© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.



DOP-C02 Security and Compliance — All Questions With Answers

Complete DOP-C02 Security and Compliance question bank: all 288 questions with answers and detailed explanations.

288 questions. Free, no signup.
Question 1 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?

Question 2 (hard, multiple choice)

A company is running a critical application on an Amazon EC2 instance that needs to access an S3 bucket. The application must use temporary credentials that automatically rotate. The DevOps engineer must ensure that the credentials are never stored on disk. Which approach meets these requirements?

Question 3 (easy, multiple choice)

A DevOps engineer needs to ensure that all API calls made to AWS are recorded for auditing purposes. Which AWS service should be used?

Question 4 (medium, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?

Question 5 (hard, multiple choice)

A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?

Question 6 (medium, multi select)

A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)

Question 7 (hard, multi select)

A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)

Question 8 (hard, multiple choice)

A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?

Question 9 (easy, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all new member accounts automatically receive a specific AWS Config rule to require encryption on Amazon EBS volumes. Which solution meets this requirement with the least operational overhead?

Question 10 (medium, multi select)

A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)

Question 11 (hard, multiple choice)

A DevOps engineer applies the S3 bucket policy shown in the exhibit to enforce encryption and secure transport. After applying the policy, users report that they can still upload objects without encryption. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        }
      }
    },
    {
      "Sid": "AllowSSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 12 (medium, drag order)

Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.

Question 13 (medium, matching)

Match each AWS security and identity service to its function.


Manages users, groups, roles, and permissions

Creates and manages encryption keys

Rotates and manages secrets like database credentials

DDoS protection service

Web application firewall

Question 14 (easy, multiple choice)

A company uses AWS KMS to encrypt data in S3. They want to audit who used which KMS key and when. Which AWS service should they use?

Question 15 (medium, multiple choice)

A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?

Question 16 (hard, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?

Question 17 (easy, multiple choice)

A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?

Question 18 (medium, multiple choice)

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest and access should be limited to the security team. Which solution is MOST secure and scalable?

Question 19 (hard, multiple choice)

A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?

Question 20 (easy, multiple choice)

A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?

Question 21 (medium, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. They want to centrally manage user access to all accounts using single sign-on (SSO) and enforce multi-factor authentication (MFA). Which service should they use?

Question 22 (hard, multiple choice)

A company is using AWS CloudFormation to deploy infrastructure. They need to ensure that all resources created by CloudFormation are tagged with a 'CostCenter' tag. The tag must be applied automatically to all resources in the stack. What should they do?

Question 23 (medium, multi select)

A security engineer is designing a secure VPC architecture for a web application. The application must be isolated from the internet and only accessible through a load balancer. Which TWO actions should the engineer take?

Question 24 (hard, multi select)

A company is migrating to AWS and needs to comply with PCI DSS. They must encrypt all data at rest and in transit. Which THREE services or features should they use?

Question 25 (easy, multi select)

A DevOps engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which TWO methods can achieve this?

Question 26 (medium, multiple choice)

A company requires that all access to their S3 buckets be encrypted in transit. Which configuration achieves this?

Question 27 (hard, multiple choice)

A company's security team notices that an IAM user has permissions to terminate EC2 instances but should only be allowed to stop them. The current policy allows ec2:TerminateInstances. What is the most secure way to prevent termination while allowing stop?

Question 28 (easy, multiple choice)

A DevOps engineer needs to store secrets such as database passwords for a serverless application. Which AWS service is most appropriate?

Question 29 (medium, multiple choice)

A company uses AWS KMS to encrypt data in S3. The security team requires that the key material be rotated every 90 days. What should be done to meet this requirement?

Question 30 (hard, multiple choice)

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet that needs to download patches from the internet. Which solution is MOST secure and scalable?

Question 31 (medium, multiple choice)

A security audit reveals that EC2 instances have security groups with overly permissive inbound rules allowing all traffic (0.0.0.0/0) on SSH port 22. What is the BEST way to remediate this at scale?

Question 32 (easy, multiple choice)

A company wants to centralize logging of all API calls made within their AWS account for auditing. Which service should they use?

Question 33 (medium, multiple choice)

A DevOps engineer is designing a CI/CD pipeline that deploys to production. The security team mandates that all code changes must be reviewed and signed off by two senior developers before deployment. How can this be enforced?

Question 34 (hard, multiple choice)

A company has an AWS Lambda function that processes sensitive data. The function needs to access an RDS database with credentials stored in Secrets Manager. What is the MOST secure way to grant the Lambda function access to the secret?

Question 35 (medium, multi select)

Which TWO actions can be taken to protect an S3 bucket from being publicly accessible? (Select TWO.)

Question 36 (hard, multi select)

Which THREE measures can be taken to ensure that EC2 instances are compliant with a security policy that requires all instances to be in a VPC with specific tags? (Select THREE.)

Question 37 (easy, multi select)

Which TWO AWS services can be used to manage and rotate database credentials automatically? (Select TWO.)

Question 38 (medium, multiple choice)

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?

Question 39 (easy, multiple choice)

A DevOps engineer must ensure that all API calls in an AWS account are logged for compliance. The logs should be stored in an S3 bucket with server-side encryption enabled. Which two services should be used together to meet these requirements?

Question 40 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?

Question 41 (medium, multiple choice)

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. What is the most likely cause?

Question 42 (easy, multiple choice)

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the destination account is 222222222222. Which policy should be attached to the S3 bucket?

Question 43 (hard, multiple choice)

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?

Question 44 (medium, multiple choice)

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?

Question 45 (easy, multiple choice)

A company needs to store sensitive data in Amazon S3 with encryption at rest. Which option provides the MOST control over the encryption keys?

Question 46 (hard, multiple choice)

A company has a Lambda function that processes sensitive data and needs to access an RDS database. The security team requires that the database credentials are automatically rotated every 30 days. Which service should be used to store and rotate the credentials?

Question 47 (medium, multi select)

A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)

Question 48 (hard, multi select)

A company has an IAM policy that allows users to manage their own passwords and MFA devices. The policy includes a condition that requires MFA for all API operations except for changing passwords and MFA. Which THREE statements are true about this policy? (Choose THREE.)

Question 49 (medium, multi select)

A company wants to audit all changes to IAM policies in their AWS account. Which THREE services can be used to capture and alert on IAM policy changes? (Choose THREE.)

Question 50 (easy, multiple choice)

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which AWS service can automatically manage the encryption keys with minimal configuration?

Question 51 (medium, multiple choice)

A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?

Question 52 (hard, multiple choice)

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting attacks. Which AWS service should be integrated with the ALB?

Question 53 (medium, multiple choice)

A company's security team requires that all API calls to AWS are logged for audit purposes. Which service should be enabled to capture and store these logs?

Question 54 (hard, multiple choice)

A company wants to enforce that S3 buckets are not publicly accessible. Which AWS service can continuously monitor and automatically remediate non-compliant buckets?

Question 55 (easy, multiple choice)

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for a user in Account B. Which combination of policies is required?

Question 56 (medium, multiple choice)

A security audit reveals that an IAM user has long-term access keys that have not been rotated in over 90 days. What is the most secure way to enforce key rotation?

Question 57 (hard, multiple choice)

A company's security policy requires that all data in transit between on-premises and AWS is encrypted. Which AWS service provides a dedicated network connection with encryption?

Question 58 (medium, multiple choice)

A company needs to store audit logs for 7 years to meet compliance requirements. Which S3 storage class is the most cost-effective for long-term archival?

Question 59 (medium, multi select)

Which TWO actions should a DevOps engineer take to secure an AWS account root user? (Choose TWO.)

Question 60 (hard, multi select)

Which THREE services can be used to protect a VPC from malicious traffic? (Choose THREE.)

Question 61 (easy, multi select)

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose TWO.)

Question 62 (hard, multiple choice)

Refer to the exhibit. An S3 bucket policy is configured as shown. A user from IP 192.0.2.10 is unable to download an object from the bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 63 (medium, multiple choice)

Refer to the exhibit. A CloudTrail trail named ManagementTrail is configured as shown. Which events will be logged?

Exhibit

Refer to the exhibit.

$ aws cloudtrail get-event-selectors --trail-name ManagementTrail
{
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": []
    }
  ]
}
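A way to check what the selector in the Question 63 exhibit actually captures is to apply its rules to a few trail records. The block below is an added example, not part of the page or of any AWS tooling: the selector is the exhibit's, the records are constructed to look like trimmed CloudTrail entries (eventSource, eventName, readOnly, managementEvent and resources are real record fields), and the matching follows the documented semantics: ReadWriteType filters on readOnly, management events are kept only when IncludeManagementEvents is true, and a data event is kept only when a DataResources entry matches its resource type and ARN prefix.

```python
"""Apply a CloudTrail event selector to sample trail records (added example)."""

# Selector from the Question 63 exhibit.
EXHIBIT_SELECTOR = {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}

# Constructed sample records; not real log data.
RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "readOnly": False, "managementEvent": True, "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True, "managementEvent": True, "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "readOnly": True, "managementEvent": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::audit-bucket/2024/log.gz"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "readOnly": False, "managementEvent": False,
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:rotate"}]},
]


def selector_logs(selector, record):
    """True if the trail would write this record under the given event selector."""
    rw = selector.get("ReadWriteType", "All")
    if rw == "ReadOnly" and not record["readOnly"]:
        return False
    if rw == "WriteOnly" and record["readOnly"]:
        return False
    if record["managementEvent"]:
        return bool(selector.get("IncludeManagementEvents", True))
    # Data event: logged only if some DataResources entry names its type and ARN prefix.
    for data_resource in selector.get("DataResources", []):
        for res in record.get("resources", []):
            if res["type"] == data_resource["Type"] and any(
                res["ARN"].startswith(prefix) for prefix in data_resource["Values"]
            ):
                return True
    return False


def logged_event_names(selector, records=RECORDS):
    """Event names that the selector keeps, in record order."""
    return [r["eventName"] for r in records if selector_logs(selector, r)]


if __name__ == "__main__":
    print(logged_event_names(EXHIBIT_SELECTOR))
```

With the exhibit's empty DataResources list, only the two management events survive; adding an S3 object data resource for the bucket is what makes GetObject appear, and switching ReadWriteType to ReadOnly drops RunInstances.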
Question 64 (easy, multiple choice)

Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/CrossAccountRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
Question 65 (easy, multiple choice)

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with AWS Key Management Service (SSE-KMS) and enforce that all new objects are encrypted. Which bucket policy statement should be added?

Question 66 (medium, multiple choice)

A DevOps engineer needs to allow an EC2 instance to write logs to CloudWatch Logs. The instance is configured with an instance profile that has the following IAM role attached. Which additional policy is required?

Question 67 (hard, multiple choice)

A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?

Question 68 (easy, multiple choice)

An organization needs to audit all AWS API calls made in their account for compliance purposes. Which AWS service should they enable?

Question 69 (medium, multiple choice)

A company has an S3 bucket containing sensitive data. They need to ensure that all access to the bucket is logged and that any unauthorized access attempts are immediately notified. Which combination of services should be used?

Question 70 (hard, multiple choice)

A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?

Question 71 (easy, multiple choice)

A company wants to centrally manage and apply policies across multiple AWS accounts in an AWS Organization. Which service should be used to define and enforce compliance rules?

Question 72 (medium, multiple choice)

A DevOps team is deploying a web application on EC2 behind an Application Load Balancer. They need to encrypt traffic between the ALB and the EC2 instances. Which action should they take?

Question 73 (hard, multiple choice)

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. Which configuration change is MOST likely to resolve the issue?

Question 74 (medium, multi select)

Which TWO actions can be taken to secure an Amazon S3 bucket that contains confidential data? (Choose TWO.)

Question 75 (hard, multi select)

Which THREE components are necessary to implement a secure VPC with a public subnet and a private subnet that hosts a database? (Choose THREE.)

Question 76 (easy, multi select)

Which TWO AWS services can be used to manage secrets and database credentials securely? (Choose TWO.)

Question 77 (medium, multiple choice)

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using customer-managed KMS keys. Additionally, any attempt to upload an unencrypted object must be denied. Which S3 bucket policy should be used?

Question 78 (easy, multiple choice)

A DevOps engineer is configuring AWS Config rules to detect non-compliant security groups. The rule should trigger if any security group allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS managed Config rule should be used?

Question 79 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?

Question 80 (medium, multiple choice)

A company is migrating a legacy application to AWS. The application requires cross-account access to an S3 bucket in a different AWS account. The security team wants to follow the principle of least privilege. How should the DevOps engineer configure the access?

Question 81 (easy, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

Question 82 (hard, multiple choice)

A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?

Question 83 (medium, multiple choice)

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team requires that all artifacts be encrypted at rest and in transit. Which configuration ensures encryption for all stages?

Question 84 (easy, multiple choice)

A DevOps engineer needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?

Question 85 (medium, multiple choice)

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?

Question 86 (medium, multi select)

A company is designing a secure CI/CD pipeline using AWS CodePipeline. The pipeline must comply with the principle of least privilege for IAM permissions. Which TWO actions should the DevOps engineer take? (Choose TWO.)

Question 87 (hard, multi select)

A security audit reveals that an S3 bucket contains objects that are publicly accessible. The DevOps engineer must prevent any future public access to the bucket and all objects within it. Which THREE actions should the engineer take? (Choose THREE.)

Question 88 (easy, multi select)

A company wants to protect its AWS account credentials. Which TWO practices are recommended by AWS? (Choose TWO.)

Question 89 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
Question 90 (medium, multiple choice)

Refer to the exhibit. A DevOps engineer created an IAM role 'MyLambdaRole' for a Lambda function. The Lambda function needs to write logs to CloudWatch Logs. However, the function is not able to create log streams. What is the most likely missing configuration?

Exhibit

Refer to the exhibit.

$ aws iam get-role --role-name MyLambdaRole
{
  "Role": {
    "Path": "/",
    "RoleName": "MyLambdaRole",
    "Arn": "arn:aws:iam::123456789012:role/MyLambdaRole",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
Question 91 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance with the tag 'Environment=production' in us-east-1. What will happen?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}
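The exhibit policies in Questions 11, 89 and 91 all turn on how IAM combines Allow and Deny statements with condition operators, and the fastest way to reason about them is to run the request through the same rules. The block below is an added example, not part of the page or of any AWS tool: a deliberately small evaluator that implements only the operators those exhibits use (StringEquals, StringNotEquals, StringLike, Null, Bool, IpAddress) and the core decision rule (an applicable Deny wins, otherwise an applicable Allow is required, otherwise implicit deny). It embeds the three exhibit policies as Python dicts, ignores Principal, and adds one constructed identity policy (UPLOADER_POLICY) because a bucket policy made only of Deny statements never grants anything by itself. Two documented behaviours it relies on: a negated operator such as StringNotEquals is satisfied when the key is absent from the request, and aws:SourceIp is the address AWS sees (normally the public address after NAT) and is absent for requests that arrive through a VPC endpoint. All request contexts and the instance ID are constructed.

```python
"""Minimal IAM policy evaluator for the exhibit policies on this page.

Added example, not part of the page or of any AWS tool. Covers only the
operators the exhibits use and the core decision rule. Principal,
NotAction/NotResource and case-insensitive matching are out of scope.
"""
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def clause_matches(operator, key, expected, ctx):
    """Evaluate one {operator: {key: expected}} clause against the request context."""
    values = [str(v) for v in _as_list(expected)]
    if operator == "Null":  # Null/true: key must be absent; Null/false: key must be present
        return (key not in ctx) == (values[0].lower() == "true")
    if key not in ctx:  # a missing key fails positive operators but satisfies negated ones
        return operator == "StringNotEquals"
    actual = str(ctx[key])
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    if operator == "Bool":
        return actual.lower() == values[0].lower()
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported operator: {operator}")

def statement_applies(stmt, action, resource, ctx):
    """Action, Resource and every Condition clause must all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(clause_matches(op, key, exp, ctx)
               for op, clauses in stmt.get("Condition", {}).items()
               for key, exp in clauses.items())

def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision

# Question 11 exhibit (bucket policy); Principal "*" is ignored here.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": True}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Constructed identity policy for the uploader (not on the page): the bucket policy only denies.
UPLOADER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
# Question 89 exhibit (identity policy with an IP condition).
IP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}
# Question 91 exhibit (group policy: tag-scoped Deny, and no Allow for Terminate at all).
EC2_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances"]},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringLike": {"ec2:ResourceTag/Environment": "production"}}}]}

def check_upload(sse_header, https=True):
    """Question 11: decision for one PutObject to my-bucket with the given SSE header."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse_header:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return evaluate([UPLOADER_POLICY, BUCKET_POLICY], "s3:PutObject",
                    "arn:aws:s3:::my-bucket/report.csv", ctx)

def check_download(source_ip):
    """Question 89: pass the address AWS sees; None models a VPC endpoint request (no aws:SourceIp)."""
    ctx = {"aws:SourceIp": source_ip} if source_ip else {}
    return evaluate([IP_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)

def check_ec2(action, region, env_tag):
    """Question 91: decision for an EC2 action on an instance tagged Environment=env_tag."""
    ctx = {"ec2:ResourceTag/Environment": env_tag} if env_tag else {}
    resource = f"arn:aws:ec2:{region}:123456789012:instance/i-0abc"  # hypothetical instance
    return evaluate([EC2_POLICY], action, resource, ctx)
```

Running the Question 11 requests through it shows that, as written, the bucket policy denies a PutObject with no encryption header, one with SSE-S3 (AES256), and one with SSE-KMS over plain HTTP, and only lets an SSE-KMS upload over TLS through; so when unencrypted uploads still succeed, the policy text itself is not where to look. For Question 89, a request whose aws:SourceIp is 10.0.0.5 is allowed, but a request that reaches AWS from a public address, or through a VPC endpoint with no aws:SourceIp at all, gets an implicit deny. For Question 91, terminating a production instance in us-east-1 is an explicit deny, terminating a staging one is still an implicit deny because nothing allows TerminateInstances, and StopInstances is allowed.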
Question 92 (medium, multiple choice)

A company is migrating a legacy application to AWS. The application requires a shared file system accessible from multiple EC2 instances. The compliance team mandates encryption at rest and in transit, with automatic key rotation. Which storage solution meets these requirements?

Question 93 (hard, multiple choice)

A DevOps engineer needs to ensure that an S3 bucket policy enforces encryption in transit for all access. Which policy statement should be added?

Question 94 (easy, multiple choice)

A company wants to centrally manage user access to multiple AWS accounts using federated identity. Which AWS service should be used to create a single sign-on (SSO) solution?

Question 95 (medium, multiple choice)

A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?

Question 96 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

Question 97 (easy, multiple choice)

An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?

Question 98 (medium, multiple choice)

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are tamper-proof and can be used to verify integrity. Which feature should be enabled?

Question 99 (hard, multiple choice)

A DevOps engineer is troubleshooting a failed AWS CodeBuild project. The build fails with an error indicating that the IAM role does not have permission to describe Amazon ECR repositories. The role used by CodeBuild has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:BatchGetImage"],"Resource":"*"}]}. What is the missing permission?

Question 100 (easy, multiple choice)

A company wants to automatically detect and respond to suspicious activity in their AWS account. Which service should be used to generate alerts based on threat intelligence?

Question 101 (medium, multi select)

A company needs to audit all changes to IAM policies in their AWS account. Which services can be used to track and log these changes? (Select TWO.)

Question 102 (hard, multi select)

A security team wants to enforce that all Amazon S3 buckets in the organization are encrypted at rest. Which actions can achieve this? (Select THREE.)

Question 103 (easy, multi select)

Which AWS services can be used to protect a web application from common web exploits like SQL injection and cross-site scripting? (Select TWO.)

Question 104 (medium, multiple choice)

A DevOps engineer created the IAM policy shown in the exhibit and attached it to a user. The user tries to upload an object to my-bucket without specifying the ACL. Why does the upload fail?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Question 105 (hard, multiple choice)

A DevOps engineer executed the CLI command shown in the exhibit. After creation, the security team requires that the log files be encrypted with a KMS key that is rotated every 90 days. The current key is a customer managed key with automatic rotation enabled set to 365 days. What should the engineer do to meet the requirement?

Exhibit

Refer to the exhibit.
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --enable-log-file-validation --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abc123
Question 106 (easy, multiple choice)

Refer to the exhibit. This S3 bucket policy allows the root user of account 111122223333 to perform which actions?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Question 107 (medium, multiple choice)

A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?

Question 108 (hard, multiple choice)

A DevOps engineer is configuring AWS Config to detect changes to security group rules. The engineer wants to receive near-real-time notifications when a security group rule that allows inbound SSH traffic is created. Which combination of services and configurations should the engineer use? (Choose the best answer.)

Question 109 (easy, multiple choice)

A company has a security policy requiring that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. The DevOps engineer needs to enforce this policy. What is the simplest way to achieve this?

Question 110 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail logs. What is the most effective way to enforce this control?

Question 111 (easy, multiple choice)

A DevOps engineer is designing an AWS Lambda function that needs to read secrets from AWS Secrets Manager. What is the most secure way to provide the Lambda function access to the secret?

Question 112 (medium, multiple choice)

A company uses AWS CodeBuild to build and test code. The security team requires that all build artifacts be encrypted at rest. Which action should the DevOps engineer take to meet this requirement?

Question 113 (hard, multiple choice)

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that any changes to IAM roles must be reviewed and approved by a security engineer before deployment. The DevOps engineer needs to implement a gating mechanism. Which approach should the engineer use?

Question 114 (easy, multiple choice)

A company is using Amazon S3 to store sensitive data. The security team mandates that all data must be encrypted at rest using server-side encryption with AWS Key Management Service (SSE-KMS). The DevOps engineer must ensure that any new objects uploaded to the bucket are automatically encrypted. What should the engineer do?

Question 115 (medium, multiple choice)

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for users in Account B. The users in Account B must be able to list objects and read them. What is the most secure way to configure this access?

Question 116 (hard, multi select)

A company is using AWS Lambda to process sensitive data. The security team requires that the Lambda function only be invoked from within a specific VPC and that the function's environment variables be encrypted at rest. Which TWO actions should the DevOps engineer take to meet these requirements?

Question 117 (medium, multi select)

A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?

Question 118 (easy, multi select)

A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?

Question 119 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to an IAM user. Which of the following actions will be allowed by this policy?

Exhibit

Refer to the exhibit.

IAM Policy JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
```
Question 120 (hard, multiple choice)

A company has a multi-account AWS environment managed by AWS Organizations. The DevOps team uses AWS CloudFormation StackSets to deploy a standard VPC across all member accounts. The security team has noticed that in some accounts, the VPC is being modified after deployment, allowing inbound SSH access from the internet. The team wants to automatically detect and remediate these changes. The current setup includes: AWS Config enabled in all accounts with a rule that checks for unrestricted SSH access; an SNS topic in the management account that receives compliance change notifications; and a Lambda function in the management account that can remediate by updating the security group rules. However, the remediation is not working consistently. What is the most likely reason, and what is the best solution?

Question 121 (medium, multiple choice)

A company is using AWS Secrets Manager to store database credentials for a multi-tier application. The application runs on EC2 instances in an Auto Scaling group. The DevOps engineer has configured the instances to retrieve the secret at boot time using a script that calls the AWS CLI. Recently, the security team discovered that the secret was exposed in the instance's user data logs. The engineer needs to implement a more secure method to access the secret without storing it in user data. The application code can be modified. The environment uses IAM roles for EC2. Which solution best meets the security requirements?

Question 122 (medium, multiple choice)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which KMS key type should the company use to meet this requirement without manual intervention?

Question 123 (easy, multiple choice)

A DevOps engineer needs to grant an IAM user temporary access to an S3 bucket for exactly one hour. Which AWS service should be used to generate temporary credentials?

Question 124 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 125 (medium, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The security team requires that secrets be automatically rotated every 30 days. Which rotation strategy should the engineer configure to meet this requirement with minimal operational overhead?

Question 126 (hard, multiple choice)

A company is deploying a multi-tier application on AWS. The web tier must be publicly accessible, but the application tier must only be accessible from the web tier. The database tier should not be accessible from the internet at all. Which combination of security groups and network ACLs should be used?

Question 127 (medium, multiple choice)

A DevOps engineer needs to encrypt data in transit between an Application Load Balancer (ALB) and backend EC2 instances. The application uses HTTPS. What is the simplest way to achieve this encryption?

Question 128 (easy, multiple choice)

A company wants to ensure that all S3 buckets are encrypted at rest by default. Which S3 feature should be enabled at the bucket level to automatically encrypt new objects?

Question 129 (hard, multiple choice)

A company uses Amazon Inspector to scan EC2 instances for vulnerabilities. The security team discovers that a critical vulnerability is present on an instance, but the instance is part of an Auto Scaling group. What is the MOST efficient way to remediate this vulnerability while ensuring the Auto Scaling group remains operational?

Question 130 (medium, multi select)

Which TWO actions should a DevOps engineer take to prevent an S3 bucket from being publicly accessible? (Choose two.)

Question 131 (hard, multi select)

Which THREE of the following are best practices for managing IAM roles in AWS Organizations? (Choose three.)

Question 132 (easy, multi select)

Which TWO AWS services can be used to monitor for unauthorized API calls in an AWS account? (Choose two.)

Question 133 (hard, multi select)

Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)

Question 134 (medium, multi select)

Which TWO of the following are benefits of using AWS Certificate Manager (ACM) to manage SSL/TLS certificates? (Choose two.)

Question 135 (hard, multiple choice)

A company runs a production application on Amazon ECS with Fargate launch type. The application uses an RDS MySQL database. The security team requires that all traffic between the application and the database be encrypted in transit. Currently, the database security group allows inbound traffic from the ECS tasks' security group on port 3306 (MySQL). The application uses the standard MySQL client connection without SSL. After enabling SSL on the RDS instance, the application starts failing to connect. The error logs show 'SSL connection error: protocol version mismatch'. The application runs on a custom Docker image based on Amazon Linux 2. The DevOps engineer needs to fix the connection issue. Which course of action should the engineer take?

Question 136 (medium, multiple choice)

A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?

Question 137 (easy, multiple choice)

A startup wants to provide temporary, limited-privilege AWS access to external contractors who will assist with a project. The contractors do not have AWS accounts. The company wants to avoid creating IAM users for each contractor. They need a solution that allows contractors to log in to the AWS Management Console for a limited time. Which AWS service should the engineer use?

Question 138 (hard, multiple choice)

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?

Question 139 (easy, multi select)

A company wants to enable AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team requires that logs be encrypted at rest and that any unauthorized deletion of log files be prevented. Which TWO actions should the security team take? (Choose TWO.)

Question 140 (medium, multi select)

A company uses AWS CodePipeline for CI/CD. The security team requires that all code changes be scanned for secrets before deployment. The pipeline consists of a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team wants to automatically scan for secrets and block the pipeline if any secrets are found. Which THREE actions should the team take? (Choose THREE.)

Question 141 (hard, multiple choice)

A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer (ALB). The application uses an RDS MySQL database. The security team performed a penetration test and discovered that the application is vulnerable to SQL injection. The development team has deployed a WAF web ACL to the ALB that includes rules to block SQL injection attacks. However, after the deployment, the application started returning 403 errors for legitimate requests, and the security team needs to investigate. The team also wants to ensure that only approved AWS services can access the RDS database. The current security groups are configured with a rule that allows inbound traffic from the ALB security group to the RDS database on port 3306. Which combination of actions should the security team take to resolve the issue and improve the security posture?

Question 142 (medium, multiple choice)

A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?

Question 143 (hard, multiple choice)

A company uses AWS CloudFormation to manage infrastructure as code. The security team requires that all changes to CloudFormation stacks be reviewed and approved before execution. The team has enabled StackSets to deploy stacks across multiple accounts. A junior developer accidentally runs a stack update that modifies a production security group, opening SSH access to 0.0.0.0/0. The security team wants to prevent this type of incident in the future. They need a solution that enforces a mandatory approval workflow for all stack updates, while still allowing automated deployments from approved CI/CD pipelines. Which solution meets these requirements?

Question 144 (medium, multiple choice)

A company uses Amazon Inspector to assess the security of EC2 instances. The security team receives an alert that a high-severity vulnerability (CVE-2023-XXXX) was found on an EC2 instance running a critical application. The application is behind an Application Load Balancer (ALB) and uses an Auto Scaling group. The vulnerability has a known patch, but patching requires a reboot. The security team needs to remediate the vulnerability with minimal downtime. Which approach should the team take?

Question 145 (easy, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?

Question 146 (hard, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts are encrypted with AES-256 (SSE-S3) and that public access is blocked. The team wants to use a preventive control that automatically remediates non-compliant buckets. Which solution should the security team implement?

Question 147 (easy, multiple choice)

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed AWS KMS key. The team has enabled encryption on the CloudWatch Logs log group using a KMS key. However, after enabling encryption, the application fails to write logs to the log group. The application uses an IAM role that has the following permissions: logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Which additional permission does the application need?

Question 148 (medium, multiple choice)

A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?

Question 149 (easy, multiple choice)

A DevOps engineer is designing a CI/CD pipeline that deploys code to an EC2 instance. The engineer needs to securely store and retrieve database credentials used by the application. Which AWS service should be used?

Question 150 (hard, multiple choice)

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?

Question 151 (medium, multiple choice)

A company wants to centralize IAM user management across multiple AWS accounts. The company currently uses individual IAM users in each account. What is the BEST practice for centralized access control?

Question 152 (easy, multiple choice)

A company has an S3 bucket with sensitive data. The security team requires that all data uploaded to the bucket be automatically encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). How can this be enforced?

Question 153 (hard, multiple choice)

A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?

Question 154 (medium, multiple choice)

A company is using AWS CodeBuild as part of its CI/CD pipeline. The build projects need to access a private Amazon ECR repository to pull Docker images. What is the MOST secure way to grant CodeBuild access to ECR?

Question 155 (easy, multiple choice)

A security engineer needs to audit who accessed a specific S3 object and from which IP address over the past 30 days. Which AWS service should be used?

Question 156 (medium, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all unused IAM users are automatically identified and removed after 90 days of inactivity. What is the MOST effective solution?

Question 157 (medium, multi select)

A company needs to ensure that an EC2 instance can only be launched using a specific Amazon Machine Image (AMI) that has been approved by the security team. Which TWO actions should be taken?

Question 158 (hard, multi select)

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which THREE steps should be taken?

Question 159 (medium, multi select)

A company wants to implement a least-privilege security model for its IAM users. Which TWO practices should be applied?

Question 160 (medium, multiple choice)

A company is deploying a web application on AWS and needs to ensure that all traffic to the application is encrypted in transit. The application runs behind an Application Load Balancer (ALB). Which configuration should be used to enforce HTTPS-only access?

Question 161 (easy, multiple choice)

A DevOps engineer needs to securely store database credentials for an application running on Amazon ECS. Which AWS service should be used to manage the credentials and provide them to the ECS tasks?

Question 162 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS. Which approach should be used to ensure compliance?

Question 163 (easy, multiple choice)

A developer needs to allow an EC2 instance to read from an S3 bucket. Which is the most secure way to grant this access?

Question 164 (medium, multiple choice)

A company is using AWS KMS to encrypt sensitive data stored in Amazon S3. The security team wants to ensure that the KMS keys cannot be deleted accidentally. What should be done?

Question 165 (hard, multi select)

A company is using AWS CloudTrail to log API calls across all accounts in AWS Organizations. The security team wants to ensure that CloudTrail logs are not tampered with and are available for forensic analysis. Which combination of actions should be taken? (Choose TWO.)

Question 166 (medium, multiple choice)

A company uses AWS CodeBuild to build and test code. The build process needs to access a private Amazon RDS database to run integration tests. What is the most secure way to provide database credentials to the build project?

Question 167 (easy, multiple choice)

A DevOps engineer needs to allow an AWS Lambda function to write logs to Amazon CloudWatch Logs. What should the engineer do?

Question 168 (medium, multiple choice)

A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?

Question 169 (hard, multi select)

A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which solution is MOST efficient and scalable? (Choose THREE.)

Question 170 (medium, multi select)

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. What should be done? (Choose TWO.)

Question 171 (easy, multiple choice)

A DevOps engineer needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. What is the simplest way to achieve this?

Question 172 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from the S3 bucket 'example-bucket' from an IP address of 10.1.2.3. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
Question 173 (medium, multiple choice)

Refer to the exhibit. An EC2 instance with the IAM role MyAppRole is running. An application on the instance tries to delete an object from the S3 bucket 'example-bucket'. What will happen?

Exhibit

Refer to the exhibit.
$ aws iam get-role-policy --role-name MyAppRole --policy-name S3Access
{
  "RoleName": "MyAppRole",
  "PolicyName": "S3Access",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-bucket"
      },
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"
      }
    ]
  }
}
Question 174 (medium, multiple choice)

Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?

Exhibit

Refer to the exhibit.
# aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName
{
  "Events": [
    {
      "EventId": "example-event-id",
      "EventName": "CreateKey",
      "EventTime": "2023-01-15T10:00:00Z",
      "Username": "admin",
      "Resources": [
        {
          "ResourceName": "arn:aws:kms:us-east-1:123456789012:key/abc123",
          "ResourceType": "AWS::KMS::Key"
        }
      ],
      "CloudTrailEvent": "{\"requestParameters\":{\"keyUsage\":\"ENCRYPT_DECRYPT\",\"keySpec\":\"SYMMETRIC_DEFAULT\"}}"
    }
  ]
}
Question 175easymultiple choice
Read the full NAT/PAT explanation →

A company wants to automate patching of EC2 instances running Amazon Linux 2 while ensuring compliance with security policies. Which AWS service should be used?

Question 176 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?

Question 177 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with multiple accounts. The security team requires that all newly created S3 buckets in any account automatically have default encryption enabled and block public access. Which solution is MOST operationally efficient?

Question 178 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS KMS to encrypt data at rest for S3 objects. The security team wants to rotate the KMS key annually. Which action should the team take to implement automatic key rotation?

Question 179 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?

Question 180 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company's security policy requires that all EC2 instances must be launched with an IAM role that provides least privilege access. A DevOps engineer needs to enforce this across the organization. Which approach is MOST effective?

Question 181 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Secrets Manager to store database credentials. The security team needs to automatically rotate the secrets every 30 days. Which action should be taken?

Question 182 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a critical application. Which security practice should the engineer implement to prevent unauthorized changes to the pipeline?

Question 183 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?

Question 184 (easy, multi select)
Read the full Security and Compliance explanation →

Which TWO actions can help protect an AWS account's root user? (Choose TWO.)

Question 185 (medium, multi select)
Read the full Security and Compliance explanation →

Which THREE are components of the AWS Shared Responsibility Model? (Choose THREE.)

Question 186 (hard, multi select)
Read the full Security and Compliance explanation →

A DevOps team is designing a solution to encrypt data at rest for an Amazon RDS for MySQL database. Which TWO actions should the team take? (Choose TWO.)

Question 187 (easy, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A DevOps engineer attaches the IAM policy to an IAM user. The user reports being unable to download objects from the S3 bucket. What is the likely cause?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Question 188 (medium, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. The command is run to investigate a potential security incident. The output shows no events. Which of the following is the MOST likely reason?

Exhibit

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2025-03-01T00:00:00Z --end-time 2025-03-02T00:00:00Z --region us-east-1
```
Question 189 (hard, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. The S3 bucket policy is applied to a bucket. An application attempts to upload an object to the bucket using HTTP (not HTTPS). What will happen?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 190 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally enforce that S3 buckets in all accounts block public access. Which policy should be attached to the root organizational unit to achieve this?

Question 191 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?

Question 192 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?

Question 193 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS CodeBuild for CI/CD. The build project needs to access a private S3 bucket to download artifacts. What is the MOST secure way to grant access?

Question 194 (medium, multiple choice)
Read the full NAT/PAT explanation →

An organization has a compliance requirement to automatically detect and alert on any IAM user creation in all AWS accounts. Which combination of services should be used to meet this requirement?

Question 195 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company's security team suspects that an attacker has compromised an IAM user's access keys. The keys were used to launch instances in an unauthorized region. What is the FASTEST way to mitigate the threat?

Question 196 (easy, multiple choice)
Read the full Security and Compliance explanation →

A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?

Question 197 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS). When uploading an object via the AWS CLI, which parameter must be included to enforce this?

Question 198 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS CodePipeline with an S3 source action. The pipeline must be triggered only when a new object is uploaded to a specific prefix, and the pipeline should not have access to objects outside that prefix. Which configuration meets these requirements?

Question 199 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO actions are effective ways to protect an AWS account root user? (Choose 2)

Question 200 (hard, multi select)
Read the full Security and Compliance explanation →

Which THREE are features of AWS Key Management Service (KMS) that help with compliance requirements? (Choose 3)

Question 201 (easy, multi select)
Read the full Security and Compliance explanation →

Which TWO are best practices for securing an Amazon RDS database? (Choose 2)

Question 202 (medium, multiple choice)
Read the full Security and Compliance explanation →

An IAM policy is attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' even though they are connecting from within the 10.0.0.0/16 IP range. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
Question 203 (hard, multiple choice)
Read the full Security and Compliance explanation →

A key policy for a KMS customer managed key includes the statement shown in the exhibit. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```
Question 204 (medium, multiple choice)
Read the full Security and Compliance explanation →

A security engineer runs the CLI command shown in the exhibit to investigate IAM user 'Bob'. The output shows Bob logged in and then created a new IAM user. Which additional information should the engineer look for to determine if this was a security incident?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z
Output:
{
    "Events": [
        {
            "EventId": "example-id",
            "EventName": "ConsoleLogin",
            "Username": "Bob",
            "EventTime": "2024-01-15T10:30:00Z",
            "CloudTrailEvent": "..."
        },
        {
            "EventId": "example-id2",
            "EventName": "CreateUser",
            "EventTime": "2024-01-15T10:31:00Z",
            ...
```
Question 205 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?

Question 206 (easy, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?

Question 207 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company uses AWS CodePipeline to deploy a web application to an Auto Scaling group. The security team requires that all artifacts in the pipeline be encrypted at rest. The pipeline uses an S3 bucket as the artifact store. Which combination of actions should the DevOps engineer take to meet this requirement with minimal operational overhead?

Question 208 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline must scan container images for vulnerabilities before deploying to Amazon ECS. Which service should the engineer use to perform the vulnerability scan?

Question 209 (hard, multiple choice)
Read the full Security and Compliance explanation →

An organization uses AWS Key Management Service (KMS) with customer-managed keys. The security policy requires automatic key rotation every year. A DevOps engineer notices that the key material is not rotating as expected. What is the most likely cause?

Question 210 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation function is failing with a permission error. Which IAM policy should be attached to the Lambda execution role to allow Secrets Manager to invoke the rotation function?

Question 211 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer is troubleshooting a failed CodeBuild project. The build fails with an error: 'Access Denied: Unable to put object to S3.' The build project has an S3 bucket as the artifact store. What should the engineer do to resolve this issue?

Question 212 (hard, multiple choice)
Read the full Security and Compliance explanation →

An organization wants to enforce that all Amazon S3 buckets are encrypted with SSE-S3. Which AWS service can be used to automatically remediate non-compliant buckets?

Question 213 (easy, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to temporarily grant an external auditor read-only access to a specific S3 bucket for 24 hours. What is the most secure way to grant this access?

Question 214 (medium, multi select)
Read the full Security and Compliance explanation →

A DevOps engineer is designing a secure CI/CD pipeline. Which TWO of the following are best practices for securing secrets in the pipeline?

Question 215 (hard, multi select)
Read the full Security and Compliance explanation →

A company wants to monitor and detect anomalous API calls in their AWS account. Which THREE AWS services should they use together to achieve this?

Question 216 (medium, multi select)
Read the full Security and Compliance explanation →

A DevOps engineer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. Which TWO methods can achieve this?

Question 217 (medium, multiple choice)
Read the full Security and Compliance explanation →

The IAM policy in the exhibit is attached to a user. The user tries to stop an EC2 instance. What will happen?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
```
Question 218 (hard, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer runs the command shown in the exhibit and gets the output shown. The engineer then tries to delete a versioned object from the bucket without using MFA. What will happen?

Exhibit

```
$ aws s3api get-bucket-versioning --bucket my-bucket
{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}
```
Question 219 (easy, multiple choice)
Read the full Security and Compliance explanation →

The AWS Config rule 's3-bucket-ssl-requests-only' returns NON_COMPLIANT for the bucket 'my-bucket'. What does this mean?

Exhibit

```
$ aws configservice get-compliance-details-by-config-rule --config-rule-name s3-bucket-ssl-requests-only
{
    "ComplianceDetails": [
        {
            "ResourceType": "AWS::S3::Bucket",
            "ResourceId": "my-bucket",
            "AwsRegion": "us-east-1",
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}
```
Question 220 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service should be used to implement this rotation?

Question 221 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company needs to audit all changes to security groups in a multi-account environment. The logs must be centrally stored and immutable. Which solution meets these requirements with minimal operational overhead?

Question 222 (easy, multiple choice)
Read the full NAT/PAT explanation →

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the target account is 222222222222. Which combination of a bucket policy and an IAM policy correctly grants the target account access?

Question 223 (hard, multiple choice)
Read the full Security and Compliance explanation →

Given the AWS CLI command output in the exhibit, which actions are allowed for the specified policy?

Exhibit

```
aws iam simulate-custom-policy \
  --policy-input-list '{"Version":"2012-10-17", ... }' \
  --action-names ec2:DescribeInstances s3:GetObject s3:ListBucket \
  --resource-arns arn:aws:s3:::my-bucket
```
Question 224 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company has an Amazon RDS for MySQL database that stores sensitive data. The security team requires encryption at rest and in transit. Which combination of options meets these requirements?

Question 225 (medium, multiple choice)
Read the full Security and Compliance explanation →

An S3 bucket has the bucket policy shown in the exhibit. What is the effect of this policy?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonHTTPS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 226 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?

Question 227 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to securely store and automatically rotate database credentials for a web application running on Amazon ECS. Which solution should be used?

Question 228 (easy, multiple choice)
Read the full Security and Compliance explanation →

Given the IAM policy in the exhibit, which action is permitted?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
    }
  ]
}
```
Question 229 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Question 230 (hard, multi select)
Read the full Security and Compliance explanation →

Which THREE AWS services can be used to centrally manage and enforce security policies across multiple accounts in AWS Organizations? (Select THREE.)

Question 231 (easy, multi select)
Read the full Security and Compliance explanation →

Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)

Question 232 (medium, multiple choice)
Read the full Security and Compliance explanation →

An S3 bucket has the bucket policy shown in the exhibit. What is the net effect on GetObject requests?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-public-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
Question 233 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company needs to enforce that all EC2 instances launched in an AWS account use a specific Amazon Machine Image (AMI) that is approved by the security team. Which combination of services should be used?

Question 234 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to centrally manage and audit access to AWS KMS keys across multiple accounts. Which AWS feature should be used?

Question 235 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to ensure that all API calls made within its AWS account are logged for auditing purposes. Which AWS service should be enabled to meet this requirement?

Question 236 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption key be managed by AWS and rotated automatically. Which encryption option should be used?

Question 237 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to restrict the use of specific instance types across all accounts to reduce costs and enforce compliance. Which approach should be used?

Question 238 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company is using Amazon RDS for MySQL and needs to encrypt the database at rest. Which action should be taken to enable encryption?

Question 239 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer receives an alert that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What is the first step the engineer should take to isolate the instance?

Question 240 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company requires that all secrets (e.g., database passwords) used by Lambda functions be rotated automatically every 30 days. Which combination of services should be used?

Question 241 (easy, multiple choice)
Read the full Security and Compliance explanation →

An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?

Question 242 (medium, multiple choice)
Read the full Security and Compliance explanation →

A security audit reveals that an S3 bucket contains objects that are not encrypted. The bucket is configured with default encryption using SSE-S3. What is the most likely reason that objects are unencrypted?

Question 243 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?

Question 244 (medium, multi select)
Read the full Security and Compliance explanation →

A company is designing a secure CI/CD pipeline. Which TWO actions should be taken to protect secrets (e.g., API keys) used in the pipeline? (Choose TWO.)

Question 245 (hard, multi select)
Read the full Security and Compliance explanation →

A DevOps team needs to enforce that all S3 buckets in an AWS account are encrypted at rest. Which THREE steps should be taken to achieve this? (Choose THREE.)

Question 246 (easy, multi select)
Read the full Security and Compliance explanation →

A company is using AWS KMS to encrypt data. Which TWO statements about AWS KMS key rotation are correct? (Choose TWO.)

Question 247 (medium, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A security team wants to enforce that passwords expire after 60 days. Which action should be taken?

Exhibit

Refer to the exhibit.

CLI command:
```
aws iam get-account-password-policy
```

Output:
```
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90
    }
}
```
Question 248 (hard, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?

Exhibit

Refer to the exhibit.

IAM Policy JSON:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```
Question 249 (medium, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most likely security concern?

Exhibit

Refer to the exhibit.

CloudTrail log entry:
```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012"
    },
    "eventTime": "2024-03-15T14:30:00Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.5",
    "userAgent": "[S3Console]",
    "requestParameters": {
        "bucketPolicy": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::my-bucket/*"
                }
            ]
        }
    },
    "responseElements": null,
    "eventType": "AwsApiCall"
}
```
Question 250 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A Security Engineer needs to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. Which solution meets these requirements?

Question 251 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with multiple accounts. The Security team needs to enforce that all newly created S3 buckets in any account are configured with server-side encryption (SSE-S3 or SSE-KMS) and block public access. Which approach should be used?

Question 252 (easy, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?

Question 253 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?

Question 254 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS CodePipeline to deploy a web application across multiple AWS accounts using CloudFormation stack sets. The pipeline is in the tools account, and it deploys to the production account. The security team requires that all CloudFormation changes to the production account be reviewed and approved by a senior engineer. Which approach meets this requirement?

Question 255 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company needs to ensure that all API calls made to AWS are encrypted in transit. Which of the following is the correct way to enforce this?

Question 256 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?

Question 257 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses a centralized AWS KMS customer master key (CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the CMK can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?

Question 258 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to achieve this?

Question 259 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO actions should a DevOps engineer take to secure a web application running on EC2 instances behind an Application Load Balancer? (Choose two.)

Question 260 (hard, multi select)
Read the full Security and Compliance explanation →

Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)

Question 261 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO AWS services can be used to monitor and detect unauthorized access to AWS resources? (Choose two.)

Question 262 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company has a multi-account AWS environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies the creation of IAM users and roles with full admin access. The SCP is attached to all accounts. However, a DevOps engineer in a member account reports that they are able to create an IAM role with an administrator access policy attached. The engineer uses the AWS Management Console to create the role. The SCP is confirmed to be in place. What is the most likely reason the SCP is not preventing the role creation?

Question 263 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?

Question 264 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS KMS to encrypt data at rest in Amazon S3. The Security team requires that all encryption keys be automatically rotated annually. Which key type should be used to meet this requirement?

Question 265 (hard, multiple choice)
Read the full NAT/PAT explanation →

A DevOps team is deploying a multi-tier application on AWS. The application must comply with PCI DSS. Which combination of services should be used to encrypt data in transit between the web tier and the application tier?

Question 266 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to securely store database credentials used by an application running on Amazon EC2. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

Question 267 (medium, multiple choice)
Read the full Security and Compliance explanation →

An organization uses AWS Organizations with multiple accounts. The Security team needs to enforce a policy that prohibits the creation of S3 buckets with public access in any account. Which policy type should be used?

Question 268 (medium, multiple choice)
Read the full Security and Compliance explanation →

A DevOps engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role attached with a policy that allows s3:GetObject. The S3 bucket policy explicitly denies access to the instance's role. What is the result?

Question 269 (hard, multiple choice)

A company uses AWS CodePipeline to deploy a web application. The pipeline uses artifacts stored in an S3 bucket. The Security team requires that all artifacts be encrypted in transit and at rest, and that the pipeline only access the bucket using a specific VPC endpoint. Which configuration meets these requirements?

Question 270 (easy, multiple choice)

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest using a KMS key. Which solution is the MOST secure and scalable?

Question 271 (hard, multiple choice)

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?

Question 272 (medium, multi select)

A company wants to monitor and detect suspicious API activity across all AWS accounts in an organization. Which TWO services should be used together?

Question 273 (hard, multi select)

A company needs to enforce that all IAM users must use multi-factor authentication (MFA) to perform any AWS Console actions. Which TWO steps should be taken to enforce this?

Question 274 (medium, multi select)

A company uses AWS CodeBuild to build and test code. The build jobs need to access a private S3 bucket to download dependencies. Which THREE steps are required to securely grant access?

Question 275 (hard, multi select)

A company's Security team wants to detect and alert on the creation of IAM users with console access. Which THREE services should be used?

Question 276 (hard, multiple choice)

A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?

Question 277 (medium, multiple choice)

A company runs a production application on EC2 instances behind an Application Load Balancer (ALB). The application handles sensitive data. The Security team wants to encrypt all traffic between the ALB and the EC2 instances using TLS. They have created a self-signed certificate on each instance. However, the ALB health checks are failing with a 502 error. The instances are healthy when accessed directly via SSH. What is the MOST likely cause?

Question 278 (easy, multiple choice)

A company uses AWS Secrets Manager to store database credentials for a legacy application running on an on-premises server. The application retrieves the secret via the AWS SDK. Recently, the database password was rotated in Secrets Manager, but the application continued to use the old password and failed to connect. The application code is correct and uses the latest SDK. The IAM role attached to the server has the secretsmanager:GetSecretValue permission. What is the MOST likely cause?

Question 279 (medium, multi select)

A company uses AWS Organizations with SCPs to enforce security policies. The security team needs to ensure that no IAM user or role can disable AWS CloudTrail or delete CloudTrail logs. Which TWO approaches should be combined to achieve this? (Choose TWO.)

Question 280 (hard, multi select)

A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)

Question 281 (easy, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team has implemented an SCP that denies the creation of IAM users. However, a developer in the 'development' account was able to create an IAM user. The DevOps engineer is asked to investigate. The SCP is attached to the root organizational unit (OU) and also to the 'development' OU. The 'development' account is a member of the 'development' OU. The SCP effect is 'Deny' on the 'iam:CreateUser' action. The developer's IAM permissions are managed by an IAM policy that allows 'iam:*'. The engineer checks CloudTrail and sees that the CreateUser API call succeeded. What is the most likely reason?

Question 282 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic to the ALB must be encrypted (HTTPS) and that the ALB must only accept traffic from CloudFront. The DevOps engineer has configured CloudFront with an origin pointing to the ALB, and the ALB has a listener on port 443 with a valid SSL certificate. The engineer also added a security group rule to the ALB that allows HTTPS traffic only from CloudFront's IP ranges. However, users are reporting intermittent 503 errors. The engineer checks CloudFront logs and sees that some requests are failing with 'Origin Connect Error'. What is the most likely cause?

Question 283 (hard, multiple choice)

A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using AWS KMS with Customer Master Keys (CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?

Question 284 (easy, multiple choice)

A company uses AWS CloudTrail to log all API calls across multiple accounts. The logs are stored in an S3 bucket in the management account. The security team wants to ensure that the logs are not tampered with and that any unauthorized modification is detected. The DevOps engineer has enabled CloudTrail log file integrity validation. The engineer also sets up an S3 lifecycle policy to transition logs to Glacier after 90 days. Additionally, the engineer enables S3 server access logging and sends the logs to a different bucket. A few months later, the security team suspects that some logs have been deleted. The engineer checks the CloudTrail digest files and finds that the latest digest file is missing. What is the most likely cause?

Question 285 (medium, multiple choice)

A company is using AWS CodeBuild to build and test a Java application. The build process requires access to a private Maven repository hosted on an internal HTTPS server. The DevOps engineer has configured CodeBuild to use a VPC and placed the build environment in a private subnet. The security group for the build environment allows outbound HTTPS to the Maven repository's security group. The Maven repository server is in the same VPC but in a different private subnet. The build fails with a 'Connection refused' error when trying to download dependencies. The engineer checks the security group rules and confirms they are correct. What is the most likely cause?

Question 286 (hard, multiple choice)

A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a KMS CMK. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?

Question 287 (easy, multiple choice)

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation is configured to occur every 30 days. The DevOps engineer notices that the latest secret version is not being used by the application after rotation. The application is an EC2 instance that retrieves the secret using the AWS SDK. The engineer checks the secret and sees that the rotation succeeded and the new version is marked as 'AWSCURRENT'. The EC2 instance role has permissions to retrieve the secret. What is the most likely reason the application is still using the old secret?

Question 288 (medium, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in all accounts are encrypted with SSE-S3. They plan to use an SCP to deny the creation of unencrypted buckets. The DevOps engineer writes an SCP with a Deny effect for s3:PutBucketEncryption without a condition. However, when testing, an administrator in a member account is able to create a bucket without encryption. The engineer checks CloudTrail and sees that the bucket was created with a PutBucket call that did not include the x-amz-server-side-encryption header. What is the most likely reason the SCP did not prevent this?
