Course Includes:
- Price: FREE
- Enrolled: 46 students
- Language: English
- Certificate: Yes
- Difficulty: Advanced
Detailed Exam Domain Coverage
To successfully pass the certification exam, you must master the core areas defined by the official curriculum. This practice test bundle provides comprehensive coverage across all four testing domains:
Domain 1: Governance (30%)
Aligning AWS environments with governance and regulatory requirements.
Implementing industry-standard security and compliance frameworks.
Domain 2: Risk (25%)
Executing continuous risk assessment and risk management strategies.
Selecting, deploying, and monitoring security and compliance controls.
Domain 3: Compliance (20%)
Navigating complex compliance frameworks and international regulations.
Preparing for, executing, and analyzing security and compliance auditing.
Domain 4: Infrastructure and Data Protection (25%)
Designing infrastructure security and ensuring architectural compliance.
Enforcing data protection, privacy standards, and advanced encryption methods.
Course Description
Earning the AWS Certified in Governance, Risk and Compliance (CGRC) - Specialty certification is a definitive milestone for professionals who design, architect, and maintain scalable, secure, and compliant cloud environments. Because the official exam demands a deep, practical understanding of how security controls map to cloud infrastructure, rote memorization is rarely enough to pass.
I designed this comprehensive practice exam bank to close the gap between theoretical knowledge and exam-day readiness. With 1,500 original, high-quality questions, this resource mirrors the depth, scenario-based structure, and complexity of the actual test. Every single question features an exhaustive breakdown of the correct answer alongside detailed explanations for why the incorrect options fail to meet the criteria. This ensures you learn the underlying architectural and compliance principles rather than just memorizing answers.
By working through these realistic scenarios, you will identify your knowledge gaps across the four core exam domains: Governance, Risk, Compliance, and Infrastructure and Data Protection. Whether you are validating your current cloud security strategies or sharpening your risk management skills, these tests provide the rigorous practice needed to build confidence and pass on your very first attempt.
Sample Practice Questions Preview
Question 1: Infrastructure and Data Protection
A financial institution must store highly sensitive data in an Amazon S3 bucket. Regulatory requirements state that the data must be encrypted at rest, the encryption keys must be rotated annually, and key usage must be strictly audited. Which solution meets these requirements with the least operational overhead?
Options:
1. Use S3 Managed Keys (SSE-S3) with automatic rotation enabled.
2. Use AWS KMS keys (SSE-KMS) with a customer managed key and enable automatic key rotation.
3. Use AWS KMS keys (SSE-KMS) with an AWS managed key.
4. Use Server-Side Encryption with Customer-Provided Keys (SSE-C) and manage rotation on-premises.
5. Encrypt the data client-side using a custom script before uploading to Amazon S3.
6. Use AWS CloudHSM to generate and manually rotate keys every 12 months.
Correct Answer: Option 2
Explanations:
Option 2 is correct: Customer managed keys in AWS KMS support automatic annual rotation. AWS KMS automatically tracks key usage via AWS CloudTrail, satisfying the strict auditing requirement with minimal operational overhead.
Option 1 is incorrect: While SSE-S3 handles encryption automatically, it uses a unique key per object and does not give the user control over key rotation schedules or direct key auditing logs required for strict compliance.
Option 3 is incorrect: AWS managed keys are automatically rotated every three years (or per service specs) rather than annually, which fails to meet the specific 12-month compliance requirement.
Option 4 is incorrect: SSE-C transfers the entire burden of key storage, rotation, and usage auditing to your on-premises infrastructure, significantly increasing operational overhead.
Option 5 is incorrect: Client-side encryption with custom scripting introduces massive operational overhead, risk of script failure, and complex key management issues.
Option 6 is incorrect: CloudHSM requires manual management of HSM instances, backups, and key rotation, which represents a high level of operational overhead compared to AWS KMS.
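As an added worked example (not part of the course material), here is what option 2 looks like as a CloudFormation template: a customer managed KMS key with automatic annual rotation set as the bucket's default encryption. The resource names, the explicit 365-day rotation period, and the bucket policy that rejects uploads asking for a different scheme are assumptions added for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Constructed example: customer managed KMS key, rotated annually, as the bucket's default encryption
Resources:
  SensitiveDataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer managed key for the regulated S3 bucket
      EnableKeyRotation: true
      RotationPeriodInDays: 365          # the 12-month rotation the question requires
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowKeyAdministrationByAccountPrincipals
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
  SensitiveDataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref SensitiveDataKey   # S3's GenerateDataKey/Decrypt calls on this key land in CloudTrail
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  SensitiveDataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SensitiveDataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Default encryption covers uploads that name no scheme; this rejects uploads
          # that explicitly ask for anything other than SSE-KMS (for example SSE-S3).
          - Sid: DenyUploadsNotUsingKms
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub "${SensitiveDataBucket.Arn}/*"
            Condition:
              StringNotEqualsIfExists:
                "s3:x-amz-server-side-encryption": aws:kms
```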
Question 2: Governance
An enterprise needs to ensure that all AWS accounts within their AWS Organizations structure adhere strictly to a specific set of security baselines. Specifically, no IAM user should be allowed to create an S3 bucket without specific compliance tags. What is the most effective governance mechanism to enforce this across all accounts?
Options:
1. Deploy an IAM Permission Boundary on every individual IAM user across all accounts.
2. Implement a Service Control Policy (SCP) at the root level of AWS Organizations that denies the s3:CreateBucket action if the required tags are missing.
3. Configure an AWS Config rule to automatically delete any non-compliant S3 buckets.
4. Create a centralized AWS Lambda function triggered by Amazon CloudWatch Events to remediate untagged buckets.
5. Use an AWS Systems Manager Automation document to check for tags daily.
6. Apply an IAM group policy to all administrative groups preventing untagged bucket creation.
Correct Answer: Option 2
Explanations:
Option 2 is correct: Service Control Policies (SCPs) offer centralized control over the maximum available permissions for all accounts in an organization. An SCP can globally enforce that bucket creation actions fail unless proper tags are specified, acting as an absolute guardrail.
Option 1 is incorrect: Managing permission boundaries individually across multiple accounts scales poorly and introduces a high probability of configuration drift and oversight.
Option 3 is incorrect: AWS Config rules act as a detective and reactive control. The bucket is still temporarily created, which violates the strict preventative compliance requirement.
Option 4 is incorrect: Like AWS Config, this is a reactive approach. The resource is created before remediation takes place, leaving a temporary window of non-compliance.
Option 5 is incorrect: A daily check leaves a wide window of vulnerability where non-compliant, untagged resources can exist undetected.
Option 6 is incorrect: IAM group policies only apply to users within that specific account group and cannot reliably restrict root users or prevent administrative drift across multiple independent AWS accounts.
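As an added worked example (not from the course), here is option 2 expressed as a CloudFormation template that attaches an SCP to the organization root. It assumes, as the question does, that the CreateBucket request carries the tags; the tag key DataClassification, its approved values, and the resource and parameter names are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Constructed example: an SCP attached to the organization root that denies s3:CreateBucket
# unless the request carries a DataClassification tag with an approved value.
# Deploy this from the management account (or a delegated administrator);
# note that SCPs never restrict the management account itself.
Parameters:
  OrganizationRootId:
    Type: String                 # the root ID (r-xxxx) shown in the Organizations console
Resources:
  RequireBucketClassificationTag:
    Type: AWS::Organizations::Policy
    Properties:
      Name: require-bucket-classification-tag
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref OrganizationRootId
      Content:
        Version: "2012-10-17"
        Statement:
          # Null = "true" matches when the tag key is absent from the request
          - Sid: DenyBucketCreationWithoutClassificationTag
            Effect: Deny
            Action: s3:CreateBucket
            Resource: "*"
            Condition:
              "Null":
                "aws:RequestTag/DataClassification": "true"
          # ...IfExists so this statement only judges the value when the tag is present
          - Sid: DenyBucketCreationWithUnapprovedClassification
            Effect: Deny
            Action: s3:CreateBucket
            Resource: "*"
            Condition:
              StringNotEqualsIfExists:
                "aws:RequestTag/DataClassification":
                  - public
                  - internal
                  - confidential
```

Because SCPs only cap what IAM policies may grant, principals still need an Allow for s3:CreateBucket in their own account; the SCP guarantees that the Allow cannot succeed without the tag.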
Question 3: Risk
During a routine risk assessment, an organization identifies that its legacy application servers running on AWS EC2 use outdated TLS protocols (1.0 and 1.1). A full application refactor to support TLS 1.2 or higher will take six months. Which risk management strategy and immediate technical compensating control should the risk officer recommend?
Options:
1. Avoid the risk by shutting down the application servers immediately until the refactor is complete.
2. Accept the risk completely for the six-month period since a fix is planned.
3. Mitigate the risk by placing an Application Load Balancer (ALB) in front of the servers, terminating TLS at the ALB using a secure security policy, and routing traffic to the backends via HTTP.
4. Transfer the risk by purchasing a cybersecurity insurance policy to cover potential breaches over the next six months.
5. Mitigate the risk by configuring security groups to block all inbound public internet access on port 443.
6. Mitigate the risk by migrating the application to Amazon S3 static website hosting.
Correct Answer: Option 3
Explanations:
Option 3 is correct: This is a classic risk mitigation strategy using a compensating control. Offloading TLS termination to an Application Load Balancer allows you to enforce modern TLS versions (1.2 and 1.3) toward the public internet immediately, protecting data in transit without modifying the legacy backend application code.
Option 1 is incorrect: Shutting down a production system introduces severe business disruption and financial loss, making risk avoidance an impractical solution for a running application.
Option 2 is incorrect: Accepting a known security vulnerability involving broken cryptographic protocols without any compensating controls leaves the organization exposed to active exploitation and compliance failures.
Option 4 is incorrect: While insurance transfers financial liability, it does not fix the security flaw or stop an active data breach, meaning the operational risk remains unaddressed.
Option 5 is incorrect: Blocking port 443 entirely breaks the application's functionality for legitimate users, rendering the service useless.
Option 6 is incorrect: A legacy application running on EC2 servers cannot simply be shifted to Amazon S3 static hosting, as S3 does not execute server-side application logic.
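As an added worked example (not from the course), here is option 3 as a CloudFormation template: an internet-facing ALB whose HTTPS listener uses a TLS 1.2/1.3-only security policy and forwards over plain HTTP to a target group, with a backend security group that admits traffic only from the ALB. Parameter and resource names are assumptions; the listener's SslPolicy value is an actual AWS-managed policy name.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Constructed example: the ALB terminates TLS 1.2/1.3 for the public; the legacy EC2 backends
# keep speaking plain HTTP and are reachable only from the ALB (option 3's compensating control)
Parameters:
  VpcId: { Type: "AWS::EC2::VPC::Id" }
  PublicSubnetIds: { Type: "List<AWS::EC2::Subnet::Id>" }
  CertificateArn: { Type: String }   # ACM certificate for the public hostname (assumed to exist)
Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public HTTPS into the ALB only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
  BackendSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Plain HTTP from the ALB only; attach this to the legacy instances
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # no path from the internet to the old TLS 1.0/1.1 listener, only from the ALB
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref AlbSecurityGroup }
  LegacyAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [ !Ref AlbSecurityGroup ]
  LegacyTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP          # backend hop stays HTTP inside the VPC, as in option 3
      Port: 80
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LegacyAlb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # offers TLS 1.3 and 1.2 only
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref LegacyTargets
```

The backend security group is the part that makes this a real compensating control: without it, clients could still reach the instances' TLS 1.0/1.1 listener directly and bypass the ALB.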
Welcome to the Training Academy
Welcome to the Mock Exam Practice Tests Academy to help you prepare for your AWS Certified in Governance, Risk and Compliance (CGRC) - Specialty exam.
Unrestricted Access: You can retake the exams as many times as you want to track your progress and build speed.
100% Original Content: This is a huge original question bank built from scratch to align with the latest official exam Blueprints.
Direct Instructor Support: You get support from instructors if you have questions or need clarification on complex compliance scenarios.
Granular Explanations: Each question has a detailed explanation mapping out why answers are right or wrong to solidify your architectural understanding.
Study On the Go: Fully mobile-compatible with the Udemy app so you can practice anytime, anywhere.
We hope that by now you're convinced! And there are a lot more questions inside the course.