© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SCS-C02 Management and Security Governance • Complete Question Bank

SCS-C02 Management and Security Governance — All Questions With Answers

Complete SCS-C02 Management and Security Governance question bank — all 0 questions with answers and detailed explanations.

262 questions. Free, no signup.
Question 1 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

Question 2 (easy, multiple choice)

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

Question 3 (hard, multiple choice)

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

Question 4 (medium, multiple choice)

A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

Question 5 (easy, multiple choice)

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

Question 6 (hard, multiple choice)

A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created without MFA. Which SCP should be applied at the root OU?

Question 7 (medium, multiple choice)

A security engineer needs to ensure that all EC2 instances launched in a development account are tagged with a cost center. What is the most effective way to enforce this?

Question 8 (easy, multiple choice)

A company wants to centrally manage access keys for IAM users. Which AWS service can generate and rotate access keys automatically?

Question 9 (medium, multi select)

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

Question 10 (hard, multi select)

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

Question 11 (medium, multi select)

A security engineer is designing a solution to protect sensitive data in S3. Which THREE mechanisms can be used to enforce encryption at rest?

Question 12 (hard, multiple choice)

Refer to the exhibit. A security engineer applies this bucket policy to an S3 bucket. A user without HTTPS tries to download an object. What is the outcome?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 13 (medium, multiple choice)

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

Exhibit:

$ aws iam list-attached-role-policies --role-name MyRole
{
  "AttachedPolicies": [
    {
      "PolicyName": "AmazonS3ReadOnlyAccess",
      "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    },
    {
      "PolicyName": "MyCustomPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyCustomPolicy"
    }
  ]
}
Question 14 (hard, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

Question 15 (medium, multiple choice)

A company uses AWS Organizations with a single management account and multiple member accounts. The security team needs to ensure that all member accounts automatically deploy AWS Config rules to audit security group configurations. Which solution meets this requirement with minimal operational overhead?

Question 16 (hard, multiple choice)

A security engineer is designing a solution to monitor and remediate non-compliant resources across multiple AWS accounts. The company uses AWS Organizations and wants to enforce that any S3 bucket with public read access is automatically remediated. The solution must be centralized and scalable. Which approach should the engineer take?

Question 17 (easy, multiple choice)

A startup uses a single AWS account for development. The developer has full administrative access and accidentally deleted an S3 bucket containing critical data. The security team wants to prevent similar incidents without hindering agility. What is the MOST effective control?

Question 18 (medium, multiple choice)

A company has multiple AWS accounts managed through AWS Organizations. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI). Which governance control should be implemented?

Question 19 (easy, multiple choice)

A company wants to use AWS CloudFormation to manage infrastructure. The security team requires that all templates are scanned for security vulnerabilities before deployment. Which service should be integrated into the pipeline?

Question 20 (hard, multiple choice)

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

Question 21 (easy, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. Which configuration should be used?

Question 22 (medium, multi select)

A security engineer is designing a governance framework for a multi-account AWS environment. The framework must enforce the principle of least privilege for cross-account access. Which TWO strategies should be implemented?

Question 23 (hard, multi select)

A company's security team is implementing controls to meet PCI DSS compliance. The environment includes Amazon EC2, RDS, and S3. Which THREE controls should be implemented to address logging and monitoring requirements?

Question 24 (hard, multiple choice)

A security engineer attaches the SCP shown in the exhibit to an OU containing development accounts. The engineer expects that only t3.micro instances can be launched, but developers report that they cannot launch any EC2 instances. What is the MOST likely reason?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t3.micro"
        }
      }
    }
  ]
}
Question 25 (medium, multiple choice)

A security engineer reviews the CloudTrail event shown in the exhibit. Which action should the engineer take FIRST to mitigate a potential security issue?

Exhibit:

[CloudTrail event snippet]
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "arn": "arn:aws:iam::123456789012:root",
    "accountId": "123456789012"
  },
  "eventTime": "2024-03-15T12:34:56Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "[S3Console/1.0]",
  "requestParameters": {
    "bucketName": "my-critical-bucket",
    "bucketPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my-critical-bucket/*"
        }
      ]
    }
  },
  "responseElements": null
}
Question 26 (hard, multiple choice)

A global e-commerce company operates in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company uses AWS Organizations with 50 member accounts grouped by business unit. The security team recently discovered that several S3 buckets containing customer data were accidentally made public due to misconfigured bucket policies. The team wants to implement a preventive control that blocks any S3 bucket from becoming public across all accounts, while still allowing authorized cross-account access. The solution must be centrally managed and not require changes to existing IAM policies. Additionally, the team needs to be notified immediately when a public bucket is attempted. Which solution meets all requirements?

Question 27 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts and wants to ensure that all newly created S3 buckets have encryption enabled. The Security team needs a solution that automatically remediates non-compliant buckets without manual intervention. What should they do?

Question 28 (hard, multiple choice)

A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?

Question 29 (medium, multi select)

Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)

Question 30 (hard, multiple choice)

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

Exhibit:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": ["t2.micro", "t2.small"]
                }
            }
        }
    ]
}
Question 31 (easy, multiple choice)

A company has a three-tier web application running on AWS. The application consists of an Application Load Balancer (ALB), an EC2 Auto Scaling group for web servers, and an RDS MySQL database. The Security team recently discovered that the database is publicly accessible from the internet. They need to remediate this immediately while minimizing downtime. The database is critical for the application, and the application must remain available. The team has identified that the database security group currently allows inbound traffic from 0.0.0.0/0 on port 3306. The web servers are in a security group named 'web-sg'. The database security group is named 'db-sg'. The team wants to restrict access to only the ALB and the web servers. Which action should the team take to resolve the issue with the least downtime?

Question 32 (easy, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the organization have multi-factor authentication (MFA) enabled. Which combination of actions should be taken to enforce this requirement?

Question 33 (medium, multi select)

A security engineer is designing a governance framework for a multi-account AWS environment. The engineer needs to ensure that all accounts comply with the principle of least privilege for IAM roles and that any non-compliant resources are automatically reported. Which two AWS services should the engineer use together to achieve this? (Choose TWO.)

Question 34 (hard, multiple choice)

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

Exhibit (a policy attached to an S3 bucket):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 35 (medium, drag order)

Drag and drop the steps to configure Amazon GuardDuty for multi-account security in the correct order.

Question 36 (medium, drag order)

Drag and drop the steps to set up a secure S3 bucket with encryption and access control in the correct order.

Question 37 (medium, matching)

Match each AWS security control to its category.

Descriptions (match each to an AWS security control):

Stateful firewall at instance level

Stateless firewall at subnet level

Centralized management of firewall rules

Managed firewall for VPCs

Question 38 (medium, matching)

Match each AWS VPC flow log type to its description.

Descriptions (match each to a VPC flow log type):

Capture IP traffic for a VPC

Capture IP traffic for a subnet

Capture IP traffic for a network interface

Capture IP traffic for a transit gateway

Question 39 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce that all S3 buckets across the organization have block public access enabled. Which policy should be used?

Question 40 (hard, multiple choice)

A security engineer notices that an IAM role in the production account is being assumed by a user from another AWS account, which violates the principle of least privilege. The role's trust policy allows the root user of the external account. What is the MOST secure way to restrict access to only a specific user in the external account?

Question 41 (easy, multiple choice)

A company wants to automatically detect and remediate S3 buckets that are publicly accessible. Which AWS service can be used to evaluate bucket policies against a defined rule and trigger an automated response?

Question 42 (medium, multiple choice)

A company uses AWS Organizations with all features enabled. The security team wants to ensure that no IAM users are created in any account. Which approach should be used?

Question 43 (hard, multiple choice)

A company's security team needs to enforce encryption at rest for all RDS instances in the production account. They have enabled mandatory encryption using a service control policy. What else must be done to ensure existing unencrypted RDS instances are encrypted?

Question 44 (easy, multiple choice)

A company needs to audit all changes to IAM policies in their AWS account for compliance. Which AWS service should be enabled to record the API calls that modify IAM policies?

Question 45 (medium, multiple choice)

A security engineer notices that an S3 bucket contains objects that are accessible to authenticated users from other AWS accounts. The bucket policy allows access to the 'aws:SourceArn' condition that references an Amazon Resource Name (ARN) from another account. What is the MOST effective way to restrict access to only users from the company's own account?

Question 46 (hard, multiple choice)

A company's security team is implementing a data classification policy for S3 objects using S3 Object Tags. They need to ensure that any object uploaded without the required 'classification' tag is automatically denied. Which S3 bucket policy condition should be used?

Question 47 (easy, multiple choice)

A company wants to centrally manage and enforce backup policies for all EC2 instances across multiple AWS accounts. Which AWS service should be used?

Question 48 (medium, multi select)

A company uses AWS Organizations and wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail log files from S3. Which TWO actions should the security team take? (Choose TWO.)

Question 49 (hard, multi select)

A security team needs to ensure that all IAM users in a production account use multi-factor authentication (MFA) before accessing the AWS Management Console. Which THREE steps should be taken? (Choose THREE.)

Question 50 (medium, multi select)

A company uses AWS KMS to encrypt sensitive data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which TWO actions should be taken? (Choose TWO.)

Question 51 (hard, multiple choice)

An IAM policy is used to grant access to an S3 bucket. The policy condition requires that objects be retrieved using AES256 encryption. However, users can still download objects without specifying encryption. What is the MOST likely reason?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 52 (medium, multiple choice)

A security engineer is reviewing the CloudTrail configuration for a trail named 'management-trail'. The engineer needs to ensure that all S3 object-level operations in the bucket 'my-bucket' are logged. What is the issue with the current configuration?

Exhibit:

$ aws cloudtrail get-event-selectors --trail-name management-trail
{
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3:::my-bucket/logs/"]
        }
      ]
    }
  ]
}
Question 53 (easy, multiple choice)

An S3 bucket policy is created as shown. What is the effect of this policy?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 54 (medium, multiple choice)

A security engineer notices that an IAM user has permissions that exceed their job requirements. The engineer wants to implement the principle of least privilege. Which IAM feature should be used to grant only the necessary permissions?

Question 55 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable a specific security service, such as AWS Config, across all accounts. Which approach should be used?

Question 56 (easy, multiple choice)

A developer has created an S3 bucket policy that grants public read access. The security team wants to prevent any S3 bucket from becoming public. Which AWS service can enforce this restriction across all accounts?

Question 57 (medium, multiple choice)

A company wants to centrally manage IAM users and allow them to access multiple AWS accounts using a single set of credentials. Which AWS service should be used?

Question 58 (hard, multiple choice)

A security team needs to enforce that all EC2 instances launched in a specific AWS account use only approved AMIs. Which combination of services can enforce this requirement?

Question 59 (easy, multiple choice)

A company wants to automate the enforcement of security best practices across all AWS accounts. Which AWS service provides pre-built rules for security compliance?

Question 60 (medium, multiple choice)

A security engineer discovers that an IAM user has a policy that allows them to delete any S3 bucket in the account. The engineer wants to audit all delete actions performed by this user. Which AWS service should be used?

Question 61 (hard, multiple choice)

A company uses AWS Organizations and wants to restrict the use of specific AWS services in member accounts. For example, they want to block the use of Amazon Redshift. Which policy type should be used?

Question 62 (easy, multiple choice)

A security engineer needs to automatically detect and respond to unauthorized API calls in an AWS account. Which two services should be used together?

Question 63 (medium, multi select)

Which TWO actions can be taken to enforce the principle of least privilege for IAM users in an AWS account? (Choose two.)

Question 64 (hard, multi select)

Which THREE are benefits of using AWS CloudTrail for security governance? (Choose three.)

Question 65 (easy, multi select)

Which TWO are valid methods to centrally manage multiple AWS accounts? (Choose two.)

Question 66 (medium, multiple choice)

A company requires that all IAM users in the Security team must use multi-factor authentication (MFA) to access the AWS Management Console. The company has enabled MFA for all users, but the Security team administrator reports that some users can still sign in without MFA. Which action should the administrator take to enforce MFA for all sign-ins?

Question 67 (easy, multiple choice)

A developer needs to grant an IAM user read-only access to an S3 bucket containing sensitive data. The bucket is encrypted with an AWS KMS customer managed key. Which set of permissions must be included in the IAM policy?

Question 68 (hard, multiple choice)

A company's Security team is using AWS Organizations with a consolidated billing account. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. Which combination of actions should the security team take? (Choose the best answer.)

Question 69 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally manage IAM policies across all accounts. Which AWS feature should the team use to enforce permissions across member accounts?

Question 70 (easy, multiple choice)

A security engineer needs to grant an EC2 instance access to an S3 bucket without storing long-term credentials on the instance. Which approach should the engineer use?

Question 71 (hard, multiple choice)

A company is using AWS Organizations with SCPs. The management account has an SCP that denies access to all EC2 actions. A developer in a member account tries to launch an EC2 instance but receives an authorization error. The developer has an IAM policy that allows ec2:RunInstances. What is the most likely cause of the error?

Question 72 (medium, multiple choice)

A company wants to ensure that IAM users with console access have strong passwords. Which IAM password policy setting should the company configure to enforce the use of at least one uppercase letter?

Question 73 (easy, multiple choice)

A security engineer needs to audit all API calls made in an AWS account for the past 90 days. Which AWS service should the engineer use?

Question 74 (hard, multiple choice)

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys can only be used by specific IAM roles and that key usage is logged. Which combination of actions should the team take? (Choose the best answer.)

Question 75 (medium, multi select)

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Question 76 (hard, multi select)

Which THREE measures should a security team implement to detect and respond to potential security incidents in an AWS environment? (Select THREE.)

Question 77 (easy, multi select)

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple AWS accounts? (Select TWO.)

Question 78 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization block public access. Which policy should be attached to the root organizational unit to achieve this?

Question 79 (hard, multiple choice)

A security engineer notices that an IAM user has been performing suspicious actions in an AWS account. The engineer needs to generate a credential report to identify the age of the user's access keys. Which AWS CLI command should the engineer run?

Question 80 (easy, multiple choice)

A company wants to centrally manage and enforce security policies across all accounts in AWS Organizations. Which AWS service should be used to define and apply guardrails?

Question 81 (medium, multiple choice)

A security engineer is designing a solution to automatically remediate non-compliant resources in an AWS account. The engineer needs to trigger an AWS Lambda function when an EC2 instance is launched without the required tags. Which AWS service should be used to detect the non-compliant resource and invoke the Lambda function?

Question 82 (hard, multiple choice)

An organization has a requirement to retain all AWS CloudTrail logs for at least 7 years for compliance. Currently, logs are stored in an S3 bucket with default settings. What is the MOST cost-effective way to meet the retention requirement?

Question 83 (easy, multiple choice)

A company's security team wants to receive alerts when an IAM user creates a new access key. Which AWS service can be used to monitor and notify on this specific API call?

Question 84 (medium, multiple choice)

A security engineer is designing a cross-account access policy. The engineer has an S3 bucket in Account A and wants to grant read access to a user in Account B. Which combination of policies is required?

Question 85 (hard, multiple choice)

An organization uses AWS Organizations and wants to restrict the use of specific EC2 instance types across all member accounts. Which policy type should be used to enforce this restriction?

Question 86 (easy, multiple choice)

A company wants to log all API calls made in their AWS account for auditing. Which AWS service should be enabled to capture these logs?

Question 87 (medium, multi select)

A security engineer is reviewing the following IAM policy attached to a role. Which TWO actions are allowed by this policy? (Choose two.)

Question 88 (hard, multi select)

A company is implementing AWS Organizations with multiple accounts. Which THREE are benefits of using service control policies (SCPs)? (Choose three.)

Question 89 (easy, multi select)

Which TWO AWS services can be used to detect and alert on suspicious API activity in real-time? (Choose two.)

Question 90 (medium, multiple choice)

Refer to the exhibit. A security engineer attaches this S3 bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 91 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the get-trail-status command for a CloudTrail trail. The engineer notices that LatestCloudWatchLogsDeliveryTime is null. What does this indicate?

Exhibit

```
$ aws cloudtrail get-trail-status --name my-trail
{
    "IsLogging": true,
    "LatestDeliveryTime": 1630000000.0,
    "LatestNotificationTime": 1630000000.0,
    "StartLoggingTime": 1620000000.0,
    "StopLoggingTime": null,
    "LatestCloudWatchLogsDeliveryTime": null,
    "LatestDigestDeliveryTime": 1630000000.0,
    "LatestDeliveryAttemptTime": "2021-08-26T12:00:00Z",
    "LatestNotificationAttemptTime": "2021-08-26T12:00:00Z",
    "LatestNotificationAttemptSucceeded": "SUCCEEDED",
    "LatestDeliveryAttemptSucceeded": "SUCCEEDED",
    "TimeLoggingStarted": "2021-08-26T12:00:00Z",
    "TimeLoggingStopped": null
}
```
Question 92 (medium, multiple choice)

Refer to the exhibit. A security engineer creates this IAM policy for a user. Which action can the user perform?

Exhibit


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/analyst"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
Question 93 (medium, multiple choice)

A company wants to enforce that all IAM users in an AWS account must have multi-factor authentication (MFA) enabled. Which AWS service can be used to automatically detect and remediate non-compliant users?

Question 94 (easy, multiple choice)

A security engineer needs to centrally manage and enforce security policies across multiple AWS accounts in an organization. Which AWS service should they use?

Question 95 (hard, multiple choice)

A company's security team discovers that an IAM role has been assumed from an unexpected external AWS account. Which AWS service can be used to analyze the trust policy and identify unintended access?

Question 96 (medium, multiple choice)

A company wants to automatically detect and notify about any S3 buckets that have public read access. Which combination of services should be used?

Question 97 (hard, multiple choice)

A security engineer needs to ensure that all new IAM users are created with a strong password policy enforced. Which action should be taken?

Question 98 (easy, multiple choice)

A security team wants to audit all changes to IAM policies in the AWS account. Which AWS service should be used to track these changes?

Question 99 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable Amazon GuardDuty. Which SCP should be applied?

Question 100 (hard, multiple choice)

A security engineer notices that an S3 bucket policy allows access to a principal from another AWS account. Which AWS feature can be used to check if this external access is intended?

Question 101 (easy, multiple choice)

A company wants to run a security assessment that checks for vulnerabilities in an EC2 instance. Which AWS service should be used?

Question 102 (medium, multi select)

Which TWO actions should a security engineer take to ensure that an S3 bucket is not publicly accessible? (Choose two.)

Question 103 (medium, multi select)

Which THREE AWS services can be used to detect and alert on suspicious API activity in an AWS account? (Choose three.)

Question 104 (hard, multi select)

Which TWO AWS services can be used to enforce that specific resource types (e.g., EC2 instances) are tagged with a 'CostCenter' tag? (Choose two.)

Question 105 (medium, multiple choice)

A company wants to enforce that all IAM users in its AWS account use multi-factor authentication (MFA) for console login. Which action should be taken to ensure compliance?

Question 106 (easy, multiple choice)

A security engineer needs to ensure that an Amazon S3 bucket is not publicly accessible. Which AWS service can be used to continuously monitor and alert if the bucket becomes public?

Question 107 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to prevent members of the 'Developers' group from modifying IAM roles in any account. What is the most effective way to enforce this restriction?

Question 108 (medium, multiple choice)

A company requires that all Amazon EC2 instances be launched only with an approved Amazon Machine Image (AMI) that has been hardened by the security team. Which AWS service should be used to enforce this requirement?

Question 109 (easy, multiple choice)

A security engineer needs to automate the response to an AWS CloudTrail log event that indicates a potential security threat. Which AWS service would be most appropriate to orchestrate the automated response?

Question 110 (hard, multiple choice)

A company has an AWS account with a single VPC and multiple subnets. The security team wants to ensure that no network ACL (NACL) allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS service can be used to detect and alert on such non-compliant NACLs?

Question 111 (medium, multiple choice)

A company needs to audit all changes to IAM policies in its AWS account. Which AWS service should be used to record the change history of IAM policies?

Question 112 (easy, multiple choice)

A security engineer needs to generate a report of all AWS Identity and Access Management (IAM) users who have not used their access keys in the last 90 days. Which AWS service can provide this information?

Question 113 (medium, multiple choice)

A company uses AWS Organizations and wants to restrict the AWS Regions in which resources can be created across all member accounts. Which mechanism should be used?

Question 114 (medium, multi select)

A security engineer needs to implement a solution to detect and alert on suspicious API calls in an AWS account. Which TWO AWS services should be integrated to achieve this? (Choose two.)

Question 115 (hard, multi select)

A company wants to centrally manage and enforce security policies across multiple AWS accounts using AWS Organizations. Which THREE actions should be taken? (Choose three.)

Question 116 (easy, multi select)

A company needs to ensure that its S3 buckets are not publicly accessible. Which TWO AWS services can be used to detect and report on public S3 buckets? (Choose two.)

Question 117 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all newly created accounts automatically have AWS CloudTrail enabled, with logs delivered to a centralized S3 bucket. Which solution meets these requirements with the least operational overhead?

Question 118 (easy, multiple choice)

A security engineer needs to audit all IAM role creations across an AWS account. Which AWS service should be used to log these API calls?

Question 119 (hard, multiple choice)

A company has a requirement that all access keys for IAM users must be rotated every 90 days. A security engineer needs to implement an automated solution to identify and disable keys that are older than 90 days. Which approach meets the requirement with the least operational overhead?

Question 120 (medium, multiple choice)

An IAM policy is attached to a user. The user reports that they cannot list objects in the bucket 'example-bucket' from their home office IP address 203.0.113.50. What is the most likely cause?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    }
  ]
}
Question 121 (easy, multiple choice)

A company wants to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. The bucket policy in Account A allows access from Account B. What additional configuration is required?

Question 122 (hard, multiple choice)

A security engineer notices that CloudTrail logs are not being delivered to the S3 bucket for the past 2 hours. The output of 'get-trail-status' is shown. What is the most likely cause?

Exhibit

```
$ aws cloudtrail get-trail-status --name management-trail
{
    "IsLogging": true,
    "LatestDeliveryTime": 1625097600.0,
    "LatestNotificationTime": 1625097600.0,
    "StartLoggingTime": 1625000000.0,
    "StopLoggingTime": null,
    "LatestCloudWatchLogsDeliveryTime": 1625097600.0,
    "LatestDigestDeliveryTime": 1625097600.0,
    "LatestDeliveryAttemptTime": "2021-07-01T00:00:00Z",
    "LatestNotificationAttemptTime": "2021-07-01T00:00:00Z",
    "LatestDeliveryAttemptSucceeded": "2021-07-01T00:00:00Z",
    "LatestNotificationAttemptSucceeded": "2021-07-01T00:00:00Z",
    "TimeLoggingStarted": "2021-06-30T00:00:00Z",
    "TimeLoggingStopped": null
}
```
Question 123 (easy, multiple choice)

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which AWS service can be used to enforce this requirement?

Question 124 (medium, multiple choice)

A security team needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. The solution must be scalable and support future account additions. Which approach meets these requirements?

Question 125 (hard, multiple choice)

This SCP is attached to an organizational unit (OU). A developer in an account within the OU tries to launch a t2.small instance. What is the outcome?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
Question 126 (medium, multi select)

A security engineer is designing a data encryption strategy for an S3 bucket that contains sensitive information. Which TWO of the following are valid options for enforcing encryption at rest?

Question 127 (hard, multi select)

A company has a security requirement that any Amazon RDS database must be encrypted at rest. Which TWO actions should be taken to enforce this requirement?

Question 128 (easy, multi select)

A security engineer needs to grant a user read-only access to an S3 bucket. Which THREE of the following are required in the IAM policy?

Question 129 (hard, multiple choice)

A company uses AWS Organizations to manage 50 accounts. The security team has enabled AWS CloudTrail in the management account with an organization trail that delivers logs to a central S3 bucket. The bucket policy grants necessary permissions to CloudTrail. Recently, the security team noticed that logs from two member accounts stopped appearing in the bucket. Other accounts continue to deliver logs correctly. The CloudTrail status in the management account shows that the trail is logging and deliveries are succeeding. The security team checked the CloudTrail configuration in the affected member accounts and found that they do not have any trails configured. The IAM roles used for CloudTrail in the management account have sufficient permissions. What is the most likely cause of the missing logs?

Question 130 (medium, multiple choice)

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all users use MFA for API calls. An IAM policy is created that denies all actions unless MFA is present. The policy is attached to all users. However, users report that they can still make API calls without MFA. The security team reviews the policy and confirms it is correct. What is the most likely reason the policy is not being enforced?

Question 131 (easy, multiple choice)

A company has an AWS account with multiple S3 buckets that contain sensitive data. The security team wants to ensure that no public access is granted to any bucket. The team has enabled AWS Config and set up a rule to detect public buckets. The rule reports that all buckets are compliant. However, during a security review, a team member finds that one bucket has a bucket policy that grants 's3:GetObject' to 'Principal': '*'. Why did the AWS Config rule not detect this?

Question 132 (medium, multiple choice)

A security engineer is auditing an S3 bucket policy that allows cross-account access. The engineer wants to ensure that only encrypted connections are permitted. Which condition should be added to the policy?

Question 133 (hard, multiple choice)

A company uses AWS Organizations with all features enabled. The security team needs to ensure that no member account can disable AWS CloudTrail logging or delete CloudTrail logs stored in S3. Which combination of preventive controls should be implemented?

Question 134 (easy, multiple choice)

A security engineer is designing a system to centrally manage IAM users and roles across multiple AWS accounts. The company uses AWS Organizations. Which AWS service should be used to manage permissions across accounts?

Question 135 (medium, multiple choice)

A company has a requirement to automatically rotate secrets for an RDS database every 90 days. The secrets are stored in AWS Secrets Manager. Which resource should be configured to perform the rotation?

Question 136 (hard, multi select)

A security engineer is designing a logging solution for a multi-account environment using AWS Organizations. The solution must meet the following requirements:

- Logs from all accounts must be centrally stored and immutable.
- Only the security team should be able to delete logs.
- Logs must be encrypted at rest.

Which TWO steps should the engineer take to meet these requirements? (Choose TWO.)

Question 137 (medium, multi select)

A security engineer is implementing a data classification policy for an S3 bucket that contains sensitive customer data. The policy requires that all objects be encrypted at rest using AWS KMS and that any attempt to upload an unencrypted object be denied. Which THREE steps should the engineer take to enforce this policy? (Choose THREE.)

Question 138 (easy, multi select)

A company is using AWS Organizations and wants to restrict the use of specific AWS services in member accounts. Which TWO approaches can be used to enforce these restrictions? (Choose TWO.)

Question 139 (medium, multi select)

A security engineer needs to ensure that all API calls in an AWS account are logged and that the logs are encrypted at rest and retained for at least 7 years. Which THREE steps should the engineer take? (Choose THREE.)

Question 140 (medium, multiple choice)

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to read objects from an S3 bucket only from the office IP range 192.0.2.0/24. However, the user reports that they can access objects from any IP address. What is the most likely reason?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
Question 141 (hard, multiple choice)

A security engineer runs the CloudTrail lookup command shown in the exhibit to investigate a change to the S3 bucket policy. The command returns only one event, but the engineer knows that the bucket policy was changed multiple times. What is the most likely reason?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName --max-results 1
{
    "Events": [
        {
            "EventId": "example-event-id",
            "EventName": "PutBucketPolicy",
            "ReadOnly": false,
            "Username": "admin",
            "EventTime": "2023-04-01T12:00:00Z",
            "Resources": [
                {
                    "ResourceName": "my-bucket",
                    "ResourceType": "AWS::S3::Bucket"
                }
            ]
        }
    ]
}
```
Question 142 (hard, multiple choice)

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They attach an IAM policy that denies all actions if the user does not have MFA. However, after attaching the policy, some users report that they are unable to perform any actions even after authenticating with MFA. The policy uses the condition "aws:MultiFactorAuthPresent": "false". The security team verifies that the users have MFA enabled and are using it. What is the most likely cause of this issue?

Question 143 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that the logs are delivered to a centralized S3 bucket in the management account. The team creates an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Additionally, they enable CloudTrail organizational trail. However, after some time, they discover that one member account has disabled CloudTrail. What is the most likely reason this happened?

Question 144 (easy, multiple choice)

A startup is deploying a web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that all traffic to the EC2 instances is encrypted. They configure the ALB to listen on HTTPS (port 443) and forward traffic to the EC2 instances on HTTP (port 80). Additionally, they create a security group for the EC2 instances that only allows inbound traffic from the ALB's security group on port 80. However, a security audit reveals that the traffic between the ALB and EC2 instances is not encrypted. Which step should the security team take to encrypt the traffic between the ALB and EC2 instances?

Question 145 (medium, multiple choice)

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security engineer tests the configuration and finds that requests from the VPC endpoint are being denied. The bucket policy contains the following condition: "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-12345678" } }. The VPC endpoint ID is correct. The engineer also confirms that the VPC endpoint policy allows the necessary S3 actions. What is the most likely reason for the denial?

Question 146 (hard, multiple choice)

A company uses AWS Organizations and has a requirement to enforce that all EC2 instances launched in any account must have a specific tag "Environment" with value "Production". The security team wants to prevent any instance without this tag from being launched. They implement a service control policy (SCP) that denies the ec2:RunInstances action if the request does not include the required tag. However, they find that users are still able to launch instances without the tag. The SCP is attached to the root OU. The team also has an IAM policy that allows ec2:RunInstances with no conditions. What is the most likely reason the SCP is not preventing the launches?

Question 147 (hard, multiple choice)

A company has a multi-account AWS Organizations setup with hundreds of accounts. The security team needs to enforce a policy that prohibits the creation of any S3 bucket with public read access across all accounts. They have enabled all features in Organizations and are using service control policies (SCPs). The team creates an SCP with a Deny effect for s3:PutBucketAcl and s3:PutBucketPolicy when the request includes a condition that would make the bucket public. They attach the SCP to the root OU. However, a developer in a member account under the root OU is able to create a bucket with a bucket policy that grants public read access. The SCP is evaluated and shows that the Deny is effective for s3:PutBucketPolicy, but the bucket policy is still created. What is the MOST likely reason for this behavior?

Question 148 (medium, multiple choice)

A security engineer needs to ensure that all API calls made to AWS services are logged for auditing. Which AWS service should be used?

Question 149 (hard, multiple choice)

A company wants to enforce that all S3 buckets are encrypted with SSE-KMS. Which AWS service can be used to automatically remediate non-compliant buckets?

Question 150 (easy, multiple choice)

A security team needs to centrally manage permissions for multiple AWS accounts. Which AWS service should they use?

Question 151 (medium, multiple choice)

A company wants to grant cross-account access to an S3 bucket. What is the best practice for managing permissions?

Question 152 (hard, multiple choice)

A security engineer notices that an IAM user has been inactive for 90 days. What is the best way to identify and disable such users?

Question 153 (easy, multiple choice)

Which AWS service provides a centralized view of compliance status for AWS resources?

Question 154 (medium, multiple choice)

A company wants to enforce that all EC2 instances use a specific AMI ID. Which AWS service can be used to detect and remediate non-compliant instances?

Question 155 (hard, multiple choice)

A security engineer needs to monitor for unauthorized API calls in real-time. Which combination of services should be used?

Question 156 (easy, multiple choice)

Which AWS service allows you to create and manage encryption keys for your AWS resources?

Question 157 (medium, multi select)

Which TWO actions should a security engineer take to protect root user credentials? (Select TWO.)

Question 158 (hard, multi select)

Which THREE AWS services can be used to centrally manage security across multiple accounts? (Select THREE.)

Question 159 (medium, multi select)

Which TWO are best practices for managing IAM policies? (Select TWO.)

Question 160 (hard, multiple choice)

Refer to the exhibit. An IAM policy attached to a user allows s3:GetObject only from a specific IP range and denies all S3 actions if not using HTTPS. What happens when the user makes a GET request from IP 10.0.0.5 using HTTP?

Exhibit


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/16"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
Question 161 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the AWS CLI command to look up CloudTrail events. What can be concluded from the output?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01 --end-time 2023-01-31
{
    "Events": [
        {
            "EventId": "abc123",
            "EventName": "CreateTrail",
            "ReadOnly": "false",
            "Username": "admin",
            "EventTime": "2023-01-15T10:30:00Z",
            "Resources": [
                {"ResourceType": "AWS::CloudTrail::Trail", "ResourceName": "my-trail"}
            ]
        }
    ]
}
```
Question 162 (easy, multiple choice)

Refer to the exhibit. A CloudFormation template creates an S3 bucket. Which security control is NOT enabled by this template?

Exhibit


Resources:
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
Question 163 (medium, multiple choice)

A security engineer is designing a solution to enforce that all S3 buckets in an AWS account have server-side encryption enabled. The engineer needs to automatically remediate any non-compliant buckets. Which AWS service should be used to implement this requirement?

Question 164 (easy, multiple choice)

A company wants to grant a third-party auditor read-only access to specific CloudTrail log files stored in an S3 bucket. The auditor should not be able to list or access any other objects in the bucket. What is the most secure way to achieve this?

Question 165 (hard, multiple choice)

A company's security team needs to implement a solution to detect and alert on the creation of IAM users or roles with administrative privileges. The solution must be able to analyze historical account activity and provide real-time alerts. Which combination of AWS services should be used?

Question 166 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. What is the most efficient way to enforce this across all accounts?

Question 167 (easy, multiple choice)

A developer accidentally committed AWS access keys to a public GitHub repository. The security team needs to immediately revoke the compromised keys and ensure that no new keys are created for that IAM user. What is the most effective immediate action?

Question 168 (hard, multiple choice)

A company has a requirement that all Amazon EC2 instances must be launched with an IAM role that grants least-privilege permissions. The security team wants to prevent users from launching instances without a role, and also wants to ensure that the role used is one of a set of approved roles. How can this be enforced?

Question 169 (medium, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt sensitive data in Amazon S3. The security team needs to ensure that the KMS key can only be used from within the company's VPC and not from the public internet. How can this be achieved?

Question 170 (easy, multiple choice)

A company is using AWS Organizations and wants to delegate the management of IAM policies to a specific member account without granting full administrative access. Which AWS feature allows the management account to delegate policy management to another account?

Question 171 (hard, multiple choice)

A company's security team is implementing a solution to automatically revoke public access to Amazon S3 buckets that become public. The solution must be serverless and use native AWS services. Which combination of services should be used?

Question 172 (medium, multi select)

Which TWO AWS services can be used to centrally manage and audit permissions across multiple AWS accounts? (Choose two.)

Question 173 (hard, multi select)

Which THREE steps should a security engineer take to remediate a compromised IAM user whose access keys were exposed? (Choose three.)

Question 174 (easy, multi select)

Which TWO AWS services can be used to enforce that Amazon S3 buckets are not publicly accessible? (Choose two.)

Question 175 (medium, multiple choice)

The exhibit shows an SCP attached to an organizational unit. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutBucketPolicy",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Question 176 (hard, multiple choice)

A security engineer runs the get-account-authorization-details command and sees the exhibit output. The engineer wants to ensure that the 'admin' user does not have administrative access. Which steps should be taken?

Exhibit

Refer to the exhibit.

$ aws iam get-account-authorization-details
{
    "UserDetailList": [
        {
            "UserName": "admin",
            "AttachedManagedPolicies": [
                {
                    "PolicyName": "AdministratorAccess",
                    "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
                }
            ]
        },
        {
            "UserName": "svc-account",
            "AttachedManagedPolicies": [
                {
                    "PolicyName": "ReadOnlyAccess",
                    "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
                }
            ]
        }
    ],
    "GroupDetailList": [],
    "Policies": [
        {
            "PolicyName": "CustomReadOnly",
            "PolicyId": "ANPA...",
            "AttachmentCount": 1,
            "PolicyVersionList": [
                {
                    "Document": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": ["ec2:Describe*", "s3:Get*"],
                                "Resource": "*"
                            }
                        ]
                    }
                }
            ]
        }
    ]
}

Question 177 (easy, multiple choice)

The exhibit shows an S3 bucket policy. The security team wants to ensure that only users from account 123456789012 can access objects in the bucket. What is a potential security issue with this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Question 178 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted with AWS KMS keys. What is the MOST effective way to enforce this requirement?

Question 179 (hard, multiple choice)

A security engineer is designing a centralized logging solution for a multi-account AWS environment using AWS Organizations. The solution must ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the security account. Additionally, the logs must be encrypted with a KMS key that is managed by the security account. Which combination of steps is required?

Question 180 (easy, multiple choice)

A company wants to automate the enforcement of security best practices across all AWS accounts in an organization. The solution should automatically remediate noncompliant resources. Which AWS service should be used to achieve this?

Question 181 (medium, multiple choice)

A security team is reviewing IAM roles and policies. They want to ensure that any new IAM role created in the account must include a specific managed policy (e.g., SecurityAudit). What AWS service can enforce this requirement?

Question 182 (hard, multiple choice)

A company uses AWS Organizations with a management account and several member accounts. The security team wants to restrict the use of specific AWS services (e.g., EC2, Lambda) in certain accounts based on the account's environment (dev, test, prod). Which approach should be used to implement this requirement?

Question 183 (easy, multiple choice)

A company wants to centralize the management of IAM users and groups for multiple AWS accounts. Which AWS service should be used to allow users to access multiple accounts with a single set of credentials?

Question 184 (medium, multiple choice)

A security engineer needs to ensure that all EC2 instances launched in an account have a specific tag (e.g., CostCenter) applied. If an instance is launched without the tag, it should be automatically terminated. Which solution meets these requirements with minimal effort?

Question 185 (hard, multiple choice)

A company is using AWS Organizations and wants to delegate the administration of certain accounts to different teams. For example, the finance team should be able to manage billing-related accounts, but not development accounts. Which AWS feature allows this type of delegation?

Question 186 (easy, multiple choice)

A company wants to receive real-time notifications when an IAM user in their AWS account performs a console login. Which AWS service should be used to monitor and alert on this activity?

Question 187 (medium, multi select)

A security engineer is configuring AWS Config to track changes to security groups in a VPC. The engineer wants to be notified when a security group is modified. Which TWO steps are required to achieve this?

Question 188 (hard, multi select)

A company is implementing a data classification policy using AWS. The policy requires that all S3 objects containing personally identifiable information (PII) be automatically tagged and encrypted. Which THREE services should be used together to meet this requirement?

Question 189 (easy, multi select)

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no root user credentials are used for any account. Which TWO actions should be taken to enforce this?

Question 190 (medium, multiple choice)

A security engineer has attached the IAM policy shown in the exhibit to a user. The user reports that they cannot upload objects to the S3 bucket from their office, which has a public IP address of 198.51.100.50. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}

Question 191 (hard, multiple choice)

A security engineer is auditing the AWS Organizations structure. The engineer notices that the 'Management' account (111111111111) has a status of 'ACTIVE' and joined method 'CREATED'. The engineer is concerned about potential security risks. Which action should the engineer take to improve security?

Exhibit

Refer to the exhibit.

$ aws organizations list-accounts
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
            "Email": "admin@company.com",
            "Name": "Management",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": 1570000000.0
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/222222222222",
            "Email": "dev@company.com",
            "Name": "Development",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1570000001.0
        },
        {
            "Id": "333333333333",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333",
            "Email": "prod@company.com",
            "Name": "Production",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1570000002.0
        }
    ]
}

Question 192 (easy, multiple choice)

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 193 (medium, multiple choice)

A company is using AWS Organizations to manage multiple accounts. The security team needs to enforce that all newly created S3 buckets across the organization have server-side encryption (SSE-S3) enabled by default. Which solution is MOST operationally efficient?

Question 194 (hard, multi select)

A security engineer is designing a solution to automatically remediate noncompliant EC2 security groups. The company uses AWS Organizations with multiple accounts. The engineer wants to deploy an AWS Config rule and a custom Lambda function in a central security account to evaluate and remediate security groups across all accounts. Which combination of steps is REQUIRED to allow the Lambda function to modify security groups in member accounts? (Choose TWO.)

Question 195 (easy, multiple choice)

A company wants to ensure that all IAM users in an account have multi-factor authentication (MFA) enabled. A security administrator needs to identify users who do not have MFA. Which AWS service should the administrator use?

Question 196 (medium, multiple choice)

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all CloudTrail trails be encrypted with a customer-managed KMS key. Which CloudFormation template snippet correctly enforces this requirement?

Question 197 (hard, multiple choice)

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance in a private subnet is making outbound connections to an external IP address on port 443. The VPC has a NAT gateway in a public subnet, and the route table for the private subnet directs 0.0.0.0/0 to the NAT gateway. The security group for the instance allows all outbound traffic. Which AWS service can the engineer use to determine which IAM role or user is responsible for launching the instance?

Question 198 (easy, multiple choice)

A company has a requirement that all S3 buckets must block public access. The security engineer needs to continuously monitor for compliance and automatically remediate any noncompliant buckets. Which combination of AWS services should the engineer use?

Question 199 (medium, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which action should be taken?

Question 200 (hard, multiple choice)

A company uses AWS Organizations with a multi-account strategy. The security team wants to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID. Which approach should the team take to enforce this requirement across all accounts?

Question 201 (easy, multiple choice)

A security engineer is tasked with ensuring that all S3 buckets in an AWS account have versioning enabled. The engineer needs to identify buckets that do not have versioning enabled. Which AWS service is BEST suited for this task?

Question 202 (medium, multi select)

A company is implementing a data retention policy for CloudTrail logs. The logs are stored in an S3 bucket. The policy requires that logs be retained for 7 years and then automatically deleted. Which TWO actions should the security engineer take to meet this requirement?

Question 203 (hard, multi select)

A company uses AWS Organizations with 50 accounts. The security team wants to centrally manage IAM roles that grant cross-account access to a central security account. Which THREE steps are required to set up this cross-account access?

Question 204 (medium, multi select)

A security engineer is auditing IAM policies. The engineer wants to identify if any policy grants 'Effect: Allow' with 'Action: *' and 'Resource: *'. Which TWO AWS services can be used to detect such overly permissive policies?

Question 205 (medium, multiple choice)

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which policy should be attached to the IAM users or group to enforce this requirement?

Question 206 (hard, multiple choice)

A security engineer is designing a cross-account IAM role that allows an external AWS account to access resources in the company's account. The external account's root user must not be able to delegate permissions to other users. Which trust policy condition should be included?

Question 207 (easy, multiple choice)

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent any IAM user from creating access keys. Which type of policy should be used to enforce this control across all accounts?

Question 208 (medium, multiple choice)

A company uses AWS KMS to encrypt data in S3 buckets. The security team needs to ensure that KMS keys can only be used by specific IAM roles within the same account. Which key policy should be applied?

Question 209 (hard, multiple choice)

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to enforce that all S3 buckets created by CloudFormation have encryption enabled. Which approach should be used to enforce this policy?

Question 210 (easy, multiple choice)

A company wants to centrally manage access keys for all IAM users across multiple accounts. Which AWS service should be used to rotate access keys automatically?

Question 211 (medium, multiple choice)

A security engineer is configuring an S3 bucket policy to restrict access to only requests that originate from a specific VPC endpoint. Which condition key should be used?

Question 212 (hard, multiple choice)

A company is using AWS Config to evaluate resource compliance. They need to ensure that all EC2 instances have a specific tag key 'Environment' with a value of 'Production' or 'Development'. Which type of AWS Config rule should be used?

Question 213 (easy, multiple choice)

A company needs to grant an IAM user permissions to start and stop specific EC2 instances. Which IAM policy element should be used to restrict actions to specific instances?

Question 214 (medium, multi select)

Which TWO actions are valid ways to enforce the principle of least privilege in an AWS environment?

Question 215 (hard, multi select)

Which THREE AWS services can be used to centrally manage and audit permissions across multiple accounts in AWS Organizations?

Question 216 (easy, multi select)

Which TWO AWS services can be used to detect and alert on unauthorized API calls in real time?

Question 217 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to my-bucket using server-side encryption with AWS KMS (SSE-KMS). What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Question 218 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the CLI command to determine if the IAM user 'testuser' created a key pair in January 2023. The output shows one event. What can be concluded from this output?

Exhibit

Refer to the exhibit.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-31T23:59:59Z --query 'Events[?UserIdentity.arn==`arn:aws:iam::123456789012:user/testuser`]' --output json
[
    {
        "EventId": "example1",
        "EventName": "CreateKeyPair",
        "ReadOnly": false,
        "Username": "testuser",
        "EventTime": "2023-01-15T10:30:00Z",
        "UserIdentity": {
            "arn": "arn:aws:iam::123456789012:user/testuser"
        },
        "Resources": [
            {
                "ARN": "arn:aws:ec2:us-east-1:123456789012:key-pair/my-key-pair",
                "AccountId": "123456789012"
            }
        ]
    }
]

Question 219 (medium, multiple choice)

Refer to the exhibit. A company uses this CloudFormation template. What security best practice is being violated?

Exhibit

Refer to the exhibit.

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdef1234567890
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref MySecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 100
            Encrypted: false
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

Question 220 (easy, multiple choice)

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record these changes?

Question 221 (medium, multiple choice)

A security engineer notices that an IAM user has permissions to launch EC2 instances but the engineer wants to ensure that all new instances are automatically tagged with the creator's user name. What is the most efficient way to enforce this?

Question 222 (hard, multiple choice)

A company has a multi-account AWS Organization with hundreds of accounts. The security team wants to prevent any IAM user from creating access keys in any account. What is the most scalable and secure approach?

Question 223 (medium, multiple choice)

A company wants to ensure that all S3 buckets in their AWS account have encryption enabled. Which AWS service can continuously evaluate compliance and automatically remediate non-compliant buckets?

Question 224 (hard, multiple choice)

An organization uses AWS Organizations with multiple OUs. The security team wants to ensure that any new account created in the 'Production' OU automatically gets a set of mandatory tags (CostCenter, Environment) and that these tags cannot be removed. What is the most effective approach?

Question 225 (easy, multiple choice)

A security auditor needs to view a list of all IAM users, including their last activity timestamps, for a compliance review. Which AWS service provides this information natively?

Question 226 (medium, multiple choice)

A company wants to centrally manage and enforce encryption on all EBS volumes across multiple AWS accounts. Which AWS service can be used to define and enforce encryption policies at the organizational level?

Question 227 (hard, multiple choice)

A security engineer is designing a system to detect and respond to IAM policy changes that could grant excessive permissions. The solution must alert within minutes of the change and automatically revert the change if it violates a predefined baseline. Which combination of services should the engineer use?

Question 228 (easy, multiple choice)

What is the purpose of an AWS Service Control Policy (SCP) in AWS Organizations?

Question 229 (medium, multi select)

A company wants to implement a least-privilege access model for their AWS resources. Which TWO of the following are best practices for achieving this?

Question 230 (hard, multi select)

A security engineer is designing a solution to detect and alert on any S3 bucket that is publicly accessible. Which THREE services can be used together to achieve this?

Question 231 (easy, multi select)

Which TWO of the following are valid AWS IAM security best practices?

Question 232 (medium, multiple choice)

A company is implementing a multi-account strategy using AWS Organizations. The security team wants to enforce that all newly created member accounts automatically have an IAM role that allows read-only access to the management account. Which configuration should be used?

Question 233 (hard, multiple choice)

A security engineer is reviewing an SCP that denies access to a specific AWS service. The engineer notices that the SCP has an Effect of 'Deny' for 's3:PutObject' but the condition block uses 'StringEquals' with 'aws:SourceIp' set to an IP range. Users in the account are still able to upload objects to S3 from IP addresses outside the range. What is the most likely reason?

Question 234 (easy, multiple choice)

A company has a requirement to audit all API calls made to AWS services in their account. Which AWS service should be used to meet this requirement?

Question 235 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to prevent all users in the production account from disabling AWS CloudTrail or modifying its configuration. What is the MOST effective way to achieve this?

Question 236 (hard, multiple choice)

A security engineer creates the IAM policy shown in the exhibit. The policy is attached to an IAM role. When a user assumes the role and attempts to upload an object to the bucket without specifying server-side encryption, what is the expected behavior?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}

Question 237 (easy, multiple choice)

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to detect users without MFA and automatically send a notification?

Question 238 (medium, multiple choice)

A security engineer is designing a system to centrally manage security rules across multiple AWS accounts. The engineer wants to ensure that any resources that are non-compliant with security policies are automatically remediated. Which combination of services should the engineer use?

Question 239 (hard, multiple choice)

A company uses AWS Organizations with many accounts. The security team wants to ensure that no account can disable AWS CloudTrail or stop logging. Which configuration should be used?

Question 240 (easy, multiple choice)

A company needs to centrally manage access to AWS resources across multiple accounts. Which AWS service should be used to define and enforce a set of common permissions for all accounts in the organization?

Question 241 (medium, multi select)

Which TWO actions are effective for detecting and responding to unauthorized access in an AWS environment? (Choose two.)

Question 242 (hard, multi select)

Which THREE are best practices for managing security in a multi-account AWS environment? (Choose three.)

Question 243 (easy, multi select)

Which TWO AWS services can be used to automatically enforce policies on resources at the time of creation? (Choose two.)

Question 244 (medium, multiple choice)

A company has a multi-account AWS Organization with 50 accounts. The security team uses AWS CloudTrail to log all API calls and sends the logs to a central S3 bucket in the security account. The team wants to ensure that any attempt to disable CloudTrail logging or delete the trail is detected and automatically remediated within 5 minutes. They have configured an AWS Config rule that triggers an AWS Lambda function when the CloudTrail configuration changes. However, the Lambda function is not being invoked when they test by stopping the trail. The Lambda function's IAM role has permissions to start and update CloudTrail. CloudTrail logs show that the Config rule is evaluating the resource, but the Lambda function is not triggered. What is the most likely cause?

Question 245 (hard, multiple choice)

A company is using AWS Organizations with a management account and several member accounts. The security team has created an SCP that denies access to all actions for the 'ec2:*' service unless the request comes from a specific VPC endpoint. The SCP is attached to the organization root. However, users in a member account are still able to launch EC2 instances from the AWS Management Console, which does not use a VPC endpoint. The SCP is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-12345678"
        }
      }
    }
  ]
}

What is the most likely reason the SCP is not preventing the users from launching instances?

Question 246 (easy, multiple choice)

A company has a single AWS account with several IAM users. The security team wants to ensure that all IAM users have strong passwords and that passwords are rotated every 90 days. The team also wants to receive a notification if any user's password is older than 90 days. The team has enabled an IAM password policy that requires strong passwords and sets a maximum password age of 90 days. However, they are not receiving notifications about expired passwords. Which additional step should the security team take to receive notifications?

Question 247 (medium, multiple choice)

A company has an AWS environment with multiple accounts managed under AWS Organizations. The security team wants to enforce that all newly created S3 buckets in any account have encryption enabled by default. Which approach should the security team take?

Question 248 (hard, multiple choice)

A security engineer is troubleshooting a situation where an IAM user is unable to assume a role in a different account. The trust policy of the role allows the user's account to assume the role, and the user has permissions to call AssumeRole. However, the user receives an 'AccessDenied' error. What is the most likely cause?

Question 249 (easy, multiple choice)

A company wants to centrally manage backups for Amazon RDS instances across multiple AWS accounts. Which AWS service should be used to automate the creation and enforcement of backup policies?

Question 250 (medium, multiple choice)

A security team needs to ensure that all API calls made in the AWS account are logged and the logs are stored in a central S3 bucket that is encrypted with a KMS key. Which combination of steps should the team take to achieve this?

Question 251 (hard, multi select)

A company has a security policy that requires all IAM users to use multi-factor authentication (MFA) when accessing the AWS Management Console. The company also wants to enforce this policy using an SCP. Which TWO conditions must be met for the SCP to be effective?

Question 252 (medium, multi select)

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent the creation of Amazon EC2 instances with public IP addresses in all accounts. Which TWO actions should the team take to implement this control using Service Control Policies (SCPs)?

Question 253 (medium, multi select)

A company wants to ensure that all Amazon S3 buckets are encrypted at rest. Which THREE services can be used together to automatically remediate unencrypted S3 buckets?

Question 254 (hard, multi select)

A company has an AWS Organization with hundreds of accounts. The security team wants to enforce that no account can disable AWS CloudTrail logging. Which TWO approaches can achieve this?

Question 255 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload files to the S3 bucket 'example-bucket' using the AWS CLI with HTTPS. What is the most likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 256 (hard, multiple choice)

A company's security team discovers that an EC2 instance in the production account has been compromised. The instance has an IAM role attached that allows it to read from an S3 bucket containing sensitive data. The team needs to immediately stop the data exfiltration while preserving the evidence. What should the team do first?

Question 257 (easy, multiple choice)

A company uses AWS Organizations and wants to centrally manage CloudTrail trails across all accounts. Which feature should be enabled?

Question 258 (hard, multiple choice)

A company has a requirement that all IAM users must use strong passwords. The security engineer needs to enforce a password policy that requires minimum 12 characters, at least one uppercase letter, and at least one number. The engineer sets the password policy in IAM. However, existing users with weak passwords are not forced to change them. What should the engineer do to enforce the policy for existing users?

Question 259 (medium, multiple choice)

A company has a multi-account AWS environment managed with AWS Organizations. The security team wants to ensure that no EC2 instance in any account can be launched without a specific tag 'CostCenter'. The team has created a Service Control Policy (SCP) that denies the ec2:RunInstances action if the request does not include the tag 'CostCenter'. However, they find that instances are still being launched without the tag in some accounts. What is the most likely reason?

Question 260 (hard, multiple choice)

A company has an S3 bucket that contains sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that objects in the bucket are being deleted by an IAM user from outside the VPC. The engineer checks the bucket policy and confirms that the policy denies access if the request does not come from the VPC endpoint. However, the deletions continue. What is the most likely cause?

Question 261 (easy, multiple choice)

A company wants to implement a least-privilege security model for its AWS environment. The security team has identified that many IAM users have overly permissive policies. The team wants to use AWS IAM Access Analyzer to identify policies that grant access to external principals. However, the team is not seeing any findings. What is the most likely reason?

Question 262 (medium, multiple choice)

A financial services company uses AWS Organizations to manage multiple accounts. The Security team has enabled AWS CloudTrail in all accounts and logs are delivered to a central S3 bucket in the management account. The company has a requirement to detect and alert on any IAM user or role that performs a console login without multi-factor authentication (MFA) across all accounts. Currently, the team manually reviews CloudTrail logs, which is time-consuming and error-prone. They want an automated solution that uses AWS services and follows AWS best practices for security governance. The solution must be cost-effective and should not require custom code or third-party tools. What should the Security team do to meet this requirement?
