Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

ANS-C01 (free, no signup required)

Network Security, Compliance and Governance

Practice ANS-C01 Network Security, Compliance and Governance questions with full explanations on every answer.

421 questions


ANS-C01 domains: Network Management and Operations; Network Security, Compliance and Governance; Network Design; Network Implementation.


ANS-C01 Network Security, Compliance and Governance questions (showing 300 of 421)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

2

A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?

3

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

4

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

5

A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?

6

A security engineer is designing a security group configuration for a web application that consists of an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS database. Which TWO actions should the engineer take to follow security best practices? (Choose TWO.)

7

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The company requires that all traffic between VPCs must be inspected by a centralized security appliance in a shared services VPC. The security appliance must receive traffic for both directions (ingress and egress). Which THREE components are required to achieve this? (Choose THREE.)

8

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?

9

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPSec. Which solution meets this requirement?

10

A company has a VPC with public and private subnets. An application running in a private subnet needs to access an S3 bucket to read and write data. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution should the team implement?

11

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer discovers that an EC2 instance was compromised via SSH. The engineer needs to identify which IAM user created the overly permissive security group rule. Which AWS service or feature should the engineer use?

12

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

13

A company has a VPC with public and private subnets. The security team wants to implement a web application firewall to protect against common web exploits. Which TWO AWS services can be used together to achieve this?

14

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team requires that the web tier can only be accessed from the internet, the application tier can only be accessed from the web tier, and the database tier can only be accessed from the application tier. Additionally, the team needs to ensure that no traffic can bypass these controls. Which THREE actions should the team take?

15

An IAM policy is attached to a user. What is the effect when the user attempts to launch an EC2 instance of type m5.large?

16

A security engineer runs tcpdump on an EC2 instance (10.0.1.5) and sees the output above. The instance is in a private subnet with a security group that allows inbound HTTPS from 0.0.0.0/0. The instance is behind a Network Load Balancer (NLB) that has a public IP. The engineer is unable to establish an HTTPS connection from the internet. What is the most likely cause?

17

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

18

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

19

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. The bucket policy should deny requests that do not originate from the VPC. Which condition key should be used in the bucket policy?

20

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The security team needs to centrally manage and enforce network security policies across all accounts. Which TWO services or features can be used to centrally enforce network security controls? (Choose TWO.)

21

A company attaches the above bucket policy to an S3 bucket. A user from the IP range 203.0.113.0/24 makes a request over HTTPS (TLS) to download an object from the bucket. Will the request succeed?

22

A company has deployed a multi-tier application in a VPC with public and private subnets. The web tier runs on EC2 instances in public subnets, and the application tier runs on EC2 instances in private subnets. The application tier must only accept traffic from the web tier security group. The security group for the application tier has an inbound rule allowing HTTP traffic from the web tier security group. However, the application team reports that the web tier instances cannot connect to the application tier instances. The network administrator has verified that the web tier instances can resolve the private DNS names of the application tier instances, and the route tables are correctly configured. What is the MOST likely cause of the connectivity issue?

23

A company has a VPC with public and private subnets. The security team wants to inspect all traffic between the private subnets and the internet using a centralized inspection VPC. The company uses AWS Network Firewall and wants to ensure that traffic cannot bypass the firewall. Which TWO actions should the company take? (Choose TWO.)

24

A security engineer created the above S3 bucket policy to grant public read access to objects in the 'confidential/' prefix. However, users report that they receive 'Access Denied' errors when trying to access objects that have the tag 'classification: public'. What is the most likely cause?

25

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) across multiple Availability Zones. The application uses a MySQL database on an RDS instance in a private subnet. Security compliance requires that all traffic between the ALB and EC2 instances must be encrypted. The security team finds that the ALB currently sends traffic to the EC2 instances using HTTP on port 80. The EC2 security group allows inbound HTTP traffic from the ALB security group. The team needs to implement encryption with minimal changes and without disrupting the application. Which solution meets these requirements?

26

Order the steps to troubleshoot an AWS Direct Connect virtual interface that is in the 'down' state:

27

Order the steps to migrate a VPC from using an Internet Gateway to a NAT gateway for outbound-only internet access:

28

Order the steps to troubleshoot an inter-Region VPC peering connection that is not working:

29

Match each AWS networking feature to its purpose for high availability or fault tolerance.

30

Match each AWS networking service to the OSI layer it primarily operates at.

31

Match each AWS Direct Connect virtual interface type to its use case.

32

A company wants to restrict access to an Amazon S3 bucket so that only traffic from a specific AWS Direct Connect virtual interface (VIF) can access it. Which combination of steps should the company take?

33

A security engineer needs to ensure that all internet-bound traffic from a VPC is inspected by a third-party firewall appliance before reaching the internet. The firewall is deployed in a separate VPC. Which AWS service should the engineer use to route traffic from the source VPC to the firewall VPC?

34

A company has a hybrid network with an AWS Site-to-Site VPN connection to an on-premises data center. The network team wants to ensure that only encrypted traffic is sent over the internet between the two sites. The VPC has a virtual private gateway attached. When testing, they discover that some traffic is going over the internet without encryption. Which configuration change should be made to enforce encryption?

35

A company wants to block incoming traffic from specific IP addresses at the edge of the AWS network before it reaches the application load balancer. Which AWS service should be used?

36

A company has a VPC with multiple subnets. They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all outbound traffic from the VPC to the internet. Currently, the VPC route table has a default route (0.0.0.0/0) pointing to an internet gateway. What routing change is required to route outbound traffic through the firewall?

37

An organization has a requirement that all cross-account access to Amazon S3 buckets must be logged and monitored. The security team has enabled AWS CloudTrail and S3 server access logs. However, they notice that some cross-account access attempts are not being logged. Which additional step should be taken to ensure all cross-account access is logged?

38

A company wants to centrally manage and enforce security policies across multiple AWS accounts and VPCs. They need to ensure that all VPCs have a specific set of rules, such as disabling public subnets. Which AWS service should be used?

39

A company has an Amazon RDS for MySQL database in a private subnet. The database should only be accessible from a specific fleet of EC2 instances in the same VPC. Which combination of security controls should be used to meet this requirement?

40

A company has a VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection, configured for dynamic routing (BGP), to an on-premises network with a CIDR of 192.168.0.0/16. The company also has an AWS Direct Connect private virtual interface to the same on-premises network. The VPN and the Direct Connect virtual interface terminate on the same virtual private gateway, route propagation from that gateway is enabled on the VPC route table, and the on-premises routers advertise 192.168.0.0/16 over both paths. Which path will be used for traffic destined to 192.168.0.0/16?

41

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must not. Which TWO design choices meet these requirements? (Choose two.)

42

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all traffic between subnet A and subnet B. Which TWO actions are required? (Choose two.)

43

A company needs to log all network traffic between EC2 instances in a VPC for security analysis. They want to capture metadata about traffic, including source and destination IP, ports, protocol, and packet counts. Which THREE AWS services or features can be used to achieve this? (Choose three.)

44

A security team has attached the above IAM policy to a user. The user tries to add an inbound rule to a security group that allows traffic from 0.0.0.0/0. The request is denied. However, the user is able to add a rule allowing traffic from 203.0.113.10. Which statement explains this behavior?

45

A network engineer has created a gateway VPC endpoint for S3 as shown in the exhibit. The endpoint is associated with route table rtb-12345678. An EC2 instance in a subnet that uses route table rtb-12345678 tries to download an object from my-bucket. The request fails with an access denied error. Which change should the engineer make to resolve the issue?

46

A CloudFormation stack was created with the above snippet. An administrator notices that the EC2 instance can receive HTTP traffic from the internet, but cannot access the internet itself (e.g., to download updates). What is the most likely cause?

47

A company uses AWS Organizations with SCPs to restrict access. The security team needs to prevent users in the 'Developers' OU from disabling AWS Config or modifying its rules. Which SCP effect should be used?

48

A company is designing a hub-and-spoke network in AWS. The security team requires that all traffic between VPCs in different spokes must be inspected by a third-party firewall deployed in the hub VPC. Which architecture meets this requirement with minimal complexity?

49

A company uses AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection attempts. Which WAF rule type should be used?

50

A company uses AWS Shield Advanced for DDoS protection. During an attack, they notice that legitimate traffic is being throttled. Which configuration change should be made to reduce false positives while maintaining protection?

51

A company is deploying a multi-tier application in a VPC. The web servers must be accessible from the internet, but the database servers must not be. Which architecture meets these requirements?

52

A company needs to encrypt data at rest in Amazon S3. Which AWS service manages the encryption keys?

53

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

54

A company uses AWS Direct Connect to connect their on-premises network to AWS. They want to encrypt all traffic between their on-premises router and the AWS Direct Connect location. Which solution should they implement?

55

A company needs to block traffic from a specific IP address range in their VPC. Which component should be used?

56

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which TWO services should they use to protect against common web exploits and DDoS attacks?

57

A company is designing a network security architecture for a multi-account environment using AWS Organizations. They need to centrally manage and enforce security policies across all accounts. Which THREE services should they consider?

58

A company is using Amazon S3 to store sensitive data. They want to ensure that data is encrypted at rest and that access is logged. Which TWO services should they enable?

59

A company wants to restrict access to its S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition should be used?

60

A security team requires that all traffic between Amazon EC2 instances in different subnets of a VPC be logged. Which AWS service should be used to capture and log the traffic?

61

A company has a hybrid network with an AWS Direct Connect connection to a VPC. They also have a site-to-site VPN connection as a backup. The VPC routing tables are configured with a route to the on-premises CIDR via the virtual private gateway. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect connection even when it is healthy. What is the most likely cause?

62

A company wants to allow its developers to access Amazon RDS databases from their on-premises network without traversing the public internet. Which solution meets this requirement?

63

A company has an AWS Lambda function that needs to access an S3 bucket in the same AWS account. The function uses the basic execution role that Lambda creates by default, which grants only CloudWatch Logs permissions. The S3 bucket policy explicitly denies all principals except those it allows. The Lambda function cannot access the bucket. What should be done to resolve this issue?

64

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. They need to centrally manage and enforce VPC security group rules across all accounts. Which service should they use?

65

A company wants to ensure that all traffic to and from its Amazon EC2 instances in a VPC is inspected by a third-party security appliance. The instances are in private subnets and must maintain their private IP addresses. Which solution should be used?

66

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests from a specific IP address range. Which component should they use?

67

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16 and needs to communicate with another VPC whose CIDR is also 10.0.0.0/16. Because the CIDRs overlap, a VPC peering connection between the two cannot be established. The company wants to allow communication between specific instances in both VPCs without changing the CIDRs. What should they do?

68

A company has an AWS Direct Connect connection and wants to ensure that all traffic from its VPC to an S3 bucket in another region stays within the AWS network. How should this be accomplished?

69

A company wants to monitor and log all changes to security group rules in their AWS account for compliance purposes. Which TWO services can be used together to achieve this?

70

A company is designing a network security solution for a VPC that hosts a multi-tier web application. The web servers are in a public subnet, and the application servers are in a private subnet. The company wants to ensure that the web servers can only be accessed on port 443 from the internet, and the application servers can only be accessed from the web servers on port 3306. Which THREE components should be configured?

71

A company is using AWS Organizations and wants to centrally manage and enforce the use of VPC endpoints for S3 across all accounts. Which THREE services/tools can be combined to achieve this?

72

A company uses AWS Organizations with SCPs to restrict access. The security team wants to ensure that no IAM user or role can disable AWS Shield Advanced protections. Which SCP effect should be used?

73

A company needs to securely connect an on-premises data center to AWS using multiple VPN tunnels. The security team requires that all traffic between the VPC and on-premises be encrypted and that the tunnels authenticate with a mechanism other than pre-shared keys. Which solution meets these requirements?

74

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for logging and compliance. Which service should be used?

75

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices that a specific IP address is generating a high number of requests and wants to block it immediately. What is the MOST efficient way to block this IP address?

76

A company is migrating a legacy application to AWS. The application requires that all network traffic between two VPCs be inspected by a third-party firewall appliance. The firewall must be able to inspect traffic bidirectionally and automatically fail over if the appliance becomes unhealthy. Which architecture meets these requirements?

77

A security engineer is configuring AWS CloudTrail to log all management events across all regions. The logs must be stored in an S3 bucket that is encrypted with an AWS KMS key. Which bucket policy element is required to allow CloudTrail to write logs?

78

A company's security team is investigating a potential data exfiltration incident. They notice that an EC2 instance in a private subnet is making HTTPS connections to an unknown external IP address. The instance's security group only allows outbound HTTPS to a specific set of IPs. What is the MOST likely cause of the traffic?

79

A company uses AWS Shield Advanced for DDoS protection. During an attack, the security team notices that legitimate traffic is being throttled. They want to allow certain known IP addresses to bypass Shield Advanced rate-based rules. What should they do?

80

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to enforce this policy?

81

Which TWO statements are correct regarding the use of AWS Network Firewall? (Choose 2)

82

Which THREE actions can AWS Config perform to help with network security compliance? (Choose 3)

83

Which TWO features are provided by AWS Shield Advanced that are not available in AWS Shield Standard? (Choose 2)

84

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive data that should only be accessible from the corporate network (192.0.2.0/24). What is a potential security issue with this policy?

85

Refer to the exhibit. A network engineer is troubleshooting connectivity issues from an EC2 instance in subnet-11111111. The instance can send traffic outbound, but cannot receive inbound HTTPS traffic from the internet. What is the likely cause?

86

Refer to the exhibit. A security engineer applies this SCP to an AWS account. What is the effect of this policy?

87

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all Amazon S3 buckets in the organization are encrypted at rest. Which policy should be attached to the root organizational unit to enforce this requirement?

88

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team needs to block a specific IP address range that has been launching DDoS attacks. The solution must be implemented at the network edge, before traffic reaches the ALB. What should the security team do?

89

A company has a VPC with public and private subnets. The security team wants to allow instances in a private subnet to download software updates from the internet but prevent inbound internet traffic. Which AWS service should be used?

90

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, while the application and database tiers must be isolated. The security team wants to minimize the attack surface. Which design should they choose?

91

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team wants to ensure that traffic between the on-premises network and AWS is encrypted. Which solution meets this requirement?

92

A security engineer needs to centrally manage and enforce rules for network traffic between VPCs in a large AWS environment. Which AWS service provides this capability?

93

A company has an AWS account with multiple VPCs. The security team wants to ensure that no VPC has an internet gateway attached. Which AWS service can be used to automatically detect and remediate non-compliant VPCs?

94

A company is migrating a legacy application to AWS. The application requires that all traffic between the web and application tiers be encrypted, but the application does not support TLS. What should a network engineer do to meet this requirement without modifying the application?

95

A company wants to audit all changes to security group rules in a VPC. Which AWS service should be used to record these changes?

96

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to enforce that all VPCs use a specific set of security group rules for inbound SSH access. Which TWO steps should the team take? (Choose two.)

97

A company has a VPC with public and private subnets. The security team wants to inspect all traffic leaving the VPC to the internet for malicious activity. Which THREE services should be used together to achieve this? (Choose three.)

98

A company wants to secure data at rest in an Amazon S3 bucket. Which TWO of the following can be used to achieve this? (Choose two.)

99

A security engineer created the S3 bucket policy shown. After applying it, users from the 10.0.0.0/16 network (VPC CIDR) are able to access objects, but external users from 203.0.113.0/24 receive 'Access Denied' even though they are using HTTPS. What is the likely cause?

100

A security engineer reviews VPC Flow Logs and sees the entries shown. The last entry shows a REJECT for traffic from 203.0.113.5 to 10.0.1.5 on port 443. However, the third entry shows ACCEPT for traffic from 10.0.1.5 to 203.0.113.5 on port 443. What is the most likely reason for the REJECT?
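The flow-log reading that questions 78 and 100 ask for can be scripted. The Python below is an added illustration, not Courseiva's or AWS's code: it parses default-format (version 2) VPC Flow Log records, labels an inbound REJECT as either a new inbound connection that no rule permits or return traffic dropped by a stateless network ACL, and lists outbound ACCEPTs to destinations outside an expected allow list. The log lines, account ID, interface ID and addresses are constructed for the example; the split between server ports and ephemeral ports at 1024 is a heuristic, not an AWS rule.

```python
"""Parse and classify VPC Flow Log records (default format, version 2).

Added illustration, not Courseiva's or AWS's code. SAMPLE_LOG is constructed:
the account, ENI and addresses are invented.
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Heuristic: a source port below this is a server port, so a rejected packet
# from server port -> high port is a reply, not a fresh inbound connection.
# Network ACLs must allow 1024-65535 inbound for replies to outbound flows.
EPHEMERAL_LOW = 1024

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.5 44312 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 443 44312 6 10 8200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.5 44318 443 6 3 300 1700000061 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51022 443 6 1 60 1700000061 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 198.51.100.77 50211 443 6 40 51200 1700000061 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 443 44320 6 1 60 1700000121 1700000180 REJECT OK
"""


def parse(line):
    """One space-separated record -> dict with numeric fields converted."""
    rec = dict(zip(FIELDS, line.split()))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec


def parse_log(text):
    return [parse(l) for l in text.splitlines() if l.strip()]


def classify(rec, instance_ip):
    """Label a record relative to the monitored instance.

    Security groups are stateful: an outbound ACCEPT lets the reply back in
    but never authorises an unrelated new inbound connection. Network ACLs
    are stateless: replies need their own allow rule for the ephemeral range.
    """
    inbound = rec["dstaddr"] == instance_ip
    if rec["action"] == "ACCEPT":
        return "inbound-accepted" if inbound else "outbound-accepted"
    if not inbound:
        return "outbound-rejected"
    if rec["srcport"] < EPHEMERAL_LOW <= rec["dstport"]:
        return "return-traffic-rejected: NACL inbound ephemeral range missing"
    return "new-inbound-rejected: no inbound rule for port %d" % rec["dstport"]


def exfil_candidates(records, instance_ip, allowed_dsts):
    """Outbound ACCEPTed flows to destinations outside allowed_dsts, as
    (destination, total bytes) pairs, largest first. If the security group is
    believed to restrict egress to allowed_dsts, any hit here means the
    effective rules on the ENI are not what the team assumes."""
    totals = {}
    for r in records:
        if (r["srcaddr"] == instance_ip and r["action"] == "ACCEPT"
                and r["dstaddr"] not in allowed_dsts):
            totals[r["dstaddr"]] = totals.get(r["dstaddr"], 0) + r["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

Run against real logs by feeding the text of a flow-log file to parse_log and the instance's private address to classify and exfil_candidates.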

101

A network administrator attached the IAM policy shown to a user. The user tries to create an internet gateway in us-east-1 without any tags. What will happen?

102

A company wants to restrict access to an S3 bucket so that only traffic from a specific AWS account is allowed. Which S3 bucket policy condition key should be used to achieve this?

103

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while preventing inbound traffic from the internet. Which AWS service should they use?

104

A company uses AWS WAF to protect a web application. They notice that some malicious requests are being allowed. After investigating, they find that the requests have valid AWS WAF tokens but the payloads are obfuscated. Which WAF configuration should be reviewed to improve detection?

105

A security engineer needs to audit all API calls made in an AWS account for compliance. The engineer wants to capture the source IP address and the user agent for each call. Which AWS service should be used?

106

A company has a VPC with multiple subnets. They want to enforce that all traffic between subnets must be inspected by a security appliance deployed in a centralized inspection VPC. Which AWS feature should be used to route traffic to the inspection VPC without changing the routing on each subnet?

107

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its backend targets. Which AWS service should be used to terminate TLS at the ALB and re-encrypt traffic to the targets?

108

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet that needs to access an S3 bucket in the same region. Which approach provides the most secure and cost-effective access?

109

A company uses AWS Network Firewall to inspect traffic. They notice that some traffic is bypassing the firewall. The VPC has a route table with a default route (0.0.0.0/0) pointing to the firewall endpoint. Which configuration could cause traffic to bypass the firewall?
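The routing questions above (36, 40, 61 and 109) all come down to which route a VPC route table selects for a destination. The Python below is an added illustration, not Courseiva's or AWS's code: a longest-prefix-match model that traces an internet-bound packet through an AWS Network Firewall endpoint, reports routes that let traffic skip the firewall, and applies the documented priority for a prefix learned over both Direct Connect and a VPN (longest prefix first, then static over propagated, then Direct Connect over VPN). The subnet CIDRs and every resource ID are invented; the priority model is deliberately reduced to those three rules.

```python
"""Longest-prefix-match model of VPC route tables.

Added illustration, not Courseiva's or AWS's code. A route is
(destination CIDR, target, origin) with origin "static", "directconnect"
or "vpn". CIDRs and IDs are invented.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
WORKLOAD_SUBNET = "10.0.1.0/24"
FW_ENDPOINT = "vpce-0fw00000000000001"   # Network Firewall endpoint (hypothetical)
IGW = "igw-0aaa0000000000001"
VGW = "vgw-0bbb0000000000001"
_RANK = {"static": 0, "directconnect": 1, "vpn": 2}   # lower is preferred


def lookup(route_table, dst):
    """Return the route the VPC would use for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in route_table if ip in ipaddress.ip_network(r[0], strict=False)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r[0], strict=False).prefixlen,
                                    -_RANK[r[2]]))


# Workload subnet: everything that is not local goes to the firewall endpoint.
WORKLOAD_RT = [(VPC_CIDR, "local", "static"), ("0.0.0.0/0", FW_ENDPOINT, "static")]
# Firewall subnet: inspected traffic continues to the internet gateway.
FIREWALL_RT = [(VPC_CIDR, "local", "static"), ("0.0.0.0/0", IGW, "static")]
# Route table with an edge association to the IGW: inbound and return traffic
# for the workload subnet is steered through the firewall before delivery.
IGW_INGRESS_RT = [(VPC_CIDR, "local", "static"), (WORKLOAD_SUBNET, FW_ENDPOINT, "static")]
# Hybrid: the same prefix propagated from a DX private VIF and a BGP VPN that
# terminate on one virtual private gateway, plus a /24 learned only over the VPN.
HYBRID_RT = [(VPC_CIDR, "local", "static"),
             ("192.168.0.0/16", VGW, "directconnect"),
             ("192.168.0.0/16", VGW, "vpn"),
             ("192.168.50.0/24", VGW, "vpn")]


def trace_outbound(dst, workload_rt=WORKLOAD_RT, firewall_rt=FIREWALL_RT):
    """Targets a packet from the workload subnet visits on its way to dst."""
    path = [lookup(workload_rt, dst)[1]]
    if path[0] == FW_ENDPOINT:   # after inspection the firewall subnet's table applies
        path.append(lookup(firewall_rt, dst)[1])
    return path


def trace_inbound(dst, ingress_rt=IGW_INGRESS_RT):
    """First hop for a packet entering through the IGW toward dst."""
    return lookup(ingress_rt, dst)[1]


def firewall_bypasses(workload_rt):
    """Routes in a workload route table whose target is neither local nor the
    firewall endpoint. A more specific prefix pointing at the IGW or another
    gateway beats 0.0.0.0/0 and sends that traffic around the firewall."""
    return [r for r in workload_rt if r[1] not in ("local", FW_ENDPOINT)]


def hybrid_path(dst):
    """Which propagated path the route table selects for dst."""
    return lookup(HYBRID_RT, dst)[2]
```

To audit a real VPC, build the route lists from the DescribeRouteTables output for every subnet that is supposed to sit behind the firewall and run firewall_bypasses on each; a non-empty result, or a subnet not associated with the workload table at all, is the bypass in question 109.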

110

A company needs to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile apps. Which AWS service should they use?

111

A company is designing a network security architecture for a multi-account environment using AWS Organizations. Which TWO services can be used to centrally manage security policies across all accounts?

112

A company wants to secure network traffic between on-premises data centers and AWS using AWS Site-to-Site VPN. Which TWO components are required to establish a VPN connection?

113

A company wants to monitor and log all network traffic within a VPC for security analysis. Which THREE services can be used to achieve this?

114

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. Users in a different VPC with IP range 10.0.0.0/16 are able to access objects, but users in a different VPC with IP range 10.1.0.0/16 cannot. What is the most likely cause?

115

Refer to the exhibit. A network engineer examines the network ACL for a subnet. Which statement best describes the effect of this network ACL?
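Questions 22, 115 and 119 turn on the two differences between network ACLs and security groups: NACL rules are evaluated in ascending rule number with first match winning and an implicit deny at the end, and NACLs are stateless, so the reply to an allowed connection needs its own rule for the ephemeral port range. The Python below is an added illustration, not Courseiva's or AWS's code: it walks a web-tier to app-tier TCP handshake through each control in order and names the first one that drops a packet, which shows how a security group rule that correctly references the web tier's group can still leave the tiers unable to connect. Every ID and address is invented.

```python
"""Stateless network ACL vs stateful security group evaluation.

Added illustration, not Courseiva's or AWS's code. All IDs and addresses
are invented.
"""
import ipaddress


def nacl_allows(rules, remote_ip, dport, proto="tcp"):
    """rules: (rule_number, protocol, port_from, port_to, cidr, action).
    Evaluated in ascending rule number, first match wins, unmatched traffic
    hits the implicit '*' deny. The CIDR is matched against the remote
    address and the port range against the packet's destination port."""
    ip = ipaddress.ip_address(remote_ip)
    for _num, rproto, lo, hi, cidr, action in sorted(rules):
        if rproto not in (proto, "all") or not lo <= dport <= hi:
            continue
        if ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        return action == "allow"
    return False


def sg_allows_inbound(sg_rules, src_ip, src_sg, dport, proto="tcp"):
    """rules: (protocol, port_from, port_to, source); source is a CIDR or a
    security-group ID. Allow-only. Replies to an allowed connection pass
    without a rule because security groups are stateful."""
    ip = ipaddress.ip_address(src_ip)
    for rproto, lo, hi, source in sg_rules:
        if rproto not in (proto, "all") or not lo <= dport <= hi:
            continue
        if source.startswith("sg-"):
            if source == src_sg:
                return True
        elif ip in ipaddress.ip_network(source, strict=False):
            return True
    return False


def first_block(flow, web_nacl, app_nacl, app_sg_rules):
    """Name of the first control that drops a packet of the handshake
    (SYN web->app:dport, then SYN-ACK app->web:sport), or None."""
    src, dst = flow["src"], flow["dst"]
    dport, sport, src_sg = flow["dport"], flow["sport"], flow["src_sg"]
    checks = [
        ("web subnet NACL outbound", lambda: nacl_allows(web_nacl["out"], dst, dport)),
        ("app subnet NACL inbound", lambda: nacl_allows(app_nacl["in"], src, dport)),
        ("app security group inbound", lambda: sg_allows_inbound(app_sg_rules, src, src_sg, dport)),
        # The reply is a brand-new packet to the NACLs; the SGs already admitted it.
        ("app subnet NACL outbound (reply)", lambda: nacl_allows(app_nacl["out"], src, sport)),
        ("web subnet NACL inbound (reply)", lambda: nacl_allows(web_nacl["in"], dst, sport)),
    ]
    for name, ok in checks:
        if not ok():
            return name
    return None


VPC = "10.0.0.0/16"
WEB_SG = "sg-0web000000000001"
WEB_NACL = {"in": [(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                   (110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")],
            "out": [(100, "all", 0, 65535, "0.0.0.0/0", "allow")]}
# As deployed: inbound 80 from the VPC is allowed, but outbound allows only
# port 80, so SYN-ACKs to the web tier's ephemeral port never leave the subnet.
APP_NACL_BROKEN = {"in": [(100, "tcp", 80, 80, VPC, "allow")],
                   "out": [(100, "tcp", 80, 80, VPC, "allow")]}
APP_NACL_FIXED = {"in": [(100, "tcp", 80, 80, VPC, "allow")],
                  "out": [(100, "tcp", 1024, 65535, VPC, "allow")]}
APP_SG_RULES = [("tcp", 80, 80, WEB_SG)]      # HTTP only from the web tier's group
FLOW = {"src": "10.0.0.10", "dst": "10.0.1.20", "dport": 80, "sport": 51515,
        "src_sg": WEB_SG}
# Ordering: rule 90 (deny the corporate range) is evaluated before rule 100.
SSH_NACL_IN = [(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
               (90, "tcp", 22, 22, "203.0.113.0/24", "deny")]


def broken():
    return first_block(FLOW, WEB_NACL, APP_NACL_BROKEN, APP_SG_RULES)


def fixed():
    return first_block(FLOW, WEB_NACL, APP_NACL_FIXED, APP_SG_RULES)


def wrong_group():
    """Same packets, but sent by an instance in a different security group."""
    return first_block(dict(FLOW, src_sg="sg-0other00000000001"), WEB_NACL,
                       APP_NACL_FIXED, APP_SG_RULES)


def ssh_allowed_from(ip):
    return nacl_allows(SSH_NACL_IN, ip, 22)
```

The same walk applies to any tier pair: fill the two NACL dicts and the destination group's rules from DescribeNetworkAcls and DescribeSecurityGroups and the first failing check is where to look.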

116

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. What is the effect of the policy?
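The bucket-policy questions above (19, 21, 59, 84, 99, 102, 114 and 116) all depend on how IAM evaluates condition keys, and in particular on what a negated operator does when its key is absent from the request context: aws:SourceIp is not present for requests that arrive through a gateway VPC endpoint, and s3:x-amz-server-side-encryption is not present on an unencrypted PutObject, so a NotIpAddress or StringNotEquals condition matches those requests. The Python below is an added illustration, not Courseiva's or AWS's code: a minimal evaluator covering explicit-deny precedence and the IpAddress, NotIpAddress, Bool, StringEquals, StringNotEquals and Null operators, run against a sample policy that combines the TLS-only, corporate-network-or-VPC, and SSE-KMS-only patterns. The bucket name, VPC ID and address ranges are invented.

```python
"""Minimal evaluator for S3 bucket-policy style statements.

Added illustration, not Courseiva's or AWS's code. Only the parts of IAM
evaluation these questions turn on are modelled. Bucket, VPC and CIDRs
are invented.
"""
import fnmatch
import ipaddress

NEGATED = {"NotIpAddress", "StringNotEquals"}


def _matches(operator, wanted, actual):
    """Evaluate one operator against one request-context value (None = absent)."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if operator == "Null":
        return (actual is None) == (str(wanted[0]).lower() == "true")
    if actual is None:
        return operator in NEGATED   # positive operators never match a missing key
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
    elif operator == "Bool":
        hit = str(actual).lower() == str(wanted[0]).lower()
    elif operator in ("StringEquals", "StringNotEquals"):
        hit = actual in wanted
    else:
        raise ValueError("unsupported operator " + operator)
    return not hit if operator in NEGATED else hit


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _applies(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator/key pair in a Condition block must hold (logical AND).
    for operator, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            if not _matches(operator, wanted, ctx.get(key)):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit deny wins over any allow
            decision = "Allow"
    return decision


BUCKET = "arn:aws:s3:::example-bucket"   # hypothetical
CORP_NET = "203.0.113.0/24"              # corporate egress range
APP_VPC = "vpc-0123456789abcdef0"        # hypothetical VPC with an S3 gateway endpoint
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowObjectAccess", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Deny reads unless they come from the corporate range OR the app VPC.
        # NotIpAddress alone would also deny endpoint traffic, which has no aws:SourceIp.
        {"Sid": "DenyOutsideCorpOrVpc", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_NET},
                       "StringNotEquals": {"aws:SourceVpc": APP_VPC}}},
        # Reject uploads that do not request SSE-KMS (header absent or different).
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}
OBJ = BUCKET + "/reports/q1.csv"


def read(ctx):
    return evaluate(POLICY, "s3:GetObject", OBJ, ctx)


def put(ctx):
    return evaluate(POLICY, "s3:PutObject", OBJ, ctx)


def scenarios():
    """Decisions for the request paths the questions describe."""
    tls = {"aws:SecureTransport": "true"}
    return {
        "corp_https_read": read({"aws:SourceIp": "203.0.113.10", **tls}),
        "corp_http_read": read({"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "false"}),
        # via the gateway endpoint the context carries aws:SourceVpc, not aws:SourceIp
        "vpc_endpoint_read": read({"aws:SourceVpc": APP_VPC, **tls}),
        "internet_read": read({"aws:SourceIp": "198.51.100.7", **tls}),
        "unencrypted_put": put({"aws:SourceIp": "203.0.113.10", **tls}),
        "sse_kms_put": put({"aws:SourceIp": "203.0.113.10", **tls,
                            "s3:x-amz-server-side-encryption": "aws:kms"}),
    }
```

json.dumps(POLICY) produces the document you would attach to the bucket. Note what the evaluator does not model: IAM identity policies in the requester's account, which can grant access on their own when the bucket policy has no matching Deny, which is why an Allow-only statement restricted to 192.0.2.0/24 does not by itself keep other principals out.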

117

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which SCP should be applied to the root OU?

118

A network engineer is designing a VPC with private subnets for workloads that must not have direct internet access. However, the workloads need to download patches from a specific third-party vendor's IP range. Which solution minimizes the attack surface?

119

A security engineer notices that a security group allows inbound SSH from 0.0.0.0/0. Which immediate action should be taken to reduce risk?

120

A company uses AWS Direct Connect to connect its on-premises network to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which solution should be used?

121

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution meets this requirement?

122

Which AWS service can be used to centrally manage and enforce security group rules across multiple accounts in AWS Organizations?

123

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs is encrypted. What should they do?

124

A security engineer is troubleshooting connectivity issues. An EC2 instance cannot access the internet. The instance is in a private subnet with a route table that has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in a public subnet with an Elastic IP. The security group allows all outbound traffic. What is the most likely cause?

125

A company wants to use AWS Certificate Manager (ACM) to provide a TLS certificate for a website hosted on an ALB. The domain is example.com, and the certificate must be renewed automatically. Which type of certificate should be requested?

126

Which TWO actions should be taken to secure an EC2 instance that is used as a bastion host? (Choose 2)

127

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose 3)

128

Which TWO statements about AWS WAF are accurate? (Choose 2)

129

An IAM policy is created and attached to a user. The user reports they cannot stop a production EC2 instance. What is the most likely reason?

130

A network security engineer is reviewing the NACL configuration. An EC2 instance in the subnet associated with this NACL is not receiving SSH connections from the internet. What is the issue?

131

A security group is configured as shown. An EC2 instance in the same VPC with IP 10.0.1.50 can connect to the instance on port 443. An on-premises client with IP 203.0.113.5 cannot connect. What is the most likely reason?

132

A company wants to securely connect an on-premises data center to a VPC using AWS Site-to-Site VPN. The security team requires that all traffic between the on-premises network and the VPC be encrypted and that the VPN tunnel be highly available. Which design BEST meets these requirements?

133

A security engineer is designing a network ACL for a public-facing web application in a VPC. The application uses an Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an RDS database in a private subnet. The engineer needs to allow HTTPS traffic from the internet to the ALB, and allow the ALB to forward traffic to the web servers on port 8080. The web servers need to query the database on port 3306. Which network ACL configuration should the engineer implement for the private subnet containing the web servers?

134

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across the organization are encrypted with SSE-S3. Which control mechanism should they use?

135

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized security appliance running in a security VPC. Which configuration should be used?

136

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize data transfer costs and avoid exposing the private instance to inbound traffic from the internet. Which solution meets these requirements?

137

A company wants to audit all network traffic to and from an EC2 instance for compliance. The security team needs to capture full packet contents, including headers and payload, and store them in Amazon S3 for analysis. Which AWS service should they use?

138

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The security team wants to block a list of known malicious IP addresses from accessing the application. Which service should they use to implement this protection?

139

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team notices that the BGP session between the on-premises router and the AWS virtual private gateway (VGW) is flapping. The on-premises router is configured to advertise a specific prefix. Which configuration change is MOST likely to stabilize the BGP session?

140

A security engineer needs to ensure that all traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the engineer do to meet this requirement?

141

A network engineer is troubleshooting connectivity issues between an EC2 instance and an RDS database in the same VPC. The EC2 instance can connect to the database, but the connection is slow. Which TWO actions should the engineer take to diagnose the issue? (Choose TWO.)

142

A company is designing a multi-account architecture using AWS Organizations. They want to centrally manage and enforce network security policies across all accounts. Which THREE services or features should they use together to achieve this? (Choose THREE.)

143

A security engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. The engineer wants to capture full packets and store them for later analysis. Which TWO AWS services can be used together to accomplish this? (Choose TWO.)

144

A company wants to restrict access to an S3 bucket so that only objects with server-side encryption using AWS KMS (SSE-KMS) can be uploaded. Which bucket policy condition should be used?

145

A security engineer is designing a network firewall solution for a VPC with multiple subnets. The solution must inspect traffic between instances in the same VPC, including traffic within the same subnet. Which AWS service should be used?

146

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have block public access enabled. Which approach should be used?

147

A company has a requirement to encrypt all data in transit between its on-premises network and AWS over a VPN connection. Which solution provides encryption in transit?

148

A security engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which solution meets this requirement?

149

A company uses AWS CloudFormation to deploy resources. The security team wants to ensure that no IAM user can modify the stack set if they are not authorized via a specific IAM policy. Which feature should be used?

150

A company wants to centrally manage and enforce security rules for all VPCs in a multi-account environment. Which AWS service should be used?

151

An application running on EC2 instances needs to access a DynamoDB table. The security team requires that traffic does not traverse the internet. Which solution should be used?

152

A company needs to ensure that all API calls to AWS services are logged and monitored for suspicious activity. Additionally, any API call that creates a security group rule should trigger an immediate notification. Which combination of services should be used?

153

Which TWO actions should be taken to secure a VPC that hosts a web application? (Choose TWO.)

154

Which THREE services can be used to detect and protect against DDoS attacks? (Choose THREE.)

155

Which TWO are valid methods to encrypt data at rest in Amazon S3? (Choose TWO.)

156

Refer to the exhibit. A security engineer applies this S3 bucket policy. What is the result of this policy?

157

Refer to the exhibit. A network engineer reviews the NACL entries for a subnet. What is the effect of this NACL on inbound traffic?

158

Refer to the exhibit. An EC2 instance is associated with the IAM role shown. Which action can the EC2 instance perform?

159

A company uses AWS Organizations with SCPs to restrict access. The security team notices that users in the 'Developers' account can launch EC2 instances with public IP addresses, even though the SCP denies ec2:AssociateAddress. What is the most likely reason?

160

A company has a VPC with public and private subnets. They launch an Application Load Balancer (ALB) in the public subnets and targets in private subnets. Security requirements dictate that the targets should only accept traffic from the ALB. Which security group configuration meets this requirement?

161

A company is designing a network security architecture for a multi-account AWS environment. They need to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which AWS service should they use to route traffic through the inspection VPC?

162

A security engineer is troubleshooting connectivity between an EC2 instance in a private subnet and an S3 bucket. The instance has a VPC gateway endpoint for S3, and the route table has a route to the endpoint. The security group for the instance allows all outbound traffic. However, the instance cannot access the S3 bucket. What is the most likely cause?

163

A company has a requirement to encrypt all data in transit between EC2 instances and an RDS database. The database is in a private subnet, and the application connects using an SSL connection. The security team wants to ensure that even if the network is compromised, the data remains confidential. What additional measure should be taken?

164

A company uses AWS Shield Advanced and AWS WAF to protect its web application. The security team notices that some legitimate traffic is being blocked. They want to allow traffic from a specific set of IP addresses used by their partners. How can they ensure that partner traffic is not blocked by WAF rules?

165

A company wants to audit all changes to security groups in their AWS account. Which AWS service should they use to track API calls that modify security groups?

166

A company has a VPC with multiple subnets. They deploy a Network Firewall to inspect traffic. The firewall is configured with a stateful rule that allows outbound HTTP traffic to any destination. However, traffic from an EC2 instance in a private subnet to an external web server fails. The route table for the private subnet has a default route pointing to the firewall endpoint. What is the likely issue?

167

A company uses AWS Certificate Manager (ACM) to provision SSL/TLS certificates for their Application Load Balancer (ALB). They want to ensure that the ALB only accepts connections using TLS 1.2 or higher. How should they configure this?

168

A company is designing a network security architecture for a multi-tier application. They need to ensure that the web tier can only communicate with the app tier on port 443, and the app tier can only communicate with the database tier on port 3306. Which TWO actions should they take? (Choose TWO.)

169

A company has a VPC with multiple subnets and uses AWS Transit Gateway to connect to on-premises via AWS Direct Connect. They want to implement network segmentation so that certain VPCs can only communicate with specific on-premises networks. Which THREE components should they use? (Choose THREE.)

170

A company is designing a security group configuration for a three-tier application. The web servers must be accessible from the internet on ports 80 and 443. The application servers must only communicate with the web servers on port 8080. The database servers must only communicate with the application servers on port 3306. Which TWO of the following are best practices for implementing this with security groups? (Choose TWO.)

171

An IAM policy is applied to a user. The user reports that they cannot run 'aws ec2 describe-instances --region eu-west-1' but can run the same command in us-east-1. What is the most likely reason?

172

A network engineer is troubleshooting connectivity from an EC2 instance in subnet-12345678 to a server on the internet. The instance has a public IP and a security group allowing all outbound traffic. However, traffic fails. Based on the exhibit, what is the issue?

173

A network engineer runs the above command and sees that VPC Flow Logs are configured for a VPC. The engineer wants to analyze rejected traffic to troubleshoot a connectivity issue. Which field in the flow log records should they examine?

174

A company uses AWS Organizations with multiple accounts and wants to centrally manage VPC security group rules. They need to enforce that no security group allows inbound SSH (port 22) from 0.0.0.0/0. Which service should they use to automatically detect and remediate noncompliant security groups?

175

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application must only accept traffic from known corporate IP addresses, but the company also needs to allow health-check traffic from AWS health checkers. Which architecture meets these requirements securely?

176

A security engineer needs to audit all API calls that modify security group rules in a VPC. Which AWS service should be used to record these API calls?

177

A company is designing a multi-account AWS environment using AWS Organizations. They want to restrict the use of certain instance types across all accounts. Which approach should they use to enforce this policy?

178

A company has deployed a web application on an EC2 instance that needs to access an S3 bucket and a DynamoDB table. The instance is in a private subnet. Which approach meets the security best practice of avoiding long-lived credentials on the instance?

179

A company wants to encrypt data at rest in an S3 bucket. Which AWS service can manage the encryption keys if the company wants to use server-side encryption with AWS KMS?

180

A company has a VPC with public and private subnets. They have an EC2 instance in a private subnet that needs to access the internet for software updates. Which solution provides internet access while keeping the instance private?

181

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. They want to ensure that only traffic from specific on-premises IP ranges is allowed into the production VPC. Which approach should they use?

182

A company wants to audit all network traffic to and from EC2 instances for security analysis. Which AWS service should they enable?

183

A company is designing a security group configuration for a three-tier web application (web, application, database). The web tier is accessible from the internet. Which TWO rules should be applied to meet security best practices?

184

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which THREE services should they combine to protect against common web attacks and network threats?

185

A company needs to encrypt data in transit between an Application Load Balancer and EC2 instances. Which TWO actions should they take?

186

A company runs a multi-tier application on AWS. The web tier consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application tier runs on EC2 instances in a separate Auto Scaling group, and the database tier uses an Amazon RDS MySQL instance. All resources are in the same VPC. The security team has identified that the application tier instances are receiving traffic from unknown IP addresses on port 22 (SSH). The team wants to ensure that only the web tier instances can communicate with the application tier on the application port (8080), and only from a specific security group. Additionally, the database tier should only accept traffic from the application tier on port 3306. Currently, the security groups are configured as follows: Web-SG allows inbound from 0.0.0.0/0 on ports 80 and 443; App-SG allows inbound from 0.0.0.0/0 on port 8080 and from 0.0.0.0/0 on port 22; DB-SG allows inbound from 0.0.0.0/0 on port 3306. The team has also noticed that the web tier instances can be accessed via SSH from the internet. Which course of action should the team take to remediate the security issues?

187

A security engineer must ensure that all traffic between an application running on Amazon EC2 and an Amazon RDS database is encrypted in transit. The VPC has a public subnet for the EC2 instance and a private subnet for the RDS database. What is the MOST secure way to enforce encryption for this traffic?

188

A company is designing a VPC with a public subnet for web servers and a private subnet for database servers. The web servers must be able to access the internet for software updates, but the database servers must not have direct internet access. Which solution meets these requirements?

189

A company is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets across the organization are encrypted with AWS KMS. Which approach should be used to enforce this policy?

190

Refer to the exhibit. A company has an S3 bucket policy that denies PutObject if the object is not encrypted with SSE-KMS. However, uploads are still being allowed without encryption. What is the most likely reason?

191

A company is using AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

192

A network engineer is troubleshooting connectivity issues between an on-premises network and an Amazon VPC over an AWS Direct Connect connection. The on-premises network uses BGP to advertise routes to the VPC. The VPC is associated with a virtual private gateway (VGW). The on-premises network can reach resources in the VPC, but VPC resources cannot reach on-premises resources. What is the most likely cause?

193

Refer to the exhibit. An IAM role ARN is shown. A security engineer wants to allow an EC2 instance to assume this role. What is required for the EC2 instance to successfully assume the role?

194

A company is deploying a web application in a VPC and wants to protect it from common web exploits like cross-site scripting (XSS). Which AWS service should be used to filter and monitor HTTP requests?

195

A company has a VPC with an internet gateway and wants to restrict outbound traffic from a private subnet to only allow traffic to specific AWS services, such as S3 and DynamoDB. Which solution should be used?

196

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

197

Which THREE of the following are best practices for securing a VPC? (Choose three.)

198

Which TWO of the following are valid ways to encrypt data in transit between an on-premises data center and an Amazon VPC? (Choose two.)

199

A company has a hybrid network architecture with an AWS Direct Connect connection between its on-premises data center and an Amazon VPC. The VPC has a single private subnet with Amazon EC2 instances running a critical application. The on-premises network uses BGP to advertise a route for the VPC's CIDR (10.0.0.0/16) to the on-premises routers. Recently, the company added a new application in a second VPC (VPC-B) with CIDR 10.1.0.0/16 and peered it with the original VPC (VPC-A). After the peering, users on-premises can still reach resources in VPC-A, but cannot reach resources in VPC-B. The VPC-A route table has a route for VPC-B's CIDR pointing to the peering connection. The VPC-B route table has a route for VPC-A's CIDR pointing to the peering connection. The on-premises routers have a static route for VPC-B's CIDR pointing to the Direct Connect virtual interface. What is the most likely cause of the issue?

200

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to implement a centralized inspection architecture where all traffic between VPCs must be inspected by a security appliance (e.g., firewall) deployed in a dedicated inspection VPC. Currently, traffic flows directly between VPCs using the Transit Gateway. Which architecture change would enforce that all inter-VPC traffic passes through the inspection VPC?

201

A company hosts a multi-tier web application in a VPC. The web servers are in a public subnet, and the application servers are in a private subnet. The application servers need to access a third-party API over the internet. The company wants to ensure that the application servers' IP addresses are not exposed to the internet, and that all outbound traffic to the internet is logged. Additionally, the company wants to restrict outbound traffic to only the specific API endpoints. Which solution should be used?

202

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which policy type should be used?

203

A security engineer is designing a hybrid network with an AWS Site-to-Site VPN. The company requires that all traffic between the on-premises network and VPC be encrypted in transit. Which configuration ensures this requirement is met?

204

A company has multiple AWS accounts under AWS Organizations. The security team wants to centrally log all network traffic that is denied by security group rules across all accounts. Which approach meets this requirement with the least operational overhead?

205

A company uses AWS Direct Connect to connect its data center to a VPC. The security team wants to ensure that only the on-premises network can initiate connections to EC2 instances in the VPC, but the EC2 instances should be allowed to initiate outbound connections to the internet. Which configuration should be implemented?

206

A company has a VPC with public and private subnets. The public subnet hosts a web server that must be accessible from the internet. The private subnet hosts a database that should only be accessible from the web server. Which security group configuration should be used?

207

A company is deploying a multi-tier web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that the web servers only accept traffic from the ALB and that the ALB only accepts traffic from the internet on ports 80 and 443. Additionally, the web servers should be able to make outbound connections to the internet for updates. Which combination of security group rules meets these requirements?

208

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region and the peering connection is in the 'active' state. Security groups in both VPCs allow all traffic. However, instances in VPC A cannot reach instances in VPC B. What is the most likely cause?

209

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket for backups. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be used?

210

A company uses AWS WAF to protect its web application from common exploits. The security team notices that a specific IP address is generating a high volume of requests and should be blocked immediately. Which action should be taken?

211

A company wants to encrypt all data in transit between its on-premises data center and AWS. Which two services or features can provide encryption for data in transit?

212

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team wants to implement defense in depth. Which three layers of security should be configured?

213

A company has a VPC with multiple subnets and is using Network Access Analyzer to identify unintended network access. It reports that an EC2 instance in a private subnet has a route to an internet gateway. Which two actions should be taken to remediate this?

214

Refer to the exhibit. A company has attached the IAM policy to an S3 bucket named example-bucket. Users report they cannot access objects in the bucket even when coming from the allowed IP range. What is the most likely cause?

215

Refer to the exhibit. A network engineer is analyzing a VPC Flow Log record from a VPC with CIDR 10.0.0.0/16. The record indicates a REJECT action. Which component is most likely blocking the traffic?

216

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains several EC2 instances that need to download software updates from the internet. The security team has configured the following:

- A security group on the EC2 instances allows outbound traffic to 0.0.0.0/0 on ports 443 and 80.
- The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT gateway.
- The NAT gateway is in the public subnet with an Elastic IP, and its security group allows inbound traffic from the private subnet CIDR on ports 443 and 80, and outbound to 0.0.0.0/0 on all ports.

Despite this, the EC2 instances cannot reach the internet. What is the most likely cause?

217

A company has a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The security team requires that all traffic between VPCs must be inspected by a centralized firewall appliance deployed in a security VPC. They have configured a Transit Gateway with a route table that has blackhole routes for all VPC CIDRs except the security VPC, and the security VPC appliance performs inspection and returns traffic to the Transit Gateway. Recently, they added a new VPC for a critical application. After configuration, some traffic from the new VPC to other VPCs is being dropped. The network engineer verifies that the Transit Gateway route table includes a blackhole route for the new VPC's CIDR and that the security VPC's firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

218

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS and that bucket policies restrict access to specific IAM roles. They have created an SCP that denies s3:PutBucketPolicy unless the bucket is encrypted with KMS (using a condition) and restricts the PutBucketPolicy action to a specific role. After applying the SCP, the development team reports that they cannot update bucket policies even when using the allowed role. The SCP is attached to the root OU. The allowed role is in the dev account and has full S3 permissions via an IAM policy. What is the most likely reason for the failure?

219

A company is using AWS Client VPN for remote access. They want to ensure that only clients with a valid client certificate can connect, and that traffic is routed through a centralized inspection VPC. The VPN endpoint is configured with mutual authentication using server and client certificates. The route table in the VPN VPC has a default route pointing to an AWS Network Firewall endpoint in the inspection VPC. Users report that they can connect to the VPN but cannot access any internal resources. The network engineer checks the Client VPN endpoint configuration and confirms that the authorization rules allow access to the internal CIDR (10.0.0.0/8). What is the most likely cause?

220

A company uses AWS Network Firewall to inspect traffic between VPCs in a transit gateway setup. They have a rule group that allows HTTP and HTTPS traffic to a web server in a production VPC. Recently, the security team added a new Suricata IPS rule to block traffic from a specific IP address. After deploying the updated rule group, they notice that all traffic to the web server is being dropped, even from allowed IPs. The firewall logs show the new rule is triggering for all traffic, not just the specific IP. What is the most likely cause?

221

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have configured automatic application layer DDoS mitigation with AWS WAF. During a recent attack, the application experienced increased latency, and some legitimate users were blocked. The security team reviews the WAF logs and finds that many requests from legitimate IPs were rate-limited. The team had set a rate-based rule with a threshold of 100 requests per 5 minutes. What is the most likely reason legitimate users were blocked?

222

A company wants to securely store and manage secrets such as database passwords and API keys. They need to automatically rotate secrets every 30 days and ensure that only specific IAM roles can access them. Which AWS service should they use?

223

A company has an S3 bucket that stores sensitive documents. They need to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Additionally, they want to prevent any uploads that do not specify the required KMS key. Which combination of bucket policy and default encryption should they implement?

224

A company wants to allow their employees to access internal web applications hosted on EC2 instances in a private subnet. The employees are outside the corporate network and connect via the internet. Which AWS service would provide secure, managed remote access without requiring a VPN client on each employee's device?

225

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is encrypted in transit. They also want to minimize changes to existing VPC route tables. Which solution should they use?

226

A company uses AWS Direct Connect to connect their on-premises network to AWS. They have a VPC with a virtual private gateway (VGW) and a private VIF attached to it. They recently added a second Direct Connect connection for redundancy. Both connections are active and advertised via BGP. The on-premises network uses BGP with the same AS number. After configuration, they notice that traffic is not load-balanced as expected; instead, all traffic flows through one connection. What is the most likely cause?

227

A company wants to audit all changes to security groups in their AWS account. They need to be notified whenever a security group rule is added, modified, or removed. They also want to see who made the change. Which solution should they implement?

228

A company wants to restrict access to their S3 bucket so that only users from their corporate network (with a specific IP range) can read objects. They also want to ensure that the objects are encrypted in transit. Which combination of bucket policy and encryption should they use?

229

A company uses AWS WAF to protect their web application. They have a rate-based rule that blocks IPs after 100 requests in 5 minutes. However, they notice that legitimate users behind a corporate NAT gateway are being blocked because the aggregate traffic from the NAT IP exceeds the threshold. Which TWO actions would resolve this issue without compromising security? (Choose TWO.)

230

A company wants to securely store database credentials and automatically rotate them every 90 days. Which TWO AWS services can work together to achieve this? (Choose TWO.)

231

A company has a VPC with public and private subnets. They use a NAT Gateway in the public subnet to allow instances in the private subnet to access the internet. The security team wants to ensure that all outbound traffic from the private subnet is logged and inspected. Which THREE services should they use together to achieve this? (Choose THREE.)

232

A financial services company has a multi-account AWS environment managed via AWS Organizations. The security team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key (CMK) from the security account. Currently, some accounts have S3 buckets with SSE-S3 encryption or no encryption. The security team must not be able to read the data in the buckets, but must be able to detect and remediate non-compliant buckets. The solution must use AWS native services and minimize operational overhead. Which combination of actions should the security team take?

233

A company is using Amazon VPC with a public subnet and a private subnet. The public subnet has a NAT gateway. The private subnet has an Amazon RDS for MySQL database. The security team wants to ensure that the database is not accessible from the internet, but they need to allow a specific on-premises network (IP range 203.0.113.0/24) to connect to the database for maintenance. The company also wants to restrict outbound traffic from the database to only necessary AWS services (e.g., S3 for backups) and deny all other outbound traffic. Which configuration should the security team implement?

234

A security engineer needs to block traffic from a specific country from reaching an Application Load Balancer. Which AWS service should be used to accomplish this?

235

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

236

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT gateway. The security team wants to ensure that traffic from the private subnets cannot bypass the NAT gateway. Which configuration should be used?

237

A company is using AWS CloudFormation to deploy a stack that includes an S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. The stack fails to create, and the error indicates that the bucket policy contains an invalid principal. Which principal should be used to restrict access to a VPC endpoint?

238

A company is using AWS Shield Advanced to protect against DDoS attacks. The security team wants to receive notifications when an attack is detected. Which service should be used to send these notifications?

239

A company has a VPC with multiple subnets across Availability Zones. An application uses a Network Load Balancer (NLB) to distribute traffic to instances. The security team notices that traffic from a specific client IP is being dropped. The NLB access logs show the client IP, but the target instances do not receive the traffic. What is the most likely cause?

240

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The security team wants to enforce multi-factor authentication (MFA) for all VPN connections. Which configuration should be used?

241

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted at rest. Which S3 bucket property should be enabled?

242

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT gateway in the public subnet. The security team wants to allow only outbound HTTPS traffic from the instance. Which configuration should be used?

243

A company is designing a network security architecture for a multi-tier application. Which TWO of the following are best practices for implementing defense in depth?

244

A company is using AWS Direct Connect to connect on-premises to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which TWO options can achieve this?

245

A company needs to audit network traffic in a VPC for compliance. Which THREE AWS services can be used to capture and analyze network traffic?

246

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized firewall appliance in an inspection VPC. Which architecture meets this requirement?

247

A network engineer is designing a security group for a web application that must allow inbound HTTPS traffic from the internet and outbound traffic to an RDS MySQL database. The web servers are in a public subnet and the RDS database is in a private subnet. What is the most secure way to configure the security groups?

248

A company wants to block inbound traffic from a specific IP address range (203.0.113.0/24) at the VPC level using AWS WAF. Which resource should the AWS WAF web ACL be associated with?

249

A company uses AWS Certificate Manager (ACM) to issue a public SSL/TLS certificate for a domain hosted on Route 53. The certificate is used by an Application Load Balancer. After renewal, the ALB continues to serve the old certificate. What is the most likely cause?

250

A company has a VPC with public and private subnets. The public subnet hosts a NAT gateway. The private subnet hosts EC2 instances that need to download patches from the internet. The EC2 instances have a security group that allows outbound HTTPS to 0.0.0.0/0. What additional configuration is required?

251

A security team needs to audit all network traffic entering and leaving a VPC. Which AWS service should be used to capture IP traffic information?

252

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN tunnel is up, but traffic from on-premises cannot reach EC2 instances in the VPC. The EC2 instances have a security group that allows inbound ICMP from the on-premises CIDR. What is the most likely cause?

253

A company wants to allow a specific IAM user to manage network ACLs for a specific VPC only. Which IAM policy action should be used?

254

A company wants to block outgoing traffic from a specific EC2 instance to the internet, except for HTTPS traffic to a specific API endpoint. Which AWS service can enforce this at the instance level?

255

A company needs to ensure that all outbound traffic from a VPC goes through a centralized inspection appliance in a different VPC. Which TWO actions must be taken to achieve this?

256

Which THREE of the following are valid ways to restrict access to an S3 bucket that is accessed by EC2 instances in a VPC?

257

Which TWO of the following are best practices for securing a VPC?

258

A company is using AWS Transit Gateway to connect multiple VPCs. The security team wants to inspect all traffic between VPCs with a third-party firewall appliance deployed in a centralized inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

259

A company needs to meet compliance requirements that mandate encryption of all data in transit between EC2 instances in the same VPC. The instances are in different subnets and communicate using TCP port 443. Which solution should a network engineer implement?

260

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer needs to restrict access to only the company's public IP range (203.0.113.0/24). What is the correct way to modify the security group rule?

261

A company is deploying an AWS Network Firewall in a centralized inspection VPC and needs to send traffic from multiple VPCs through it. The VPCs are attached to a Transit Gateway. What configuration is required to route traffic to the firewall?

262

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service should be used to provide internet access to instances in the private subnets without assigning public IP addresses?

263

A security engineer is designing a network ACL for a public subnet. The subnet hosts a web server on port 443. Which inbound and outbound rules should be configured to allow HTTPS traffic from the internet? (Assume default deny all rule.)

264

A company has a requirement to audit all network traffic leaving a VPC. The traffic includes traffic to the internet, to on-premises via VPN, and to other VPCs via Transit Gateway. Which AWS service can capture and log all outbound traffic for compliance analysis?

265

A company wants to securely connect an on-premises data center to an AWS VPC over the internet using IPsec. Which AWS service should be used?

266

A network engineer needs to ensure that all traffic between two VPCs (VPC A and VPC B) is encrypted in transit. The VPCs are in the same region and are connected via a VPC peering connection. What should the engineer do?

267

A company is implementing a network security solution for a VPC that contains a web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The company wants to protect against common web exploits and also filter outbound traffic from the instances. Which TWO services should be used together?

268

A company is designing a multi-VPC architecture with AWS Transit Gateway. The security requirements include: (1) all inter-VPC traffic must be inspected by a central firewall, (2) traffic to the internet must egress through a centralized egress VPC, and (3) traffic to on-premises via Direct Connect must go through the same inspection firewall. Which THREE components are required to meet these requirements?

269

A security team needs to implement a solution to detect and alert on suspicious network traffic within a VPC. The solution should analyze VPC Flow Logs and generate findings for potential threats. Which THREE AWS services can be used together to achieve this?

270

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be inspected by a third-party firewall appliance for compliance. The firewall appliance must be deployed in a separate VPC and must inspect traffic without introducing a single point of failure. Which architecture meets these requirements?

271

A company's security team notices that a VPC flow log record shows an outbound connection from a private EC2 instance to an IP address in a restricted country. The security group allows outbound 0.0.0.0/0 for TCP 443. The network ACL allows outbound traffic to 0.0.0.0/0 on ephemeral ports. The company uses AWS Network Firewall with a firewall policy that has a stateful rule group that denies traffic to the restricted country. The flow log shows the traffic was accepted. What is the most likely cause?

272

A company wants to securely connect an on-premises data center to a VPC in AWS. The connection must be encrypted and use the public internet. The company has a moderate volume of traffic and needs a quick setup. Which solution meets these requirements?

273

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no VPC in any account can have an internet gateway attached. Which option meets this requirement?

274

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to use a proxy server running on an EC2 instance in the public subnet. The security group for the proxy server must allow inbound HTTP/HTTPS from the instance in the private subnet. The security group for the private instance must allow outbound HTTP/HTTPS to the proxy server. However, the private instance cannot connect to the proxy. What is the most likely cause?

275

A company needs to audit all changes to security groups in a VPC. Which AWS service should be used?

276

A company has a VPC with multiple subnets. The network ACL for a subnet is configured to deny all inbound traffic. A security group attached to an EC2 instance in that subnet allows SSH from a specific IP range. Will SSH traffic from that IP range reach the instance?

277

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The application is fronted by Amazon CloudFront and an Application Load Balancer. The security team wants to receive notifications when a DDoS attack is detected. Which AWS service should be used to receive these notifications?

278

A company wants to allow a specific IP address range to access an EC2 instance in a private subnet using a bastion host. The bastion host is in a public subnet. Which security group configuration is correct?

279

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC contains a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to use a VPC endpoint for S3. Which TWO configurations are required?

280

A security engineer is designing a network security solution for a multi-tier application. The web tier must be accessible from the internet on ports 80 and 443. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier on port 3306. Which THREE network access control mechanisms should be used?

281

A company is designing a network architecture for a highly sensitive application that must meet strict compliance requirements. The application is deployed in a VPC with multiple subnets. The company needs to ensure that all traffic between subnets is encrypted and that no traffic can bypass the encryption. Which THREE steps should be taken?

282

A company is using AWS Direct Connect to connect its on-premises network to VPCs in multiple AWS accounts. The company wants to ensure that traffic from the on-premises network can only access specific VPCs based on the source IP address. Which AWS service should be used to enforce this segmentation?

283

A company has a VPC with public and private subnets. An application in the private subnet needs to access an S3 bucket. Which design meets security best practices without exposing the application to the internet?

284

A security engineer needs to audit all changes to security group rules in an AWS account. Which AWS service should be used to record these changes?

285

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no security group allows inbound SSH (port 22) from 0.0.0.0/0. Which policy type should be used?

286

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to connect to the internet for patching. The security team wants to minimize the attack surface. Which solution should be used?

287

A network engineer needs to block traffic from a specific IP address to an EC2 instance. Which component should be modified?

288

A company is deploying a web application behind an Application Load Balancer (ALB). The application must only accept traffic from the ALB. Which security group configuration should be used for the EC2 instances?

289

A company wants to centrally manage and enforce VPC security group rules across multiple accounts in AWS Organizations. Which AWS service should be used?

290

A company wants to encrypt data in transit between an on-premises data center and AWS. Which service provides a dedicated encrypted connection?

291

A security engineer is designing a VPC with public and private subnets. The company requires that instances in the private subnet can initiate outbound connections to the internet but cannot receive inbound connections from the internet. Which TWO components are necessary? (Choose 2)

292

A company wants to inspect traffic between VPCs in the same region using a third-party security appliance. Which THREE components are needed? (Choose 3)

293

A company needs to log all network traffic to and from EC2 instances for security analysis. Which TWO services can capture this data? (Choose 2)

294

A company uses AWS Organizations with multiple accounts. The security team wants to centrally enforce that no Amazon S3 buckets are publicly accessible across all accounts. Which solution meets this requirement with the least operational overhead?

295

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT Gateway. The security team wants to ensure that traffic from the private subnets to the internet is logged and inspected for malicious activity. Which solution meets these requirements?

296

A company wants to allow its employees to securely access internal web applications hosted in a VPC without using a VPN. The solution must authenticate users against the company's Active Directory and apply fine-grained access controls. Which AWS service should be used?

297

A company is designing a multi-account architecture. They need to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the security account. The logs must be encrypted at rest using a customer-managed KMS key in the security account. Which combination of steps is required?

298

A company uses AWS Certificate Manager (ACM) to issue certificates for a fleet of Application Load Balancers. The security team requires that only specific IAM roles can request, renew, or delete ACM certificates. Which policy type should be used to enforce this?

299

A company is using AWS CloudHSM to store sensitive encryption keys. Which of the following is a security best practice for managing the HSM?

300

A company has a VPC with multiple security groups. An EC2 instance in security group A needs to communicate with an RDS instance in security group B on port 3306. The security team wants to minimize exposure. What should the inbound rule in security group B be?


Frequently asked questions

What does the Network Security, Compliance and Governance domain cover on the ANS-C01 exam?

The Network Security, Compliance and Governance domain covers the key concepts tested in this area of the ANS-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all ANS-C01 domains — no account required.

How many Network Security, Compliance and Governance questions are in the ANS-C01 question bank?

The Courseiva ANS-C01 question bank contains 300 questions in the Network Security, Compliance and Governance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Network Security, Compliance and Governance for ANS-C01?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Network Security, Compliance and Governance questions for ANS-C01?

Yes — the session launcher on this page draws questions exclusively from the Network Security, Compliance and Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
