Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SOA-C02 Security and Compliance • Complete Question Bank

SOA-C02 Security and Compliance — All Questions With Answers

Complete SOA-C02 Security and Compliance question bank — all 0 questions with answers and detailed explanations.

260 questions · Free · No signup
Question 1 (medium, multiple choice)

An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?

Question 2 (medium, multiple choice)

A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?

Question 3 (medium, multiple choice)

An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?

Question 4 (medium, multiple choice)

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

Question 5 (medium, multiple choice)

A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?

Question 6 (hard, multiple choice)

An organization requires that all Amazon EC2 instances must be launched only with approved Amazon Machine Images (AMIs) that have been pre-approved by the security team. The SysOps administrator needs to enforce this policy for all current and future instances in the AWS account. Unapproved AMIs should be prevented from launching. Which solution meets these requirements with the least operational overhead?

Question 7 (medium, multiple choice)

A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?

Question 8 (medium, multiple choice)

A company's security policy requires that all Amazon RDS for PostgreSQL instances be encrypted at rest using AWS Key Management Service (KMS) customer managed keys and have automated backups enabled with a retention period of at least 30 days. A SysOps administrator needs to use AWS Config to automatically detect any RDS instance that is non-compliant with either requirement and automatically remediate it. Which combination of AWS Config managed rules and remediation actions should be used?

Question 9 (medium, multiple choice)

A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

Question 10 (easy, multiple choice)

An organization wants to ensure that no Amazon S3 bucket in the entire AWS Organization can be made public. The security team requires a preventive control that cannot be overridden by individual account administrators. Which AWS service or feature should be used?

Question 11 (medium, multiple choice)

A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?

Question 12 (medium, multiple choice)

An organization has a policy requiring that all Amazon EC2 instances launched in the production account must have detailed monitoring enabled for Amazon CloudWatch. A SysOps administrator needs to enforce this rule automatically. Which solution will ensure that any EC2 instance launched without detailed monitoring is automatically remediated?

Question 13 (hard, multiple choice)

A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?

Question 14 (hard, multiple choice)

A company uses AWS Organizations and wants to restrict access to S3 buckets based on project tags. The security policy requires that users in the 'DataScientists' group can only access S3 buckets that have the tag 'Project: DataEngineering'. Which IAM policy condition key should the SysOps administrator use in a customer managed policy to enforce this restriction?

Question 15 (medium, multiple choice)

A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?

Question 16 (medium, multiple choice)

A company's security team requires that all Amazon S3 buckets are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any S3 bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

Question 17 (easy, multiple choice)

A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?

Question 18 (medium, multiple choice)

A SysOps administrator manages IAM roles for Amazon EC2 instances. The administrator needs to identify permissions that have never been used in the last 90 days to right-size the policies. Which AWS feature should be used to achieve this?

Question 19 (hard, multiple choice)

A company's security policy requires that all Amazon S3 buckets must be non-publicly accessible. The SysOps administrator needs to automatically detect any bucket that becomes publicly accessible and automatically remediate it by applying a bucket policy that blocks public access. The solution should use AWS managed services with minimal custom code. Which combination of services should be used?

Question 20 (medium, multiple choice)

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

Question 21 (easy, multiple choice)

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest. The administrator wants to automatically remediate any bucket that is created without default encryption. Which AWS service should be used to achieve this with the least operational overhead?

Question 22 (medium, multiple choice)

A company's security policy requires that IAM users rotate their access keys every 90 days. The SysOps administrator must automatically identify users whose access keys are older than 90 days and notify the security team. Which combination of AWS services should be used to meet this requirement with the least operational overhead?

Question 23 (medium, multiple choice)

A company's security policy requires that all Amazon EC2 instances must have a specific tag 'Environment' with a value of either 'Production' or 'Development'. The SysOps administrator needs to detect any instance that is missing this tag or has an invalid value, and automatically email the operations team. Which AWS service should be used to achieve this with the least operational overhead?

Question 24 (medium, multiple choice)

A company wants to ensure that only specific IAM roles within the same AWS account can encrypt and decrypt data using an AWS KMS customer managed key. Which type of policy must be configured to achieve this restriction?

Question 25 (hard, multiple choice)

A SysOps administrator needs to detect when an IAM user attempts to modify an Amazon S3 bucket policy in the production AWS account. The administrator wants to receive an email notification within 5 minutes of such an event. The solution must use AWS managed services with no custom code. Which combination of services should the administrator use?

Question 26 (easy, multiple choice)

A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?

Question 27 (medium, multiple choice)

A company wants to enforce that all Amazon EC2 instances launched in the AWS account must have a specific termination protection setting enabled. The SysOps administrator needs to automatically remediate any instances that are launched without termination protection. Which AWS service should be used to achieve this?

Question 28 (medium, multiple choice)

A company requires that all users in an AWS account must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to implement this requirement using IAM policies. Which IAM policy condition key should be used to enforce MFA?

Question 29 (easy, multiple choice)

A company's security policy requires that only traffic from the corporate office IP range (203.0.113.0/24) can access an Amazon S3 bucket that stores internal reports. The SysOps administrator must enforce this restriction. Which policy type should be modified to implement this requirement?

Question 30 (medium, multiple choice)

A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?

Question 31 (hard, multiple choice)

A company operates a web application behind an Application Load Balancer (ALB). The SysOps administrator needs to block incoming requests from specific geographic locations (countries X and Y) and also enforce a rate limit of 100 requests per IP address per 5-minute window to mitigate DDoS attacks. The solution must be centrally configured and apply to all requests handled by the ALB. Which AWS service should be used to implement these requirements?

Question 32 (easy, multiple choice)

A company requires that all Amazon EC2 instances launched in its AWS account must have termination protection enabled. The SysOps administrator needs to automatically remediate any instance launched without termination protection. The solution should use AWS managed services without custom scripts. Which AWS service should be used?

Question 33 (easy, multiple choice)

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are configured with server-side encryption using AWS KMS (SSE-KMS). The administrator wants to automatically detect any S3 buckets that are not compliant and remediate them by enabling SSE-KMS. Which AWS service should be used to implement this automated compliance enforcement?

Question 34 (medium, multiple choice)

A company's security policy requires that all IAM users must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to enforce this requirement using IAM policies. Which IAM policy condition key should the administrator use in the policy?

Question 35 (medium, multiple choice)

A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?

Question 36 (hard, multiple choice)

A company manages multiple AWS accounts under AWS Organizations. The security team requires that all Amazon S3 buckets in the organization must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect any bucket that is not compliant and remediate it by enabling SSE-KMS. Which AWS feature or service should be used to implement this automated compliance enforcement?

Question 37 (medium, multiple choice)

A company wants to restrict access to an AWS Systems Manager Parameter Store parameter to only requests originating from the corporate network IP range (10.0.0.0/8). The SysOps administrator needs to implement this restriction using an IAM policy. Which condition key should be used?

Question 38 (easy, multiple choice)

A company's security team requires that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The SysOps administrator needs to create an IAM policy that denies all console actions if the user has not authenticated with MFA. Which IAM condition key should the administrator use?

Question 39 (hard, multiple choice)

A company uses AWS Organizations and has multiple accounts. The security team requires that all Amazon S3 buckets across all accounts must be encrypted at rest with AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect non-compliant buckets and remediate them by enabling SSE-KMS. The solution must work across all existing and future accounts. Which AWS service should be used?

Question 40 (medium, multi select)

Match each AWS service with its primary security compliance function. (Drag each service to its correct function.) (Choose 4.)

Question 41 (hard, multiple choice)

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?

Question 42 (easy, multiple choice)

A company's security policy requires that all IAM users must change their passwords every 90 days. The SysOps administrator needs to enforce this requirement. Which IAM setting should the administrator configure?

Question 43 (easy, multiple choice)

A company's security policy requires that all IAM user passwords must be at least 12 characters long. The SysOps administrator needs to enforce this requirement across the AWS account. Which action should the administrator take?

Question 44 (hard, multiple choice)

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?

Question 45 (hard, multiple choice)

A company's security policy requires that all IAM users must authenticate using multi-factor authentication (MFA) before accessing the Amazon S3 bucket containing confidential finance data. The SysOps administrator needs to create an IAM policy that denies access to the S3 bucket if the user has not authenticated using MFA. Which IAM condition key should the administrator include in the policy?

Question 46 (easy, multiple choice)

A company wants to ensure that all Amazon S3 buckets have versioning enabled to protect against accidental deletion of objects. A SysOps administrator needs to automatically detect any buckets that do not have versioning enabled and receive notifications. Which AWS service should the administrator use?

Question 47 (medium, multiple choice)

A company stores database credentials in AWS Secrets Manager. The security policy requires that the credentials be rotated automatically every 30 days. Which action should the SysOps administrator take to enforce this requirement?

Question 48 (medium, multiple choice)

A company uses AWS Organizations to manage multiple AWS accounts. The security team requires that all Amazon S3 buckets in every account be encrypted at rest using AWS KMS customer managed keys. The SysOps administrator needs to enforce this requirement centrally without requiring changes in each account individually. Which approach should the administrator use?

Question 49 (medium, multiple choice)

A company requires all S3 uploads to use server-side encryption with a specific customer managed KMS key. What is the most direct enforcement mechanism?

Question 50 (easy, multiple choice)

Developers are allowed to create IAM roles for their Lambda functions. However, the security team is concerned that developers could create roles with Administrator access, granting Lambda functions more permissions than the developers themselves have. What IAM feature prevents privilege escalation in this scenario?

Question 51 (medium, multiple choice)

The CISO asks for a centralized dashboard showing security findings from GuardDuty, Macie, Inspector, and Firewall Manager across 30 AWS accounts. Findings must be normalized into a single format so they can be prioritized by severity without switching between services. Which AWS service provides this capability?

Question 52 (medium, multiple choice)

Account A owns an S3 bucket containing shared artifacts. Account B needs to read objects from the bucket. The Account A team wants to grant access without creating IAM users, sharing access keys, or creating a role in Account A that Account B assumes. How should the bucket be configured to allow Account B's IAM roles to read objects?

Question 53 (hard, multiple choice)

An application stores its RDS PostgreSQL credentials in AWS Secrets Manager. The security policy requires credentials to be rotated every 30 days automatically. During rotation, the application must continue to serve traffic with zero downtime. The application retrieves credentials by calling GetSecretValue at the start of each database connection. What must be configured to satisfy all requirements?

Question 54 (medium, drag order)

Drag and drop the steps to create an Amazon CloudWatch alarm that sends an email notification when CPU utilization exceeds 90% into the correct order.

Question 55 (medium, drag order)

Drag and drop the steps to configure an Amazon Route 53 failover routing policy into the correct order.

Question 56 (medium, matching)

Match each AWS compute service to its use case.

Matches:
Virtual machines in the cloud
Serverless function execution
Container orchestration with Docker
Managed Kubernetes clusters
Serverless compute for containers

Question 57 (medium, matching)

Match each AWS cost management tool to its purpose.

Matches:
Visualize and analyze costs
Set custom cost and usage alerts
Detailed billing data
Discount in exchange for commitment
Flexible pricing model

Question 58 (medium, multiple choice)

A company wants to enforce that all Amazon S3 buckets in their AWS account are encrypted at rest. They have enabled AWS CloudTrail and want to automatically remediate any non-compliant bucket created by users. Which AWS service should they use to achieve this?

Question 59 (easy, multiple choice)

A SysOps administrator needs to ensure that an Amazon EC2 instance can access an Amazon S3 bucket without storing long-term credentials on the instance. Which approach should be used?

Question 60 (hard, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys for themselves. Which is the MOST effective way to enforce this policy across all accounts?

Question 61 (medium, multiple choice)

An application running on Amazon EC2 needs to encrypt data before writing to Amazon S3. The encryption key must be rotated every 90 days and access to the key must be auditable. Which solution meets these requirements?

Question 62 (hard, multiple choice)

A SysOps administrator needs to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy statement should be added to the bucket policy?

Question 63 (easy, multiple choice)

A company requires that all AWS account activity be recorded and the logs be stored in a centralized S3 bucket for analysis. Which two AWS services should be used together to meet this requirement?

Question 64 (medium, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt data in Amazon S3. They want to ensure that the KMS key can only be used from within a specific VPC. How can this be accomplished?

Question 65 (hard, multiple choice)

A SysOps administrator is troubleshooting an issue where an IAM user is unable to launch an EC2 instance in a specific subnet. The user has the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Subnet": "subnet-12345"
        }
      }
    }
  ]
}

What is the likely cause of the failure?

Question 66 (easy, multiple choice)

A company wants to ensure that all data in Amazon S3 is encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Which bucket policy statement should be used to deny any PUT request that does not include the 'x-amz-server-side-encryption' header with value 'aws:kms'?

Question 67 (medium, multi select)

A company is designing a secure application architecture. They need to ensure that sensitive data stored in Amazon S3 is not accessible from the public internet. Which TWO actions should be taken? (Choose TWO.)

Question 68 (hard, multi select)

A SysOps administrator needs to audit all changes to IAM resources in their AWS account. Which THREE AWS services can be used together to achieve this? (Choose THREE.)

Question 69 (hard, multi select)

A company uses AWS Organizations and wants to restrict the use of specific AWS services across all member accounts. Which TWO methods can be used to enforce these restrictions? (Choose TWO.)

Question 70 (easy, multi select)

A company wants to ensure that their Amazon S3 bucket policy only allows access from a specific VPC endpoint. Which TWO condition keys can be used in the bucket policy? (Choose TWO.)

Question 71 (medium, multiple choice)

A company has the following S3 bucket policy attached to a bucket named 'example-bucket'. A user is unable to download an object from the bucket using an HTTP URL (not HTTPS). What is the cause?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Principal": "*"
    }
  ]
}
Question 72 (hard, multiple choice)

A SysOps administrator is investigating a security incident where an unauthorized key pair was created. The CloudTrail lookup command output is shown. The administrator wants to find the source IP address of the 'admin' user who created the key pair. Which field in the 'CloudTrailEvent' JSON should the administrator examine?

Exhibit:

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName

"Events": [
  {
    "EventId": "abc123",
    "EventName": "CreateKeyPair",
    "EventTime": "2023-01-15T12:00:00Z",
    "Username": "admin",
    "Resources": [
      {
        "ResourceType": "AWS::EC2::KeyPair",
        "ResourceName": "mykeypair"
      }
    ],
    "CloudTrailEvent": "..."
  }
]
Question 73 (hard, multiple choice)

A company's security team notices that an IAM user has been making unauthorized API calls from an IP address outside the company's VPN. The team wants to immediately block all API calls from that specific IP address for all users. Which action should be taken?

Question 74 (medium, multiple choice)

A SysOps administrator is tasked with encrypting data at rest for an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption solution meets these requirements?

Question 75 (easy, multiple choice)

A company wants to allow a developer to deploy applications using AWS CloudFormation but restrict the developer from creating or modifying IAM resources. Which IAM policy should be used?

Question 76 (hard, multi select)

Which TWO actions should a SysOps administrator take to secure an S3 bucket that stores sensitive data? (Choose two.)

Question 77 (medium, multi select)

A company wants to audit all API calls made in their AWS account for compliance. Which THREE AWS services can be used together to capture and store these logs? (Choose three.)

Question 78 (easy, multi select)
Read the full Security and Compliance explanation →

Which TWO measures help protect an AWS account root user? (Choose two.)

Question 79 (hard, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. An IAM policy is attached to a user. The user's IP address is 10.0.1.5. What is the result when the user tries to download an object from the folder 'confidential' in 'example-bucket'?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*"
    }
  ]
}
```

Question 80 (medium, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A company has a CloudTrail trail in us-east-1 that logs events for that region only. The company operates in multiple regions and wants to ensure all API calls from all regions are logged. What is the most efficient way to achieve this?

Exhibit

Refer to the exhibit.

```
$ aws cloudtrail describe-trails --trail-name-list MyTrail
{
  "trailList": [
    {
      "Name": "MyTrail",
      "S3BucketName": "my-cloudtrail-bucket",
      "IncludeGlobalServiceEvents": true,
      "IsMultiRegionTrail": false,
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail",
      "LogFileValidationEnabled": true,
      "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogGroup:*",
      "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abc12345-...",
      "HasCustomEventSelectors": false,
      "IsOrganizationTrail": false
    }
  ]
}
```

Question 81 (easy, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. An IAM policy allows a user to run instances only of type t2.micro. What happens when the user tries to run a t2.small instance?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
```

Question 82 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company's security team wants to ensure that all new S3 buckets created in the AWS account are automatically encrypted with server-side encryption. What should a SysOps administrator do to enforce this?

Question 83 (medium, multiple choice)
Read the full Security and Compliance explanation →

An organization requires that all data in transit between EC2 instances and the internet be encrypted. Which AWS service can be used to enforce this requirement?

Question 84 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to grant an IAM role in Account A access to an S3 bucket in Account B. What must be configured?

Question 85 (hard, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator discovers that an EC2 instance was compromised because the SSH key pair was leaked. The administrator wants to ensure that future access to EC2 instances is secured using a method that does not rely on static keys. Which solution should the administrator implement?

Question 86 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company's compliance team requires that all changes to IAM policies be logged and immediately alerted. Which AWS solution should be used?

Question 87 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the administrator do?

Question 88 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company requires that all API calls to AWS services be logged for compliance. The logs must be stored in a centralized S3 bucket with server-side encryption enabled. Which AWS service should be used to capture the API calls?

Question 89 (easy, multiple choice)
Read the full Security and Compliance explanation →

An administrator needs to grant an IAM user the ability to stop and start EC2 instances, but only for instances tagged with 'Environment:Production'. Which IAM policy element should be used to enforce this condition?

Question 90 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with SCPs to restrict member accounts. The security team wants to prevent all users in the 'Developers' OU from deleting S3 buckets, except for the root user of the management account. How should this be implemented?

Question 91 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to ensure that data in an S3 bucket is encrypted at rest. The bucket already has server-side encryption with S3 managed keys (SSE-S3) enabled. Which additional step is required to enforce encryption for all objects?

Question 92 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company has a legacy application that requires access to an S3 bucket using an IAM user's access keys. The security team wants to rotate the access keys every 90 days automatically. What is the MOST efficient way to achieve this?

Question 93 (medium, multiple choice)
Read the full Security and Compliance explanation →

An administrator notices that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What should the administrator do FIRST to contain the incident?

Question 94 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to allow an external auditor to read objects in a specific S3 bucket for 30 days. The auditor does not have an AWS account. Which method should be used?

Question 95 (hard, multiple choice)
Read the full Security and Compliance explanation →

An organization wants to enforce that all IAM users have multi-factor authentication (MFA) enabled before they can perform any action except changing their own password. Which IAM policy element is MOST appropriate?

Question 96 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company stores sensitive data in an RDS database. Which AWS service should be used to encrypt the database at rest?

Question 97 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO actions should a SysOps administrator take to secure an AWS account root user? (Choose two.)

Question 98 (hard, multi select)
Read the full Security and Compliance explanation →

Which THREE are valid methods to control access to an S3 bucket? (Choose three.)

Question 99 (easy, multi select)
Read the full Security and Compliance explanation →

Which TWO services can be used to centrally manage cryptographic keys for AWS services? (Choose two.)

Question 100 (hard, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. An IAM policy is attached to a user. Which statement about the user's access is correct?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Question 101 (medium, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A SysOps administrator runs the AWS CLI command to check the event selectors for a CloudTrail trail. What does the output indicate?

Exhibit

Refer to the exhibit.

```
$ aws cloudtrail get-event-selectors --trail-name management-trail
{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": []
    }
  ],
  "AdvancedEventSelectors": []
}
```

Question 102 (easy, multiple choice)
Read the full Security and Compliance explanation →

Refer to the exhibit. A SysOps administrator runs the command to list running EC2 instances. What is the purpose of the '--query' parameter?

Exhibit

Refer to the exhibit.

```
aws ec2 describe-instances --region us-east-1 --query "Reservations[].Instances[?State.Name=='running'].[InstanceId
```

Question 103 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users in any member account can create access keys for themselves. What is the MOST efficient way to enforce this policy across all accounts?

Question 104 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to share an encrypted AMI with a different AWS account. The AMI uses an AWS KMS key (customer managed key) for EBS encryption. What must be done to allow the target account to launch EC2 instances from the AMI?

Question 105 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company's security team notices that an IAM user has been generating multiple access keys and deleting them within a short period. The SysOps administrator needs to detect and alert on this behavior. Which solution is the MOST effective?

Question 106 (medium, multiple choice)
Read the full Security and Compliance explanation →

An organization requires that all Amazon S3 buckets be encrypted with AES-256 server-side encryption. A SysOps administrator needs to enforce this policy across the entire AWS account. Which action should be taken?

Question 107 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to provide a developer from another AWS account access to an S3 bucket in the administrator's account. The developer must be able to list objects and get objects from the bucket. The administrator does NOT want to share AWS access keys. Which solution meets these requirements?

Question 108 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses IAM roles to grant EC2 instances access to S3 buckets. After a recent security audit, the SysOps administrator must ensure that only instances with a specific tag (Environment=Production) can assume the role. How can this be achieved?

Question 109 (medium, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator is configuring a new AWS account and wants to set up a secure password policy for IAM users. The policy must require at least 12 characters, one uppercase letter, one number, and must prevent password reuse. Where should this policy be configured?

Question 110 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to provide temporary credentials to an application running on an on-premises server so it can access AWS resources. The credentials must be rotated automatically. Which IAM feature should be used?

Question 111 (hard, multiple choice)
Read the full Security and Compliance explanation →

An organization uses AWS KMS to encrypt data in S3. A SysOps administrator needs to ensure that KMS keys cannot be deleted accidentally. What is the MOST effective way to protect against accidental key deletion?

Question 112 (medium, multi select)
Read the full Security and Compliance explanation →

A company has an S3 bucket that stores sensitive data. The security team requires that all data be encrypted at rest and that all access be logged. Which TWO actions should the SysOps administrator take to meet these requirements? (Choose TWO.)

Question 113 (hard, multi select)
Read the full Security and Compliance explanation →

A SysOps administrator is designing a solution to manage secrets (e.g., database credentials) for a multi-tier application running on EC2 instances. The solution must rotate secrets automatically and provide fine-grained access control. Which TWO services should be used together? (Choose TWO.)

Question 114 (easy, multi select)
Read the full Security and Compliance explanation →

A company wants to audit all API calls made in their AWS account for security analysis. They need to record both management events and data events. Which THREE steps should be taken to set up comprehensive logging? (Choose THREE.)

Question 115 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to securely store database credentials used by an application running on Amazon EC2. Which AWS service should be used to rotate and manage access to these secrets?

Question 116 (medium, multiple choice)
Read the full NAT/PAT explanation →

A SysOps administrator is troubleshooting an issue where an IAM user can launch EC2 instances but cannot terminate them. The user's permissions are based on an IAM group policy. Which action should the administrator take to resolve this?

Question 117 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS with a specific customer managed key. Which bucket policy condition should be used to enforce this?

Question 118 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to ensure that an Amazon RDS instance is encrypted at rest. The instance is already provisioned unencrypted. What is the correct approach to enable encryption?

Question 119 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to restrict all accounts from using specific AWS services unless explicitly allowed. Which feature should be used?

Question 120 (hard, multiple choice)
Read the full Security and Compliance explanation →

An application running on Amazon EC2 needs to access an S3 bucket. The SysOps administrator wants to ensure that only that specific EC2 instance can access the bucket, without storing any long-term credentials on the instance. What is the most secure way to achieve this?

Question 121 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to audit all API calls made in the AWS account, including actions performed by the root user. Which service should be enabled?

Question 122 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company requires that all S3 buckets be tagged with a 'CostCenter' tag. A SysOps administrator needs to enforce this and prevent creation of untagged buckets. Which approach should be used?

Question 123 (hard, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator receives an alert that an IAM user's access key was used from an unexpected geographic location. What should the administrator do to prevent future unauthorized use?

Question 124 (medium, multi select)
Read the full Security and Compliance explanation →

A company wants to ensure that its AWS resources are compliant with the CIS AWS Foundations Benchmark. Which TWO AWS services can be used to automate compliance checks and remediation?

Question 125 (hard, multi select)
Read the full Security and Compliance explanation →

A SysOps administrator needs to securely transfer a large dataset from an on-premises server to an Amazon S3 bucket. The data is sensitive and must be encrypted in transit and at rest. Which THREE steps should the administrator take? (Choose three.)

Question 126 (easy, multi select)
Read the full Security and Compliance explanation →

A SysOps administrator is configuring a new VPC and wants to ensure that only traffic from a specific IP address range can access an EC2 instance via SSH. Which TWO components should be configured? (Choose two.)

Question 127 (hard, multi select)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files from the S3 bucket. Which THREE actions should be taken? (Choose three.)

Question 128 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization have server-side encryption enabled. What is the MOST efficient way to achieve this?

Question 129 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to provide temporary access to an S3 bucket for a third-party auditor. The access must expire after 24 hours. Which solution should the administrator use?

Question 130 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses an IAM policy to allow users to manage their own passwords and access keys. The policy includes a condition that requires multi-factor authentication (MFA) for any sensitive operations. However, users report that they are unable to change their own passwords even when MFA is not required. What is the likely cause?

Question 131 (medium, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to ensure that all API calls made to AWS are logged for auditing purposes. Which AWS service should be enabled to capture management events?

Question 132 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects in the bucket be encrypted at rest using AWS KMS. An administrator notices that some objects are not encrypted. What is the MOST efficient way to enforce encryption for future uploads?

Question 133 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance. The user has a policy that allows ec2:RunInstances. What is the most likely cause of the failure?

Question 134 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which solution meets this requirement with minimal administrative overhead?

Question 135 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses an IAM policy that allows s3:GetObject for a specific bucket. However, an IAM user is getting an Access Denied error when trying to download an object. The bucket policy also allows s3:GetObject for the user's account. What is the most likely cause?

Question 136 (easy, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator needs to generate a report of all IAM users and their last activity. Which AWS service can provide this information?

Question 137 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the SysOps administrator do?

Question 138 (hard, multiple choice)
Read the full Security and Compliance explanation →

An IAM user has the policy shown in the exhibit. The user is trying to download an object from example-bucket from an IP address of 192.0.2.50. However, the request is denied. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Question 139 (medium, multi select)
Read the full Security and Compliance explanation →

A company wants to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which TWO actions should the SysOps administrator take? (Choose TWO.)

Question 140 (hard, multi select)
Read the full Security and Compliance explanation →

A company has an AWS account with multiple IAM users. The security team wants to enforce that all users use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the SysOps administrator take? (Choose THREE.)

Question 141 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive data in an S3 bucket. The security team has mandated that all data in transit to the S3 bucket must be encrypted using TLS. The SysOps administrator configured the application to use HTTPS endpoints for S3. However, a security audit reveals that some requests to S3 are still being sent over HTTP. The administrator checks the VPC Flow Logs and sees that the EC2 instances are communicating with the S3 bucket via a VPC endpoint. The company also uses an S3 bucket policy that allows access only from the VPC endpoint. What is the most likely reason that some requests are sent over HTTP?

Question 142 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company has a single AWS account with multiple IAM users. The security team wants to ensure that no IAM user can create or modify VPC resources. The SysOps administrator creates a managed policy that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions. The policy is attached to all IAM users via a group. However, after a week, a user reports that they were able to create a VPC. The administrator checks CloudTrail and confirms that the user created the VPC. What is the most likely cause?

Question 143 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS Organizations with SCPs to restrict access to services. The security team wants to ensure that no IAM user can create access keys, but the SCP is not working as expected. What is the most likely cause?

Question 144 (hard, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile has an IAM role with a policy that allows s3:GetObject on the bucket. The S3 bucket policy has a Deny for all principals except a specific service role. What is the most likely reason for the access failure?

Question 145 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company requires that all data stored in Amazon S3 be encrypted at rest. Which S3 feature should be enabled to meet this requirement without changing the application code?

Question 146 (medium, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator notices that an EC2 instance running a web server is receiving unexpected traffic from an IP address that is known to be malicious. The administrator wants to block this IP address at the instance level. Which solution should be used?

Question 147 (hard, multi select)
Read the full Security and Compliance explanation →

A company is using AWS CloudTrail to log all API calls. The security team wants to ensure that logs are tamper-proof and stored securely. Which TWO actions should be taken? (Choose two.)

Question 148 (easy, multi select)
Read the full Security and Compliance explanation →

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which TWO steps should be taken? (Choose two.)

Question 149 (medium, multi select)
Read the full Security and Compliance explanation →

A company needs to audit all changes to AWS resources. Which THREE AWS services should be used together to achieve this? (Choose three.)

Question 150 (hard, multi select)
Read the full Security and Compliance explanation →

A company is using AWS KMS to encrypt data. The security team wants to ensure that a specific IAM role can use a KMS key, but only when the request comes from a specific VPC. Which THREE conditions should be included in the KMS key policy? (Choose three.)

Question 151 (medium, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator applies the IAM policy shown in the exhibit to an IAM user. The user tries to upload an object to the S3 bucket without specifying encryption. What will happen?

Exhibit

Refer to the exhibit.

IAM Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```

Question 152 (hard, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator deploys the CloudFormation template shown in the exhibit. The stack creation fails with a security group error. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation template snippet:
```yaml
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdef1234567890
      InstanceType: t2.micro
      SecurityGroups:
        - !Ref MySecurityGroup
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/8
```

Question 153 (medium, multiple choice)
Read the full Security and Compliance explanation →

A SysOps administrator is investigating an unauthorized stop of an EC2 instance. The CloudTrail log entry shows the event. What is the first step to determine if the action was authorized?

Exhibit

Refer to the exhibit.

CloudTrail log entry:
```json
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/Admin",
    "accountId": "123456789012"
  },
  "eventTime": "2024-03-15T10:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "instancesSet": {
      "items": [
        {"instanceId": "i-0abcd1234"}
      ]
    }
  },
  "responseElements": null
}
```

Question 154 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company has a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer. The security team requires that all traffic to the instances be encrypted in transit. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The security team wants to ensure that the traffic between the ALB and the instances is also encrypted. What should the SysOps administrator do to meet this requirement with minimal changes?

Question 155 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company has an S3 bucket that stores sensitive customer data. The security team requires that all access to the bucket be logged for auditing. The SysOps administrator enabled S3 server access logging and configured the logs to be delivered to a different S3 bucket in the same account. However, after a week, the log bucket is empty. What is the most likely cause?

Question 156 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must use MFA. They create an SCP that denies all actions if the IAM user does not have MFA. However, the SCP does not apply to the root user. The SysOps administrator finds that some IAM users in member accounts are still able to access the console without MFA. What is the most likely reason?

Question 157 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company uses AWS KMS to encrypt data stored in S3. The security team wants to rotate the KMS key automatically every year. The SysOps administrator enabled automatic key rotation for the KMS key. However, after a year, the security team finds that the key has not been rotated. What is the most likely cause?

Question 158 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company stores sensitive data in an S3 bucket. The security team requires that all objects uploaded to the bucket be encrypted at rest using an AWS KMS customer-managed key. Which S3 bucket policy statement should be added to enforce this requirement?

Question 159 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all new S3 buckets created in any account have encryption enabled. Which approach should be used to enforce this policy?

Question 160 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. Which configuration step is required?

Question 161 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to allow its DevOps team to launch EC2 instances using a specific AMI ID and only in a particular VPC. Which IAM policy should be used?

Question 162 (hard, multiple choice)
Read the full Security and Compliance explanation →

A company is using AWS CodePipeline to deploy a web application. The security team requires that all code changes be reviewed and approved before deployment to production. Which action should be taken to enforce this requirement?

Question 163 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company is using Amazon RDS for MySQL and needs to encrypt data at rest. Which action should be taken to enable encryption?

Question 164 (medium, multiple choice)
Read the full Security and Compliance explanation →

A company wants to provide temporary access to an S3 bucket for a third-party vendor. The vendor needs to upload files for one hour. Which approach should be used?

Question 165 (hard, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets contain RDS databases that should not be accessible from the internet. Which configuration ensures that the databases are only accessible from the application servers in the public subnets?

Question 166 (easy, multiple choice)
Read the full Security and Compliance explanation →

A company wants to monitor for unauthorized API calls in their AWS account. Which AWS service should they use?

Question 167 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO actions can be used to protect data in transit between an EC2 instance and an S3 bucket? (Choose two.)

Question 168 (hard, multi select)
Read the full Security and Compliance explanation →

Which THREE steps are required to enable AWS CloudTrail log file integrity validation? (Choose three.)

Question 169 (medium, multi select)
Read the full Security and Compliance explanation →

Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls? (Choose two.)

Question 170 (hard, multiple choice)
Read the full Security and Compliance explanation →

An S3 bucket policy is shown in the exhibit. The AdminRole attempts to upload an object to my-bucket without specifying any server-side encryption header. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Question 171 (medium, multiple choice)

A SysOps administrator runs the AWS CLI command shown in the exhibit. What is the purpose of this command?

Exhibit

Refer to the exhibit.

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --max-results 5 --region us-east-1
{
    "Events": [
        {
            "EventId": "abc123",
            "EventName": "ConsoleLogin",
            "ReadOnly": "False",
            "Username": "john.doe",
            "EventTime": "2024-03-01T12:00:00Z",
            "CloudTrailEvent": "{...}",
            "Resources": []
        }
    ]
}
```
Question 172 (medium, multiple choice)

A CloudFormation template creates an S3 bucket with encryption and a bucket policy as shown in the exhibit. An administrator tries to upload an object using the AWS CLI without specifying any encryption. What will happen?

Exhibit

Refer to the exhibit.

```yaml
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Statement:
          - Effect: Deny
            Principal: '*'
            Action: 's3:PutObject'
            Resource: !Sub '${MyBucket.Arn}/*'
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: 'AES256'
```
Question 173 (easy, multiple choice)

A company is using AWS KMS to encrypt data at rest in S3. The security team wants to ensure that encryption keys are automatically rotated annually. Which type of KMS key should be used?

Question 174 (medium, multiple choice)

A SysOps administrator needs to grant cross-account access to an S3 bucket in Account A for an IAM user in Account B. The bucket policy in Account A allows the IAM user's account root principal. What additional configuration is required?

Question 175 (hard, multiple choice)

A company has an S3 bucket configured to log all access requests to another bucket. The security team notices that some delete requests are not being logged. What is the most likely cause?

Question 176 (medium, multiple choice)

A SysOps administrator is troubleshooting an IAM policy that is not granting the expected permissions. The policy has a Deny effect on a specific action, but the user is still able to perform that action. What is the most likely reason?

Question 177 (easy, multiple choice)

A company wants to ensure that all S3 buckets are encrypted by default. Which AWS service can be used to automatically enforce encryption on newly created S3 buckets?

Question 178 (hard, multiple choice)

A company has an EC2 instance that needs to access an S3 bucket. The instance is launched in a private subnet with no internet gateway. What is the most secure way to provide access to S3 without traversing the internet?

Question 179 (medium, multiple choice)

A SysOps administrator notices that an IAM user can access the AWS Management Console but cannot use the AWS CLI. The user has a password and an access key. What is the most likely cause?

Question 180 (easy, multiple choice)

A company wants to centrally manage access to AWS accounts for its employees. Which AWS service should be used to create and manage users and groups across multiple accounts?

Question 181 (hard, multiple choice)

A company has an S3 bucket with versioning enabled. They want to ensure that objects are not permanently deleted by users. What configuration should be applied?

Question 182 (medium, multi select)

Which TWO actions can be taken to secure an S3 bucket that contains sensitive data? (Choose two.)

Question 183 (hard, multi select)

A company uses AWS KMS to encrypt EBS volumes. Which TWO statements about using KMS with EBS are correct? (Choose two.)

Question 184 (easy, multi select)

Which THREE security best practices should be followed when managing IAM users? (Choose three.)

Question 185 (medium, multiple choice)

Refer to the exhibit. An IAM user has this policy attached. What is the effect when the user attempts to get an object from my-bucket from an IP address in the range 198.51.100.0/24?

Exhibit

Refer to the exhibit.

Consider the following IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
Question 186 (hard, multiple choice)

Refer to the exhibit. A SysOps administrator reviews the account password policy. Which of the following is true based on this output?

Exhibit

Refer to the exhibit.

```
$ aws iam get-account-password-policy
{
    "PasswordPolicy": {
        "MinimumPasswordLength": 12,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 5,
        "HardExpiry": false
    }
}
```
Question 187 (medium, multiple choice)

Refer to the exhibit. A SysOps administrator creates this stack. Which of the following is true about the bucket?

Exhibit

Refer to the exhibit.

Consider the following CloudFormation template snippet:
```yaml
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${AWS::AccountId}-my-secure-bucket'
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```
Question 188 (medium, multiple choice)

A company's security team notices that an IAM user has access keys that have not been rotated in over a year. Which action should the SysOps administrator take to enforce key rotation automatically?

Question 189 (easy, multiple choice)

An organization wants to centrally manage access to multiple AWS accounts in an AWS Organizations setup. Which AWS service should the SysOps administrator use to define and enforce fine-grained permissions across accounts?

Question 190 (hard, multiple choice)

A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. Which combination of services should the SysOps administrator use to meet this requirement?

Question 191 (medium, multi select)

Which TWO actions can a SysOps administrator take to secure an Amazon S3 bucket that contains sensitive data? (Choose TWO.)

Question 192 (medium, multi select)

Which THREE AWS services can be used to centrally manage and audit user permissions across multiple AWS accounts in AWS Organizations? (Choose THREE.)

Question 193 (easy, multi select)

A company needs to comply with PCI DSS requirements for its AWS environment. Which TWO services should the SysOps administrator use to automate compliance checks and generate reports? (Choose TWO.)

Question 194 (hard, multiple choice)

A company has an AWS account with multiple VPCs connected via a transit gateway. The SysOps administrator needs to ensure that all traffic between VPCs is encrypted in transit. Which solution should the administrator implement?

Question 195 (medium, multiple choice)

A SysOps administrator needs to provide temporary, limited-privilege credentials to an application running on an EC2 instance. The application needs to access an S3 bucket. What is the most secure way to grant these credentials?

Question 196 (medium, multiple choice)

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using keys managed by the company. Which encryption option should the SysOps administrator choose?

Question 197 (hard, multi select)

A SysOps administrator is designing a VPC for a web application that must be secure. Which THREE security measures should the administrator implement? (Choose THREE.)

Question 198 (easy, multi select)

Which TWO AWS services can be used to encrypt data at rest in Amazon RDS? (Choose TWO.)

Question 199 (hard, multiple choice)

An organization has a requirement to prevent any IAM user from deleting an S3 bucket that contains critical data. The SysOps administrator needs to implement a preventive control that works even if the user has full administrative privileges. Which solution should the administrator implement?

Question 200 (medium, multiple choice)

A company uses S3 to store sensitive data. To meet compliance requirements, all S3 buckets must be encrypted at rest. The security team notices that some objects in a bucket are not encrypted. What is the MOST efficient way to enforce encryption for all future objects?

Question 201 (hard, multiple choice)

A SysOps administrator must grant an IAM user the ability to start and stop specific EC2 instances, but NOT terminate them. The administrator creates a policy with the following statement. However, the user can still terminate instances. What is the MOST likely reason?

Question 202 (easy, multiple choice)

A company requires that all access to the AWS Management Console be protected by multi-factor authentication (MFA). The SysOps administrator has enabled an IAM policy that denies all actions if the user does not authenticate with MFA. However, some users report they cannot list their own MFA devices. What is the MOST likely cause?

Question 203 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team requires that all logs be encrypted at rest and stored in an S3 bucket that blocks public access. The SysOps administrator configures the bucket with default encryption (SSE-S3) and a bucket policy that denies all actions unless the request includes the x-amz-server-side-encryption header with value AES256. However, CloudTrail delivery fails. What is the MOST likely cause?

Question 204 (medium, multiple choice)

A SysOps administrator needs to allow an IAM user to launch EC2 instances only in the us-east-1 region. The administrator creates a policy with a condition that uses the aws:RequestedRegion condition key. However, the user can still launch instances in other regions. What is the MOST likely reason?

Question 205 (easy, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which of the following is the MOST effective way to achieve this?

Question 206 (medium, multiple choice)

A company has a VPC with a public and private subnet. The security team wants to restrict outbound traffic from EC2 instances in the private subnet to only allow traffic to an S3 bucket in the same account. Which of the following is the MOST secure way to achieve this?

Question 207 (hard, multiple choice)

A SysOps administrator is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a permissions policy that allows sts:AssumeRole. However, the user still gets an access denied error. What is the MOST likely cause?

Question 208 (easy, multiple choice)

A company uses AWS Config to track resource changes. The security team wants to receive notifications whenever an IAM policy is changed. Which AWS service should be used with AWS Config to send notifications?

Question 209 (medium, multi select)

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be encrypted in transit. Which TWO actions should be taken to enforce this requirement? (Choose two.)

Question 210 (hard, multi select)

A company wants to audit all AWS account activity for compliance. Which THREE AWS services should be used together to achieve this? (Choose three.)

Question 211 (medium, multi select)

A SysOps administrator needs to restrict access to an S3 bucket so that only users from the corporate network IP range (203.0.113.0/24) can read objects. Which TWO elements are required to implement this? (Choose two.)

Question 212 (medium, multiple choice)

Refer to the exhibit. An IAM user has this policy attached. The user tries to start an EC2 instance that has no tags. What will happen?

Exhibit

Refer to the exhibit.

IAM Policy JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}
```
Question 213 (hard, multiple choice)

Refer to the exhibit. The security team wants to ensure that all objects uploaded to the S3 bucket 'my-secure-bucket' are encrypted at rest. Based on the CloudTrail log entry, what can be concluded about the object 'confidential.pdf'?

Exhibit

Refer to the exhibit.

CloudTrail log entry:
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/john.doe",
    "accountId": "123456789012",
    "userName": "john.doe"
  },
  "eventTime": "2023-10-01T12:34:56Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.1",
  "userAgent": "[S3Console]",
  "requestParameters": {
    "bucketName": "my-secure-bucket",
    "key": "confidential.pdf",
    "x-amz-server-side-encryption": "AES256"
  },
  "responseElements": {
    "x-amz-server-side-encryption": "AES256"
  }
}
```
Question 214 (easy, multiple choice)

Refer to the exhibit. An IAM role has the trust policy shown. Which entity can assume this role?

Exhibit

Refer to the exhibit.

AWS CLI output:
```
$ aws iam get-role --role-name MyRole
{
    "Role": {
        "Path": "/",
        "RoleName": "MyRole",
        "Arn": "arn:aws:iam::123456789012:role/MyRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {}
                }
            ]
        },
        "CreateDate": "2023-01-01T00:00:00Z"
    }
}
```
Question 215 (easy, multiple choice)

A company wants to enforce that all IAM users in an AWS account must use multi-factor authentication (MFA) to access the AWS Management Console. Which IAM policy effect should be used to deny access if MFA is not present?

Question 216 (medium, multiple choice)

A SysOps administrator is investigating why an EC2 instance cannot access an S3 bucket using an IAM role. The instance has an associated IAM role with a policy that allows s3:GetObject on the bucket. The bucket policy also allows access from the role. However, the instance's application still gets access denied. What is the most likely cause?

Question 217 (hard, multi select)

A company uses AWS CloudTrail to log API calls. The SysOps team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and triggers an automated response. Which combination of services should be used? (Choose two.)

Question 218 (easy, multiple choice)

A company has an S3 bucket that contains sensitive customer data. The security team requires that all data in transit to and from the bucket must be encrypted. Which bucket policy condition should be used?

Question 219 (medium, multiple choice)

A SysOps administrator needs to grant an IAM user the ability to rotate their own access keys. What is the minimum set of permissions required?

Question 220 (hard, multiple choice)

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any member account can create access keys that are more than 90 days old. What is the most efficient way to enforce this?

Question 221 (medium, multi select)

A company wants to use AWS KMS to encrypt data at rest for an S3 bucket. The security policy requires that the CMK be rotated every year. Which of the following are true about automatic key rotation for AWS KMS customer master keys (CMKs)? (Choose TWO.)

Question 222 (hard, multi select)

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot pull secrets from AWS Secrets Manager. The instance has an IAM role with a policy that allows secretsmanager:GetSecretValue. The secret is in the same account and region. What are possible reasons for the failure? (Choose THREE.)

Question 223 (easy, multi select)

A company uses AWS Shield Advanced to protect against DDoS attacks. Which of the following are benefits of AWS Shield Advanced? (Choose TWO.)

Question 224 (medium, multi select)

A SysOps administrator is configuring CloudTrail to log all management events and data events for S3 buckets. Which of the following are true about CloudTrail logging? (Choose THREE.)

Question 225 (hard, multi select)

A company wants to use AWS WAF to protect a web application behind an Application Load Balancer. Which of the following can AWS WAF inspect? (Choose THREE.)

Question 226 (easy, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission regarding the s3:DeleteObject action on the example-bucket?

Exhibit

Refer to the exhibit.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*"
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}
```
Question 227 (medium, multiple choice)

Refer to the exhibit. A SysOps administrator runs the commands shown. Which key(s) have automatic key rotation enabled?

Exhibit

Refer to the exhibit.

```
$ aws kms list-keys
{
    "Keys": [
        {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"KeyId": "0987fedc-87fe-65dc-43ba-abcdef123456"}
    ]
}
$ aws kms get-key-rotation-status --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyRotationEnabled": true
}
$ aws kms get-key-rotation-status --key-id 0987fedc-87fe-65dc-43ba-abcdef123456
{
    "KeyRotationEnabled": false
}
```
Question 228 (hard, multiple choice)

Refer to the exhibit. An IAM policy allows running instances. A user attempts to launch a t2.micro instance with a 20 GiB gp2 volume and an additional 100 GiB io1 volume. What will happen?

Exhibit

Refer to the exhibit.

arn:aws:iam::123456789012:policy/MyPolicy
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "t2.micro"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*"
        }
    ]
}
```
Question 229 (easy, multiple choice)

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used to track these changes?

Question 230 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts have encryption enabled. What is the most efficient way to enforce this policy?

Question 231 (easy, multiple choice)

A SysOps administrator needs to grant a developer access to view only the logs of a specific Amazon RDS instance. Which IAM action should be allowed?

Question 232 (hard, multiple choice)

A company has an S3 bucket configured with default encryption using SSE-S3. Users report that objects uploaded without specifying encryption are still encrypted, but some objects are accessible to unauthorized users. What is the most likely cause?

Question 233 (medium, multiple choice)

A SysOps administrator notices that an Amazon CloudWatch Logs log group is growing rapidly and suspects that an EC2 instance is sending sensitive data to the logs. What is the most effective way to detect and redact sensitive data in real-time?

Question 234 (easy, multiple choice)

A company wants to allow an external auditor to assume an IAM role in their AWS account to review resources. What is the minimum information the auditor needs from the company to do this?

Question 235 (hard, multiple choice)

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that only specific IAM roles can decrypt the volumes. Which configuration meets this requirement?

Question 236 (medium, multiple choice)

A SysOps administrator needs to audit all IAM user activity in the AWS account for the last 90 days. Which AWS service should be used?

Question 237 (easy, multiple choice)

A company wants to provide temporary security credentials to a mobile application so it can access an S3 bucket. Which AWS service should be used to issue these credentials?

Question 238 (medium, multiple choice)

A SysOps administrator is asked to ensure that all objects in an S3 bucket are encrypted at rest using a customer-managed KMS key. The bucket currently has default encryption set to SSE-S3. What must be done to meet the requirement?

Question 239 (hard, multi select)

A company's security team requires that all API calls to AWS services are encrypted in transit using TLS 1.2 or higher. Which TWO actions should be taken to enforce this?

Question 240 (medium, multi select)

A company needs to restrict access to an S3 bucket so that only users from a specific VPC can read objects. Which THREE configurations are required?

Question 241 (hard, multi select)

A SysOps administrator needs to ensure that an Amazon RDS for MySQL database is compliant with PCI DSS requirements. Which THREE configurations should be implemented?

Question 242 (hard, multiple choice)

Refer to the exhibit. A SysOps administrator applies this S3 bucket policy to a bucket named 'my-bucket'. The root user of account 123456789012 attempts to upload an object to the bucket without specifying encryption. What will happen?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Question 243 (hard, multiple choice)

A SysOps administrator is managing a multi-account AWS environment using AWS Organizations. The security team has mandated that all Amazon S3 buckets across all accounts must be encrypted with SSE-KMS using a centrally managed KMS key. The administrator has created a KMS key in the master account and enabled key rotation. The key policy allows the root user of each member account to use the key. However, users in member accounts report that they cannot upload objects to their S3 buckets with SSE-KMS using the central key, even though they have s3:PutObject permissions. The administrator verifies that the KMS key policy includes the necessary permissions for the member accounts. What should the administrator do to resolve the issue?

Question 244 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive user data in an S3 bucket. The security team requires that traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The SysOps administrator needs to implement the required security controls. Which solution should the administrator implement?

Question 245 (easy, multiple choice)

A company wants to securely store secrets such as database credentials and API keys used by applications running on Amazon EC2. Which AWS service should be used to manage and rotate these secrets automatically?

Question 246 (medium, multiple choice)

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest using server-side encryption. Which combination of actions should be taken to enforce this policy?

Question 247 (hard, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team wants to prevent any IAM user from creating access keys for themselves across all accounts. What is the most effective way to enforce this policy?

Question 248 (medium, multiple choice)

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The company security policy requires that credentials are not stored on the instance. What is the most secure way to grant access?

Question 249 (easy, multiple choice)

A SysOps administrator needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used to record these changes?

Question 250 (hard, multiple choice)

A company has an AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally manage VPC security group rules and ensure compliance. Which approach is most effective?

Question 251 (medium, multi select)

A company is using AWS KMS to encrypt data at rest. Which TWO actions can be taken to audit the usage of a customer managed key?

Question 252 (easy, multi select)

A SysOps administrator needs to ensure that an Amazon S3 bucket is not publicly accessible. Which THREE actions should be taken to prevent public access?

Question 253 (hard, multi select)

A company is using AWS Organizations and wants to delegate administration of a specific member account to a user in the management account. Which TWO steps are required?

Question 254 (medium, multi select)

An organization needs to encrypt data in transit between an Amazon EC2 instance and an Application Load Balancer (ALB). Which THREE actions should be taken?

Question 255 (hard, multiple choice)

Refer to the exhibit. A SysOps administrator applies this bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 256 (medium, multiple choice)

A company has a production AWS account with multiple IAM users. The security team wants to implement a policy that prevents users from launching EC2 instances without an IAM role that grants access to an S3 bucket containing sensitive data. The policy should also allow users to launch instances with other roles. A SysOps administrator creates an IAM policy that denies ec2:RunInstances if the instance does not have a specific IAM instance profile. However, users are still able to launch instances without any role. What is the most likely reason, and what should be done to fix it?

Question 257hardmultiple choice
Read the full Security and Compliance explanation →

A SysOps administrator is managing an AWS account that contains multiple S3 buckets. The security team requires that all objects uploaded to any S3 bucket must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The administrator wants to enforce this using a bucket policy that denies uploads without the x-amz-server-side-encryption header set to AES256. After implementing the policy on a test bucket, the administrator finds that some PutObject API calls from an application are failing even though the application is sending the correct header. The application uses the AWS SDK, and the bucket is in the same AWS Region as the application. What is the most likely cause?
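Both the Question 255 exhibit and the Question 257 scenario come down to how a Deny statement in an S3 bucket policy evaluates its Condition block against the request context. The following is an added example, not part of this question bank: a small Python evaluator for just that subset (explicit Deny, wildcard Action/Resource matching, and the Bool and StringNotEquals operators, including IAM's rule that a negated operator such as StringNotEquals matches when the condition key is absent). SECURE_TRANSPORT_POLICY is the Question 255 exhibit; SSE_POLICY is an assumed rendering of the Question 257 policy; hardened_secure_transport_policy is a hypothetical variant that also covers the bucket ARN. All request contexts are constructed for illustration.

```python
"""Minimal evaluator for S3 bucket-policy Deny statements (added example).

Assumptions: SECURE_TRANSPORT_POLICY is the Question 255 exhibit; SSE_POLICY
is an assumed rendering of the Question 257 policy (deny PutObject unless the
s3:x-amz-server-side-encryption key is AES256). Only the IAM semantics needed
here are modelled: explicit Deny, Action/Resource wildcards, and the Bool,
StringEquals and StringNotEquals condition operators.
"""
from fnmatch import fnmatchcase

SECURE_TRANSPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Assumed Question 257 policy: the AWS-documented "deny unencrypted uploads" pattern.
SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches.

    IAM rule modelled here: a negated operator (StringNotEquals) matches when
    the key is absent from the request context; a positive operator (Bool,
    StringEquals) does not match on a missing key.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_denied(policy, action, resource, context):
    """True if any Deny statement in `policy` applies to this request."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return True
    return False


def hardened_secure_transport_policy(bucket):
    """Hypothetical hardened form of the exhibit: same condition, but the
    Resource also names the bucket ARN, so ListBucket over plaintext HTTP is
    denied as well as object operations."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    bkt = "arn:aws:s3:::example-bucket"
    for action, res, ctx in [
        ("s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        ("s3:GetObject", obj, {"aws:SecureTransport": "true"}),
        ("s3:ListBucket", bkt, {"aws:SecureTransport": "false"}),
    ]:
        verdict = "denied" if is_denied(SECURE_TRANSPORT_POLICY, action, res, ctx) else "not denied"
        print(action, res, ctx, "->", verdict)
```

Running it shows two things worth remembering for the exam. First, the exhibit denies every object-level operation over plaintext HTTP for every principal, but a ListBucket call against the bucket ARN itself is untouched because the Resource only covers example-bucket/*; the hardened variant closes that gap. Second, the SSE policy's StringNotEquals fires both when the header carries a different value (for example aws:kms) and when the PutObject request carries no header at all, so when diagnosing the failing calls in Question 257 the first check is whether every request the SDK actually sends presents the header, since a bucket-level default encryption setting does not add it to the request context.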

Question 258easymultiple choice
Read the full Security and Compliance explanation →

A company has an AWS account with several IAM users. The SysOps administrator needs to ensure that all users are required to use multi-factor authentication (MFA) to access the AWS Management Console. The administrator has enabled MFA for each user and created an IAM policy that denies all actions unless MFA is present. However, some users report that they can still access the console without MFA. What is the most likely reason?

Question 259mediummultiple choice
Read the full Security and Compliance explanation →

A company has a requirement to store audit logs for a minimum of 7 years to comply with regulatory standards. The logs are currently stored in Amazon S3. The SysOps administrator needs to ensure that logs are not deleted before the retention period expires. Which solution should be implemented?

Question 260hardmultiple choice
Read the full Security and Compliance explanation →

A company hosts a critical web application on EC2 instances behind an Application Load Balancer. The security team enabled AWS WAF on the ALB to block SQL injection and XSS attacks. They also use AWS Shield Advanced for DDoS protection. Recently, the application experienced intermittent performance degradation during normal traffic patterns. The security team reviewed the WAF logs and found that legitimate user requests with query strings containing the word "select" (e.g., ?category=select+option) were being blocked. The team wants to ensure that only actual SQL injection attempts are blocked, not legitimate requests with similar patterns. What course of action should the SysOps administrator take to resolve this issue while maintaining security?
