© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

ANS-C01 Network Security, Compliance and Governance — All Questions With Answers

Complete ANS-C01 Network Security, Compliance and Governance question bank — all 0 questions with answers and detailed explanations.

421 questions
Question 1 (medium, multiple choice)

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

Question 2 (hard, multiple choice)

A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?

Question 3 (easy, multiple choice)

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

Question 4 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

Question 5 (medium, multiple choice)

A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?

Question 6 (medium, multi select)

A security engineer is designing a security group configuration for a web application that consists of an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS database. Which TWO actions should the engineer take to follow security best practices? (Choose TWO.)

Question 7 (hard, multi select)

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The company requires that all traffic between VPCs must be inspected by a centralized security appliance in a shared services VPC. The security appliance must receive traffic in both directions (ingress and egress). Which THREE components are required to achieve this? (Choose THREE.)

Question 8 (hard, multiple choice)

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?

Question 9 (easy, multiple choice)

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPSec. Which solution meets this requirement?

Question 10 (medium, multiple choice)

A company has a VPC with public and private subnets. An application running in a private subnet needs to access an S3 bucket to read and write data. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution should the team implement?

Question 11 (medium, multiple choice)

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer discovers that an EC2 instance was compromised via SSH. The engineer needs to identify which IAM user created the overly permissive security group rule. Which AWS service or feature should the engineer use?

Question 12 (hard, multiple choice)

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

Question 13 (medium, multi select)

A company has a VPC with public and private subnets. The security team wants to implement a web application firewall to protect against common web exploits. Which TWO AWS services can be used together to achieve this?

Question 14 (hard, multi select)

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team requires that the web tier can only be accessed from the internet, the application tier can only be accessed from the web tier, and the database tier can only be accessed from the application tier. Additionally, the team needs to ensure that no traffic can bypass these controls. Which THREE actions should the team take?

Question 15 (easy, multiple choice)

An IAM policy is attached to a user. What is the effect when the user attempts to launch an EC2 instance of type m5.large?

Exhibit (IAM policy JSON):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t2.micro"
                }
            }
        }
    ]
}

Question 16 (medium, multiple choice)

A security engineer runs tcpdump on an EC2 instance (10.0.1.5) and sees the output above. The instance is in a private subnet with a security group that allows inbound HTTPS from 0.0.0.0/0. The instance is behind a Network Load Balancer (NLB) that has a public IP. The engineer is unable to establish an HTTPS connection from the internet. What is the most likely cause?

Exhibit (tcpdump output):

[root@ip-10-0-1-5 ~]# tcpdump -i eth0 -n port 443
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [S], seq 12345, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 10.0.1.5.443 > 203.0.113.5.34567: Flags [S.], seq 54321, ack 12346, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [.], ack 54322, win 65535, length 0

Question 17 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

Question 18 (hard, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

Question 19 (easy, multiple choice)

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. The bucket policy should deny requests that do not originate from the VPC. Which condition key should be used in the bucket policy?

Question 20 (medium, multi select)

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The security team needs to centrally manage and enforce network security policies across all accounts. Which TWO services or features can be used to centrally enforce network security controls? (Choose TWO.)

Question 21 (hard, multiple choice)

A company attaches the above bucket policy to an S3 bucket. A user from the IP range 203.0.113.0/24 makes a request over HTTPS (TLS) to download an object from the bucket. Will the request succeed?

Exhibit (S3 bucket policy):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Question 22 (hard, multiple choice)

A company has deployed a multi-tier application in a VPC with public and private subnets. The web tier runs on EC2 instances in public subnets, and the application tier runs on EC2 instances in private subnets. The application tier must only accept traffic from the web tier security group. The security group for the application tier has an inbound rule allowing HTTP traffic from the web tier security group. However, the application team reports that the web tier instances cannot connect to the application tier instances. The network administrator has verified that the web tier instances can resolve the private DNS names of the application tier instances, and the route tables are correctly configured. What is the MOST likely cause of the connectivity issue?

Question 23 (medium, multi select)

A company has a VPC with public and private subnets. The security team wants to inspect all traffic between the private subnets and the internet using a centralized inspection VPC. The company uses AWS Network Firewall and wants to ensure that traffic cannot bypass the firewall. Which TWO actions should the company take? (Choose TWO.)

Question 24 (hard, multiple choice)

A security engineer created the above S3 bucket policy to grant public read access to objects in the 'confidential/' prefix. However, users report that they receive 'Access Denied' errors when trying to access objects that have the tag 'classification: public'. What is the most likely cause?

Exhibit (Resource Policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/classification": "public"
        }
      }
    }
  ]
}

Question 25 (easy, multiple choice)

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) across multiple Availability Zones. The application uses a MySQL database on an RDS instance in a private subnet. Security compliance requires that all traffic between the ALB and EC2 instances must be encrypted. The security team finds that the ALB currently sends traffic to the EC2 instances using HTTP on port 80. The EC2 security group allows inbound HTTP traffic from the ALB security group. The team needs to implement encryption with minimal changes and without disrupting the application. Which solution meets these requirements?

Question 26 (medium, drag order)

Order the steps to troubleshoot an AWS Direct Connect virtual interface that is in the 'down' state:

Question 27 (medium, drag order)

Order the steps to migrate a VPC from using an Internet Gateway to a NAT gateway for outbound-only internet access:

Question 28 (medium, drag order)

Order the steps to troubleshoot an inter-Region VPC peering connection that is not working:

Question 29 (medium, matching)

Match each AWS networking feature to its purpose for high availability or fault tolerance.

Descriptions to match:
Static public IP that can be remapped to another instance
DNS-based routing to healthy endpoints
Distributes traffic evenly across all registered targets in all AZs
Improves availability and performance using Anycast IPs
Captures IP traffic information for troubleshooting

Question 30 (medium, matching)

Match each AWS networking service to the OSI layer it primarily operates at.

Descriptions to match:
Layer 4 (Transport)
Layer 7 (Application)
Layer 3 and 4 (Network and Transport)
Layer 3 (Network)
Layer 2 (Data Link) or Layer 1 (Physical)

Question 31 (medium, matching)

Match each AWS Direct Connect virtual interface type to its use case.

Descriptions to match:
Access to VPCs using private IP addresses
Access to public AWS services (e.g., S3, DynamoDB) using public IPs
Connect to a Direct Connect Gateway for multiple VPCs
Virtual interface provisioned by an AWS Direct Connect Partner
Encrypted virtual interface using MACsec

Question 32 (medium, multiple choice)

A company wants to restrict access to an Amazon S3 bucket so that only traffic from a specific AWS Direct Connect virtual interface (VIF) can access it. Which combination of steps should the company take?

Question 33 (easy, multiple choice)

A security engineer needs to ensure that all internet-bound traffic from a VPC is inspected by a third-party firewall appliance before reaching the internet. The firewall is deployed in a separate VPC. Which AWS service should the engineer use to route traffic from the source VPC to the firewall VPC?

Question 34 (hard, multiple choice)

A company has a hybrid network with an AWS Site-to-Site VPN connection to an on-premises data center. The network team wants to ensure that only encrypted traffic is sent over the internet between the two sites. The VPC has a virtual private gateway attached. When testing, they discover that some traffic is going over the internet without encryption. Which configuration change should be made to enforce encryption?

Question 35 (easy, multiple choice)

A company wants to block incoming traffic from specific IP addresses at the edge of the AWS network before it reaches the application load balancer. Which AWS service should be used?

Question 36 (medium, multiple choice)

A company has a VPC with multiple subnets. They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all outbound traffic from the VPC to the internet. Currently, the VPC route table has a default route (0.0.0.0/0) pointing to an internet gateway. What routing change is required to route outbound traffic through the firewall?

Question 37 (hard, multiple choice)

An organization has a requirement that all cross-account access to Amazon S3 buckets must be logged and monitored. The security team has enabled AWS CloudTrail and S3 server access logs. However, they notice that some cross-account access attempts are not being logged. Which additional step should be taken to ensure all cross-account access is logged?

Question 38 (easy, multiple choice)

A company wants to centrally manage and enforce security policies across multiple AWS accounts and VPCs. They need to ensure that all VPCs have a specific set of rules, such as disabling public subnets. Which AWS service should be used?

Question 39 (medium, multiple choice)

A company has an Amazon RDS for MySQL database in a private subnet. The database should only be accessible from a specific fleet of EC2 instances in the same VPC. Which combination of security controls should be used to meet this requirement?

Question 40 (hard, multiple choice)

A company has a VPC with a CIDR block of 10.0.0.0/16. They have an AWS Site-to-Site VPN connection to an on-premises network with a CIDR of 192.168.0.0/16. The VPN is configured with dynamic routing (BGP). The on-premises network advertises a route to 192.168.0.0/16 via BGP. The VPC route table has a static route to 192.168.0.0/16 pointing to a virtual private gateway. The company also has a Direct Connect connection to the same on-premises network advertising the same CIDR. The VPC route table has a static route to 192.168.0.0/16 pointing to a Direct Connect virtual interface. Which route will be used for traffic destined to 192.168.0.0/16?

Question 41 (medium, multi select)

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must not. Which TWO design choices meet these requirements? (Choose two.)

Question 42 (hard, multi select)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all traffic between subnet A and subnet B. Which TWO actions are required? (Choose two.)

Question 43 (medium, multi select)

A company needs to log all network traffic between EC2 instances in a VPC for security analysis. They want to capture metadata about traffic, including source and destination IP, ports, protocol, and packet counts. Which THREE AWS services or features can be used to achieve this? (Choose three.)

Question 44 (medium, multiple choice)

A security team has attached the above IAM policy to a user. The user tries to add an inbound rule to a security group that allows traffic from 0.0.0.0/0. The request is denied. However, the user is able to add a rule allowing traffic from 203.0.113.10. Which statement explains this behavior?

Exhibit (IAM Policy JSON):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizeSecurityGroupIngress": "0.0.0.0/0"
        }
      }
    }
  ]
}

Question 45 (hard, multiple choice)

A network engineer has created a gateway VPC endpoint for S3 as shown in the exhibit. The endpoint is associated with route table rtb-12345678. An EC2 instance in a subnet that uses route table rtb-12345678 tries to download an object from my-bucket. The request fails with an access denied error. Which change should the engineer make to resolve the issue?

Exhibit (AWS CLI output):

$ aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-12345678
{
  "VpcEndpoints": [
    {
      "VpcEndpointId": "vpce-12345678",
      "VpcEndpointType": "Gateway",
      "ServiceName": "com.amazonaws.us-east-1.s3",
      "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
      "RouteTableIds": ["rtb-12345678"],
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket/*"],
            "Condition": {
              "StringEquals": {
                "aws:SourceVpc": "vpc-0a1b2c3d4e5f6g7h8"
              }
            }
          }
        ]
      },
      "CreationTimestamp": "2023-01-01T00:00:00Z"
    }
  ]
}

Question 46 (easy, multiple choice)

A CloudFormation stack was created with the above snippet. An administrator notices that the EC2 instance can receive HTTP traffic from the internet, but cannot access the internet itself (e.g., to download updates). What is the most likely cause?

Exhibit (CloudFormation snippet):
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP from anywhere
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-12345678
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref MySecurityGroup

Question 47 (medium, multiple choice)

A company uses AWS Organizations with SCPs to restrict access. The security team needs to prevent users in the 'Developers' OU from disabling AWS Config or modifying its rules. Which SCP effect should be used?

Question 48 (hard, multiple choice)

A company is designing a hub-and-spoke network in AWS. The security team requires that all traffic between VPCs in different spokes must be inspected by a third-party firewall deployed in the hub VPC. Which architecture meets this requirement with minimal complexity?

Question 49 (easy, multiple choice)

A company uses AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection attempts. Which WAF rule type should be used?

Question 50 (hard, multiple choice)

A company uses AWS Shield Advanced for DDoS protection. During an attack, they notice that legitimate traffic is being throttled. Which configuration change should be made to reduce false positives while maintaining protection?

Question 51 (medium, multiple choice)

A company is deploying a multi-tier application in a VPC. The web servers must be accessible from the internet, but the database servers must not be. Which architecture meets these requirements?

Question 52 (easy, multiple choice)

A company needs to encrypt data at rest in Amazon S3. Which AWS service manages the encryption keys?

Question 53 (medium, multiple choice)

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

Question 54 (hard, multiple choice)

A company uses AWS Direct Connect to connect their on-premises network to AWS. They want to encrypt all traffic between their on-premises router and the AWS Direct Connect location. Which solution should they implement?

Question 55 (easy, multiple choice)

A company needs to block traffic from a specific IP address range in their VPC. Which component should be used?

Question 56 (medium, multi select)

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which TWO services should they use to protect against common web exploits and DDoS attacks?

Question 57 (hard, multi select)

A company is designing a network security architecture for a multi-account environment using AWS Organizations. They need to centrally manage and enforce security policies across all accounts. Which THREE services should they consider?

Question 58 (easy, multi select)

A company is using Amazon S3 to store sensitive data. They want to ensure that data is encrypted at rest and that access is logged. Which TWO services should they enable?

Question 59 (medium, multiple choice)

A company wants to restrict access to its S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition should be used?

Question 60 (easy, multiple choice)

A security team requires that all traffic between Amazon EC2 instances in different subnets of a VPC be logged. Which AWS service should be used to capture and log the traffic?

Question 61 (hard, multiple choice)

A company has a hybrid network with an AWS Direct Connect connection to a VPC. They also have a site-to-site VPN connection as a backup. The VPC routing tables are configured with a route to the on-premises CIDR via the virtual private gateway. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect connection even when it is healthy. What is the most likely cause?

Question 62 (easy, multiple choice)

A company wants to allow its developers to access Amazon RDS databases from their on-premises network without traversing the public internet. Which solution meets this requirement?

Question 63 (medium, multiple choice)

A company has an AWS Lambda function that needs to access an S3 bucket in the same AWS account. The Lambda function is configured to use the VPC default execution role. The S3 bucket policy denies all principals except those explicitly allowed. The Lambda function cannot access the bucket. What should be done to resolve this issue?

Question 64 (hard, multiple choice)

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. They need to centrally manage and enforce VPC security group rules across all accounts. Which service should they use?

Question 65 (medium, multiple choice)

A company wants to ensure that all traffic to and from its Amazon EC2 instances in a VPC is inspected by a third-party security appliance. The instances are in private subnets and must maintain their private IP addresses. Which solution should be used?

Question 66 (easy, multiple choice)

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests from a specific IP address range. Which component should they use?

Question 67 (hard, multiple choice)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have peered this VPC with another VPC using a VPC Peering connection. The peered VPC has a CIDR of 10.0.0.0/16 (overlapping). The company wants to allow communication between specific instances in both VPCs without changing the CIDRs. What should they do?

Question 68 (medium, multiple choice)

A company has an AWS Direct Connect connection and wants to ensure that all traffic from its VPC to an S3 bucket in another region stays within the AWS network. How should this be accomplished?

Question 69 (hard, multi select)

A company wants to monitor and log all changes to security group rules in their AWS account for compliance purposes. Which TWO services can be used together to achieve this?

Question 70 (medium, multi select)

A company is designing a network security solution for a VPC that hosts a multi-tier web application. The web servers are in a public subnet, and the application servers are in a private subnet. The company wants to ensure that the web servers can only be accessed on port 443 from the internet, and the application servers can only be accessed from the web servers on port 3306. Which THREE components should be configured?

Question 71 (medium, multi select)

A company is using AWS Organizations and wants to centrally manage and enforce the use of VPC endpoints for S3 across all accounts. Which THREE services/tools can be combined to achieve this?

Question 72 (medium, multiple choice)

A company uses AWS Organizations with SCPs to restrict access. The security team wants to ensure that no IAM user or role can disable AWS Shield Advanced protections. Which SCP effect should be used?

Question 73 (hard, multiple choice)

A company needs to securely connect an on-premises data center to AWS using multiple VPN tunnels. The security team requires that all traffic between the VPC and on-premises be encrypted and that the tunnels use a second authentication mechanism beyond pre-shared keys. Which solution meets these requirements?

Question 74 (easy, multiple choice)

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for logging and compliance. Which service should be used?

Question 75 (medium, multiple choice)

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices that a specific IP address is generating a high number of requests and wants to block it immediately. What is the MOST efficient way to block this IP address?

Question 76 (hard, multiple choice)

A company is migrating a legacy application to AWS. The application requires that all network traffic between two VPCs be inspected by a third-party firewall appliance. The firewall must be able to inspect traffic bidirectionally and automatically fail over if the appliance becomes unhealthy. Which architecture meets these requirements?

Question 77 (easy, multiple choice)

A security engineer is configuring AWS CloudTrail to log all management events across all regions. The logs must be stored in an S3 bucket that is encrypted with an AWS KMS key. Which bucket policy element is required to allow CloudTrail to write logs?

Question 78 (medium, multiple choice)

A company's security team is investigating a potential data exfiltration incident. They notice that an EC2 instance in a private subnet is making HTTPS connections to an unknown external IP address. The instance's security group only allows outbound HTTPS to a specific set of IPs. What is the MOST likely cause of the traffic?

Question 79 (hard, multiple choice)

A company uses AWS Shield Advanced for DDoS protection. During an attack, the security team notices that legitimate traffic is being throttled. They want to allow certain known IP addresses to bypass Shield Advanced rate-based rules. What should they do?

Question 80 (easy, multiple choice)

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to enforce this policy?

Question 81 (medium, multi select)

Which TWO statements are correct regarding the use of AWS Network Firewall? (Choose 2)

Question 82 (hard, multi select)

Which THREE actions can AWS Config perform to help with network security compliance? (Choose 3)

Question 83 (medium, multi select)

Which TWO features are provided by AWS Shield Advanced that are not available in AWS Shield Standard? (Choose 2)

Question 84 (medium, multiple choice)

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive data that should only be accessible from the corporate network (192.0.2.0/24). What is a potential security issue with this policy?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 85 (hard, multiple choice)

Refer to the exhibit. A network engineer is troubleshooting connectivity issues from an EC2 instance in subnet-11111111. The instance can send traffic outbound, but cannot receive inbound HTTPS traffic from the internet. What is the likely cause?

Network Topology
```
$ aws ec2 describe-network-acls --network-acl-id acl-12345678
{
  "NetworkAcls": [
    {
      "Associations": [
        {
          "NetworkAclAssociationId": "aclassoc-11111111",
          "NetworkAclId": "acl-12345678",
          "SubnetId": "subnet-11111111"
        }
      ],
      "Entries": [
        {
          "CidrBlock": "0.0.0.0/0",
          "Egress": false,
          "Protocol": "6",
          "RuleAction": "allow",
          "RuleNumber": 100,
          "PortRange": {"From": 443, "To": 443}
        },
        {
          "Protocol": "-1",
          "RuleAction": "deny",
          "RuleNumber": 32766,
          "PortRange": {}
        },
        {
          "Egress": true,
          ...
(exhibit output truncated at this point)
```
Question 86 (medium, multiple choice)

Refer to the exhibit. A security engineer applies this SCP to an AWS account. What is the effect of this policy?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 87 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all Amazon S3 buckets in the organization are encrypted at rest. Which policy should be attached to the root organizational unit to enforce this requirement?

Question 88 (hard, multiple choice)

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team needs to block a specific IP address range that has been launching DDoS attacks. The solution must be implemented at the network edge, before traffic reaches the ALB. What should the security team do?

Question 89 (easy, multiple choice)

A company has a VPC with public and private subnets. The security team wants to allow instances in a private subnet to download software updates from the internet but prevent inbound internet traffic. Which AWS service should be used?

Question 90 (medium, multiple choice)

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, while the application and database tiers must be isolated. The security team wants to minimize the attack surface. Which design should they choose?

Question 91 (hard, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team wants to ensure that traffic between the on-premises network and AWS is encrypted. Which solution meets this requirement?

Question 92 (easy, multiple choice)

A security engineer needs to centrally manage and enforce rules for network traffic between VPCs in a large AWS environment. Which AWS service provides this capability?

Question 93 (medium, multiple choice)

A company has an AWS account with multiple VPCs. The security team wants to ensure that no VPC has an internet gateway attached. Which AWS service can be used to automatically detect and remediate non-compliant VPCs?

Question 94 (hard, multiple choice)

A company is migrating a legacy application to AWS. The application requires that all traffic between the web and application tiers be encrypted, but the application does not support TLS. What should a network engineer do to meet this requirement without modifying the application?

Question 95 (easy, multiple choice)

A company wants to audit all changes to security group rules in a VPC. Which AWS service should be used to record these changes?

Question 96 (medium, multi select)

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to enforce that all VPCs use a specific set of security group rules for inbound SSH access. Which TWO steps should the team take? (Choose two.)

Question 97 (hard, multi select)

A company has a VPC with public and private subnets. The security team wants to inspect all traffic leaving the VPC to the internet for malicious activity. Which THREE services should be used together to achieve this? (Choose three.)

Question 98 (easy, multi select)

A company wants to secure data at rest in an Amazon S3 bucket. Which TWO of the following can be used to achieve this? (Choose two.)

Question 99 (hard, multiple choice)

A security engineer created the S3 bucket policy shown. After applying it, users from the 10.0.0.0/16 network (VPC CIDR) are able to access objects, but external users from 203.0.113.0/24 receive 'Access Denied' even though they are using HTTPS. What is the likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/16",
            "203.0.113.0/24"
          ]
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
Question 100 (medium, multiple choice)

A security engineer reviews VPC Flow Logs and sees the entries shown. The last entry shows a REJECT for traffic from 203.0.113.5 to 10.0.1.5 on port 443. However, the third entry shows ACCEPT for traffic from 10.0.1.5 to 203.0.113.5 on port 443. What is the most likely reason for the REJECT?

Exhibit

Refer to the exhibit.

[VPC Flow Logs output]
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 443 6 10 1000 1620000000 1620000010 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 22 22 6 5 500 1620000010 1620000020 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 203.0.113.5 443 443 6 20 2000 1620000020 1620000030 ACCEPT OK
2 123456789010 eni-12345678 203.0.113.5 10.0.1.5 443 443 6 15 1500 1620000030 1620000040 REJECT OK
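The reasoning behind Question 100 can be automated: a security group is stateful, so once it has accepted an outbound flow the reply is admitted by connection tracking and never rejected; a REJECT of the reply therefore points at the stateless subnet network ACL. The following Python is an added example (not part of the question bank and not AWS code). It assumes the default version-2 flow log format, and the four sample records are constructed to match the exhibit above.

```python
"""Pair VPC Flow Log records to separate a stateless (network ACL) reject
from a security-group reject. Added example, not AWS code; sample records
are constructed to match the Question 100 exhibit (default v2 format)."""
from dataclasses import dataclass

V2_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
             "protocol packets bytes start end action log_status").split()

# Constructed sample: the four records shown in the Question 100 exhibit.
SAMPLE_LOG = """\
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 443 6 10 1000 1620000000 1620000010 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 22 22 6 5 500 1620000010 1620000020 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 203.0.113.5 443 443 6 20 2000 1620000020 1620000030 ACCEPT OK
2 123456789010 eni-12345678 203.0.113.5 10.0.1.5 443 443 6 15 1500 1620000030 1620000040 REJECT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    start: int
    end: int
    action: str

    @property
    def flow(self):
        return (self.interface_id, self.srcaddr, self.dstaddr,
                self.srcport, self.dstport, self.protocol)

    @property
    def reverse_flow(self):
        # The reply to a flow swaps addresses and ports on the same ENI.
        return (self.interface_id, self.dstaddr, self.srcaddr,
                self.dstport, self.srcport, self.protocol)


def parse_v2(text):
    """Parse default-format records. NODATA/SKIPDATA records carry '-' in the
    address fields and no ACCEPT/REJECT action, so they are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(V2_FIELDS):
            raise ValueError(f"not a 14-field v2 record: {line!r}")
        f = dict(zip(V2_FIELDS, parts))
        if f["action"] not in ("ACCEPT", "REJECT"):
            continue
        records.append(FlowRecord(f["interface_id"], f["srcaddr"], f["dstaddr"],
                                  int(f["srcport"]), int(f["dstport"]), int(f["protocol"]),
                                  int(f["start"]), int(f["end"]), f["action"]))
    return records


def stateless_rejects(records):
    """REJECT records whose reverse flow was ACCEPTed earlier on the same ENI.
    The security group would have admitted that reply statefully, so the
    rejecting control is the subnet network ACL (or a host firewall), which
    evaluates the reply on its own against the inbound rules."""
    first_accept = {}
    suspects = []
    for rec in sorted(records, key=lambda r: r.start):
        if rec.action == "ACCEPT":
            first_accept.setdefault(rec.flow, rec.start)
        elif rec.reverse_flow in first_accept and first_accept[rec.reverse_flow] <= rec.start:
            suspects.append(rec)
    return suspects


def explain(rec):
    return (f"{rec.srcaddr}:{rec.srcport} -> {rec.dstaddr}:{rec.dstport} REJECT on "
            f"{rec.interface_id}: the reverse flow was ACCEPTed, so check the subnet "
            f"network ACL inbound rules (ephemeral port range), not the security group")


if __name__ == "__main__":
    for hit in stateless_rejects(parse_v2(SAMPLE_LOG)):
        print(explain(hit))
```

The pairing relies on the reply carrying the swapped address/port pair on the same ENI; a NAT gateway or load balancer between the two hosts rewrites addresses, and a REJECT with no earlier ACCEPT in the other direction says nothing about which control dropped it.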
Question 101 (hard, multiple choice)

A network administrator attached the IAM policy shown to a user. The user tries to create an internet gateway in us-east-1 without any tags. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateInternetGateway",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/purpose": "production"
        }
      }
    }
  ]
}
Question 102 (medium, multiple choice)

A company wants to restrict access to an S3 bucket so that only traffic from a specific AWS account is allowed. Which S3 bucket policy condition key should be used to achieve this?

Question 103 (easy, multiple choice)

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while preventing inbound traffic from the internet. Which AWS service should they use?

Question 104 (hard, multiple choice)

A company uses AWS WAF to protect a web application. They notice that some malicious requests are being allowed. After investigating, they find that the requests have valid AWS WAF tokens but the payloads are obfuscated. Which WAF configuration should be reviewed to improve detection?

Question 105 (medium, multiple choice)

A security engineer needs to audit all API calls made in an AWS account for compliance. The engineer wants to capture the source IP address and the user agent for each call. Which AWS service should be used?

Question 106 (hard, multiple choice)

A company has a VPC with multiple subnets. They want to enforce that all traffic between subnets must be inspected by a security appliance deployed in a centralized inspection VPC. Which AWS feature should be used to route traffic to the inspection VPC without changing the routing on each subnet?

Question 107 (easy, multiple choice)

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its backend targets. Which AWS service should be used to terminate TLS at the ALB and re-encrypt traffic to the targets?

Question 108 (medium, multiple choice)

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet that needs to access an S3 bucket in the same region. Which approach provides the most secure and cost-effective access?

Question 109 (hard, multiple choice)

A company uses AWS Network Firewall to inspect traffic. They notice that some traffic is bypassing the firewall. The VPC has a route table with a default route (0.0.0.0/0) pointing to the firewall endpoint. Which configuration could cause traffic to bypass the firewall?

Question 110 (easy, multiple choice)

A company needs to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile apps. Which AWS service should they use?

Question 111 (medium, multi select)

A company is designing a network security architecture for a multi-account environment using AWS Organizations. Which TWO services can be used to centrally manage security policies across all accounts?

Question 112 (hard, multi select)

A company wants to secure network traffic between on-premises data centers and AWS using AWS Site-to-Site VPN. Which TWO components are required to establish a VPN connection?

Question 113 (medium, multi select)

A company wants to monitor and log all network traffic within a VPC for security analysis. Which THREE services can be used to achieve this?

Question 114 (hard, multiple choice)

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. Users in a different VPC with IP range 10.0.0.0/16 are able to access objects, but users in a different VPC with IP range 10.1.0.0/16 cannot. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
Question 115 (medium, multiple choice)

Refer to the exhibit. A network engineer examines the network ACL for a subnet. Which statement best describes the effect of this network ACL?

Network Topology
```
$ aws ec2 describe-network-acls --region us-east-1
{
  "NetworkAcls": [
    {
      "Associations": [
        {
          "NetworkAclId": "acl-12345",
          "SubnetId": "subnet-abc"
        }
      ],
      "Entries": [
        {
          "CidrBlock": "0.0.0.0/0",
          "Egress": false,
          "Protocol": "6",
          "RuleAction": "allow",
          "RuleNumber": 100
        },
        {
          "Protocol": "-1",
          "RuleAction": "deny",
          "RuleNumber": 32767
        },
        {
          "Egress": true,
          ...
        }
      ],
      "NetworkAclId": "acl-12345"
    }
  ]
}
```
Question 116 (easy, multiple choice)

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. What is the effect of the policy?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
```
Question 117 (medium, multiple choice)

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which SCP should be applied to the root OU?

Question 118 (hard, multiple choice)

A network engineer is designing a VPC with private subnets for workloads that must not have direct internet access. However, the workloads need to download patches from a specific third-party vendor's IP range. Which solution minimizes the attack surface?

Question 119 (easy, multiple choice)

A security engineer notices that a security group allows inbound SSH from 0.0.0.0/0. Which immediate action should be taken to reduce risk?

Question 120 (medium, multiple choice)

A company uses AWS Direct Connect to connect its on-premises network to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which solution should be used?

Question 121 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution meets this requirement?

Question 122 (easy, multiple choice)

Which AWS service can be used to centrally manage and enforce security group rules across multiple accounts in AWS Organizations?

Question 123 (medium, multiple choice)

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs is encrypted. What should they do?

Question 124 (hard, multiple choice)

A security engineer is troubleshooting connectivity issues. An EC2 instance cannot access the internet. The instance is in a private subnet with a route table that has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in a public subnet with an Elastic IP. The security group allows all outbound traffic. What is the most likely cause?

Question 125 (medium, multiple choice)

A company wants to use AWS Certificate Manager (ACM) to provide a TLS certificate for a website hosted on an ALB. The domain is example.com, and the certificate must be renewed automatically. Which type of certificate should be requested?

Question 126 (medium, multi select)

Which TWO actions should be taken to secure an EC2 instance that is used as a bastion host? (Choose 2)

Question 127 (hard, multi select)

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose 3)

Question 128 (easy, multi select)

Which TWO statements about AWS WAF are accurate? (Choose 2)

Question 129 (hard, multiple choice)

An IAM policy is created and attached to a user. The user reports they cannot stop a production EC2 instance. What is the most likely reason?

Exhibit

Refer to the exhibit.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Environment": "production"
                }
            }
        }
    ]
}
```
Question 130 (medium, multiple choice)

A network security engineer is reviewing the NACL configuration. An EC2 instance in the subnet associated with this NACL is not receiving SSH connections from the internet. What is the issue?

Network Topology
```
$ aws ec2 describe-network-acls --region us-east-1
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-12345",
      "Entries": [
        {
          "RuleNumber": 100,
          "Protocol": "6",
          "PortRange": {"From": 22, "To": 22},
          "CidrBlock": "0.0.0.0/0",
          "RuleAction": "allow",
          "Egress": false
        },
        {
          "RuleNumber": 200,
          "RuleAction": "deny",
          ...
(exhibit output truncated at this point)
```
Question 131 (easy, multiple choice)

A security group is configured as shown. An EC2 instance in the same VPC with IP 10.0.1.50 can connect to the instance on port 443. An on-premises client with IP 203.0.113.5 cannot connect. What is the most likely reason?

Network Topology
```
$ aws ec2 describe-security-groups --group-ids sg-12345
{
  "SecurityGroups": [
    {
      "GroupId": "sg-12345",
      "IpPermissions": [
        {
          "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "IpRanges": [
            {"CidrIp": "10.0.0.0/16"}
          ]
        }
      ],
      ...
(exhibit output truncated at this point)
```
Question 132 (medium, multiple choice)

A company wants to securely connect an on-premises data center to a VPC using AWS Site-to-Site VPN. The security team requires that all traffic between the on-premises network and the VPC be encrypted and that the VPN tunnel be highly available. Which design BEST meets these requirements?

Question 133 (hard, multiple choice)

A security engineer is designing a network ACL for a public-facing web application in a VPC. The application uses an Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an RDS database in a private subnet. The engineer needs to allow HTTPS traffic from the internet to the ALB, and allow the ALB to forward traffic to the web servers on port 8080. The web servers need to query the database on port 3306. Which network ACL configuration should the engineer implement for the private subnet containing the web servers?

Question 134 (easy, multiple choice)

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across the organization are encrypted with SSE-S3. Which control mechanism should they use?

Question 135 (medium, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized security appliance running in a security VPC. Which configuration should be used?

Question 136 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize data transfer costs and avoid exposing the private instance to inbound traffic from the internet. Which solution meets these requirements?

Question 137 (easy, multiple choice)

A company wants to audit all network traffic to and from an EC2 instance for compliance. The security team needs to capture full packet contents, including headers and payload, and store them in Amazon S3 for analysis. Which AWS service should they use?

Question 138 (medium, multiple choice)

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The security team wants to block a list of known malicious IP addresses from accessing the application. Which service should they use to implement this protection?

Question 139 (hard, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team notices that the BGP session between the on-premises router and the AWS virtual private gateway (VGW) is flapping. The on-premises router is configured to advertise a specific prefix. Which configuration change is MOST likely to stabilize the BGP session?

Question 140 (easy, multiple choice)

A security engineer needs to ensure that all traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the engineer do to meet this requirement?

Question 141 (medium, multi select)

A network engineer is troubleshooting connectivity issues between an EC2 instance and an RDS database in the same VPC. The EC2 instance can connect to the database, but the connection is slow. Which TWO actions should the engineer take to diagnose the issue? (Choose TWO.)

Question 142 (hard, multi select)

A company is designing a multi-account architecture using AWS Organizations. They want to centrally manage and enforce network security policies across all accounts. Which THREE services or features should they use together to achieve this? (Choose THREE.)

Question 143 (easy, multi select)

A security engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. The engineer wants to capture full packets and store them for later analysis. Which TWO AWS services can be used together to accomplish this? (Choose TWO.)

Question 144 (easy, multiple choice)

A company wants to restrict access to an S3 bucket so that only objects with server-side encryption using AWS KMS (SSE-KMS) can be uploaded. Which bucket policy condition should be used?

Question 145 (medium, multiple choice)

A security engineer is designing a network firewall solution for a VPC with multiple subnets. The solution must inspect traffic between instances in the same VPC, including traffic within the same subnet. Which AWS service should be used?

Question 146 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have block public access enabled. Which approach should be used?

Question 147 (easy, multiple choice)

A company has a requirement to encrypt all data in transit between its on-premises network and AWS over a VPN connection. Which solution provides encryption in transit?

Question 148 (medium, multiple choice)

A security engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which solution meets this requirement?

Question 149 (hard, multiple choice)

A company uses AWS CloudFormation to deploy resources. The security team wants to ensure that no IAM user can modify the stack set if they are not authorized via a specific IAM policy. Which feature should be used?

Question 150 (easy, multiple choice)

A company wants to centrally manage and enforce security rules for all VPCs in a multi-account environment. Which AWS service should be used?

Question 151 (medium, multiple choice)

An application running on EC2 instances needs to access a DynamoDB table. The security team requires that traffic does not traverse the internet. Which solution should be used?

Question 152 (hard, multiple choice)

A company needs to ensure that all API calls to AWS services are logged and monitored for suspicious activity. Additionally, any API call that creates a security group rule should trigger an immediate notification. Which combination of services should be used?

Question 153 (medium, multi select)

Which TWO actions should be taken to secure a VPC that hosts a web application? (Choose TWO.)

Question 154 (hard, multi select)

Which THREE services can be used to detect and protect against DDoS attacks? (Choose THREE.)

Question 155 (easy, multi select)

Which TWO are valid methods to encrypt data at rest in Amazon S3? (Choose TWO.)

Question 156 (medium, multiple choice)

Refer to the exhibit. A security engineer applies this S3 bucket policy. What is the result of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
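The policy exhibits in Questions 84, 86, 99, 101, 114, 116, 129 and 156 all turn on how IAM evaluates condition operators, and in particular on what happens when the condition key is absent from the request context. The Python below is an added example (not part of the question bank and not AWS code) that models single-policy evaluation for the operators those exhibits use. The Question 101 and Question 99 policies are copied from the exhibits; the ARNs and every request context are constructed for illustration.

```python
"""Evaluate the policy condition operators used in this section's exhibits
(IpAddress, Bool, StringEquals, StringNotEquals) with IAM's missing-key
semantics. Added example, not AWS code; Q101_POLICY and Q99_POLICY are the
exhibits verbatim, everything else is constructed."""
import fnmatch
import ipaddress

NEGATED = {"StringNotEquals", "StringNotLike", "NotIpAddress", "ArnNotEquals", "ArnNotLike"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _operator(base, ctx_vals, pol_vals):
    """One operator against the context values of one key (OR over values)."""
    if base in ("IpAddress", "NotIpAddress"):
        nets = [ipaddress.ip_network(p, strict=False) for p in pol_vals]
        hit = any(ipaddress.ip_address(v) in n for v in ctx_vals for n in nets)
        return hit if base == "IpAddress" else not hit
    if base == "Bool":
        return any(str(v).lower() == str(p).lower() for v in ctx_vals for p in pol_vals)
    if base == "StringEquals":        # exact and case-sensitive
        return any(v == p for v in ctx_vals for p in pol_vals)
    if base == "StringNotEquals":
        return all(v != p for v in ctx_vals for p in pol_vals)
    raise ValueError(f"operator not modelled: {base}")


def condition_matches(condition, ctx):
    """AND across operator blocks and keys. A key absent from the request
    context fails a positive operator, satisfies a negated one, and satisfies
    any operator carrying the IfExists suffix."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, pol_vals in pairs.items():
            if key not in ctx:
                if if_exists or base in NEGATED:
                    continue
                return False
            if not _operator(base, _as_list(ctx[key]), _as_list(pol_vals)):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Explicit Deny beats Allow; no matching statement is an implicit deny.
    Principal matching (bucket policies, SCP scope) is outside this model."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Question 101 exhibit, verbatim.
Q101_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway", "ec2:CreateRouteTable", "ec2:CreateRoute"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Effect": "Deny", "Action": "ec2:CreateInternetGateway", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:ResourceTag/purpose": "production"}}},
]}

# Question 99 exhibit, verbatim.
Q99_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/16", "203.0.113.0/24"]},
                   "Bool": {"aws:SecureTransport": "true"}}},
]}

IGW_ARN = "arn:aws:ec2:us-east-1:111122223333:internet-gateway/*"   # constructed placeholder
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"                # constructed


def create_igw_untagged():
    # aws:ResourceTag/... is never in the context of a Create* call (the
    # resource does not exist yet; aws:RequestTag/... is the key for that), so
    # the StringNotEquals on the absent key matches and the Deny always wins.
    return evaluate(Q101_POLICY, "ec2:CreateInternetGateway", IGW_ARN,
                    {"aws:RequestedRegion": "us-east-1"})


def get_object(ctx):
    return evaluate(Q99_POLICY, "s3:GetObject", OBJECT_ARN, ctx)


if __name__ == "__main__":
    print("create IGW, no tag:", create_igw_untagged())
    print("external HTTPS:", get_object({"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "true"}))
    print("external HTTP:", get_object({"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "false"}))
    # Through a VPC endpoint the context carries aws:VpcSourceIp, not aws:SourceIp.
    print("via VPC endpoint:", get_object({"aws:VpcSourceIp": "10.0.1.5", "aws:SecureTransport": "true"}))
```

Two consequences worth checking against the exhibits: StringEquals is case-sensitive, so a tag value of Production does not satisfy the Question 129 condition, and a condition key that an action never provides (aws:SourceIp for requests arriving through a VPC endpoint, ec2:ResourceTag for ec2:DescribeInstances) makes an Allow with a positive operator unreachable for that action while making a Deny with StringNotEquals unconditional.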
Question 157 (hard, multiple choice)

Refer to the exhibit. A network engineer reviews the NACL entries for a subnet. What is the effect of this NACL on inbound traffic?

Network Topology
```
$ aws ec2 describe-network-acls --network-acl-id acl-12345678 --query 'NetworkAcls[0].Entries'
[
  {
    "RuleNumber": 100,
    "Protocol": "6",
    "RuleAction": "allow",
    "Egress": false,
    "CidrBlock": "10.0.0.0/16",
    "PortRange": {"From": 22, "To": 22}
  },
  {
    "RuleNumber": 200,
    "CidrBlock": "0.0.0.0/0",
    "PortRange": {"From": 443, "To": 443}
    ...
  },
  {
    "RuleNumber": 300,
    "Protocol": "-1",
    "RuleAction": "deny",
    "CidrBlock": "0.0.0.0/0"
    ...
  },
  {
    "Egress": true,
    "PortRange": {"From": 1024, "To": 65535}
    ...
  }
]
```
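The network ACL exhibits in Questions 85, 115, 130 and 157 (and the ACL design asked for in Question 133) all come down to the same two facts: entries are evaluated in ascending rule number with the first match deciding, and the ACL is stateless, so the reply to an allowed inbound packet must separately pass an egress rule on the client's ephemeral port. The security group of Question 131 is the stateful contrast. The Python below is an added example (not part of the question bank and not AWS code); the rule sets are constructed to mirror the Question 85 and Question 131 exhibits, and the ephemeral port used for the reply is an assumption.

```python
"""Stateless network ACL versus stateful security group, modelled for one
TCP connection. Added example, not AWS code. The rule sets are constructed
to mirror the Question 85 (NACL) and Question 131 (security group) exhibits."""
import ipaddress
from dataclasses import dataclass

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}   # NACL entries use IANA numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" / "udp" / "icmp"
    dport: int
    egress: bool    # True = leaving the subnet, False = entering it


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nacl_decision(entries, pkt):
    """Evaluate the entries for the packet's direction in ascending RuleNumber;
    the first matching entry decides and later entries are never consulted.
    A missing PortRange means every port and Protocol "-1" every protocol.
    If nothing matches, the implicit '*' rule denies."""
    peer = pkt.dst if pkt.egress else pkt.src    # egress rules match the destination
    for e in sorted((e for e in entries if e["Egress"] == pkt.egress),
                    key=lambda e: e["RuleNumber"]):
        if not _in_cidr(e["CidrBlock"], peer):
            continue
        if e["Protocol"] not in ("-1", PROTO_NUM[pkt.proto]):
            continue
        port_range = e.get("PortRange")
        if port_range and not port_range["From"] <= pkt.dport <= port_range["To"]:
            continue
        return e["RuleAction"]
    return "deny"


def tcp_handshake_through_nacl(entries, client_ip, server_ip, server_port, client_port=49152):
    """A connection into the subnet needs two independent NACL decisions: the
    SYN coming in (dport = service port) and the SYN/ACK going back out
    (dport = the client's ephemeral port, assumed 49152 here).
    Returns (inbound_action, outbound_action)."""
    syn = Packet(client_ip, server_ip, "tcp", server_port, egress=False)
    syn_ack = Packet(server_ip, client_ip, "tcp", client_port, egress=True)
    return nacl_decision(entries, syn), nacl_decision(entries, syn_ack)


def sg_allows_inbound(ip_permissions, client_ip, proto, port):
    """Security groups are stateful and allow-only: the initiating packet must
    match an inbound rule, after which the reply is admitted by connection
    tracking without any outbound rule being consulted."""
    for perm in ip_permissions:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(_in_cidr(r["CidrIp"], client_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


# Constructed to mirror the Question 85 exhibit: inbound 443 allowed, the
# default '*' deny in both directions, and no egress allow for replies.
Q85_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# The egress entry the exhibit lacks (constructed): lets SYN/ACKs and data to
# the client's ephemeral port leave the subnet.
EPHEMERAL_EGRESS = {"RuleNumber": 100, "Egress": True, "Protocol": "6",
                    "RuleAction": "allow", "CidrBlock": "0.0.0.0/0",
                    "PortRange": {"From": 1024, "To": 65535}}

# Constructed to mirror the Question 131 exhibit.
Q131_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    print(tcp_handshake_through_nacl(Q85_ENTRIES, "203.0.113.5", "10.0.1.5", 443))
    print(tcp_handshake_through_nacl(Q85_ENTRIES + [EPHEMERAL_EGRESS], "203.0.113.5", "10.0.1.5", 443))
    print(sg_allows_inbound(Q131_SG_PERMISSIONS, "10.0.1.50", "tcp", 443),
          sg_allows_inbound(Q131_SG_PERMISSIONS, "203.0.113.5", "tcp", 443))
```

With the Question 85 rules the SYN is allowed but the SYN/ACK is denied, which is exactly the "can send, cannot receive" symptom in that question; adding the ephemeral-port egress allow fixes it. The same function shows why a deny with a higher rule number (Question 130's rule 200) cannot override an allow at rule 100 for the same traffic.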
Question 158 (easy, multiple choice)

Refer to the exhibit. An EC2 instance is associated with the IAM role shown. Which action can the EC2 instance perform?

Network Topology
Refer to the exhibit.

$ aws iam get-role-policy --role-name EC2-S3-Access --policy-name S3ReadOnlyAccess
{
  "RoleName": "EC2-S3-Access",
  "PolicyName": "S3ReadOnlyAccess",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:Get*",
          "s3:List*"
        ],
        "Resource": "*"
      }
    ]
  }
}
Question 159 (medium, multiple choice)

A company uses AWS Organizations with SCPs to restrict access. The security team notices that users in the 'Developers' account can launch EC2 instances with public IP addresses, even though the SCP denies ec2:AssociateAddress. What is the most likely reason?

Question 160 (hard, multiple choice)

A company has a VPC with public and private subnets. They launch an Application Load Balancer (ALB) in the public subnets and targets in private subnets. Security requirements dictate that the targets should only accept traffic from the ALB. Which security group configuration meets this requirement?

Question 161 (easy, multiple choice)

A company is designing a network security architecture for a multi-account AWS environment. They need to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which AWS service should they use to route traffic through the inspection VPC?

Question 162 (medium, multiple choice)

A security engineer is troubleshooting connectivity between an EC2 instance in a private subnet and an S3 bucket. The instance has a VPC gateway endpoint for S3, and the route table has a route to the endpoint. The security group for the instance allows all outbound traffic. However, the instance cannot access the S3 bucket. What is the most likely cause?

Question 163 (hard, multiple choice)

A company has a requirement to encrypt all data in transit between EC2 instances and an RDS database. The database is in a private subnet, and the application connects using an SSL connection. The security team wants to ensure that even if the network is compromised, the data remains confidential. What additional measure should be taken?

Question 164 (medium, multiple choice)

A company uses AWS Shield Advanced and AWS WAF to protect its web application. The security team notices that some legitimate traffic is being blocked. They want to allow traffic from a specific set of IP addresses used by their partners. How can they ensure that partner traffic is not blocked by WAF rules?

Question 165 (easy, multiple choice)

A company wants to audit all changes to security groups in their AWS account. Which AWS service should they use to track API calls that modify security groups?

Question 166 (hard, multiple choice)

A company has a VPC with multiple subnets. They deploy a Network Firewall to inspect traffic. The firewall is configured with a stateful rule that allows outbound HTTP traffic to any destination. However, traffic from an EC2 instance in a private subnet to an external web server fails. The route table for the private subnet has a default route pointing to the firewall endpoint. What is the likely issue?

Question 167 (medium, multiple choice)

A company uses AWS Certificate Manager (ACM) to provision SSL/TLS certificates for their Application Load Balancer (ALB). They want to ensure that the ALB only accepts connections using TLS 1.2 or higher. How should they configure this?

Question 168 (medium, multi select)

A company is designing a network security architecture for a multi-tier application. They need to ensure that the web tier can only communicate with the app tier on port 443, and the app tier can only communicate with the database tier on port 3306. Which TWO actions should they take? (Choose TWO.)

Question 169 (hard, multi select)

A company has a VPC with multiple subnets and uses AWS Transit Gateway to connect to on-premises via AWS Direct Connect. They want to implement network segmentation so that certain VPCs can only communicate with specific on-premises networks. Which THREE components should they use? (Choose THREE.)

Question 170 (medium, multi select)

A company is designing a security group configuration for a three-tier application. The web servers must be accessible from the internet on ports 80 and 443. The application servers must only communicate with the web servers on port 8080. The database servers must only communicate with the application servers on port 3306. Which TWO of the following are best practices for implementing this with security groups? (Choose TWO.)

Question 171 (hard, multiple choice)

An IAM policy is applied to a user. The user reports that they cannot run 'aws ec2 describe-instances --region eu-west-1' but can run the same command in us-east-1. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:Describe*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
Question 172 (medium, multiple choice)

A network engineer is troubleshooting connectivity from an EC2 instance in subnet-12345678 to a server on the internet. The instance has a public IP and a security group allowing all outbound traffic. However, traffic fails. Based on the exhibit, what is the issue?

Network Topology
Refer to the exhibit.

$ aws ec2 describe-network-acls --region us-east-1
{
  "NetworkAcls": [
    {
      "Associations": [
        {
          "NetworkAclAssociationId": "aclassoc-12345678",
          "NetworkAclId": "acl-12345678",
          "SubnetId": "subnet-12345678"
        }
      ],
      "Entries": [
        {
          "CidrBlock": "0.0.0.0/0",
          "Egress": false,
          "Protocol": "6",
          "RuleAction": "allow",
          "RuleNumber": 100
        },
        {
          "Protocol": "-1",
          "RuleAction": "deny",
          "RuleNumber": 32766
        },
        {
          "Egress": true
        }
      ]
    }
  ]
}
Question 173 (easy, multiple choice)

A network engineer runs the above command and sees that VPC Flow Logs are configured for a VPC. The engineer wants to analyze rejected traffic to troubleshoot a connectivity issue. Which field in the flow log records should they examine?

Network Topology
Refer to the exhibit.

$ aws ec2 describe-flow-logs --region us-east-1
{
  "FlowLogs": [
    {
      "FlowLogId": "fl-12345678",
      "ResourceId": "vpc-12345678",
      "TrafficType": "ALL",
      "LogDestinationType": "cloud-watch-logs",
      "LogGroupName": "vpc-flow-logs",
      "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/FlowLogsRole"
    }
  ]
}
Question 174 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts and wants to centrally manage VPC security group rules. They need to enforce that no security group allows inbound SSH (port 22) from 0.0.0.0/0. Which service should they use to automatically detect and remediate noncompliant security groups?

Question 175 (hard, multiple choice)

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application must only accept traffic from known corporate IP addresses, but the company also needs to allow healthy traffic from AWS health checkers. Which architecture meets these requirements securely?

Question 176 (easy, multiple choice)

A security engineer needs to audit all API calls that modify security group rules in a VPC. Which AWS service should be used to record these API calls?

Question 177 (hard, multiple choice)

A company is designing a multi-account AWS environment using AWS Organizations. They want to restrict the use of certain instance types across all accounts. Which approach should they use to enforce this policy?

Question 178 (medium, multiple choice)

A company has deployed a web application on an EC2 instance that needs to access an S3 bucket and a DynamoDB table. The instance is in a private subnet. Which approach meets the security best practice of avoiding long-lived credentials on the instance?

Question 179 (easy, multiple choice)

A company wants to encrypt data at rest in an S3 bucket. Which AWS service can manage the encryption keys if the company wants to use server-side encryption with AWS KMS?

Question 180 (medium, multiple choice)

A company has a VPC with public and private subnets. They have an EC2 instance in a private subnet that needs to access the internet for software updates. Which solution provides internet access while keeping the instance private?

Question 181 (hard, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. They want to ensure that only traffic from specific on-premises IP ranges is allowed into the production VPC. Which approach should they use?

Question 182 (easy, multiple choice)

A company wants to audit all network traffic to and from EC2 instances for security analysis. Which AWS service should they enable?

Question 183 (medium, multi select)

A company is designing a security group configuration for a three-tier web application (web, application, database). The web tier is accessible from the internet. Which TWO rules should be applied to meet security best practices?

Question 184 (hard, multi select)

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which THREE services should they combine to protect against common web attacks and network threats?

Question 185 (easy, multi select)

A company needs to encrypt data in transit between an Application Load Balancer and EC2 instances. Which TWO actions should they take?

Question 186 (hard, multiple choice)

A company runs a multi-tier application on AWS. The web tier consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application tier runs on EC2 instances in a separate Auto Scaling group, and the database tier uses an Amazon RDS MySQL instance. All resources are in the same VPC. The security team has identified that the application tier instances are receiving traffic from unknown IP addresses on port 22 (SSH). The team wants to ensure that only the web tier instances can communicate with the application tier on the application port (8080), and only from a specific security group. Additionally, the database tier should only accept traffic from the application tier on port 3306. Currently, the security groups are configured as follows: Web-SG allows inbound from 0.0.0.0/0 on ports 80 and 443; App-SG allows inbound from 0.0.0.0/0 on port 8080 and from 0.0.0.0/0 on port 22; DB-SG allows inbound from 0.0.0.0/0 on port 3306. The team has also noticed that the web tier instances can be accessed via SSH from the internet. Which course of action should the team take to remediate the security issues?

Question 187 (medium, multiple choice)

A security engineer must ensure that all traffic between an application running on Amazon EC2 and an Amazon RDS database is encrypted in transit. The VPC has a public subnet for the EC2 instance and a private subnet for the RDS database. What is the MOST secure way to enforce encryption for this traffic?

Question 188 (easy, multiple choice)

A company is designing a VPC with a public subnet for web servers and a private subnet for database servers. The web servers must be able to access the internet for software updates, but the database servers must not have direct internet access. Which solution meets these requirements?

Question 189 (hard, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets across the organization are encrypted with AWS KMS. Which approach should be used to enforce this policy?

Question 190 (medium, multiple choice)

Refer to the exhibit. A company has an S3 bucket policy that denies PutObject if the object is not encrypted with SSE-KMS. However, uploads are still being allowed without encryption. What is the most likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::important-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
Question 191 (easy, multiple choice)

A company is using AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

Question 192 (medium, multiple choice)

A network engineer is troubleshooting connectivity issues between an on-premises network and an Amazon VPC over an AWS Direct Connect connection. The on-premises network uses BGP to advertise routes to the VPC. The VPC is associated with a virtual private gateway (VGW). The on-premises network can reach resources in the VPC, but VPC resources cannot reach on-premises resources. What is the most likely cause?

Question 193 (hard, multiple choice)

Refer to the exhibit. An IAM role ARN is shown. A security engineer wants to allow an EC2 instance to assume this role. What is required for the EC2 instance to successfully assume the role?

Exhibit

arn:aws:iam::123456789012:role/AdminRole
Question 194 (easy, multiple choice)

A company is deploying a web application in a VPC and wants to protect it from common web exploits like cross-site scripting (XSS). Which AWS service should be used to filter and monitor HTTP requests?

Question 195 (medium, multiple choice)

A company has a VPC with an internet gateway and wants to restrict outbound traffic from a private subnet to only allow traffic to specific AWS services, such as S3 and DynamoDB. Which solution should be used?

Question 196 (medium, multi select)

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

Question 197 (hard, multi select)

Which THREE of the following are best practices for securing a VPC? (Choose three.)

Question 198 (medium, multi select)

Which TWO of the following are valid ways to encrypt data in transit between an on-premises data center and an Amazon VPC? (Choose two.)

Question 199 (hard, multiple choice)

A company has a hybrid network architecture with an AWS Direct Connect connection between its on-premises data center and an Amazon VPC. The VPC has a single private subnet with Amazon EC2 instances running a critical application. The on-premises network uses BGP to advertise a route for the VPC's CIDR (10.0.0.0/16) to the on-premises routers. Recently, the company added a new application in a second VPC (VPC-B) with CIDR 10.1.0.0/16 and peered it with the original VPC (VPC-A). After the peering, users on-premises can still reach resources in VPC-A, but cannot reach resources in VPC-B. The VPC-A route table has a route for VPC-B's CIDR pointing to the peering connection. The VPC-B route table has a route for VPC-A's CIDR pointing to the peering connection. The on-premises routers have a static route for VPC-B's CIDR pointing to the Direct Connect virtual interface. What is the most likely cause of the issue?

Question 200 (medium, multiple choice)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to implement a centralized inspection architecture where all traffic between VPCs must be inspected by a security appliance (e.g., firewall) deployed in a dedicated inspection VPC. Currently, traffic flows directly between VPCs using the Transit Gateway. Which architecture change would enforce that all inter-VPC traffic passes through the inspection VPC?

Question 201 (medium, multiple choice)

A company hosts a multi-tier web application in a VPC. The web servers are in a public subnet, and the application servers are in a private subnet. The application servers need to access a third-party API over the internet. The company wants to ensure that the application servers' IP addresses are not exposed to the internet, and that all outbound traffic to the internet is logged. Additionally, the company wants to restrict outbound traffic to only the specific API endpoints. Which solution should be used?

Question 202 (easy, multiple choice)

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which policy type should be used?

Question 203 (medium, multiple choice)

A security engineer is designing a hybrid network with an AWS Site-to-Site VPN. The company requires that all traffic between the on-premises network and VPC be encrypted in transit. Which configuration ensures this requirement is met?

Question 204 (hard, multiple choice)

A company has multiple AWS accounts under AWS Organizations. The security team wants to centrally log all network traffic that is denied by security group rules across all accounts. Which approach meets this requirement with the least operational overhead?

Question 205 (medium, multiple choice)

A company uses AWS Direct Connect to connect its data center to a VPC. The security team wants to ensure that only the on-premises network can initiate connections to EC2 instances in the VPC, but the EC2 instances should be allowed to initiate outbound connections to the internet. Which configuration should be implemented?

Question 206 (easy, multiple choice)

A company has a VPC with public and private subnets. The public subnet hosts a web server that must be accessible from the internet. The private subnet hosts a database that should only be accessible from the web server. Which security group configuration should be used?

Question 207 (hard, multiple choice)

A company is deploying a multi-tier web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that the web servers only accept traffic from the ALB and that the ALB only accepts traffic from the internet on ports 80 and 443. Additionally, the web servers should be able to make outbound connections to the internet for updates. Which combination of security group rules meets these requirements?

Question 208 (medium, multiple choice)

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region and the peering connection is in the 'active' state. Security groups in both VPCs allow all traffic. However, instances in VPC A cannot reach instances in VPC B. What is the most likely cause?

Question 209 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket for backups. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be used?

Question 210 (medium, multiple choice)

A company uses AWS WAF to protect its web application from common exploits. The security team notices that a specific IP address is generating a high volume of requests and should be blocked immediately. Which action should be taken?

Question 211 (easy, multi select)

A company wants to encrypt all data in transit between its on-premises data center and AWS. Which two services or features can provide encryption for data in transit?

Question 212 (medium, multi select)

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team wants to implement defense in depth. Which three layers of security should be configured?

Question 213 (hard, multi select)

A company has a VPC with multiple subnets and is using Network Access Analyzer to identify unintended network access. It reports that an EC2 instance in a private subnet has a route to an internet gateway. Which two actions should be taken to remediate this?

Question 214 (medium, multiple choice)

Refer to the exhibit. A company has attached the IAM policy to an S3 bucket named example-bucket. Users report they cannot access objects in the bucket even when coming from the allowed IP range. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
Question 215 (hard, multiple choice)

Refer to the exhibit. A network engineer is analyzing a VPC Flow Log record from a VPC with CIDR 10.0.0.0/16. The record indicates a REJECT action. Which component is most likely blocking the traffic?

Exhibit

vpc-flow-log-1234567890 2 123456789010 eni-1234567890abcdef 10.0.1.5 10.0.2.10 12345 80 6 100 2000 1625097600 1625097660 REJECT OK
Question 216 (medium, multiple choice)

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains several EC2 instances that need to download software updates from the internet. The security team has configured the following: - A security group on the EC2 instances allows outbound traffic to 0.0.0.0/0 on ports 443 and 80. - The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT gateway. - The NAT gateway is in the public subnet with an Elastic IP and its security group allows inbound traffic from the private subnet CIDR on ports 443 and 80, and outbound to 0.0.0.0/0 on all ports. Despite this, the EC2 instances cannot reach the internet. What is the most likely cause?

Question 217 (hard, multiple choice)

A company has a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The security team requires that all traffic between VPCs must be inspected by a centralized firewall appliance deployed in a security VPC. They have configured a Transit Gateway with a route table that has blackhole routes for all VPC CIDRs except the security VPC, and the security VPC appliance performs inspection and returns traffic to the Transit Gateway. Recently, they added a new VPC for a critical application. After configuration, some traffic from the new VPC to other VPCs is being dropped. The network engineer verifies that the Transit Gateway route table includes a blackhole route for the new VPC's CIDR and that the security VPC's firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

Question 218 (hard, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS and that bucket policies restrict access to specific IAM roles. They have created an SCP that denies s3:PutBucketPolicy unless the bucket is encrypted with KMS (using a condition) and restricts the PutBucketPolicy action to a specific role. After applying the SCP, the development team reports that they cannot update bucket policies even when using the allowed role. The SCP is attached to the root OU. The allowed role is in the dev account and has full S3 permissions via an IAM policy. What is the most likely reason for the failure?

Question 219 (hard, multiple choice)

A company is using AWS Client VPN for remote access. They want to ensure that only clients with a valid client certificate can connect, and that traffic is routed through a centralized inspection VPC. The VPN endpoint is configured with mutual authentication using server and client certificates. The route table in the VPN VPC has a default route pointing to an AWS Network Firewall endpoint in the inspection VPC. Users report that they can connect to the VPN but cannot access any internal resources. The network engineer checks the Client VPN endpoint configuration and confirms that the authorization rules allow access to the internal CIDR (10.0.0.0/8). What is the most likely cause?

Question 220 (medium, multiple choice)

A company uses AWS Network Firewall to inspect traffic between VPCs in a transit gateway setup. They have a rule group that allows HTTP and HTTPS traffic to a web server in a production VPC. Recently, the security team added a new Suricata IPS rule to block traffic from a specific IP address. After deploying the updated rule group, they notice that all traffic to the web server is being dropped, even from allowed IPs. The firewall logs show the new rule is triggering for all traffic, not just the specific IP. What is the most likely cause?

Question 221 (medium, multiple choice)

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have configured automatic application layer DDoS mitigation with AWS WAF. During a recent attack, the application experienced increased latency, and some legitimate users were blocked. The security team reviews the WAF logs and finds that many requests from legitimate IPs were rate-limited. The team had set a rate-based rule with a threshold of 100 requests per 5 minutes. What is the most likely reason legitimate users were blocked?

Question 222 (easy, multiple choice)

A company wants to securely store and manage secrets such as database passwords and API keys. They need to automatically rotate secrets every 30 days and ensure that only specific IAM roles can access them. Which AWS service should they use?

Question 223 (easy, multiple choice)

A company has an S3 bucket that stores sensitive documents. They need to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Additionally, they want to prevent any uploads that do not specify the required KMS key. Which combination of bucket policy and default encryption should they implement?

Question 224 (easy, multiple choice)

A company wants to allow their employees to access internal web applications hosted on EC2 instances in a private subnet. The employees are outside the corporate network and connect via the internet. Which AWS service would provide secure, managed remote access without requiring a VPN client on each employee's device?

Question 225 (medium, multiple choice)

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is encrypted in transit. They also want to minimize changes to existing VPC route tables. Which solution should they use?

Question 226 (hard, multiple choice)

A company uses AWS Direct Connect to connect their on-premises network to AWS. They have a VPC with a virtual private gateway (VGW) and a private VIF attached to it. They recently added a second Direct Connect connection for redundancy. Both connections are active and advertised via BGP. The on-premises network uses BGP with the same AS number. After configuration, they notice that traffic is not load-balanced as expected; instead, all traffic flows through one connection. What is the most likely cause?

Question 227 (medium, multiple choice)

A company wants to audit all changes to security groups in their AWS account. They need to be notified whenever a security group rule is added, modified, or removed. They also want to see who made the change. Which solution should they implement?

Question 228 (easy, multiple choice)

A company wants to restrict access to their S3 bucket so that only users from their corporate network (with a specific IP range) can read objects. They also want to ensure that the objects are encrypted in transit. Which combination of bucket policy and encryption should they use?

Question 229 (medium, multi select)

A company uses AWS WAF to protect their web application. They have a rate-based rule that blocks IPs after 100 requests in 5 minutes. However, they notice that legitimate users behind a corporate NAT gateway are being blocked because the aggregate traffic from the NAT IP exceeds the threshold. Which TWO actions would resolve this issue without compromising security? (Choose TWO.)

Question 230 (easy, multi select)

A company wants to securely store database credentials and automatically rotate them every 90 days. Which TWO AWS services can work together to achieve this? (Choose TWO.)

Question 231 (hard, multi select)

A company has a VPC with public and private subnets. They use a NAT Gateway in the public subnet to allow instances in the private subnet to access the internet. The security team wants to ensure that all outbound traffic from the private subnet is logged and inspected. Which THREE services should they use together to achieve this? (Choose THREE.)

Question 232 (hard, multiple choice)

A financial services company has a multi-account AWS environment managed via AWS Organizations. The security team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key (CMK) from the security account. Currently, some accounts have S3 buckets with SSE-S3 encryption or no encryption. The security team must not be able to read the data in the buckets, but must be able to detect and remediate non-compliant buckets. The solution must use AWS native services and minimize operational overhead. Which combination of actions should the security team take?

Question 233 (medium, multiple choice)

A company is using Amazon VPC with a public subnet and a private subnet. The public subnet has a NAT gateway. The private subnet has an Amazon RDS for MySQL database. The security team wants to ensure that the database is not accessible from the internet, but they need to allow a specific on-premises network (IP range 203.0.113.0/24) to connect to the database for maintenance. The company also wants to restrict outbound traffic from the database to only necessary AWS services (e.g., S3 for backups) and deny all other outbound traffic. Which configuration should the security team implement?

Question 234 (medium, multiple choice)

A security engineer needs to block traffic from a specific country from reaching an Application Load Balancer. Which AWS service should be used to accomplish this?

Question 235 (easy, multiple choice)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

Question 236 (hard, multiple choice)

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT gateway. The security team wants to ensure that traffic from the private subnets cannot bypass the NAT gateway. Which configuration should be used?

Question 237 (medium, multiple choice)

A company is using AWS CloudFormation to deploy a stack that includes an S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. The stack fails to create, and the error indicates that the bucket policy contains an invalid principal. Which principal should be used to restrict access to a VPC endpoint?

Question 238 (easy, multiple choice)

A company is using AWS Shield Advanced to protect against DDoS attacks. The security team wants to receive notifications when an attack is detected. Which service should be used to send these notifications?

Question 239 (hard, multiple choice)

A company has a VPC with multiple subnets across Availability Zones. An application uses a Network Load Balancer (NLB) to distribute traffic to instances. The security team notices that traffic from a specific client IP is being dropped. The NLB access logs show the client IP, but the target instances do not receive the traffic. What is the most likely cause?

Question 240 (medium, multiple choice)

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The security team wants to enforce multi-factor authentication (MFA) for all VPN connections. Which configuration should be used?

Question 241 (easy, multiple choice)

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted at rest. Which S3 bucket property should be enabled?

Question 242 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT gateway in the public subnet. The security team wants to allow only outbound HTTPS traffic from the instance. Which configuration should be used?

Question 243 (medium, multi select)

A company is designing a network security architecture for a multi-tier application. Which TWO of the following are best practices for implementing defense in depth?

Question 244 (hard, multi select)

A company is using AWS Direct Connect to connect on-premises to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which TWO options can achieve this?

Question 245 (easy, multi select)

A company needs to audit network traffic in a VPC for compliance. Which THREE AWS services can be used to capture and analyze network traffic?

Question 246 (hard, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized firewall appliance in an inspection VPC. Which architecture meets this requirement?

Question 247 (medium, multiple choice)

A network engineer is designing a security group for a web application that must allow inbound HTTPS traffic from the internet and outbound traffic to an RDS MySQL database. The web servers are in a public subnet and the RDS database is in a private subnet. What is the most secure way to configure the security groups?

Question 248 (easy, multiple choice)

A company wants to block inbound traffic from a specific IP address range (203.0.113.0/24) at the VPC level using AWS WAF. Which resource should the AWS WAF web ACL be associated with?

Question 249 (hard, multiple choice)

A company uses AWS Certificate Manager (ACM) to issue a public SSL/TLS certificate for a domain hosted on Route 53. The certificate is used by an Application Load Balancer. After renewal, the ALB continues to serve the old certificate. What is the most likely cause?

Question 250 (medium, multiple choice)

A company has a VPC with public and private subnets. The public subnet hosts a NAT gateway. The private subnet hosts EC2 instances that need to download patches from the internet. The EC2 instances have a security group that allows outbound HTTPS to 0.0.0.0/0. What additional configuration is required?

Question 251 (easy, multiple choice)

A security team needs to audit all network traffic entering and leaving a VPC. Which AWS service should be used to capture IP traffic information?

Question 252 (hard, multiple choice)

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN tunnel is up, but traffic from on-premises cannot reach EC2 instances in the VPC. The EC2 instances have a security group that allows inbound ICMP from the on-premises CIDR. What is the most likely cause?

Question 253 (medium, multiple choice)

A company wants to allow a specific IAM user to manage network ACLs for a specific VPC only. Which IAM policy action should be used?

Question 254 (easy, multiple choice)

A company wants to block outgoing traffic from a specific EC2 instance to the internet, except for HTTPS traffic to a specific API endpoint. Which AWS service can enforce this at the instance level?

Question 255 (hard, multi select)

A company needs to ensure that all outbound traffic from a VPC goes through a centralized inspection appliance in a different VPC. Which TWO actions must be taken to achieve this?

Question 256 (medium, multi select)

Which THREE of the following are valid ways to restrict access to an S3 bucket that is accessed by EC2 instances in a VPC?

Question 257 (easy, multi select)

Which TWO of the following are best practices for securing a VPC?

Question 258 (medium, multiple choice)

A company is using AWS Transit Gateway to connect multiple VPCs. The security team wants to inspect all traffic between VPCs with a third-party firewall appliance deployed in a centralized inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

Question 259 (hard, multiple choice)

A company needs to meet compliance requirements that mandate encryption of all data in transit between EC2 instances in the same VPC. The instances are in different subnets and communicate using TCP port 443. Which solution should a network engineer implement?

Question 260 (easy, multiple choice)

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer needs to restrict access to only the company's public IP range (203.0.113.0/24). What is the correct way to modify the security group rule?

Question 261 (hard, multiple choice)

A company is deploying an AWS Network Firewall in a centralized inspection VPC and needs to send traffic from multiple VPCs through it. The VPCs are attached to a Transit Gateway. What configuration is required to route traffic to the firewall?

Question 262 (easy, multiple choice)

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service should be used to provide internet access to instances in the private subnets without assigning public IP addresses?

Question 263 (medium, multiple choice)

A security engineer is designing a network ACL for a public subnet. The subnet hosts a web server on port 443. Which inbound and outbound rules should be configured to allow HTTPS traffic from the internet? (Assume default deny all rule.)

Question 264 (hard, multiple choice)

A company has a requirement to audit all network traffic leaving a VPC. The traffic includes traffic to the internet, to on-premises via VPN, and to other VPCs via Transit Gateway. Which AWS service can capture and log all outbound traffic for compliance analysis?

Question 265 (easy, multiple choice)

A company wants to securely connect an on-premises data center to an AWS VPC over the internet using IPsec. Which AWS service should be used?

Question 266 (medium, multiple choice)

A network engineer needs to ensure that all traffic between two VPCs (VPC A and VPC B) is encrypted in transit. The VPCs are in the same region and are connected via a VPC peering connection. What should the engineer do?

Question 267 (medium, multi select)

A company is implementing a network security solution for a VPC that contains a web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The company wants to protect against common web exploits and also filter outbound traffic from the instances. Which TWO services should be used together?

Question 268 (hard, multi select)

A company is designing a multi-VPC architecture with AWS Transit Gateway. The security requirements include: (1) all inter-VPC traffic must be inspected by a central firewall, (2) traffic to the internet must egress through a centralized egress VPC, and (3) traffic to on-premises via Direct Connect must go through the same inspection firewall. Which THREE components are required to meet these requirements?

Question 269 (medium, multi select)

A security team needs to implement a solution to detect and alert on suspicious network traffic within a VPC. The solution should analyze VPC Flow Logs and generate findings for potential threats. Which THREE AWS services can be used together to achieve this?

Question 270 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be inspected by a third-party firewall appliance for compliance. The firewall appliance must be deployed in a separate VPC and must inspect traffic without introducing a single point of failure. Which architecture meets these requirements?

Question 271 (hard, multiple choice)

A company's security team notices that a VPC flow log record shows an outbound connection from a private EC2 instance to an IP address in a restricted country. The security group allows outbound 0.0.0.0/0 for TCP 443. The network ACL allows outbound traffic to 0.0.0.0/0 on ephemeral ports. The company uses AWS Network Firewall with a firewall policy that has a stateful rule group that denies traffic to the restricted country. The flow log shows the traffic was accepted. What is the most likely cause?

Question 272 (easy, multiple choice)

A company wants to securely connect an on-premises data center to a VPC in AWS. The connection must be encrypted and use the public internet. The company has a moderate volume of traffic and needs a quick setup. Which solution meets these requirements?

Question 273 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no VPC in any account can have an internet gateway attached. Which option meets this requirement?

Question 274 (hard, multiple choice)

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to use a proxy server running on an EC2 instance in the public subnet. The security group for the proxy server must allow inbound HTTP/HTTPS from the instance in the private subnet. The security group for the private instance must allow outbound HTTP/HTTPS to the proxy server. However, the private instance cannot connect to the proxy. What is the most likely cause?

Question 275 (easy, multiple choice)

A company needs to audit all changes to security groups in a VPC. Which AWS service should be used?

Question 276 (medium, multiple choice)

A company has a VPC with multiple subnets. The network ACL for a subnet is configured to deny all inbound traffic. A security group attached to an EC2 instance in that subnet allows SSH from a specific IP range. Will SSH traffic from that IP range reach the instance?

Question 277 (hard, multiple choice)

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The application is fronted by Amazon CloudFront and an Application Load Balancer. The security team wants to receive notifications when a DDoS attack is detected. Which AWS service should be used to receive these notifications?

Question 278 (easy, multiple choice)

A company wants to allow a specific IP address range to access an EC2 instance in a private subnet using a bastion host. The bastion host is in a public subnet. Which security group configuration is correct?

Question 279 (medium, multi select)

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC contains a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to use a VPC endpoint for S3. Which TWO configurations are required?

Question 280 (medium, multi select)

A security engineer is designing a network security solution for a multi-tier application. The web tier must be accessible from the internet on ports 80 and 443. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier on port 3306. Which THREE network access control mechanisms should be used?

Question 281 (hard, multi select)

A company is designing a network architecture for a highly sensitive application that must meet strict compliance requirements. The application is deployed in a VPC with multiple subnets. The company needs to ensure that all traffic between subnets is encrypted and that no traffic can bypass the encryption. Which THREE steps should be taken?

Question 282 (medium, multiple choice)

A company is using AWS Direct Connect to connect its on-premises network to VPCs in multiple AWS accounts. The company wants to ensure that traffic from the on-premises network can only access specific VPCs based on the source IP address. Which AWS service should be used to enforce this segmentation?

Question 283 (hard, multiple choice)

A company has a VPC with public and private subnets. An application in the private subnet needs to access an S3 bucket. Which design meets security best practices without exposing the application to the internet?

Question 284 (easy, multiple choice)

A security engineer needs to audit all changes to security group rules in an AWS account. Which AWS service should be used to record these changes?

Question 285 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no security group allows inbound SSH (port 22) from 0.0.0.0/0. Which policy type should be used?

Question 286 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to connect to the internet for patching. The security team wants to minimize the attack surface. Which solution should be used?

Question 287 (easy, multiple choice)

A network engineer needs to block traffic from a specific IP address to an EC2 instance. Which component should be modified?

Question 288 (medium, multiple choice)

A company is deploying a web application behind an Application Load Balancer (ALB). The application must only accept traffic from the ALB. Which security group configuration should be used for the EC2 instances?

Question 289 (hard, multiple choice)

A company wants to centrally manage and enforce VPC security group rules across multiple accounts in AWS Organizations. Which AWS service should be used?

Question 290 (easy, multiple choice)

A company wants to encrypt data in transit between an on-premises data center and AWS. Which service provides a dedicated encrypted connection?

Question 291 (hard, multi select)

A security engineer is designing a VPC with public and private subnets. The company requires that instances in the private subnet can initiate outbound connections to the internet but cannot receive inbound connections from the internet. Which TWO components are necessary? (Choose 2)

Question 292 (medium, multi select)

A company wants to inspect traffic between VPCs in the same region using a third-party security appliance. Which THREE components are needed? (Choose 3)

Question 293 (easy, multi select)

A company needs to log all network traffic to and from EC2 instances for security analysis. Which TWO services can capture this data? (Choose 2)

Question 294 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally enforce that no Amazon S3 buckets are publicly accessible across all accounts. Which solution meets this requirement with the least operational overhead?

Question 295 (hard, multiple choice)

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT Gateway. The security team wants to ensure that traffic from the private subnets to the internet is logged and inspected for malicious activity. Which solution meets these requirements?

Question 296 (easy, multiple choice)

A company wants to allow its employees to securely access internal web applications hosted in a VPC without using a VPN. The solution must authenticate users against the company's Active Directory and apply fine-grained access controls. Which AWS service should be used?

Question 297 (hard, multiple choice)

A company is designing a multi-account architecture. They need to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the security account. The logs must be encrypted at rest using a customer-managed KMS key in the security account. Which combination of steps is required?

Question 298 (medium, multiple choice)

A company uses AWS Certificate Manager (ACM) to issue certificates for a fleet of Application Load Balancers. The security team requires that only specific IAM roles can request, renew, or delete ACM certificates. Which policy type should be used to enforce this?

Question 299 (easy, multiple choice)

A company is using AWS CloudHSM to store sensitive encryption keys. Which of the following is a security best practice for managing the HSM?

Question 300 (hard, multiple choice)

A company has a VPC with multiple security groups. An EC2 instance in security group A needs to communicate with an RDS instance in security group B on port 3306. The security team wants to minimize exposure. What should the inbound rule in security group B be?

Question 301 (medium, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to inspect all traffic between VPCs and on-premises using a centralized firewall appliance. Which architecture meets this requirement?

Question 302 (easy, multiple choice)

A company wants to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used?

Question 303 (hard, multi select)

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to ensure that all internet-bound traffic from VPCs in the organization goes through a centralized egress VPC where it is inspected by a firewall. Which TWO steps are required to enforce this?

Question 304 (medium, multi select)

A company is building a serverless application using Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The security team requires that all API requests are authenticated and authorized, and that the Lambda function has only the necessary permissions to access DynamoDB. Which THREE steps should be taken?

Question 305 (easy, multi select)

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team needs to protect the application from common web exploits like SQL injection and cross-site scripting. Which TWO AWS services should be used together?

Question 306 (medium, multiple choice)

A company uses AWS Organizations with SCPs to enforce security controls. The security team wants to prevent users from disabling Amazon GuardDuty or modifying its configuration in any member account. Which SCP effect should be used?

Question 307 (hard, multiple choice)

A company is designing a network security architecture for a multi-account AWS environment using AWS Transit Gateway. They need to ensure that all traffic between VPCs must be inspected by a centralized security appliance (e.g., firewall) in a shared services VPC. Which routing design meets this requirement?

Question 308 (easy, multiple choice)

A company is using AWS WAF to protect a web application. They want to block requests that originate from known malicious IP addresses. Which WAF rule type should be used?

Question 309 (medium, multiple choice)

A company uses AWS Shield Advanced for DDoS protection. They want to receive near real-time notifications when a DDoS attack is detected. Which AWS service should be used to trigger the notification?

Question 310 (hard, multiple choice)

A security engineer is troubleshooting an issue where Amazon Inspector is not finding any vulnerabilities in an EC2 instance. The instance has the AWS Systems Manager Agent (SSM Agent) installed and is managed by AWS Systems Manager. What is the most likely reason for Inspector not reporting findings?

Question 311 (easy, multiple choice)

A company wants to enforce that all Amazon S3 buckets in an AWS account are encrypted at rest. Which AWS service can be used to automatically detect and report unencrypted buckets?

Question 312 (medium, multiple choice)

A company has a VPC with public and private subnets. The security team wants to block all outbound traffic to the internet from the private subnets except for traffic to an AWS service like Amazon S3. Which configuration should be used?

Question 313 (hard, multiple choice)

A company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates for an Application Load Balancer (ALB). The security team notices that an ACM-issued certificate is about to expire. How can they automate renewal?

Question 314 (medium, multiple choice)

A company uses an AWS Network Firewall to inspect traffic between VPCs and the internet. They want to allow outbound HTTPS traffic only to specific domains. Which rule configuration should be used?

Question 315 (hard, multi select)

A security engineer is designing a network security architecture for a hybrid cloud environment. The company has an AWS Direct Connect connection to its on-premises data center. They want to ensure that all traffic between on-premises and AWS is encrypted and that the encryption is enforced at the network layer. Which TWO solutions should the engineer consider?

Question 316 (medium, multi select)

A company has a security requirement to log and monitor all DNS queries made by EC2 instances in a VPC. Which TWO AWS solutions can meet this requirement?

Question 317 (easy, multi select)

A company wants to protect its web application running on Amazon EC2 behind an Application Load Balancer (ALB) from common web exploits like SQL injection and cross-site scripting (XSS). Which THREE AWS services should be used together to provide comprehensive protection?

Question 318 (hard, multiple choice)

Exhibit

Refer to the exhibit.

Exhibit: IAM Policy JSON
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

A security engineer attaches the above IAM policy to an IAM user. The user then attempts to launch an EC2 instance from an IP address outside the 10.0.0.0/8 range. What will happen?

Question 319 (medium, multiple choice)

Exhibit

Refer to the exhibit.

Exhibit: CloudWatch Logs Log Entry
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "123456789012",
    "arn": "arn:aws:iam::123456789012:root",
    "accountId": "123456789012"
  },
  "eventTime": "2023-11-01T12:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateSecurityGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "groupName": "test-sg",
    "groupDescription": "Test security group"
  },
  "responseElements": {
    "groupId": "sg-12345678"
  }
}
```

A security engineer reviews the CloudTrail log entry above. What security concern does this event raise?

Question 320 (medium, multiple choice)

Exhibit

Refer to the exhibit.

Exhibit: Network Topology
```
$ aws ec2 describe-network-acls --region us-east-1
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-12345678",
      "VpcId": "vpc-12345678",
      "Entries": [
        {
          "RuleNumber": 100,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": false,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": { "From": 22, "To": 22 }
        },
        {
          "RuleNumber": 200,
          "RuleAction": "deny"
        },
        {
          "RuleNumber": 300,
          "CidrBlock": "10.0.0.0/8"
        }
      ]
    }
  ]
}
```

A security engineer reviews the NACL entries above for a subnet. Which statement about incoming SSH traffic (port 22) is correct?

Question 321 (medium, multiple choice)

A company is designing a VPC with public and private subnets. They need to allow instances in the private subnet to access the internet for software updates while preventing inbound internet traffic. Which AWS service should they use?

Question 322 (hard, multiple choice)

A security engineer is configuring Network Access Control Lists (NACLs) for a VPC with multiple subnets. The engineer wants to block SSH access (port 22) from a specific IP range 10.0.0.0/8 to the entire VPC CIDR (172.16.0.0/16). What is the most effective approach?

Question 323 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They require that the encryption keys are managed by AWS and rotated automatically. Which encryption option should they choose?

Question 324 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company is using AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should they use?

Question 325 (hard, multiple choice)
Read the full VPN explanation →

A company has a VPC with a VPN connection to an on-premises data center. They want to ensure that traffic between the VPC and on-premises is encrypted and authenticated. Which two components are required to establish the VPN tunnel?

Question 326 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests that contain SQL injection attacks. Which WAF rule type should they use?

Question 327 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company needs to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which policy element should be used in an IAM policy to deny access if MFA is not present?

Question 328 (hard, multiple choice)
Read the full DNS explanation →

A company is using Amazon Route 53 for DNS resolution. They want to restrict access to a private hosted zone so that only authorized VPCs can query it. Which configuration should they use?

Question 329 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS Shield Advanced to protect against DDoS attacks. They want to receive notifications when an attack is detected. Which AWS service should they integrate with to receive notifications?

Question 330 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company wants to securely store secrets such as database credentials and API keys. Which TWO AWS services can be used for this purpose? (Choose two.)

Question 331 (hard, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company is designing a network security architecture for a multi-tier web application. Which THREE best practices should they implement? (Choose three.)

Question 332 (easy, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO statements about AWS Key Management Service (KMS) are correct? (Choose two.)

Question 333 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is deploying a web application that must be accessible over the internet from specific IP addresses only. The application runs behind an Application Load Balancer (ALB) in a VPC. Which AWS service should be used to restrict access to the ALB based on source IP addresses?

Question 334 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company wants to ensure that all outbound traffic is logged and that only specific destinations are allowed. Which solution meets these requirements?

Question 335 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A security engineer is designing a network architecture for a multi-account AWS environment using AWS Organizations. The company requires that all inter-VPC traffic be inspected by a centralized firewall appliance. Which solution provides the most scalable and maintainable inspection architecture?

Question 336 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO actions can be used to improve the security of an Amazon S3 bucket that contains sensitive data? (Choose two.)

Question 337 (hard, multi select)
Read the full VPN explanation →

Which THREE components are necessary to enable encryption in transit for traffic between an on-premises data center and an Amazon VPC over AWS Site-to-Site VPN? (Choose three.)

Question 338 (easy, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO AWS services can be used to monitor and log network traffic in a VPC for security analysis? (Choose two.)

Question 339 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

Refer to the exhibit. An AWS IAM policy is attached to an IAM role used by a network administrator. The policy is intended to allow the role to accept a VPC peering connection request only if the accepter VPC is vpc-0abcdef1234567890. However, the administrator reports that the policy does not work as expected. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVPCAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/AdminRole"
            },
            "Action": "ec2:AcceptVpcPeeringConnection",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc-peering-connection/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AccepterVpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0abcdef1234567890"
                }
            }
        }
    ]
}
```
Question 340 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

Refer to the exhibit. A network engineer has configured VPC Flow Logs for a VPC and is verifying the logs. The flow logs are being delivered to CloudWatch Logs, but the engineer notices that the logs do not contain the 'srcaddr' and 'dstaddr' fields. What is the most likely cause?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-flow-logs --filter "Name=log-group-name,..."
{
  "FlowLogs": [
    {
      "CreationTime": "2024-01-15T10:00:00Z",
      "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/FlowLogRole",
      "FlowLogId": "fl-12345678",
      "FlowLogStatus": "ACTIVE",
      "LogGroupName": "my-flow-log",
      "ResourceId": "vpc-0abcdef1234567890",
      "TrafficType": "ALL",
      "LogDestinationType": "cloud-watch-logs",
      "MaxAggregationInterval": 60,
      ...
    }
  ]
}
```
Question 341 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

Refer to the exhibit. A company has an S3 bucket policy that allows public read access only from a specific IP range (203.0.113.0/24). Users outside this range report that they can still access objects in the bucket. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.0/24"
                }
            }
        }
    ]
}
```
Question 342 (easy, multiple choice)
Study the full ACL explanation →

A company wants to restrict access to an EC2 instance such that only traffic from a specific security group (sg-12345678) can reach it. The instance is in a VPC with default network ACLs. What should the security group rule for the instance be?

Question 343 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to avoid using a NAT gateway and ensure that traffic does not traverse the internet. Which solution should be used?

Question 344 (hard, multiple choice)
Review the full subnetting walkthrough →

A security team is designing a network architecture that must meet PCI DSS compliance. They have a VPC with multiple subnets and need to ensure that all traffic between subnets is inspected by a stateful firewall. The solution must also support scalability and high availability. Which AWS service should they use?

Question 345 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company uses AWS Organizations and has multiple VPCs in different accounts. They want to centrally manage network firewall rules for all VPCs using a single firewall policy. Which AWS service should they use?

Question 346 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to encrypt all data in transit between its on-premises data center and AWS. They are using AWS Direct Connect for connectivity. Which additional configuration is required to ensure encryption?

Question 347 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO measures can be taken to protect an AWS account's root user credentials? (Choose two.)

Question 348 (hard, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which THREE components are required to enable AWS Shield Advanced automatic application layer DDoS mitigation for an Application Load Balancer? (Choose three.)

Question 349 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet containing a NAT gateway and a private subnet with EC2 instances. The EC2 instances need to access an S3 bucket. The security team wants to log all S3 API calls made by the instances. Which approach should be used?

Question 350 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company wants to block outbound traffic from a VPC to the internet except through a NAT Gateway for updates to specific software repositories. Which AWS service should be used to control outbound traffic?

Question 351 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A security team needs to log all rejected traffic to an internet-facing Network Load Balancer (NLB) for compliance. Which configuration should they use?

Question 352 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company has a multi-account AWS environment using AWS Organizations. They need to enforce that all newly created S3 buckets are encrypted with SSE-KMS using a specific KMS key. Which policy should they use?

Question 353 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company has a VPC peered with another VPC in a different account. They want to ensure that only specific ports are allowed from the peered VPC to their application servers. Which configuration should they use?

Question 354 (hard, multi select)
Review the full subnetting walkthrough →

A company is using AWS Direct Connect to connect their on-premises network to AWS. They need to ensure that traffic from a specific on-premises subnet can only access a specific VPC subnet. Which two components must be configured? (Choose two.)

Question 355 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company needs to audit all changes to security groups in their AWS account. Which AWS service should they use?

Question 356 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with multiple subnets. They want to block all traffic from the internet to their private subnets, but allow outbound internet traffic from those subnets through a NAT Gateway. Which configuration should they use?

Question 357 (hard, multiple choice)
Review the full routing breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is inspected by a security appliance in a centralized inspection VPC. How should they configure the Transit Gateway route tables?

Question 358 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which type of policy should they use?

Question 359 (medium, multi select)
Review the full subnetting walkthrough →

A security engineer notices that an EC2 instance in a public subnet is receiving inbound SSH traffic from a range of IP addresses that should be blocked. Which two actions should the engineer take to troubleshoot? (Choose two.)

Question 360 (hard, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with an internet-facing Application Load Balancer (ALB) that routes traffic to EC2 instances in private subnets. The security team wants to block traffic from specific geographic regions. Which AWS service should they use?

Question 361 (medium, multiple choice)
Read the full VPN explanation →

A company is using AWS Client VPN to provide remote access to their VPC. They want to ensure that only authenticated users from their corporate Active Directory can access the VPN. Which authentication method should they use?

Question 362 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to block inbound SSH traffic to all EC2 instances in a VPC while allowing all other traffic. Which security group rule should be configured?

Question 363 (medium, multiple choice)
Review the full routing breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs. Security requirements mandate that traffic between VPCs must be inspected by a centralized firewall appliance in a dedicated inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

Question 364 (hard, multi select)
Read the full NAT/PAT explanation →

A company's security team is designing a solution to restrict S3 bucket access based on the requester's network. The company has a set of on-premises IP ranges and wants to ensure that only requests originating from those IPs can access the bucket. Which combination of actions should be taken? (Choose TWO.)

Question 365 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is designing a security group rule to allow outbound HTTPS traffic (TCP 443) to a specific external service IP range 203.0.113.0/24. The security group is attached to a fleet of EC2 instances. Which rule should be added?

Question 366 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to audit all Network Load Balancer (NLB) operations performed in their AWS account. Which AWS service should they use?

Question 367 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company is designing a VPC with public and private subnets. The private subnets need to access Amazon S3 and Amazon DynamoDB. The company wants to minimize data transfer costs and avoid using a NAT gateway. What is the MOST cost-effective solution?

Question 368 (easy, multiple choice)
Read the full NAT/PAT explanation →

A security engineer is troubleshooting why an EC2 instance cannot communicate with the internet. The instance is in a private subnet with a route table that has a default route (0.0.0.0/0) pointing to a NAT gateway. The security group for the instance allows all outbound traffic. What should the engineer check NEXT?

Question 369 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company wants to restrict access to an S3 bucket so that only requests originating from a specific AWS account can read objects. Which bucket policy condition should be used?

Question 370 (hard, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets and uses AWS Network Firewall to inspect traffic. The security team notices that traffic to a specific IP (10.0.0.10) is being dropped unexpectedly. The firewall policy has a stateful rule group that allows all traffic. What is the MOST likely cause?

Question 371 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company's security team is designing a network architecture for a multi-tier application. The web tier must be accessible from the internet, while the application and database tiers must be isolated. Which TWO actions should be taken to meet these requirements?

Question 372 (hard, multi select)
Review the full subnetting walkthrough →

A company needs to ensure that all outbound internet traffic from a VPC goes through a centralized inspection appliance. The VPC has multiple subnets. Which THREE steps are required to implement this?

Question 373 (easy, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company wants to encrypt all data in transit between an Application Load Balancer (ALB) and its target EC2 instances. Which TWO actions should be taken?

Question 374 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

Refer to the exhibit. A company has attached this bucket policy to an S3 bucket. An EC2 instance in VPC vpc-12345 is trying to access the bucket but is getting access denied. The EC2 instance has a public IP of 198.51.100.10. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345"
        }
      }
    }
  ]
}
```
Question 375 (medium, multiple choice)
Study the full ACL explanation →

Refer to the exhibit. A network engineer runs the above command and sees this network ACL configuration. The subnet associated with this ACL contains an EC2 instance that is failing to receive inbound HTTP traffic (TCP 80) from the internet. What is the MOST likely cause?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-network-acls --filters Name=association.subnet-id,...
{
  "NetworkAcls": [
    {
      "Associations": [
        {
          "NetworkAclAssociationId": "aclassoc-12345",
          "NetworkAclId": "acl-67890",
          "SubnetId": "subnet-12345"
        }
      ],
      "Entries": [
        {
          "CidrBlock": "0.0.0.0/0",
          "Egress": false,
          "Protocol": "6",
          "RuleAction": "deny",
          "RuleNumber": 100
        },
        {
          "Protocol": "-1",
          "RuleAction": "allow",
          "RuleNumber": 200,
          ...
        },
        {
          "Egress": true,
          "RuleNumber": 300,
          ...
        }
      ]
    }
  ]
}
```
Question 376 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company runs a critical application on EC2 instances in a VPC. The application needs to send data to an S3 bucket and an SQS queue, both in the same AWS account. The security team requires that all traffic to these AWS services must stay within the AWS network and not traverse the internet. The VPC has private subnets with no NAT gateway or Internet Gateway. The EC2 instances have an IAM role that grants necessary permissions. The S3 bucket and SQS queue are configured with bucket policies and queue policies that deny all access except from the VPC. However, the application is failing to send data to both S3 and SQS. What should the network engineer do to resolve this issue?

Question 377 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS WAF to protect its web application. The security team notices that the WAF logs show a high number of requests from a specific IP address range that are being blocked by the SQL injection rule. However, the application team reports that legitimate users from that IP range are unable to access the application. Which action should the security team take to resolve this issue while maintaining security?

Question 378 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A financial services company is required to encrypt all data at rest and in transit. They have an Amazon S3 bucket with server-side encryption enabled (SSE-S3) and are using HTTPS for all API calls. During an audit, the auditor points out that the bucket policy does not explicitly deny requests that do not use HTTPS. Which of the following should the company add to the bucket policy to enforce HTTPS?

Question 379 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company has deployed a VPC with public and private subnets. They have an Internet Gateway attached to the VPC and a NAT Gateway in the public subnet. The private subnet instances need to download patches from the internet. Which configuration ensures that the private instances can reach the internet while preventing inbound traffic from the internet?

Question 380 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company uses AWS Shield Advanced to protect against DDoS attacks. They notice that some legitimate traffic is being throttled during a DDoS event. The security team wants to ensure that legitimate traffic from specific business partners is not affected. Which action should they take?

Question 381 (hard, multiple choice)
Review the full routing breakdown →

A company is setting up a cross-account VPC peering connection between VPC A (account 1) and VPC B (account 2). The security team wants to ensure that only specific TCP ports are allowed between the VPCs. They have configured the route tables and the VPC peering connection is active. Which additional configuration is required to enforce the port restriction?

Question 382 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS Secrets Manager to store database credentials. They want to ensure that the credentials are automatically rotated every 30 days. Which configuration is required?

Question 383 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They have an Application Load Balancer (ALB) in a public subnet and a web server fleet in private subnets. The security team wants to ensure that only the ALB can communicate with the web servers. Which security group configuration should be used?

Question 384 (hard, multiple choice)
Read the full VPN explanation →

A company is using AWS Direct Connect to connect their on-premises network to AWS. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect virtual interface (VIF) configured. They want to use AWS Site-to-Site VPN as a backup connection. Which configuration ensures that traffic automatically uses the VPN if the Direct Connect connection fails?

Question 385 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to centrally manage firewall rules across multiple VPCs in different AWS accounts. Which AWS service should they use?

Question 386 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company is designing a network security architecture for a multi-tier application. They want to ensure that the web tier can communicate with the application tier only on specific ports, and the application tier can communicate with the database tier only on specific ports. Which TWO configurations should be implemented?

Question 387 (hard, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across the organization are encrypted with SSE-S3 or SSE-KMS. Which THREE steps should they take to implement this policy?

Question 388 (easy, multi select)
Read the full Network Security, Compliance and Governance explanation →

A company is deploying a web application that must be accessible over HTTPS only. They are using an Application Load Balancer (ALB) with an SSL certificate from AWS Certificate Manager (ACM). Which TWO configurations are necessary to ensure that only HTTPS traffic reaches the application?

Question 389 (hard, multiple choice)
Study the full ACL explanation →

A company has a VPC with CIDR 10.0.0.0/16. They have public subnets (10.0.1.0/24, 10.0.2.0/24) and private subnets (10.0.3.0/24, 10.0.4.0/24) in two Availability Zones. An Internet Gateway is attached to the VPC, and a NAT Gateway is in public subnet 10.0.1.0/24. The private subnets route 0.0.0.0/0 to the NAT Gateway. The security team notices that instances in private subnet 10.0.3.0/24 can reach the internet, but instances in private subnet 10.0.4.0/24 cannot. Both private subnets have the same route table configuration. The network ACLs for both private subnets are set to allow all inbound and outbound traffic. What is the most likely cause of the issue?

Question 390 (medium, multiple choice)
Read the full VPN explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. They have a central inspection VPC that uses AWS Network Firewall to inspect traffic. The security team wants to ensure that all traffic between VPCs and between VPCs and on-premises is routed through the inspection VPC. They have created a transit gateway route table for each VPC and the Direct Connect/VPN attachments. They have configured the route tables to propagate routes from the inspection VPC's attachment. However, traffic is still bypassing the inspection VPC. What should the security team do to ensure traffic is inspected?

Question 391 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application stores files in an S3 bucket. The security team wants to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. They have created an IAM role for the EC2 instances with a policy that grants s3:PutObject and s3:GetObject on the specific bucket. They have also attached a VPC endpoint for S3 to the VPC and added a bucket policy that allows access only from the VPC endpoint. Despite this, the EC2 instances can still access other S3 buckets. What is the most likely reason?

Question 392 (medium, multiple choice)
Review the full subnetting walkthrough →

A company is designing a VPC with private subnets for databases and public subnets for web servers. They need to allow the web servers to make outbound internet requests for software updates but prevent inbound traffic from the internet. Which configuration should they use?

Question 393 (hard, multiple choice)
Review the full subnetting walkthrough →

A security engineer is troubleshooting connectivity issues between two VPCs connected via a VPC Peering connection. The VPCs are in different accounts. The security groups in both VPCs allow traffic between the CIDRs. The route tables have the appropriate entries. However, instances in VPC A cannot communicate with instances in VPC B. What is the most likely cause?

Question 394 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should they use?

Question 395 (medium, multiple choice)
Read the full VPN explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via a VPN. They want to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the network?

Question 396 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from an S3 bucket in the same AWS region. The company wants to ensure that traffic does not traverse the internet. Which solution is MOST cost-effective?

Question 397 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company is using AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that only authorized users can access them. Which combination of actions should they take?

Question 398 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company wants to allow an external auditor to access a specific EC2 instance in their VPC for a limited time. The auditor will connect via SSH from a known IP address. What is the MOST secure way to grant access?

Question 399 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company has a Direct Connect connection to AWS. They want to encrypt all traffic between their on-premises network and their VPC. Which solution meets this requirement?

Question 400 (easy, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A security engineer reviews the above security group configuration for a web server. What is a security concern with this configuration?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-security-groups --group-ids sg-12345678
{
  "SecurityGroups": [
    {
      "GroupName": "web-sg",
      "GroupId": "sg-12345678",
      "VpcId": "vpc-1a2b3c4d",
      "IpPermissions": [
        {
          "FromPort": 80,
          "ToPort": 80,
          "IpProtocol": "tcp",
          "IpRanges": [
            { "CidrIp": "0.0.0.0/0" }
          ]
        },
        {
          "FromPort": 22,
          "ToPort": 22,
          ...
          "IpRanges": [
            { "CidrIp": "10.0.0.0/8" }
          ]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          ...
        }
      ]
    }
  ]
}
```
Question 401 (medium, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A company applies the above S3 bucket policy. An administrator reports that an application using the AWS SDK is unable to upload objects to the bucket from an EC2 instance in the same account. The EC2 instance has an IAM role with s3:PutObject permission. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```
Question 402 (hard, multiple choice)
Read the full Network Security, Compliance and Governance explanation →

A CloudFormation stack created a VPC Gateway Endpoint for S3 with the above policy. An EC2 instance in the VPC is unable to download objects from the S3 bucket using the AWS CLI. The instance has an IAM role with s3:GetObject permission. What is the most likely cause?

Network Topology

Refer to the exhibit.

```
$ aws cloudformation describe-stacks --stack-name my-stack --query 'Stacks[0].Outputs'
[
  {
    "OutputKey": "VPCEndpointId",
    "OutputValue": "vpce-0a1b2c3d4e5f67890"
  },
  {
    "OutputKey": "VPCEndpointPolicy",
    "OutputValue": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::my-bucket/*\"]}]}"
  }
]
```
Question 403 (medium, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO actions improve the security of an AWS account's root user? (Choose two.)

Question 404 (hard, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which THREE are valid methods to secure data in transit between a VPC and an on-premises network over the internet? (Choose three.)

Question 405 (easy, multi select)
Read the full Network Security, Compliance and Governance explanation →

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose two.)

Question 406 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. They have a web application running on EC2 instances in an Auto Scaling group in the public subnets. The application needs to read and write data to an S3 bucket. They want to ensure that traffic to S3 does not traverse the internet. The security team also requires that all traffic to S3 be logged. The current setup uses a NAT Gateway for outbound internet access. However, the NAT Gateway is a single point of failure and costs are high. They want to replace it with a more cost-effective and highly available solution that meets the logging requirement. What should they do?

Question 407easymulti select
Read the full Network Security, Compliance and Governance explanation →

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which TWO actions should be taken? (Choose two.)

Question 408easymulti select
Read the full Network Security, Compliance and Governance explanation →

A security team needs to block outbound traffic from an EC2 instance to known malicious IP addresses while allowing all other outbound traffic. Which THREE steps should be taken? (Choose three.)

Question 409mediummulti select
Read the full Network Security, Compliance and Governance explanation →

A company is designing a multi-account AWS environment using AWS Organizations. They need to enforce that all new S3 buckets created across accounts have encryption enabled and block public access. Which TWO approaches meet these requirements? (Choose two.)

Question 410mediummulti select
Review the full routing breakdown →

A network engineer is troubleshooting connectivity between two VPCs connected via a VPC peering connection. Security groups and NACLs are configured correctly. The engineer verifies that the route tables have the necessary entries. However, traffic from an EC2 instance in VPC A to an RDS instance in VPC B fails. Which TWO additional checks should be performed? (Choose two.)

Question 411hardmulti select
Review the full subnetting walkthrough →

A financial services company must meet PCI DSS compliance. They have a VPC with public and private subnets. The private subnets host applications that process credit card data. The security team wants to ensure that no data leaves the VPC to the internet except through a controlled egress point. Which THREE measures should be implemented? (Choose three.)

Question 412hardmulti select
Read the full VPN explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which THREE steps are required? (Choose three.)

Question 413easymultiple choice
Study the full ACL explanation →

A company hosts a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team wants to block a list of known malicious IP addresses from accessing the application. They have already created an AWS WAF web ACL and associated it with the ALB. What is the MOST efficient way to block the IP addresses?

Question 414easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet containing a NAT gateway and a private subnet containing EC2 instances. The EC2 instances need to download patches from the internet. The security team wants to ensure that the EC2 instances cannot initiate outbound connections to any other internet destinations. What should the network engineer do?

Question 415mediummultiple choice
Study the full ACL explanation →

A company has a production VPC with a public subnet and a private subnet. The private subnet hosts a database instance that should be accessible only from the application servers in the same VPC. The security team has configured the database security group to allow inbound traffic on port 3306 from the application security group. However, the application servers cannot connect to the database. The network ACLs are configured with default allow all rules. What is the MOST likely cause?

Question 416mediummultiple choice
Read the full Network Security, Compliance and Governance explanation →

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no EC2 instance in any account can be launched with a public IP address unless it is in a specific VPC. Which solution will meet this requirement?

Question 417mediummultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. They have a web server in the public subnet and a database in the private subnet. The web server needs to communicate with the database on port 3306. Security groups are configured as follows: Web server SG allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to database SG on port 3306. Database SG allows inbound from web server SG on port 3306. However, the web server cannot connect. Network ACLs are default. What is the issue?

Question 418hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection to AWS with a private VIF to a VPC. They also have a VPN connection as a backup. The BGP sessions are established. They want to ensure that traffic from on-premises to the VPC prefers the Direct Connect path over the VPN. The on-premises router is advertising the same prefix to both connections. What should the network engineer configure on the AWS side?

Question 419hardmultiple choice
Review the full routing breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a security requirement that all traffic between VPCs must be inspected by a third-party firewall deployed in a central inspection VPC. The Transit Gateway has route tables configured with blackhole routes for inter-VPC traffic, and the inspection VPC has the firewall. However, traffic is not being inspected; it is being dropped. What is the MOST likely cause?

Question 420hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet hosting a web server and a private subnet hosting a database. The web server must connect to the database on port 3306. Security groups are configured: Web SG allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to DB SG on port 3306. DB SG allows inbound from Web SG on port 3306. Network ACLs are default. The web server can connect to the database, but the security team notices that the database is also receiving connections from an unexpected IP address. What is the MOST likely cause?

Question 421hardmultiple choice
Read the full Network Security, Compliance and Governance explanation →

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have a CloudFront distribution and an Application Load Balancer (ALB) as origins. They want to receive notifications when a DDoS attack is detected. What is the MOST comprehensive way to set up notifications?
