deploy baseline controls consistently to new accounts, provide auditors with centralized compliance evidence, and route findings to a central SecOps account. Which governance improvement is the best security decision?

Options:

  • A. Move all workloads into one shared account and separate teams by VPC and IAM paths

  • B. Create a central logging account and keep account creation and controls unchanged

  • C. Deploy an AWS Control Tower landing zone with organization-wide baselines and delegated security administration

  • D. Let each team deploy the same CloudFormation templates in its own account manually

Best answer: C

Explanation: The strongest governance improvement is to standardize the multi-account foundation with AWS Organizations and AWS Control Tower. Control Tower supports managed account vending, OU-based preventive and detective controls, and consistent baseline deployment for new and existing accounts. Centralized logging, AWS Config aggregation, and delegated administration for services such as Security Hub help SecOps monitor findings and help auditors collect evidence without depending on each application team’s manual setup. This approach preserves workload isolation while making governance repeatable. A logging-only change improves visibility but does not solve account strategy or control consistency.

  • Single shared account reduces isolation and increases blast radius, which conflicts with the stated requirement.
  • Manual templates may standardize some resources, but they rely on team-by-team execution and do not provide centralized governance.
  • Logging only helps evidence collection but leaves account vending, guardrails, and delegated security operations inconsistent.

Question 3

Topic: Security Foundations and Governance

A company has 75 AWS accounts in AWS Organizations. The security team must deploy the same baseline resources to all production accounts and automatically include new production accounts. Templates must fail deployment if required tags or encryption settings are missing. Application teams must not receive broad administrative permissions. Which is the BEST security decision?

Options:

  • A. Use a CI/CD pipeline to run CloudFormation Guard and deploy CloudFormation StackSets to Organizations OUs.

  • B. Use AWS Config conformance packs to detect missing tags and encryption after deployment.

  • C. Give each application team an admin role to deploy the baseline template in its account.

  • D. Store the template in Amazon S3 and ask account owners to launch it manually.

Best answer: A

Explanation: CloudFormation StackSets with service-managed permissions can deploy standardized infrastructure as code across accounts and OUs in AWS Organizations, including automatic deployment to newly added accounts. CloudFormation Guard adds a preventive control by validating templates against required security rules, such as mandatory tags and encryption settings, before deployment. Running both from a controlled CI/CD pipeline preserves change history and avoids giving application teams broad permissions. This pattern supports consistency, least privilege, and secure governance at organization scale.

  • Admin delegation weakens least privilege because application teams would receive broad permissions they do not need.
  • Detective-only control misses the requirement to fail insecure templates before deployment.
  • Manual launches create drift and do not automatically cover new production accounts.

Question 4

Topic: Security Foundations and Governance

A security team owns a multi-account AWS deployment pipeline that deploys CloudFormation templates for application teams. New compliance requirements state that S3 buckets must block public access and use SSE-KMS, and noncompliant templates must be rejected before stack creation. The team wants centrally versioned rules with minimal pipeline changes. Which action is the BEST security decision?

Options:

  • A. Require manual security approval for every stack update.

  • B. Run CloudFormation Guard in the pipeline with custom security rules.

  • C. Use AWS Config rules to detect noncompliant buckets after deployment.

  • D. Rely on default cfn-lint checks for all template validation.

Best answer: B

Explanation: CloudFormation Guard is designed to validate infrastructure-as-code templates against policy-as-code rules, such as requiring S3 Block Public Access and SSE-KMS before a CloudFormation stack is created. This fits the requirement to reject noncompliant templates early and keep security rules centrally versioned. cfn-lint is useful for template syntax, resource schema, and some best-practice checks, but default linting does not replace explicit organization security policy validation. Detecting drift or noncompliance after deployment is valuable governance, but it misses the stated preventive control requirement.

  • Default linting alone misses the need for custom compliance rules such as mandatory SSE-KMS and public access blocking.
  • Post-deployment detection fails the requirement to reject unsafe templates before stack creation.
  • Manual approvals increase operational burden and do not provide consistent automated policy enforcement.
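As an added illustration of the preventive check described in Question 4 (this is example code, not part of the practice questions or an AWS-supplied ruleset), the following CloudFormation Guard rules encode the two requirements. The rules match on the AWS::S3::Bucket resource type only; no template logical IDs or file names are assumed beyond the placeholders in the comments.

```guard
# Added example: CloudFormation Guard (v2 syntax) rules for the Question 4
# requirements. Illustrative only; not from the practice page or from AWS.
# Typical pipeline step (file names are placeholders):
#   cfn-guard validate --rules s3-baseline.guard --data template.yaml
# A non-zero exit status from cfn-guard is what fails the pipeline stage.

# Select every S3 bucket resource declared in the template.
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Rule 1: all four Block Public Access settings must be present and true.
# A bucket with no PublicAccessBlockConfiguration fails this rule, which is
# the intended preventive behaviour: absence is not treated as compliant.
rule s3_block_public_access when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration {
        BlockPublicAcls == true <<Violation: BlockPublicAcls must be true>>
        BlockPublicPolicy == true <<Violation: BlockPublicPolicy must be true>>
        IgnorePublicAcls == true <<Violation: IgnorePublicAcls must be true>>
        RestrictPublicBuckets == true <<Violation: RestrictPublicBuckets must be true>>
    }
}

# Rule 2: default encryption must be SSE-KMS. An unset BucketEncryption or
# an AES256 (SSE-S3) default both fail this rule.
rule s3_sse_kms when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*] {
        ServerSideEncryptionByDefault.SSEAlgorithm == 'aws:kms' <<Violation: S3 default encryption must be SSE-KMS>>
    }
}
```

Templates that declare no S3 buckets are reported as SKIP for both rules rather than PASS, so a reviewer can distinguish "nothing to check" from "checked and compliant" in the pipeline output.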

Question 5

Topic: Security Foundations and Governance

A security engineer reviews compliance coverage for an AWS Organizations environment.

Exhibit: Audit note

Organization: 45 workload accounts
Security account: AWS Config aggregator = all accounts, all enabled Regions
Observed rule: s3-bucket-public-read-prohibited
Evaluations visible: 6 accounts, us-east-1 only
CloudTrail: PutConfigRule events in those 6 accounts/us-east-1
No PutOrganizationConfigRule events found

What is the best next action supported by this evidence?

Options:

  • A. Deploy an AWS Config organization rule in each enabled Region

  • B. Enable GuardDuty S3 Protection for all accounts

  • C. Treat missing evaluations as compliant resources

  • D. Create a new multi-account AWS Config aggregator

Best answer: A

Explanation: An AWS Config aggregator centralizes evaluation results, but it does not create rules or cause resources to be evaluated. The evidence shows the managed rule was added with PutConfigRule only in six member accounts in us-east-1, and there is no organization-level rule deployment. To detect noncompliant S3 buckets across the organization, deploy an AWS Config organization rule, or an organization conformance pack, in each enabled Region where coverage is required. Also ensure AWS Config recording is enabled in the target accounts and Regions. The key implication is incomplete evaluation scope, not proof of compliance outside the visible results.

  • Aggregator assumption fails because aggregators collect existing evaluations; they do not deploy rules.
  • Compliance assumption fails because no evaluation is not the same as a compliant evaluation.
  • GuardDuty mismatch fails because GuardDuty detects threats and suspicious activity, not Config compliance for this rule.

Question 6

Topic: Security Foundations and Governance

A company uses AWS Organizations with AWS Config enabled in all member accounts and Security Hub delegated administration in a security account. A Config rule flags S3 buckets that allow public read access. The buckets can contain regulated data, so noncompliant buckets must be remediated within minutes, application owners must be notified, and audit evidence must remain centralized. The solution must avoid broad administrator access in member accounts. Which remediation approach is the best security decision?

Options:

  • A. Grant the security account administrator access and delete noncompliant buckets immediately.

  • B. Create an SCP that blocks all future S3 bucket policy changes.

  • C. Use Config automatic remediation with a least-privilege SSM Automation role and EventBridge notifications.

  • D. Run a daily Lambda inventory job in each account and email a CSV report.

Best answer: C

Explanation: AWS Config is the right control point for detecting and remediating resource noncompliance. For this scenario, Config automatic remediation can invoke a Systems Manager Automation runbook, such as applying S3 Block Public Access, by assuming a remediation role with only the permissions needed for the target action. Security Hub can continue to centralize findings from member accounts, while EventBridge rules can route compliance-change or finding events to AWS User Notifications, Amazon SNS, or an incident workflow for owner and security-team notification. This meets the timing, audit-evidence, and least-privilege constraints. Preventive controls such as SCPs can reduce recurrence, but they do not remediate the currently noncompliant buckets or provide the required owner notification workflow by themselves.

  • Deleting buckets is excessive because it can destroy regulated data and requires broad access beyond the stated remediation need.
  • Daily inventory fails the within-minutes remediation requirement and provides weaker centralized evidence than Config and Security Hub.
  • SCP-only prevention may stop future changes but does not correct existing public buckets or notify application owners.

Question 7

Topic: Security Foundations and Governance

A company is moving 80 workloads into AWS accounts managed by AWS Organizations. Security needs resource-level ABAC for deployment roles, finance needs monthly cost allocation by product and cost center, and compliance needs reports that identify regulated-data resources. Tags must be created consistently through IaC pipelines and must not expose sensitive values. Which tagging strategy is the BEST security decision?

Options:

  • A. Store customer identifiers in tags so compliance reports can directly identify regulated records.

  • B. Rely on account names and AWS-generated cost tags instead of resource tags.

  • C. Standardize non-sensitive tags, enforce them in IaC and tag policies, activate cost allocation tags, and use them for ABAC and reporting.

  • D. Allow each workload team to define its own tags and map them manually during audits.

Best answer: C

Explanation: A strong AWS tagging strategy uses a controlled taxonomy with required, non-sensitive keys such as Application, Environment, Owner, CostCenter, and DataClassification. IaC pipelines should apply tags consistently, while AWS Organizations tag policies and pipeline checks help standardize allowed keys and values. Activated cost allocation tags support finance reporting, and IAM ABAC can compare principal tags to resource tags for least-privilege access. Compliance teams can then query tags with services such as AWS Config or reporting tools to identify regulated-data resources. Tags should not contain secrets, personal data, or customer-specific sensitive values because tags can appear in billing, logs, APIs, and reports.

  • Free-form tagging fails because inconsistent team-defined tags undermine ABAC conditions, cost allocation, and audit reporting.
  • Sensitive tag values fail because tags are metadata and should not expose customer identifiers or regulated data.
  • Account-only grouping fails because accounts and AWS-generated cost tags do not provide consistent resource-level access and compliance attributes.

Question 8

Topic: Security Foundations and Governance

A company is preparing for a SOC 2 audit across 25 AWS accounts in AWS Organizations. The security team must continuously collect evidence from AWS service activity and configuration checks, organize the evidence by audit control, and give internal control owners a way to review evidence before producing the auditor package. The team wants minimum custom data processing. Which solution is the BEST security decision?

Options:

  • A. Export AWS CloudTrail logs to Amazon S3 and query control evidence with Amazon Athena.

  • B. Deploy AWS Config conformance packs and provide compliance snapshots only.

  • C. Create an AWS Audit Manager assessment from a SOC 2 framework and enable evidence collection across the organization.

  • D. Enable AWS Security Hub standards and send all findings to the auditor.

Best answer: C

Explanation: AWS Audit Manager is designed for audit evidence collection and organization. An assessment based on a standard or custom framework maps control requirements to AWS evidence sources such as AWS CloudTrail activity, AWS Config evaluations, and supported AWS service data. In a multi-account environment, Audit Manager can work with AWS Organizations so evidence is collected centrally and grouped by control set for review. Control owners can review evidence and the team can generate assessment reports for auditors. CloudTrail, Security Hub, and AWS Config are useful evidence sources, but by themselves they do not provide the same control-mapped audit workflow.

  • Raw log queries miss the requirement to organize evidence by audit controls without custom processing.
  • Security findings only focus on detected issues, not a complete audit evidence package.
  • Config snapshots only show resource compliance state but do not cover service activity evidence or review workflow.

Question 9

Topic: Security Foundations and Governance

An organization aggregates AWS Config evaluations into Security Hub. A production account generated this evidence:

Source: AWS Config
Rule: s3-bucket-public-read-prohibited
Resource: arn:aws:s3:::prod-report-archive
Compliance: NON_COMPLIANT
Security Hub workflow: NEW
Owner tag: FinanceData
Governance note: Production remediation must notify the resource owner and use an approved runbook.

Which next action is best supported by the evidence?

Options:

  • A. Declare a confirmed data breach and rotate all account credentials

  • B. Delete the bucket to stop possible data exposure

  • C. Suppress the Security Hub finding until the next Config evaluation

  • D. Notify the owner and run the approved S3 public-access remediation

Best answer: D

Explanation: AWS Config and Security Hub findings support governance-driven remediation, but they do not automatically prove compromise. Here, the specific resource is noncompliant with a public-read prevention rule, and the governance note requires notifying the resource owner and using an approved runbook. A typical implementation would use an EventBridge rule or Security Hub automation to route the finding, notify the FinanceData owner and security team, and start an approved remediation such as an SSM Automation document or AWS Config remediation action to remove public access. The response should fix the noncompliance while preserving the correct scope and notification process.

  • Deleting the bucket overcorrects and risks data loss when the evidence only identifies policy noncompliance.
  • Suppressing the finding ignores an active NON_COMPLIANT evaluation and does not meet the remediation requirement.
  • Declaring a breach overstates the evidence because no access, exfiltration, or credential compromise is shown.

Question 10

Topic: Security Foundations and Governance

A company is preparing for a SOC 2 audit. The security team must continuously collect, organize, and map evidence from AWS accounts to the audit control framework. The team also wants to avoid confusing this requirement with a workload design review. Which AWS service best satisfies the audit evidence requirement?

Options:

  • A. AWS Well-Architected Tool

  • B. AWS Security Hub

  • C. AWS Trusted Advisor

  • D. AWS Audit Manager

Best answer: D

Explanation: AWS Audit Manager is the governance service designed to collect, organize, and assess evidence for audits against control frameworks such as SOC 2. It helps map AWS resource configurations and activity to controls so teams can prepare audit-ready evidence. This differs from an architectural best-practice assessment: the AWS Well-Architected Tool evaluates workload design against best-practice pillars, but it is not an audit evidence collection system. The key distinction is evidence management for compliance versus design review for architecture improvement.

  • Architecture review fails because the Well-Architected Tool assesses workload design practices, not continuous audit evidence collection.
  • Advisory checks fail because Trusted Advisor reports account-level recommendations, not mapped compliance evidence.
  • Security findings fail because Security Hub aggregates security findings and standards checks, but it is not the primary audit evidence workflow.

Continue with full practice

Use the AWS SCS-C03 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Revised on Monday, June 1, 2026