Practice DOP-C02 Security and Compliance questions with full explanations on every answer.
1. A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?
2. A company is running a critical application on an Amazon EC2 instance that needs to access an S3 bucket. The application must use temporary credentials that automatically rotate. The DevOps engineer must ensure that the credentials are never stored on disk. Which approach meets these requirements?
3. A DevOps engineer needs to ensure that all API calls made to AWS are recorded for auditing purposes. Which AWS service should be used?
4. A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?
5. A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?
6. A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)
7. A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)
8. A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?
9. A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all new member accounts automatically receive a specific AWS Config rule to require encryption on Amazon EBS volumes. Which solution meets this requirement with the least operational overhead?
10. A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)
11. A DevOps engineer applies the S3 bucket policy shown in the exhibit to enforce encryption and secure transport. After applying the policy, users report that they can still upload objects without encryption. What is the most likely cause?
12. Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.
13. Match each AWS security and identity service to its function.
14. A company uses AWS KMS to encrypt data in S3. They want to audit who used which KMS key and when. Which AWS service should they use?
15. A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?
16. A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?
17. A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?
18. A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest and access should be limited to the security team. Which solution is MOST secure and scalable?
19. A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?
20. A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?
21. A company has a multi-account AWS environment using AWS Organizations. They want to centrally manage user access to all accounts using single sign-on (SSO) and enforce multi-factor authentication (MFA). Which service should they use?
22. A company is using AWS CloudFormation to deploy infrastructure. They need to ensure that all resources created by CloudFormation are tagged with a 'CostCenter' tag. The tag must be applied automatically to all resources in the stack. What should they do?
23. A security engineer is designing a secure VPC architecture for a web application. The application must be isolated from the internet and only accessible through a load balancer. Which TWO actions should the engineer take?
24. A company is migrating to AWS and needs to comply with PCI DSS. They must encrypt all data at rest and in transit. Which THREE services or features should they use?
25. A DevOps engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which TWO methods can achieve this?
26. A company requires that all access to their S3 buckets be encrypted in transit. Which configuration achieves this?
27. A company's security team notices that an IAM user has permissions to terminate EC2 instances but should only be allowed to stop them. The current policy allows ec2:TerminateInstances. What is the most secure way to prevent termination while allowing stop?
28. A DevOps engineer needs to store secrets such as database passwords for a serverless application. Which AWS service is most appropriate?
29. A company uses AWS KMS to encrypt data in S3. The security team requires that the key material be rotated every 90 days. What should be done to meet this requirement?
30. A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet that needs to download patches from the internet. Which solution is MOST secure and scalable?
31. A security audit reveals that EC2 instances have security groups with overly permissive inbound rules allowing all traffic (0.0.0.0/0) on SSH port 22. What is the BEST way to remediate this at scale?
32. A company wants to centralize logging of all API calls made within their AWS account for auditing. Which service should they use?
33. A DevOps engineer is designing a CI/CD pipeline that deploys to production. The security team mandates that all code changes must be reviewed and signed off by two senior developers before deployment. How can this be enforced?
34. A company has an AWS Lambda function that processes sensitive data. The function needs to access an RDS database with credentials stored in Secrets Manager. What is the MOST secure way to grant the Lambda function access to the secret?
35. Which TWO actions can be taken to protect an S3 bucket from being publicly accessible? (Select TWO.)
36. Which THREE measures can be taken to ensure that EC2 instances are compliant with a security policy that requires all instances to be in a VPC with specific tags? (Select THREE.)
37. Which TWO AWS services can be used to manage and rotate database credentials automatically? (Select TWO.)
38. A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?
39. A DevOps engineer must ensure that all API calls in an AWS account are logged for compliance. The logs should be stored in an S3 bucket with server-side encryption enabled. Which two services should be used together to meet these requirements?
40. A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?
41. A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. What is the most likely cause?
42. A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the destination account is 222222222222. Which policy should be attached to the S3 bucket?
43. A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?
44. A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?
45. A company needs to store sensitive data in Amazon S3 with encryption at rest. Which option provides the MOST control over the encryption keys?
46. A company has a Lambda function that processes sensitive data and needs to access an RDS database. The security team requires that the database credentials are automatically rotated every 30 days. Which service should be used to store and rotate the credentials?
47. A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)
48. A company has an IAM policy that allows users to manage their own passwords and MFA devices. The policy includes a condition that requires MFA for all API operations except for changing passwords and MFA. Which THREE statements are true about this policy? (Choose THREE.)
49. A company wants to audit all changes to IAM policies in their AWS account. Which THREE services can be used to capture and alert on IAM policy changes? (Choose THREE.)
50. A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which AWS service can automatically manage the encryption keys with minimal configuration?
51. A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?
52. A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting attacks. Which AWS service should be integrated with the ALB?
53. A company's security team requires that all API calls to AWS are logged for audit purposes. Which service should be enabled to capture and store these logs?
54. A company wants to enforce that S3 buckets are not publicly accessible. Which AWS service can continuously monitor and automatically remediate non-compliant buckets?
55. A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for a user in Account B. Which combination of policies is required?
56. A security audit reveals that an IAM user has long-term access keys that have not been rotated in over 90 days. What is the most secure way to enforce key rotation?
57. A company's security policy requires that all data in transit between on-premises and AWS is encrypted. Which AWS service provides a dedicated network connection with encryption?
58. A company needs to store audit logs for 7 years to meet compliance requirements. Which S3 storage class is the most cost-effective for long-term archival?
59. Which TWO actions should a DevOps engineer take to secure an AWS account root user? (Choose 2.)
60. Which THREE services can be used to protect a VPC from malicious traffic? (Choose 3.)
61. Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose 2.)
62. Refer to the exhibit. An S3 bucket policy is configured as shown. A user from IP 192.0.2.10 is unable to download an object from the bucket. What is the most likely cause?
63. Refer to the exhibit. A CloudTrail trail named ManagementTrail is configured as shown. Which events will be logged?
64. Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?
65. A company wants to encrypt data at rest in Amazon S3 using server-side encryption with AWS Key Management Service (SSE-KMS) and enforce that all new objects are encrypted. Which bucket policy statement should be added?
66. A DevOps engineer needs to allow an EC2 instance to write logs to CloudWatch Logs. The instance is configured with an instance profile that has the following IAM role attached. Which additional policy is required?
67. A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?
68. An organization needs to audit all AWS API calls made in their account for compliance purposes. Which AWS service should they enable?
69. A company has an S3 bucket containing sensitive data. They need to ensure that all access to the bucket is logged and that any unauthorized access attempts are immediately notified. Which combination of services should be used?
70. A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?
71. A company wants to centrally manage and apply policies across multiple AWS accounts in an AWS Organization. Which service should be used to define and enforce compliance rules?
72. A DevOps team is deploying a web application on EC2 behind an Application Load Balancer. They need to encrypt traffic between the ALB and the EC2 instances. Which action should they take?
73. A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. Which configuration change is MOST likely to resolve the issue?
74. Which TWO actions can be taken to secure an Amazon S3 bucket that contains confidential data? (Choose TWO.)
75. Which THREE components are necessary to implement a secure VPC with a public subnet and a private subnet that hosts a database? (Choose THREE.)
76. Which TWO AWS services can be used to manage secrets and database credentials securely? (Choose TWO.)
77. A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using customer-managed KMS keys. Additionally, any attempt to upload an unencrypted object must be denied. Which S3 bucket policy should be used?
78. A DevOps engineer is configuring AWS Config rules to detect non-compliant security groups. The rule should trigger if any security group allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS managed Config rule should be used?
79. A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?
80. A company is migrating a legacy application to AWS. The application requires cross-account access to an S3 bucket in a different AWS account. The security team wants to follow the principle of least privilege. How should the DevOps engineer configure the access?
81. A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?
82. A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?
83. A company is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team requires that all artifacts be encrypted at rest and in transit. Which configuration ensures encryption for all stages?
84. A DevOps engineer needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?
85. A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?
86. A company is designing a secure CI/CD pipeline using AWS CodePipeline. The pipeline must comply with the principle of least privilege for IAM permissions. Which TWO actions should the DevOps engineer take? (Choose TWO.)
87. A security audit reveals that an S3 bucket contains objects that are publicly accessible. The DevOps engineer must prevent any future public access to the bucket and all objects within it. Which THREE actions should the engineer take? (Choose THREE.)
88. A company wants to protect its AWS account credentials. Which TWO practices are recommended by AWS? (Choose TWO.)
89. Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?
90. Refer to the exhibit. A DevOps engineer created an IAM role 'MyLambdaRole' for a Lambda function. The Lambda function needs to write logs to CloudWatch Logs. However, the function is not able to create log streams. What is the most likely missing configuration?
91. Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance with the tag 'Environment=production' in us-east-1. What will happen?
92. A company is migrating a legacy application to AWS. The application requires a shared file system accessible from multiple EC2 instances. The compliance team mandates encryption at rest and in transit, with automatic key rotation. Which storage solution meets these requirements?
93. A DevOps engineer needs to ensure that an S3 bucket policy enforces encryption in transit for all access. Which policy statement should be added?
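Questions 11, 26, 65, 77 and 93 all turn on the same bucket-policy mechanics, so here is an added worked example (not part of the exam page) that models how a bucket policy's Deny statements react to a PutObject request. It assumes a bucket named example-bucket, follows the IAM rule that a condition key missing from the request context makes every operator except Null evaluate to false, and models only the Bool, StringEquals, StringNotEquals and Null operators. The principal's identity policy is assumed to already allow the action, so the bucket policy's explicit denies are the only thing in play; the request contexts at the bottom are constructed.

```python
"""Model of how an S3 bucket policy's Deny statements react to PutObject,
including the missing-header case from question 11 (added example)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition key against the request context.

    IAM rule modelled here: a key absent from the request context makes
    every operator except Null evaluate to false. That is why AWS's own
    reference policies pair StringNotEquals with a separate Null check.
    """
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        want_absent = expected[0].lower() == "true"
        return (key not in ctx) == want_absent
    if key not in ctx:
        return False
    actual = str(ctx[key])
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator {operator} is not modelled")


def _statement_matches(stmt, action, resource, ctx):
    """True if action, resource and every condition of the statement match."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(
        _condition_holds(op, key, expected, ctx)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def evaluate(policy, action, resource, ctx):
    """Return 'Deny' if any Deny statement matches, otherwise 'Allow'
    (the caller's identity policy is assumed to grant the action)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_matches(stmt, action, resource, ctx):
            return "Deny"
    return "Allow"


BUCKET = "arn:aws:s3:::example-bucket"   # assumed bucket name
OBJECTS = BUCKET + "/*"
ENC_KEY = "s3:x-amz-server-side-encryption"

DENY_HTTP = {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
DENY_WRONG_HEADER = {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
                     "Action": "s3:PutObject", "Resource": OBJECTS,
                     "Condition": {"StringNotEquals": {ENC_KEY: "aws:kms"}}}
DENY_MISSING_HEADER = {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
                       "Action": "s3:PutObject", "Resource": OBJECTS,
                       "Condition": {"Null": {ENC_KEY: "true"}}}

# The policy as it is often written first, and the one with the Null check added.
POLICY_INCOMPLETE = {"Version": "2012-10-17", "Statement": [DENY_HTTP, DENY_WRONG_HEADER]}
POLICY_COMPLETE = {"Version": "2012-10-17",
                   "Statement": [DENY_HTTP, DENY_WRONG_HEADER, DENY_MISSING_HEADER]}

# Constructed PutObject requests, expressed as their IAM request contexts.
REQUESTS = {
    "http_with_kms": {"aws:SecureTransport": "false", ENC_KEY: "aws:kms"},
    "https_sse_s3": {"aws:SecureTransport": "true", ENC_KEY: "AES256"},
    "https_no_header": {"aws:SecureTransport": "true"},
    "https_with_kms": {"aws:SecureTransport": "true", ENC_KEY: "aws:kms"},
}


def put_outcomes(policy):
    """Evaluate every constructed upload against one policy."""
    obj = BUCKET + "/report.csv"
    return {name: evaluate(policy, "s3:PutObject", obj, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("incomplete", POLICY_INCOMPLETE), ("complete", POLICY_COMPLETE)):
        print(label, put_outcomes(policy))
```

Running it shows the incomplete policy letting `https_no_header` through while the complete one denies it: a StringNotEquals check on s3:x-amz-server-side-encryption only fires when the header is present with a different value, which is the usual reason a "require encryption" policy appears not to work (question 11) and why the reference policies add a Null statement. Two practitioner caveats: S3 now applies SSE-S3 to every new object by default, so a header policy governs which key is used rather than whether encryption happens at all; and where the requirement is only that new objects end up SSE-KMS encrypted (questions 114 and 128), default bucket encryption with the KMS key does that without a policy, while the policy is what makes a client that asks for the wrong encryption fail loudly.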
94. A company wants to centrally manage user access to multiple AWS accounts using federated identity. Which AWS service should be used to create a single sign-on (SSO) solution?
95. A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?
96. A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?
97. An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?
98. A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are tamper-proof and can be used to verify integrity. Which feature should be enabled?
99. A DevOps engineer is troubleshooting a failed AWS CodeBuild project. The build fails with an error indicating that the IAM role does not have permission to describe Amazon ECR repositories. The role used by CodeBuild has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:BatchGetImage"],"Resource":"*"}]}. What is the missing permission?
100. A company wants to automatically detect and respond to suspicious activity in their AWS account. Which service should be used to generate alerts based on threat intelligence?
101. A company needs to audit all changes to IAM policies in their AWS account. Which services can be used to track and log these changes? (Select TWO.)
102. A security team wants to enforce that all Amazon S3 buckets in the organization are encrypted at rest. Which actions can achieve this? (Select THREE.)
103. Which AWS services can be used to protect a web application from common web exploits like SQL injection and cross-site scripting? (Select TWO.)
104. A DevOps engineer created the IAM policy shown in the exhibit and attached it to a user. The user tries to upload an object to my-bucket without specifying the ACL. Why does the upload fail?
105. A DevOps engineer executed the CLI command shown in the exhibit. After creation, the security team requires that the log files be encrypted with a KMS key that is rotated every 90 days. The current key is a customer managed key with automatic rotation enabled set to 365 days. What should the engineer do to meet the requirement?
106. Refer to the exhibit. This S3 bucket policy allows the root user of account 111122223333 to perform which actions?
107. A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?
108. A DevOps engineer is configuring AWS Config to detect changes to security group rules. The engineer wants to receive near-real-time notifications when a security group rule that allows inbound SSH traffic is created. Which combination of services and configurations should the engineer use? (Choose the best answer.)
109. A company has a security policy requiring that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. The DevOps engineer needs to enforce this policy. What is the simplest way to achieve this?
110. A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail logs. What is the most effective way to enforce this control?
111. A DevOps engineer is designing an AWS Lambda function that needs to read secrets from AWS Secrets Manager. What is the most secure way to provide the Lambda function access to the secret?
112. A company uses AWS CodeBuild to build and test code. The security team requires that all build artifacts be encrypted at rest. Which action should the DevOps engineer take to meet this requirement?
113. A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that any changes to IAM roles must be reviewed and approved by a security engineer before deployment. The DevOps engineer needs to implement a gating mechanism. Which approach should the engineer use?
114. A company is using Amazon S3 to store sensitive data. The security team mandates that all data must be encrypted at rest using server-side encryption with AWS Key Management Service (SSE-KMS). The DevOps engineer must ensure that any new objects uploaded to the bucket are automatically encrypted. What should the engineer do?
115. A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for users in Account B. The users in Account B must be able to list objects and read them. What is the most secure way to configure this access?
116. A company is using AWS Lambda to process sensitive data. The security team requires that the Lambda function only be invoked from within a specific VPC and that the function's environment variables be encrypted at rest. Which TWO actions should the DevOps engineer take to meet these requirements?
117. A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?
118. A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?
119. Refer to the exhibit. An IAM policy is attached to an IAM user. Which of the following actions will be allowed by this policy?
120. A company has a multi-account AWS environment managed by AWS Organizations. The DevOps team uses AWS CloudFormation StackSets to deploy a standard VPC across all member accounts. The security team has noticed that in some accounts, the VPC is being modified after deployment, allowing inbound SSH access from the internet. The team wants to automatically detect and remediate these changes. The current setup includes: AWS Config enabled in all accounts with a rule that checks for unrestricted SSH access; an SNS topic in the management account that receives compliance change notifications; and a Lambda function in the management account that can remediate by updating the security group rules. However, the remediation is not working consistently. What is the most likely reason, and what is the best solution?
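Questions 31, 78, 108 and 120 are about detecting and fixing a security group that exposes SSH to the internet. The following is an added example, not code from this page: it reimplements the check that the AWS Config managed rule restricted-ssh performs (an inbound rule reaching TCP port 22 from 0.0.0.0/0 or ::/0) over constructed describe-security-groups output, and builds the exact IpPermissions entry a revoke_security_group_ingress call needs so that remediation removes only the world-open CIDR and leaves the other sources in place. The group IDs and CIDRs are made up.

```python
"""Detection logic for 'SSH open to the world' security groups, in the shape
the AWS Config managed rule restricted-ssh evaluates, plus the revoke payload
for remediation (added example; sample data is constructed)."""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def _rule_reaches_port(rule, port):
    """True if an inbound rule's protocol and port range include `port` over TCP."""
    proto = rule.get("IpProtocol")
    if proto == "-1":       # 'all traffic' rules carry no port range at all
        return True
    if proto != "tcp":     # SSH is TCP; a UDP or ICMP rule on 22 is not SSH exposure
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _world_ranges(rule):
    """Return the 0.0.0.0/0 and ::/0 entries of a rule (empty lists if none)."""
    v4 = [r for r in rule.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    v6 = [r for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return v4, v6


def offending_permissions(security_group, port=22):
    """Inbound permissions that expose `port` to the whole internet, trimmed to
    the world-open ranges so they can be handed straight to
    ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=[...])."""
    bad = []
    for rule in security_group.get("IpPermissions", []):
        if not _rule_reaches_port(rule, port):
            continue
        v4, v6 = _world_ranges(rule)
        if not (v4 or v6):
            continue
        trimmed = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
        if v4:
            trimmed["IpRanges"] = v4
        if v6:
            trimmed["Ipv6Ranges"] = v6
        bad.append(trimmed)
    return bad


def noncompliant_groups(security_groups, port=22):
    """GroupIds the restricted-ssh check would mark NON_COMPLIANT."""
    return [sg["GroupId"] for sg in security_groups if offending_permissions(sg, port)]


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [          # SSH from anywhere plus a private range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "IpPermissions": [          # port range that contains 22, IPv6 only
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "IpPermissions": [          # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4", "IpPermissions": [          # SSH only from a corporate range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e5", "IpPermissions": [          # HTTPS open to the world is not SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        for perm in offending_permissions(sg):
            # With boto3 the remediation is:
            #   ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=[perm])
            # Printed here so the example runs offline.
            print(sg["GroupId"], perm)
```

Two things the sample groups make visible: a port range that merely contains 22 is as non-compliant as an explicit 22, and an all-traffic rule (IpProtocol -1) has no port range, so it is flagged for every port and revoking it removes every inbound source on that rule, which a remediation function should expect. For the cross-account setup in question 120, note that revoke_security_group_ingress called with management-account credentials cannot modify a group owned by a member account; the remediation has to run under a role it assumes in that account.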
121. A company is using AWS Secrets Manager to store database credentials for a multi-tier application. The application runs on EC2 instances in an Auto Scaling group. The DevOps engineer has configured the instances to retrieve the secret at boot time using a script that calls the AWS CLI. Recently, the security team discovered that the secret was exposed in the instance's user data logs. The engineer needs to implement a more secure method to access the secret without storing it in user data. The application code can be modified. The environment uses IAM roles for EC2. Which solution best meets the security requirements?
122. A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which KMS key type should the company use to meet this requirement without manual intervention?
123. A DevOps engineer needs to grant an IAM user temporary access to an S3 bucket for exactly one hour. Which AWS service should be used to generate temporary credentials?
124. Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?
125. A company uses AWS Secrets Manager to store database credentials. The security team requires that secrets be automatically rotated every 30 days. Which rotation strategy should the engineer configure to meet this requirement with minimal operational overhead?
126. A company is deploying a multi-tier application on AWS. The web tier must be publicly accessible, but the application tier must only be accessible from the web tier. The database tier should not be accessible from the internet at all. Which combination of security groups and network ACLs should be used?
127. A DevOps engineer needs to encrypt data in transit between an Application Load Balancer (ALB) and backend EC2 instances. The application uses HTTPS. What is the simplest way to achieve this encryption?
128. A company wants to ensure that all S3 buckets are encrypted at rest by default. Which S3 feature should be enabled at the bucket level to automatically encrypt new objects?
129. A company uses Amazon Inspector to scan EC2 instances for vulnerabilities. The security team discovers that a critical vulnerability is present on an instance, but the instance is part of an Auto Scaling group. What is the MOST efficient way to remediate this vulnerability while ensuring the Auto Scaling group remains operational?
130. Which TWO actions should a DevOps engineer take to prevent an S3 bucket from being publicly accessible? (Choose two.)
131. Which THREE of the following are best practices for managing IAM roles in AWS Organizations? (Choose three.)
132. Which TWO AWS services can be used to monitor for unauthorized API calls in an AWS account? (Choose two.)
133. Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)
134. Which TWO of the following are benefits of using AWS Certificate Manager (ACM) to manage SSL/TLS certificates? (Choose two.)
135. A company runs a production application on Amazon ECS with Fargate launch type. The application uses an RDS MySQL database. The security team requires that all traffic between the application and the database be encrypted in transit. Currently, the database security group allows inbound traffic from the ECS tasks' security group on port 3306 (MySQL). The application uses the standard MySQL client connection without SSL. After enabling SSL on the RDS instance, the application starts failing to connect. The error logs show 'SSL connection error: protocol version mismatch'. The application runs on a custom Docker image based on Amazon Linux 2. The DevOps engineer needs to fix the connection issue. Which course of action should the engineer take?
136. A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?
137. A startup wants to provide temporary, limited-privilege AWS access to external contractors who will assist with a project. The contractors do not have AWS accounts. The company wants to avoid creating IAM users for each contractor. They need a solution that allows contractors to log in to the AWS Management Console for a limited time. Which AWS service should the engineer use?
138. A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?
139. A company wants to enable AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team requires that logs be encrypted at rest and that any unauthorized deletion of log files be prevented. Which TWO actions should the security team take? (Choose TWO.)
140. A company uses AWS CodePipeline for CI/CD. The security team requires that all code changes be scanned for secrets before deployment. The pipeline consists of a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team wants to automatically scan for secrets and block the pipeline if any secrets are found. Which THREE actions should the team take? (Choose THREE.)
141. A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer (ALB). The application uses an RDS MySQL database. The security team performed a penetration test and discovered that the application is vulnerable to SQL injection. The development team has deployed a WAF web ACL to the ALB that includes rules to block SQL injection attacks. However, after the deployment, the application started returning 403 errors for legitimate requests, and the security team needs to investigate. The team also wants to ensure that only approved AWS services can access the RDS database. The current security groups are configured with a rule that allows inbound traffic from the ALB security group to the RDS database on port 3306. Which combination of actions should the security team take to resolve the issue and improve the security posture?
142. A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?
142A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?
143A company uses AWS CloudFormation to manage infrastructure as code. The security team requires that all changes to CloudFormation stacks be reviewed and approved before execution. The team has enabled StackSets to deploy stacks across multiple accounts. A junior developer accidentally runs a stack update that modifies a production security group, opening SSH access to 0.0.0.0/0. The security team wants to prevent this type of incident in the future. They need a solution that enforces a mandatory approval workflow for all stack updates, while still allowing automated deployments from approved CI/CD pipelines. Which solution meets these requirements?
144A company uses Amazon Inspector to assess the security of EC2 instances. The security team receives an alert that a high-severity vulnerability (CVE-2023-XXXX) was found on an EC2 instance running a critical application. The application is behind an Application Load Balancer (ALB) and uses an Auto Scaling group. The vulnerability has a known patch, but patching requires a reboot. The security team needs to remediate the vulnerability with minimal downtime. Which approach should the team take?
145A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?
146A company runs a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts are encrypted with AES-256 (SSE-S3) and that public access is blocked. The team wants to use a preventive control that automatically remediates non-compliant buckets. Which solution should the security team implement?
147A company uses Amazon CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed AWS KMS key. The team has enabled encryption on the CloudWatch Logs log group using a KMS key. However, after enabling encryption, the application fails to write logs to the log group. The application uses an IAM role that has the following permissions: logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Which additional permission does the application need?
148A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?
149A DevOps engineer is designing a CI/CD pipeline that deploys code to an EC2 instance. The engineer needs to securely store and retrieve database credentials used by the application. Which AWS service should be used?
150A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?
151A company wants to centralize IAM user management across multiple AWS accounts. The company currently uses individual IAM users in each account. What is the BEST practice for centralized access control?
152A company has an S3 bucket with sensitive data. The security team requires that all data uploaded to the bucket be automatically encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). How can this be enforced?
153A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?
154A company is using AWS CodeBuild as part of its CI/CD pipeline. The build projects need to access a private Amazon ECR repository to pull Docker images. What is the MOST secure way to grant CodeBuild access to ECR?
155A security engineer needs to audit who accessed a specific S3 object and from which IP address over the past 30 days. Which AWS service should be used?
156A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all unused IAM users are automatically identified and removed after 90 days of inactivity. What is the MOST effective solution?
157A company needs to ensure that an EC2 instance can only be launched using a specific Amazon Machine Image (AMI) that has been approved by the security team. Which TWO actions should be taken?
158A company uses AWS KMS to encrypt data at rest in S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which THREE steps should be taken?
159A company wants to implement a least-privilege security model for its IAM users. Which TWO practices should be applied?
160A company is deploying a web application on AWS and needs to ensure that all traffic to the application is encrypted in transit. The application runs behind an Application Load Balancer (ALB). Which configuration should be used to enforce HTTPS-only access?
161A DevOps engineer needs to securely store database credentials for an application running on Amazon ECS. Which AWS service should be used to manage the credentials and provide them to the ECS tasks?
162A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS. Which approach should be used to ensure compliance?
163A developer needs to allow an EC2 instance to read from an S3 bucket. Which is the most secure way to grant this access?
164A company is using AWS KMS to encrypt sensitive data stored in Amazon S3. The security team wants to ensure that the KMS keys cannot be deleted accidentally. What should be done?
165A company is using AWS CloudTrail to log API calls across all accounts in AWS Organizations. The security team wants to ensure that CloudTrail logs are not tampered with and are available for forensic analysis. Which combination of actions should be taken? (Choose TWO.)
166A company uses AWS CodeBuild to build and test code. The build process needs to access a private Amazon RDS database to run integration tests. What is the most secure way to provide database credentials to the build project?
167A DevOps engineer needs to allow an AWS Lambda function to write logs to Amazon CloudWatch Logs. What should the engineer do?
168A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?
169A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which solution is MOST efficient and scalable? (Choose THREE.)
170A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. What should be done? (Choose TWO.)
171A DevOps engineer needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. What is the simplest way to achieve this?
172Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from the S3 bucket 'example-bucket' from an IP address of 10.1.2.3. What will happen?
173Refer to the exhibit. An EC2 instance with the IAM role MyAppRole is running. An application on the instance tries to delete an object from the S3 bucket 'example-bucket'. What will happen?
174Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?
175A company wants to automate patching of EC2 instances running Amazon Linux 2 while ensuring compliance with security policies. Which AWS service should be used?
176A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?
177A company uses AWS Organizations with multiple accounts. The security team requires that all newly created S3 buckets in any account automatically have default encryption enabled and block public access. Which solution is MOST operationally efficient?
178A company is using AWS KMS to encrypt data at rest for S3 objects. The security team wants to rotate the KMS key annually. Which action should the team take to implement automatic key rotation?
179A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?
180A company's security policy requires that all EC2 instances must be launched with an IAM role that provides least privilege access. A DevOps engineer needs to enforce this across the organization. Which approach is MOST effective?
181A company uses AWS Secrets Manager to store database credentials. The security team needs to automatically rotate the secrets every 30 days. Which action should be taken?
182A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a critical application. Which security practice should the engineer implement to prevent unauthorized changes to the pipeline?
183A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?
184Which TWO actions can help protect an AWS account's root user? (Choose TWO.)
185Which THREE are components of the AWS Shared Responsibility Model? (Choose THREE.)
186A DevOps team is designing a solution to encrypt data at rest for an Amazon RDS for MySQL database. Which TWO actions should the team take? (Choose TWO.)
187Refer to the exhibit. A DevOps engineer attaches the IAM policy to an IAM user. The user reports being unable to download objects from the S3 bucket. What is the likely cause?
188Refer to the exhibit. The command is run to investigate a potential security incident. The output shows no events. Which of the following is the MOST likely reason?
189Refer to the exhibit. The S3 bucket policy is applied to a bucket. An application attempts to upload an object to the bucket using HTTP (not HTTPS). What will happen?
190A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally enforce that S3 buckets in all accounts block public access. Which policy should be attached to the root organizational unit to achieve this?
191A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?
192A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?
193A company uses AWS CodeBuild for CI/CD. The build project needs to access a private S3 bucket to download artifacts. What is the MOST secure way to grant access?
194An organization has a compliance requirement to automatically detect and alert on any IAM user creation in all AWS accounts. Which combination of services should be used to meet this requirement?
195A company's security team suspects that an attacker has compromised an IAM user's access keys. The keys were used to launch instances in an unauthorized region. What is the FASTEST way to mitigate the threat?
196A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?
197A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS). When uploading an object via the AWS CLI, which parameter must be included to enforce this?
198A company is using AWS CodePipeline with an S3 source action. The pipeline must be triggered only when a new object is uploaded to a specific prefix, and the pipeline should not have access to objects outside that prefix. Which configuration meets these requirements?
199Which TWO actions are effective ways to protect an AWS account root user? (Choose 2)
200Which THREE are features of AWS Key Management Service (KMS) that help with compliance requirements? (Choose 3)
201Which TWO are best practices for securing an Amazon RDS database? (Choose 2)
202An IAM policy is attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' even though they are connecting from within the 10.0.0.0/16 IP range. What is the MOST likely reason?
203A key policy for a KMS customer managed key includes the above statement. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?
204A security engineer runs the above CLI command to investigate IAM user 'Bob'. The output shows Bob logged in and then created a new IAM user. Which additional information should the engineer look for to determine if this was a security incident?
205A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?
206A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?
207A company uses AWS CodePipeline to deploy a web application to an Auto Scaling group. The security team requires that all artifacts in the pipeline be encrypted at rest. The pipeline uses an S3 bucket as the artifact store. Which combination of actions should the DevOps engineer take to meet this requirement with minimal operational overhead?
208A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline must scan container images for vulnerabilities before deploying to Amazon ECS. Which service should the engineer use to perform the vulnerability scan?
209An organization uses AWS Key Management Service (KMS) with customer-managed keys. The security policy requires automatic key rotation every year. A DevOps engineer notices that the key material is not rotating as expected. What is the most likely cause?
210A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation function is failing with a permission error. Which IAM policy should be attached to the Lambda execution role to allow Secrets Manager to invoke the rotation function?
211A DevOps engineer is troubleshooting a failed CodeBuild project. The build fails with an error: 'Access Denied: Unable to put object to S3.' The build project has an S3 bucket as the artifact store. What should the engineer do to resolve this issue?
212An organization wants to enforce that all Amazon S3 buckets are encrypted with SSE-S3. Which AWS service can be used to automatically remediate non-compliant buckets?
213A DevOps engineer needs to temporarily grant an external auditor read-only access to a specific S3 bucket for 24 hours. What is the most secure way to grant this access?
214A DevOps engineer is designing a secure CI/CD pipeline. Which TWO of the following are best practices for securing secrets in the pipeline?
215A company wants to monitor and detect anomalous API calls in their AWS account. Which THREE AWS services should they use together to achieve this?
216A DevOps engineer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. Which TWO methods can achieve this?
217The IAM policy above is attached to a user. The user tries to stop an EC2 instance. What will happen?
218A DevOps engineer runs the command above and gets the output shown. The engineer then tries to delete a versioned object from the bucket without using MFA. What will happen?
219The AWS Config rule 's3-bucket-ssl-requests-only' returns NON_COMPLIANT for the bucket 'my-bucket'. What does this mean?
220A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service should be used to implement this rotation?
221A company needs to audit all changes to security groups in a multi-account environment. The logs must be centrally stored and immutable. Which solution meets these requirements with minimal operational overhead?
222A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the target account is 222222222222. Which combination of a bucket policy and an IAM policy correctly grants the target account access?
223Given the above AWS CLI command output, which actions are allowed for the specified policy?
224A company has an Amazon RDS for MySQL database that stores sensitive data. The security team requires encryption at rest and in transit. Which combination of options meets these requirements?
225An S3 bucket has the above bucket policy. What is the effect of this policy?
226A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?
227A DevOps engineer needs to securely store and automatically rotate database credentials for a web application running on Amazon ECS. Which solution should be used?
228Given the above IAM policy, which action is permitted?
229Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)
230Which THREE AWS services can be used to centrally manage and enforce security policies across multiple accounts in AWS Organizations? (Select THREE.)
231Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)
232An S3 bucket has the above bucket policy. What is the net effect on GetObject requests?
233A company needs to enforce that all EC2 instances launched in an AWS account use a specific Amazon Machine Image (AMI) that is approved by the security team. Which combination of services should be used?
234A company wants to centrally manage and audit access to AWS KMS keys across multiple accounts. Which AWS feature should be used?
235A company wants to ensure that all API calls made within its AWS account are logged for auditing purposes. Which AWS service should be enabled to meet this requirement?
236A DevOps engineer needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption key be managed by AWS and rotated automatically. Which encryption option should be used?
237A company uses AWS Organizations with multiple accounts. The security team wants to restrict the use of specific instance types across all accounts to reduce costs and enforce compliance. Which approach should be used?
238A company is using Amazon RDS for MySQL and needs to encrypt the database at rest. Which action should be taken to enable encryption?
239A DevOps engineer receives an alert that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What is the first step the engineer should take to isolate the instance?
240A company requires that all secrets (e.g., database passwords) used by Lambda functions be rotated automatically every 30 days. Which combination of services should be used?
241An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?
242A security audit reveals that an S3 bucket contains objects that are not encrypted. The bucket is configured with default encryption using SSE-S3. What is the most likely reason that objects are unencrypted?
243A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?
244A company is designing a secure CI/CD pipeline. Which TWO actions should be taken to protect secrets (e.g., API keys) used in the pipeline? (Choose TWO.)
245A DevOps team needs to enforce that all S3 buckets in an AWS account are encrypted at rest. Which THREE steps should be taken to achieve this? (Choose THREE.)
246A company is using AWS KMS to encrypt data. Which TWO statements about AWS KMS key rotation are correct? (Choose TWO.)
247Refer to the exhibit. A security team wants to enforce that passwords expire after 60 days. Which action should be taken?
248Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?
249Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most likely security concern?
250A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A Security Engineer needs to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. Which solution meets these requirements?
251A company uses AWS Organizations with multiple accounts. The Security team needs to enforce that all newly created S3 buckets in any account are configured with server-side encryption (SSE-S3 or SSE-KMS) and block public access. Which approach should be used?
252A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?
253A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?
254A company is using AWS CodePipeline to deploy a web application across multiple AWS accounts using CloudFormation stack sets. The pipeline is in the tools account, and it deploys to production account. The security team requires that all CloudFormation changes to production account be reviewed and approved by a senior engineer. Which approach meets this requirement?
255A company needs to ensure that all API calls made to AWS are encrypted in transit. Which of the following is the correct way to enforce this?
256A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?
257A company uses a centralized AWS KMS customer master key (CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the CMK can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?
258A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to achieve this?
259Which TWO actions should a DevOps engineer take to secure a web application running on EC2 instances behind an Application Load Balancer? (Choose two.)
260Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)
261Which TWO AWS services can be used to monitor and detect unauthorized access to AWS resources? (Choose two.)
262A company has a multi-account AWS environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies the creation of IAM users and roles with full admin access. The SCP is attached to all accounts. However, a DevOps engineer in a member account reports that they are able to create an IAM role with an administrator access policy attached. The engineer uses the AWS Management Console to create the role. The SCP is confirmed to be in place. What is the most likely reason the SCP is not preventing the role creation?
263A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?
264A company is using AWS KMS to encrypt data at rest in Amazon S3. The Security team requires that all encryption keys be automatically rotated annually. Which key type should be used to meet this requirement?
265A DevOps team is deploying a multi-tier application on AWS. The application must comply with PCI DSS. Which combination of services should be used to encrypt data in transit between the web tier and the application tier?
266A company wants to securely store database credentials used by an application running on Amazon EC2. The credentials should be automatically rotated every 90 days. Which AWS service should be used?
267An organization uses AWS Organizations with multiple accounts. The Security team needs to enforce a policy that prohibits the creation of S3 buckets with public access in any account. Which policy type should be used?
268A DevOps engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role attached with a policy that allows s3:GetObject. The S3 bucket policy explicitly denies access to the instance's role. What is the result?
269A company uses AWS CodePipeline to deploy a web application. The pipeline uses artifacts stored in an S3 bucket. The Security team requires that all artifacts be encrypted in transit and at rest, and that the pipeline only access the bucket using a specific VPC endpoint. Which configuration meets these requirements?
270A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest using a KMS key. Which solution is the MOST secure and scalable?
271A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?
272A company wants to monitor and detect suspicious API activity across all AWS accounts in an organization. Which TWO services should be used together?
273A company needs to enforce that all IAM users must use multi-factor authentication (MFA) to perform any AWS Console actions. Which TWO steps should be taken to enforce this?
274. A company uses AWS CodeBuild to build and test code. The build jobs need to access a private S3 bucket to download dependencies. Which THREE steps are required to securely grant access?
275. A company's Security team wants to detect and alert on the creation of IAM users with console access. Which THREE services should be used?
276. A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?
277. A company runs a production application on EC2 instances behind an Application Load Balancer (ALB). The application handles sensitive data. The Security team wants to encrypt all traffic between the ALB and the EC2 instances using TLS. They have created a self-signed certificate on each instance. However, the ALB health checks are failing with a 502 error. The instances are healthy when accessed directly via SSH. What is the MOST likely cause?
278. A company uses AWS Secrets Manager to store database credentials for a legacy application running on an on-premises server. The application retrieves the secret via the AWS SDK. Recently, the database password was rotated in Secrets Manager, but the application continued to use the old password and failed to connect. The application code is correct and uses the latest SDK. The IAM role attached to the server has the secretsmanager:GetSecretValue permission. What is the MOST likely cause?
279. A company uses AWS Organizations with SCPs to enforce security policies. The security team needs to ensure that no IAM user or role can disable AWS CloudTrail or delete CloudTrail logs. Which TWO approaches should be combined to achieve this? (Choose TWO.)
280. A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)
281. A company uses AWS Organizations with multiple accounts. The security team has implemented an SCP that denies the creation of IAM users. However, a developer in the 'development' account was able to create an IAM user. The DevOps engineer is asked to investigate. The SCP is attached to the root organizational unit (OU) and also to the 'development' OU. The 'development' account is a member of the 'development' OU. The SCP effect is 'Deny' on the 'iam:CreateUser' action. The developer's IAM permissions are managed by an IAM policy that allows 'iam:*'. The engineer checks CloudTrail and sees that the CreateUser API call succeeded. What is the most likely reason?
282. A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic to the ALB must be encrypted (HTTPS) and that the ALB must only accept traffic from CloudFront. The DevOps engineer has configured CloudFront with an origin pointing to the ALB, and the ALB has a listener on port 443 with a valid SSL certificate. The engineer also added a security group rule to the ALB that allows HTTPS traffic only from CloudFront's IP ranges. However, users are reporting intermittent 503 errors. The engineer checks CloudFront logs and sees that some requests are failing with 'Origin Connect Error'. What is the most likely cause?
283. A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using AWS KMS with Customer Master Keys (CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?
284. A company uses AWS CloudTrail to log all API calls across multiple accounts. The logs are stored in an S3 bucket in the management account. The security team wants to ensure that the logs are not tampered with and that any unauthorized modification is detected. The DevOps engineer has enabled CloudTrail log file integrity validation. The engineer also sets up an S3 lifecycle policy to transition logs to Glacier after 90 days. Additionally, the engineer enables S3 server access logging and sends the logs to a different bucket. A few months later, the security team suspects that some logs have been deleted. The engineer checks the CloudTrail digest files and finds that the latest digest file is missing. What is the most likely cause?
285. A company is using AWS CodeBuild to build and test a Java application. The build process requires access to a private Maven repository hosted on an internal HTTPS server. The DevOps engineer has configured CodeBuild to use a VPC and placed the build environment in a private subnet. The security group for the build environment allows outbound HTTPS to the Maven repository's security group. The Maven repository server is in the same VPC but in a different private subnet. The build fails with a 'Connection refused' error when trying to download dependencies. The engineer checks the security group rules and confirms they are correct. What is the most likely cause?
286. A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a KMS CMK. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?
287. A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation is configured to occur every 30 days. The DevOps engineer notices that the latest secret version is not being used by the application after rotation. The application is an EC2 instance that retrieves the secret using the AWS SDK. The engineer checks the secret and sees that the rotation succeeded and the new version is marked as 'AWSCURRENT'. The EC2 instance role has permissions to retrieve the secret. What is the most likely reason the application is still using the old secret?
288. A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in all accounts are encrypted with SSE-S3. They plan to use an SCP to deny the creation of unencrypted buckets. The DevOps engineer writes an SCP with a Deny effect for s3:PutBucketEncryption without a condition. However, when testing, an administrator in a member account is able to create a bucket without encryption. The engineer checks CloudTrail and sees that the bucket was created with a PutBucket call that did not include the x-amz-server-side-encryption header. What is the most likely reason the SCP did not prevent this?
The Security and Compliance domain covers the key concepts tested in this area of the DOP-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DOP-C02 domains — no account required.
The Courseiva DOP-C02 question bank contains 288 questions in the Security and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.