© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
SAA-C03 Design Secure Architectures • Complete Question Bank

SAA-C03 Design Secure Architectures — All Questions With Answers

Complete SAA-C03 Design Secure Architectures question bank — all 0 questions with answers and detailed explanations.

336 questions, free, no signup.
Question 1 (easy, multiple choice)

A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?

Question 2 (easy, multiple choice)

A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?

Question 3 (medium, multiple choice)

An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt".

The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail.

Which change will most directly fix the failure?

Question 4 (medium, multiple choice)

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/. The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/".

The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys.

Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

Question 5 (hard, multi select)

A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.

Question 6 (easy, multiple choice)

A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?

Question 7 (hard, multi select)

A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.

Question 8 (medium, multiple choice)

A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix.

The role already has this statement:
- Action: s3:ListBucket
- Resource: arn:aws:s3:::prod-reporting

Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?

Question 9 (hard, multi select)

A third-party payroll vendor in another AWS account must assume a role in your account to write a daily settlement file to Amazon S3. You want to prevent confused-deputy attacks and make every assumed session traceable in CloudTrail back to an individual vendor user. Which three trust-policy or session controls should be used? Select three.

Question 10 (medium, multiple choice)

A SaaS vendor will access your AWS resources by assuming an IAM role in your account. You want to prevent confused-deputy attacks and ensure the vendor can only assume the role using an agreed external identifier.

Your role trust policy currently allows sts:AssumeRole from the vendor’s principal, but it does not include any external ID protection. Which change is the best next step?

Question 11 (medium, multiple choice)

You use Amazon CloudFront in front of a private content S3 origin. To mitigate an OWASP Top 10 issue, you created a WAF web ACL and associated it to the CloudFront distribution, but attacks are still reaching the origin.

CloudWatch logs show the web ACL rules never match for the CloudFront requests.

What is the most likely configuration mistake?

Question 12 (hard, multi select)

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 13 (easy, multiple choice)

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 14 (easy, multiple choice)

You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?

Question 15 (easy, multiple choice)

You use a customer managed AWS KMS key (CMK) to encrypt objects in an S3 bucket using SSE-KMS. A specific IAM role must be able to decrypt objects. Where should you grant kms:Decrypt permissions so that the role can decrypt data encrypted with that CMK?

Question 16 (medium, multiple choice)

A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written.

They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review.

Which CloudTrail configuration change most directly provides the missing object-level visibility?

Question 17 (easy, multiple choice)

You manage multiple AWS accounts under AWS Organizations. A compliance requirement states: no account is allowed to create new IAM access keys for IAM users. Local administrators may attempt to override permissions. Which mechanism should you use to enforce this guardrail across all accounts?

Question 18 (easy, multiple choice)

A CI pipeline needs to upload build artifacts only to s3://ci-artifacts/uploads/*. You also want the pipeline to list only objects under uploads/ to verify that the upload succeeded. Which IAM policy approach is the best fit for least privilege?

Question 19 (hard, multi select)

Security responders suspect exfiltration from an Amazon S3 bucket that stores sensitive reports encrypted with a customer managed KMS key. They need to identify which IAM principal downloaded each object and whether any principals called KMS Decrypt on the key during the same time window. Which two detective controls should be enabled? Select two.

Question 20 (medium, multiple choice)

Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance.

Which bucket policy change best enforces both requirements?

Question 21 (hard, multi select)

A reporting application in Account B must read files from an S3 bucket in Account A. The bucket contains objects encrypted with a customer managed KMS key in Account A. The application role in Account B already has an identity policy allowing s3:GetObject on the bucket prefix, but requests still fail with AccessDenied. Which two changes are required for the application to read the objects? Select two.

Question 22 (easy, multiple choice)

Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?

Question 23 (hard, multi select)

A public web application sits behind Amazon CloudFront with an Application Load Balancer as the origin. The security team wants all edge traffic inspected by AWS WAF and also wants to prevent anyone on the internet from reaching the ALB directly. Which two changes should be made? Select two.

Question 24 (easy, multiple choice)

Account A hosts an IAM role that Account B developers must assume for a limited task. You want to require MFA for anyone assuming the role. Which trust policy condition most directly enforces that requirement for sts:AssumeRole?

Question 25 (easy, multiple choice)

Your organization hosts an internet-facing application behind an Amazon CloudFront distribution. You want to mitigate common web exploits (for example, SQL injection and XSS) at the edge. Which action is the most appropriate way to do this using AWS services?

Question 26 (easy, multiple choice)

A web application behind an Application Load Balancer (ALB) currently allows client connections over HTTP (port 80). The security policy requires all client traffic to use HTTPS. What is the best ALB change to enforce this requirement?

Question 27 (easy, multiple choice)

You have an EC2 instance in private subnets with no NAT Gateway. The instance must access an Amazon S3 bucket (for example, to read configuration files) without sending traffic to the public internet. What VPC endpoint type should you use for S3?

Question 28 (hard, multi select)

A marketing portal serves private PDF files stored in Amazon S3 through CloudFront. Users authenticate to the portal first, and each download link must expire after one hour. The S3 origin must never be directly reachable from the internet. Which three actions should be used? Select three.

Question 29 (medium, multiple choice)

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.

Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

Question 30 (medium, multiple choice)

Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied".

Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?

Question 31 (medium, multiple choice)

You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests.

Which change most likely fixes the issue?

Question 32 (medium, multiple choice)

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used.

Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging.

Which approach best satisfies the requirement?

Question 33 (medium, multiple choice)

A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?

Question 34 (medium, multiple choice)

Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com".

Which change most directly resolves this while keeping instances private?

Question 35 (medium, multiple choice)

Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?

Question 36 (medium, multiple choice)

An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports.

Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports.

What is the most likely reason the traffic fails, and what should be updated?

Question 37 (medium, multiple choice)

A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole".

What is the most appropriate fix?

Question 38 (easy, multiple choice)

A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?

Question 39 (medium, multiple choice)

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

Question 40 (medium, multiple choice)

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.

Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.

Which architecture best meets these requirements?

Question 41 (medium, multiple choice)

A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?

Question 42 (medium, multiple choice)

Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?

Question 43 (medium, multiple choice)

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

Question 44 (medium, multiple choice)

Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project.

AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag.

Which change most directly fixes this issue?

Question 45 (medium, multiple choice)

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

Question 46 (easy, multiple choice)

A team stores important documents in Amazon S3. They want to recover earlier versions if someone overwrites or deletes a file by mistake. What should they enable?

Question 47 (medium, multiple choice)

A platform team wants application developers to create IAM roles for their ECS tasks, but security must guarantee that no role created by those developers can ever exceed a predefined permission set. The developers also should not be able to attach broader permissions to themselves later. What should the team implement?

Question 48 (medium, multiple choice)

An engineering team runs application servers in private subnets. The instances must download patches and software packages from Amazon S3, but the company does not want the traffic to traverse the internet or a NAT gateway. Which design should they use?

Question 49 (medium, multiple choice)

Based on the exhibit, why is the IAM role still receiving AccessDenied even though it has AdministratorAccess attached?

Exhibit

AWS Organizations policy summary:

Root OU: Full access
Production OU: SCP attached

SCP content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
      "Resource": "*"
    }
  ]
}

CloudTrail event:
- userIdentity: arn:aws:iam::444455556666:role/OpsAdmin
- eventName: CreateSnapshot
- errorCode: AccessDenied
- errorMessage: action denied by organizations service control policy

Question 50 (hard, multi select)

A startup has an HTTP API with highly unpredictable traffic from mobile devices. Each request performs lightweight validation, writes an event record, and triggers downstream notifications. The current EC2 fleet stays mostly idle, and the team wants to reduce infrastructure management and pay only for usage. Which two changes best fit the requirement? Select two.

Question 51 (medium, multi select)

A company runs a customer portal in us-east-1 and a warm standby in us-west-2. The DNS name must send users to us-east-1 while it is healthy and automatically switch to us-west-2 if the primary application endpoint stops responding. Which two actions should the architect take? Select two.

Question 52 (medium, multi select)

A web application uses Amazon RDS for MySQL in a Multi-AZ deployment. During a planned maintenance event, the team wants to understand which two statements about failover are accurate so they can design connection handling correctly. Which two statements are accurate? Select two.

Question 53 (hard, multi select)

A studio keeps 4 PB of completed video projects in Amazon S3. Editors work on active projects for about 60 days, auditors occasionally review the same objects for several months, and legal policy requires retention for 7 years. Retrieval of very old files can take hours. Which three actions should the architect recommend? Select three.

Question 54 (easy, multiple choice)

Several EC2 instances in different Availability Zones need to read and write the same shared file system. The file storage should stay available if one AZ has a problem. Which service should the team choose?

Question 55 (easy, multiple choice)

A single EC2 instance hosts a database that needs low-latency block storage and a persistent volume that remains attached to the instance. Which AWS storage service is the best fit?

Question 56 (medium, multiple choice)

A mobile app reads the same product catalog items repeatedly throughout the day. The DynamoDB table is already properly keyed, but read latency is still a problem during sales events. The team can tolerate eventually consistent reads and wants the least disruptive change. What should they add?

Question 57 (hard, multi select)

A company runs a steady inventory API on AWS Fargate and AWS Lambda during the day, plus a nightly batch render farm on EC2 that can be interrupted and retried. The finance team wants the lowest predictable discount for the always-on compute and the lowest possible cost for the batch jobs. Which two purchasing choices should the architect recommend? Select two.

Question 58 (medium, multiple choice)

A team runs an application on Amazon EC2 that connects to an Aurora database. The database password must rotate automatically every 30 days, and the application should retrieve the current secret at runtime using an IAM role. Which AWS service is the best fit?

Question 59 (hard, matching)

Match each database availability event to the AWS failover behavior that best describes it.

Matches:

The standby in another Availability Zone is promoted, and the same database endpoint remains in use after a brief reconnect.

Aurora promotes another healthy instance to writer while the shared storage layer stays intact across Availability Zones.

A manual failover can be triggered so the standby becomes primary before the reboot finishes.

Only that reader is removed from the reader set; the cluster can still serve read traffic through the remaining healthy readers.

Question 60 (easy, multiple choice)

A team runs a CPU-intensive image processing service on Amazon EC2. The service spends most of its time resizing and compressing images, and the team wants the best price-performance starting point for compute-heavy work. Which EC2 instance family should they choose?

Question 61 (easy, multiple choice)

A production application stores critical data on an Amazon EBS volume. The team wants a simple backup method that allows the volume to be restored later if the server is lost. What should they use?

Question 62 (medium, multiple choice)

A high-frequency trading analytics service runs on several EC2 instances in the same Availability Zone. The application exchanges small messages between nodes and is sensitive to microsecond-level network latency. Which design best meets the requirement?

Question 63 (easy, multiple choice)

A Lambda function processes CPU-heavy JSON transformations and often runs slower than expected. The team wants to improve performance without changing the code. What should they try first?

Question 64 (medium, multiple choice)

A legacy market-data service runs on EC2 and exposes a custom TCP protocol. Clients must connect over TCP with very low latency, and the team wants static IP addresses at the load-balancing layer. Which AWS service is the best fit?

Question 65 (easy, multiple choice)

A database administrator wants a regular backup of an Amazon RDS database so the team can restore to a recent point in time if needed. Which AWS feature should they use?

Question 66 (hard, multi select)

A company operates 40 AWS accounts and wants chargeback by application, environment, and business unit. Finance needs detailed line items, and engineering wants consistent monthly reports without manual spreadsheet work. The current tagging scheme is inconsistent, and many resources are missing billing metadata. Which three actions should the architect recommend? Select three.

Question 67 (easy, multiple choice)

An order-processing application becomes slow when traffic spikes. The frontend should stay responsive even if downstream workers are temporarily overloaded. What should the team add to the design?

Question 68 (medium, multiple choice)

Based on the exhibit, what is the most appropriate change to restore application access while keeping encryption at rest with customer-managed KMS controls?

Exhibit

Application log excerpt:

2026-04-11T09:14:22Z ERROR S3 GetObject failed: AccessDenied
2026-04-11T09:14:22Z ERROR KMS Decrypt failed for key arn:aws:kms:us-east-1:111122223333:key/abcd-1234

Current setup:
- S3 bucket default encryption: SSE-KMS
- EC2 application role: AppServerRole
- Bucket policy allows s3:GetObject for AppServerRole
- KMS key policy currently allows only the account root principal
- No direct KMS permissions are attached to AppServerRole

Question 69 (medium, multiple choice)

A media company has users around the world uploading 1 to 5 GB files directly to a single Amazon S3 bucket. Upload times are slow from distant regions, but the app must keep using S3 as the destination. What should the architects enable to improve upload performance?

Question 70 (medium, multiple choice)

A backup process restores a 2 TB production database from an EBS snapshot onto a new volume. During the first hours after restore, the application sees slow reads whenever previously unused blocks are accessed. What is the best way to avoid this performance issue in future restores?

Question 71 (medium, multiple choice)

Based on the exhibit, what is the most appropriate fix so the workload in Account A can access the S3 bucket in Account B without using long-lived access keys?

Exhibit

Cross-account access attempt:

Account A:
- EC2 instance profile role: arn:aws:iam::111122223333:role/AppRole
- Identity policy allows s3:GetObject on arn:aws:s3:::shared-data-bucket/*

Account B:
- Bucket policy currently allows the account root principal only
- Application log shows: AccessDenied when calling GetObject on shared-data-bucket
- Security requirement: no static credentials; access must be revocable centrally

Question 72 (medium, multiple choice)

Based on the exhibit, which AWS service should the team use so the database password can rotate automatically every 30 days and the application can retrieve it securely at runtime?

Exhibit

Application configuration excerpt:

DB_HOST=db-prod.abc123.us-east-1.rds.amazonaws.com
DB_USER=app_user
DB_PASSWORD=stored_in_env_var

Operational requirement:
- Password must rotate automatically every 30 days
- Application should retrieve the current password securely when starting connections
- Security wants a managed service that stores versions of the secret and supports rotation workflows
Question 73 (hard, multi-select)
Read the full Design Secure Architectures explanation →

A company has three workloads. First, a stable EC2 application will remain on the same instance family for at least one year. Second, an ECS service on Fargate may shift between launch types but has steady baseline usage. Third, a fault-tolerant nightly batch job can be interrupted and restarted. Which three pricing choices should the architect recommend? Select three.

Question 74 (hard, multi-select)
Read the full Design Secure Architectures explanation →

A development environment runs a small web app on EC2 and an Amazon RDS database, but it is used only on weekdays during office hours. The team wants to minimize spend and can tolerate a short startup delay after the environment is started. Which two changes should the architect recommend? Select two.

Question 75 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A stateless web application runs on Amazon EC2 instances across two Availability Zones. The team wants unhealthy instances to be removed automatically and replaced without manual action. What is the best solution?

Question 76 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

An order-quote Lambda function is invoked directly by API Gateway. Traffic is predictable during the business day, and the first request after scaling from zero causes unacceptable latency. The team wants to keep the current architecture and reduce cold-start impact. Which configuration should they use?

Question 77 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A website serves mostly cacheable images, CSS, and JavaScript from an ALB. Users in Europe and Asia report slower page loads, and the ALB receives far more requests than expected. The team also wants text assets compressed automatically. Which change is the best first step?

Question 78 (easy, multiple choice)
Review the full routing breakdown →

A company has a primary application in us-east-1 and a standby environment in us-west-2. Users should go to the primary site while it is healthy and automatically switch to the standby site if the primary fails. Which Route 53 routing policy should they use?

Question 79 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A company runs Amazon RDS for MySQL in a Multi-AZ configuration. If the primary database instance fails, what is the expected behavior?

Question 80 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A Lambda function in Account A must upload reports to an S3 bucket in Account B. Security does not want long-lived access keys anywhere, and the access should be easy to revoke from Account B. Which approach is best?

Question 81 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

Based on the exhibit, what should the architect recommend to reduce inter-node latency for this workload?

Exhibit

Application topology:
- 4 Amazon EC2 instances run in a single Availability Zone
- Each node exchanges small TCP messages with every other node
- 99th percentile message latency increased after adding two more nodes
- Instances currently launch in the default placement

CloudWatch note:
Network throughput is not saturated, but packet round-trip time between instances is higher than expected.
Question 82 (hard, matching)
Read the full Design Secure Architectures explanation →

Match each operational condition to the load balancing or Auto Scaling behavior that should occur.


Concepts
Matches

The target is marked unhealthy by the ALB health check and removed from routing until it passes again.

The Auto Scaling health check grace period prevents premature termination while startup work completes.

Instances that fail load balancer health checks are considered unhealthy by the group and are replaced automatically.

The health check verifies protocol and port reachability rather than an HTTP response body or status code.

Using EC2 health checks allows Auto Scaling to replace the instance even when the app itself has not reported an error.

Question 83 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A public web application is fronted by Amazon CloudFront and an ALB. The team is seeing SQL injection attempts and bursts of malicious HTTP requests that increase origin load. They want to block common web attacks before they reach the ALB. What should they do?

Question 84 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

An e-commerce application uses Aurora MySQL. Writes are modest, but the product-detail page generates many read-only queries and the writer instance CPU is high. The application can tolerate a small amount of replication lag on those reads. What should the team do?

Question 85 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A finance application stores invoices in Amazon S3. Security requires that the data be encrypted with a key they control, and they want the ability to disable access quickly if the application is suspected of compromise. Developers do not want to manage encryption in application code. Which solution best meets these requirements?

Question 86 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A security operations team wants continuous compliance checks for AWS resources. They need to know when an EBS volume becomes unencrypted or when a security group starts allowing SSH from 0.0.0.0/0. Which AWS service should they use?

Question 87 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

Based on the exhibit, which AWS service should the security team enable to continuously discover sensitive data stored inside Amazon S3 objects?

Exhibit

Security review notes:

- S3 bucket contains employee records, exports, and uploaded documents
- Team wants to find objects that contain personally identifiable information
- A sample report shows files with patterns resembling SSNs and bank account numbers
- The team needs ongoing classification findings, not just API activity logs
Question 88 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A company hosts static images, CSS, and JavaScript files in an Amazon S3 bucket. Users around the world report slow page loads, and the origin receives many repeated requests for the same files. What should the team use to improve performance?

Question 89 (hard, multi-select)
Read the full Design Secure Architectures explanation →

A media company stores raw project files in Amazon S3. Files are accessed heavily for the first 60 days, occasionally for legal review during the next six months, and must be retained for 7 years. Retrieval for the oldest files can take hours. Which three actions should the architect recommend? Select three.

Question 90 (medium, multiple choice)
Read the full NAT/PAT explanation →

Based on the exhibit, what is the best way to let private EC2 instances reach Amazon S3 and AWS Systems Manager without sending traffic through the internet or a NAT gateway?

Exhibit

Network design excerpt:

VPC: 10.40.0.0/16
Private subnet route table:
- 10.40.0.0/16 local
- 0.0.0.0/0 -> nat-0c91f2a7d3b1e3

Instance behavior:
- patching scripts fail when downloading packages from S3
- AWS Systems Manager Session Manager shows: 'Target not connected'
- Security team wants to remove NAT gateway usage for these workloads
Question 91 (hard, multi-select)
Read the full Design Secure Architectures explanation →

The web tier of an online scheduling app runs on an Auto Scaling group behind an ALB. Traffic spikes every weekday at 13:00 when a corporate newsletter is sent. CloudWatch shows CPU averages 18% outside that window, and the current fleet uses larger instances than the load test requires. The application is stateless and can scale out in a few minutes. Which two changes should the architect recommend? Select two.

Question 92 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A company wants to protect a critical application from a full Region outage. The secondary Region should keep only a small amount of infrastructure running most of the time to control cost. Which disaster recovery strategy fits best?

Question 93 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A company uses AWS Organizations and has separate development, test, and production accounts. The security team wants to ensure that no one in the sandbox organizational unit can disable AWS CloudTrail or delete the central audit bucket, even if an account administrator creates permissive IAM policies later. Which control should they use?

Question 94 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

Based on the exhibit, what should the security team implement so developers can create AWS Lambda execution roles, but no developer-created role can ever exceed the approved permission set?

Exhibit

Developer workflow output:

$ aws iam create-role --role-name dev-lambda-role \
    --assume-role-policy-document file://trust-lambda.json
$ aws iam attach-role-policy --role-name dev-lambda-role \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Security requirement:
Question 95 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A mobile app reads the same product details many times per minute from Amazon DynamoDB. The table design is already correct, but repeated reads are still causing noticeable latency. Which service should the team add to improve read performance?

Question 96 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A retail company lets developers deploy ECS services, but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies.

Which design best meets all requirements?

Question 97 (medium, multiple choice)
Read the full NAT/PAT explanation →

An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present.

Which IAM design best meets these requirements?

Question 98 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without using NAT gateways, for cost reasons. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.

Which architecture best satisfies these requirements?

Question 99 (hard, multiple choice)
Study the full ACL explanation →

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

Exhibit

Bucket configuration for arn:aws:s3:::corp-shared-data:
- S3 Block Public Access: enabled
- Object Ownership: BucketOwnerEnforced
- ACLs: disabled

Bucket policy excerpt:
- 17 separate statements grant GetObject and PutObject to different team roles
- Each statement uses a team-specific prefix condition

Audit note:
"A recent policy edit granted Team B access to Team C's uploads for 18 minutes before rollback."
Question 100 (hard, multiple choice)
Read the full NAT/PAT explanation →

Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?

Exhibit

Private subnet route table rtb-priv:
- 10.0.0.0/16 local
- 0.0.0.0/0 -> nat-0a12bc34

Application logs:
2026-04-20T10:14:11Z ERROR could not reach https://secretsmanager.us-east-1.amazonaws.com:443
2026-04-20T10:14:11Z ERROR timeout after 30s while downloading s3://company-artifacts-builds

Finance note:
"NAT data processing charges increased 42% last month."
Question 101 (medium, multi-select)
Study the full ACL explanation →

A data lake stores raw files in a single Amazon S3 bucket that is shared by three internal analytics teams. Each team should access only its own prefix, and the company wants to eliminate ACL management because objects come from multiple producers. Which three changes should the architect make? Select three.

Question 102 (medium, multi-select)
Read the full NAT/PAT explanation →

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Question 103 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS.

What is the most secure and correct change to allow cross-account uploads to succeed?

Question 104 (medium, multi-select)
Read the full Design Secure Architectures explanation →

A containerized service on Amazon ECS connects to a database with a password that must never be stored in plaintext or hardcoded in the image. The application reads the password at startup and occasionally reconnects later, so it needs to retrieve the current secret when needed. Which three actions should the architect take? Select three.

Question 105 (medium, multi-select)
Read the full Design Secure Architectures explanation →

A startup runs an API on Amazon EC2. The instance must read items from one DynamoDB table and upload logs to one S3 bucket. Platform engineers also need a way to create new application roles, but those roles must never exceed a predefined set of permissions. Which three actions should the architect take? Select three.

Question 106 (medium, multi-select)
Study the full ACL explanation →

A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.

Question 107 (hard, multiple choice)
Read the full Design Secure Architectures explanation →

Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?

Exhibit

Current IAM policy attached to arn:aws:iam::123456789012:role/AppProvisioner:
- iam:CreateRole
- iam:AttachRolePolicy
- iam:PutRolePolicy
- iam:PassRole

Observed issue:
Developers created arn:aws:iam::123456789012:role/BatchJobRole and attached broad S3 and KMS permissions.
Audit note: "Need delegated role creation with a hard upper bound on permissions."
Question 108 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions.

Which solution best meets these requirements?
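Worked example for Q72, Q104 and Q108, added here and not part of the question bank: the runtime pattern that lets a password rotate every 30 days without touching the task definition. The secret is read from Secrets Manager when a connection is opened, cached, and re-read exactly once when the database rejects the cached password, which is what a rotation looks like from the application's side. A fake Secrets Manager client and a fake database stand in for boto3 and the DB driver so the block runs offline; the secret ARN, user name and passwords are constructed.

```python
"""Secrets Manager at runtime: fetch on connect, cache, refresh once on auth failure.
Added example, not site code. FakeSecretsManager and FakeDatabase replace boto3 and
the database driver; SECRET_ARN and the credentials are constructed values."""
import json

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/app_user-AbCdEf"


def task_role_policy():
    """Least privilege for the ECS task role (or Lambda execution role): read this one
    secret and nothing else. If the secret uses a customer-managed KMS key, add
    kms:Decrypt scoped to that key ARN as a second statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": SECRET_ARN}]}


class FakeSecretsManager:
    """Stands in for boto3.client('secretsmanager'); returns whatever AWSCURRENT holds."""
    def __init__(self, password):
        self.password = password
        self.calls = 0          # how many GetSecretValue calls the app made

    def get_secret_value(self, SecretId):
        assert SecretId == SECRET_ARN, "policy only allows the one secret"
        self.calls += 1
        return {"SecretString": json.dumps({"username": "app_user", "password": self.password})}


class FakeDatabase:
    """Stands in for the database: rejects any password other than the current one."""
    def __init__(self, password):
        self.password = password

    def connect(self, user, password):
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"conn:{user}"


class Connector:
    def __init__(self, secrets_client, db):
        self.sm, self.db, self._cached = secrets_client, db, None

    def _load(self):
        body = self.sm.get_secret_value(SecretId=SECRET_ARN)["SecretString"]
        self._cached = json.loads(body)
        return self._cached

    def connect(self):
        """Use the cached credential; on an auth failure, refresh once and retry.
        Never fall back to an environment variable or a value baked into the image."""
        creds = self._cached or self._load()
        try:
            return self.db.connect(creds["username"], creds["password"])
        except PermissionError:
            creds = self._load()          # rotation happened; pick up AWSCURRENT
            return self.db.connect(creds["username"], creds["password"])


def rotate(secrets_client, db, new_password):
    """What the rotation function does, reduced to its effect: set the new password
    in the database and publish it as the current version of the secret."""
    db.password = new_password
    secrets_client.password = new_password
```

For ECS the same ARN can also be injected through the task definition's `secrets`/`valueFrom` entry, but that value is fixed when the task starts; the retrieve-on-connect pattern above is what keeps working across a rotation without a task restart.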

Question 109 (medium, multi-select)
Read the full Design Secure Architectures explanation →

A central security account stores encrypted log files in S3 using a customer-managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.

Question 110 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs.

Which change is the best fix while meeting the security requirements?
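Worked example for Q106 and Q110, added here and not part of the question bank: an offline SigV4 presigner for an S3 GET, the checks a service should run before handing the link to a customer, and the bucket policy that pairs with presigned URLs. The access keys are the well-known AWS documentation example keys, and the bucket, region and clock are constructed, so the signature is computed the way the SDK computes it but will not be accepted by a real bucket. The signer's own IAM permissions and the bucket policy still decide whether S3 honours the link, which is why a presigned URL can return 403 even though it is correctly signed.

```python
"""SigV4 query-string presigning for S3 GET plus pre-flight checks.
Added example, not site code; keys, bucket, region and timestamp are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

MAX_LINK_SECONDS = 15 * 60      # assumed policy: customer links live at most 15 minutes
NOT_HTTPS = "not https: the bucket policy returns 403 for plaintext HTTP"


def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Return a SigV4 presigned GET URL. Whoever holds it can fetch that one object
    until X-Amz-Expires elapses, with the permissions of the signing principal."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                            for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/")        # S3: encode once, keep '/'
    canonical_request = "\n".join(["GET", canonical_uri, canonical_qs,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _sign(_sign(_sign(_sign(("AWS4" + secret_key).encode(), datestamp),
                                  region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def check_link(url, bucket, region, allowed_prefix):
    """Pre-flight checks before a link leaves the service: HTTPS only, object under the
    caller's own prefix, short expiry, signed. Returns a list of problems (empty = OK)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append(NOT_HTTPS)
    if parts.netloc != f"{bucket}.s3.{region}.amazonaws.com":
        problems.append("unexpected host")
    if not parts.path.startswith("/" + allowed_prefix):
        problems.append("object outside caller's prefix")
    if int(q.get("X-Amz-Expires", ["0"])[0]) > MAX_LINK_SECONDS:
        problems.append("expiry longer than policy allows")
    if "X-Amz-Signature" not in q:
        problems.append("unsigned")
    return problems


def bucket_policy(bucket):
    """Pairs with presigned URLs: deny plaintext HTTP for every principal. Keep S3 Block
    Public Access on so no later statement can make the bucket public."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def sample_link(expires=600):
    """Constructed inputs: AWS doc example keys and a fixed clock."""
    now = datetime(2026, 4, 20, 10, 0, tzinfo=timezone.utc)
    return presign_get("media-originals", "user-123/invoice-0001.pdf",
                       "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", expires, now)
```

The prefix check belongs on the server that issues links, not in the bucket policy alone: the bucket policy cannot see which application user asked for the link, only which IAM principal signed it.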

Question 111 (hard, multiple choice)
Read the full Design Secure Architectures explanation →

Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?

Exhibit

CloudTrail event summary:
- eventSource: kms.amazonaws.com
- eventName: Decrypt
- errorCode: AccessDeniedException
- userIdentity: arn:aws:sts::444455556666:assumed-role/PartnerUploadRole/partner-app
- requestParameters.keyId: arn:aws:kms:us-east-1:111122223333:key/6b2f-9a7c

Current CMK key policy excerpt in account 111122223333:
{
  "Sid": "EnableRootPermissionsOnly",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
  "Action": "kms:*",
  "Resource": "*"
}
Question 128 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?

Question 129 (easy, multiple choice)
Read the full Design Secure Architectures explanation →

A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?

Question 130 (medium, multiple choice)
Review the full subnetting walkthrough →

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.

Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.

Which architecture best meets these requirements?

Question 131 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?

Question 132 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

Question 133 (medium, multiple choice)
Read the full NAT/PAT explanation →

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

Question 134 (medium, multiple choice)
Read the full NAT/PAT explanation →

Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com".

Which change most directly resolves this while keeping instances private?
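Worked example for the private-connectivity questions (Q90, Q98, Q100, Q102, Q133, Q134), added here and not part of the question bank. It models the two VPC endpoint types and reports, per service, whether a private subnet's calls stay on AWS networking: gateway endpoints (S3, DynamoDB) work through a prefix-list route that must be present in the subnet's route table, while interface endpoints (Secrets Manager, SSM, STS and the rest) need private DNS enabled and a security group that accepts 443 from the workload. The constructed state reproduces the Q133 symptom (DynamoDB works, S3 times out); subnet, route-table, security-group and bucket names are assumptions.

```python
"""Private-path checker for VPC endpoints. Added example, not site code; all
identifiers are constructed."""
from dataclasses import dataclass, field

GATEWAY_SERVICES = {"s3", "dynamodb"}   # the only services with gateway endpoints


@dataclass
class Endpoint:
    service: str                                          # "s3", "secretsmanager", "ssm", "sts", ...
    kind: str                                             # "gateway" or "interface"
    route_tables: set = field(default_factory=set)        # gateway: tables holding the prefix-list route
    private_dns: bool = False                             # interface only
    sg_allows_443_from: set = field(default_factory=set)  # interface: workload SG ids allowed in


@dataclass
class Subnet:
    route_table: str
    default_route_target: str   # "nat-...", "igw-..." or "" when there is no 0.0.0.0/0 route
    workload_sg: str


def private_path(service, subnet, endpoints):
    """Return (ok, reason). ok means the call never needs the subnet's default route."""
    ep = endpoints.get(service)
    if ep is None:
        if subnet.default_route_target.startswith("nat-"):
            return False, f"{service}: no endpoint, traffic exits through {subnet.default_route_target}"
        return False, f"{service}: no endpoint and no default route, the call times out"
    if ep.kind == "gateway":
        if service not in GATEWAY_SERVICES:
            return False, f"{service}: no gateway endpoint exists for this service"
        if subnet.route_table not in ep.route_tables:
            return False, f"{service}: gateway endpoint exists but {subnet.route_table} lacks its prefix-list route"
        return True, f"{service}: gateway endpoint route present in {subnet.route_table}"
    if not ep.private_dns:
        return False, f"{service}: private DNS off, the public hostname still resolves to public IPs"
    if subnet.workload_sg not in ep.sg_allows_443_from:
        return False, f"{service}: endpoint security group does not accept 443 from {subnet.workload_sg}"
    return True, f"{service}: interface endpoint reachable over private DNS"


def can_remove_nat(required_services, subnet, endpoints):
    """True when every service the workload needs has a working private path."""
    return all(private_path(s, subnet, endpoints)[0] for s in required_services)


def s3_endpoint_policy(bucket):
    """Endpoint policy for the S3 gateway endpoint: only the one bucket is reachable
    through it (the 'only required traffic' requirement in Q98)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


# Constructed state: no NAT (Q133) and the NAT-backed subnet from the Q100 exhibit.
PRIV = Subnet(route_table="rtb-priv", default_route_target="", workload_sg="sg-app")
NAT_SUBNET = Subnet(route_table="rtb-priv", default_route_target="nat-0a12bc34", workload_sg="sg-app")
ENDPOINTS = {
    "dynamodb": Endpoint("dynamodb", "gateway", route_tables={"rtb-priv"}),
    "s3": Endpoint("s3", "gateway", route_tables={"rtb-public"}),   # associated with the wrong table
    "secretsmanager": Endpoint("secretsmanager", "interface", private_dns=True,
                               sg_allows_443_from={"sg-app"}),
}


def fix_s3_route(endpoints, route_table):
    """The single change for Q133: associate the S3 gateway endpoint with the private route table."""
    endpoints["s3"].route_tables.add(route_table)
    return endpoints
```

Run the checker once per service the workload actually calls; an `ok` for every one of them is the evidence that the 0.0.0.0/0 route to the NAT gateway can be removed from `rtb-priv`.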

Question 135 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?
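Worked example for the "hard upper bound" questions (Q93, Q94, Q105, Q107, Q135), added here and not part of the question bank. It shows how an SCP, a permissions boundary and an identity policy combine (every layer that is present must allow, and a boundary or SCP never grants anything by itself), and the guard that forces developers to attach the approved boundary to every role they create: a boundary only constrains the principal it is attached to, so a developer without such a guard can create a role that carries no boundary at all. The account number is the one in the Q107 exhibit; the boundary ARN, the role path, the bucket name and the action lists are assumptions.

```python
"""SCP + permissions boundary + identity policy, and the CreateRole guard.
Added example, not site code; ARNs other than the account number are constructed."""
from fnmatch import fnmatch

ACCOUNT = "123456789012"
APPROVED_BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/AppPermissionsBoundary"
APP_ROLE_PATH = f"arn:aws:iam::{ACCOUNT}:role/app/*"


def _decision(policy, action, resource):
    """'deny' if an explicit Deny matches, 'allow' if any Allow matches, else 'implicit'."""
    result = "implicit"
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt.get("Resource", "*")
        ress = ress if isinstance(ress, list) else [ress]
        if any(fnmatch(action, a) for a in acts) and any(fnmatch(resource, r) for r in ress):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def effective_allowed(action, resource, identity, boundary=None, scp=None):
    """Same-account request: SCP, boundary and identity policy must each allow."""
    return all(_decision(layer, action, resource) == "allow"
               for layer in (scp, boundary, identity) if layer is not None)


ADMIN_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}     # what AdministratorAccess amounts to

# SCP for the sandbox OU (Q93): CloudTrail and the audit bucket survive any policy an
# account admin writes later, because nothing inside the account overrides an SCP deny.
SANDBOX_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject*", "s3:PutBucketPolicy"],
     "Resource": ["arn:aws:s3:::org-audit-trail", "arn:aws:s3:::org-audit-trail/*"]}]}

# The approved boundary (Q107/Q135): the ceiling for any developer-created application role.
APP_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "dynamodb:GetItem", "dynamodb:Query",
                "logs:*", "kms:Decrypt", "kms:GenerateDataKey"]},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

# What a developer attached to BatchJobRole in the Q107 exhibit: broad S3 and KMS.
BATCH_JOB_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:*"], "Resource": "*"}]}


def provisioner_policy():
    """Replacement for AppProvisioner's policy: CreateRole / AttachRolePolicy /
    PutRolePolicy succeed only when the target role carries the approved boundary
    (iam:PermissionsBoundary condition), and nothing lets developers strip or edit it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": APP_ROLE_PATH,
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": APPROVED_BOUNDARY}}},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": APP_ROLE_PATH},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]},
        {"Effect": "Deny", "Resource": APPROVED_BOUNDARY,
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion",
                    "iam:SetDefaultPolicyVersion"]}]}


def create_role_allowed(role_arn, boundary_arn, policy=None):
    """Simulate IAM checking CreateRole: the request's PermissionsBoundary parameter must
    equal the ARN in the condition; a request that omits it fails the StringEquals match."""
    policy = policy or provisioner_policy()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "iam:CreateRole" not in stmt["Action"]:
            continue
        if not fnmatch(role_arn, stmt["Resource"]):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if required is None or required == boundary_arn:
            return True
    return False
```

With the guard in place BatchJobRole can still be created, but its broad `s3:*`/`kms:*` policy is clipped to what APP_BOUNDARY allows; with the guard absent, the boundary on the developer's own principal says nothing about the roles they create.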

Question 136 (medium, multiple choice)
Read the full Design Secure Architectures explanation →

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used.

Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging.

Which approach best satisfies the requirement?

Question 137 (medium, multiple choice)
Study the full ACL explanation →

An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports.

Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports.

What is the most likely reason the traffic fails, and what should be updated?

Question 138 (medium, multiple choice)

A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?

Question 139 (medium, multiple choice)

A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor attempts access, CloudTrail shows the call failing at AssumeRole with: "Not authorized to perform: sts:AssumeRole".

What is the most appropriate fix?

Question 140 (medium, multiple choice)

You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests.

Which change most likely fixes the issue?

Question 141 (medium, multiple choice)

Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project.

AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag.

Which change most directly fixes this issue?

Question 142 (medium, multiple choice)

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

Question 143 (medium, multiple choice)

An S3 bucket in account A uses default server-side encryption with an AWS KMS customer-managed key (CMK) in account A. A team created an IAM role in account B that is allowed by IAM policy to perform s3:GetObject on the bucket. When the account B role tries to read objects, it fails with: AccessDeniedException: 'User is not authorized to perform kms:Decrypt'. Which change is most likely to fix the issue?

Question 144 (medium, multiple choice)

Your security team needs to detect and alert on any attempt to change sensitive policies, specifically S3 bucket policy changes and KMS key policy changes. The team wants alerts within minutes, and logs must be centrally retained for forensics. Which design best meets these detective control requirements using AWS-native services?

Question 145 (medium, multiple choice)

A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?

Question 146 (medium, multiple choice)

Account C wants engineers to access a role (RoleInAccountA) in account A using STS AssumeRole. Security policy requires that (1) only engineers from account C can assume the role, (2) they must provide an external ID value, and (3) the session must be MFA-authenticated. Which change is most appropriate in the RoleInAccountA trust policy to meet all three requirements?

Question 147 (medium, multiple choice)

In an AWS Organizations environment, developers create IAM roles using an automation tool. The security team wants to guarantee that even if a developer attaches an overly permissive inline policy, the role cannot exceed a fixed set of allowed actions. The team already uses permission boundaries on each role. The tool’s role-creation API call succeeds, but one developer’s new role can still delete production S3 buckets. What is the most likely reason, and what should be corrected?

Question 148 (medium, multiple choice)

Account B has an IAM role that includes kms:Decrypt for a specific KMS key ARN in account A. However, when the role tries to read an S3 object encrypted with that CMK, the application fails with AccessDenied: not authorized to perform kms:Decrypt. CloudTrail shows the KMS API call is denied by key policy. What is the most secure and correct fix?

Question 149 (medium, multiple choice)

A security requirement states: all uploads to an S3 bucket must (1) use TLS in transit and (2) use server-side encryption with AWS KMS (SSE-KMS) using the CMK key id 'abcd-1234'; otherwise the upload should be rejected. A developer reports that uploads are succeeding even though clients are sometimes using non-encrypted requests. Which bucket policy approach most directly enforces both controls?

Question 150 (medium, multiple choice)

You have an S3 bucket that stores customer-specific private files. You want to serve these files through CloudFront, where clients must use signed cookies (or signed URLs) to access the content. In addition, you need to block common web exploits and rate-limit suspicious traffic at the edge. Which design best meets these requirements?

Question 151 (medium, multiple choice)

An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains "purpose" = "myapp-secrets". After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?

Question 152 (medium, multiple choice)

You serve private reports stored in an S3 bucket through CloudFront. After a recent change, users report that they can access the S3 object URLs directly (bypassing CloudFront), which violates your design. You want to ensure S3 objects are readable only through CloudFront using Origin Access Control (OAC), even if someone guesses the S3 URL. Which update best enforces this at the S3 bucket level?

Question 153 (medium, multiple choice)

A backend service in AWS uses an IAM role to upload large files to an S3 bucket using multipart upload. The upload typically succeeds, but it intermittently fails during cleanup with this error: "AccessDenied: User is not authorized to perform: s3:AbortMultipartUpload"

The role identity policy currently allows only:
- s3:PutObject on arn:aws:s3:::my-bucket/uploads/*
- s3:ListBucket on arn:aws:s3:::my-bucket with a prefix condition

What is the best least-privilege change to fix the cleanup failure?

Question 154 (medium, multiple choice)

Account A hosts a role named AppReadRole. Account B needs to access it using STS AssumeRole. Account A’s role trust policy includes this condition:
- StringEquals: { "sts:ExternalId": "b-7f9a" }

When Account B runs:
aws sts assume-role --role-arn arn:aws:iam::111111111111:role/AppReadRole --role-session-name test

the call fails with: "AccessDenied: ExternalId mismatch". What should Account B change?

Question 155 (medium, multiple choice)

Your organization uses IAM permission boundaries to prevent engineers from escalating privileges. An automated pipeline creates an IAM role for an application deployment and attaches a permission boundary. After deployment, the pipeline reports that the role could create a new KMS key. The permission boundary policy attached to the role allows only (for a specific KMS key ARN, prod-key):
- kms:Decrypt
- kms:DescribeKey

There is no Allow statement for:
- iam:CreateKey
- kms:CreateKey

What is the most likely reason the role was still able to create a KMS key?

Question 156 (medium, multiple choice)

An AWS Organizations setup uses an SCP to enforce that developers can read only non-production secrets. A developer role in a member account is correctly configured with an identity policy that allows:
- secretsmanager:GetSecretValue on arn:aws:secretsmanager:us-east-1:222222222222:secret:app/*

However, the developer gets AccessDenied with an error message mentioning an organization policy (SCP). The SCP includes this Deny statement: "Deny secretsmanager:GetSecretValue on * unless secretsmanager:ResourceTag/environment equals 'dev'". Which change best restores access for secrets tagged environment=dev while still blocking prod secrets?

Question 157 (medium, multiple choice)

A company wants S3 access to be available only from private connectivity. They created an Interface VPC Endpoint for S3 (which provides private connectivity from their VPC to S3) and configured the application to use it from private subnets. The IAM role allows:
- s3:GetObject on arn:aws:s3:::confidential-bucket/reports/*

However, requests fail with AccessDenied. The S3 bucket policy includes an allow statement that permits GetObject only if:
- aws:SourceVpce equals "vpce-0abc12345def6789"

After redeploying the VPC endpoint, the application still uses the same IAM permissions but gets AccessDenied. What change is most likely to fix the issue?

Question 158 (medium, multiple choice)

A microservice reads a secret from AWS Secrets Manager using its task role (ServiceRole). The secret is configured to use a customer-managed CMK. In production, the service fails with AccessDeniedException on GetSecretValue. CloudTrail shows that Secrets Manager attempted kms:Decrypt but was denied. Which IAM policy change is most appropriate to fix the failure while keeping least privilege?

Question 159 (medium, multiple choice)

A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?

Question 160 (medium, multiple choice)

Account A has an IAM role named FinanceDataRole that is assumed by a principal in Account B. The role’s trust policy includes a condition requiring sts:ExternalId to equal "Fin-2026-Q2". A developer in Account B calls AssumeRole but receives an error: AccessDenied: ExternalId mismatch. The security team requires that you do not remove the ExternalId condition. What is the correct remediation?

Question 161 (medium, multiple choice)

Your organization uses IAM permission boundaries to prevent privilege escalation. A deployment role was created with a permission boundary. After an incident, you discover that an operator was later able to remove or change the permission boundary (the operator has iam:PutRolePermissionsBoundary permissions). You need to ensure operators cannot remove or change the permission boundary after it is set. What is the best security control to add?

Question 162 (medium, multiple choice)

In AWS Organizations, a Service Control Policy (SCP) denies kms:Decrypt on a production CMK for all principals in the Finance OU. A developer in the Finance OU created/updated an IAM policy that allows secrets access, but the application still fails with AccessDenied due to the SCP. You must enable only the Finance OU to decrypt that specific CMK while keeping the SCP restrictions for other OUs. What is the correct remediation?

Question 163 (medium, multiple choice)

A service reads encrypted data from Amazon S3. The S3 objects use a customer-managed CMK. The IAM role used by the service has kms:Decrypt in its identity policy, but decryption fails with a KMS error stating the role is not authorized to perform kms:CreateGrant. The CMK’s key policy allows kms:Decrypt for the role but does not include kms:CreateGrant. What is the most appropriate change to resolve the failure while preserving least privilege?

Question 164 (medium, multiple choice)

A microservice running in ECS retrieves a secret from AWS Secrets Manager. The secret is encrypted with a customer-managed CMK. An administrator re-keyed the secret to a new CMK (the key ARN changed), but kept the same KMS alias name. After re-keying, the service fails with an error from KMS: AccessDenied for kms:Decrypt. The ECS task role’s IAM policy still grants kms:Decrypt but only for the old CMK ARN. What is the best remediation to restore access while maintaining least privilege?

Question 165 (medium, multiple choice)

A static website uses an Amazon S3 bucket as the origin for an Amazon CloudFront distribution. The team accidentally configured the S3 bucket policy to allow s3:GetObject to Principal "*", so objects are accessible via direct S3 URLs. They want to ensure objects are retrievable only through CloudFront. What is the best corrective action?

Question 166 (medium, multiple choice)

A microservice runs in private subnets and must read exactly one AWS Secrets Manager secret using its IAM task role:
arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-pass-AbCdEf

Security requires that every Secrets Manager API call comes only through a specific Interface VPC Endpoint (vpce-0a1b2c3d4e5f6g7h) and must not be reachable over any other network path. Which IAM policy change best enforces this requirement?

Question 167 (medium, multiple choice)

A customer-managed KMS key (CMK) encrypts SQS messages. A consumer service uses an IAM role that includes kms:Decrypt permission for that CMK. After a security change, the consumer fails with: "AccessDeniedException: kms:Decrypt is not allowed". CloudTrail indicates the KMS request is reaching KMS, but the CMK key policy no longer includes the consumer role (or its principal). What is the best fix?

Question 168 (medium, multiple choice)

Account Y provides a role named AnalyticsReadOnly to engineers in Account X. The role trust policy currently allows sts:AssumeRole from the Account X principal. A new security requirement states that only STS sessions created with MFA are allowed to assume the role. Which trust policy condition is the best choice to enforce MFA for sts:AssumeRole?

Question 169 (medium, multiple choice)

Your AWS Organization uses a Service Control Policy (SCP) that includes a Deny statement for secretsmanager:GetSecretValue for all member accounts in the "Finance" OU when requests are made outside us-east-1. An application role has an IAM policy that allows secretsmanager:GetSecretValue for the required secret in us-west-2. In us-west-2, requests fail with AccessDenied. What is the most appropriate action?

Question 170 (medium, multiple choice)

A deployment engineer created an IAM role for an automation workflow (AppDeployRole). The role has an attached identity policy that allows iam:CreateRole for specific resource ARNs. However, the role is also created with a permission boundary named DeployBoundary. The DeployBoundary policy currently does not include the iam:CreateRole action. During execution, the automation fails with AccessDenied for iam:CreateRole, even though the attached identity policy allows it. What is the best fix?

Question 171 (medium, multiple choice)

A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?

Question 172 (medium, multiple choice)

Company A (account 1111) hosts an IAM role (RoleInAccountA) that is assumed by a workload in Company B (account 2222) using sts:AssumeRole. Security requires that only Company B’s intended workload can assume the role, even if another principal in account 2222 tries to assume it. The trust policy already restricts who can assume the role to account 2222. What additional trust policy condition most directly satisfies this requirement?

Question 173 (medium, multiple choice)

A CI/CD system creates an IAM role (CICDRole) used for deployments. Your organization uses IAM permission boundaries to prevent developers from granting themselves higher privileges. After an incident, you discover that CICDRole can perform unintended IAM actions because the role’s identity policy includes broad permissions. Which change most directly ensures permission boundaries continue to restrict CICDRole regardless of what is later added to the role’s identity policies?

Question 174 (medium, multiple choice)

Account 3000 owns a customer-managed KMS key (key-K). A data processing team in account 4000 needs to decrypt data encrypted with key-K. The role in account 4000 already has an identity policy allowing kms:Decrypt on key-K. Despite this, decrypt requests fail with an AccessDenied error referencing KMS. What is the most likely missing authorization step?

Question 175 (medium, multiple choice)

A microservice runs in private subnets with no NAT gateway. It must retrieve a secret from AWS Secrets Manager. Security requires that traffic to Secrets Manager stays within AWS’s private network (no public internet egress). The IAM role already grants secretsmanager:GetSecretValue for the needed secret. What is the best network setup to meet the requirement?

Question 176 (easy, multiple choice)

A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?

Question 177 (easy, multiple choice)

You must ensure that all requests to an S3 bucket use TLS (HTTPS). Which S3 bucket policy approach best enforces this requirement for S3 access?

Question 178 (easy, multiple choice)

Your AWS Organizations environment has an SCP that explicitly denies kms:Decrypt for principals in the Production OU. A member account IAM policy for a user grants kms:Decrypt on the required KMS key. If that user attempts kms:Decrypt, what happens?

Question 179 (easy, multiple choice)

A microservice needs to read exactly one secret value from AWS Secrets Manager. Which IAM permission statement provides the best least-privilege approach to allow the microservice to retrieve that secret value?

Question 180 (easy, multiple choice)

A company has an Amazon S3 bucket for sensitive reports. They must ensure that any object uploaded with s3:PutObject is encrypted using AWS KMS (SSE-KMS). Which S3 bucket policy approach best enforces this by denying uploads that do not use SSE-KMS?

Question 181 (easy, multiple choice)

Account A hosts an IAM role (RoleInAccountA). The trust policy in Account A correctly allows a specific principal from Account B to call sts:AssumeRole. However, when Account B’s application calls sts:AssumeRole, it receives an AccessDenied error. What is the most likely missing requirement in Account B?

Question 182 (easy, multiple choice)

A service role has an IAM policy granting kms:Decrypt for a specific AWS KMS key. The application still fails to decrypt with an AccessDenied error. What change most directly fixes this when the KMS key policy is missing the role’s permissions?

Question 183 (easy, multiple choice)

Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?

Question 184 (easy, multiple choice)

A company stores private report PDFs in an S3 bucket. They want users to access PDFs only through CloudFront. Even if someone knows the S3 object URL, direct S3 access must fail. What is the best S3 bucket policy approach?

Question 185 (easy, multiple choice)

Your company uses an OIDC identity provider to let users assume an IAM role without long-term AWS credentials. In the IAM role trust policy, which STS action must be allowed to support this type of federation?

Question 186 (easy, multiple choice)

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

Question 187 (easy, multiple choice)

A public API is served through an Application Load Balancer and protected by AWS WAF. The team wants AWS to automatically block clients that send too many requests from the same IP address within a short time window. Which AWS WAF feature is the best fit?

Question 188 (easy, multiple choice)

An S3 bucket uses a customer-managed KMS key as the default for SSE-KMS encryption. A service role will upload objects using s3:PutObject. Assuming the role already has permission to write to the bucket, which KMS permission is most directly required for the role to let S3 encrypt the object during upload?

Question 189 (easy, multiple choice)

A containerized service needs to read exactly one secret value from AWS Secrets Manager. The secret’s ARN is already known, and the secret is encrypted with the AWS-managed KMS key for Secrets Manager, so no separate KMS permissions are needed for this question. The service does not need to list secrets, create secrets, rotate them, or write updates. Which IAM permission statement is the least-privilege grant for the service role?

Question 190 (easy, multiple choice)

A security team needs an audit trail to investigate suspicious API activity across multiple AWS accounts. Which AWS approach best provides centralized visibility into who did what, when, for service API calls?

Question 191 (easy, multiple choice)

An internal web application must require encrypted client connections. The company currently has an ALB listener on port 80 (HTTP), and users can access the application over plain HTTP. What is the best change to ensure all client traffic uses HTTPS?

Question 192 (hard, multiple choice)

Based on the exhibit, a workload in Account B must assume a role in Account A. Security requires that only the specific role arn:aws:iam::444455556666:role/PipelineExecRole can assume it, and only when the caller supplies the external ID acct-b-prod-7788. Which change best satisfies the requirement with the least privilege?

Exhibit

Current trust policy in Account A:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}

CloudTrail entry from Account A:
{
  "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRole",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::444455556666:assumed-role/OtherRole/automation"
  },
  "errorCode": "AccessDenied"
}

Question 193 (hard, multiple choice)

Based on the exhibit, an automation pipeline in several member accounts creates IAM roles for application deployments. Security says no future role may exceed the approved boundary arn:aws:iam::123456789012:policy/DeployBoundary, even if someone later attaches AdministratorAccess. What should you implement to enforce this across the organization?

Exhibit

CloudTrail event for a newly created role:
{
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateRole",
  "requestParameters": {
    "roleName": "AppDeployRole",
    "permissionsBoundary": null,
    "assumeRolePolicyDocument": "..."
  },
  "userIdentity": {
    "arn": "arn:aws:sts::111122223333:assumed-role/AutomationRole/ci-run-9841"
  }
}

Current guardrails:
- Developers can call iam:CreateRole
- The automation tool sometimes omits the permissions boundary field
- The organization uses AWS Organizations with multiple member accounts

Question 194 (hard, multiple choice)

Based on the exhibit, an application role in Account B can reach an S3 bucket in Account A, but reads fail with AccessDenied on KMS. The bucket objects use SSE-KMS with a customer managed key in Account A. What change is required so the application can decrypt the objects while keeping the access restricted?

Exhibit

S3 bucket policy in Account A:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::222233334444:role/AppReadRole"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::finance-archive/*"
    }
  ]
}

KMS key policy for key arn:aws:kms:us-east-1:111122223333:key/abcd-1111:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Application IAM policy in Account B:
{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::finance-archive/*"
}

Question 195 (hard, multiple choice)

Based on the exhibit, an EC2 application runs in private subnets with no NAT gateway and must retrieve a secret from AWS Secrets Manager. The secret uses a customer managed KMS key. Which change will allow the application to reach the service while keeping traffic off the internet?

Exhibit

VPC configuration:
- Subnet-Private-A route table: local 10.0.0.0/16 only
- Subnet-Private-B route table: local 10.0.0.0/16 only
- No 0.0.0.0/0 route to an Internet Gateway or NAT Gateway

Existing endpoints:
- com.amazonaws.us-east-1.s3 (Gateway endpoint)

Application log:
ERROR: Unable to retrieve secret arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/db
ERROR: connect timeout to secretsmanager.us-east-1.amazonaws.com
ERROR: KMS Decrypt access not completed

Question 196 (hard, multiple choice)

Based on the exhibit, users must access private PDF reports only through CloudFront. Direct requests to the S3 object URL must fail, and the bucket should not be publicly readable. Which solution is the best fit?

Exhibit

Current S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::reports-private/*"
    }
  ]
}

CloudFront distribution:
- Origin: s3://reports-private
- Viewer protocol policy: Redirect HTTP to HTTPS
- No origin access identity or origin access control configured

Security requirement:
- Clients must use CloudFront signed URLs or signed cookies
- S3 object URLs must not be directly accessible

Question 197 (hard, multiple choice)

Based on the exhibit, the security team needs to detect and alert on both successful and failed attempts to change S3 bucket policies and KMS key policies across the organization. Which solution best meets that requirement?

Exhibit

Current audit configuration:
- AWS Config recorder is enabled in one account only
- CloudTrail trail captures management events in us-east-1 only
- No EventBridge rules or SNS alerts are configured

Recent activity:
{
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy",
  "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::999900001111:user/temp-admin"}
}
{
  "eventSource": "kms.amazonaws.com",
  "eventName": "PutKeyPolicy",
  "errorCode": null,
  "userIdentity": {"arn": "arn:aws:iam::999900001111:role/SecurityOps"}
}

Question 198 (hard, multiple choice)

Based on the exhibit, a public API is behind CloudFront and is experiencing bursts of requests from the same client IP, causing upstream saturation. The team wants AWS to automatically block that IP when the request rate becomes excessive while keeping enforcement as close to the client as possible. Which control should they add?

Exhibit

CloudFront access log excerpt:
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 112ms
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 109ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 111ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 108ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 110ms

Security requirement:
- Automatically mitigate high-rate requests from a single source IP
- Keep the protection at the edge

Question 199 (hard, multiple choice)

Based on the exhibit, a CI pipeline assumes a shared deployment role in Account A. The role can access several artifact prefixes, but this pipeline must only upload to teamA/prod/ and decrypt using a single KMS key for this execution. Changing the shared role would affect other pipelines. Which approach should the pipeline use?

Exhibit

Shared role policy in Account A:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "kms:Decrypt"],
      "Resource": [
        "arn:aws:s3:::artifact-bucket/*",
        "arn:aws:kms:us-east-1:111122223333:key/KEY-AAAA"
      ]
    }
  ]
}

AssumeRole call from the pipeline:
- Role ARN: arn:aws:iam::111122223333:role/SharedDeployRole
- Session name: build-7412
- No session policy currently supplied
Question 200 (hard, multiple choice)

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change
Question 201 (hard, multiple choice)

Based on the exhibit, a batch platform in Account B must assume a role in Account A. Only the specific role arn:aws:iam::222233334444:role/BatchRunner should be allowed to assume it, and the design must prevent any other role in Account B from reusing the same external ID. Which change best meets the requirement?

Exhibit

{
  "role_arn": "arn:aws:iam::111122223333:role/InboundExportRole",
  "trust_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {"sts:ExternalId": "acctB-export-91"}
        }
      }
    ]
  },
  "cloudtrail_event": {
    "eventName": "AssumeRole",
    "userIdentity": "arn:aws:iam::222233334444:role/BatchRunner",
    "errorCode": "AccessDenied",
    "errorMessage": "Not authorized to perform sts:AssumeRole on resource arn:aws:iam::111122223333:role/InboundExportRole"
  }
}
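A quick way to see why the trust policy in the exhibit is broader than the requirement, as an added Python example that is not part of the question bank: the evaluator below applies the exhibit's root-principal trust, and a variant that names only the BatchRunner role ARN, to three constructed AssumeRole attempts. Account IDs, role name and external ID come from the exhibit; the second Account B role (OtherRole), the wrong external ID and the evaluator itself are assumptions for illustration, and the evaluator implements only the subset of policy grammar these two statements use.

```python
import copy
from typing import Optional

# Trust policy from the exhibit: every IAM identity in Account B that presents
# the external ID is trusted (provided its own identity policy allows sts:AssumeRole).
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "acctB-export-91"}},
        }
    ],
}

# Scoped variant written for this example: trust exactly one role and keep the
# external ID as the confused-deputy check.
SCOPED_TRUST_POLICY = copy.deepcopy(ORIGINAL_TRUST_POLICY)
SCOPED_TRUST_POLICY["Statement"][0]["Principal"]["AWS"] = (
    "arn:aws:iam::222233334444:role/BatchRunner"
)


def account_of(arn: str) -> str:
    """Account field of an IAM ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def principal_matches(trusted: str, caller_role_arn: str) -> bool:
    """':root' trusts any IAM identity in that account; a full role ARN trusts only that role."""
    if trusted.endswith(":root"):
        return account_of(trusted) == account_of(caller_role_arn)
    return trusted == caller_role_arn


def trust_policy_allows(policy: dict, caller_role_arn: str, external_id: Optional[str]) -> bool:
    """True if some Allow statement trusts the caller and its sts:ExternalId condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        trusted = stmt["Principal"]["AWS"]
        trusted = [trusted] if isinstance(trusted, str) else trusted
        if not any(principal_matches(t, caller_role_arn) for t in trusted):
            continue
        required_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required_id is not None and external_id != required_id:
            continue
        return True
    return False


# Constructed AssumeRole attempts; OtherRole is a hypothetical second role in Account B.
ATTEMPTS = {
    "batchrunner_correct_id": ("arn:aws:iam::222233334444:role/BatchRunner", "acctB-export-91"),
    "otherrole_reused_id": ("arn:aws:iam::222233334444:role/OtherRole", "acctB-export-91"),
    "batchrunner_wrong_id": ("arn:aws:iam::222233334444:role/BatchRunner", "guess-123"),
}


def compare_policies() -> dict:
    """Map each attempt to (allowed by the exhibit policy, allowed by the scoped policy)."""
    return {
        name: (
            trust_policy_allows(ORIGINAL_TRUST_POLICY, arn, ext_id),
            trust_policy_allows(SCOPED_TRUST_POLICY, arn, ext_id),
        )
        for name, (arn, ext_id) in ATTEMPTS.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare_policies().items():
        print(f"{name:24} original={before!s:5} scoped={after}")
```

The middle case is the one the question is about: with the root principal, any role in Account B that learns the external ID can assume InboundExportRole, because the external ID is an identifier, not a secret. Two caveats worth remembering when reading the exhibit: with a ':root' principal the caller also needs an identity-policy allow for sts:AssumeRole on the Account A role, which is consistent with the AccessDenied shown, while naming the role ARN in the trust policy is itself a sufficient grant for that role; and the evaluator ignores Deny statements and any other condition keys.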
Question 202 (hard, multiple choice)

Based on the exhibit, an application in the same AWS account can upload and read objects in an S3 bucket encrypted with a customer managed KMS key, but GetObject fails with an AccessDenied error from AWS KMS. The IAM role already has s3:GetObject, s3:PutObject, kms:Decrypt, and kms:GenerateDataKey permissions. What change most directly fixes the issue while preserving least privilege?

Exhibit

{
  "bucket": "arn:aws:s3:::secure-reports-prod",
  "object_encryption": "SSE-KMS",
  "role_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::secure-reports-prod/*"
      },
      {
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234"
      }
    ]
  },
  "cloudtrail_event": {
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "errorCode": "AccessDenied",
    "errorMessage": "The key policy does not allow this principal to use the specified KMS key"
  },
  "key_policy_summary": "Only the account root principal is allowed; no application roles are listed"
}
Question 203 (hard, multiple choice)

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

Exhibit

{
  "subnet_route_table": [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "-"}
  ],
  "dns_test": {
    "command": "nslookup secretsmanager.us-east-1.amazonaws.com",
    "result": "Name: secretsmanager.us-east-1.amazonaws.com\nAddress: 54.239.28.82"
  },
  "application_log": [
    "2026-04-18T12:10:04Z ERROR GetSecretValue timed out after 3000 ms",
    "2026-04-18T12:10:04Z INFO calling https://secretsmanager.us-east-1.amazonaws.com"
  ]
}
Question 204 (hard, multiple choice)

Based on the exhibit, a company stores sensitive PDFs in S3 and serves them through CloudFront. Direct requests to the S3 object URL must fail, but CloudFront should still be able to fetch the files securely. Which solution best satisfies the requirement?

Exhibit

{
  "current_state": {
    "bucket_public_access_block": true,
    "bucket_policy": "Allows s3:GetObject to Principal * for debugging",
    "cloudfront_distribution": "d123example.cloudfront.net",
    "direct_s3_test": "https://secure-pdfs-prod.s3.us-east-1.amazonaws.com/manuals/q4.pdf returns 200"
  }
}
Question 205 (hard, multiple choice)

Based on the exhibit, the security team wants centralized detection and alerting for both successful and failed attempts to change S3 bucket policies and KMS key policies across multiple accounts. Which approach best meets the requirement?

Exhibit

{
  "cloudtrail_samples": [
    {
      "account": "111122223333",
      "eventName": "PutBucketPolicy",
      "eventSource": "s3.amazonaws.com",
      "errorCode": null
    },
    {
      "account": "444455556666",
      "eventName": "PutKeyPolicy",
      "eventSource": "kms.amazonaws.com",
      "errorCode": "AccessDenied"
    }
  ],
  "current_controls": {
    "member_accounts": 12,
    "central_security_account": true,
    "cloudwatch_logs": "not enabled for CloudTrail",
    "eventbridge_rules": "none"
  }
}
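The exhibit at the top of this section and the one for question 205 turn on the same detection detail: the rule must select the policy-changing API call whether or not it succeeded. The added Python example below, which is not part of the question bank, implements the subset of EventBridge event-pattern matching such a rule needs and runs it over the two exhibit samples re-wrapped in the envelope EventBridge uses for CloudTrail-delivered management events (`detail-type`, `source`, `account`, `detail`). The pattern, the matcher and the third unrelated event are assumptions written for this example.

```python
# Added example: EventBridge pattern for S3 bucket-policy and KMS key-policy changes.
# There is deliberately no "errorCode" clause, so AccessDenied attempts (which arrive
# with detail.errorCode set) match just like successful changes.
POLICY_CHANGE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "source": ["aws.s3", "aws.kms"],
    "detail": {
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy", "PutKeyPolicy"],
    },
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge pattern semantics: every key named in the pattern must
    exist in the event; a list means 'equals one of these values'; a nested dict
    recurses. Keys the pattern does not mention are unconstrained, which is what
    lets failed calls through alongside successes."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def wrap_cloudtrail(account: str, source: str, record: dict) -> dict:
    """Envelope EventBridge puts around a CloudTrail management event."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": account,
        "detail": record,
    }


# Constructed events: the two exhibit samples plus an unrelated read that must not match.
# CloudTrail omits errorCode on success, so the successful record carries no such key.
SAMPLE_EVENTS = [
    wrap_cloudtrail("111122223333", "aws.s3",
                    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}),
    wrap_cloudtrail("444455556666", "aws.kms",
                    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
                     "errorCode": "AccessDenied"}),
    wrap_cloudtrail("444455556666", "aws.s3",
                    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy"}),
]


def alerts(events: list) -> list:
    """(account, eventName, outcome) for every event the pattern selects."""
    return [
        (e["account"], e["detail"]["eventName"], e["detail"].get("errorCode", "Success"))
        for e in events
        if pattern_matches(POLICY_CHANGE_PATTERN, e)
    ]


if __name__ == "__main__":
    for account, name, outcome in alerts(SAMPLE_EVENTS):
        print(f"ALERT account={account} event={name} outcome={outcome}")
```

The pattern alone does not give the centralization the question asks for: EventBridge rules see only the API calls made in the account (and Region) where the rule lives, so either each of the twelve member accounts needs the rule forwarding to an event bus in the security account, or the organization trail must be delivered to CloudWatch Logs and alerted on with a metric filter. PutBucketPolicy and PutKeyPolicy are management events, so the default trail configuration records them; no data-event logging is needed.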
Question 206 (hard, multiple choice)

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

Exhibit

{
  "current_state": {
    "approved_boundary": "arn:aws:iam::111122223333:policy/ApprovedAppBoundary",
    "developer_role_policy": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
    "incident": "A new role was created without a permissions boundary and attached an overly permissive policy"
  },
  "desired_state": "All future roles must be created with ApprovedAppBoundary"
}
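The bucket policy drafted in the question 204 exhibit and the organization-level control question 206 asks for both rely on one detail of IAM condition evaluation: a negated operator such as StringNotEquals or ArnNotLike is satisfied when the condition key is absent from the request. That is exactly what makes a Deny on iam:CreateRole without the approved iam:PermissionsBoundary work, and it is also what makes the aws:SourceVpce Deny lock out console or cross-account requests, which never carry that key. The added Python example below, not part of the question bank, implements that rule for the operators involved and checks the cases a reviewer would ask about. The SecurityBreakGlass role, the AppRole workload role, the AdminBoundary policy and the account 444455556666 boundary ARNs are assumptions; ArnLike matching is approximated with shell-style globbing.

```python
import fnmatch

NEGATED = {"StringNotEquals", "ArnNotEquals", "ArnNotLike"}
ARN_LIKE = {"ArnLike", "ArnNotLike"}


def condition_satisfied(conditions: dict, request: dict) -> bool:
    """Evaluate an IAM Condition block for the operators used below.
    Operator blocks and keys are ANDed; listed values for one key are ORed.
    The detail that matters here: when the key is absent from the request, a
    negated operator is satisfied and a positive operator is not."""
    for operator, pairs in conditions.items():
        negated = operator in NEGATED
        for key, expected in pairs.items():
            values = [expected] if isinstance(expected, str) else expected
            actual = request.get(key)
            if actual is None:
                if negated:
                    continue          # absent key: the Not* operator holds
                return False          # absent key: a positive operator fails
            if operator in ARN_LIKE:
                hit = any(fnmatch.fnmatchcase(actual, v) for v in values)
            else:
                hit = actual in values
            if hit == negated:        # matched a Not* value, or missed a positive one
                return False
    return True


VPCE = "vpce-0a1b2c3d4e5f6a7b8"
BREAK_GLASS = "arn:aws:iam::111122223333:role/SecurityBreakGlass"   # assumed
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"                 # assumed

# Deny condition exactly as drafted in the question 204 exhibit.
ENDPOINT_ONLY = {"StringNotEquals": {"aws:SourceVpce": VPCE}}

# Same Deny with an exemption: both keys must hold for the Deny to apply.
ENDPOINT_ONLY_WITH_BREAK_GLASS = {
    "StringNotEquals": {"aws:SourceVpce": VPCE},
    "ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS},
}

# SCP Deny on iam:CreateRole (and iam:PutRolePermissionsBoundary): the boundary must
# be the approved policy. The account ID is wildcarded because every member account
# owns its own copy of ApprovedAppBoundary.
BOUNDARY_REQUIRED = {
    "ArnNotLike": {"iam:PermissionsBoundary": "arn:aws:iam::*:policy/ApprovedAppBoundary"}
}


def deny_outcomes() -> dict:
    """True means the Deny statement applies to that constructed request context."""
    return {
        "s3_via_endpoint": condition_satisfied(
            ENDPOINT_ONLY, {"aws:SourceVpce": VPCE, "aws:PrincipalArn": APP_ROLE}),
        "s3_console_no_vpce": condition_satisfied(
            ENDPOINT_ONLY, {"aws:PrincipalArn": BREAK_GLASS}),
        "s3_console_break_glass": condition_satisfied(
            ENDPOINT_ONLY_WITH_BREAK_GLASS, {"aws:PrincipalArn": BREAK_GLASS}),
        "createrole_no_boundary": condition_satisfied(
            BOUNDARY_REQUIRED, {"aws:PrincipalArn": APP_ROLE}),
        "createrole_approved_boundary": condition_satisfied(
            BOUNDARY_REQUIRED,
            {"iam:PermissionsBoundary": "arn:aws:iam::444455556666:policy/ApprovedAppBoundary"}),
        "createrole_other_boundary": condition_satisfied(
            BOUNDARY_REQUIRED,
            {"iam:PermissionsBoundary": "arn:aws:iam::444455556666:policy/AdminBoundary"}),
    }


if __name__ == "__main__":
    for case, denied in deny_outcomes().items():
        print(f"{case:30} {'DENIED' if denied else 'not denied'}")
```

Read the second case as the warning it is: once the exhibit's bucket policy is applied, every request that does not arrive through the endpoint is denied, including the administrator who applied it, unless an exemption like the third case is in place. For the SCP, the absent-key behaviour is the desired one, but the statement should also deny iam:DeleteRolePermissionsBoundary so a team cannot create a role correctly and strip the boundary afterwards, and SCPs never apply to the management account.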
Question 207 (hard, multiple choice)

Based on the exhibit, a public API is behind CloudFront. A single client IP is sending bursts of requests that are overwhelming the origin, and the team wants AWS to automatically mitigate the abuse at the edge without changing the application code. What should the team do?

Exhibit

{
  "cloudfront_log_sample": [
    "2026-04-27T09:14:01Z c-ip=203.0.113.44 uri=/api/search 1",
    "2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1",
    "2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1"
  ],
  "origin_metrics": {
    "5xxErrorRate": "spiking",
    "ALBRequestCount": "high",
    "single_source_ip_percentage": "82%"
  },
  "waf_status": "No Web ACL associated with the CloudFront distribution"
}
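Questions 198, 207 and 220 all call for rate limiting at the edge; in AWS WAF that is a rate-based rule in a Web ACL associated with the CloudFront distribution (Web ACLs for CloudFront are created with the CLOUDFRONT scope in us-east-1). The added Python example below, not part of the question bank, builds such a rule in the shape the WAFv2 API takes and approximates what the rule counts, requests per client IP in a trailing window, by running that counter over a constructed log in the format of the question 198 excerpt. The limit of 1000 requests per 300 seconds, the log contents and the benign client 198.51.100.7 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# WAFv2 Rule object, as passed in the Rules list of create-web-acl / update-web-acl.
# Limit and window are example values: WAF accepts a Limit of 10 or more and an
# EvaluationWindowSec of 60, 120, 300 or 600.
RATE_RULE = {
    "Name": "block-high-rate-client-ips",
    "Priority": 0,
    "Statement": {
        "RateBasedStatement": {
            "Limit": 1000,
            "EvaluationWindowSec": 300,
            # Aggregate on the connecting IP. FORWARDED_IP (X-Forwarded-For) is only
            # safe behind a proxy you control, since clients can forge that header.
            "AggregateKeyType": "IP",
        }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockHighRateClientIps",
    },
}


def parse_log_line(line: str):
    """'<ISO-8601 Z> <client ip> <method> <path> <status> <latency>' -> (timestamp, ip)."""
    ts, ip, _method, _path, _status, _latency = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip


def ips_over_limit(lines, limit: int, window_sec: int) -> dict:
    """Trailing-window request count per client IP, the behaviour a rate-based rule
    approximates. Returns {ip: peak count} for every IP whose count within any
    window_sec span exceeded limit. A real rule blocks the key only while it is
    over the limit and releases it once the rate drops."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, ip in sorted(parse_log_line(line) for line in lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_sec:
            window.popleft()
        if len(window) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def constructed_log() -> list:
    """Constructed sample: one client sends 2 requests/s for 30 s to /api/search,
    a second client sends 5 requests to /api/orders over the same period."""
    base = datetime(2026, 4, 27, 9, 14, 0, tzinfo=timezone.utc)
    fmt = "{ts} {ip} GET {path} 200 110ms"
    stamp = lambda seconds: (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [fmt.format(ts=stamp(i // 2), ip="203.0.113.44", path="/api/search")
             for i in range(60)]
    lines += [fmt.format(ts=stamp(6 * i), ip="198.51.100.7", path="/api/orders")
              for i in range(5)]
    return lines


if __name__ == "__main__":
    print(ips_over_limit(constructed_log(), limit=50, window_sec=60))
```

Set the limit from the legitimate per-client peak seen in the access logs, not from the attacker's rate, and start the rule in Count mode to confirm that no shared egress IP (a corporate NAT, for instance) would be blocked. For the second half of question 220, the same Web ACL also carries the AWSManagedRulesCommonRuleSet managed rule group, which covers the common-exploit requirement without custom rules.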
Question 208 (hard, multiple choice)

Based on the exhibit, a central deployment role in Account A is assumed by several CI/CD pipelines from Account B. The role must remain reusable, but the team wants the TeamA pipeline to upload artifacts only to s3://artifact-bucket/teamA/prod/ without creating a separate IAM role. What is the best approach?

Exhibit

{
  "assume_role_command": "aws sts assume-role --role-arn arn:aws:iam::111122223333:role/CentralDeployRole --role-session-name teamA-ci",
  "role_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::artifact-bucket/*"
      }
    ]
  }
}
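Questions 199 and 208 both ask how one pipeline narrows a shared role for a single run without touching the role itself; the mechanism is a session policy supplied on AssumeRole (`--policy` in the CLI, `Policy=` in boto3), and the session's effective permissions are the intersection of the role's policy and the session policy. The added Python example below, not part of the question bank, takes the shared role policy from the question 199 exhibit, a session policy written here for the TeamA pipeline, and a simplified evaluator (wildcards only, no conditions) to show what the session can and cannot do. The session policy, the teamB path, the object names and the evaluator are assumptions.

```python
import fnmatch
import json
from typing import Optional

# Shared role policy from the question 199 exhibit (Account A).
SHARED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "kms:Decrypt"],
            "Resource": [
                "arn:aws:s3:::artifact-bucket/*",
                "arn:aws:kms:us-east-1:111122223333:key/KEY-AAAA",
            ],
        }
    ],
}

# Session policy written for this example. It can only remove permissions: a
# request must be allowed by BOTH the role policy and the session policy.
TEAM_A_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::artifact-bucket/teamA/prod/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-AAAA"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else value


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Wildcards follow IAM's '*' and '?'; conditions are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def session_allows(action: str, resource: str, session_policy: Optional[dict]) -> bool:
    """Effective permission of the assumed-role session: role policy AND session policy."""
    if not policy_allows(SHARED_ROLE_POLICY, action, resource):
        return False
    return session_policy is None or policy_allows(session_policy, action, resource)


def assume_role_kwargs() -> dict:
    """Keyword arguments for boto3 sts.assume_role(); 'Policy' carries the session policy."""
    return {
        "RoleArn": "arn:aws:iam::111122223333:role/SharedDeployRole",
        "RoleSessionName": "build-7412",
        "Policy": json.dumps(TEAM_A_SESSION_POLICY),
    }


def compare_sessions() -> dict:
    """(allowed without a session policy, allowed with the TeamA session policy)."""
    requests = {
        "put_teamA_prod": ("s3:PutObject", "arn:aws:s3:::artifact-bucket/teamA/prod/app.zip"),
        "put_teamB_prod": ("s3:PutObject", "arn:aws:s3:::artifact-bucket/teamB/prod/app.zip"),
        "decrypt_key_aaaa": ("kms:Decrypt", "arn:aws:kms:us-east-1:111122223333:key/KEY-AAAA"),
        "get_teamA_prod": ("s3:GetObject", "arn:aws:s3:::artifact-bucket/teamA/prod/app.zip"),
    }
    return {
        name: (session_allows(a, r, None), session_allows(a, r, TEAM_A_SESSION_POLICY))
        for name, (a, r) in requests.items()
    }


if __name__ == "__main__":
    for name, (plain, scoped) in compare_sessions().items():
        print(f"{name:18} role-only={plain!s:5} with-session-policy={scoped}")
```

The last row is the point that is easy to miss: a session policy can never add a permission the role lacks, so it is safe to let the pipeline author it. Because the role is untouched, the other pipelines keep their access, and the session name (build-7412) plus the supplied policy are recorded in CloudTrail for the run. STS rejects oversized session policies (the response's PackedPolicySize reports how close you are), so keep them to the statements the job needs.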
Question 209 (easy, multiple choice)

A microservice runs on an EC2 instance using an instance role. It must retrieve exactly one secret value from AWS Secrets Manager. The secret ARN is arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf. The secret is encrypted with the default AWS-managed Secrets Manager KMS key (alias/aws/secretsmanager). Which IAM policy statement provides the best least-privilege access?

Question 210 (easy, multiple choice)

Company A must allow workloads in Company B to assume an IAM role in Company A (RoleInA). To mitigate confused-deputy attacks, a security requirement is to use an external ID. Company A should restrict who can assume RoleInA. Which trust-policy configuration is the best choice?

Question 211 (easy, multiple choice)

A cross-account IAM role in Account B reads encrypted S3 objects from Account A. The objects use SSE-KMS with a customer-managed KMS key in Account A. Account B can successfully call s3:GetObject, but decryption fails with an AccessDeniedException from KMS. What change most directly fixes the issue?

Question 212 (easy, multiple choice)

You have EC2 instances in private subnets with no NAT gateway. They must retrieve secrets from AWS Secrets Manager without sending traffic to the public internet. Which VPC endpoint type is the correct choice for connecting to AWS Secrets Manager?

Question 213 (easy, multiple choice)

An internal web application is exposed through an Application Load Balancer (ALB). The ALB currently has only an HTTP listener on port 80. Security requires that all client traffic be encrypted in transit. What is the best next step?

Question 214 (easy, multiple choice)

A company serves a public API through a CloudFront distribution. They want to automatically block common web exploits (for example, OWASP Top 10–style threats) without building custom detection logic. Which AWS service configuration best meets the goal?

Question 215 (medium, multi-select)

A company stores sensitive PDFs in Amazon S3 and serves them through CloudFront. Users must access PDFs only through CloudFront, and direct S3 URL requests must fail. Which three changes should be implemented? Select three.

Question 216 (medium, multi-select)

An application in Account B reads objects from an Amazon S3 bucket in Account A. The bucket uses SSE-KMS with a customer managed key in Account A. The role in Account B already has s3:GetObject, but downloads fail with AccessDenied on decrypt. Which two changes are required for the role to read the object successfully? Select two.

Question 217 (medium, multi-select)

A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.

Question 218 (medium, multi-select)

A software vendor in Account B must assume a role in Account A to process support tickets. Security wants to prevent confused deputy attacks. Which two configurations are required for this access pattern to work safely? Select two.

Question 219 (medium, multi-select)

An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.

Question 220 (medium, multi-select)

A public API is delivered through CloudFront and an Application Load Balancer. The security team wants AWS to automatically block repetitive bursts from the same client IP and also reduce exposure to common web exploits without custom code. Which two AWS WAF features should be enabled? Select two.

Question 221 (hard, multiple choice)

A SaaS vendor’s automation account in Account B needs to assume a role in a customer account in Account A to read a specific S3 bucket and publish a deployment status file. The customer is worried about confused deputy attacks because multiple customers use the same vendor software. Which trust-policy design best meets the requirement?

Question 222 (hard, multiple choice)

A platform team lets application teams create IAM roles in member accounts through Infrastructure as Code. Security says every new role must stay within a centrally approved permission ceiling, even if someone later attaches broader managed policies or inline policies. Which control should be used to enforce that maximum permission set?

Question 223 (hard, multiple choice)

An application runs in private subnets and must download objects from Amazon S3 and read one secret from AWS Secrets Manager. NAT gateways are prohibited, and traffic must not traverse the public internet. The secret uses a customer managed KMS key. Which design is best?

Question 224 (medium, multiple choice)

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 225 (hard, multi-select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use?

Question 226 (medium, multiple choice)

A Lambda function for an order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

Question 227 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 228 (medium, multiple choice)

A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

Question 229 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure scalable access pattern?

Question 230 (hard, multiple choice)

A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 231 (medium, multiple choice)

A public API for a customer analytics portal is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

Question 232 (hard, multi-select)

A company is encrypting sensitive S3 data for an IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Question 233 (medium, multiple choice)

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 234 (hard, multiple choice)

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 235 (medium, multiple choice)

A company hosts an image sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

Question 236 (medium, multiple choice)

An order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

Question 237 (hard, multi-select)

A financial reporting platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Question 238 (medium, multiple choice)

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 239 (hard, multi-select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The design must avoid adding custom operational scripts.

Question 240 (medium, multiple choice)

A Lambda function for a mobile banking backend needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

Question 241 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a customer analytics portal. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 242 (medium, multiple choice)

A web application for an IoT ingestion API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

Question 243 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for an e-learning platform. The partner has its own AWS account. What is the most secure scalable access pattern?

Question 244 (hard, multiple choice)

A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 245 (medium, multiple choice)

A public API for an image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

Question 246 (hard, multi-select)

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Question 247 (medium, multiple choice)

Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 248 (hard, multiple choice)

A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 249 (medium, multiple choice)

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

Question 250 (medium, multiple choice)

A mobile banking backend stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

Question 251 (hard, multi-select)

A customer analytics portal uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Question 252 (medium, multiple choice)

A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 253 (hard, multi-select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The architecture review board prefers a managed AWS-native control.

Question 254 (medium, multiple choice)

A Lambda function for a claims portal needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

Question 255 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an image sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 256 (medium, multiple choice)

A web application for an order processing API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

Question 257 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for a financial reporting platform. The partner has its own AWS account. What is the most secure scalable access pattern?

Question 258 (hard, multiple choice)

A healthcare document service uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 259 (medium, multiple choice)

A public API for a B2B file exchange site is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

Question 260 (hard, multi-select)

A company is encrypting sensitive S3 data for a mobile banking backend with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Question 261 (medium, multiple choice)

Developers for a customer analytics portal need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 262 (hard, multiple choice)

An IoT ingestion API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 263 (medium, multiple choice)

A company hosts an e-learning platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

Question 264 (medium, multiple choice)

A claims portal stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

Question 265 (hard, multi-select)

An image sharing application uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Question 266 (medium, multiple choice)

A solutions architect is designing an S3 bucket for an order processing API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 267 (hard, multi-select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The team wants the control to be enforceable during normal operations.

Question 268 (medium, multiple choice)

A Lambda function for a healthcare document service needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

Question 269 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a B2B file exchange site. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 270 (medium, multiple choice)

A web application for a mobile banking backend is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

Question 271 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for a customer analytics portal. The partner has its own AWS account. What is the most secure scalable access pattern?

Question 272 (hard, multiple choice)

An IoT ingestion API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 273 (medium, multiple choice)

A public API for an e-learning platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

Question 274 (hard, multi-select)

A company is encrypting sensitive S3 data for a claims portal with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Question 275 (medium, multiple choice)

Developers for an image sharing application need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 276 (hard, multiple choice)

An order processing API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 277 (medium, multiple choice)

A company hosts a financial reporting platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

Question 278 (medium, multiple choice)

A healthcare document service stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

Question 279 (hard, multi-select)

A B2B file exchange site uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Question 280 (medium, multiple choice)

A solutions architect is designing an S3 bucket for a mobile banking backend. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 281 (hard, multi-select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The business wants to avoid a reactive-only remediation approach.

Question 282 (medium, multiple choice)

A Lambda function for an IoT ingestion API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

Question 283 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an e-learning platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 284 (medium, multiple choice)

A web application for a claims portal is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

Question 285 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for an image sharing application. The partner has its own AWS account. What is the most secure scalable access pattern?

Question 286 (hard, multiple choice)

An order processing API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 287 (medium, multiple choice)

A public API for a financial reporting platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

Question 288 (hard, multi select)

A company is encrypting sensitive S3 data for a healthcare document service with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Question 289 (medium, multiple choice)

Developers for a B2B file exchange site need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 290 (hard, multiple choice)

A mobile banking backend must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 291 (medium, multiple choice)

A company hosts a customer analytics portal on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

Question 292 (medium, multiple choice)

An IoT ingestion API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

Question 293 (hard, multi select)

An e-learning platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Question 294 (medium, multiple choice)

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 295 (hard, multi select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The implementation must work across routine deployments without manual intervention.

Question 296 (medium, multiple choice)

A Lambda function for an order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used? The design must avoid adding custom operational scripts.

Question 297 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy? The design must avoid adding custom operational scripts.

Question 298 (medium, multiple choice)

A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy? The design must avoid adding custom operational scripts.

Question 299 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure scalable access pattern? The design must avoid adding custom operational scripts.

Question 300 (hard, multiple choice)

A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.

Question 301 (medium, multiple choice)

A public API for a customer analytics portal is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used? The design must avoid adding custom operational scripts.

Question 302 (hard, multi select)

A company is encrypting sensitive S3 data for an IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.

Question 303 (medium, multiple choice)

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

Question 304 (hard, multiple choice)

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control? The design must avoid adding custom operational scripts.

Question 305 (medium, multiple choice)

A company hosts an image sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use? The design must avoid adding custom operational scripts.

Question 306 (medium, multiple choice)

An order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured? The design must avoid adding custom operational scripts.

Question 307 (hard, multi select)

A financial reporting platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly? The design must avoid adding custom operational scripts.

Question 308 (medium, multiple choice)

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 309 (hard, multi select)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The security team requires the decision to be auditable.

Question 310 (medium, multiple choice)

A Lambda function for a mobile banking backend needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used? The design must avoid adding custom operational scripts.

Question 311 (hard, multiple choice)

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a customer analytics portal. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy? The design must avoid adding custom operational scripts.

Question 312 (medium, multiple choice)

A web application for an IoT ingestion API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy? The design must avoid adding custom operational scripts.

Question 313 (medium, multiple choice)

A partner company needs read-only access to reports in an S3 bucket for an e-learning platform. The partner has its own AWS account. What is the most secure scalable access pattern? The design must avoid adding custom operational scripts.

Question 314 (hard, multiple choice)

A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.

Question 315 (medium, multiple choice)

A public API for an image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used? The design must avoid adding custom operational scripts.

Question 316 (hard, multi select)

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.

Question 317 (medium, multiple choice)

Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

Question 318 (hard, multiple choice)

A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control? The design must avoid adding custom operational scripts.

Question 319 (medium, multiple choice)

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use? The design must avoid adding custom operational scripts.

Question 320 (medium, multiple choice)

A mobile banking backend stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured? The design must avoid adding custom operational scripts.

Question 321 (hard, multi select)

A customer analytics portal uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly? The design must avoid adding custom operational scripts.

Question 322 (medium, multiple choice)

A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 323 (medium, multiple choice)

A company stores RDS database credentials in AWS Systems Manager Parameter Store as SecureString parameters. The security team requires that database passwords rotate automatically every 30 days. Which change should a solutions architect recommend?

Question 324 (hard, multiple choice)

A financial services company must store audit logs in S3 for 7 years and ensure that no one — including the AWS account root user — can delete or overwrite the logs during the retention period. Which S3 Object Lock configuration should a solutions architect use?

Question 325 (hard, multiple choice)

A company uses AWS Organizations and wants to prevent any account in the organization from launching resources in regions other than us-east-1 and eu-west-1. This restriction must apply even if an administrator in a member account grants full IAM permissions. Which approach should a solutions architect use?

Question 326 (medium, multi select)

A company is designing a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), an Amazon EC2 Auto Scaling group for the web tier, and an Amazon RDS for MySQL database. The security team requires that the web tier instances have no public IP addresses and that all outbound traffic to the internet is blocked, except for specific software updates from a trusted vendor. Which three steps should be taken to meet these requirements? (Choose three.)

Question 327 (medium, multi select)

A financial services company is migrating sensitive customer data to Amazon S3. The data must be encrypted at rest using a customer-managed key stored in AWS KMS, with automatic rotation every 90 days. The company also needs to prevent any access to the data from outside the corporate network, except for approved AWS services. Which three steps should be taken to meet these requirements? (Choose three.)

Question 328 (medium, multi select)

A company is deploying a serverless application using AWS Lambda functions that process credit card transactions. The application stores data in Amazon DynamoDB and sends notifications through Amazon SNS. Compliance requirements mandate that all data in transit and at rest is encrypted, and that no AWS Lambda function can access resources in other AWS accounts. Which three steps should be taken to meet these requirements? (Choose three.)

Question 329 (medium, multi select)

A company is designing a secure CI/CD pipeline on AWS. Developers push code to AWS CodeCommit, which triggers AWS CodePipeline to build and deploy applications to Amazon EC2 instances running in a VPC. The security team requires that all code is scanned for secrets and vulnerabilities before deployment, and that deployment artifacts are encrypted at rest in Amazon S3. Which three steps should be taken to meet these requirements? (Choose three.)

Question 330 (medium, multi select)

A company is hosting a web application on Amazon ECS Fargate behind an Application Load Balancer. The application needs to authenticate users using Amazon Cognito and store session data in Amazon ElastiCache for Redis. The security team mandates that all traffic between the ALB and ECS tasks must not traverse the public internet, and that session data in ElastiCache is encrypted at rest. Which three steps should be taken to meet these requirements? (Choose three.)

Question 331 (medium, multi select)

A company has a workload running on Amazon EC2 instances that need to securely communicate with an Amazon SQS queue and an Amazon DynamoDB table. The EC2 instances are in a private subnet without internet access. The security team wants to ensure that no traffic leaves the AWS network. Which three steps should be taken to meet these requirements? (Choose three.)

Question 332 (medium, multi select)

A company is designing a secure multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets, and the EC2 instances need to access an Amazon RDS database in a separate private subnet. The company must ensure that all traffic is encrypted in transit and that only necessary access is allowed. Which of the following steps should the company take to meet these requirements? (Choose four.)

Question 333 (medium, multi select)

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must meet strict security and compliance requirements. The company needs to ensure that all data stored in DynamoDB is encrypted at rest using a customer-managed key, that the Lambda function can only access the specific DynamoDB table it needs, and that API requests are authenticated and authorized. Which of the following actions should the company take? (Choose four.)

Question 334 (medium, drag order)

Arrange the steps to create an encrypted Amazon EBS volume from scratch in the correct order.

Question 335 (medium, drag order)

Arrange the steps for a cross-region Amazon S3 replication configuration.

Question 336 (medium, drag order)

Arrange the steps to implement a disaster recovery plan using AWS Elastic Disaster Recovery (DRS).

