© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
DVA-C02 Security • Complete Question Bank

DVA-C02 Security — All Questions With Answers

Complete DVA-C02 Security question bank — all 0 questions with answers and detailed explanations.

429 questions · Free · No signup
Question 1 (medium, multiple choice)

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

Question 2 (hard, multiple choice)

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

Question 3 (hard, multiple choice)

A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?

Question 4 (hard, multiple choice)

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

Question 5 (medium, multiple choice)

A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?

Question 6 (hard, multiple choice)

A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?

Question 7 (hard, multiple choice)

A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?

Question 8 (medium, multiple choice)

A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?

Question 9 (hard, multiple choice)

A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?

Question 10 (medium, multiple choice)

A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?

Question 11 (easy, multiple choice)

A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?

Question 12 (medium, multiple choice)

A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?

Question 13 (hard, multiple choice)

A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?

Question 14 (medium, multiple choice)

A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no IAM users or roles should be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?

Question 15 (hard, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?

Question 16 (hard, multiple choice)

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

Question 17 (hard, multiple choice)

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

Question 18 (hard, multiple choice)

A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?

Question 19 (medium, multiple choice)

A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?

Question 20 (hard, multiple choice)

A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?

Question 21 (hard, multiple choice)

A developer needs to grant read-only access to objects in an S3 bucket (in Account A) to an IAM role in Account B. The bucket uses server-side encryption with AWS KMS (SSE-KMS) using a customer managed key (CMK) in Account A. Which of the following is REQUIRED for the cross-account access to succeed?

Question 22 (medium, multiple choice)

A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?

Question 23 (medium, multiple choice)

A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?

Question 24 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?

Question 25 (medium, multiple choice)

A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?

Question 26 (medium, multiple choice)

A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?

Question 27 (hard, multiple choice)

A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

Question 28 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?

Question 29 (medium, multiple choice)

A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?

Question 30 (hard, multiple choice)

A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?

Question 31 (medium, multiple choice)

A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?

Question 32 (easy, multiple choice)

A company requires that all data in Amazon S3 be encrypted at rest using server-side encryption with a customer-managed KMS key. The developer needs to ensure that any object uploaded without the x-amz-server-side-encryption header set to aws:kms is denied. How can this be enforced?

Question 33 (medium, multiple choice)

A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?

Question 34 (medium, multiple choice)

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?

Question 35 (medium, multiple choice)

A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?

Question 36 (medium, multiple choice)

A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?

Question 37 (medium, multiple choice)

A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?

Question 38 (hard, multiple choice)

A developer wants to enforce that all requests to an Amazon S3 bucket must use HTTPS (TLS). The bucket is used for static website hosting. Which bucket policy condition should be used to deny requests that do not use HTTPS?

Question 39 (easy, multiple choice)

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?

Question 40 (medium, multiple choice)

A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?

Question 41 (easy, multiple choice)

A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?

Question 42 (medium, multiple choice)

A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?

Question 43 (easy, multiple choice)

A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?

Question 44 (hard, multiple choice)

A company requires that all API calls to create an Amazon S3 bucket must include a specific tag (e.g., 'CostCenter'). Which IAM policy condition key should a developer use to enforce this requirement?

Question 45 (medium, multiple choice)

A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?

Question 46 (medium, multiple choice)

A company wants to store database credentials securely and rotate them automatically on a schedule. The credentials are used by an AWS Lambda function to access an Amazon RDS instance. Which AWS service should the developer use to meet these requirements?

Question 47 (easy, multiple choice)

A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?

Question 48 (medium, multiple choice)

A developer needs to grant temporary access to an Amazon S3 bucket for a user from a different AWS account. The developer wants to use the most secure method that does not require sharing long-term credentials. Which approach should the developer take?

Question 49 (medium, multiple choice)

A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?

Question 50 (easy, multiple choice)

A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?

Question 51 (easy, multiple choice)

A developer stores database credentials for an application running on Amazon EC2. The security team requires that the credentials be automatically rotated every 30 days to reduce the risk of compromise. Which AWS service should the developer use to store and automatically rotate the credentials?

Question 52 (medium, multiple choice)

A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?

Question 53 (easy, multiple choice)

A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?

Question 54 (easy, multiple choice)

A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?

Question 55 (medium, multiple choice)

A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?

Question 56 (medium, multiple choice)

A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?

Question 57 (medium, multiple choice)

A developer is building a REST API with Amazon API Gateway and needs to authorize requests based on a custom JSON Web Token (JWT) that includes claims for user roles. Which authorization mechanism should the developer use?

Question 58 (easy, multiple choice)

A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?

Question 59 (easy, multiple choice)

A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?

Question 60 (easy, multiple choice)

A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?

Question 61 (easy, multiple choice)

A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?

Question 62 (easy, multiple choice)

A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?

Question 63 (easy, multiple choice)

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?

Question 64 (easy, multiple choice)

A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?

Question 65 (easy, multiple choice)

A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?

Question 66 (hard, multiple choice)

An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?

Question 67 (medium, multi select)

A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?

Question 68 (hard, multiple choice)

A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?

Question 69 (medium, multiple choice)

A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?

Question 70 (hard, multiple choice)

An application receives webhooks from a partner. The developer must verify that each request was signed by the partner and not modified in transit. What should the application validate?

Question 71 (medium, multiple choice)

A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?

Question 72 (hard, multiple choice)

An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?

Question 73 (medium, multiple choice)

A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?

Question 74 (hard, multiple choice)

A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?

Question 75 (hard, multi select)

A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?

Question 76 (medium, multi select)

An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?

Question 77 (hard, multi select)

A developer needs to securely distribute temporary AWS credentials to authenticated mobile users. Which two components are commonly involved?

Question 78 (medium, multi select)

A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?

Question 79 (medium, drag order)

Drag and drop the steps to deploy a containerized application using AWS ECS with Fargate in the correct order.

Question 80 (medium, drag order)

Drag and drop the steps to implement a disaster recovery plan using cross-region replication for S3 in the correct order.

Question 81 (medium, drag order)

Drag and drop the steps to set up a DynamoDB table with auto scaling in the correct order.

Question 82 (medium, matching)

Match each AWS tool or feature to its description.

Descriptions to match:

Infrastructure as Code

PaaS for web apps

Automated code deployment

Distributed tracing

Key management encryption

Question 83 (medium, matching)

Match each AWS CLI command to its function.

Descriptions to match:

Copy objects to/from S3

Invoke a Lambda function

Insert an item into DynamoDB

Deploy a CloudFormation stack

List EC2 instances

Question 84 (medium, matching)

Match each DynamoDB concept to its description.

Descriptions to match:

Primary key for hashing

Range key for ordering

Alternate access pattern

Same partition key, different sort

In-memory cache for DynamoDB

Question 85 (medium, multiple choice)

A company wants to securely store secrets for a Lambda function. Which AWS service should they use?

Question 86 (easy, multiple choice)

A developer needs to allow an EC2 instance to read items from a DynamoDB table. Which is the best practice for granting permissions?

Question 87 (hard, multiple choice)

A company uses AWS KMS with customer managed keys to encrypt S3 objects. The security team requires automatic key rotation. What must the developer do to enable rotation?

Question 88 (medium, multiple choice)

A developer is writing a Lambda function that needs to access an RDS database. The function currently fails with a timeout. What is the most likely cause?

Question 89 (easy, multiple choice)

An application running on EC2 needs to access an S3 bucket. What is the most secure way to grant access?

Question 90 (hard, multiple choice)

A company wants to audit all API calls made to AWS. Which service should be used to collect and store these logs?

Question 91 (medium, multiple choice)

A developer receives an AccessDenied error when trying to upload a file to an S3 bucket that has a bucket policy requiring encryption in transit. What is the most likely cause?

Question 92 (easy, multiple choice)

A developer needs to securely store database credentials for a serverless application. Which service should be used?

Question 93 (hard, multiple choice)

A company has an S3 bucket with versioning enabled. A developer accidentally deleted an object. What must be done to recover it?

Question 94 (medium, multi select)

Which TWO are best practices for securing an AWS account? (Choose 2)

Question 95 (hard, multi select)

Which THREE are valid methods to encrypt data at rest in Amazon S3? (Choose 3)

Question 96 (easy, multi select)

Which TWO actions are required to enable server-side encryption for an Amazon RDS instance? (Choose 2)

Question 97 (hard, multiple choice)

A developer attached the above IAM policy to an IAM user. The user tries to download an object from example-bucket using the AWS CLI without specifying server-side encryption. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Question 98 (medium, multiple choice)

A developer runs the commands above. The key is disabled. An application that uses this key to encrypt S3 objects starts failing. What should the developer do to fix the issue?

Exhibit

Refer to the exhibit.

$ aws kms list-keys
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "KeyManager": "CUSTOMER",
    "KeyState": "Disabled"
  }
}

Question 99 (hard, multiple choice)

A developer receives the above error when trying to launch an EC2 instance. What is the most likely cause?

Exhibit

Refer to the exhibit.

Error: User: arn:aws:iam::123456789012:user/Developer is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1:123456789012:instance/* with an explicit deny in a service control policy

Question 100 (medium, multiple choice)

A developer is building a serverless application using AWS Lambda. The application needs to access a DynamoDB table and an S3 bucket. What is the MOST secure way to provide the necessary permissions?

Question 101 (easy, multiple choice)

A company wants to encrypt data at rest in Amazon S3. Which AWS service can be used to manage the encryption keys?

Question 102 (hard, multiple choice)

A developer is tasked with rotating database credentials stored in AWS Secrets Manager for an RDS MySQL instance. The rotation must occur automatically every 30 days. What is the BEST approach?

Question 103 (medium, multiple choice)

A developer is creating a new IAM policy to allow an application to read objects from a specific S3 bucket and write logs to a CloudWatch log group. Which policy statement is correct?

Question 104 (easy, multiple choice)

A developer needs to securely pass a secret API key to an AWS Lambda function. What is the MOST secure and recommended approach?

Question 105 (medium, multiple choice)

A company is using AWS CodeCommit for source control. Developers need to access the repository from their local machines. Which authentication method is recommended for secure access?

Question 106 (hard, multiple choice)

A developer notices that an IAM user has permissions to terminate EC2 instances, but the user should only be allowed to stop instances. The developer needs to update the policy to prevent termination while allowing stop. Which IAM policy statement should be added?

Question 107 (easy, multiple choice)

A developer wants to encrypt data in transit between an application and an S3 bucket. Which option achieves this?

Question 108 (hard, multiple choice)

A company has an S3 bucket with a policy that denies access to all users. The bucket owner wants to grant read access to a specific IAM user. What must be done?

Question 109 (medium, multi select)

A developer is designing a system that must meet the following security requirements: (1) Encrypt data at rest in S3, (2) Automatically rotate encryption keys annually, (3) Use an encryption key that is managed by AWS. Which services or features should the developer use? (Choose TWO.)

Question 110 (hard, multi select)

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket despite having an IAM role with the correct permissions attached. Which THREE steps should the developer take to diagnose the issue?

Question 111 (easy, multi select)

Which TWO of the following are best practices for securing AWS account root user?

Question 112 (medium, multi select)

A developer is using AWS Lambda and needs to ensure that the function can access an RDS database securely. Which THREE steps should be taken?

Question 113 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from my-bucket that was uploaded without server-side encryption. What happens?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        }
    ]
}

Question 114 (hard, multiple choice)

Refer to the exhibit. A developer in account 111111111111 tries to assume a role in account 123456789012. The error occurs. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/cross-account-role --role-session-name test

Question 115 (medium, multiple choice)

A company is using an Application Load Balancer (ALB) to route traffic to a set of EC2 instances. The security team wants to ensure that only traffic from the ALB can reach the instances. Which security group configuration should be used?

Question 116 (easy, multiple choice)

A developer needs to grant an IAM user access to an S3 bucket for read-only operations. Which IAM policy action should be used?

Question 117 (hard, multiple choice)

A company has an S3 bucket configured with server-side encryption using AWS KMS (SSE-KMS). An application running on EC2 with an appropriate IAM role is unable to write objects to the bucket. The error message indicates an access denied error. Which additional permission is most likely required?

Question 118 (medium, multiple choice)

A developer is building a serverless application using AWS Lambda and needs to securely store database credentials. Which AWS service should be used to store and retrieve the credentials?

Question 119 (hard, multiple choice)

A company wants to encrypt data at rest in an Amazon RDS for PostgreSQL database. The database is already running, and the company wants to enable encryption without significant downtime. Which approach should be taken?

Question 120 (easy, multiple choice)

A developer needs to allow an IAM user to stop and start EC2 instances but not terminate them. Which IAM policy effect and action combination should be used?

Question 121 (medium, multiple choice)

A company is using Amazon Cognito for user authentication. The developers need to add multi-factor authentication (MFA) for security. Which Cognito feature should be enabled?

Question 122 (hard, multiple choice)

A developer is troubleshooting an issue where an S3 bucket policy is not granting cross-account access to a user in another AWS account. The bucket policy uses a Principal element with the AWS account ID. What is the most likely reason for the failure?

Question 123 (easy, multiple choice)

A company wants to ensure that all data in transit between a web application and its users is encrypted. Which AWS service can provide SSL/TLS termination?

Question 124 (medium, multi select)

Which TWO actions can help protect an S3 bucket from data leaks? (Choose two.)

Question 125 (hard, multi select)

Which THREE are best practices for managing IAM users and roles? (Choose three.)

Question 126 (easy, multi select)

Which TWO services can be used to encrypt data at rest in Amazon S3? (Choose two.)

Question 127 (medium, multiple choice)

A company is using an S3 bucket to store sensitive data. They want to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What is the most secure way to enforce this?

Question 128 (hard, multiple choice)

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with an attached policy that allows s3:GetObject on the bucket. However, the application is receiving Access Denied errors. What is a likely cause?

Question 129 (easy, multiple choice)

A developer needs to securely store database credentials for an application running on AWS Lambda. Which AWS service should they use?

Question 130 (hard, multiple choice)

A company is using AWS KMS to encrypt data in S3. They want to ensure that only specific IAM roles can decrypt the data, even if the IAM role has full S3 access. What should they do?

Question 131 (medium, multiple choice)

A developer is building an application that uploads files to S3. The application uses an IAM user with access keys. The developer wants to rotate the access keys regularly. Which approach is the most secure?

Question 132 (easy, multiple choice)

A company wants to give a third-party auditor read-only access to their AWS account for compliance purposes. What is the most appropriate way to grant this access?

Question 133 (hard, multiple choice)

A developer is using AWS Lambda to process sensitive data. The Lambda function needs to access a DynamoDB table that is encrypted with a customer-managed CMK. The developer is using the default Lambda execution role. What must be done to allow Lambda to decrypt the DynamoDB table?

Question 134 (medium, multiple choice)

A developer is configuring a load balancer in front of an EC2 instance running a web application. The application needs to authenticate users via an identity provider. Which AWS service should the developer use to handle authentication and authorization?

Question 135 (easy, multiple choice)

A company wants to encrypt data in transit between an EC2 instance and an S3 bucket. What should they do?

Question 136 (hard, multi select)

A developer is designing a microservices architecture where each service communicates over HTTPS. They need to ensure that only authorized services can invoke each other. Which TWO services can be used to manage authentication and authorization between services?

Question 137 (easy, multi select)

A developer is storing secrets such as database passwords. Which TWO AWS services can be used to securely store and retrieve secrets?

Question 138 (medium, multi select)

A company wants to ensure that only encrypted connections are used to access their S3 bucket. Which THREE methods can be used to enforce this?

Question 139 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they can access objects in the S3 bucket from their office IP address (192.0.2.15) but cannot access from home (203.0.113.5). What is the most likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

Question 140 (hard, multiple choice)

Refer to the exhibit. An IAM role has the attached policy. A developer is writing an application that will upload objects to the S3 bucket using server-side encryption with AWS KMS (SSE-KMS). The application is failing with an Access Denied error when trying to upload. What is the missing permission?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Question 141 (hard, multiple choice)

Refer to the exhibit. A developer is trying to query a DynamoDB table from a Lambda function that uses an execution role named MyRole. The Lambda function is failing with the error shown. Which step should the developer take to resolve this?

Exhibit

Error: AccessDenied: User: arn:aws:sts::123456789012:assumed-role/MyRole/MySession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:123456789012:table/MyTable because no identity-based policy allows the dynamodb:Query action

Question 142 (easy, multiple choice)

A developer is creating an IAM policy to allow an EC2 instance to access an S3 bucket. Which AWS service should the developer use to securely provide credentials to the EC2 instance?

Question 143 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to audit all use of the KMS key, including decryption operations. What should the developer enable?

Question 144 (hard, multiple choice)

A developer is building a serverless application with AWS Lambda that needs to read from an Amazon DynamoDB table. The Lambda function is in a VPC. What is the MOST secure way to grant the Lambda function access to DynamoDB?

Question 145 (easy, multiple choice)

A developer needs to allow an IAM user to temporarily access an AWS account for 12 hours. The developer must not create long-term credentials. What should the developer use?

Question 146 (medium, multiple choice)

A company is using AWS CodePipeline to deploy a web application. The pipeline must securely store and use database credentials. Which AWS service should the developer use to store the credentials and retrieve them during deployment?

Question 147 (hard, multiple choice)

A developer is deploying an application on EC2 that must access an S3 bucket. The developer wants to avoid hard-coding credentials. What is the MOST secure way to grant access?

Question 148 (easy, multiple choice)

A developer needs to encrypt data in an S3 bucket. The company requires that the encryption key be managed by AWS but with the ability to audit key usage. Which S3 encryption option should the developer use?

Question 149 (medium, multiple choice)

A developer is using Amazon API Gateway with a Lambda authorizer to secure a REST API. The developer wants to pass user context from the authorizer to the backend Lambda function. How should the developer accomplish this?

Question 150 (hard, multiple choice)

A company has a multi-account architecture using AWS Organizations. The security team wants to centrally manage IAM policies that apply to all accounts. Which AWS feature should the developer use?

Question 151 (medium, multi select)

A developer is implementing a solution to encrypt data in transit for a web application running on an Application Load Balancer (ALB). Which TWO actions should the developer take?

Question 152 (easy, multi select)

A developer wants to ensure that an S3 bucket is not publicly accessible. Which TWO measures should the developer implement?

Question 153 (hard, multi select)

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline must deploy to multiple AWS accounts. Which THREE components are required to securely deploy across accounts?

Question 154 (easy, multiple choice)

The exhibit shows an S3 bucket policy. If an IAM user in the same AWS account attempts to download an object from the bucket from IP address 203.0.113.5, what will happen?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

Question 155 (medium, multiple choice)

A developer ran the AWS CLI command shown in the exhibit. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

$ aws kms create-key --origin AWS_CLOUDHSM --key-spec RSA_4096

Question 156 (hard, multiple choice)

The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-..."
    }
  ]
}

Question 157 (medium, multiple choice)

A developer needs to allow an EC2 instance to read objects from a specific S3 bucket. Which is the MOST secure way to grant permissions?

Question 158 (hard, multiple choice)

A company wants to allow cross-account access to a DynamoDB table. They set up an IAM role in Account A (table owner) and allow Account B's users to assume the role. Which additional step is required?

Question 159 (easy, multiple choice)

A developer is encrypting an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). What is a benefit of using SSE-KMS over SSE-S3?

Question 160 (medium, multiple choice)

A developer set up a Lambda function that reads from an SQS queue and processes messages. The function sometimes times out. How can the developer improve security while minimizing execution time?

Question 161 (hard, multiple choice)

An application uses a custom KMS key to encrypt data. The application runs on an EC2 instance. To decrypt data, the application must call KMS. What is the BEST practice to securely provide the KMS key ID to the application?

Question 162 (easy, multiple choice)

A developer wants to ensure that an S3 bucket only allows HTTPS requests. What S3 bucket policy condition should be used?

Question 163 (medium, multiple choice)

A developer is deploying an application with AWS CodeDeploy. The application needs to access a database password. Which service should be used to securely store and retrieve the password?

Question 164 (hard, multiple choice)

A company uses AWS KMS with imported key material. The key material is expired. What must the developer do to continue using the KMS key?

Question 165 (easy, multiple choice)

A developer needs to grant least-privilege access to a Lambda function to write logs to CloudWatch Logs. Which IAM policy effect should be used?

Question 166 (medium, multi select)

Which TWO actions are recommended to secure an S3 bucket? (Choose 2)

Question 167 (hard, multi select)

Which THREE are valid methods to authenticate to AWS APIs? (Choose 3)

Question 168 (easy, multi select)

Which TWO are features of AWS Identity and Access Management (IAM)? (Choose 2)

Question 169 (hard, multiple choice)

A developer attached the above IAM policy to an IAM user. The user is trying to get an object from the bucket 'example-bucket' from an on-premises machine with public IP 203.0.113.5. What will happen?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.1/32"
                }
            }
        }
    ]
}

Question 170 (medium, multiple choice)

A developer runs the above command and gets the output shown. What is the developer verifying?

Exhibit

Refer to the exhibit.

$ aws s3api get-object-attributes --bucket my-bucket --key confidential.pdf --object-attributes ObjectSize ETag
{
  "ETag": "\"abc123\"",
  "ObjectSize": 2048
}

Question 171 (hard, multiple choice)

A developer attaches the above S3 bucket policy to my-bucket. A user tries to upload an object using HTTP (not HTTPS). What will happen?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "BoolIfExists": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Question 172 (easy, multiple choice)

A developer is troubleshooting an S3 bucket policy that is denying all access. The policy has an explicit Deny for s3:PutObject. What is the most likely reason for the denial even though an Allow exists?

Question 173 (medium, multiple choice)

A company wants to securely store database credentials for a Lambda function. Which AWS service should be used?

Question 174 (hard, multiple choice)

A developer is designing a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. Which security group configuration meets these requirements?

Question 175 (easy, multiple choice)

A developer needs to grant an IAM user access to an S3 bucket owned by another AWS account. Which method should be used?

Question 176 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest. A developer wants to allow a Lambda function to decrypt data using a KMS key. What is the minimum permissions required?

Question 177 (hard, multiple choice)

A developer is using an S3 bucket to store sensitive files. The bucket policy includes a condition that requires TLS for all requests. A user reports that they can access the bucket via the AWS Management Console but not via an application using HTTP. What is the likely issue?

Question 178 (easy, multiple choice)

A developer needs to allow an EC2 instance to access an S3 bucket without storing credentials on the instance. Which approach is the most secure?

Question 179 (medium, multiple choice)

A company is using AWS CloudTrail to monitor API activity. A developer notices that some actions are not logged. What is a possible reason?

Question 180 (hard, multiple choice)

A developer is building a serverless application using API Gateway and Lambda. The API must be accessed only by authenticated users from a specific AWS Cognito User Pool. Which method should be used?

Question 181 (medium, multi select)

A developer wants to encrypt data in an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). Which TWO steps are required?

Question 182 (hard, multi select)

A company has an IAM policy that allows s3:GetObject for all users in the account. However, a specific user is receiving access denied errors. Which TWO possible causes should the developer investigate?

Question 183 (easy, multi select)

A developer is tasked with securing a legacy application that stores secrets in environment variables. Which THREE AWS services can be used to improve the security posture?

Question 184 (easy, multiple choice)

A developer attaches this IAM policy to an IAM user. The user is trying to access an object in example-bucket from an IP address 203.0.113.5. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

Question 185 (medium, multiple choice)

A developer runs the AWS CLI command to decrypt a file using a KMS key. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

$ aws kms decrypt --ciphertext-blob fileb://encrypted --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Question 186 (hard, multiple choice)

A developer attaches this IAM policy. What happens when the developer attempts to launch a t2.micro instance?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Question 187 (medium, multiple choice)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be rotated automatically every 12 months. Which type of KMS key should be used?

Question 188 (easy, multiple choice)

A developer is creating an IAM policy for an Amazon S3 bucket that must allow read access to a specific object only. Which policy element should be used to restrict access to the object?

Question 189 (hard, multiple choice)

A developer is troubleshooting access to an Amazon S3 bucket. The bucket policy allows access to the developer's IAM role, but the developer receives an Access Denied error when trying to upload objects. The developer is using an IAM user with access keys for API calls. What is the most likely cause?

Question 190 (medium, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The application runs on Amazon EC2 instances with an IAM role attached. How should the application retrieve the secret securely?

Question 191 (easy, multiple choice)

A developer needs to allow an Amazon EC2 instance to send messages to an Amazon SQS queue. What is the most secure way to grant this access?

Question 192 (hard, multiple choice)

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to write logs to CloudWatch Logs. Which of the following is required to allow this?

Question 193 (medium, multiple choice)

A company wants to encrypt data in transit between an on-premises application and an Amazon RDS instance. Which of the following should be implemented?

Question 194 (easy, multiple choice)

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to restrict access to the API so that only authenticated users can invoke it. Which API Gateway feature should be used?

Question 195 (medium, multiple choice)

A developer is deploying a web application on Amazon ECS with a Fargate launch type. The application needs to securely access an Amazon DynamoDB table. How should the developer grant permissions?

Question 196 (hard, multi select)

A company is designing a secure CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The pipeline must securely store and access sensitive parameters (e.g., API keys) used during the build. Which TWO services can be used to securely store and retrieve these parameters?

Question 197 (medium, multi select)

A developer is creating an IAM policy to allow access to an Amazon DynamoDB table. The policy must allow the user to read and write items, but not to delete the table or modify its schema. Which TWO DynamoDB actions should be included in the policy?

Question 198 (easy, multi select)

A developer needs to encrypt data at rest in an Amazon S3 bucket. Which THREE options are available for server-side encryption?

Question 199 (medium, multiple choice)

A developer attached the IAM policy above to an IAM user. What is the effect when the user tries to download an object from the 'confidential' folder in 'example-bucket'?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*"
    }
  ]
}
Question 200hardmultiple choice
Read the full Security explanation →

A developer attached the managed policy above to an IAM role used by an application. The application tries to decrypt data that was encrypted under a KMS key with an encryption context of {"department": "finance"}. However, the request fails with access denied. What is the most likely reason?

Exhibit

Refer to the exhibit.
$ aws iam get-account-authorization-details --filter ManagedPolicy
...
"PolicyName": "CustomPolicy",
"PolicyDocument": {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:department": "finance"
        }
      }
    }
  ]
}
Question 201hardmultiple choice
Read the full Security explanation →

The above resource-based policy is attached to an SQS queue. An application running on an EC2 instance with the IAM role 'AppRole' tries to send a message to the queue but receives an access denied error. What is the most likely cause?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    }
  ]
}
Question 202hardmultiple choice
Read the full Security explanation →

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout error after 30 seconds. The developer checked the Lambda logs and saw that the function is making network calls to the database but never receives a response. What is the MOST likely cause?

Question 203easymultiple choice
Read the full Security explanation →

A developer wants to grant an IAM user permissions to list all S3 buckets in the account, but deny access to a specific bucket named 'confidential-data'. Which IAM policy should be attached?

Question 204mediummultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every year. Which solution meets this requirement with the LEAST operational overhead?

Question 205hardmultiple choice
Read the full Security explanation →

A developer is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users via a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The developer wants to offload authentication to the ALB. Which configuration is required?

Question 206easymultiple choice
Read the full Security explanation →

A company wants to store sensitive data in S3. The data must be encrypted at rest using server-side encryption with a key that is automatically rotated annually. Which S3 encryption option should be used?

Question 207mediummultiple choice
Read the full Security explanation →

A developer is building a serverless application using API Gateway and Lambda. The API must be accessible only from a specific VPC. How can the developer achieve this?

Question 208hardmultiple choice
Read the full Security explanation →

A company uses IAM roles to grant permissions to EC2 instances. The security team notices that an instance is using a role that has administrator privileges, which is a security risk. What is the BEST way to restrict the instance's permissions without disrupting the application?

Question 209easymultiple choice
Read the full Security explanation →

A developer needs to grant an IAM user the ability to create and manage CloudFormation stacks. Which IAM policy action should be allowed?

Question 210mediummultiple choice
Read the full Security explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with SSE-S3. What is the MOST effective way to enforce this?

Question 211mediummulti select
Read the full Security explanation →

A developer is using AWS KMS to encrypt data. Which of the following are true about KMS keys (formerly called customer master keys, CMKs)? (Choose TWO.)

Question 212hardmulti select
Read the full Security explanation →

A company is deploying a web application on EC2 instances behind an ALB. The application needs to authenticate users using a corporate identity provider that supports SAML 2.0. Which of the following are required to configure this? (Choose THREE.)

Question 213easymulti select
Read the full Security explanation →

A developer needs to securely store database credentials and retrieve them programmatically from a Lambda function. Which AWS services can be used for this purpose? (Choose TWO.)

Question 214hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket named 'my-bucket'. The IAM role 'AppRole' is used by an application running on EC2 instances with an IP address of 192.0.2.10. The application tries to upload an object to 'my-bucket/confidential/report.pdf'. Will the upload succeed?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/confidential/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 215mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer ran the above commands to inspect a KMS key. What can be determined about this key?

Exhibit

Refer to the exhibit.
$ aws kms list-keys
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": "2023-01-15T10:00:00+00:00",
    "Enabled": true,
    "Description": "",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS",
    "KeyManager": "CUSTOMER",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "MultiRegion": false
  }
}
Question 216easymultiple choice
Read the full Security explanation →

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from 'example-bucket' from an IP address of 10.0.1.5. Will the download succeed?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
Question 217mediummultiple choice
Read the full Security explanation →

A company is using AWS Lambda to process sensitive data. The Lambda function needs to access an S3 bucket in the same account. What is the BEST practice for granting permissions?

Question 218hardmultiple choice
Read the full Security explanation →

A developer is troubleshooting an application that uses an IAM role to access DynamoDB. The application is running on an EC2 instance and intermittently fails with an AccessDenied error. The IAM role has the following policy attached. What is the MOST likely cause?

Question 219easymultiple choice
Read the full Security explanation →

A developer needs to securely store database credentials for a serverless application. Which service should be used?

Question 220mediummultiple choice
Read the full Security explanation →

A company's S3 bucket contains sensitive data. The security team requires that all data be encrypted at rest. Which combination of actions will enforce encryption for all objects written to the bucket?

Question 221hardmultiple choice
Read the full Security explanation →

A developer is deploying an application on EC2 instances behind an Application Load Balancer (ALB). The application must authenticate users using an identity provider (IdP) that supports OpenID Connect (OIDC). What is the MOST secure way to offload authentication to the ALB?

Question 222easymultiple choice
Read the full Security explanation →

A developer needs to grant an IAM user the ability to create and manage EC2 instances, but only in the us-east-1 region. Which IAM policy statement should be used?

Question 223mediummultiple choice
Read the full Security explanation →

A company is using AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only the company's AWS account can access the KMS key. What should be done?

Question 224hardmultiple choice
Read the full Security explanation →

A developer is building a serverless application using AWS Lambda and API Gateway. The API should be accessible only from a specific VPC. What is the MOST secure way to achieve this?

Question 225easymultiple choice
Read the full Security explanation →

A developer wants to allow an IAM user to rotate their own access keys. Which IAM policy action should be included?

Question 226mediummulti select
Read the full Security explanation →

A company is using AWS CloudTrail to monitor API activity. Which TWO actions are required to ensure the integrity and security of the log files?

Question 227hardmulti select
Read the full Security explanation →

A developer is designing a system that stores sensitive user data in DynamoDB. The data must be encrypted at rest and in transit. Which THREE actions should the developer take?

Question 228mediummulti select
Read the full Security explanation →

A developer is using IAM roles to grant permissions to an EC2 instance. Which TWO statements are true about IAM roles for EC2?

Question 229hardmultiple choice
Read the full Security explanation →

A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an IAM role to access an S3 bucket that stores user uploads. Recently, the security team discovered that some uploaded files contain malicious content. The team wants to implement a solution that automatically scans new objects for malware and blocks access if threats are detected. The solution must be cost-effective and minimize latency for legitimate uploads. The developer is tasked with designing this solution. Which approach should the developer take?

Question 230mediummultiple choice
Read the full Security explanation →

A developer is building a mobile application that uses Amazon Cognito User Pools for authentication. The app needs to access a REST API hosted on AWS. The developer wants to use Cognito to authorize API requests. The API Gateway is configured with a Cognito User Pool authorizer. However, when testing, the API returns a 401 Unauthorized error even though the user is authenticated. The developer verified that the user exists in the user pool and the ID token is valid. What is the MOST likely cause and solution?

Question 231easymultiple choice
Read the full Security explanation →

A company has an S3 bucket that contains sensitive financial data. The security team requires that all access to the bucket be logged for audit purposes. The developer needs to enable logging that captures who accessed the bucket, the actions performed, and the source IP addresses. The logs must be stored in a separate bucket for security. Which solution meets these requirements?

Question 232mediummultiple choice
Read the full Security explanation →

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that all objects uploaded to the bucket are automatically encrypted using server-side encryption with AWS KMS (SSE-KMS). A developer uploads an object without specifying any encryption header. The upload succeeds, but the object is not encrypted. What is the most likely cause?

Question 233hardmultiple choice
Read the full Security explanation →

A developer is configuring cross-account access to an S3 bucket. The bucket in Account A has a bucket policy granting access to an IAM role in Account B. The IAM role's trust policy allows the developer's IAM user in Account B to assume the role. When the developer tries to access the bucket from Account B using the assumed role, they receive an Access Denied error. Which additional step is required to resolve this?

Question 234easymultiple choice
Read the full Security explanation →

A developer needs to allow an EC2 instance to access an S3 bucket securely without storing long-term credentials on the instance. Which AWS service should be used to provide temporary credentials?

Question 235mediummultiple choice
Read the full Security explanation →

A company's security policy requires that all data in transit between an Application Load Balancer (ALB) and its backend EC2 instances be encrypted. The ALB currently uses HTTPS listeners. What configuration ensures encryption between the ALB and targets?

Question 236hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. An IAM policy attached to a user includes the above statement. The user uploads an object to the S3 bucket without specifying any encryption header. What is the outcome?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 237easymultiple choice
Read the full Security explanation →

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. What is the MOST secure way to grant the necessary permissions?

Question 238mediummultiple choice
Read the full Security explanation →

A developer needs to encrypt secrets (database passwords) that are used by an application running on EC2. The application retrieves the secrets at startup. Which combination of services provides the MOST secure and manageable solution?

Question 239mediummulti select
Read the full Security explanation →

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS databases. Which TWO actions are required to secure the database instances?

Question 240hardmulti select
Read the full Security explanation →

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application requires that only authenticated users can invoke the API, and the data must be encrypted at rest. Which THREE steps should the developer take?

Question 241easymulti select
Read the full Security explanation →

A developer is using AWS KMS to encrypt data. Which TWO are valid operations that can be performed using KMS?

Question 242mediummulti select
Read the full Security explanation →

A company wants to audit access to their S3 buckets. Which TWO services can be used to log and monitor S3 API calls?

Question 243hardmulti select
Read the full Security explanation →

A developer is deploying an application on EC2 that must access an S3 bucket and an SQS queue. The developer wants to follow the principle of least privilege. Which THREE steps should be taken?

Question 244hardmultiple choice
Read the full Security explanation →

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team discovers that the application is vulnerable to SQL injection attacks. The team wants to implement a web application firewall (WAF) to block these attacks. The architecture includes an ALB, EC2 instances in an Auto Scaling group, and an RDS database. The ALB currently has a listener on port 443 with an SSL certificate. The developer must integrate AWS WAF with minimal changes to the existing infrastructure. Which action should the developer take?

Question 245mediummultiple choice
Read the full Security explanation →

A developer is managing an application that uses Amazon S3 to store user-uploaded images. The application generates thumbnails using AWS Lambda and stores them in a separate S3 bucket. The security team requires that all objects in both buckets be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The developer has configured the Lambda function to use an IAM role with permissions to call KMS Encrypt and Decrypt. However, when a user uploads an image, the Lambda function fails to write the thumbnail with an 'Access Denied' error. The upload bucket has default encryption set to SSE-KMS. What is the MOST likely cause of the failure?

Question 246easymultiple choice
Read the full Security explanation →

A developer needs to share an S3 bucket with a third-party AWS account. The third-party will upload files to the bucket using their own IAM users. The developer creates a bucket policy that grants s3:PutObject to the third-party account's root user. However, the third-party reports that their IAM users cannot upload files. What is the MOST likely reason?

Question 247hardmultiple choice
Read the full Security explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets across all accounts have server-side encryption enabled. They have created an SCP that denies the s3:PutBucketAcl action unless the request includes the x-amz-server-side-encryption header. However, some application teams report that they cannot create buckets even when they include the required header. What is the MOST likely cause of this issue?

Question 248hardmultiple choice
Read the full Security explanation →

A developer is deploying a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party OIDC provider. The developer wants to minimize latency and avoid managing sessions. What is the BEST approach to achieve this?

Question 249mediummultiple choice
Read the full Security explanation →

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that the encryption keys be rotated every 90 days and that access to the keys be auditable. Which solution meets these requirements with the LEAST operational overhead?

Question 250mediummultiple choice
Read the full Security explanation →

A developer is building a web application that stores user session data in an ElastiCache Redis cluster. The cluster is in a VPC and is not publicly accessible. The developer needs to ensure that data in transit is encrypted. What should the developer do?

Question 251easymultiple choice
Read the full Security explanation →

A company has a DynamoDB table that stores personally identifiable information (PII). A developer needs to allow a Lambda function to read and write to this table. What is the MOST secure way to grant the Lambda function access?

Question 252easymultiple choice
Read the full Security explanation →

A developer is creating a new IAM policy to allow users to list objects in a specific S3 bucket. The policy must follow the principle of least privilege. Which policy statement should the developer use?

Question 253mediummultiple choice
Read the full Security explanation →

A company uses AWS Secrets Manager to rotate database credentials. The rotation process uses a Lambda function that updates the secret. The developer notices that the rotation sometimes fails because the Lambda function does not have permission to update the secret. What is the MOST likely cause?

Question 254hardmultiple choice
Read the full Security explanation →

A developer is deploying an application on Amazon ECS with Fargate. The application needs to access an S3 bucket that contains sensitive data. The developer wants to avoid storing AWS credentials in the container image. What is the MOST secure way to grant the application access to the S3 bucket?

Question 255easymultiple choice
Read the full Security explanation →

A developer needs to allow a user to deploy AWS CloudFormation stacks but restrict the user from creating or modifying IAM resources. Which IAM policy should the developer attach to the user?

Question 256mediummultiple choice
Read the full Security explanation →

A company has an S3 bucket that stores log files. The bucket policy grants the AWSServiceRoleForSSO service role write access. However, the logs are not being written. What is the MOST likely reason?

Question 257hardmulti select
Read the full Security explanation →

A developer is designing a system that uses AWS KMS to encrypt data. Which of the following are valid ways to grant a user permission to decrypt data using a KMS key? (Select TWO.)

Question 258mediummulti select
Read the full Security explanation →

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which of the following are true about RDS encryption? (Select THREE.)

Question 259mediummultiple choice
Read the full Security explanation →

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A security audit reveals that the S3 bucket policy allows access from any AWS account. Which combination of actions should be taken to secure the bucket?

Question 260hardmultiple choice
Read the full Security explanation →

A developer is configuring cross-account access for an S3 bucket. The source account (111111111111) wants to allow the target account (222222222222) to write objects to the bucket. The developer attaches the following bucket policy. However, the write operation fails with AccessDenied. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Question 261easymultiple choice
Read the full Security explanation →

A developer wants to securely store database credentials used by a Lambda function. The credentials should be automatically rotated every 90 days. Which service should be used?

Question 262mediummultiple choice
Read the full Security explanation →

A company has an S3 bucket that stores sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. Additionally, they want to enforce that objects are not uploaded without encryption. Which bucket policy should be used?

Question 263hardmultiple choice
Read the full Security explanation →

A Lambda function needs to read from a DynamoDB table and send messages to an SQS queue. The function's IAM role should follow the principle of least privilege. Which policy statement should be attached to the role?

Question 264easymultiple choice
Read the full Security explanation →

A developer is using the AWS CLI to upload a file to an S3 bucket with server-side encryption. The bucket is configured with default encryption (SSE-S3). The developer wants to ensure the object is encrypted with SSE-KMS instead. What should the developer do?

Question 265mediummultiple choice
Read the full Security explanation →

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet without internet access. Which method should be used to grant the instance access to DynamoDB securely?

Question 266hardmultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that all KMS keys are rotated every year. Which action should be taken?

Question 267easymultiple choice
Read the full Security explanation →

A developer needs to allow an IAM user to perform only specific actions on an S3 bucket. Which type of policy should be attached to the IAM user?

Question 268mediummulti select
Read the full Security explanation →

A company wants to audit all API calls made in their AWS account for security analysis. Which TWO services should be used together to achieve this?

Question 269hardmulti select
Read the full Security explanation →

A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?

Question 270mediummulti select
Read the full Security explanation →

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and in transit. Which THREE measures should be implemented?

Question 271hardmulti select
Read the full Security explanation →

A developer is troubleshooting an AccessDenied error when a Lambda function tries to write to CloudWatch Logs. The function's IAM role includes the following policy. Which TWO missing permissions are causing the error? (Choose TWO.)

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    }
  ]
}
Question 272easymulti select
Read the full Security explanation →

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which THREE actions are required?

Question 273hardmultiple choice
Read the full Security explanation →

A company runs a containerized application on Amazon ECS using Fargate. The application needs to access an S3 bucket to read configuration files and a DynamoDB table to store session state. The ECS task role is configured with the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "dynamodb:PutItem",
        "dynamodb:GetItem"
      ],
      "Resource": "*"
    }
  ]
}

The application fails to read from the S3 bucket and write to DynamoDB. The error messages indicate AccessDenied. The S3 bucket has a bucket policy that denies all access unless the request includes a specific aws:SourceIp condition. The DynamoDB table has a resource-based policy that allows access only from the VPC endpoint. The ECS tasks are running in a private subnet with a VPC endpoint for DynamoDB but no VPC endpoint for S3. Which action should be taken to resolve the errors?

Question 274mediummultiple choice
Read the full Security explanation →

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout. Which action should be taken to resolve this issue?

Question 275easymultiple choice
Read the full Security explanation →

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which IAM policy statement should be attached?

Question 276hardmultiple choice
Read the full Security explanation →

A developer is using AWS KMS to encrypt data in an S3 bucket. The developer wants to ensure that the S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) by default. Which configuration should be applied?

Question 277mediummultiple choice
Read the full Security explanation →

A company uses AWS IAM roles to grant permissions to EC2 instances. An application running on an instance fails to access an S3 bucket. The IAM role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. What is the likely cause?

Question 278easymultiple choice
Read the full Security explanation →

A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?

Question 279hardmultiple choice
Read the full Security explanation →

A company uses AWS CloudTrail to log all API calls. The security team wants to be notified immediately when an IAM user creates a new access key. Which solution is most efficient?

Question 280mediummultiple choice
Read the full Security explanation →

A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?

Question 281easymultiple choice
Read the full Security explanation →

A developer is building a web application that must encrypt data in transit between the client and the server. Which AWS service should be used to offload SSL/TLS termination?

Question 282hardmultiple choice
Read the full Security explanation →

A company has an S3 bucket that contains sensitive data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS. Which combination of actions will enforce this?

Question 283mediummulti select
Read the full Security explanation →

A developer is configuring a VPC-attached Lambda function to access a DynamoDB table. Which TWO steps are required to ensure the Lambda function can securely access DynamoDB? (Select TWO.)

Question 284hardmulti select
Read the full Security explanation →

A security audit reveals that an S3 bucket is publicly accessible. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. Which TWO actions should be taken to remediate this issue? (Select TWO.)

Question 285easymulti select
Read the full Security explanation →

A developer is creating an IAM policy for a Lambda function that needs to read from an SQS queue and write to a DynamoDB table. Which THREE permissions are required? (Select THREE.)

Question 286mediummultiple choice
Read the full Security explanation →

Given the IAM policy above, what is the effective permission for an IAM user?

Exhibit

Refer to the exhibit.
IAM Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
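The exhibits in Questions 199, 216, 236 and 286 all turn on the same three IAM evaluation rules: an explicit Deny beats any Allow, an Allow is needed for everything else, and a Condition whose key is missing from the request context fails for ordinary operators (and matches for negated ones such as StringNotEquals and NotIpAddress). The evaluator below is an added example written for this page, not AWS's engine and not part of the question bank; it models only a single identity policy with StringEquals, StringNotEquals, IpAddress and NotIpAddress. The policies are copied from those four exhibits; the requests run against them are constructed.

```python
"""Minimal IAM identity-policy evaluator (added example, not AWS's engine).

Models one identity policy: explicit Deny wins, an Allow is required for
everything else, and a Condition whose key is absent from the request
context fails (for negated operators, matches). Policies below are the
exhibits from Questions 199, 216, 236 and 286; requests are constructed.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_any_cidr(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, context):
    """Every operator/key pair must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: an absent key is "not equal", so it matches.
                if actual is not None and actual in expected:
                    return False
            elif operator == "IpAddress":
                if actual is None or not _in_any_cidr(actual, expected):
                    return False
            elif operator == "NotIpAddress":
                if actual is not None and _in_any_cidr(actual, expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_applies(stmt, request):
    for unsupported in ("NotAction", "NotResource", "Principal", "NotPrincipal"):
        if unsupported in stmt:
            raise ValueError(f"{unsupported} not modelled")
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    action_ok = any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_matches(stmt.get("Condition", {}), request.get("context", {}))


def evaluate(policy, request):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one identity policy."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, request)}
    if "Deny" in effects:
        return "explicit deny"
    if "Allow" in effects:
        return "allow"
    return "implicit deny"


# Question 199 exhibit: allow reads, but deny everything under confidential/.
Q199 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/confidential/*"},
]}
# Question 216 exhibit: reads allowed only when the caller's source IP is in 10.0.0.0/16.
Q216 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
]}
# Question 236 exhibit: uploads allowed only when the SSE header is exactly AES256.
Q236 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
]}
# Question 286 exhibit: everything on my-bucket except deleting objects.
Q286 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-bucket/*"},
]}


def demo():
    """Constructed requests against each exhibit policy; returns name -> decision."""
    obj = "arn:aws:s3:::example-bucket/confidential/report.pdf"
    return {
        "q199_get_confidential": evaluate(Q199, {"action": "s3:GetObject", "resource": obj}),
        "q199_get_public": evaluate(Q199, {"action": "s3:GetObject", "resource": "arn:aws:s3:::example-bucket/public/a.txt"}),
        "q216_from_10_0_1_5": evaluate(Q216, {"action": "s3:GetObject", "resource": obj, "context": {"aws:SourceIp": "10.0.1.5"}}),
        # Through a VPC endpoint aws:SourceIp is absent, so an IpAddress condition can never match.
        "q216_no_source_ip": evaluate(Q216, {"action": "s3:GetObject", "resource": obj}),
        "q236_no_header": evaluate(Q236, {"action": "s3:PutObject", "resource": obj}),
        "q236_aes256": evaluate(Q236, {"action": "s3:PutObject", "resource": obj, "context": {"s3:x-amz-server-side-encryption": "AES256"}}),
        "q236_aws_kms": evaluate(Q236, {"action": "s3:PutObject", "resource": obj, "context": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        "q286_delete": evaluate(Q286, {"action": "s3:DeleteObject", "resource": "arn:aws:s3:::my-bucket/x"}),
        "q286_list": evaluate(Q286, {"action": "s3:ListBucket", "resource": "arn:aws:s3:::my-bucket"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

Two caveats when carrying this over to a real account: AWS evaluates the union of identity policies, resource policies, permissions boundaries, session policies and SCPs, so a single-policy result is only one input to the decision; and aws:SourceIp is the address AWS sees (after NAT) and is absent entirely for requests that arrive through a VPC endpoint, which is why IpAddress allows silently stop matching and NotIpAddress denies start firing for endpoint traffic.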
Question 287hardmultiple choice
Read the full Security explanation →

Based on the CloudTrail log entry, which security concern should be investigated?

Exhibit

Refer to the exhibit.
CloudTrail log entry:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/MySession",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "arn": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "attributes": {
        "creationDate": "2024-01-15T10:00:00Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-01-15T10:05:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "instancesSet": {
      "items": [
        {
          "imageId": "ami-0abcdef1234567890"
        }
      ]
    }
  }
}
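A responder looking at the Question 287 record would want a repeatable check rather than an eyeball read of the JSON. The script below is an added example for this page, not the page's answer key and not an AWS tool: it parses one CloudTrail record and returns finding codes for a privileged role session used without MFA and for a source address outside an expected network. The sample event is constructed from the exhibit; the role-name hints and the trusted source range are assumptions made for the example.

```python
"""Triage check for a CloudTrail record (added example; not the page's answer key).

Returns finding codes for one event. The sample event is constructed from
the Question 287 exhibit; PRIVILEGED_ROLE_HINTS and TRUSTED_SOURCES are
assumptions for this example and would come from your own inventory.
"""
import ipaddress
import json

PRIVILEGED_ROLE_HINTS = ("admin", "poweruser")                  # assumption
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]     # assumption: corporate egress

# Constructed from the exhibit above.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/MySession",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/AdminRole"},
            "attributes": {"creationDate": "2024-01-15T10:00:00Z", "mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2024-01-15T10:05:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.5",
    "userAgent": "console.amazonaws.com",
}


def triage(event):
    """Return a list of finding codes for one CloudTrail record (dict or JSON string)."""
    if isinstance(event, str):
        event = json.loads(event)
    findings = []

    ident = event.get("userIdentity", {})
    session = ident.get("sessionContext", {})
    issuer_arn = session.get("sessionIssuer", {}).get("arn", "")
    role_name = issuer_arn.rsplit("/", 1)[-1].lower()
    # CloudTrail records mfaAuthenticated as the string "true"/"false".
    mfa = session.get("attributes", {}).get("mfaAuthenticated") == "true"
    privileged = any(hint in role_name for hint in PRIVILEGED_ROLE_HINTS)
    if ident.get("type") == "AssumedRole" and privileged and not mfa:
        findings.append("privileged-role-session-without-mfa")

    src = event.get("sourceIPAddress", "")
    try:
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_SOURCES):
            findings.append("source-ip-outside-allowlist")
    except ValueError:
        # Calls AWS services make on your behalf carry a service DNS name here, not an IP.
        pass
    return findings


def demo():
    """The exhibit event plus a benign control (MFA present, trusted network)."""
    benign = json.loads(json.dumps(SAMPLE_EVENT))
    benign["userIdentity"]["sessionContext"]["attributes"]["mfaAuthenticated"] = "true"
    benign["sourceIPAddress"] = "198.51.100.7"
    return {"exhibit": triage(SAMPLE_EVENT), "benign": triage(benign)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

Run against a real trail, feed it the `Records` array of each delivered log file; for role sessions created by EC2 instance profiles or other automation, mfaAuthenticated is expected to be false, so the MFA finding should be scoped to human-assumable roles rather than applied to every AssumedRole record.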
Question 288easymultiple choice
Read the full Security explanation →

What is required for the Lambda function to access the code in the S3 bucket?

Exhibit

Refer to the exhibit.
CloudFormation template snippet:
Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: my-code-bucket
        S3Key: my-function.zip
      Role: arn:aws:iam::123456789012:role/LambdaExecutionRole
      Runtime: python3.9
      Handler: index.handler
Question 289mediummultiple choice
Read the full Security explanation →

A developer is configuring an S3 bucket to host a static website. The bucket policy allows public read access. However, users receive a 403 Forbidden error when accessing the website. What is the most likely cause?

Question 290easymultiple choice
Read the full Security explanation →

A developer needs to grant a Lambda function read-only access to an S3 bucket. Which IAM entity should be used to attach the permissions?

Question 291hardmultiple choice
Read the full Security explanation →

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet. What is the most secure way to grant access without using long-lived credentials?

Question 292mediummultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt S3 objects. A developer needs to allow an IAM user to decrypt objects but not encrypt them. Which IAM policy action should be allowed?

Question 293hardmultiple choice
Read the full Security explanation →

A developer is using AWS Secrets Manager to rotate database credentials automatically. The rotation fails with the error 'The secret value is not valid JSON.' What is the most likely cause?

Question 294easymultiple choice
Read the full Security explanation →

A developer needs to enforce encryption in transit for all traffic between an application and an RDS database. Which configuration should be used?

Question 295mediummultiple choice
Read the full Security explanation →

A developer has an IAM policy that allows 's3:GetObject' for a specific S3 bucket. However, when the developer tries to download an object using the AWS CLI, access is denied. What could be the issue?

Question 296easymultiple choice
Read the full Security explanation →

A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?

Question 297hardmultiple choice
Read the full Security explanation →

A company's S3 bucket policy includes a condition that uses 'aws:SourceIp' to restrict access to a specific IP range. However, requests from that IP range are still denied. What is a possible reason?

Question 298mediummulti select
Read the full Security explanation →

A developer is designing a system that must meet PCI DSS compliance. Which THREE AWS services can help with logging and monitoring security events?

Question 299hardmulti select
Read the full Security explanation →

Which TWO actions should a developer take to securely manage database credentials in a serverless application?

Question 300easymulti select
Read the full Security explanation →

Which THREE practices help protect data at rest in Amazon S3?

Question 301mediummulti select
Read the full Security explanation →

A developer is troubleshooting an issue where an IAM user cannot perform 's3:ListBucket' on a bucket. Which TWO factors could cause this denial?

Question 302hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. An IAM policy allows s3:GetObject for a bucket only from a specific IP range. A developer accesses the bucket from a laptop with IP address 192.0.2.55, but access is denied. What is the most likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 303mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer runs the AWS CLI command to decrypt a file using a KMS key. The command fails with an AccessDeniedException. What is the most likely cause?

Exhibit

Refer to the exhibit.
$ aws kms decrypt --ciphertext-blob fileb://encrypted.txt --output text --query Plaintext
Question 304mediummultiple choice
Read the full Security explanation →

A company requires that all data in an S3 bucket be encrypted at rest. The security team wants to enforce that only objects encrypted with AWS KMS are allowed. Which S3 bucket policy condition key should be used to deny PutObject requests if the object is not encrypted with KMS?

Question 305hardmultiple choice
Read the full Security explanation →

A developer is using IAM roles for Amazon EC2 to grant permissions to an application. The application makes API calls to DynamoDB and S3. After deploying, the application fails to access DynamoDB. The developer verifies the IAM role has the correct DynamoDB permissions. What is the most likely cause?

Question 306easymultiple choice
Read the full Security explanation →

A developer needs to securely store database credentials for a Lambda function. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

Question 307mediummultiple choice
Read the full Security explanation →

A company hosts a web application on EC2 instances behind an ALB. The application uses cookies to track user sessions. The security team is concerned about session hijacking. Which action should be taken to protect the cookies?

Question 308hardmultiple choice
Read the full Security explanation →

An organization wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The security team needs to deny any console access if MFA is not enabled. Which IAM policy statement should be used?

Question 309easymultiple choice
Read the full Security explanation →

A developer is building a serverless application using AWS Lambda. The Lambda function needs to write logs to CloudWatch Logs. What is the recommended way to grant the necessary permissions?

Question 310mediummultiple choice
Read the full Security explanation →

A company is using Amazon S3 to store sensitive documents. The security team requires that all access to the bucket be logged for audit purposes. Which feature should be enabled?

Question 311hardmultiple choice
Read the full Security explanation →

An application running on EC2 instances in an Auto Scaling group needs to access an S3 bucket. The security team wants to avoid storing long-term AWS credentials on the instances. Which approach should be used?

Question 312easymultiple choice
Read the full Security explanation →

A developer needs to allow an EC2 instance to access a DynamoDB table. Which IAM entity should be attached to the EC2 instance?

Question 313mediummulti select
Read the full Security explanation →

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which options are managed by AWS KMS? (Choose TWO.)

Question 314hardmulti select
Read the full Security explanation →

A developer is designing a system to store sensitive user data in Amazon S3. The data must be encrypted at rest and the encryption keys must be rotated annually. Which services can be used to meet these requirements? (Choose THREE.)

Question 315easymulti select
Read the full Security explanation →

Which of the following are valid ways to secure access to an Amazon S3 bucket? (Choose TWO.)

Question 316mediummultiple choice
Read the full Security explanation →

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The bucket policy allows s3:GetObject for the instance's IAM role, but the application is still getting access denied errors. What is the MOST likely cause?

Question 317hardmultiple choice
Read the full Security explanation →

A company uses AWS Secrets Manager to rotate database credentials for an RDS MySQL instance. The rotation Lambda function fails with the error: 'Secret is scheduled for deletion.' What is the MOST likely cause?

Question 318easymultiple choice
Read the full Security explanation →

A developer needs to grant an IAM user access to list objects in an S3 bucket named 'app-data'. Which IAM policy statement should be used?

Question 319mediummultiple choice
Read the full Security explanation →

A company is using AWS CodeCommit and wants to ensure that all commits are signed with GPG keys. Which approach should be used to enforce this?

Question 320hardmultiple choice
Read the full Security explanation →

A developer is deploying a Lambda function that needs to write logs to CloudWatch Logs. The function's execution role has the AWSLambdaBasicExecutionRole managed policy attached. However, logs are not being written. What is the MOST likely reason?

Question 321easymultiple choice
Read the full Security explanation →

A developer needs to securely store database credentials for a serverless application. Which AWS service should be used?

Question 322hardmultiple choice
Read the full Security explanation →

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The bucket policy also grants access to the role. An application running on the instance is unable to read objects. The instance has the correct instance profile. What is the MOST likely cause?

Question 323mediummultiple choice
Read the full Security explanation →

A developer is creating a Lambda function that requires access to a DynamoDB table. The function will be invoked by an Amazon API Gateway REST API. What is the BEST way to secure this architecture?

Question 324easymultiple choice
Read the full Security explanation →

A company wants to encrypt data at rest in an S3 bucket using server-side encryption. Which option provides the MOST control over the encryption key?

Question 325mediummulti select
Read the full Security explanation →

A developer is building a web application that uses Amazon Cognito for user authentication. Which TWO actions should be taken to secure the application?

Question 326hardmulti select
Read the full Security explanation →

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should be taken?

Question 327easymulti select
Read the full Security explanation →

A developer needs to securely transfer files from an on-premises server to an S3 bucket. Which TWO methods meet the security requirements?

Question 328hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer has attached this resource-based policy to an S3 bucket. The Lambda function 'my-function' is still getting access denied when trying to read objects from the bucket. What is the MOST likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
        }
      }
    }
  ]
}
Question 329mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer ran this CLI command and received the output shown. The application is retrieving the secret but getting an authentication error from the database. What is the MOST likely issue?

Exhibit

Refer to the exhibit.
$ aws secretsmanager get-secret-value --secret-id MySecret
{
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-abc123",
    "Name": "MySecret",
    "VersionId": "abcd-1234",
    "SecretString": "{\"username\":\"admin\",\"password\":\"P@ssw0rd\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1620000000.0
}
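The checks a practitioner would run on a get-secret-value response like the one in the exhibit above, covering both Question 293 (rotation rejecting a secret that is not JSON) and Question 329 (the application retrieving the secret but failing to authenticate). This is an added example, not code from the page or from AWS. It assumes the key names the AWS-provided RDS rotation functions read from the secret (`engine`, `host`, `username`, `password` required; `dbname` and `port` optional); the responses below are constructed from the exhibit.

```python
"""Validate a GetSecretValue response before handing it to a DB driver or
expecting the managed rotation function to accept it. Added example; the
sample responses are constructed from the exhibit."""
import json

# Assumed from the AWS RDS rotation function templates.
REQUIRED_ROTATION_KEYS = ("engine", "host", "username", "password")
OPTIONAL_ROTATION_KEYS = ("dbname", "port")


class SecretFormatError(ValueError):
    """Raised when the secret cannot be used by the application or the rotator."""


def parse_secret_string(response):
    """Return the decoded JSON object from SecretString, or raise."""
    if "SecretString" not in response:
        raise SecretFormatError("secret is binary; rotation expects SecretString JSON")
    try:
        data = json.loads(response["SecretString"])
    except json.JSONDecodeError as exc:
        raise SecretFormatError(f"SecretString is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise SecretFormatError("SecretString must be a JSON object of key/value pairs")
    return data


def missing_rotation_keys(secret):
    """Keys the managed rotation function needs that this secret lacks."""
    return [k for k in REQUIRED_ROTATION_KEYS if k not in secret]


def rotation_readiness(response):
    """(True, '') if the managed rotation function can consume the secret,
    otherwise (False, reason) describing the first problem found."""
    try:
        data = parse_secret_string(response)
    except SecretFormatError as exc:
        return False, str(exc)
    missing = missing_rotation_keys(data)
    if missing:
        return False, "missing keys: " + ", ".join(missing)
    return True, ""


def db_credentials(response):
    """What the application should pass to its DB driver: the parsed fields,
    never the raw SecretString. Also insists on the AWSCURRENT version."""
    if "AWSCURRENT" not in response.get("VersionStages", []):
        raise SecretFormatError("response is not the AWSCURRENT version")
    data = parse_secret_string(response)
    for key in ("username", "password"):
        if not data.get(key):
            raise SecretFormatError(f"secret has no {key!r} field")
    port = data.get("port")
    return {
        "username": data["username"],
        "password": data["password"],
        "host": data.get("host"),
        "port": int(port) if port is not None else None,
        "dbname": data.get("dbname"),
    }


# Constructed from the exhibit: username and password only.
EXHIBIT_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-abc123",
    "Name": "MySecret",
    "VersionId": "abcd-1234",
    "SecretString": "{\"username\":\"admin\",\"password\":\"P@ssw0rd\"}",
    "VersionStages": ["AWSCURRENT"],
    "CreatedDate": 1620000000.0,
}

# The same secret in the shape the managed rotation function expects
# (host and engine values are placeholders).
ROTATABLE_RESPONSE = dict(EXHIBIT_RESPONSE, SecretString=json.dumps({
    "engine": "mysql", "host": "db.example.internal", "username": "admin",
    "password": "P@ssw0rd", "dbname": "app", "port": 3306}))

# A plain-string secret, which is what produces "not valid JSON" on rotation.
PLAIN_RESPONSE = dict(EXHIBIT_RESPONSE, SecretString="P@ssw0rd")
```

`rotation_readiness(EXHIBIT_RESPONSE)` reports the missing `engine` and `host` keys, `rotation_readiness(PLAIN_RESPONSE)` reports the JSON failure, and `db_credentials` is the function an application should call so that the parsed `password` field, not the whole JSON string, reaches the database driver.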
Question 330easymultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket. Users from the 192.0.2.0/24 network can access objects, but users from a different network (203.0.113.0/24) get access denied. What change should be made to allow both networks?

Exhibit

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
Question 331easymultiple choice
Read the full Security explanation →

A company is using AWS KMS to encrypt sensitive data stored in S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the most secure way to achieve this?

Question 332mediummultiple choice
Read the full Security explanation →

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the instance has an IAM role with full S3 access. The instance can access the internet. What is the most likely cause?

Question 333hardmultiple choice
Read the full Security explanation →

A company uses AWS Lambda to process sensitive data. The Lambda function needs to access an RDS database with a password stored in AWS Secrets Manager. The function currently retrieves the secret using the AWS SDK. What is the best practice to secure this setup?

Question 334easymultiple choice
Read the full Security explanation →

A developer needs to grant a Lambda function permission to write logs to CloudWatch Logs. Which IAM entity should be used?

Question 335mediummultiple choice
Read the full Security explanation →

An application running on EC2 needs to access an S3 bucket. The security team wants to avoid using long-term access keys. What is the most secure approach?

Question 336hardmultiple choice
Read the full Security explanation →

A company uses AWS CloudFormation to deploy resources. The templates are stored in an S3 bucket. A developer wants to ensure that only authorized users can create stacks from these templates. What should be implemented?

Question 337easymultiple choice
Read the full Security explanation →

A developer is building a web application that must encrypt data in transit. Which AWS service should be used to manage SSL/TLS certificates?

Question 338mediummultiple choice
Read the full Security explanation →

A company has a requirement to automatically rotate database credentials every 30 days. Which AWS service can meet this requirement with minimal development effort?

Question 339hardmultiple choice
Read the full Security explanation →

A developer is debugging an issue where an IAM user cannot list objects in an S3 bucket. The user has the IAM policy in the exhibit attached. What is missing?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    }
  ]
}

Question 340easymulti select
Read the full Security explanation →

Which TWO actions are valid ways to encrypt data at rest in Amazon S3? (Choose TWO.)

Question 341mediummulti select
Read the full Security explanation →

Which THREE components are required to enable encryption in transit for an Application Load Balancer? (Choose THREE.)

Question 342hardmulti select
Read the full Security explanation →

Which TWO security best practices should be applied when using AWS Lambda? (Choose TWO.)

Question 343easymultiple choice
Read the full Security explanation →

An IAM user has the IAM policy in the exhibit attached. What is the effect?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Question 344mediummultiple choice
Read the full Security explanation →

A developer created the IAM role in the exhibit for a Lambda function. The function needs to write logs to CloudWatch Logs. What is missing?

Exhibit

Refer to the exhibit.
$ aws iam get-role --role-name MyLambdaExecutionRole
{
    "Role": {
        "Path": "/",
        "RoleName": "MyLambdaExecutionRole",
        "Arn": "arn:aws:iam::123456789012:role/MyLambdaExecutionRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": null
    }
}
Question 345hardmultiple choice
Read the full Security explanation →

A developer applied the bucket policy in the exhibit to an S3 bucket. What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonHttps",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 346easymultiple choice
Read the full Security explanation →

A developer needs to securely store database credentials for a Lambda function. Which AWS service should be used?

Question 347mediummultiple choice
Read the full Security explanation →

An application uses IAM roles to grant EC2 instances access to S3. The developer notices that the application works correctly in one account but fails with access denied in another account. What is the most likely cause?

Question 348hardmultiple choice
Read the full Security explanation →

A company uses AWS CodePipeline with a cross-account action that deploys to an S3 bucket in another account. The deployment fails with 'Access Denied'. The pipeline role has permissions to assume a role in the target account, and the target role has S3 putObject permissions. What additional configuration is required?

Question 349easymultiple choice
Read the full Security explanation →

A developer wants to securely transmit secrets to an EC2 instance at launch. Which approach is recommended?

Question 350mediummultiple choice
Read the full Security explanation →

A developer is creating an IAM policy to allow a Lambda function to write logs to CloudWatch. Which policy should be attached to the Lambda execution role?

Question 351hardmultiple choice
Read the full Security explanation →

A developer is troubleshooting an IAM policy that is not working as expected. The policy has an Allow effect for s3:PutObject but the user gets AccessDenied. The user also has a Deny policy attached. What is the most likely reason?

Question 352easymultiple choice
Read the full Security explanation →

Which AWS service provides a managed, rotating secret store for database credentials?

Question 353mediummultiple choice
Read the full Security explanation →

A developer is building a serverless application using API Gateway and Lambda. The developer needs to authenticate users with a JWT token. Which API Gateway feature should be used?

Question 354hardmultiple choice
Read the full Security explanation →

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with KMS (SSE-KMS). They want to ensure that only certain IAM roles can decrypt objects. What must be configured?

Question 355easymulti select
Read the full Security explanation →

A developer is creating an IAM policy for an EC2 instance to allow it to read from an S3 bucket. Which of the following are required? (Choose TWO.)

Question 356mediummulti select
Read the full Security explanation →

A company is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. Which permissions are required for the CodeBuild service role? (Choose THREE.)

Question 357hardmulti select
Read the full Security explanation →

A developer needs to securely expose an API running on an EC2 instance behind an Application Load Balancer. The API should only be accessible to authenticated users via a custom authorization header. Which steps should be taken? (Choose TWO.)

Question 358mediummultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated every 90 days. Which key type should the company use to meet this requirement with minimal operational overhead?

Question 359easymultiple choice
Read the full Security explanation →

A developer is creating an IAM policy to allow an EC2 instance to read objects from a specific S3 bucket named 'my-app-data'. The policy should be attached to an IAM role that will be assumed by the EC2 instance. Which policy statement meets this requirement?

Question 360hardmultiple choice
Read the full Security explanation →

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses a PostgreSQL database on RDS. The security team requires that database credentials never be stored in application code or configuration files. Which solution meets this requirement?

Question 361mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer applies this IAM policy to an IAM user. What is the effective result when the user attempts to download an object from the 'confidential' folder in the 'my-company-data' bucket?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-company-data/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-data/confidential/*"
    }
  ]
}
```
Question 362easymultiple choice
Read the full Security explanation →

A developer is troubleshooting an issue where an IAM role assumed by an EC2 instance does not have permission to call the DynamoDB PutItem API. The role has a policy that allows all DynamoDB actions on a specific table. Which of the following is the most likely cause?

Question 363hardmultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer runs the AWS CLI command to decrypt a file using a KMS key alias 'my-key' and receives the error shown. The developer has an IAM policy that allows 'kms:Decrypt' on 'arn:aws:kms:us-east-1:123456789012:key/abcd1234-...'. Which additional step is required to resolve this error?

Exhibit

Refer to the exhibit.
$ aws kms decrypt --ciphertext-blob fileb://encrypted.bin --key-id alias/my-key
Question 364mediummultiple choice
Read the full Security explanation →

A company wants to encrypt data in transit between an Application Load Balancer and its EC2 instances. The instances run a custom web server. Which configuration should the developer implement?

Question 365easymultiple choice
Read the full Security explanation →

A developer needs to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. Which approach is the most secure?

Question 366mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer deploys this CloudFormation template. The Lambda function needs to write objects to an S3 bucket named 'my-app-bucket'. What must the developer add to the template?

Exhibit

Refer to the exhibit.

```yaml
# CloudFormation template snippet
Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code: ...
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.9
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: logs:*
                Resource: '*'
```
Question 367mediummulti select
Read the full Security explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets are encrypted with AES-256 (SSE-S3) and that no public access is allowed. Which TWO methods can be used to enforce these requirements across all accounts? (Choose TWO.)

Question 368hardmulti select
Read the full Security explanation →

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must authenticate users using a third-party OIDC identity provider and authorize each request. Which THREE steps should the developer take? (Choose THREE.)

Question 369easymulti select
Read the full Security explanation →

A developer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. The developer wants to use AWS KMS for key management. Which TWO configurations are valid? (Choose TWO.)

Question 370mediummulti select
Read the full Security explanation →

A company needs to store application secrets such as database passwords and API keys. The secrets must be automatically rotated every 30 days. Which THREE AWS services or features can be used together to meet this requirement? (Choose THREE.)

Question 371hardmulti select
Read the full Security explanation →

A developer is deploying an application that uses Amazon SQS queues. The messages contain sensitive data that must be encrypted at rest. Which TWO actions should the developer take? (Choose TWO.)

Question 372mediummultiple choice
Read the full Security explanation →

Refer to the exhibit. A developer created an IAM role for a Lambda function. When the Lambda function invokes, it fails with an access denied error when trying to write logs to CloudWatch Logs. What is the most likely cause?

Exhibit

Refer to the exhibit.
$ aws iam get-role --role-name MyAppRole
{
    "Role": {
        "Path": "/",
        "RoleName": "MyAppRole",
        "Arn": "arn:aws:iam::123456789012:role/MyAppRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}
Question 373mediummultiple choice
Read the full Security explanation →

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role's trust policy allows the EC2 service, and the permissions policy grants s3:GetObject on the bucket. The application on the instance receives 'Access Denied' errors when trying to read objects. What is the most likely cause?

Question 374easymultiple choice
Read the full Security explanation →

A developer is building a serverless application using AWS Lambda functions that need to read and write to an Amazon DynamoDB table. What is the best practice for granting the Lambda function access to DynamoDB?

Question 375hardmultiple choice
Read the full Security explanation →

A company is designing a multi-account strategy using AWS Organizations. They want to enable cross-account access for developers using IAM roles. Each developer has an IAM user in the 'developers' account. The 'production' account has an IAM role 'AdminRole' that can be assumed by the 'developers' account. Which trust policy should be attached to 'AdminRole'?

Question 376mediummultiple choice
Read the full Security explanation →

A developer is using AWS Secrets Manager to store database credentials. The application runs on EC2 and needs to retrieve the secret. Which approach is the most secure?

Question 377hardmultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt data in Amazon S3. They have a Customer Master Key (CMK) with key rotation enabled. The S3 bucket has default encryption using SSE-KMS with this CMK. An application writes objects to the bucket. Which statement about the encryption is correct?

Question 378easymultiple choice
Read the full Security explanation →

A developer needs to grant an IAM user in Account A access to an S3 bucket in Account B. What is the correct combination of policies?

Question 379mediummultiple choice
Read the full Security explanation →

A developer is troubleshooting an issue where an AWS Lambda function cannot write logs to Amazon CloudWatch Logs. The Lambda function has an execution role with a policy that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Which additional configuration is likely missing?

Question 380hardmultiple choice
Read the full Security explanation →

An application uses Amazon Cognito user pools for authentication. A developer wants to restrict access to an API Gateway endpoint to only authenticated users from a specific user pool. What is the best approach?

Question 381easymultiple choice
Read the full Security explanation →

A developer is using AWS Certificate Manager (ACM) to provision an SSL/TLS certificate for a website hosted on CloudFront. The certificate must be renewed automatically. What is the correct action?

Question 382mediummulti select
Read the full Security explanation →

A company wants to encrypt data at rest in Amazon RDS for MySQL. Which TWO actions should be taken?

Question 383hardmulti select
Read the full Security explanation →

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a Lambda function. Which THREE practices should be followed to ensure security?

Question 384easymulti select
Read the full Security explanation →

Which TWO AWS services can be used to protect an application running on EC2 from common web exploits like SQL injection and cross-site scripting?

Question 385mediummultiple choice
Read the full Security explanation →

An IAM policy is attached to a user. The user tries to delete an object in 'example-bucket' from IP address 198.51.100.5. What happens?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
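A small simulator of the IAM decision logic that Questions 286, 302, 330, 345, 361 and 385 all exercise, added here as a worked example (not code from the page or from AWS). It models the three outcomes AWS documents (explicit deny, allow, implicit deny), wildcard matching on actions and resource ARNs, and the `IpAddress`, `NotIpAddress`, `StringEquals`, `StringNotEquals` and `Bool` condition operators; it does not model `Principal`, `NotAction` or `NotResource`, and it assumes the caller is the principal the policies name. The policies and request contexts are constructed in the shape of the exhibits.

```python
"""Simplified simulator of the IAM decision logic behind the policy exhibits
above: an explicit Deny wins over any Allow, a request succeeds only when an
Allow statement matches it, and statements may carry IpAddress, NotIpAddress,
StringEquals, StringNotEquals or Bool conditions. Principal, NotAction and
NotResource are not modelled. Added example, not code from the page or from
AWS; the policies and request contexts below are constructed."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(actual, cidrs):
    addr = ipaddress.ip_address(actual)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, ctx):
    """True when every operator/key pair of a Condition block matches ctx.
    Negated operators match when the key is absent from the request, as IAM
    does; positive operators do not."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "IpAddress":
                ok = actual is not None and _ip_in(actual, wanted)
            elif operator == "NotIpAddress":
                ok = actual is None or not _ip_in(actual, wanted)
            elif operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                # Plain string comparison, no CIDR parsing: "198.51.100.5" !=
                # "203.0.113.0/24" and so is "203.0.113.5", so a CIDR placed in
                # StringNotEquals denies every source address.
                ok = actual not in wanted
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == wanted[0].lower()
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in actions):
        return False
    resources = _as_list(stmt.get("Resource", "*"))
    if not any(fnmatch.fnmatchcase(resource, p) for p in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Decide one request against a list of policy documents (an identity
    policy and a same-account bucket policy are evaluated together).
    Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # one matching Deny settles it
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policies in the shape of the exhibits above.
ALLOW_ALL_BUT_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-bucket/*"}]}

DENY_NON_HTTPS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyNonHttps", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

DENY_DELETE_BY_STRING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"aws:SourceIp": "203.0.113.0/24"}}}]}
```

Two results worth checking by hand. `evaluate([DENY_DELETE_BY_STRING], "s3:DeleteObject", ..., {"aws:SourceIp": "203.0.113.5"})` is still `ExplicitDeny`, because string operators never parse CIDRs; `NotIpAddress` is the operator that carves out a network. And for the `IpAddress` exhibits, the value to pass as `aws:SourceIp` is the public address AWS sees the request arrive from, which for a laptop behind NAT is the gateway's egress address rather than the laptop's own.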
Question 386hardmultiple choice
Read the full Security explanation →

An EC2 instance is running with an IAM instance profile. The application on the instance is trying to access an S3 bucket, but receives 'Access Denied'. The instance profile has a role with a policy that allows s3:GetObject on the bucket. What is a likely cause?

Exhibit

Refer to the exhibit.
$ aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Reservations[0].Instances[0].IamInstanceProfile'
{
    "Arn": "arn:aws:iam::123456789012:instance-profile/MyProfile",
    "Id": "AIPAIXXXXXXXXXXXXXX"
}
Question 387easymultiple choice
Read the full Security explanation →

A developer runs a CloudTrail lookup command and sees a CreateKey event. What does this event represent?

Exhibit

Refer to the exhibit.
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateKey --query 'Events[0]'
{
    "EventId": "abc123",
    "EventName": "CreateKey",
    "ReadOnly": false,
    "Username": "admin",
    "EventTime": "2024-01-01T00:00:00Z",
    "Resources": [
        {
            "ResourceName": "my-key",
            "ResourceType": "AWS::KMS::Key"
        }
    ]
}
Question 388mediummultiple choice
Read the full Security explanation →

A developer is building a serverless application using AWS Lambda and API Gateway. The Lambda function needs to access a DynamoDB table that stores sensitive customer data. The developer wants to follow the principle of least privilege. Which IAM role configuration should be used?

Question 389hardmultiple choice
Read the full Security explanation →

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

Question 390easymultiple choice
Read the full Security explanation →

A developer needs to securely store database credentials used by an application running on EC2. Which AWS service should be used?

Question 391 (medium, multiple choice)

A company wants to allow cross-account access to an S3 bucket in Account A from a role in Account B. The S3 bucket policy in Account A allows the role's ARN. However, access is denied. What is the most likely missing step?

Question 392 (hard, multiple choice)

An application running on EC2 needs to access an S3 bucket. The developer has assigned an IAM role to the EC2 instance with a policy that allows s3:GetObject on the bucket. However, the application is still getting access denied errors. What should the developer check?

Question 393 (easy, multiple choice)

A developer wants to encrypt data in transit between an API Gateway REST API and its clients. Which configuration should be used?

Question 394 (medium, multiple choice)

A company is using AWS CodeCommit and wants to ensure that all commits are signed with a GPG key. What must the developer configure?

Question 395 (hard, multiple choice)

A Lambda function needs to write logs to CloudWatch Logs. The developer attaches an IAM role with a policy that allows logs:CreateLogGroup and logs:PutLogEvents. However, logs are not appearing. What is the most likely cause?

Question 396 (easy, multiple choice)

A developer needs to generate temporary credentials for a user to access an S3 bucket for 30 minutes. Which AWS service should be used?

Question 397 (medium, multi-select)

A company is implementing a CI/CD pipeline using AWS CodePipeline and CodeBuild. The pipeline deploys a serverless application. Which TWO actions should be taken to securely manage the database credentials used by the application?

Question 398 (hard, multi-select)

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. Which TWO additional checks should the developer perform to resolve the issue?

Question 399 (medium, multi-select)

A company is using AWS Lambda functions that access an RDS database. Which THREE practices should be followed to secure the database credentials?

Question 400 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted using SSE-KMS with a specific KMS key from the central security account. They also want to prevent any unencrypted bucket creation. A developer in the development account creates a new S3 bucket and enables default encryption using SSE-S3. The bucket creation succeeds, but the security team wants to prevent this. The developer argues that the bucket still encrypts data at rest. Compliance requires SSE-KMS only. What should the security team do to enforce this policy across all accounts?

Question 401 (medium, multiple choice)

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The developer creates a certificate in AWS Certificate Manager (ACM) and associates it with the ALB listener on port 443. However, when users access the application, they receive a browser warning that the connection is not secure. The ALB is configured with a default SSL/TLS policy. What is the most likely cause of the issue?

Question 402 (easy, multiple choice)

A company has a centralized logging solution where all EC2 instances send logs to a CloudWatch Logs group in a central account. The EC2 instances are in a different account (App Account). The developer configures the CloudWatch agent on the instances with the necessary IAM role. However, logs are not appearing in the central account's log group. The IAM role in the App Account has permissions to put logs to the central account's log group. What is the most likely missing configuration?

Question 403 (medium, multiple choice)

A company uses an S3 bucket to store sensitive customer data. The bucket policy currently allows access to a specific IAM role used by an EC2 instance. A security audit reveals that the bucket is also accessible from an external AWS account. Which action should the security team take to restrict access to only the intended role?

Question 404 (hard, multiple choice)

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. However, the application receives an AccessDenied error. The bucket policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

The EC2 instance is using the correct IAM role. What is the most likely cause of the error?

Question 405 (easy, multiple choice)

A developer needs to securely store database credentials for a Lambda function. The credentials should be automatically rotated every 30 days. Which AWS service should the developer use?

Question 406 (hard, multiple choice)

A company uses an AWS Lambda function to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. The Lambda function is configured with an IAM role that has policies allowing s3:GetObject on the bucket and dynamodb:PutItem on the table. Despite correct permissions, the function fails with an AccessDenied error when trying to put items. What is the most likely cause?

Question 407 (medium, multiple choice)

A developer is designing a serverless application using API Gateway, Lambda, and DynamoDB. The API must authenticate users using a JWT token. Which API Gateway feature should the developer use to validate the JWT before invoking the Lambda function?

Question 408 (easy, multiple choice)

A company wants to encrypt data at rest in an S3 bucket. Which AWS service can provide encryption keys that are managed by AWS and rotated automatically?

Question 409 (hard, multiple choice)

A developer is deploying an application on EC2 instances behind an Application Load Balancer. The application must support mutual TLS (mTLS) authentication between clients and the load balancer. Which configuration is required?

Question 410 (medium, multi-select)

A company is using AWS KMS to encrypt data in S3. Which TWO actions are required to allow an IAM user to decrypt objects in a specific S3 bucket?

Question 411 (hard, multi-select)

A developer is configuring an S3 bucket to host a static website. The bucket must be accessible to anyone on the internet, but only for reading objects. Which THREE steps are necessary? (Choose THREE.)

Question 412 (medium, multi-select)

A company wants to securely store database credentials for a Lambda function. The credentials must be automatically rotated. Which TWO services should be used together?

Question 413 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AES-256 using SSE-S3. They also want to automatically remediate any bucket that is created without encryption. The team currently uses AWS CloudFormation StackSets to deploy resources. They need a solution that does not require manual intervention. Which approach should be taken?

Question 414 (medium, multiple choice)

A developer is building a serverless application that processes personally identifiable information (PII). The application uses API Gateway, Lambda, and DynamoDB. The developer needs to ensure that the PII is encrypted at rest in DynamoDB. The company already uses AWS KMS with a customer-managed key for other services. The developer wants to reuse the same KMS key for DynamoDB. After enabling encryption with the KMS key, the Lambda function fails to write to the table with an AccessDenied error. The Lambda execution role has dynamodb:PutItem permission. What is the most likely cause?

Question 415 (easy, multiple choice)

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users using a third-party identity provider that supports SAML 2.0. The company wants to use AWS Identity and Access Management (IAM) to manage user permissions. Which solution should the developer implement?

Question 416 (medium, multiple choice)

A developer is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy to EC2 instances. The application stores sensitive data in an S3 bucket. The developer needs to ensure that the S3 bucket is only accessible from the EC2 instances and not from any other AWS service or account. The EC2 instances have an IAM role that allows s3:GetObject. What additional configuration is required?

Question 417 (hard, multiple choice)

A company has a legacy application running on an EC2 instance that stores database credentials in a plain text configuration file. The security team requires that credentials be stored securely and rotated every 90 days. The developer must minimize changes to the application code. The application currently reads the configuration file from the file system. Which solution meets these requirements?

Question 418 (medium, multiple choice)

A company is using an S3 bucket to store sensitive documents. They need to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. The bucket policy must enforce encryption by denying uploads that do not specify the required encryption. Which bucket policy statement should be added?

Question 419 (hard, multiple choice)

A developer is troubleshooting an IAM policy that is supposed to allow a Lambda function to read objects from an S3 bucket. The Lambda function role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket/*","arn:aws:s3:::example-bucket"]}]}. Despite this, the Lambda function receives an AccessDenied error when trying to read objects. What is the most likely cause?

Question 420 (easy, multiple choice)

An application running on EC2 instances needs to access an S3 bucket securely. Which of the following is the BEST practice for managing credentials?

Question 421 (easy, multiple choice)

A developer needs to allow an IAM user to manage only their own access keys (create, list, update, delete). Which IAM policy statement achieves this?

Question 422 (hard, multiple choice)

Refer to the exhibit. An S3 bucket policy is set as shown. A developer tries to download an object from my-bucket using the AWS CLI from an IP address in the 203.0.113.0/24 range. What will happen?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Question 423 (medium, multiple choice)

A company wants to use AWS KMS to encrypt data in an S3 bucket. They need to rotate the CMK annually. Which key type should they use to enable automatic rotation?

Question 424 (medium, multiple choice)

A developer is using CloudFront to serve content from an S3 bucket. The bucket contains sensitive data and should only be accessible through CloudFront. How can the developer enforce this?

Question 425 (easy, multiple choice)

A developer needs to temporarily grant an IAM user permissions to perform a specific task. The permissions should expire after 12 hours. Which approach should the developer use?

Question 426 (hard, multiple choice)

A company has a requirement that all API calls to AWS must be logged and monitored for suspicious activity. They want to receive alerts when root account activity is detected. Which AWS service and configuration should they use?

Question 427 (easy, multiple choice)

A developer is designing a web application that will run on EC2 instances behind an Application Load Balancer. The application needs to authenticate users. Which service should the developer use to manage user identities and provide single sign-on?

Question 428 (hard, multiple choice)

Refer to the exhibit. A developer runs an AWS CLI command on an EC2 instance and receives the error shown. The instance has an IAM role attached with the necessary permissions. What is the most likely cause of this error?

Exhibit

Error: Unable to locate credentials. You can configure credentials by running "aws configure".

Question 429 (medium, multiple choice)

A developer needs to encrypt secrets such as database passwords used by an application running on EC2. Which AWS service should be used to securely store and rotate these secrets?
