© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Security and Compliance

Practice DOP-C02 Security and Compliance questions with full explanations on every answer.

288 questions


All DOP-C02 Security and Compliance questions (288)


1

A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?

2

A company is running a critical application on an Amazon EC2 instance that needs to access an S3 bucket. The application must use temporary credentials that automatically rotate. The DevOps engineer must ensure that the credentials are never stored on disk. Which approach meets these requirements?

3

A DevOps engineer needs to ensure that all API calls made to AWS are recorded for auditing purposes. Which AWS service should be used?

4

A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?

5

A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?

6

A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)

7

A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)

8

A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?

9

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all new member accounts automatically receive a specific AWS Config rule to require encryption on Amazon EBS volumes. Which solution meets this requirement with the least operational overhead?

10

A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)

11

A DevOps engineer applies the S3 bucket policy shown in the exhibit to enforce encryption and secure transport. After applying the policy, users report that they can still upload objects without encryption. What is the most likely cause?

12

Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.

13

Match each AWS security and identity service to its function.

14

A company uses AWS KMS to encrypt data in S3. They want to audit who used which KMS key and when. Which AWS service should they use?

15

A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?

16

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?

17

A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?

18

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest and access should be limited to the security team. Which solution is MOST secure and scalable?

19

A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?

20

A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?

21

A company has a multi-account AWS environment using AWS Organizations. They want to centrally manage user access to all accounts using single sign-on (SSO) and enforce multi-factor authentication (MFA). Which service should they use?

22

A company is using AWS CloudFormation to deploy infrastructure. They need to ensure that all resources created by CloudFormation are tagged with a 'CostCenter' tag. The tag must be applied automatically to all resources in the stack. What should they do?

23

A security engineer is designing a secure VPC architecture for a web application. The application must be isolated from the internet and only accessible through a load balancer. Which TWO actions should the engineer take?

24

A company is migrating to AWS and needs to comply with PCI DSS. They must encrypt all data at rest and in transit. Which THREE services or features should they use?

25

A DevOps engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which TWO methods can achieve this?

26

A company requires that all access to their S3 buckets be encrypted in transit. Which configuration achieves this?

27

A company's security team notices that an IAM user has permissions to terminate EC2 instances but should only be allowed to stop them. The current policy allows ec2:TerminateInstances. What is the most secure way to prevent termination while allowing stop?

28

A DevOps engineer needs to store secrets such as database passwords for a serverless application. Which AWS service is most appropriate?

29

A company uses AWS KMS to encrypt data in S3. The security team requires that the key material be rotated every 90 days. What should be done to meet this requirement?

30

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet that needs to download patches from the internet. Which solution is MOST secure and scalable?

31

A security audit reveals that EC2 instances have security groups with overly permissive inbound rules allowing all traffic (0.0.0.0/0) on SSH port 22. What is the BEST way to remediate this at scale?

32

A company wants to centralize logging of all API calls made within their AWS account for auditing. Which service should they use?

33

A DevOps engineer is designing a CI/CD pipeline that deploys to production. The security team mandates that all code changes must be reviewed and signed off by two senior developers before deployment. How can this be enforced?

34

A company has an AWS Lambda function that processes sensitive data. The function needs to access an RDS database with credentials stored in Secrets Manager. What is the MOST secure way to grant the Lambda function access to the secret?

35

Which TWO actions can be taken to protect an S3 bucket from being publicly accessible? (Select TWO.)

36

Which THREE measures can be taken to ensure that EC2 instances are compliant with a security policy that requires all instances to be in a VPC with specific tags? (Select THREE.)

37

Which TWO AWS services can be used to manage and rotate database credentials automatically? (Select TWO.)

38

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?

39

A DevOps engineer must ensure that all API calls in an AWS account are logged for compliance. The logs should be stored in an S3 bucket with server-side encryption enabled. Which two services should be used together to meet these requirements?

40

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?

41

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. What is the most likely cause?

42

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the destination account is 222222222222. Which policy should be attached to the S3 bucket?

43

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?

44

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?

45

A company needs to store sensitive data in Amazon S3 with encryption at rest. Which option provides the MOST control over the encryption keys?

46

A company has a Lambda function that processes sensitive data and needs to access an RDS database. The security team requires that the database credentials are automatically rotated every 30 days. Which service should be used to store and rotate the credentials?

47

A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)

48

A company has an IAM policy that allows users to manage their own passwords and MFA devices. The policy includes a condition that requires MFA for all API operations except for changing passwords and MFA. Which THREE statements are true about this policy? (Choose THREE.)

49

A company wants to audit all changes to IAM policies in their AWS account. Which THREE services can be used to capture and alert on IAM policy changes? (Choose THREE.)

50

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which AWS service can automatically manage the encryption keys with minimal configuration?

51

A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?

52

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting attacks. Which AWS service should be integrated with the ALB?

53

A company's security team requires that all API calls to AWS are logged for audit purposes. Which service should be enabled to capture and store these logs?

54

A company wants to enforce that S3 buckets are not publicly accessible. Which AWS service can continuously monitor and automatically remediate non-compliant buckets?

55

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for a user in Account B. Which combination of policies is required?

56

A security audit reveals that an IAM user has long-term access keys that have not been rotated in over 90 days. What is the most secure way to enforce key rotation?

57

A company's security policy requires that all data in transit between on-premises and AWS is encrypted. Which AWS service provides a dedicated network connection with encryption?

58

A company needs to store audit logs for 7 years to meet compliance requirements. Which S3 storage class is the most cost-effective for long-term archival?

59

Which TWO actions should a DevOps engineer take to secure an AWS account root user? (Choose 2.)

60

Which THREE services can be used to protect a VPC from malicious traffic? (Choose 3.)

61

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose 2.)

62

Refer to the exhibit. An S3 bucket policy is configured as shown. A user from IP 192.0.2.10 is unable to download an object from the bucket. What is the most likely cause?

63

Refer to the exhibit. A CloudTrail trail named ManagementTrail is configured as shown. Which events will be logged?

64

Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?

65

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with AWS Key Management Service (SSE-KMS) and enforce that all new objects are encrypted. Which bucket policy statement should be added?

66

A DevOps engineer needs to allow an EC2 instance to write logs to CloudWatch Logs. The instance is configured with an instance profile that has the following IAM role attached. Which additional policy is required?

67

A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?

68

An organization needs to audit all AWS API calls made in their account for compliance purposes. Which AWS service should they enable?

69

A company has an S3 bucket containing sensitive data. They need to ensure that all access to the bucket is logged and that any unauthorized access attempts are immediately notified. Which combination of services should be used?

70

A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?

71

A company wants to centrally manage and apply policies across multiple AWS accounts in an AWS Organization. Which service should be used to define and enforce compliance rules?

72

A DevOps team is deploying a web application on EC2 behind an Application Load Balancer. They need to encrypt traffic between the ALB and the EC2 instances. Which action should they take?

73

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. Which configuration change is MOST likely to resolve the issue?

74

Which TWO actions can be taken to secure an Amazon S3 bucket that contains confidential data? (Choose TWO.)

75

Which THREE components are necessary to implement a secure VPC with a public subnet and a private subnet that hosts a database? (Choose THREE.)

76

Which TWO AWS services can be used to manage secrets and database credentials securely? (Choose TWO.)

77

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using customer-managed KMS keys. Additionally, any attempt to upload an unencrypted object must be denied. Which S3 bucket policy should be used?

78

A DevOps engineer is configuring AWS Config rules to detect non-compliant security groups. The rule should trigger if any security group allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS managed Config rule should be used?

79

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?

80

A company is migrating a legacy application to AWS. The application requires cross-account access to an S3 bucket in a different AWS account. The security team wants to follow the principle of least privilege. How should the DevOps engineer configure the access?

81

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

82

A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?

83

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team requires that all artifacts be encrypted at rest and in transit. Which configuration ensures encryption for all stages?

84

A DevOps engineer needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?

85

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?

86

A company is designing a secure CI/CD pipeline using AWS CodePipeline. The pipeline must comply with the principle of least privilege for IAM permissions. Which TWO actions should the DevOps engineer take? (Choose TWO.)

87

A security audit reveals that an S3 bucket contains objects that are publicly accessible. The DevOps engineer must prevent any future public access to the bucket and all objects within it. Which THREE actions should the engineer take? (Choose THREE.)

88

A company wants to protect its AWS account credentials. Which TWO practices are recommended by AWS? (Choose TWO.)

89

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?

90

Refer to the exhibit. A DevOps engineer created an IAM role 'MyLambdaRole' for a Lambda function. The Lambda function needs to write logs to CloudWatch Logs. However, the function is not able to create log streams. What is the most likely missing configuration?

91

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance with the tag 'Environment=production' in us-east-1. What will happen?

92

A company is migrating a legacy application to AWS. The application requires a shared file system accessible from multiple EC2 instances. The compliance team mandates encryption at rest and in transit, with automatic key rotation. Which storage solution meets these requirements?

93

A DevOps engineer needs to ensure that an S3 bucket policy enforces encryption in transit for all access. Which policy statement should be added?

94

A company wants to centrally manage user access to multiple AWS accounts using federated identity. Which AWS service should be used to create a single sign-on (SSO) solution?

95

A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?

96

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

97

An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?

98

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are tamper-proof and can be used to verify integrity. Which feature should be enabled?

99

A DevOps engineer is troubleshooting a failed AWS CodeBuild project. The build fails with an error indicating that the IAM role does not have permission to describe Amazon ECR repositories. The role used by CodeBuild has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:BatchGetImage"],"Resource":"*"}]}. What is the missing permission?

100

A company wants to automatically detect and respond to suspicious activity in their AWS account. Which service should be used to generate alerts based on threat intelligence?

101

A company needs to audit all changes to IAM policies in their AWS account. Which services can be used to track and log these changes? (Select TWO.)

102

A security team wants to enforce that all Amazon S3 buckets in the organization are encrypted at rest. Which actions can achieve this? (Select THREE.)

103

Which AWS services can be used to protect a web application from common web exploits like SQL injection and cross-site scripting? (Select TWO.)

104

A DevOps engineer created the IAM policy shown in the exhibit and attached it to a user. The user tries to upload an object to my-bucket without specifying the ACL. Why does the upload fail?

105

A DevOps engineer executed the CLI command shown in the exhibit. After creation, the security team requires that the log files be encrypted with a KMS key that is rotated every 90 days. The current key is a customer managed key with automatic rotation enabled set to 365 days. What should the engineer do to meet the requirement?

106

Refer to the exhibit. This S3 bucket policy allows the root user of account 111122223333 to perform which actions?

107

A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?

108

A DevOps engineer is configuring AWS Config to detect changes to security group rules. The engineer wants to receive near-real-time notifications when a security group rule that allows inbound SSH traffic is created. Which combination of services and configurations should the engineer use? (Choose the best answer.)

109

A company has a security policy requiring that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. The DevOps engineer needs to enforce this policy. What is the simplest way to achieve this?

110

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail logs. What is the most effective way to enforce this control?

111

A DevOps engineer is designing an AWS Lambda function that needs to read secrets from AWS Secrets Manager. What is the most secure way to provide the Lambda function access to the secret?

112

A company uses AWS CodeBuild to build and test code. The security team requires that all build artifacts be encrypted at rest. Which action should the DevOps engineer take to meet this requirement?

113

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that any changes to IAM roles must be reviewed and approved by a security engineer before deployment. The DevOps engineer needs to implement a gating mechanism. Which approach should the engineer use?

114

A company is using Amazon S3 to store sensitive data. The security team mandates that all data must be encrypted at rest using server-side encryption with AWS Key Management Service (SSE-KMS). The DevOps engineer must ensure that any new objects uploaded to the bucket are automatically encrypted. What should the engineer do?

115

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for users in Account B. The users in Account B must be able to list objects and read them. What is the most secure way to configure this access?

116

A company is using AWS Lambda to process sensitive data. The security team requires that the Lambda function only be invoked from within a specific VPC and that the function's environment variables be encrypted at rest. Which TWO actions should the DevOps engineer take to meet these requirements?

117

A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?

118

A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?

119

Refer to the exhibit. An IAM policy is attached to an IAM user. Which of the following actions will be allowed by this policy?

120

A company has a multi-account AWS environment managed by AWS Organizations. The DevOps team uses AWS CloudFormation StackSets to deploy a standard VPC across all member accounts. The security team has noticed that in some accounts, the VPC is being modified after deployment, allowing inbound SSH access from the internet. The team wants to automatically detect and remediate these changes. The current setup includes: AWS Config enabled in all accounts with a rule that checks for unrestricted SSH access; an SNS topic in the management account that receives compliance change notifications; and a Lambda function in the management account that can remediate by updating the security group rules. However, the remediation is not working consistently. What is the most likely reason, and what is the best solution?

121

A company is using AWS Secrets Manager to store database credentials for a multi-tier application. The application runs on EC2 instances in an Auto Scaling group. The DevOps engineer has configured the instances to retrieve the secret at boot time using a script that calls the AWS CLI. Recently, the security team discovered that the secret was exposed in the instance's user data logs. The engineer needs to implement a more secure method to access the secret without storing it in user data. The application code can be modified. The environment uses IAM roles for EC2. Which solution best meets the security requirements?

122

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which KMS key type should the company use to meet this requirement without manual intervention?

123

A DevOps engineer needs to grant an IAM user temporary access to an S3 bucket for exactly one hour. Which AWS service should be used to generate temporary credentials?

124

Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?

125

A company uses AWS Secrets Manager to store database credentials. The security team requires that secrets be automatically rotated every 30 days. Which rotation strategy should the engineer configure to meet this requirement with minimal operational overhead?

126

A company is deploying a multi-tier application on AWS. The web tier must be publicly accessible, but the application tier must only be accessible from the web tier. The database tier should not be accessible from the internet at all. Which combination of security groups and network ACLs should be used?

127

A DevOps engineer needs to encrypt data in transit between an Application Load Balancer (ALB) and backend EC2 instances. The application uses HTTPS. What is the simplest way to achieve this encryption?

128

A company wants to ensure that all S3 buckets are encrypted at rest by default. Which S3 feature should be enabled at the bucket level to automatically encrypt new objects?

129

A company uses Amazon Inspector to scan EC2 instances for vulnerabilities. The security team discovers that a critical vulnerability is present on an instance, but the instance is part of an Auto Scaling group. What is the MOST efficient way to remediate this vulnerability while ensuring the Auto Scaling group remains operational?

130

Which TWO actions should a DevOps engineer take to prevent an S3 bucket from being publicly accessible? (Choose two.)

131

Which THREE of the following are best practices for managing IAM roles in AWS Organizations? (Choose three.)

132

Which TWO AWS services can be used to monitor for unauthorized API calls in an AWS account? (Choose two.)

133

Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)

134

Which TWO of the following are benefits of using AWS Certificate Manager (ACM) to manage SSL/TLS certificates? (Choose two.)

135

A company runs a production application on Amazon ECS with Fargate launch type. The application uses an RDS MySQL database. The security team requires that all traffic between the application and the database be encrypted in transit. Currently, the database security group allows inbound traffic from the ECS tasks' security group on port 3306 (MySQL). The application uses the standard MySQL client connection without SSL. After enabling SSL on the RDS instance, the application starts failing to connect. The error logs show 'SSL connection error: protocol version mismatch'. The application runs on a custom Docker image based on Amazon Linux 2. The DevOps engineer needs to fix the connection issue. Which course of action should the engineer take?

136

A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?

137

A startup wants to provide temporary, limited-privilege AWS access to external contractors who will assist with a project. The contractors do not have AWS accounts. The company wants to avoid creating IAM users for each contractor. They need a solution that allows contractors to log in to the AWS Management Console for a limited time. Which AWS service should the engineer use?

138

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?

139

A company wants to enable AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team requires that logs be encrypted at rest and that any unauthorized deletion of log files be prevented. Which TWO actions should the security team take? (Choose TWO.)

140

A company uses AWS CodePipeline for CI/CD. The security team requires that all code changes be scanned for secrets before deployment. The pipeline consists of a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team wants to automatically scan for secrets and block the pipeline if any secrets are found. Which THREE actions should the team take? (Choose THREE.)

141

A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer (ALB). The application uses an RDS MySQL database. The security team performed a penetration test and discovered that the application is vulnerable to SQL injection. The development team has deployed a WAF web ACL to the ALB that includes rules to block SQL injection attacks. However, after the deployment, the application started returning 403 errors for legitimate requests, and the security team needs to investigate. The team also wants to ensure that only approved AWS services can access the RDS database. The current security groups are configured with a rule that allows inbound traffic from the ALB security group to the RDS database on port 3306. Which combination of actions should the security team take to resolve the issue and improve the security posture?

142

A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?

143

A company uses AWS CloudFormation to manage infrastructure as code. The security team requires that all changes to CloudFormation stacks be reviewed and approved before execution. The team has enabled StackSets to deploy stacks across multiple accounts. A junior developer accidentally runs a stack update that modifies a production security group, opening SSH access to 0.0.0.0/0. The security team wants to prevent this type of incident in the future. They need a solution that enforces a mandatory approval workflow for all stack updates, while still allowing automated deployments from approved CI/CD pipelines. Which solution meets these requirements?

144

A company uses Amazon Inspector to assess the security of EC2 instances. The security team receives an alert that a high-severity vulnerability (CVE-2023-XXXX) was found on an EC2 instance running a critical application. The application is behind an Application Load Balancer (ALB) and uses an Auto Scaling group. The vulnerability has a known patch, but patching requires a reboot. The security team needs to remediate the vulnerability with minimal downtime. Which approach should the team take?

145

A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?
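The rotation failure mode behind this question (and the other 30-day rotation questions on this page) is easier to see in code than in prose. The block below is an added example, not Courseiva's or AWS's code: `FakeDatabase` and `FakeSecretsManager` are constructed in-memory stand-ins for RDS and Secrets Manager, and `rotate()` walks the four steps a single-user rotation function performs (createSecret, setSecret, testSecret, finishSecret) using the real staging-label names. Two clients then query the database after a rotation: one that loaded the secret once at startup, and one that re-reads AWSCURRENT when authentication fails.

```python
import secrets


class FakeDatabase:
    """Constructed stand-in for the RDS instance: one account whose password rotation changes."""

    def __init__(self, username, password):
        self._passwords = {username: password}

    def set_password(self, username, password):
        self._passwords[username] = password

    def connect(self, username, password):
        return self._passwords.get(username) == password


class FakeSecretsManager:
    """Constructed stand-in: secret versions plus AWSCURRENT / AWSPENDING / AWSPREVIOUS labels."""

    def __init__(self, value):
        self._versions = {"v0": dict(value)}
        self._labels = {"AWSCURRENT": "v0"}

    def get_secret_value(self, stage="AWSCURRENT"):
        # Like the real API, a plain read returns whatever carries AWSCURRENT.
        return dict(self._versions[self._labels[stage]])

    def put_secret_value(self, version_id, value, stage):
        self._versions[version_id] = dict(value)
        self._labels[stage] = version_id

    def finish(self, version_id):
        # finishSecret: new version becomes AWSCURRENT, the old one AWSPREVIOUS.
        self._labels["AWSPREVIOUS"] = self._labels["AWSCURRENT"]
        self._labels["AWSCURRENT"] = version_id
        self._labels.pop("AWSPENDING", None)


def rotate(sm, db, version_id):
    """Single-user rotation in the four steps the rotation Lambda performs."""
    current = sm.get_secret_value("AWSCURRENT")
    pending = dict(current, password=secrets.token_urlsafe(24))   # createSecret
    sm.put_secret_value(version_id, pending, "AWSPENDING")
    db.set_password(pending["username"], pending["password"])     # setSecret
    if not db.connect(pending["username"], pending["password"]):  # testSecret
        raise RuntimeError("pending credentials do not work; AWSCURRENT left untouched")
    sm.finish(version_id)                                         # finishSecret


class CachingApp:
    """Reads the secret once at startup and never looks again."""

    def __init__(self, sm, db):
        self._sm, self._db = sm, db
        self._creds = sm.get_secret_value()

    def query(self):
        return self._db.connect(self._creds["username"], self._creds["password"])


class RefreshingApp(CachingApp):
    """Same client, but re-reads AWSCURRENT when authentication fails."""

    def query(self):
        if super().query():
            return True
        self._creds = self._sm.get_secret_value()
        return super().query()


def run_scenario():
    """Return (caching app still works after rotation, refreshing app still works)."""
    sm = FakeSecretsManager({"username": "app", "password": "initial-pw"})
    db = FakeDatabase("app", "initial-pw")
    caching, refreshing = CachingApp(sm, db), RefreshingApp(sm, db)
    assert caching.query() and refreshing.query()   # both fine before rotation
    rotate(sm, db, "v1")
    return caching.query(), refreshing.query()


if __name__ == "__main__":
    print(run_scenario())  # (False, True)
```

The caching client keeps presenting the password that is now on the AWSPREVIOUS version, so every new connection fails after the first rotation; the refreshing client recovers on its next query. In practice the same effect is obtained with a TTL-based secret cache, or by using the multi-user rotation strategy so that the previously current credentials stay valid during the changeover window.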

146

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts are encrypted with AES-256 (SSE-S3) and that public access is blocked. The team wants a control that prevents new non-compliant buckets and automatically remediates any bucket that is already non-compliant. Which solution should the security team implement?

147

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed AWS KMS key. The team has enabled encryption on the CloudWatch Logs log group using a KMS key. However, after enabling encryption, the application fails to write logs to the log group. The application uses an IAM role that has the following permissions: logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Which additional permission does the application need?

148

A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?

149

A DevOps engineer is designing a CI/CD pipeline that deploys code to an EC2 instance. The engineer needs to securely store and retrieve database credentials used by the application. Which AWS service should be used?

150

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?

151

A company wants to centralize IAM user management across multiple AWS accounts. The company currently uses individual IAM users in each account. What is the BEST practice for centralized access control?

152

A company has an S3 bucket with sensitive data. The security team requires that all data uploaded to the bucket be automatically encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). How can this be enforced?

153

A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?

154

A company is using AWS CodeBuild as part of its CI/CD pipeline. The build projects need to access a private Amazon ECR repository to pull Docker images. What is the MOST secure way to grant CodeBuild access to ECR?

155

A security engineer needs to audit who accessed a specific S3 object and from which IP address over the past 30 days. Which AWS service should be used?

156

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all unused IAM users are automatically identified and removed after 90 days of inactivity. What is the MOST effective solution?

157

A company needs to ensure that an EC2 instance can only be launched using a specific Amazon Machine Image (AMI) that has been approved by the security team. Which TWO actions should be taken?

158

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which THREE steps should be taken?

159

A company wants to implement a least-privilege security model for its IAM users. Which TWO practices should be applied?

160

A company is deploying a web application on AWS and needs to ensure that all traffic to the application is encrypted in transit. The application runs behind an Application Load Balancer (ALB). Which configuration should be used to enforce HTTPS-only access?

161

A DevOps engineer needs to securely store database credentials for an application running on Amazon ECS. Which AWS service should be used to manage the credentials and provide them to the ECS tasks?

162

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS. Which approach should be used to ensure compliance?

163

A developer needs to allow an EC2 instance to read from an S3 bucket. Which is the most secure way to grant this access?

164

A company is using AWS KMS to encrypt sensitive data stored in Amazon S3. The security team wants to ensure that the KMS keys cannot be deleted accidentally. What should be done?

165

A company is using AWS CloudTrail to log API calls across all accounts in AWS Organizations. The security team wants to ensure that CloudTrail logs are not tampered with and are available for forensic analysis. Which combination of actions should be taken? (Choose TWO.)

166

A company uses AWS CodeBuild to build and test code. The build process needs to access a private Amazon RDS database to run integration tests. What is the most secure way to provide database credentials to the build project?

167

A DevOps engineer needs to allow an AWS Lambda function to write logs to Amazon CloudWatch Logs. What should the engineer do?

168

A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?

169

A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which THREE actions together form the MOST efficient and scalable solution? (Choose THREE.)

170

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. Which TWO actions should be taken? (Choose TWO.)

171

A DevOps engineer needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. What is the simplest way to achieve this?

172

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from the S3 bucket 'example-bucket' from an IP address of 10.1.2.3. What will happen?

173

Refer to the exhibit. An EC2 instance with the IAM role MyAppRole is running. An application on the instance tries to delete an object from the S3 bucket 'example-bucket'. What will happen?

174

Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?

175

A company wants to automate patching of EC2 instances running Amazon Linux 2 while ensuring compliance with security policies. Which AWS service should be used?

176

A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?

177

A company uses AWS Organizations with multiple accounts. The security team requires that all newly created S3 buckets in any account automatically have default encryption enabled and block public access. Which solution is MOST operationally efficient?

178

A company is using AWS KMS to encrypt data at rest for S3 objects. The security team wants to rotate the KMS key annually. Which action should the team take to implement automatic key rotation?

179

A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?

180

A company's security policy requires that all EC2 instances must be launched with an IAM role that provides least privilege access. A DevOps engineer needs to enforce this across the organization. Which approach is MOST effective?

181

A company uses AWS Secrets Manager to store database credentials. The security team needs to automatically rotate the secrets every 30 days. Which action should be taken?

182

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a critical application. Which security practice should the engineer implement to prevent unauthorized changes to the pipeline?

183

A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?

184

Which TWO actions can help protect an AWS account's root user? (Choose TWO.)

185

Which THREE are components of the AWS Shared Responsibility Model? (Choose THREE.)

186

A DevOps team is designing a solution to encrypt data at rest for an Amazon RDS for MySQL database. Which TWO actions should the team take? (Choose TWO.)

187

Refer to the exhibit. A DevOps engineer attaches the IAM policy to an IAM user. The user reports being unable to download objects from the S3 bucket. What is the likely cause?

188

Refer to the exhibit. The command is run to investigate a potential security incident. The output shows no events. Which of the following is the MOST likely reason?

189

Refer to the exhibit. The S3 bucket policy is applied to a bucket. An application attempts to upload an object to the bucket using HTTP (not HTTPS). What will happen?

190

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally enforce that S3 buckets in all accounts block public access. Which policy should be attached to the root organizational unit to achieve this?

191

A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?

192

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?

193

A company uses AWS CodeBuild for CI/CD. The build project needs to access a private S3 bucket to download artifacts. What is the MOST secure way to grant access?

194

An organization has a compliance requirement to automatically detect and alert on any IAM user creation in all AWS accounts. Which combination of services should be used to meet this requirement?

195

A company's security team suspects that an attacker has compromised an IAM user's access keys. The keys were used to launch instances in an unauthorized region. What is the FASTEST way to mitigate the threat?

196

A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?

197

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS). When uploading an object via the AWS CLI, which parameter must be included to enforce this?

198

A company is using AWS CodePipeline with an S3 source action. The pipeline must be triggered only when a new object is uploaded to a specific prefix, and the pipeline should not have access to objects outside that prefix. Which configuration meets these requirements?

199

Which TWO actions are effective ways to protect an AWS account root user? (Choose 2)

200

Which THREE are features of AWS Key Management Service (KMS) that help with compliance requirements? (Choose 3)

201

Which TWO are best practices for securing an Amazon RDS database? (Choose 2)

202

An IAM policy is attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' even though they are connecting from within the 10.0.0.0/16 IP range. What is the MOST likely reason?

203

A key policy for a KMS customer managed key includes the above statement. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?

204

A security engineer runs the above CLI command to investigate IAM user 'Bob'. The output shows Bob logged in and then created a new IAM user. Which additional information should the engineer look for to determine if this was a security incident?
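Several questions on this page (detecting attempts to disable CloudTrail, reading a CloudTrail event, and deciding whether Bob's new IAM user is an incident) come down to the same triage over CloudTrail records. The block below is an added example, not Courseiva's or AWS's code: the records in `SAMPLE_LOG` are constructed in CloudTrail's log-file layout (fictional account, principals and addresses), and `triage()` pulls out the fields an investigator checks next: actor, source IP, user agent, whether the session was MFA-authenticated, the target of the call, and whether the call was denied. A denied `StopLogging` is still reported, because the requirement is to alert on any attempt, not only successful ones. In production the same match would live in an EventBridge rule or a CloudWatch Logs metric filter rather than a batch script.

```python
import json

# Operations worth paging on whether or not they succeeded: the first set blinds
# or narrows the audit trail, the second creates new principals or credentials.
HIGH_RISK = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "iam.amazonaws.com": {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
                          "AttachUserPolicy", "PutUserPolicy"},
}

# Constructed records in CloudTrail's {"Records": [...]} file layout; not real events.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userAgent": "Mozilla/5.0",
        "userIdentity": {"type": "IAMUser", "userName": "Bob",
                         "arn": "arn:aws:iam::123456789012:user/Bob"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-05-01T08:03:40Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "Bob",
                         "arn": "arn:aws:iam::123456789012:user/Bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"userName": "svc-backup"},
    },
    {
        "eventTime": "2024-05-01T08:05:02Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "admin",
                         "arn": "arn:aws:iam::123456789012:user/admin"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: cloudtrail:StopLogging",
    },
    {
        "eventTime": "2024-05-01T08:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "admin",
                         "arn": "arn:aws:iam::123456789012:user/admin"},
    },
]})


def triage(log_text):
    """Return one finding per high-risk record with the context an investigator needs."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        source, name = rec["eventSource"], rec["eventName"]
        if name not in HIGH_RISK.get(source, ()):
            continue
        ident = rec["userIdentity"]
        # mfaAuthenticated is a string in CloudTrail; absent means no session context.
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec["eventTime"],
            "event": f"{source.split('.')[0]}:{name}",
            "actor": ident.get("userName") or ident.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "mfa": mfa == "true",
            "target": params.get("userName") or params.get("name"),
            "denied": "errorCode" in rec,   # an attempt, but still a signal
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the Bob scenario the finding shows the user creation came from a non-MFA console session at an address that should be checked against the corporate egress ranges; for the admin scenario it shows a denied attempt to stop logging from the CLI, which deserves an alert even though the trail kept running.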

205

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?

206

A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?

207

A company uses AWS CodePipeline to deploy a web application to an Auto Scaling group. The security team requires that all artifacts in the pipeline be encrypted at rest. The pipeline uses an S3 bucket as the artifact store. Which combination of actions should the DevOps engineer take to meet this requirement with minimal operational overhead?

208

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline must scan container images for vulnerabilities before deploying to Amazon ECS. Which service should the engineer use to perform the vulnerability scan?

209

An organization uses AWS Key Management Service (KMS) with customer-managed keys. The security policy requires automatic key rotation every year. A DevOps engineer notices that the key material is not rotating as expected. What is the most likely cause?

210

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation function is failing with a permission error. Which IAM policy should be attached to the Lambda execution role to allow Secrets Manager to invoke the rotation function?

211

A DevOps engineer is troubleshooting a failed CodeBuild project. The build fails with an error: 'Access Denied: Unable to put object to S3.' The build project has an S3 bucket as the artifact store. What should the engineer do to resolve this issue?

212

An organization wants to enforce that all Amazon S3 buckets are encrypted with SSE-S3. Which AWS service can be used to automatically remediate non-compliant buckets?

213

A DevOps engineer needs to temporarily grant an external auditor read-only access to a specific S3 bucket for 24 hours. What is the most secure way to grant this access?

214

A DevOps engineer is designing a secure CI/CD pipeline. Which TWO of the following are best practices for securing secrets in the pipeline?

215

A company wants to monitor and detect anomalous API calls in their AWS account. Which THREE AWS services should they use together to achieve this?

216

A DevOps engineer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. Which TWO methods can achieve this?

217

The IAM policy above is attached to a user. The user tries to stop an EC2 instance. What will happen?

218

A DevOps engineer runs the command above and gets the output shown. The engineer then tries to delete a versioned object from the bucket without using MFA. What will happen?

219

The AWS Config rule 's3-bucket-ssl-requests-only' returns NON_COMPLIANT for the bucket 'my-bucket'. What does this mean?

220

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service should be used to implement this rotation?

221

A company needs to audit all changes to security groups in a multi-account environment. The logs must be centrally stored and immutable. Which solution meets these requirements with minimal operational overhead?

222

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the target account is 222222222222. Which combination of a bucket policy and an IAM policy correctly grants the target account access?

223

Given the above AWS CLI command output, which actions are allowed for the specified policy?

224

A company has an Amazon RDS for MySQL database that stores sensitive data. The security team requires encryption at rest and in transit. Which combination of options meets these requirements?

225

An S3 bucket has the above bucket policy. What is the effect of this policy?

226

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?

227

A DevOps engineer needs to securely store and automatically rotate database credentials for a web application running on Amazon ECS. Which solution should be used?

228

Given the above IAM policy, which action is permitted?

229

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

230

Which THREE AWS services can be used to centrally manage and enforce security policies across multiple accounts in AWS Organizations? (Select THREE.)

231

Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)

232

An S3 bucket has the above bucket policy. What is the net effect on GetObject requests?

233

A company needs to enforce that all EC2 instances launched in an AWS account use a specific Amazon Machine Image (AMI) that is approved by the security team. Which combination of services should be used?

234

A company wants to centrally manage and audit access to AWS KMS keys across multiple accounts. Which AWS feature should be used?

235

A company wants to ensure that all API calls made within its AWS account are logged for auditing purposes. Which AWS service should be enabled to meet this requirement?

236

A DevOps engineer needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption key be managed by AWS and rotated automatically. Which encryption option should be used?

237

A company uses AWS Organizations with multiple accounts. The security team wants to restrict the use of specific instance types across all accounts to reduce costs and enforce compliance. Which approach should be used?

238

A company is using Amazon RDS for MySQL and needs to encrypt the database at rest. Which action should be taken to enable encryption?

239

A DevOps engineer receives an alert that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What is the first step the engineer should take to isolate the instance?

240

A company requires that all secrets (e.g., database passwords) used by Lambda functions be rotated automatically every 30 days. Which combination of services should be used?

241

An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?

242

A security audit reveals that an S3 bucket contains objects that are not encrypted. The bucket is configured with default encryption using SSE-S3. What is the most likely reason that objects are unencrypted?

243

A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?

244

A company is designing a secure CI/CD pipeline. Which TWO actions should be taken to protect secrets (e.g., API keys) used in the pipeline? (Choose TWO.)

245

A DevOps team needs to enforce that all S3 buckets in an AWS account are encrypted at rest. Which THREE steps should be taken to achieve this? (Choose THREE.)

246

A company is using AWS KMS to encrypt data. Which TWO statements about AWS KMS key rotation are correct? (Choose TWO.)

247

Refer to the exhibit. A security team wants to enforce that passwords expire after 60 days. Which action should be taken?

248

Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?

249

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most likely security concern?

250

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A Security Engineer needs to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. Which solution meets these requirements?

251

A company uses AWS Organizations with multiple accounts. The Security team needs to enforce that all newly created S3 buckets in any account are configured with server-side encryption (SSE-S3 or SSE-KMS) and block public access. Which approach should be used?

252

A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?

253

A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?

254

A company is using AWS CodePipeline to deploy a web application across multiple AWS accounts using CloudFormation stack sets. The pipeline is in the tools account, and it deploys to the production account. The security team requires that all CloudFormation changes to the production account be reviewed and approved by a senior engineer. Which approach meets this requirement?

255

A company needs to ensure that all API calls made to AWS are encrypted in transit. Which of the following is the correct way to enforce this?

256

A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?

257

A company uses a centralized AWS KMS key (formerly called a customer master key, or CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the key can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?

258

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to achieve this?

259

Which TWO actions should a DevOps engineer take to secure a web application running on EC2 instances behind an Application Load Balancer? (Choose two.)

260

Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)

261

Which TWO AWS services can be used to monitor and detect unauthorized access to AWS resources? (Choose two.)

262

A company has a multi-account AWS environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies the creation of IAM users and roles with full admin access. The SCP is attached to all accounts. However, a DevOps engineer in a member account reports that they are able to create an IAM role with an administrator access policy attached. The engineer uses the AWS Management Console to create the role. The SCP is confirmed to be in place. What is the most likely reason the SCP is not preventing the role creation?

263

A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?

264

A company is using AWS KMS to encrypt data at rest in Amazon S3. The Security team requires that all encryption keys be automatically rotated annually. Which key type should be used to meet this requirement?

265

A DevOps team is deploying a multi-tier application on AWS. The application must comply with PCI DSS. Which combination of services should be used to encrypt data in transit between the web tier and the application tier?

266

A company wants to securely store database credentials used by an application running on Amazon EC2. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

267

An organization uses AWS Organizations with multiple accounts. The Security team needs to enforce a policy that prohibits the creation of S3 buckets with public access in any account. Which policy type should be used?

268

A DevOps engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role attached with a policy that allows s3:GetObject. The S3 bucket policy explicitly denies access to the instance's role. What is the result?
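The "Refer to the exhibit" policy questions on this page (HTTP versus HTTPS requests, source-IP ranges, an explicit deny in a bucket policy beside an allow in an IAM policy) all test the same evaluation order: an applicable explicit Deny wins, otherwise an applicable Allow grants, otherwise the request is implicitly denied. The exhibits are not reproduced on this page, so the block below is an added example with a constructed bucket policy (hypothetical bucket name and address range), not Courseiva's or AWS's code. It models only the `IpAddress`, `NotIpAddress`, `Bool` and `StringEquals` operators, skips principal matching (the statements use `Principal: "*"`), and does not combine identity policies, SCPs or session policies with the resource policy; it is enough to show why an in-range HTTP request is denied, an in-range HTTPS request is allowed, and a request from 10.0.5.7 is denied even though it sits inside 10.0.0.0/16.

```python
import ipaddress
import re

# Constructed example policy. Reads are allowed from the corporate /24, and every
# request that is not sent over TLS is explicitly denied regardless of source.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadsFromCorpRange",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, ctx):
    """True when every operator/key pair is satisfied; a missing context key fails it."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(cidr) for cidr in expected)
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [str(e).lower() for e in expected]:
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, ctx):
    """Explicit Deny beats Allow regardless of statement order; no match is an implicit deny."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return {"decision": "Deny", "reason": "explicit deny", "sid": stmt.get("Sid")}
        allowed_by = stmt.get("Sid")
    if allowed_by is not None:
        return {"decision": "Allow", "reason": "allow", "sid": allowed_by}
    return {"decision": "Deny", "reason": "implicit deny", "sid": None}


def get_object(source_ip, https):
    """GetObject on a hypothetical key, with the two context keys the questions hinge on."""
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": https}
    return evaluate(BUCKET_POLICY, "s3:GetObject",
                    "arn:aws:s3:::example-bucket/confidential/report.csv", ctx)


if __name__ == "__main__":
    for ip, https in [("10.0.0.5", False), ("10.0.0.5", True), ("10.0.5.7", True)]:
        print(ip, "https" if https else "http", get_object(ip, https))
```

Two practical checks fall out of this: an `aws:SecureTransport` deny also denies the SDK when it is configured with a plain `http://` endpoint, which is the usual root cause of the "Access Denied after adding the TLS condition" scenario, and a `/24` in the policy does not cover a `/16` that the requester believes they are inside.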

269

A company uses AWS CodePipeline to deploy a web application. The pipeline uses artifacts stored in an S3 bucket. The Security team requires that all artifacts be encrypted in transit and at rest, and that the pipeline only access the bucket using a specific VPC endpoint. Which configuration meets these requirements?

270

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest using a KMS key. Which solution is the MOST secure and scalable?

271

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?

272

A company wants to monitor and detect suspicious API activity across all AWS accounts in an organization. Which TWO services should be used together?

273

A company needs to enforce that all IAM users must use multi-factor authentication (MFA) to perform any AWS Console actions. Which TWO steps should be taken to enforce this?

274

A company uses AWS CodeBuild to build and test code. The build jobs need to access a private S3 bucket to download dependencies. Which THREE steps are required to securely grant access?

275

A company's Security team wants to detect and alert on the creation of IAM users with console access. Which THREE services should be used?

276

A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?

277

A company runs a production application on EC2 instances behind an Application Load Balancer (ALB). The application handles sensitive data. The Security team wants to encrypt all traffic between the ALB and the EC2 instances using TLS. They have created a self-signed certificate on each instance. However, the targets are failing the ALB health checks and clients receive HTTP 502 errors. The application responds correctly when tested directly on the instances. What is the MOST likely cause?

278

A company uses AWS Secrets Manager to store database credentials for a legacy application running on an on-premises server. The application retrieves the secret via the AWS SDK. Recently, the database password was rotated in Secrets Manager, but the application continued to use the old password and failed to connect. The application code is correct and uses the latest SDK. The IAM credentials the server uses have the secretsmanager:GetSecretValue permission. What is the MOST likely cause?

279

A company uses AWS Organizations with SCPs to enforce security policies. The security team needs to ensure that no IAM user or role can disable AWS CloudTrail or delete CloudTrail logs. Which TWO approaches should be combined to achieve this? (Choose TWO.)
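Three of the scenarios above (the TLS-only bucket policy that produces Access Denied, the bucket policy that explicitly denies an instance role, and the SCP that protects CloudTrail) turn on the same evaluation rule: an explicit Deny in any applicable policy wins, and an SCP can only restrict what an identity may do, never grant it. The toy evaluator below is an added example written for this page; it is not AWS code and not part of the question bank. It models only Action/Resource wildcards, an AWS Principal list and the Bool condition operator, and every ARN, account ID and policy in it is constructed.

```python
"""Toy IAM policy evaluator (added example, not from the original page).

Models the documented evaluation order for a same-account request:
  1. an explicit Deny in any applicable SCP, identity policy or resource policy wins;
  2. otherwise, when SCPs are present, some SCP must allow the action;
  3. otherwise an Allow in the identity policy or the resource policy is needed.
Only Action/Resource wildcards (case-sensitive, for simplicity), an AWS Principal
list and the Bool condition operator are implemented. All ARNs, account IDs and
policies below are constructed.
"""
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/app-instance-role"   # constructed
BUCKET = "arn:aws:s3:::example-sensitive-bucket"                # constructed


def _match_any(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else list(patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal", "*")          # SCPs and identity policies carry no Principal
    if spec == "*":
        return True
    return _match_any(spec.get("AWS", []), principal)


def _condition_ok(condition, context):
    # Only the Bool operator is modeled; a key missing from the request context never matches.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modeled")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def _applies(stmt, action, resource, context):
    return (_match_any(stmt["Action"], action)
            and _match_any(stmt.get("Resource", "*"), resource)
            and _principal_matches(stmt, context["principal"])
            and _condition_ok(stmt.get("Condition"), context))


def evaluate(action, resource, context, scps=(), identity_policies=(), resource_policies=()):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed_by = set()
    for kind, policies in (("scp", scps), ("identity", identity_policies), ("resource", resource_policies)):
        for policy in policies:
            for stmt in policy["Statement"]:
                if _applies(stmt, action, resource, context):
                    if stmt["Effect"] == "Deny":
                        return "ExplicitDeny"
                    allowed_by.add(kind)
    if scps and "scp" not in allowed_by:
        return "ImplicitDeny"           # an SCP grants nothing, but it must permit the action
    return "Allow" if allowed_by & {"identity", "resource"} else "ImplicitDeny"


# Constructed sample policies.
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

PROTECT_CLOUDTRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyTrailTampering", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
     "Resource": "*"}]}

INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}

ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

TLS_ONLY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

DENY_ROLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAppRole", "Effect": "Deny", "Principal": {"AWS": [ROLE_ARN]},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}


def run_cases():
    obj = BUCKET + "/data.csv"
    https = {"aws:SecureTransport": "true", "principal": ROLE_ARN}
    http = {"aws:SecureTransport": "false", "principal": ROLE_ARN}
    scps = [FULL_AWS_ACCESS_SCP, PROTECT_CLOUDTRAIL_SCP]
    return {
        # TLS request: the role's Allow stands, no Deny matches
        "https_get": evaluate("s3:GetObject", obj, https, scps, [INSTANCE_ROLE_POLICY], [TLS_ONLY_BUCKET_POLICY]),
        # plaintext request: the aws:SecureTransport Deny fires regardless of the role's Allow
        "http_get": evaluate("s3:GetObject", obj, http, scps, [INSTANCE_ROLE_POLICY], [TLS_ONLY_BUCKET_POLICY]),
        # bucket policy explicitly denies the role: Deny beats the identity Allow
        "role_denied": evaluate("s3:GetObject", obj, https, scps, [INSTANCE_ROLE_POLICY], [DENY_ROLE_BUCKET_POLICY]),
        # action granted nowhere
        "put_not_granted": evaluate("s3:PutObject", obj, https, scps, [INSTANCE_ROLE_POLICY], [TLS_ONLY_BUCKET_POLICY]),
        # an administrator identity still cannot stop the trail because the SCP denies it
        "stop_trail": evaluate("cloudtrail:StopLogging", "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
                               https, scps, [ADMIN_POLICY], []),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:16s} {result}")
```

The cross-account case is deliberately left out: there the caller's identity policy and the resource policy must both allow, which this model does not capture. The order of the loops is not the point; any matching Deny ends evaluation no matter where it sits, which is why the TLS-only condition works as a Deny on `aws:SecureTransport` equal to `false` rather than an Allow on `true`.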

280

A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)

281

A company uses AWS Organizations with multiple accounts. The security team has implemented an SCP that denies the creation of IAM users. However, a developer in the 'development' account was able to create an IAM user. The DevOps engineer is asked to investigate. The SCP is attached to the organization root and also to the 'development' OU. The 'development' account is a member of the 'development' OU. The SCP effect is 'Deny' on the 'iam:CreateUser' action. The developer's IAM permissions are managed by an IAM policy that allows 'iam:*'. The engineer checks CloudTrail and sees that the CreateUser API call succeeded. What is the most likely reason?

282

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic to the ALB must be encrypted (HTTPS) and that the ALB must only accept traffic from CloudFront. The DevOps engineer has configured CloudFront with an origin pointing to the ALB, and the ALB has a listener on port 443 with a valid SSL certificate. The engineer also added a security group rule to the ALB that allows HTTPS traffic only from CloudFront's IP ranges. However, users are reporting intermittent 503 errors. The engineer checks CloudFront logs and sees that some requests are failing with 'Origin Connect Error'. What is the most likely cause?

283

A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using customer managed AWS KMS keys (formerly called customer master keys, CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?

284

A company uses AWS CloudTrail to log all API calls across multiple accounts. The logs are stored in an S3 bucket in the management account. The security team wants to ensure that the logs are not tampered with and that any unauthorized modification is detected. The DevOps engineer has enabled CloudTrail log file integrity validation. The engineer also sets up an S3 lifecycle policy to transition logs to Glacier after 90 days. Additionally, the engineer enables S3 server access logging and sends the logs to a different bucket. A few months later, the security team suspects that some logs have been deleted. The engineer checks the CloudTrail digest files and finds that the latest digest file is missing. What is the most likely cause?
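For the digest-file scenario above, the following is an added example that is not part of the question bank and not AWS code: it simulates the CloudTrail digest chain so the effect of a deleted log file, a modified log file and a missing digest can be seen offline. Real CloudTrail digests are delivered hourly and RSA-signed by CloudTrail; here the signature is replaced by an HMAC under a constructed key, and the log objects, hours and records are constructed sample data.

```python
"""Simplified CloudTrail digest-chain check (added example, not from the original page).

Each digest records the SHA-256 of the log files it covers and the hash of the previous
digest, and is 'signed' with an HMAC under a constructed key in place of CloudTrail's
RSA signature. A validator then walks the expected hours and reports gaps and tampering.
"""
import hashlib
import hmac
import json

KEY = b"constructed-signing-key"   # stands in for CloudTrail's private signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def build_digest(hour, log_files, previous):
    """Digest for one hour: hashes of its log files plus a link to the previous digest."""
    body = {
        "digestHour": hour,
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(content)} for name, content in log_files],
        "previousDigestHashValue": sha256_hex(_canonical(previous["body"])) if previous else None,
    }
    signature = hmac.new(KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def validate_chain(digests, log_store, expected_hours):
    """Return findings as strings; an empty list means every expected hour is covered and intact."""
    findings = []
    by_hour = {d["body"]["digestHour"]: d for d in digests}
    previous = None
    for hour in expected_hours:
        d = by_hour.get(hour)
        if d is None:
            findings.append(f"{hour}: digest missing; log files for this hour cannot be validated")
            previous = None                      # the chain cannot be followed across a gap
            continue
        expected_sig = hmac.new(KEY, _canonical(d["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(d["signature"], expected_sig):
            findings.append(f"{hour}: digest signature invalid")
        if previous is not None and d["body"]["previousDigestHashValue"] != sha256_hex(_canonical(previous["body"])):
            findings.append(f"{hour}: previous-digest link does not match")
        for entry in d["body"]["logFiles"]:
            content = log_store.get(entry["s3Object"])
            if content is None:
                findings.append(f"{hour}: log file {entry['s3Object']} deleted")
            elif sha256_hex(content) != entry["hashValue"]:
                findings.append(f"{hour}: log file {entry['s3Object']} modified")
        previous = d
    return findings


def demo_tamper():
    """Build a three-hour chain, then remove one log, alter another and drop the latest digest."""
    hours = ["2024-01-01T00", "2024-01-01T01", "2024-01-01T02"]          # constructed
    logs = {                                                               # constructed records
        "logs/00.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        "logs/01.json.gz": b'{"Records":[{"eventName":"DeleteTrail"}]}',
        "logs/02.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
    }
    chain, prev = [], None
    for hour, name in zip(hours, logs):
        prev = build_digest(hour, [(name, logs[name])], prev)
        chain.append(prev)
    intact = validate_chain(chain, logs, hours)

    tampered_logs = {k: v for k, v in logs.items() if k != "logs/01.json.gz"}   # 01 deleted
    tampered_logs["logs/00.json.gz"] = b'{"Records":[]}'                       # 00 rewritten
    findings = validate_chain(chain[:2], tampered_logs, hours)                  # latest digest gone
    return intact, findings


if __name__ == "__main__":
    before, after = demo_tamper()
    print("intact chain:", before or "no findings")
    for f in after:
        print("finding:", f)
```

The point the validator makes explicit is that a missing digest is not silent: validation of every hour after the last intact digest is impossible, so a gap in the digest sequence is itself the finding to escalate, independent of whether the log objects for that hour still exist.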

285

A company is using AWS CodeBuild to build and test a Java application. The build process requires access to a private Maven repository hosted on an internal HTTPS server. The DevOps engineer has configured CodeBuild to use a VPC and placed the build environment in a private subnet. The security group for the build environment allows outbound HTTPS to the Maven repository's security group. The Maven repository server is in the same VPC but in a different private subnet. The build fails with a 'Connection refused' error when trying to download dependencies. The engineer checks the security group rules and confirms they are correct. What is the most likely cause?

286

A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a customer managed KMS key. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?

287

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation is configured to occur every 30 days. The DevOps engineer notices that the latest secret version is not being used by the application after rotation. The application is an EC2 instance that retrieves the secret using the AWS SDK. The engineer checks the secret and sees that the rotation succeeded and the new version is marked as 'AWSCURRENT'. The EC2 instance role has permissions to retrieve the secret. What is the most likely reason the application is still using the old secret?
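The two Secrets Manager scenarios above (the on-premises legacy application and the EC2 application after a 30-day rotation) describe the same failure pattern: a secret read once at start-up and reused indefinitely. The following is an added example, not the page's own material and not AWS code. A fake Secrets Manager client and a fake database stand in for boto3 and the real database so it runs offline; the `SecretCache` and `connect_with_secret` logic is the part to carry over. The secret name `prod/db`, the usernames and the passwords are constructed.

```python
"""Rotation-aware secret caching (added example, not from the original page).

A naive application fetches the secret once and keeps the value for the life of the
process, so it keeps presenting the old password after rotation. The cache below bounds
staleness with a TTL and, more importantly, refreshes immediately when the database
rejects the cached credential, which is the moment rotation becomes visible.
"""
import json
import time


class FakeSecretsManager:
    """Minimal stand-in for boto3 client('secretsmanager'); constructed for this example."""

    def __init__(self, secret_id, password):
        self.secret_id = secret_id
        self.versions = {"AWSCURRENT": {"username": "app", "password": password}}
        self.calls = 0

    def rotate(self, new_password):
        # What a completed rotation does: the old version becomes AWSPREVIOUS, the new one AWSCURRENT.
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = {"username": "app", "password": new_password}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError(SecretId)
        return {"SecretString": json.dumps(self.versions[VersionStage])}


class FakeDatabase:
    """Accepts only the credential that is currently valid; constructed for this example."""

    def __init__(self, password):
        self.password = password

    def connect(self, username, password):
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"session for {username}"


class SecretCache:
    """Caches the AWSCURRENT value for ttl_seconds; clock is injectable for testing."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self, force_refresh=False):
        expired = self._fetched_at is None or self.clock() - self._fetched_at >= self.ttl
        if force_refresh or expired:
            resp = self.client.get_secret_value(SecretId=self.secret_id, VersionStage="AWSCURRENT")
            self._value, self._fetched_at = json.loads(resp["SecretString"]), self.clock()
        return self._value


def connect_with_secret(cache, db):
    """Use the cached credential; on an auth failure refresh once and retry."""
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.get(force_refresh=True)
        return db.connect(creds["username"], creds["password"])


def demo_rotation():
    now = [0.0]                                              # fake monotonic clock
    client = FakeSecretsManager("prod/db", "old-pw")         # constructed secret
    db = FakeDatabase("old-pw")
    cache = SecretCache(client, "prod/db", ttl_seconds=300, clock=lambda: now[0])

    first = connect_with_secret(cache, db)                   # one GetSecretValue call
    client.rotate("new-pw")                                  # rotation completes out of band
    db.password = "new-pw"
    now[0] += 10                                             # still inside the TTL
    stale = cache.get()["password"]                          # a naive read still sees old-pw
    second = connect_with_secret(cache, db)                  # auth fails once, refresh, succeed
    return {"first": first, "stale": stale, "second": second,
            "calls": client.calls, "current": cache.get()["password"]}


if __name__ == "__main__":
    print(demo_rotation())
```

The retry-on-auth-failure path is what makes the TTL safe to keep long: during the window where the database already has the new password but the cache still holds the old one, the first failed login triggers the refresh, and the process never needs a restart to pick up a rotation.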

288

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in all accounts are encrypted with SSE-S3. They plan to use an SCP to deny the creation of unencrypted buckets. The DevOps engineer writes an SCP with a Deny effect for s3:PutBucketEncryption without a condition. However, when testing, an administrator in a member account is able to create a bucket without encryption. The engineer checks CloudTrail and sees that the bucket was created with a CreateBucket call that did not include the x-amz-server-side-encryption header. What is the most likely reason the SCP did not prevent this?


Frequently asked questions

What does the Security and Compliance domain cover on the DOP-C02 exam?

The Security and Compliance domain covers the key concepts tested in this area of the DOP-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DOP-C02 domains — no account required.

How many Security and Compliance questions are in the DOP-C02 question bank?

The Courseiva DOP-C02 question bank contains 288 questions in the Security and Compliance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security and Compliance for DOP-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security and Compliance questions for DOP-C02?

Yes — the session launcher on this page draws questions exclusively from the Security and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
