SAA-C03 Design Secure Architectures • Complete Question Bank
Complete SAA-C03 Design Secure Architectures question bank with answers and detailed explanations.
An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt".
The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail.
Which change will most directly fix the failure?
A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/ . The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/".
The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys.
Which IAM policy change best enforces least privilege for both ListBucket and GetObject?
A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix.
The role already has this statement:
- Action: s3:ListBucket
- Resource: arn:aws:s3:::prod-reporting
Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?
A SaaS vendor will access your AWS resources by assuming an IAM role in your account. You want to prevent confused-deputy attacks and ensure the vendor can only assume the role using an agreed external identifier.
Your role trust policy currently allows sts:AssumeRole from the vendor’s principal, but it does not include any external ID protection. Which change is the best next step?
You use Amazon CloudFront in front of a private content S3 origin. To mitigate an OWASP Top 10 issue, you created a WAF web ACL and associated it to the CloudFront distribution, but attacks are still reaching the origin.
CloudWatch logs show the web ACL rules never match for the CloudFront requests.
What is the most likely configuration mistake?
A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written.
They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review.
Which CloudTrail configuration change most directly provides the missing object-level visibility?
Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance.
Which bucket policy change best enforces both requirements?
A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.
Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?
Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied".
Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?
You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests.
Which change most likely fixes the issue?
A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used.
Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging.
Which approach best satisfies the requirement?
Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com".
Which change most directly resolves this while keeping instances private?
An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports.
Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports.
What is the most likely reason the traffic fails, and what should be updated?
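The ALB-to-instance scenario above turns on the difference between a stateful security group and a stateless network ACL. The following simulation is an added example (it is not part of the question bank or any AWS tooling): it models first-match NACL evaluation and one HTTPS handshake, and shows that the inbound :443 allow is not enough until the return traffic to the ALB's ephemeral port is also allowed. Rule numbers, the 10.0.0.0/16 CIDR, the ALB address and the ephemeral port are constructed assumptions.

```python
# Added example, not from the question bank: stateless-vs-stateful evaluation of the
# ALB -> instance HTTPS flow. Rule numbers, CIDRs, addresses and ports are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated in ascending order; first match wins
    direction: str     # "inbound" or "outbound"
    action: str        # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int

def nacl_verdict(rules, direction, peer_ip, dst_port):
    """First matching numbered rule decides; the implicit final '*' rule denies."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.direction == direction and peer in ipaddress.ip_network(r.cidr)
                and r.port_from <= dst_port <= r.port_to):
            return r.action == "allow"
    return False

def https_flow(nacl_rules, alb_ip, alb_ephemeral_port, sg_allows_443_from_alb=True):
    """One TCP handshake: SYN in to :443, SYN/ACK back out to the ALB's ephemeral port.
    The security group is stateful, so only the inbound SYN is checked against it and
    the reply is allowed automatically. The NACL is stateless: both directions must be
    allowed explicitly, and the reply's destination port is the ALB's ephemeral port."""
    nacl_in = nacl_verdict(nacl_rules, "inbound", alb_ip, 443)
    nacl_out = nacl_verdict(nacl_rules, "outbound", alb_ip, alb_ephemeral_port)
    return {"sg": sg_allows_443_from_alb, "nacl_inbound": nacl_in, "nacl_outbound": nacl_out,
            "connection": sg_allows_443_from_alb and nacl_in and nacl_out}

# The misconfiguration in the question: inbound 443 allowed, nothing allowed outbound.
BROKEN_NACL = [Rule(100, "inbound", "allow", "10.0.0.0/16", 443, 443)]
# The fix: allow outbound traffic to the ephemeral range the ALB uses (1024-65535).
FIXED_NACL = BROKEN_NACL + [Rule(100, "outbound", "allow", "10.0.0.0/16", 1024, 65535)]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_NACL), ("fixed", FIXED_NACL)):
        print(name, https_flow(rules, "10.0.1.25", 48732))
```

Two practical checks follow from the model: the outbound rule must cover the whole ephemeral range rather than a guessed port, because the ALB picks the source port per connection, and the same reasoning applies in reverse to the ALB's own subnet NACL if it is not the default allow-all.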
A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole".
What is the most appropriate fix?
A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.
Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.
Which architecture best meets these requirements?
Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project.
AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag.
Which change most directly fixes this issue?
AWS Organizations policy summary:
Root OU: Full access
Production OU: SCP attached
SCP content:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
"Resource": "*"
}
]
}
CloudTrail event:
- userIdentity: arn:aws:iam::444455556666:role/OpsAdmin
- eventName: CreateSnapshot
- errorCode: AccessDenied
- errorMessage: action denied by organizations service control policy
The standby in another Availability Zone is promoted, and the same database endpoint remains in use after a brief reconnect.
Aurora promotes another healthy instance to writer while the shared storage layer stays intact across Availability Zones.
A manual failover can be triggered so the standby becomes primary before the reboot finishes.
Only that reader is removed from the reader set; the cluster can still serve read traffic through the remaining healthy readers.
Application log excerpt:
2026-04-11T09:14:22Z ERROR S3 GetObject failed: AccessDenied
2026-04-11T09:14:22Z ERROR KMS Decrypt failed for key arn:aws:kms:us-east-1:111122223333:key/abcd-1234
Current setup:
- S3 bucket default encryption: SSE-KMS
- EC2 application role: AppServerRole
- Bucket policy allows s3:GetObject for AppServerRole
- KMS key policy currently allows only the account root principal
- No direct KMS permissions are attached to AppServerRole
Cross-account access attempt:
Account A:
- EC2 instance profile role: arn:aws:iam::111122223333:role/AppRole
- Identity policy allows s3:GetObject on arn:aws:s3:::shared-data-bucket/*
Account B:
- Bucket policy currently allows the account root principal only
- Application log shows: AccessDenied when calling GetObject on shared-data-bucket
- Security requirement: no static credentials; access must be revocable centrally
Application configuration excerpt:
DB_HOST=db-prod.abc123.us-east-1.rds.amazonaws.com
DB_USER=app_user
DB_PASSWORD=stored_in_env_var
Operational requirement:
- Password must rotate automatically every 30 days
- Application should retrieve the current password securely when starting connections
- Security wants a managed service that stores versions of the secret and supports rotation workflows
Application topology:
- 4 Amazon EC2 instances run in a single Availability Zone
- Each node exchanges small TCP messages with every other node
- 99th percentile message latency increased after adding two more nodes
- Instances currently launch in the default placement
CloudWatch note: Network throughput is not saturated, but packet round-trip time between instances is higher than expected.
The target is marked unhealthy by the ALB health check and removed from routing until it passes again.
The Auto Scaling health check grace period prevents premature termination while startup work completes.
Instances that fail load balancer health checks are considered unhealthy by the group and are replaced automatically.
The health check verifies protocol and port reachability rather than an HTTP response body or status code.
Using EC2 health checks allows Auto Scaling to replace the instance even when the app itself has not reported an error.
Security review notes:
- S3 bucket contains employee records, exports, and uploaded documents
- Team wants to find objects that contain personally identifiable information
- A sample report shows files with patterns resembling SSNs and bank account numbers
- The team needs ongoing classification findings, not just API activity logs
Network design excerpt:
VPC: 10.40.0.0/16
Private subnet route table:
- 10.40.0.0/16 local
- 0.0.0.0/0 -> nat-0c91f2a7d3b1e3
Instance behavior:
- patching scripts fail when downloading packages from S3
- AWS Systems Manager Session Manager shows: 'Target not connected'
- Security team wants to remove NAT gateway usage for these workloads
A retail company lets developers deploy ECS services but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies.
Which design best meets all requirements?
An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present.
Which IAM design best meets these requirements?
A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.
Which architecture best satisfies these requirements?
Bucket configuration for arn:aws:s3:::corp-shared-data:
- S3 Block Public Access: enabled
- Object Ownership: BucketOwnerEnforced
- ACLs: disabled
Bucket policy excerpt:
- 17 separate statements grant GetObject and PutObject to different team roles
- Each statement uses a team-specific prefix condition
Audit note: "A recent policy edit granted Team B access to Team C's uploads for 18 minutes before rollback."
Private subnet route table rtb-priv:
- 10.0.0.0/16 local
- 0.0.0.0/0 -> nat-0a12bc34
Application logs:
2026-04-20T10:14:11Z ERROR could not reach https://secretsmanager.us-east-1.amazonaws.com:443
2026-04-20T10:14:11Z ERROR timeout after 30s while downloading s3://company-artifacts-builds
Finance note: "NAT data processing charges increased 42% last month."
Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS.
What is the most secure and correct change to allow cross-account uploads to succeed?
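Several of the questions above (the cross-account SSE-KMS read and upload failures, the prefix-scoped ListBucket/GetObject policy, and the bucket policy that must force HTTPS and encryption) come down to the same evaluation rules: an explicit Deny wins, a same-account caller needs one Allow, and a cross-account caller needs an Allow from the resource policy and from its own identity policy. The code below is an added example, not part of the question bank and not AWS's evaluator; it implements just those rules plus the string and Bool condition operators, then replays the three scenarios. All account IDs, ARNs, key IDs, bucket and role names are illustrative assumptions.

```python
# Added example (not from the question bank or from AWS): a deliberately small IAM
# evaluator covering only the rules the scenarios turn on. All identifiers are assumed.
from fnmatch import fnmatchcase

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_ok(cond, ctx):
    """StringEquals / StringNotEquals / Bool against the request context; other operators
    are not modelled."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), [str(w) for w in _as_list(wanted)]
            if op == "StringEquals" and actual not in wanted:
                return False
            if op == "StringNotEquals" and actual in wanted:
                return False                 # a missing key satisfies StringNotEquals
            if op == "Bool" and str(actual).lower() != wanted[0].lower():
                return False                 # a missing key matches neither true nor false
    return True

def _principal_ok(principal, caller_arn):
    if principal is None or principal == "*":   # identity policy, or open grant
        return True
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(principal["AWS"]):
        # naming an account root hands the decision to that account's own IAM policies
        if p == caller_arn or (p.endswith(":root") and p.split(":")[4] == caller_account):
            return True
    return False

def _decision(policy, caller_arn, action, resource, ctx):
    """'Deny', 'Allow' or None (nothing matched) for one policy document."""
    outcome = None
    for st in policy["Statement"]:
        if (_principal_ok(st.get("Principal"), caller_arn)
                and any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome

def is_allowed(resource_policy, resource_account, identity_policy, caller_arn,
               action, resource, ctx=None):
    """Explicit Deny wins. Cross-account: BOTH the resource policy (bucket or key) and the
    caller's identity policy must Allow. Same account: one Allow from either is enough."""
    ctx = ctx or {}
    verdicts = [_decision(p, caller_arn, action, resource, ctx) if p else None
                for p in (resource_policy, identity_policy)]
    if "Deny" in verdicts:
        return False
    if caller_arn.split(":")[4] != resource_account:
        return verdicts == ["Allow", "Allow"]
    return "Allow" in verdicts

# 1. Cross-account SSE-KMS read: the KEY policy, not the bucket policy, must name Account B.
A, B = "111122223333", "444455556666"
KEY = f"arn:aws:kms:us-east-1:{A}:key/abcd-1234"
ROLE_B = f"arn:aws:iam::{B}:role/app-read"
ROOT_ONLY = [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{A}:root"},
              "Action": "kms:*", "Resource": "*"}]
GRANT_B = [{"Effect": "Allow", "Principal": {"AWS": ROLE_B},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]
ROLE_B_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}

def kms_read_ok(key_statements):
    ctx = {"kms:ViaService": "s3.us-east-1.amazonaws.com"}  # S3 decrypting on the caller's behalf
    return is_allowed({"Statement": key_statements}, A, ROLE_B_POLICY, ROLE_B,
                      "kms:Decrypt", KEY, ctx)

# 2. Least privilege for listing: ListBucket is scoped by the s3:prefix condition key,
#    GetObject by the object ARN pattern. Neither statement alone covers both calls.
BUCKET = "arn:aws:s3:::customer-data"
READER = f"arn:aws:iam::{A}:role/export-reader"
PREFIX_SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:prefix": "exports/acme/"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/exports/acme/*"}]}

def prefix_scoped_access(list_prefix, object_key):
    can_list = is_allowed(None, A, PREFIX_SCOPED, READER, "s3:ListBucket", BUCKET,
                          {"s3:prefix": list_prefix})
    can_get = is_allowed(None, A, PREFIX_SCOPED, READER, "s3:GetObject", BUCKET + "/" + object_key)
    return can_list, can_get

# 3. Bucket-side enforcement independent of client code: deny plaintext transport and
#    deny uploads that do not ask for SSE-KMS.
REPORTS = "arn:aws:s3:::reports-bucket"
ENFORCING = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [REPORTS, REPORTS + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": REPORTS + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
UPLOADER = f"arn:aws:iam::{A}:role/uploader"
UPLOADER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": REPORTS + "/*"}]}

def upload_allowed(https, sse_header):
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return is_allowed(ENFORCING, A, UPLOADER_POLICY, UPLOADER, "s3:PutObject", REPORTS + "/q1.csv", ctx)
```

Three caveats a practitioner should carry into the real policies: a bucket policy can never grant KMS permissions, so the key policy (together with the caller's IAM policy) is the only place the cross-account fix can live, and for uploads S3 also calls kms:GenerateDataKey, which must be granted alongside kms:Decrypt; the `kms:ViaService` condition keeps the grant usable only through S3 rather than for direct KMS calls; and because a missing key satisfies StringNotEquals, the encryption Deny rejects any PutObject that omits the `x-amz-server-side-encryption` header, even on a bucket whose default encryption would have encrypted the object anyway, so clients must send the header explicitly.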
Current IAM policy attached to arn:aws:iam::123456789012:role/AppProvisioner:
- iam:CreateRole
- iam:AttachRolePolicy
- iam:PutRolePolicy
- iam:PassRole
Observed issue: Developers created arn:aws:iam::123456789012:role/BatchJobRole and attached broad S3 and KMS permissions.
Audit note: "Need delegated role creation with a hard upper bound on permissions."
A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions.
Which solution best meets these requirements?
A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs.
Which change is the best fix while meeting the security requirements?
CloudTrail event summary:
- eventSource: kms.amazonaws.com
- eventName: Decrypt
- errorCode: AccessDeniedException
- userIdentity: arn:aws:sts::444455556666:assumed-role/PartnerUploadRole/partner-app
- requestParameters.keyId: arn:aws:kms:us-east-1:111122223333:key/6b2f-9a7c
Current CMK key policy excerpt in account 111122223333:
{
"Sid": "EnableRootPermissionsOnly",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111122223333:root" },
"Action": "kms:*",
"Resource": "*"
}
Current trust policy in Account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::444455556666:root"},
"Action": "sts:AssumeRole"
}
]
}
CloudTrail entry from Account A:
{
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"userIdentity": {
"type": "AssumedRole",
"arn": "arn:aws:sts::444455556666:assumed-role/OtherRole/automation"
},
"errorCode": "AccessDenied"
}
CloudTrail event for a newly created role:
{
"eventSource": "iam.amazonaws.com",
"eventName": "CreateRole",
"requestParameters": {
"roleName": "AppDeployRole",
"permissionsBoundary": null,
"assumeRolePolicyDocument": "..."
},
"userIdentity": {
"arn": "arn:aws:sts::111122223333:assumed-role/AutomationRole/ci-run-9841"
}
}
Current guardrails:
- Developers can call iam:CreateRole
- The automation tool sometimes omits the permissions boundary field
- The organization uses AWS Organizations with multiple member accounts
S3 bucket policy in Account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::222233334444:role/AppReadRole"},
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::finance-archive/*"
}
]
}
KMS key policy for key arn:aws:kms:us-east-1:111122223333:key/abcd-1111:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": "kms:*",
"Resource": "*"
}
]
}
Application IAM policy in Account B:
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::finance-archive/*"
}
VPC configuration:
- Subnet-Private-A route table: local 10.0.0.0/16 only
- Subnet-Private-B route table: local 10.0.0.0/16 only
- No 0.0.0.0/0 route to an Internet Gateway or NAT Gateway
Existing endpoints:
- com.amazonaws.us-east-1.s3 (Gateway endpoint)
Application log:
ERROR: Unable to retrieve secret arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/db
ERROR: connect timeout to secretsmanager.us-east-1.amazonaws.com
ERROR: KMS Decrypt access not completed
Current S3 bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::reports-private/*"
}
]
}
CloudFront distribution:
- Origin: s3://reports-private
- Viewer protocol policy: Redirect HTTP to HTTPS
- No origin access identity or origin access control configured
Security requirement:
- Clients must use CloudFront signed URLs or signed cookies
- S3 object URLs must not be directly accessible
Current audit configuration:
- AWS Config recorder is enabled in one account only
- CloudTrail trail captures management events in us-east-1 only
- No EventBridge rules or SNS alerts are configured
Recent activity:
{
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketPolicy",
"errorCode": "AccessDenied",
"userIdentity": {"arn": "arn:aws:iam::999900001111:user/temp-admin"}
}
{
"eventSource": "kms.amazonaws.com",
"eventName": "PutKeyPolicy",
"errorCode": null,
"userIdentity": {"arn": "arn:aws:iam::999900001111:role/SecurityOps"}
}
CloudFront access log excerpt:
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 112ms
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 109ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 111ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 108ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 110ms
Security requirement:
- Automatically mitigate high-rate requests from a single source IP
- Keep the protection at the edge
Shared role policy in Account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject", "kms:Decrypt"],
"Resource": [
"arn:aws:s3:::artifact-bucket/*",
"arn:aws:kms:us-east-1:111122223333:key/KEY-AAAA"
]
}
]
}
AssumeRole call from the pipeline:
- Role ARN: arn:aws:iam::111122223333:role/SharedDeployRole
- Session name: build-7412
- No session policy currently supplied
Route table for private subnet:
Destination Target
10.0.0.0/16 local
pl-68a54001 vpce-s3-gateway
S3 bucket policy draft:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyRequestsNotFromEndpoint",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
"Condition": {
"StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
}
}
]
}
Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change
{
"role_arn": "arn:aws:iam::111122223333:role/InboundExportRole",
"trust_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::222233334444:root"},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {"sts:ExternalId": "acctB-export-91"}
}
}
]
},
"cloudtrail_event": {
"eventName": "AssumeRole",
"userIdentity": "arn:aws:iam::222233334444:role/BatchRunner",
"errorCode": "AccessDenied",
"errorMessage": "Not authorized to perform sts:AssumeRole on resource arn:aws:iam::111122223333:role/InboundExportRole"
}
}
{
"bucket": "arn:aws:s3:::secure-reports-prod",
"object_encryption": "SSE-KMS",
"role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::secure-reports-prod/*"
},
{
"Effect": "Allow",
"Action": ["kms:Decrypt", "kms:GenerateDataKey"],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234"
}
]
},
"cloudtrail_event": {
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"errorCode": "AccessDenied",
"errorMessage": "The key policy does not allow this principal to use the specified KMS key"
},
"key_policy_summary": "Only the account root principal is allowed; no application roles are listed"
}
{
"subnet_route_table": [
{"destination": "10.0.0.0/16", "target": "local"},
{"destination": "0.0.0.0/0", "target": "-"}
],
"dns_test": {
"command": "nslookup secretsmanager.us-east-1.amazonaws.com",
"result": "Name: secretsmanager.us-east-1.amazonaws.com\nAddress: 54.239.28.82"
},
"application_log": [
"2026-04-18T12:10:04Z ERROR GetSecretValue timed out after 3000 ms",
"2026-04-18T12:10:04Z INFO calling https://secretsmanager.us-east-1.amazonaws.com"
]
}
{
"current_state": {
"bucket_public_access_block": true,
"bucket_policy": "Allows s3:GetObject to Principal * for debugging",
"cloudfront_distribution": "d123example.cloudfront.net",
"direct_s3_test": "https://secure-pdfs-prod.s3.us-east-1.amazonaws.com/manuals/q4.pdf returns 200"
}
}
{
"cloudtrail_samples": [
{
"account": "111122223333",
"eventName": "PutBucketPolicy",
"eventSource": "s3.amazonaws.com",
"errorCode": null
},
{
"account": "444455556666",
"eventName": "PutKeyPolicy",
"eventSource": "kms.amazonaws.com",
"errorCode": "AccessDenied"
}
],
"current_controls": {
"member_accounts": 12,
"central_security_account": true,
"cloudwatch_logs": "not enabled for CloudTrail",
"eventbridge_rules": "none"
}
}
{
"current_state": {
"approved_boundary": "arn:aws:iam::111122223333:policy/ApprovedAppBoundary",
"developer_role_policy": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
"incident": "A new role was created without a permissions boundary and attached an overly permissive policy"
},
"desired_state": "All future roles must be created with ApprovedAppBoundary"
}
{
"cloudfront_log_sample": [
"2026-04-27T09:14:01Z c-ip=203.0.113.44 uri=/api/search 1",
"2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1",
"2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1"
],
"origin_metrics": {
"5xxErrorRate": "spiking",
"ALBRequestCount": "high",
"single_source_ip_percentage": "82%"
},
"waf_status": "No Web ACL associated with the CloudFront distribution"
}
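Both CloudFront log excerpts in this bank (the /api/orders burst from 203.0.113.24 and the /api/search burst from 203.0.113.44, with no Web ACL on the distribution) call for an AWS WAF rate-based rule at the edge. The block below is an added example, not part of the question bank and not AWS code: it replays constructed CloudFront-style log lines through a per-IP sliding window and emits the ALLOW/BLOCK decision a rate-based rule with action BLOCK would take once an address exceeds the limit. The 100-requests-per-5-minutes threshold, the window length, the IP addresses and the log lines are all constructed assumptions.

```python
# Added example, not from the question bank: a per-IP sliding-window rate rule replayed
# over constructed CloudFront-style log lines. Limit, window, IPs and lines are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

def parse_line(line):
    """'<iso-ts> <client-ip> <method> <uri> <status> <latency>' -> (ts, ip, uri)."""
    ts, ip, method, uri, status, latency = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, uri

def rate_limit_decisions(lines, limit=100, window_seconds=300):
    """Replay requests in time order. An IP is blocked for each request that arrives
    while it has more than `limit` requests inside the trailing window.
    Returns (decisions, blocked_ips); decisions is a list of (ip, uri, 'ALLOW'|'BLOCK')."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)        # ip -> timestamps still inside the window
    decisions, blocked = [], set()
    for ts, ip, uri in sorted(parse_line(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop requests that aged out of the window
        if len(q) > limit:
            blocked.add(ip)
            decisions.append((ip, uri, "BLOCK"))
        else:
            decisions.append((ip, uri, "ALLOW"))
    return decisions, blocked

def constructed_log(n_burst=150, burst_ip="203.0.113.24", other_ip="198.51.100.7"):
    """Constructed sample: one abusive client hammering /api/orders, one normal client."""
    base = datetime(2026, 4, 27, 10, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(n_burst):           # abusive client: n_burst hits in about 60 seconds
        t = base + timedelta(milliseconds=400 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {burst_ip} GET /api/orders 200 110ms")
    for i in range(5):                  # ordinary client: 5 hits across the same minute
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {other_ip} GET /api/orders 200 105ms")
    return lines

if __name__ == "__main__":
    decisions, blocked = rate_limit_decisions(constructed_log())
    print("blocked IPs:", blocked, "blocked requests:",
          sum(1 for _, _, a in decisions if a == "BLOCK"))
```

Two differences from the simulation matter when you deploy the real rule: a Web ACL that protects a CloudFront distribution must be created in the CLOUDFRONT scope (the global scope, managed from us-east-1), and an ACL associated only with the ALB behind the distribution does not see requests at the edge; and AWS WAF updates its rate counts periodically rather than on every request, so a short overshoot past the limit before blocking starts is expected.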