CCNA Security and Compliance Questions

5 of 230 questions · Page 4/4 · Security and Compliance

226 · MCQ · medium

A company's compliance team needs to enforce a policy that all Amazon S3 buckets must have 'Block all public access' enabled. If a bucket is created without this setting, the company wants the policy to be automatically remediated within minutes without manual intervention. The solution must check for compliance continuously and apply the fix automatically. Which AWS service should the company use to meet these requirements?

A. AWS Config with an AWS Config rule and an automatic remediation action
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Identity and Access Management (IAM)

Answer: A

AWS Config can evaluate resource configurations against rules (e.g., 's3-bucket-public-read-prohibited') and automatically trigger a remediation action, such as an SSM Automation document, to fix non-compliant resources like S3 buckets without manual intervention. This matches the requirement.

Why this answer

AWS Config can continuously evaluate the configuration of S3 buckets against a managed rule like 's3-bucket-public-read-prohibited' or 's3-bucket-public-write-prohibited'. When a noncompliant bucket is detected, AWS Config can automatically trigger a remediation action using an AWS Systems Manager Automation document (e.g., 'AWS-DisableS3BucketPublicReadWrite') to enable 'Block all public access' within minutes, without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance and remediation capabilities with CloudTrail's logging or GuardDuty's threat detection, failing to recognize that only AWS Config provides continuous evaluation with automatic remediation actions.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence; it does not evaluate resource compliance against internal policies or perform automated remediation. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot continuously check compliance or automatically remediate misconfigurations; it only provides logs for post-event analysis. Option D is wrong because AWS Identity and Access Management (IAM) manages user permissions and access control, but it does not monitor or enforce S3 bucket-level configuration settings like public access blocks.

227 · MCQ · medium

A company has 200 IAM users. The security team needs to automatically verify that every IAM user has enabled multi-factor authentication (MFA) for console access. They also need to receive a notification whenever a new user is created without MFA so they can enforce the policy. Which AWS service should the security team use to meet these requirements?

A. AWS Config
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Trusted Advisor

Answer: A

AWS Config provides managed rules to evaluate the configuration of AWS resources. The 'iam-user-mfa-enabled' rule checks MFA status on every IAM user and can trigger notifications for non-compliant resources.

Why this answer

AWS Config is correct because it provides managed rules like 'iam-user-mfa-enabled' that can continuously evaluate whether all IAM users have MFA enabled. When a new user is created without MFA, AWS Config can trigger an Amazon SNS notification via its compliance change event, meeting both the verification and notification requirements automatically.

Exam trap

The trap here is that candidates confuse CloudTrail's API logging with Config's continuous compliance evaluation and assume that recording user-creation events is enough to enforce MFA. CloudTrail, however, cannot assess resource state or trigger notifications based on compliance status.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because CloudTrail records API calls (e.g., CreateUser) but does not perform ongoing compliance checks or send notifications based on resource state; it is an audit trail, not a configuration compliance evaluator. Option C (Amazon GuardDuty) is wrong because GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not for verifying IAM user MFA settings or sending policy enforcement notifications.

228 · MCQ · medium

A company wants to automatically evaluate its AWS resource configurations against internal security policies. The company has defined rules such as 'EBS volumes must be encrypted' and 'S3 buckets must not be publicly accessible'. They need a service that continuously monitors resource configurations, identifies noncompliant resources, and provides a dashboard of compliance status over time. Which AWS service should the company use?

A. AWS Config
B. Amazon Inspector
C. AWS Trusted Advisor
D. AWS CloudTrail

Answer: A

Correct. AWS Config continuously monitors and records AWS resource configurations and evaluates them against rules you define, such as encryption or public access policies. It provides a compliance dashboard and notifications for noncompliant resources.

Why this answer

AWS Config is the correct service because it continuously monitors and records AWS resource configurations, evaluates them against custom rules (like 'EBS volumes must be encrypted' and 'S3 buckets must not be publicly accessible'), and provides a compliance dashboard that shows historical compliance status over time. It directly addresses the need for automated, ongoing evaluation of resource configurations against internal security policies.

Exam trap

The trap here is confusing AWS Config's configuration compliance monitoring with Amazon Inspector's vulnerability scanning or Trusted Advisor's best-practice checks, leading candidates to choose a service that does not support custom rule definitions or continuous compliance dashboards.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for evaluating resource configurations against custom security policies. Option C is wrong because AWS Trusted Advisor provides best-practice recommendations based on AWS Well-Architected Framework checks, but it does not allow you to define custom rules or continuously monitor compliance against your own internal security policies. Option D is wrong because AWS CloudTrail records API activity and provides audit logs of actions taken on AWS resources, but it does not evaluate resource configurations for compliance or provide a compliance dashboard.

229 · MCQ · medium

A company uses multiple AWS accounts within AWS Organizations. The security team needs to automatically check that no Amazon S3 bucket in any account has public read or write access. They want to define a security rule once and have it evaluated continuously across all accounts. The team also needs to view the overall compliance status from a single dashboard. Which AWS service should they use to meet these requirements?

A. AWS Config
B. AWS Trusted Advisor
C. Amazon Inspector
D. AWS Shield

Answer: A

AWS Config provides continuous monitoring and evaluation of resource configurations against desired policies. It supports multi-account aggregation via AWS Organizations, allowing you to apply rules centrally and view compliance across all accounts.

Why this answer

AWS Config is the correct service because it provides managed rules (such as 's3-bucket-public-read-prohibited' and 's3-bucket-public-write-prohibited') that can be defined once in a delegated administrator account and automatically evaluated across all member accounts in AWS Organizations. It continuously monitors S3 bucket configurations and aggregates compliance results into a single dashboard (the AWS Config aggregator), meeting the requirement for a unified view of overall compliance status.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates resource configurations against rules) with AWS Trusted Advisor (which provides best-practice checks but lacks custom rule definition and multi-account aggregation), leading them to select Trusted Advisor because it also checks S3 bucket permissions.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks (including S3 bucket permissions) but does not allow you to define custom security rules or continuously evaluate them across all accounts from a single dashboard; it only offers a point-in-time check per account and cannot aggregate results across multiple accounts. Option C is wrong because Amazon Inspector is designed for vulnerability assessment of EC2 instances, container images, and Lambda functions, not for monitoring S3 bucket configurations or public access settings. Option D is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service and has no capability to check S3 bucket public access permissions or provide compliance dashboards for resource configurations.

230 · MCQ · medium

A company is migrating an on-premises MySQL database to Amazon RDS for MySQL. The security team needs to understand their responsibilities under the AWS Shared Responsibility Model. Which of the following tasks is the customer's responsibility?

A. Applying minor version patches to the MySQL database engine
B. Managing the physical security of the data center where the RDS instance is hosted
C. Configuring security group rules to control network access to the database
D. Replacing failed hardware components in the RDS host server

Answer: C

This is correct. Security groups act as virtual firewalls for RDS instances. Configuring inbound and outbound rules to allow only necessary traffic is a customer responsibility under the Shared Responsibility Model.

Why this answer

Under the AWS Shared Responsibility Model, the customer is responsible for configuring security group rules to control network access to the database. Security groups act as a virtual firewall that controls inbound and outbound traffic at the instance level, and the customer must define the rules (e.g., source IP, port 3306 for MySQL) to restrict access appropriately.

Exam trap

The trap here is confusing 'patching the database engine' (which is AWS's responsibility for RDS) with 'configuring network access controls' (which is the customer's responsibility), leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because applying minor version patches to the MySQL database engine is an AWS responsibility under 'Security of the Cloud': AWS manages the RDS service, including automatic minor version upgrades unless the customer explicitly opts out, and the actual patching is performed by AWS. Option B is wrong because managing the physical security of the data center where the RDS instance is hosted is entirely AWS's responsibility under 'Security of the Cloud': AWS controls physical access, surveillance, and environmental controls at its data centers.
