CLF-C02 domain

Security and Compliance

Use this page to practise CLF-C02 Security and Compliance questions. The goal is not to memorise dumps, but to understand each concept, review the explanation and improve your exam readiness.

139 questions


What the exam tests

What to know about Security and Compliance

Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition: how the topic appears in realistic exam-style scenarios, which detail in the question changes the correct answer, how to eliminate plausible but wrong options, and how to connect the question back to the wider exam objective.

Question index

All Security and Compliance questions (139)


1

A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?

2

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

3

A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?

4

A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?

5

A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?

6

A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?

7

A company stores sensitive customer data in multiple Amazon S3 buckets. The security team wants to proactively identify any buckets that have been configured to allow unintended access from external AWS accounts or from the public internet. The team needs a service that continuously analyzes the resource-based policies attached to these buckets and generates findings when such unintended access is detected. Which AWS service should the security team use to meet this requirement?

8

A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?

9

A company runs a public-facing e-commerce website on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has discovered that attackers are attempting SQL injection attacks through the website's search feature. The company wants to use a managed AWS service to inspect incoming HTTP requests and block these malicious payloads before they reach the application. Which AWS service should the company use?

10

A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?

11

A company's security policy requires that all IAM user access keys be rotated every 90 days. The security team wants to automatically identify any IAM user in the company's AWS account whose access keys are older than 90 days and trigger a notification to the security team. They need a managed AWS service that continuously evaluates the access key age against this requirement and generates findings. Which AWS service should the security team use?

12

A financial services company is preparing for an annual audit. The auditors have requested a copy of the AWS SOC 2 Type II report to verify the security controls of the AWS infrastructure that the company uses. The company's compliance officer needs to directly download this report from a trusted AWS source. Which AWS service should the compliance officer use to obtain the report?

13

A financial services company must comply with PCI DSS requirements that mandate the use of a dedicated hardware security module (HSM) to store encryption keys used to protect cardholder data. The company plans to use server-side encryption in Amazon S3 and needs to ensure that the encryption keys are stored in a dedicated HSM under the company's sole control. Which AWS service should the company use to meet this requirement?

14

A company runs a web application that connects to an Amazon RDS for MySQL database. The security policy requires that the database password be rotated every 30 days. The development team wants a fully managed solution that automatically rotates the password, handles the update in RDS, and provides the application with the latest credentials without any code changes. The application should also continue to work during the rotation process. Which AWS service should the company use to meet these requirements?

15

A company hosts a multi-tier web application on AWS. The web tier runs on Amazon EC2 instances in a public subnet, and the database tier runs on Amazon EC2 instances in a private subnet. The security team needs to configure security groups to allow only the web tier instances to communicate with the database tier on port 3306 (MySQL). The web tier must be accessible from the internet on port 443. Which security group configuration meets these requirements?
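
The two security group checks above (question 2, unrestricted SSH; question 15, the two-tier layout) come down to reading rule sets. The block below is an added example, not part of this page: it evaluates a constructed sample in the shape returned by aws ec2 describe-security-groups, with made-up group IDs, and shows both the finding and the compliant pattern (the database tier referencing the web tier's group rather than a CIDR).

```python
"""Evaluate EC2 security group rules the way the checks in questions 2 and 15 describe.

Added example, not from the page. SAMPLE_GROUPS is constructed in the shape returned by
`aws ec2 describe-security-groups` (only the fields used here); the group IDs are made up.
AWS Config's managed rule restricted-ssh performs the first check continuously.
"""

WEB_SG = "sg-0aaa000000000001"  # assumed IDs
DB_SG = "sg-0bbb000000000002"

SAMPLE_GROUPS = [
    {
        "GroupId": WEB_SG,
        "GroupName": "Web-SG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # Violates the question-2 policy: SSH reachable from the whole internet.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": DB_SG,
        "GroupName": "DB-SG",
        "IpPermissions": [
            # Correct question-15 pattern: reference the web tier's group, not a CIDR.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
        ],
    },
]


def rule_covers_port(rule: dict, port: int) -> bool:
    """True when the rule's protocol/port range includes `port` ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_is_world_open(rule: dict) -> bool:
    """True when the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r["CidrIpv6"] == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_unrestricted_ports(groups, ports=(22, 3389)) -> list:
    """Question 2: (group id, port) pairs where an admin port is open to 0.0.0.0/0 or ::/0."""
    return [
        (g["GroupId"], port)
        for g in groups
        for rule in g["IpPermissions"]
        for port in ports
        if rule_covers_port(rule, port) and rule_is_world_open(rule)
    ]


def sources_for_port(groups, group_id: str, port: int) -> set:
    """Everything allowed to reach `group_id` on `port`: referenced group IDs and CIDRs."""
    sources = set()
    for g in groups:
        if g["GroupId"] != group_id:
            continue
        for rule in g["IpPermissions"]:
            if rule_covers_port(rule, port):
                sources.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
                sources.update(r["CidrIp"] for r in rule.get("IpRanges", []))
                sources.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
    return sources


def two_tier_compliant(groups, web_sg: str, db_sg: str) -> bool:
    """Question 15: web tier reachable on 443 from the internet; database tier reachable on
    3306 only from the web tier's security group, with no CIDR sources at all."""
    web_443 = "0.0.0.0/0" in sources_for_port(groups, web_sg, 443)
    db_3306 = sources_for_port(groups, db_sg, 3306) == {web_sg}
    return web_443 and db_3306


if __name__ == "__main__":
    print("world-open admin ports:", find_unrestricted_ports(SAMPLE_GROUPS))
    print("two-tier layout compliant:", two_tier_compliant(SAMPLE_GROUPS, WEB_SG, DB_SG))
```

Against a real account, the output of aws ec2 describe-security-groups --query 'SecurityGroups' can be passed straight to find_unrestricted_ports. Note that the sample passes the question-15 layout check while still failing the question-2 check: the two policies are independent, which is why a compliance rule set normally carries both.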

16

A company hosts a web application behind an Application Load Balancer (ALB) in AWS. The application must comply with a security policy requiring TLS encryption for all traffic between users and the ALB. The company wants to automate the renewal of TLS certificates and avoid manual certificate management. Which AWS service should the company use to provision and automatically renew the certificates?

17

A company runs multiple workloads on AWS and must ensure that all Amazon S3 buckets have server-side encryption enabled. The compliance team wants to automatically detect any S3 bucket that is created without encryption and receive an alert. They also want to continuously monitor existing buckets for compliance. Which AWS service should they use?

18

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?

19

A company stores sensitive documents in Amazon S3. The security team wants a preventive control that ensures no S3 bucket in the AWS account can ever be configured with a bucket policy that grants public read or write access. This control must apply automatically to all newly created buckets and to existing buckets, without requiring changes to individual bucket policies. Which AWS feature should the security team use?

20

A company uses AWS Organizations to manage multiple AWS accounts. The security team must ensure that all API activity across all accounts, including any new accounts added in the future, is recorded and delivered to a centralized S3 bucket for auditing. The solution should require minimal ongoing manual effort. Which AWS feature should the security team use?

21

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to enforce a policy that prevents any employee from deploying resources in AWS Regions outside of the United States. The company’s legal department requires a preventive control that automatically blocks all resource creation in non-approved Regions for every account, including any new accounts added in the future. The team wants a solution that requires minimal ongoing administration. Which AWS feature should the security team use?

22

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a policy that restricts SSH access (port 22) from the internet (0.0.0.0/0) in all VPCs across all accounts. The team wants to centrally define the allowed rules and automatically apply them to newly created VPCs and security groups, while also automatically remediating any existing non-compliant security groups. Which AWS service should the team use?

23

A company stores sensitive customer data in Amazon S3 buckets. The company's security policy requires that all objects in these buckets be encrypted at rest using an encryption key that the company can rotate annually and audit for usage. The company also needs to control which IAM users and roles can use, create, and manage these keys. The security team wants to use an AWS managed service to handle the key management lifecycle. Which AWS service should the company use to meet these requirements?

24

A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

25

A company manages multiple AWS accounts using AWS Organizations. The company wants employees to sign in using their existing corporate credentials from an on-premises Microsoft Active Directory. The company also needs a single sign-on (SSO) experience so that each employee can access the AWS Management Console for any authorized account without needing separate passwords. Additionally, the company wants to centrally manage permissions across all accounts. Which AWS service should the company use to meet these requirements?

26

A company is preparing for a PCI DSS compliance audit. The security team needs to ensure that all AWS API calls are logged and that the logs are continuously analyzed for suspicious or unauthorized activity. The team wants a managed security service that uses machine learning to identify threats, generates findings for review, and can trigger automated remediation through AWS Lambda. Which AWS service should the team use?

27

A company's security team discovers that database credentials are stored in plaintext in application configuration files. The team wants to implement a secure way to store, manage, and automatically rotate these credentials every 90 days. The solution must provide fine-grained IAM policies to control which users and applications can access the secrets and must integrate with AWS services like Amazon RDS for automatic rotation. Which AWS service should the company use to meet these requirements?

28

A company runs a web application on Amazon CloudFront and an Application Load Balancer (ALB). The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS). Additionally, the company needs to block requests from specific countries due to compliance requirements. The security team prefers a managed service that provides pre-configured rule sets and integrates directly with CloudFront and ALB without requiring additional infrastructure. Which AWS service should the security team use?

29

A company is preparing for a SOC 2 Type II audit and needs to provide its auditor with evidence of AWS's operational security controls. The security team has been asked to download the latest SOC 2 Type II report published by AWS. The team must access the report through a self-service portal without needing to contact AWS Support. Which AWS service should the security team use to meet this requirement?

30

A financial services company uses AWS CloudTrail to log all API calls in its AWS account. The company must demonstrate to auditors that the CloudTrail log files have not been tampered with after they were delivered to the Amazon S3 bucket. The company wants to use a feature that automatically creates digest files containing a hash of each log file, allowing the auditor to mathematically verify the integrity of the logs. Which AWS feature should the company enable to meet this requirement?
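
Question 30 describes log file validation. What an auditor actually does with the digest files is recompute hashes, so the block below is an added example (not from this page) that builds a constructed bucket of two log files and two chained digest documents in the documented digest layout and verifies them. The bucket name and account ID are assumed; real objects are gzipped, and the RSA signature on each digest (kept in the object's x-amz-meta-signature metadata, verified with the key from aws cloudtrail list-public-keys) is described but not checked here.

```python
"""Check the hash chain in CloudTrail digest files, the mechanism question 30 asks about.

Added example, not from the page. The bucket contents are constructed: two log files and two
digest documents in the documented digest-file layout (a digest records the SHA-256 of the
uncompressed content of each log file it covers and of the previous digest file). Real
objects are gzipped, and each digest's RSA signature lives in its S3 object metadata
(x-amz-meta-signature); verifying that signature needs the public key returned by
`aws cloudtrail list-public-keys` and is left out here.
"""
import copy
import hashlib
import json

BUCKET = "example-trail-bucket"             # assumed
PREFIX = "AWSLogs/111122223333/CloudTrail"  # assumed account ID


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(end_time, digest_key, log_keys, objects, previous_key=None, previous_sig=None):
    """Assemble one digest document covering `log_keys`, chained to `previous_key` if given."""
    doc = {
        "digestEndTime": end_time,
        "digestS3Bucket": BUCKET,
        "digestS3Object": digest_key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(objects[previous_key]) if previous_key else None,
        "previousDigestSignature": previous_sig,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(objects[k])}
            for k in log_keys
        ],
    }
    return json.dumps(doc, sort_keys=True).encode()


def sample_bucket() -> dict:
    """Constructed S3 listing (key -> object bytes): two hourly log files plus their digests."""
    objects = {
        f"{PREFIX}/us-east-1/2024/01/05/log-1400Z.json": b'{"Records":[{"eventName":"RunInstances"}]}',
        f"{PREFIX}/us-east-1/2024/01/05/log-1500Z.json": b'{"Records":[{"eventName":"StopLogging"}]}',
    }
    log_keys = list(objects)
    d1 = f"{PREFIX}-Digest/us-east-1/2024/01/05/digest-1500Z.json"
    objects[d1] = build_digest("2024-01-05T15:00:00Z", d1, log_keys[:1], objects)
    d2 = f"{PREFIX}-Digest/us-east-1/2024/01/05/digest-1600Z.json"
    # A real previous signature is read from d1's object metadata; this value is made up.
    objects[d2] = build_digest("2024-01-05T16:00:00Z", d2, log_keys[1:], objects, d1, "ab" * 128)
    return objects


def digest_keys(objects: dict) -> list:
    """Digest objects are delivered under the CloudTrail-Digest prefix."""
    return [k for k in objects if "/CloudTrail-Digest/" in k]


def verify_digest(digest_key: str, objects: dict) -> list:
    """Recompute every hash the digest claims. An empty list means the window is intact."""
    digest = json.loads(objects[digest_key])
    problems = []
    for entry in digest["logFiles"]:
        body = objects.get(entry["s3Object"])
        if body is None:
            problems.append(f"missing log file {entry['s3Object']}")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"hash mismatch for {entry['s3Object']}")
    previous = digest.get("previousDigestS3Object")
    if previous:
        body = objects.get(previous)
        if body is None:
            problems.append(f"missing previous digest {previous}")
        elif sha256_hex(body) != digest["previousDigestHashValue"]:
            problems.append(f"digest chain broken at {previous}")
    return problems


def data_to_sign(digest_key: str, objects: dict) -> str:
    """The string CloudTrail signs for a chained digest: end time, bucket/key, SHA-256 of the
    digest content and the previous digest's signature, newline-separated. Checking it
    against the digest's RSA signature is the step this example leaves out."""
    digest = json.loads(objects[digest_key])
    return "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        sha256_hex(objects[digest_key]),
        str(digest["previousDigestSignature"]),
    ])


def tamper_with(objects: dict, key: str, old: bytes, new: bytes) -> dict:
    """Simulate someone editing a delivered object in place."""
    edited = copy.deepcopy(objects)
    edited[key] = edited[key].replace(old, new)
    return edited


if __name__ == "__main__":
    objs = sample_bucket()
    for key in digest_keys(objs):
        print(key, verify_digest(key, objs) or "OK")
```

Two things the sample makes visible: editing a log file is caught by the digest that covers it, and editing a digest is caught by the next digest's previousDigestHashValue even before the signature is checked. Only the signature protects the newest digest, which is why it should be verified too (aws cloudtrail validate-logs does all of this).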

31

A company has internal security policies that require all Amazon S3 buckets to be private (not publicly accessible) and all Amazon EC2 security groups to restrict inbound SSH traffic to a specific IP range. The security team needs to continuously monitor all AWS resources across their account to detect any resource that violates these policies. They also need a historical record of configuration changes and a compliance dashboard that shows overall pass/fail status. Which AWS service should the security team use to meet these requirements?

32

A company runs a fleet of Amazon EC2 instances that host a customer-facing web application. The security team wants to automatically identify software vulnerabilities, such as missing patches and common vulnerabilities and exposures (CVEs), in the operating system and applications running on these instances. The team also needs visibility into unintended network accessibility, such as instances with ports open to the internet. The solution must be natively integrated with AWS and should provide findings that can be viewed in a central dashboard. Which AWS service should the security team use?

33

A company stores sensitive audit reports in an Amazon S3 bucket. An external auditor needs to download a specific report for a compliance review. The auditor does not have an AWS account and will only need access for 48 hours. The company wants to provide a secure, time-limited link that allows the auditor to download the file directly from S3 without making the bucket public or requiring the auditor to authenticate with AWS. Which AWS feature should the company use to meet these requirements?

34

A company uses Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scanning, and Amazon Macie for sensitive data discovery. The security team needs a centralized dashboard that aggregates findings from all these services, provides a security score, and tracks compliance against industry standards such as CIS AWS Foundations. Which AWS service should the security team use?

35

A company stores sensitive financial data in Amazon S3 and must encrypt it at rest. The compliance team mandates that the encryption key must be rotated at least once per year, and the key material must be generated and managed by the company within AWS. The company wants a fully automated solution that requires no manual intervention for key rotation. Which AWS service or feature should the company use?

36

A company is undergoing a compliance audit to demonstrate that its AWS environment adheres to industry standards such as PCI DSS and SOC. The auditor requests the company to provide the latest AWS compliance reports to verify the security controls implemented by AWS. The company needs to obtain these reports directly from AWS in a downloadable format. Which AWS service should the company use to meet this requirement?

37

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to enforce that all Amazon Elastic Block Store (EBS) volumes created in any account within the organization are automatically encrypted at rest. The team needs a centrally managed solution that proactively prevents the creation of unencrypted EBS volumes without requiring individual account administrators to enable any settings. Which AWS feature should the security team use to meet these requirements?

38

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS MySQL database. The application requires database credentials to authenticate. The security team wants to eliminate the practice of storing database credentials in the application code or configuration files. Additionally, the team needs a managed service that can automatically rotate the database credentials on a regular schedule without any manual intervention. Which AWS service should the security team use to store and manage these database credentials?

39

A healthcare company is required to encrypt all protected health information (PHI) stored in Amazon S3. The company must maintain control over the encryption keys, rotate them annually, and log all key usage. Which AWS service or feature should they use to meet these requirements?

40

A company is deploying a three-tier web application on AWS. The security team requires a network-level firewall that operates at the subnet level and can evaluate both inbound and outbound traffic using stateless rules. Which AWS feature should the company use to meet this requirement?

41

A financial services company is undergoing an external audit. The auditor requests copies of AWS SOC 2, ISO 27001, and PCI DSS compliance reports to validate the company's cloud infrastructure controls. Where can the company's compliance team obtain these reports in a centralized manner?

42

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits, including SQL injection and cross-site scripting (XSS). The solution must integrate directly with the ALB and allow custom rules to be defined. Which AWS service should the company use?

43

A company uses AWS Organizations to manage multiple accounts. The security team wants a preventive control to ensure that nobody in any account, including account root users, can disable AWS CloudTrail or delete Amazon S3 bucket policies. Which AWS feature should the security team use?

44

A company operates hundreds of AWS accounts under AWS Organizations. The security team wants a single dashboard that aggregates security findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie across all accounts. Additionally, they want to continuously assess the accounts against the CIS AWS Foundations Benchmark and receive a consolidated compliance score. Which AWS service should the security team use?

45

A healthcare company is subject to HIPAA regulations and must record all AWS API calls made in its account for auditing. The logs must be retained for 7 years and must be protected from any modification or deletion, including by the account root user. Which combination of AWS services should the company use to meet these requirements?

46

A company wants to automatically evaluate its AWS resource configurations against internal security policies. The company has defined rules such as 'EBS volumes must be encrypted' and 'S3 buckets must not be publicly accessible'. They need a service that continuously monitors resource configurations, identifies noncompliant resources, and provides a dashboard of compliance status over time. Which AWS service should the company use?

47

A healthcare company stores sensitive patient data in Amazon S3. The company must comply with a regulation that requires encryption keys to be rotated automatically every 12 months. The security team also needs to use IAM policies to control which users and roles can decrypt specific S3 objects. Which encryption solution should the company use for the S3 objects?

48

A company's external auditor requires the company to provide evidence that the AWS infrastructure used by the company meets SOC 2 and ISO 27001 standards. The company needs to download the latest AWS SOC 2 report and ISO 27001 certification to share with the auditor. Which AWS service or feature should the company use to retrieve these documents?

49

A company has a security policy that requires all AWS API calls made by its IAM users to originate from the company's corporate network IP range (203.0.113.0/24). An administrator is creating an IAM policy to enforce this restriction. Which IAM policy element should the administrator use to specify the allowed IP address range?
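
The element question 49 asks about is Condition, and the reason the question is phrased around API calls rather than SSH sessions is that an identity policy only ever sees API requests. To make the mechanics concrete, the block below is an added example, not from this page and not the AWS evaluator: a deliberately small policy evaluator that runs the question-49 source-IP policy and, going beyond that question, the question-21 Region-restriction SCP in the documented shape, over constructed request contexts. It assumes the default FullAWSAccess SCP is also attached (so the SCP only needs a Deny), abbreviates the list of global services, and implements only the operators the two policies use.

```python
"""A minimal IAM-style policy evaluator showing how the Condition element gates a request.

Added example, not from the page and not the AWS evaluator. It implements only what the two
policies below need: Action/NotAction wildcards, the IpAddress/NotIpAddress,
StringEquals/StringNotEquals and Bool operators, and "explicit Deny wins, otherwise any
matching Allow, otherwise implicit deny". Real IAM also consults resource policies,
permission boundaries, session policies and many more operators.
"""
import fnmatch
import ipaddress

# Question 49: an identity policy cannot gate SSH sessions (that is a security group's job),
# but it can gate API calls by caller address with aws:SourceIp under Condition.
CORPORATE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:List*"], "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                # Calls that AWS services make on the principal's behalf carry no caller IP;
                # this clause keeps the Deny from breaking them.
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}

# Question 21: an SCP of the documented shape that denies everything outside approved
# Regions, exempting an (abbreviated, assumed) set of global services.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "route53:*", "cloudfront:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]}},
    }],
}


def _match_any(patterns, value: str) -> bool:
    """IAM wildcard match ("*" and "?") for Action, NotAction and Resource."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator: str, key: str, expected, context: dict) -> bool:
    values = expected if isinstance(expected, list) else [expected]
    negated = "Not" in operator                 # NotIpAddress, StringNotEquals
    actual = context.get(key)
    if actual is None:                          # missing key: negated operators match, others fail
        return negated
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                  for v in values)
    elif operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    elif operator == "Bool":
        hit = str(actual).lower() == str(values[0]).lower()
    else:
        raise ValueError(f"operator {operator} not implemented in this example")
    return (not hit) if negated else hit


def statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """A statement applies when action, resource and every Condition clause all match."""
    if "Action" in stmt and not _match_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match_any(stmt["NotAction"], action):
        return False
    if not _match_any(stmt.get("Resource", "*"), resource):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, context):
                return False
    return True


def evaluate(policies, action: str, resource: str, context: dict) -> str:
    """Return "Deny", "Allow" or "ImplicitDeny" for one request across all policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


POLICIES = [CORPORATE_IP_POLICY, REGION_SCP]
# Constructed request context for a call from inside the corporate range.
CORPORATE_CALL = {"aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "us-east-1",
                  "aws:ViaAWSService": "false"}

if __name__ == "__main__":
    print(evaluate(POLICIES, "ec2:RunInstances", "*", CORPORATE_CALL))
    print(evaluate(POLICIES, "ec2:RunInstances", "*", dict(CORPORATE_CALL, **{"aws:SourceIp": "198.51.100.7"})))
```

The cases worth stepping through: a call from outside the range hits the Deny; a call to eu-west-1 is denied by the SCP even though the identity policy allows it; iam:ListUsers escapes the Region Deny through NotAction; and a request with aws:ViaAWSService set to true and no aws:SourceIp is still allowed, which is exactly the breakage the Bool clause prevents.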

50

A company hosts a web application on AWS that uses Amazon CloudFront for content delivery and an Application Load Balancer (ALB) in front of Amazon EC2 instances. The security team wants to protect the application against common web exploits such as SQL injection and cross-site scripting (XSS). They need a managed service that can inspect incoming HTTP/HTTPS requests and block malicious traffic before it reaches the application servers. Which AWS service should the company use to meet these requirements?

51

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that no Amazon S3 bucket in any account within the organization can be made publicly accessible. The team wants a centrally managed, preventive control that applies to all existing and future accounts and cannot be overridden by individual account administrators. Which AWS feature should the security team use to meet these requirements?

52

A company is migrating an on-premises MySQL database to Amazon RDS for MySQL. The security team needs to understand their responsibilities under the AWS Shared Responsibility Model. Which of the following tasks is the customer's responsibility?

53

A company's security team needs to receive near-real-time notifications whenever an IAM user in their AWS account performs an action that violates a defined baseline of expected behavior. Examples include launching an Amazon EC2 instance in an unauthorized AWS Region or modifying a security group to allow public SSH access from the internet. The solution must analyze continuous streams of AWS API activity to identify suspicious patterns and known malicious IP addresses. Which AWS service should the security team use?

54

A company's security team needs to run automated vulnerability scans on all Amazon EC2 instances in their production environment. They require a managed service that checks for common vulnerabilities and exposures (CVEs) and identifies insecure network configurations. The scans must be scheduled to run weekly and the results must be viewable in the AWS Management Console. Which AWS service should the team use?

55

A company uses AWS Organizations to manage multiple accounts. The security team wants to continuously monitor the configurations of all AWS resources across the organization and receive alerts when a resource violates a compliance rule. For example, they want to ensure that all Amazon RDS databases are not publicly accessible, and that any new RDS instance created with public access enabled is automatically flagged. The team does not want to build custom scripts for monitoring. Which AWS service should the security team use to meet these requirements?

56

A company stores sensitive financial data in Amazon S3. The company's security policy requires that all data be encrypted at rest using a key that the company creates and manages, with the ability to rotate the key annually. The company also needs an audit trail of when the key was used and by which AWS service. Which solution should the company use to meet these requirements?

57

A company's compliance team is preparing documentation for a third-party audit. The auditor requires a copy of the AWS SOC 3 report, which provides an overview of AWS's security controls and is intended for public distribution. The team needs to securely download the most recent version of this report directly from AWS. Which AWS service should the team use?

58

A company uses AWS Organizations to manage over 50 AWS accounts. The security team has identified a high-priority requirement to prevent any security group rule in any account from allowing inbound RDP (port 3389) access from the internet (0.0.0.0/0). If a rule is created that violates this policy, the team wants it to be automatically removed. The team needs a centralized service that can enforce this policy across all current and new accounts without requiring manual setup in each account. Which AWS service should the team use?

59

A company manages multiple AWS accounts using AWS Organizations. The company has an on-premises Microsoft Active Directory (AD) that contains employee credentials and group memberships. The company wants to grant employees access to the AWS Management Console and command-line interface (CLI) using their existing AD credentials, without creating IAM users for each employee. Additionally, the company wants to centrally manage permissions across all accounts by assigning policies to AD groups. Which AWS service should the company use to meet these requirements?

60

A company's security team is concerned about the risk of compromised Amazon EC2 instances being used for crypto-mining activities. They want a managed AWS service that can automatically detect unusual outbound network traffic patterns that are characteristic of crypto-mining, without requiring the installation of any agents on the instances. The team needs continuous monitoring and the ability to receive findings that include details about the suspicious activity. Which AWS service should the security team use?

61

A company operates multiple AWS accounts under AWS Organizations. The security team needs to record all management events (for example, creating Amazon EC2 instances, modifying security groups, and deleting Amazon S3 buckets) across all accounts. The logs must be delivered to a single Amazon S3 bucket that is encrypted with an AWS KMS key and protected from modification. Which AWS feature should the team enable to achieve this centralized logging requirement?

62

A company has a compliance requirement that all Amazon S3 buckets must have server-side encryption (SSE) enabled and must block all public access. The company has hundreds of existing S3 buckets and creates new ones regularly. The security team needs a centralized AWS service that can continuously evaluate all buckets against these two rules, automatically detect noncompliant buckets, and then automatically remediate them by enabling SSE and blocking public access. Additionally, the team wants to receive notifications when compliance changes occur. Which AWS service should the security team use?

63

A company has a strict security policy requiring that no Amazon S3 bucket or IAM role should be accessible to external AWS accounts unless explicitly approved. The security team needs a service that continuously analyzes resource-based policies and can generate findings when an S3 bucket policy allows access to a principal from outside the company's AWS Organization. Which AWS service should the team use?

64

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that Amazon CloudTrail is enabled in all AWS Regions for every member account, and that no user (including account administrators) can disable it. The policy must apply automatically to any new accounts that are added to the organization. Which AWS feature should the security team use to enforce this requirement?

65

A company runs a payment processing application on AWS that must comply with the Payment Card Industry Data Security Standard (PCI DSS). An external auditor requests a copy of the AWS SOC 2 report and the PCI DSS Attestation of Compliance (AOC) to verify the security controls of the underlying AWS infrastructure. The company needs to obtain these documents directly from AWS. Which AWS service should the company use?

66

A company manages user access to AWS resources using IAM users. The security team wants to automatically detect if an IAM user's access key is being used from a geographic location that is unusual for that user, which could indicate a compromised credential. The team needs a managed threat detection service that monitors API activity and raises alerts for such anomalies. Which AWS service should the security team use?

67

A company stores customer data in Amazon S3 buckets. The compliance team needs to automatically discover which buckets contain personally identifiable information (PII) such as names, addresses, and credit card numbers. The team also wants to receive continuous monitoring and alerts when new sensitive data is uploaded. Which AWS service should the team use to meet these requirements?

68

A company operates a healthcare application on AWS that must comply with HIPAA regulations. The application stores sensitive patient data in Amazon S3. The compliance team requires that all data at rest in S3 be encrypted with a key that the company manages. The company also needs the ability to automatically rotate the encryption key every 365 days and to audit all key usage through AWS CloudTrail. Which AWS service should the company use to meet these requirements?

69

A company has 200 IAM users. The security team needs to automatically verify that every IAM user has enabled multi-factor authentication (MFA) for console access. They also need to receive a notification whenever a new user is created without MFA so they can enforce the policy. Which AWS service should the security team use to meet these requirements?
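
Questions 11 and 69 are both answered by AWS Config managed rules (access-keys-rotated and iam-user-mfa-enabled), but the underlying data is the IAM credential report, and the logic is worth seeing once. The block below is an added example, not from this page: it parses a constructed credential report (columns trimmed to the ones the checks read) and returns the users lacking MFA and the active access keys older than 90 days as of an assumed report date.

```python
"""Flag IAM users without MFA and access keys older than 90 days (questions 69 and 11).

Added example, not from the page. Real input is the CSV returned by
`aws iam get-credential-report` (base64-encoded in the API response); SAMPLE_REPORT is
constructed and keeps only the columns these checks read. AWS Config's iam-user-mfa-enabled
and access-keys-rotated rules evaluate the same data continuously.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample. Timestamps use the report's ISO 8601 form with an explicit offset.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-03-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-12-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-01-10T00:00:00+00:00,true,2023-10-01T00:00:00+00:00
"""

# Assumed generation time of the sample report.
REPORT_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_report(report_csv: str) -> list:
    """One dict per identity, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def users_without_mfa(report_csv: str) -> list:
    """Question 69: console-capable identities with no MFA device.

    password_enabled is "true" for IAM users with a console password and "not_supported"
    for the root user (which always has one), so both count as console-capable."""
    return [
        row["user"]
        for row in parse_report(report_csv)
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true"
    ]


def stale_access_keys(report_csv: str, now: datetime = None, max_age_days: int = 90) -> list:
    """Question 11: (user, key slot, age in days) for active keys rotated more than
    `max_age_days` ago. Inactive keys are skipped; their last_rotated column is N/A."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in parse_report(report_csv):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


if __name__ == "__main__":
    print("no MFA:", users_without_mfa(SAMPLE_REPORT))
    print("stale keys:", stale_access_keys(SAMPLE_REPORT, REPORT_TIME))
```

Two details the sample is built to show: a service user with no console password (ci-deploy) is not an MFA finding even though mfa_active is false, and a user can have one compliant key and one stale key at the same time because the two key slots rotate independently.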

70

A company processes credit card transactions and must comply with PCI DSS requirements. Customer payment data is stored in Amazon RDS for MySQL. The security team needs to ensure that all automated database snapshots are encrypted at rest using customer-managed encryption keys that are automatically rotated every 365 days. The team wants a fully managed AWS service to create and control these encryption keys. Which AWS service should the company use to meet these requirements?

71

A company has enabled Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scans, and AWS Config for compliance checks. The security team wants a single, centralized dashboard that aggregates all security findings from these services, provides a consolidated security score, and allows them to automate remediation workflows. Which AWS service should the team use?

72

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce a policy that prevents any user, including the root user, in any member account from disabling the 'Block Public Access' setting on Amazon S3 buckets. The policy must be centrally managed and automatically applied to all existing and future member accounts. Which AWS feature should the security team use?

73

A company's security team needs to investigate a potential security incident. They want to determine which IAM user launched a new, unauthorized Amazon EC2 instance two days ago. The team needs to see the exact timestamp, the source IP address, and the instance type that was launched. Which AWS service should the security team use to find this information?

74

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application connects to an Amazon RDS for MySQL database. The database password is currently hardcoded in the application configuration file, and the security team is concerned about the risk of exposure. The company wants to remove the hardcoded credential and instead have the application retrieve the database password securely at runtime. Additionally, the security team requires that the password be automatically rotated every 90 days without any manual intervention or custom scripting. Which AWS service should the company use to meet these requirements?

75

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that no Amazon EC2 instance can be launched with a public IPv4 address in any member account. The team needs a preventive control that centrally blocks the launch action if a public IP is assigned, and the control must automatically apply to all existing and future accounts in the organization. Which AWS feature should the security team use to meet these requirements?

76

A company's security team wants to identify all Amazon S3 buckets that are shared with external AWS accounts or publicly accessible. The team needs a continuous evaluation that reports findings in a centralized dashboard and sends alerts when new unintended external shares are created. Which AWS service should the security team use to meet these requirements?

77

A company uses multiple AWS accounts. The security team wants to enforce two requirements for all Amazon S3 buckets: first, server-side encryption must be enabled using AWS KMS; second, no bucket can be publicly accessible. The team needs a service that continuously monitors the configuration of S3 buckets across all accounts, detects when a bucket violates either requirement, and automatically applies corrective actions (such as enabling default encryption or removing public access). Which AWS service should the security team use to meet these requirements?

78

A company is preparing for a third-party security audit. The auditors require the company to provide up-to-date AWS compliance reports, such as the SOC 2 report and the ISO 27001 certificate, as part of the evidence. The company needs to access these documents from a centralized, self-service portal within their AWS account. They also need to accept the terms and conditions for the reports. Which AWS service should the company use to meet these requirements?

79

A financial services company stores sensitive transaction data in Amazon S3. The company must encrypt the data at rest using keys that are stored in a hardware security module (HSM) validated under FIPS 140-2 Level 3. Additionally, the company requires full control over the key lifecycle, including rotation and deletion, and AWS must not have any access to the keys. Which AWS service should the company use to generate and store the encryption keys?

80

A company stores financial reports in Amazon S3. The security team needs to automatically detect whether any of these reports contain sensitive data, such as personally identifiable information (PII) like credit card numbers or social security numbers. The team wants a fully managed service that continuously scans the S3 buckets and reports findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

81

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce a policy that prevents any user or role in any member account from disabling AWS CloudTrail or deleting CloudTrail log files from Amazon S3. The team needs a solution that is centrally managed from the management account and applies to all current and future member accounts automatically. Which AWS feature should the security team use to meet these requirements?

82

A healthcare startup is migrating its patient records database to Amazon RDS for PostgreSQL. The company must comply with HIPAA and ensure that all protected health information (PHI) is encrypted at rest and in transit. Which task is the company responsible for under the AWS shared responsibility model?

83

A company is expanding its AWS environment from a single account to multiple accounts using AWS Organizations. The security team wants to enforce a baseline set of permissions across all accounts, ensuring that users in any account cannot disable AWS CloudTrail or modify Amazon S3 bucket policies that prevent public access. Which feature of AWS Organizations should the security team use to achieve this control?

84

A company must store sensitive financial records in Amazon S3. The compliance policy mandates that the encryption key for data at rest must be generated and stored on the company's own on-premises hardware security module (HSM). The company must never allow AWS to have access to the plaintext encryption key. Which Amazon S3 encryption option should the company use?

85

A company has multiple IAM users. The security policy requires that every user must have an MFA device assigned and must use it for console sign-in. The security team wants to automatically detect any IAM user that does not have MFA enabled and receive an email alert. Which combination of AWS services should the team use to meet these requirements?

86

A company hosts a web application behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting (XSS), using a managed service that requires no underlying infrastructure management. Which AWS service should they use?

87

A company runs a critical web application on AWS behind an Application Load Balancer. The security team is concerned about the risk of Distributed Denial of Service (DDoS) attacks that could deplete application resources and incur high costs due to auto scaling. The company wants a managed service that provides enhanced DDoS detection, access to the AWS DDoS Response Team (DRT), and financial protection against scaling costs associated with DDoS attacks. Which AWS service should the company use?

88

A healthcare company is migrating its application and patient data to AWS. To meet HIPAA requirements, the compliance officer must review and accept the AWS Business Associate Addendum (BAA). Additionally, the auditor requires the company to provide the latest AWS SOC 2 Type II report. The compliance officer needs a single self-service portal to access both documents directly from AWS. Which AWS service should the company use?

89

A company runs a microservices-based application on Amazon ECS. The application stores database credentials and API keys in plaintext configuration files that are baked into container images. A security audit reveals that this practice violates the company's compliance policy, which mandates that secrets must be stored separately from code, centrally managed, and automatically rotated every 90 days. Which AWS service should the company use to meet these requirements?

90

A financial services company must encrypt all sensitive customer data stored in Amazon S3 using an encryption key that the company manages and rotates annually. The company also needs a complete, tamper-proof record of every time the key is used (including who used it and on which object) to satisfy regulatory audit requirements. Which AWS service should the company use to meet both the key management and audit logging requirements?

91

A company manages 20 AWS accounts under AWS Organizations. The security team wants to ensure that no security group in any account allows unrestricted inbound RDP access (0.0.0.0/0). They need to automatically detect any security group that violates this rule and receive a notification. They also want to track the configuration history of security group changes for forensic analysis. Which AWS service should they use to achieve these requirements?

92

A company's security policy requires that all Amazon S3 buckets have default encryption enabled (SSE-S3 or SSE-KMS). A recent audit found several buckets without encryption enabled. The company wants an automated solution to continuously monitor all existing and new S3 buckets, detect any bucket that does not have default encryption enabled, and automatically remediate by enabling encryption. The solution must also maintain a compliance score and allow the security team to review non-compliant resources. Which AWS service should the company use to meet these requirements?

93

A company operates a global e-commerce website behind Amazon CloudFront. Security analysts have noticed a pattern of SQL injection attempts and cross-site scripting attacks targeting the web application. The company needs a fully managed service that can inspect incoming HTTP(S) requests and block these common web exploits before they reach the application origin. The solution must integrate with CloudFront and allow the security team to author custom rules. Which AWS service should the company use?

94

A company requires all IAM users to have multi-factor authentication (MFA) enabled for AWS Management Console access. The security team needs an automated way to continuously detect any IAM user without an MFA device and generate a compliance report. The solution must not require custom code. Which AWS service should the team use?

95

A financial services company is preparing for an annual compliance audit. The compliance team needs to continuously assess whether their AWS environment adheres to industry standards such as PCI DSS. They want to automate the collection of evidence, such as IAM policy changes and S3 bucket configurations, and generate audit-ready reports. They also need to identify gaps in their controls and receive remediation recommendations. Which AWS service should the company use?

96

A company manages multiple AWS accounts under AWS Organizations. The security team wants to enforce a policy that prohibits launching Amazon EC2 instances of instance families g (GPU) and p (GPU) across all accounts to control costs. The team needs a centralized method to block these instance types at the organization level, and the policy must be applied proactively before any instance is launched. Which AWS solution should the team use?

97

A company's security team wants to continuously monitor their AWS environment for potential security threats such as unusual API calls, traffic from known malicious IP addresses, and anomalous behavior that might indicate a compromised resource. They need a managed threat detection service that uses machine learning to identify suspicious activity and generates detailed findings. The service should integrate with AWS Organizations to monitor multiple accounts and with Amazon CloudWatch Events to trigger automated responses. Which AWS service should the security team use?

98

A financial services company stores confidential transaction records in Amazon S3. The company's compliance policy requires that all data at rest be encrypted using encryption keys that are under the company's full control. The keys must be automatically rotated every year. The company also needs a detailed audit trail of when each key was used and by which AWS principal. Which combination of AWS service and key type should the company use to meet these requirements?

99

A company is migrating a legacy application from an on-premises server to AWS Lambda. The Lambda function needs to connect to an Amazon RDS for MySQL database that stores sensitive customer data. The security team requires that database credentials are never stored in the function's code, environment variables, or configuration files. The solution must follow AWS best practices for securing database access. Which approach should the company use?

100

A company hosts a public-facing web application behind an Application Load Balancer (ALB). The development team has recently identified that the application is vulnerable to common web attacks such as SQL injection and cross-site scripting (XSS). The security team wants to deploy a managed solution that can inspect incoming HTTP requests and block malicious traffic before it reaches the application. The solution must integrate directly with the existing ALB and provide pre-configured rule sets that can be customized. Which AWS service should the company use?

101

A company runs a multi-tier web application on Amazon EC2 instances. The security team wants to continuously monitor the configuration of the EC2 security groups to ensure that no security group allows inbound SSH (port 22) access from the entire internet (0.0.0.0/0). If a security group is modified to allow such access, the company must be automatically notified and provided with a detailed record of the change, including the user who made the change. Which combination of AWS services should the company use to meet these requirements?

102

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a consistent set of security group rules across all accounts. For example, they want to ensure that no security group in any account allows inbound SSH (port 22) from the internet (0.0.0.0/0). If a non-compliant security group is created, the service should automatically remediate by removing the offending rule or by applying a corrective policy. The company wants a managed AWS service that centrally applies these rules and requires no custom scripting. Which AWS service should the security team use?

103

A retail company processes credit card payments and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to obtain an official document from AWS that details the security controls AWS has implemented to support PCI DSS compliance for services such as Amazon RDS and Amazon EC2. The document must be downloadable as a PDF for review and audit purposes. Which AWS service should the compliance officer use to retrieve this document?

104

A company uses an Amazon RDS for PostgreSQL database for its production application. The security policy requires that database passwords be rotated automatically every 90 days. The database credentials are currently stored in a configuration file on an Amazon EC2 instance. The company wants a fully managed AWS service that can securely store the credentials, automatically rotate them on a schedule, and update the RDS instance without requiring code changes to the application. Which AWS service should the company use to meet these requirements?

105

A company runs a web application on an Application Load Balancer (ALB) in the us-east-1 Region. The application serves HTTPS traffic. The company uses a third-party certificate authority to issue SSL/TLS certificates, but these certificates expire every year and require manual renewal. The company wants to use a managed AWS service to automatically provision, renew, and manage the SSL/TLS certificates for the ALB at no additional cost (no extra charge beyond the ALB usage). Which AWS service should the company use?

106

A company uses AWS CloudTrail to log all API calls in their AWS account for compliance and security auditing. Their compliance officer needs to prove to an external auditor that the CloudTrail log files have not been altered or deleted after they were created. The company must use the most cost-effective and built-in AWS feature to detect any tampering with the log files. What should the company enable?

107

A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?

108

A company hosts a critical e-commerce web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team is concerned about Layer 7 attacks, such as SQL injection and cross-site scripting (XSS). They also want to automatically block traffic from known malicious IP addresses. The company needs a managed web application firewall that integrates directly with the ALB. Which AWS service should the company use?

109

A company stores sensitive customer data in Amazon S3. The security policy requires that all objects be encrypted at rest using an encryption key that is automatically rotated every 12 months. The company must retain full control over the key, including the ability to immediately revoke access to the key if a security incident occurs. The security team also needs to audit every use of the key through AWS CloudTrail. Which key management solution should the company choose to meet these requirements?

110

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires a mechanism to prevent any IAM user or role in any member account from modifying Amazon S3 bucket policies to grant public access. The solution must be enforced centrally and cannot be overridden by account administrators. Which AWS feature should the company use?

111

A company's compliance officer needs to provide an external auditor with copies of AWS SOC 2 reports and a PCI DSS attestation of compliance. The officer needs a self-service portal to download these documents directly, without contacting AWS Support. The solution must provide the most current versions of these reports. Which AWS service should the officer use?

112

A company's security team manages AWS accounts for multiple business units using AWS Organizations. The security team needs a single place to view and prioritize all security alerts, including findings from Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer. The team also wants to automatically run continuous compliance checks against industry standards such as the CIS AWS Foundations Benchmark. The solution must provide a consolidated dashboard with automated findings aggregation and compliance score tracking. Which AWS service should the security team choose?

113

A company stores sensitive financial data in an Amazon S3 bucket. The security policy requires that all data must be encrypted in transit. The security administrator discovers that some automated scripts are using HTTP instead of HTTPS to upload files. The administrator must enforce that any request that does not use HTTPS is denied by the S3 bucket policy. Which condition key should the administrator include in the bucket policy to enforce this requirement?

114

A company runs a web application behind an Application Load Balancer (ALB) in a VPC. The application must comply with a security standard that requires encryption in transit for all web traffic. The company needs a service to centrally manage SSL/TLS certificates, automatically renew them, and deploy them to the ALB without manual intervention. Which AWS service should the company use to meet these requirements?

115

A company runs an e-commerce website on AWS and expects a high volume of traffic during Black Friday. The security team is concerned about potential DDoS attacks overwhelming the infrastructure. The company wants a managed service that provides always-on detection and automatic inline mitigation of DDoS attacks at the network and transport layers (layer 3 and 4), as well as cost protection against scaling charges due to DDoS attacks. Which AWS service should the company use?

116

A company's compliance team needs to enforce a policy that all Amazon S3 buckets must have 'Block all public access' enabled. If a bucket is created without this setting, the company wants the policy to be automatically remediated within minutes without manual intervention. The solution must check for compliance continuously and apply the fix automatically. Which AWS service should the company use to meet these requirements?

117

A financial services company is preparing for an annual third-party audit. The auditor has requested a copy of the AWS SOC 2 Type II report to evaluate the security controls of the AWS infrastructure. The company needs to retrieve the report as quickly as possible without raising a support ticket. Which AWS service should they use?

118

A company has a security policy that requires all Amazon EBS volumes attached to production Amazon EC2 instances to be encrypted at rest using customer-managed encryption keys. The policy also mandates that the encryption keys must be automatically rotated every 365 days. The company wants to minimize operational overhead by using a managed AWS service for key management and automatic rotation. Which AWS service should the company use to meet these requirements?

119

A company manages multiple AWS accounts under a single AWS Organizations organization. The security team wants to implement a preventive control that blocks any action that would disable AWS CloudTrail or delete CloudTrail log files across all accounts, including the management account. The solution must be centrally managed and must not require changes to individual account permissions. Which AWS feature should the security team use?

120

A company wants to automatically detect potential security threats such as compromised credentials, unauthorized access attempts, and communication with known malicious IP addresses across its AWS environment. The company has enabled AWS CloudTrail, VPC Flow Logs, and DNS logs. Which AWS service should the company use to continuously analyze these logs and generate actionable security findings without requiring manual setup of data sources?

121

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) at the edge, before the requests reach the application. The company wants to use pre-built rule sets maintained by AWS to quickly enable protection, and the solution should be fully managed with no servers to manage. Which AWS service should the company use?

122

An e-commerce company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer and Amazon CloudFront. The application has been experiencing frequent, large-scale DDoS attacks that cause significant compute and data transfer costs. The company wants to implement a managed DDoS protection service that provides financial protection against scaling costs incurred during DDoS attacks, access to a DDoS Response Team (DRT) for real-time attack mitigation support, and integration with AWS WAF for application-layer attack protection. Which AWS service should the company use to meet these requirements?

123

A company uses multiple AWS accounts within AWS Organizations. The security team needs to automatically check that no Amazon S3 bucket in any account has public read or write access. They want to define a security rule once and have it evaluated continuously across all accounts. The team also needs to view the overall compliance status from a single dashboard. Which AWS service should they use to meet these requirements?

124

A company handles credit card transactions and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to review AWS's PCI DSS compliance reports and also download and sign the AWS Business Associate Addendum (BAA) for HIPAA eligibility. The company wants a single, managed AWS service that provides on-demand access to these compliance documents and agreements. Which AWS service should the compliance officer use?

125

A company has a compliance policy requiring that all data at rest in Amazon S3 be encrypted with a key that is automatically rotated every year. The company wants to manage the encryption keys themselves, maintain control over access policies, and have AWS handle the key rotation automatically. Which AWS service should the company use?

126

A company runs a data analytics application on an Amazon EC2 instance. The application needs to read CSV files from an Amazon S3 bucket to process them. The security team requires that no long-term AWS credentials (access key ID and secret access key) be stored on the instance. The instance is already launched in a private subnet within a VPC. Which solution meets the security requirement and provides the necessary access?

127

A company uses AWS Organizations with multiple accounts. The security team wants to enforce a policy that prevents any user, including account administrators, from creating Amazon S3 buckets that are publicly accessible across the entire organization. The policy must be centrally managed and cannot be overridden by individual account administrators. Which AWS feature should the security team use?

128

A healthcare company is migrating patient records to Amazon S3. The company must comply with HIPAA and needs to automatically identify any S3 buckets that contain protected health information (PHI) and generate alerts. The solution must be fully managed and require no manual effort to scan the data. Which AWS service should the company use?

129

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS for MySQL database. Currently, the database administrator (DBA) hardcodes the database password in the application configuration file. A recent security audit recommends removing the password from the code and implementing automated password rotation every 30 days. The company wants a managed AWS service that can store the password securely and rotate it on a schedule without requiring custom code. Which AWS service should the company use?

130

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to serve traffic over HTTPS to encrypt data in transit between clients and the ALB. The security team requires that the SSL/TLS certificate be automatically renewed before expiration and that AWS manage the entire certificate lifecycle. The company does not want to manually upload or manage private keys. Which AWS service should the company use to meet these requirements?

131

A company manages over 100 AWS accounts using AWS Organizations. The security team wants a centralized service that continuously monitors for malicious or unauthorized behavior across all accounts. The service must analyze AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs to automatically detect threats such as anomalous API calls, crypto-mining activity, and compromised credentials. The security team wants to receive actionable alerts without having to write custom detection rules or manage underlying infrastructure. Which AWS service should the security team use?

132

A company's internal audit team needs to download the latest AWS SOC 2 Type II report and ISO 27001 certificate to include in their compliance documentation for an upcoming external audit. The team requires a centralized, self-service portal where they can access these reports and any other relevant AWS compliance artifacts. They do not want to contact AWS Support or manage any infrastructure to obtain these documents. Which AWS service should the audit team use?

133

A company uses multiple AWS accounts to store data in Amazon S3. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled. The team needs a service that can continuously monitor all S3 bucket configurations across all accounts, automatically detect any bucket that does not have encryption enabled, and automatically apply the encryption setting to bring the bucket into compliance. Which AWS service should the team use?

134

A company hosts a public-facing web application on Amazon EC2 instances behind an Application Load Balancer. The security team has noticed an increase in volumetric distributed denial-of-service (DDoS) attacks targeting the application's IP address. The company wants a managed AWS service that provides automatic, always-on protection against common network-layer DDoS attacks at no additional cost. Which AWS service should the company use?

135

A company's security policy prohibits opening SSH (port 22) or RDP (port 3389) to the internet for any Amazon EC2 instance. The operations team needs a way to establish secure shell sessions to manage instances directly from the AWS Management Console without managing bastion hosts or SSH keys. Which AWS service provides this capability?

136

A company stores sensitive financial reports in an Amazon S3 bucket. The company's security policy mandates that all objects be encrypted at rest using an AWS KMS customer-managed key. The security team wants to ensure that only the 'Auditors' IAM role can decrypt the objects, even though the S3 bucket policy allows read access to a broader set of users. Which of the following steps must the security team take to enforce this access control?

137

A company stores sensitive customer data in an Amazon S3 bucket. The security team wants to record every GetObject and PutObject API call made against the bucket, including the identity of the caller, the source IP address, and the time of the request. They need to store these records in a separate centralized S3 bucket and analyze them using Amazon Athena for security audits. Which AWS feature should the security team enable?

138

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses a custom domain name and requires HTTPS for all traffic. The security team provisions an SSL/TLS certificate using AWS Certificate Manager (ACM) and associates it with the ALB. Which of the following is an advantage of using ACM over manually managing certificates?

139

A company uses AWS Organizations and manages hundreds of AWS accounts. The security policy requires that all Amazon S3 buckets be encrypted using a specific AWS KMS customer-managed key (CMK). The security team wants to automatically detect any S3 bucket that is not encrypted with the required CMK and automatically apply the correct encryption configuration without manual intervention. Which AWS service should the security team use to implement this automated compliance enforcement?

Watch out for

Common Security and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Security and Compliance domain cover on the CLF-C02 exam?
Security and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How many questions are in this domain?
This page lists all 139 Security and Compliance questions in the CLF-C02 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Security and Compliance questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.