Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.
Start practicing
Design Secure Architectures — choose a session length
Free · No account required
Domain overview
Use this page to practise secure architecture questions. The most common mistake is confusing the responsibility boundary — know which security controls AWS manages and which are your responsibility.
Exam objectives
IAM policies: identity-based, resource-based, permission boundaries.
VPC security: security groups vs NACLs, route tables, VPC endpoints.
Encryption: KMS, SSE-S3, SSE-KMS, client-side encryption.
AWS security services: GuardDuty, Inspector, Macie, Shield, WAF.
Security groups are stateful; NACLs are stateless.
KMS manages keys; it does not encrypt data directly.
GuardDuty detects threats; Inspector assesses vulnerabilities; Macie finds sensitive data.
A VPC endpoint keeps traffic off the public internet; it does not encrypt traffic.
Click any question to see the full explanation and answer options, or start a focused practice session above.
A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?
2A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?
3An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt". The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail. Which change will most directly fix the failure?
4A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/ . The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/". The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys. Which IAM policy change best enforces least privilege for both ListBucket and GetObject?
5A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.
6A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?
7A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.
8A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix. The role already has this statement: - Action: s3:ListBucket - Resource: arn:aws:s3:::prod-reporting Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?
9A third-party payroll vendor in another AWS account must assume a role in your account to write a daily settlement file to Amazon S3. You want to prevent confused-deputy attacks and make every assumed session traceable in CloudTrail back to an individual vendor user. Which three trust-policy or session controls should be used? Select three.
10A SaaS vendor will access your AWS resources by assuming an IAM role in your account. You want to prevent confused-deputy attacks and ensure the vendor can only assume the role using an agreed external identifier. Your role trust policy currently allows sts:AssumeRole from the vendor’s principal, but it does not include any external ID protection. Which change is the best next step?
11You use Amazon CloudFront in front of a private content S3 origin. To mitigate an OWASP Top 10 issue, you created a WAF web ACL and associated it to the CloudFront distribution, but attacks are still reaching the origin. CloudWatch logs show the web ACL rules never match for the CloudFront requests. What is the most likely configuration mistake?
12A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.
13A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
14You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?
15You use a customer managed AWS KMS key (CMK) to encrypt objects in an S3 bucket using SSE-KMS. A specific IAM role must be able to decrypt objects. Where should you grant kms:Decrypt permissions so that the role can decrypt data encrypted with that CMK?
16A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written. They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review. Which CloudTrail configuration change most directly provides the missing object-level visibility?
17You manage multiple AWS accounts under AWS Organizations. A compliance requirement states: no account is allowed to create new IAM access keys for IAM users. Local administrators may attempt to override permissions. Which mechanism should you use to enforce this guardrail across all accounts?
18A CI pipeline needs to upload build artifacts only to s3://ci-artifacts/uploads/*. You also want the pipeline to list only objects under uploads/ to verify that the upload succeeded. Which IAM policy approach is the best fit for least privilege?
19Security responders suspect exfiltration from an Amazon S3 bucket that stores sensitive reports encrypted with a customer managed KMS key. They need to identify which IAM principal downloaded each object and whether any principals called KMS Decrypt on the key during the same time window. Which two detective controls should be enabled? Select two.
20Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance. Which bucket policy change best enforces both requirements?
21A reporting application in Account B must read files from an S3 bucket in Account A. The bucket contains objects encrypted with a customer managed KMS key in Account A. The application role in Account B already has an identity policy allowing s3:GetObject on the bucket prefix, but requests still fail with AccessDenied. Which two changes are required for the application to read the objects? Select two.
22Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?
23A public web application sits behind Amazon CloudFront with an Application Load Balancer as the origin. The security team wants all edge traffic inspected by AWS WAF and also wants to prevent anyone on the internet from reaching the ALB directly. Which two changes should be made? Select two.
24Account A hosts an IAM role that Account B developers must assume for a limited task. You want to require MFA for anyone assuming the role. Which trust policy condition most directly enforces that requirement for sts:AssumeRole?
25Your organization hosts an internet-facing application behind an Amazon CloudFront distribution. You want to mitigate common web exploits (for example, SQL injection and XSS) at the edge. Which action is the most appropriate way to do this using AWS services?
26A web application behind an Application Load Balancer (ALB) currently allows client connections over HTTP (port 80). The security policy requires all client traffic to use HTTPS. What is the best ALB change to enforce this requirement?
27You have an EC2 instance in private subnets with no NAT Gateway. The instance must access an Amazon S3 bucket (for example, to read configuration files) without sending traffic to the public internet. What VPC endpoint type should you use for S3?
28A marketing portal serves private PDF files stored in Amazon S3 through CloudFront. Users authenticate to the portal first, and each download link must expire after one hour. The S3 origin must never be directly reachable from the internet. Which three actions should be used? Select three.
29A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager. Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?
30Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied". Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?
31You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests. Which change most likely fixes the issue?
32A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used. Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging. Which approach best satisfies the requirement?
33A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?
34Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com". Which change most directly resolves this while keeping instances private?
35Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?
36An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports. Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports. What is the most likely reason the traffic fails, and what should be updated?
37A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole". What is the most appropriate fix?
38A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?
39An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?
40A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible. Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking. Which architecture best meets these requirements?
41A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?
42Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?
43An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?
44Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project. AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag. Which change most directly fixes this issue?
45A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?
46A team stores important documents in Amazon S3. They want to recover earlier versions if someone overwrites or deletes a file by mistake. What should they enable?
47A platform team wants application developers to create IAM roles for their ECS tasks, but security must guarantee that no role created by those developers can ever exceed a predefined permission set. The developers also should not be able to attach broader permissions to themselves later. What should the team implement?
48An engineering team runs application servers in private subnets. The instances must download patches and software packages from Amazon S3, but the company does not want the traffic to traverse the internet or a NAT gateway. Which design should they use?
49Based on the exhibit, why is the IAM role still receiving AccessDenied even though it has AdministratorAccess attached?
50A startup has an HTTP API with highly unpredictable traffic from mobile devices. Each request performs lightweight validation, writes an event record, and triggers downstream notifications. The current EC2 fleet stays mostly idle, and the team wants to reduce infrastructure management and pay only for usage. Which two changes best fit the requirement? Select two.
51A company runs a customer portal in us-east-1 and a warm standby in us-west-2. The DNS name must send users to us-east-1 while it is healthy and automatically switch to us-west-2 if the primary application endpoint stops responding. Which two actions should the architect take? Select two.
52A web application uses Amazon RDS for MySQL in a Multi-AZ deployment. During a planned maintenance event, the team wants to understand which two statements about failover are accurate so they can design connection handling correctly. Which two statements are accurate? Select two.
53A studio keeps 4 PB of completed video projects in Amazon S3. Editors work on active projects for about 60 days, auditors occasionally review the same objects for several months, and legal policy requires retention for 7 years. Retrieval of very old files can take hours. Which three actions should the architect recommend? Select three.
54Several EC2 instances in different Availability Zones need to read and write the same shared file system. The file storage should stay available if one AZ has a problem. Which service should the team choose?
55A single EC2 instance hosts a database that needs low-latency block storage and a persistent volume that remains attached to the instance. Which AWS storage service is the best fit?
56A mobile app reads the same product catalog items repeatedly throughout the day. The DynamoDB table is already properly keyed, but read latency is still a problem during sales events. The team can tolerate eventually consistent reads and wants the least disruptive change. What should they add?
57A company runs a steady inventory API on AWS Fargate and AWS Lambda during the day, plus a nightly batch render farm on EC2 that can be interrupted and retried. The finance team wants the lowest predictable discount for the always-on compute and the lowest possible cost for the batch jobs. Which two purchasing choices should the architect recommend? Select two.
58A team runs an application on Amazon EC2 that connects to an Aurora database. The database password must rotate automatically every 30 days, and the application should retrieve the current secret at runtime using an IAM role. Which AWS service is the best fit?
59Match each database availability event to the AWS failover behavior that best describes it.
60A team runs a CPU-intensive image processing service on Amazon EC2. The service spends most of its time resizing and compressing images, and the team wants the best price-performance starting point for compute-heavy work. Which EC2 instance family should they choose?
61A production application stores critical data on an Amazon EBS volume. The team wants a simple backup method that allows the volume to be restored later if the server is lost. What should they use?
62A high-frequency trading analytics service runs on several EC2 instances in the same Availability Zone. The application exchanges small messages between nodes and is sensitive to microsecond-level network latency. Which design best meets the requirement?
63A Lambda function processes CPU-heavy JSON transformations and often runs slower than expected. The team wants to improve performance without changing the code. What should they try first?
64A legacy market-data service runs on EC2 and exposes a custom TCP protocol. Clients must connect over TCP with very low latency, and the team wants static IP addresses at the load-balancing layer. Which AWS service is the best fit?
65A database administrator wants a regular backup of an Amazon RDS database so the team can restore to a recent point in time if needed. Which AWS feature should they use?
66A company operates 40 AWS accounts and wants chargeback by application, environment, and business unit. Finance needs detailed line items, and engineering wants consistent monthly reports without manual spreadsheet work. The current tagging scheme is inconsistent, and many resources are missing billing metadata. Which three actions should the architect recommend? Select three.
67An order-processing application becomes slow when traffic spikes. The frontend should stay responsive even if downstream workers are temporarily overloaded. What should the team add to the design?
68Based on the exhibit, what is the most appropriate change to restore application access while keeping encryption at rest with customer-managed KMS controls?
69A media company has users around the world uploading 1 to 5 GB files directly to a single Amazon S3 bucket. Upload times are slow from distant regions, but the app must keep using S3 as the destination. What should the architects enable to improve upload performance?
70A backup process restores a 2 TB production database from an EBS snapshot onto a new volume. During the first hours after restore, the application sees slow reads whenever previously unused blocks are accessed. What is the best way to avoid this performance issue in future restores?
71Based on the exhibit, what is the most appropriate fix so the workload in Account A can access the S3 bucket in Account B without using long-lived access keys?
72Based on the exhibit, which AWS service should the team use so the database password can rotate automatically every 30 days and the application can retrieve it securely at runtime?
73A company has three workloads. First, a stable EC2 application will remain on the same instance family for at least one year. Second, an ECS service on Fargate may shift between launch types but has steady baseline usage. Third, a fault-tolerant nightly batch job can be interrupted and restarted. Which three pricing choices should the architect recommend? Select three.
74A development environment runs a small web app on EC2 and an Amazon RDS database, but it is used only on weekdays during office hours. The team wants to minimize spend and can tolerate a short startup delay after the environment is started. Which two changes should the architect recommend? Select two.
75A stateless web application runs on Amazon EC2 instances across two Availability Zones. The team wants unhealthy instances to be removed automatically and replaced without manual action. What is the best solution?
76An order-quote Lambda function is invoked directly by API Gateway. Traffic is predictable during the business day, and the first request after scaling from zero causes unacceptable latency. The team wants to keep the current architecture and reduce cold-start impact. Which configuration should they use?
77A website serves mostly cacheable images, CSS, and JavaScript from an ALB. Users in Europe and Asia report slower page loads, and the ALB receives far more requests than expected. The team also wants text assets compressed automatically. Which change is the best first step?
78A company has a primary application in us-east-1 and a standby environment in us-west-2. Users should go to the primary site while it is healthy and automatically switch to the standby site if the primary fails. Which Route 53 routing policy should they use?
79A company runs Amazon RDS for MySQL in a Multi-AZ configuration. If the primary database instance fails, what is the expected behavior?
80A Lambda function in Account A must upload reports to an S3 bucket in Account B. Security does not want long-lived access keys anywhere, and the access should be easy to revoke from Account B. Which approach is best?
81Based on the exhibit, what should the architect recommend to reduce inter-node latency for this workload?
82Match each operational condition to the load balancing or Auto Scaling behavior that should occur.
83A public web application is fronted by Amazon CloudFront and an ALB. The team is seeing SQL injection attempts and bursts of malicious HTTP requests that increase origin load. They want to block common web attacks before they reach the ALB. What should they do?
84An e-commerce application uses Aurora MySQL. Writes are modest, but the product-detail page generates many read-only queries and the writer instance CPU is high. The application can tolerate a small amount of replication lag on those reads. What should the team do?
85A finance application stores invoices in Amazon S3. Security requires that the data be encrypted with a key they control, and they want the ability to disable access quickly if the application is suspected of compromise. Developers do not want to manage encryption in application code. Which solution best meets these requirements?
86A security operations team wants continuous compliance checks for AWS resources. They need to know when an EBS volume becomes unencrypted or when a security group starts allowing SSH from 0.0.0.0/0. Which AWS service should they use?
87Based on the exhibit, which AWS service should the security team enable to continuously discover sensitive data stored inside Amazon S3 objects?
88A company hosts static images, CSS, and JavaScript files in an Amazon S3 bucket. Users around the world report slow page loads, and the origin receives many repeated requests for the same files. What should the team use to improve performance?
89A media company stores raw project files in Amazon S3. Files are accessed heavily for the first 60 days, occasionally for legal review during the next six months, and must be retained for 7 years. Retrieval for the oldest files can take hours. Which three actions should the architect recommend? Select three.
90Based on the exhibit, what is the best way to let private EC2 instances reach Amazon S3 and AWS Systems Manager without sending traffic through the internet or a NAT gateway?
91The web tier of an online scheduling app runs on an Auto Scaling group behind an ALB. Traffic spikes every weekday at 13:00 when a corporate newsletter is sent. CloudWatch shows CPU averages 18% outside that window, and the current fleet uses larger instances than the load test requires. The application is stateless and can scale out in a few minutes. Which two changes should the architect recommend? Select two.
92A company wants to protect a critical application from a full Region outage. The secondary Region should keep only a small amount of infrastructure running most of the time to control cost. Which disaster recovery strategy fits best?
93A company uses AWS Organizations and has separate development, test, and production accounts. The security team wants to ensure that no one in the sandbox organizational unit can disable AWS CloudTrail or delete the central audit bucket, even if an account administrator creates permissive IAM policies later. Which control should they use?
94Based on the exhibit, what should the security team implement so developers can create AWS Lambda execution roles, but no developer-created role can ever exceed the approved permission set?
95A mobile app reads the same product details many times per minute from Amazon DynamoDB. The table design is already correct, but repeated reads are still causing noticeable latency. Which service should the team add to improve read performance?
96A retail company lets developers deploy ECS services but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies. Which design best meets all requirements?
97An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present. Which IAM design best meets these requirements?
98A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services. Which architecture best satisfies these requirements?
99Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?
100Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?
101A data lake stores raw files in a single Amazon S3 bucket that is shared by three internal analytics teams. Each team should access only its own prefix, and the company wants to eliminate ACL management because objects come from multiple producers. Which three changes should the architect make? Select three.
102A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.
103Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS. What is the most secure and correct change to allow cross-account uploads to succeed?
104A containerized service on Amazon ECS connects to a database with a password that must never be stored in plaintext or hardcoded in the image. The application reads the password at startup and occasionally reconnects later, so it needs to retrieve the current secret when needed. Which three actions should the architect take? Select three.
105A startup runs an API on Amazon EC2. The instance must read items from one DynamoDB table and upload logs to one S3 bucket. Platform engineers also need a way to create new application roles, but those roles must never exceed a predefined set of permissions. Which three actions should the architect take? Select three.
106A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.
107Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?
108A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions. Which solution best meets these requirements?
109A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.
110A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs. Which change is the best fix while meeting the security requirements?
111Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?
112Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS. What is the most secure and correct change to allow cross-account uploads to succeed?
113A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions. Which solution best meets these requirements?
114A data lake stores raw files in a single Amazon S3 bucket that is shared by three internal analytics teams. Each team should access only its own prefix, and the company wants to eliminate ACL management because objects come from multiple producers. Which three changes should the architect make? Select three.
115A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.
116A retail company lets developers deploy ECS services but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies. Which design best meets all requirements?
117A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services. Which architecture best satisfies these requirements?
118A containerized service on Amazon ECS connects to a database with a password that must never be stored in plaintext or hardcoded in the image. The application reads the password at startup and occasionally reconnects later, so it needs to retrieve the current secret when needed. Which three actions should the architect take? Select three.
119A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs. Which change is the best fix while meeting the security requirements?
120Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?
121A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.
122Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?
123Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?
124A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.
125An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present. Which IAM design best meets these requirements?
126Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?
127A startup runs an API on Amazon EC2. The instance must read items from one DynamoDB table and upload logs to one S3 bucket. Platform engineers also need a way to create new application roles, but those roles must never exceed a predefined set of permissions. Which three actions should the architect take? Select three.
128Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?
129A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?
130A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible. Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking. Which architecture best meets these requirements?
131Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?
132An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?
133An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?
134Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com". Which change most directly resolves this while keeping instances private?
135A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?
136A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used. Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging. Which approach best satisfies the requirement?
137An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports. Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports. What is the most likely reason the traffic fails, and what should be updated?
138A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?
139A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole". What is the most appropriate fix?
140You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests. Which change most likely fixes the issue?
141Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project. AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag. Which change most directly fixes this issue?
142A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?
143An S3 bucket in account A uses default server-side encryption with an AWS KMS customer-managed key (CMK) in account A. A team created an IAM role in account B that is allowed by IAM policy to perform s3:GetObject on the bucket. When the account B role tries to read objects, it fails with: AccessDeniedException: 'User is not authorized to perform kms:Decrypt'. Which change is most likely to fix the issue?
144Your security team needs to detect and alert on any attempt to change sensitive policies, specifically S3 bucket policy changes and KMS key policy changes. The team wants alerts within minutes, and logs must be centrally retained for forensics. Which design best meets these detective control requirements using AWS-native services?
145A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?
146Account C wants engineers to access a role (RoleInAccountA) in account A using STS AssumeRole. Security policy requires that (1) only engineers from account C can assume the role, (2) they must provide an external ID value, and (3) the session must be MFA-authenticated. Which change is most appropriate in the RoleInAccountA trust policy to meet all three requirements?
147In an AWS Organizations environment, developers create IAM roles using an automation tool. The security team wants to guarantee that even if a developer attaches an overly permissive inline policy, the role cannot exceed a fixed set of allowed actions. The team already uses permission boundaries on each role. The tool’s role-creation API call succeeds, but one developer’s new role can still delete production S3 buckets. What is the most likely reason, and what should be corrected?
148Account B has an IAM role that includes kms:Decrypt for a specific KMS key ARN in account A. However, when the role tries to read an S3 object encrypted with that CMK, the application fails with AccessDenied: not authorized to perform kms:Decrypt. CloudTrail shows the KMS API call is denied by key policy. What is the most secure and correct fix?
149A security requirement states: all uploads to an S3 bucket must (1) use TLS in transit and (2) use server-side encryption with AWS KMS (SSE-KMS) using the CMK key id 'abcd-1234'; otherwise the upload should be rejected. A developer reports that uploads are succeeding even though clients are sometimes using non-encrypted requests. Which bucket policy approach most directly enforces both controls?
150You have an S3 bucket that stores customer-specific private files. You want to serve these files through CloudFront, where clients must use signed cookies (or signed URLs) to access the content. In addition, you need to block common web exploits and rate-limit suspicious traffic at the edge. Which design best meets these requirements?
151An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains: "purpose" = "myapp-secrets" After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?
152You serve private reports stored in an S3 bucket through CloudFront. After a recent change, users report that they can access the S3 object URLs directly (bypassing CloudFront), which violates your design. You want to ensure S3 objects are readable only through CloudFront using Origin Access Control (OAC), even if someone guesses the S3 URL. Which update best enforces this at the S3 bucket level?
153A backend service in AWS uses an IAM role to upload large files to an S3 bucket using multipart upload. The upload typically succeeds, but it intermittently fails during cleanup with this error: "AccessDenied: User is not authorized to perform: s3:AbortMultipartUpload" The role identity policy currently allows only: - s3:PutObject on arn:aws:s3:::my-bucket/uploads/* - s3:ListBucket on arn:aws:s3:::my-bucket with a prefix condition What is the best least-privilege change to fix the cleanup failure?
154Account A hosts a role named AppReadRole. Account B needs to access it using STS AssumeRole. Account A’s role trust policy includes this condition: - StringEquals: { "sts:ExternalId": "b-7f9a" } When Account B runs: aws sts assume-role --role-arn arn:aws:iam::111111111111:role/AppReadRole --role-session-name test the call fails with: "AccessDenied: ExternalId mismatch". What should Account B change?
155Your organization uses IAM permission boundaries to prevent engineers from escalating privileges. An automated pipeline creates an IAM role for an application deployment and attaches a permission boundary. After deployment, the pipeline reports that the role could create a new KMS key. The permission boundary policy attached to the role allows only (for a specific KMS key ARN, prod-key): - kms:Decrypt - kms:DescribeKey There is no Allow statement for: - iam:CreateKey - kms:CreateKey What is the most likely reason the role was still able to create a KMS key?
156An AWS Organizations setup uses an SCP to enforce that developers can read only non-production secrets. A developer role in a member account is correctly configured with an identity policy that allows: - secretsmanager:GetSecretValue on arn:aws:secretsmanager:us-east-1:222222222222:secret:app/* However, the developer gets AccessDenied with an error message mentioning an organization policy (SCP). The SCP includes this Deny statement: "Deny secretsmanager:GetSecretValue on * unless secretsmanager:ResourceTag/environment equals 'dev'". Which change best restores access for secrets tagged environment=dev while still blocking prod secrets?
157A company wants S3 access to be available only from private connectivity. They created an Interface VPC Endpoint for S3 (that provides private connectivity from their VPC to S3) and configured the application to use it from private subnets. The IAM role allows: - s3:GetObject on arn:aws:s3:::confidential-bucket/reports/* However, requests fail with AccessDenied. The S3 bucket policy includes an allow statement that permits GetObject only if: - aws:SourceVpce equals "vpce-0abc12345def6789" After redeploying the VPC endpoint, the application still uses the same IAM permissions but gets AccessDenied. What change is most likely to fix the issue?
158A microservice reads a secret from AWS Secrets Manager using its task role (ServiceRole). The secret is configured to use a customer-managed CMK. In production, the service fails with AccessDeniedException on GetSecretValue. CloudTrail shows that Secrets Manager attempted kms:Decrypt but was denied. Which IAM policy change is most appropriate to fix the failure while keeping least privilege?
159A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?
160Account A has an IAM role named FinanceDataRole that is assumed by a principal in Account B. The role’s trust policy includes a condition requiring sts:ExternalId to equal "Fin-2026-Q2". A developer in Account B calls AssumeRole but receives an error: AccessDenied: ExternalId mismatch. The security team requires that you do not remove the ExternalId condition. What is the correct remediation?
161Your organization uses IAM permission boundaries to prevent privilege escalation. A deployment role was created with a permission boundary. After an incident, you discover that an operator was later able to remove or change the permission boundary (the operator has iam:PutRolePermissionsBoundary permissions). You need to ensure operators cannot remove or change the permission boundary after it is set. What is the best security control to add?
162In AWS Organizations, a Service Control Policy (SCP) denies kms:Decrypt on a production CMK for all principals in the Finance OU. A developer in the Finance OU created/updated an IAM policy that allows secrets access, but the application still fails with AccessDenied due to the SCP. You must enable only the Finance OU to decrypt that specific CMK while keeping the SCP restrictions for other OUs. What is the correct remediation?
163A service reads encrypted data from Amazon S3. The S3 objects use a customer-managed CMK. The IAM role used by the service has kms:Decrypt in its identity policy, but decryption fails with a KMS error stating the role is not authorized to perform kms:CreateGrant. The CMK’s key policy allows kms:Decrypt for the role but does not include kms:CreateGrant. What is the most appropriate change to resolve the failure while preserving least privilege?
164A microservice running in ECS retrieves a secret from AWS Secrets Manager. The secret is encrypted with a customer-managed CMK. An administrator re-keyed the secret to a new CMK (the key ARN changed), but kept the same KMS alias name. After re-keying, the service fails with an error from KMS: AccessDenied for kms:Decrypt. The ECS task role’s IAM policy still grants kms:Decrypt but only for the old CMK ARN. What is the best remediation to restore access while maintaining least privilege?
165A static website uses an Amazon S3 bucket as the origin for an Amazon CloudFront distribution. The team accidentally configured the S3 bucket policy to allow s3:GetObject to Principal "*", so objects are accessible via direct S3 URLs. They want to ensure objects are retrievable only through CloudFront. What is the best corrective action?
166A microservice runs in private subnets and must read exactly one AWS Secrets Manager secret using its IAM task role: arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-pass-AbCdEf Security requires that every Secrets Manager API call comes only through a specific Interface VPC Endpoint (vpce-0a1b2c3d4e5f6g7h), and must not be reachable over any other network path. Which IAM policy change best enforces this requirement?
167A customer-managed KMS key (CMK) encrypts SQS messages. A consumer service uses an IAM role that includes kms:Decrypt permission for that CMK. After a security change, the consumer fails with: "AccessDeniedException: kms:Decrypt is not allowed" CloudTrail indicates the KMS request is reaching KMS, but the CMK key policy no longer includes the consumer role (or its principal). What is the best fix?
168Account Y provides a role named AnalyticsReadOnly to engineers in Account X. The role trust policy currently allows sts:AssumeRole from the Account X principal. A new security requirement states that only STS sessions created with MFA are allowed to assume the role. Which trust policy condition is the best choice to enforce MFA for sts:AssumeRole?
169Your AWS Organization uses a Service Control Policy (SCP) that includes a Deny statement for secretsmanager:GetSecretValue for all member accounts in the "Finance" OU when requests are made outside us-east-1. An application role has an IAM policy that allows secretsmanager:GetSecretValue for the required secret in us-west-2. In us-west-2, requests fail with AccessDenied. What is the most appropriate action?
170A deployment engineer created an IAM role for an automation workflow (AppDeployRole). The role has an attached identity policy that allows iam:CreateRole for specific resource ARNs. However, the role is also created with a permission boundary named DeployBoundary. The DeployBoundary policy currently does not include the iam:CreateRole action. During execution, the automation fails with AccessDenied for iam:CreateRole, even though the attached identity policy allows it. What is the best fix?
171A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?
172Company A (account 1111) hosts an IAM role (RoleInAccountA) that is assumed by a workload in Company B (account 2222) using sts:AssumeRole. Security requires that only Company B’s intended workload can assume the role, even if another principal in account 2222 tries to assume it. The trust policy already restricts who can assume the role to account 2222. What additional trust policy condition most directly satisfies this requirement?
173A CI/CD system creates an IAM role (CICDRole) used for deployments. Your organization uses IAM permission boundaries to prevent developers from granting themselves higher privileges. After an incident, you discover that CICDRole can perform unintended IAM actions because the role’s identity policy includes broad permissions. Which change most directly ensures permission boundaries continue to restrict CICDRole regardless of what is later added to the role’s identity policies?
174Account 3000 owns a customer-managed KMS key (key-K). A data processing team in account 4000 needs to decrypt data encrypted with key-K. The role in account 4000 already has an identity policy allowing kms:Decrypt on key-K. Despite this, decrypt requests fail with an AccessDenied error referencing KMS. What is the most likely missing authorization step?
175A microservice runs in private subnets with no NAT gateway. It must retrieve a secret from AWS Secrets Manager. Security requires that traffic to Secrets Manager stays within AWS’s private network (no public internet egress). The IAM role already grants secretsmanager:GetSecretValue for the needed secret. What is the best network setup to meet the requirement?
176A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?
177You must ensure that all requests to an S3 bucket use TLS (HTTPS). Which S3 bucket policy approach best enforces this requirement for S3 access?
178Your AWS Organizations environment has an SCP that explicitly denies kms:Decrypt for principals in the Production OU. A member account IAM policy for a user grants kms:Decrypt on the required KMS key. If that user attempts kms:Decrypt, what happens?
179A microservice needs to read exactly one secret value from AWS Secrets Manager. Which IAM permission statement provides the best least-privilege approach to allow the microservice to retrieve that secret value?
180A company has an Amazon S3 bucket for sensitive reports. They must ensure that any object uploaded with s3:PutObject is encrypted using AWS KMS (SSE-KMS). Which S3 bucket policy approach best enforces this by denying uploads that do not use SSE-KMS?
181Account A hosts an IAM role (RoleInAccountA). The trust policy in Account A correctly allows a specific principal from Account B to call sts:AssumeRole. However, when Account B’s application calls sts:AssumeRole, it receives an AccessDenied error. What is the most likely missing requirement in Account B?
182A service role has an IAM policy granting kms:Decrypt for a specific AWS KMS key. The application still fails to decrypt with an AccessDenied error. What change most directly fixes this when the KMS key policy is missing the role’s permissions?
183Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?
184A company stores private report PDFs in an S3 bucket. They want users to access PDFs only through CloudFront. Even if someone knows the S3 object URL, direct S3 access must fail. What is the best S3 bucket policy approach?
185Your company uses an OIDC identity provider to let users assume an IAM role without long-term AWS credentials. In the IAM role trust policy, which STS action must be allowed to support this type of federation?
186A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?
187A public API is served through an Application Load Balancer and protected by AWS WAF. The team wants AWS to automatically block clients that send too many requests from the same IP address within a short time window. Which AWS WAF feature is the best fit?
188An S3 bucket uses a customer-managed KMS key as the default for SSE-KMS encryption. A service role will upload objects using s3:PutObject. Assuming the role already has permission to write to the bucket, which KMS permission is most directly required for the role to let S3 encrypt the object during upload?
189A containerized service needs to read exactly one secret value from AWS Secrets Manager. The secret’s ARN is already known, and the secret is encrypted with the AWS-managed KMS key for Secrets Manager, so no separate KMS permissions are needed for this question. The service does not need to list secrets, create secrets, rotate them, or write updates. What is the most least-privilege IAM permission statement to grant the service role?
190A security team needs an audit trail to investigate suspicious API activity across multiple AWS accounts. Which AWS approach best provides centralized visibility into who did what, when, for service API calls?
191An internal web application must require encrypted client connections. The company currently has an ALB listener on port 80 (HTTP), and users can access the application over plain HTTP. What is the best change to ensure all client traffic uses HTTPS?
192Based on the exhibit, a workload in Account B must assume a role in Account A. Security requires that only the specific role arn:aws:iam::444455556666:role/PipelineExecRole can assume it, and only when the caller supplies the external ID acct-b-prod-7788. Which change best satisfies the requirement with the least privilege?
193Based on the exhibit, an automation pipeline in several member accounts creates IAM roles for application deployments. Security says no future role may exceed the approved boundary arn:aws:iam::123456789012:policy/DeployBoundary, even if someone later attaches AdministratorAccess. What should you implement to enforce this across the organization?
194Based on the exhibit, an application role in Account B can reach an S3 bucket in Account A, but reads fail with AccessDenied on KMS. The bucket objects use SSE-KMS with a customer managed key in Account A. What change is required so the application can decrypt the objects while keeping the access restricted?
195Based on the exhibit, an EC2 application runs in private subnets with no NAT gateway and must retrieve a secret from AWS Secrets Manager. The secret uses a customer managed KMS key. Which change will allow the application to reach the service while keeping traffic off the internet?
196Based on the exhibit, users must access private PDF reports only through CloudFront. Direct requests to the S3 object URL must fail, and the bucket should not be publicly readable. Which solution is the best fit?
197Based on the exhibit, the security team needs to detect and alert on both successful and failed attempts to change S3 bucket policies and KMS key policies across the organization. Which solution best meets that requirement?
198Based on the exhibit, a public API is behind CloudFront and is experiencing bursts of requests from the same client IP, causing upstream saturation. The team wants AWS to automatically block that IP when the request rate becomes excessive while keeping enforcement as close to the client as possible. Which control should they add?
199Based on the exhibit, a CI pipeline assumes a shared deployment role in Account A. The role can access several artifact prefixes, but this pipeline must only upload to teamA/prod/ and decrypt using a single KMS key for this execution. Changing the shared role would affect other pipelines. Which approach should the pipeline use?
200Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?
201Based on the exhibit, a batch platform in Account B must assume a role in Account A. Only the specific role arn:aws:iam::222233334444:role/BatchRunner should be allowed to assume it, and the design must prevent any other role in Account B from reusing the same external ID. Which change best meets the requirement?
202Based on the exhibit, an application in the same AWS account can upload and read objects in an S3 bucket encrypted with a customer managed KMS key, but GetObject fails with an AccessDenied error from AWS KMS. The IAM role already has s3:GetObject, s3:PutObject, kms:Decrypt, and kms:GenerateDataKey permissions. What change most directly fixes the issue while preserving least privilege?
203Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?
204Based on the exhibit, a company stores sensitive PDFs in S3 and serves them through CloudFront. Direct requests to the S3 object URL must fail, but CloudFront should still be able to fetch the files securely. Which solution best satisfies the requirement?
205Based on the exhibit, the security team wants centralized detection and alerting for both successful and failed attempts to change S3 bucket policies and KMS key policies across multiple accounts. Which approach best meets the requirement?
206Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?
207Based on the exhibit, a public API is behind CloudFront. A single client IP is sending bursts of requests that are overwhelming the origin, and the team wants AWS to automatically mitigate the abuse at the edge without changing the application code. What should the team do?
208Based on the exhibit, a central deployment role in Account A is assumed by several CI/CD pipelines from Account B. The role must remain reusable, but the team wants the TeamA pipeline to upload artifacts only to s3://artifact-bucket/teamA/prod/ without creating a separate IAM role. What is the best approach?
209A microservice runs on an EC2 instance using an instance role. It must retrieve exactly one secret value from AWS Secrets Manager. The secret ARN is arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf. The secret is encrypted with the default AWS-managed Secrets Manager KMS key (alias/aws/secretsmanager). Which IAM policy statement provides the best least-privilege access?
210Company A must allow workloads in Company B to assume an IAM role in Company A (RoleInA). To mitigate confused-deputy attacks, a Security requirement is to use an External ID. Company A should restrict who can assume RoleInA. Which trust-policy configuration is the best choice?
211A cross-account IAM role in Account B reads encrypted S3 objects from Account A. The objects use SSE-KMS with a customer-managed KMS key in Account A. Account B can successfully call s3:GetObject, but decryption fails with an AccessDeniedException from KMS. What change most directly fixes the issue?
212You have EC2 instances in private subnets with no NAT gateway. They must retrieve secrets from AWS Secrets Manager without sending traffic to the public internet. Which VPC endpoint type is the correct choice for connecting to AWS Secrets Manager?
213An internal web application is exposed through an Application Load Balancer (ALB). The ALB currently has only an HTTP listener on port 80. Security requires that all client traffic be encrypted in transit. What is the best next step?
214A company serves a public API through a CloudFront distribution. They want to automatically block common web exploits (for example, OWASP Top 10–style threats) without building custom detection logic. Which AWS service configuration best meets the goal?
215A company stores sensitive PDFs in Amazon S3 and serves them through CloudFront. Users must access PDFs only through CloudFront, and direct S3 URL requests must fail. Which three changes should be implemented? Select three.
216An application in Account B reads objects from an Amazon S3 bucket in Account A. The bucket uses SSE-KMS with a customer managed key in Account A. The role in Account B already has s3:GetObject, but downloads fail with AccessDenied on decrypt. Which two changes are required for the role to read the object successfully? Select two.
217A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.
218A software vendor in Account B must assume a role in Account A to process support tickets. Security wants to prevent confused deputy attacks. Which two configurations are required for this access pattern to work safely? Select two.
219An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.
220A public API is delivered through CloudFront and an Application Load Balancer. The security team wants AWS to automatically block repetitive bursts from the same client IP and also reduce exposure to common web exploits without custom code. Which two AWS WAF features should be enabled? Select two.
221A SaaS vendor’s automation account in Account B needs to assume a role in a customer account in Account A to read a specific S3 bucket and publish a deployment status file. The customer is worried about confused deputy attacks because multiple customers use the same vendor software. Which trust-policy design best meets the requirement?
222A platform team lets application teams create IAM roles in member accounts through Infrastructure as Code. Security says every new role must stay within a centrally approved permission ceiling, even if someone later attaches broader managed policies or inline policies. Which control should be used to enforce that maximum permission set?
223An application runs in private subnets and must download objects from Amazon S3 and read one secret from AWS Secrets Manager. NAT gateways are prohibited, and traffic must not traverse the public internet. The secret uses a customer managed KMS key. Which design is best?
224A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
225A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use?
226A Lambda function for a order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?
227An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
228A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?
229A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure scalable access pattern?
230A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?
231A public API for a customer analytics portal is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
232A company is encrypting sensitive S3 data for a IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
233Developers for a e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?
234A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?
235A company hosts a image sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
236A order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?
237A financial reporting platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?
238A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
239A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The design must avoid adding custom operational scripts.
240A Lambda function for a mobile banking backend needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?
241An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a customer analytics portal. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
242A web application for a IoT ingestion API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?
243A partner company needs read-only access to reports in an S3 bucket for a e-learning platform. The partner has its own AWS account. What is the most secure scalable access pattern?
244A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?
245A public API for a image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
246A company is encrypting sensitive S3 data for a order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
247Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?
248A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?
249A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
250A mobile banking backend stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?
251A customer analytics portal uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?
252A solutions architect is designing an S3 bucket for a IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
253A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The architecture review board prefers a managed AWS-native control.
254A Lambda function for a claims portal needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?
255An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a image sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
256A web application for a order processing API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?
257A partner company needs read-only access to reports in an S3 bucket for a financial reporting platform. The partner has its own AWS account. What is the most secure scalable access pattern?
258A healthcare document service uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?
259A public API for a B2B file exchange site is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
260A company is encrypting sensitive S3 data for a mobile banking backend with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
261Developers for a customer analytics portal need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?
262A IoT ingestion API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?
263A company hosts a e-learning platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
264A claims portal stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?
265A image sharing application uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?
266A solutions architect is designing an S3 bucket for a order processing API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
267A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The team wants the control to be enforceable during normal operations.
268A Lambda function for a healthcare document service needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?
269An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a B2B file exchange site. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
270A web application for a mobile banking backend is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?
271A partner company needs read-only access to reports in an S3 bucket for a customer analytics portal. The partner has its own AWS account. What is the most secure scalable access pattern?
272A IoT ingestion API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?
273A public API for a e-learning platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
274A company is encrypting sensitive S3 data for a claims portal with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
275Developers for a image sharing application need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?
276A order processing API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?
277A company hosts a financial reporting platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
278A healthcare document service stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?
279A B2B file exchange site uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?
280A solutions architect is designing an S3 bucket for a mobile banking backend. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
281A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The business wants to avoid a reactive-only remediation approach.
282A Lambda function for a IoT ingestion API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?
283An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a e-learning platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
284A web application for a claims portal is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?
285A partner company needs read-only access to reports in an S3 bucket for a image sharing application. The partner has its own AWS account. What is the most secure scalable access pattern?
286A order processing API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?
287A public API for a financial reporting platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
288A company is encrypting sensitive S3 data for a healthcare document service with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?
289Developers for a B2B file exchange site need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?
290A mobile banking backend must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?
291A company hosts a customer analytics portal on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
292A IoT ingestion API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?
293A e-learning platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?
294A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
295A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The implementation must work across routine deployments without manual intervention.
296A Lambda function for a order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used? The design must avoid adding custom operational scripts.
297An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy? The design must avoid adding custom operational scripts.
298A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy? The design must avoid adding custom operational scripts.
299A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure scalable access pattern? The design must avoid adding custom operational scripts.
300A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.
Deep-dive questions
The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.
Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.
The Courseiva SAA-C03 question bank contains 300 questions in the Design Secure Architectures domain, covering the 30% of the exam attributed to this domain in the official Amazon Web Services blueprint. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Design Secure Architectures domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included