CCNA Security Questions

75 of 230 questions · Page 1/4 · Security topic · Answers revealed

1 · MCQ · easy

Which AWS service allows you to monitor API calls made in your AWS account, including who made the call, from which IP address, and when?

A.Amazon CloudWatch
B.AWS CloudTrail
C.VPC Flow Logs
D.AWS Config
Answer: B

CloudTrail records the API calls made in an account (management events by default; data events such as S3 object-level operations or Lambda invocations must be enabled separately), including who made each call, from what IP address, at what time, on what resource and with what parameters. It is the core audit trail for an AWS account.

Why this answer

AWS CloudTrail is the service that records API activity in your AWS account, capturing details such as the identity of the caller, the source IP address, and the timestamp of each API call. This makes it the correct choice for monitoring who made a call, from where, and when.

Exam trap

The trap here is that candidates often confuse CloudWatch (for monitoring metrics and logs) with CloudTrail (for auditing API calls), because both involve logging, but CloudTrail is specifically designed for recording API activity with caller identity and source IP details.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not for recording API call details like caller identity or source IP. Option C is wrong because VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, not API calls made to the AWS management plane. Option D is wrong because AWS Config evaluates resource configurations and compliance rules, and does not log API call metadata such as who made the call or the source IP address.
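The "who, from where, when" fields the question is about are plain keys in each CloudTrail record, and a responder usually wants them pulled out for a handful of high-risk calls rather than for everything. The following is an added example for this page, not code from AWS or the question bank: it triages a constructed sample log (the account ID 111122223333 is the AWS documentation placeholder, and the list of high-risk calls is a starting point, not an exhaustive one) and reports caller, source IP, time, whether the call succeeded and whether the session was MFA-authenticated.

```python
"""Triage constructed CloudTrail records: who did what, from where, and when.

Added example for this page, not part of the question bank. The records are
constructed for illustration but use the CloudTrail record field names
(eventTime, eventSource, eventName, userIdentity, sourceIPAddress, errorCode).
"""
from datetime import datetime, timezone

# Calls that weaken the audit trail or open data up; a responder reads these first.
HIGH_RISK = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"},
    "iam.amazonaws.com": {"CreateAccessKey", "AttachUserPolicy", "UpdateAssumeRolePolicy"},
}

# Constructed sample log (account ID 111122223333 is the AWS documentation placeholder).
SAMPLE_LOG = {"Records": [
    {   # routine read call, not interesting
        "eventTime": "2024-03-01T09:58:10Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
    },
    {   # logging switched off by an assumed role whose session has no MFA
        "eventTime": "2024-03-01T10:02:44Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE2:alice",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
    {   # failed attempt to rewrite a bucket policy; errorCode is present on failures
        "eventTime": "2024-03-01T10:01:03Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied", "requestParameters": {"bucketName": "finance-exports"},
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
    },
]}


def actor(identity: dict) -> str:
    """ARN of the caller when present, otherwise type:principalId (e.g. for AWSService callers)."""
    return identity.get("arn") or f"{identity.get('type')}:{identity.get('principalId')}"


def mfa_present(identity: dict) -> bool:
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage(log: dict) -> list:
    """Return the high-risk calls as dicts, oldest first, with the who/where/when fields."""
    findings = []
    for rec in log["Records"]:
        if rec["eventName"] not in HIGH_RISK.get(rec["eventSource"], ()):
            continue
        findings.append({
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "who": actor(rec["userIdentity"]),
            "from_ip": rec["sourceIPAddress"],
            "what": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "target": rec.get("requestParameters", {}),
            "succeeded": "errorCode" not in rec,   # CloudTrail records denied calls too
            "mfa": mfa_present(rec["userIdentity"]),
        })
    return sorted(findings, key=lambda f: f["when"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        status = "ok" if f["succeeded"] else "DENIED"
        print(f"{f['when']:%Y-%m-%d %H:%M:%S}  {f['what']:<24} {status:<7} "
              f"by {f['who']} from {f['from_ip']} mfa={f['mfa']}")
```

Two details worth noticing: denied calls are logged with an `errorCode`, so a failed PutBucketPolicy is still evidence, and the MFA flag lives in `sessionContext.attributes` for role sessions, which is where you check whether an admin action was taken from an MFA-backed session.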

2 · MCQ · medium

A company uses AWS CloudTrail to log all API calls in their AWS account for compliance and security auditing. Their compliance officer needs to prove to an external auditor that the CloudTrail log files have not been altered or deleted after they were created. The company must use the most cost-effective and built-in AWS feature to detect any tampering with the log files. What should the company enable?

A.Enable CloudTrail log file integrity validation
B.Enable server-side encryption for the CloudTrail log file S3 bucket using SSE-KMS
C.Configure CloudTrail to send logs to CloudWatch Logs and set a metric filter for changes
D.Enable multi-factor authentication (MFA) delete on the S3 bucket
Answer: A

Correct. Log file integrity validation uses hash-based digital signatures to verify that CloudTrail log files have not been modified or deleted after they were delivered to the S3 bucket. It is a built-in, cost-effective feature designed for this purpose.

Why this answer

CloudTrail log file integrity validation delivers, every hour, a digest file that lists each log file delivered in that hour with its SHA-256 hash and records the hash of the previous digest, forming a hash chain. Each digest is signed with an AWS private key; the matching public key is published through the CloudTrail ListPublicKeys API, so the chain can be verified independently (the `aws cloudtrail validate-logs` command does this for you). This lets you prove that log files have not been modified or deleted after delivery, at no charge beyond storing the digest files, which is exactly what the compliance officer needs to show an external auditor.

Exam trap

The trap here is that candidates confuse encryption (which protects confidentiality) with integrity validation (which proves data has not been altered), leading them to choose SSE-KMS or MFA delete instead of the built-in, cost-free integrity validation feature.

How to eliminate wrong answers

Option B is wrong because server-side encryption with SSE-KMS protects the confidentiality of log files at rest, but does not provide any mechanism to detect tampering or prove that the files have not been altered after creation. Option C is wrong because sending logs to CloudWatch Logs and setting a metric filter can alert on changes or patterns, but it does not provide cryptographic proof of integrity or a verifiable chain of custody for the log files. Option D is wrong because MFA delete on the S3 bucket prevents unauthorized deletion of objects, but it does not detect or prove that existing log files have been altered or tampered with after they were written. A practical caveat: integrity validation detects tampering after the fact; pair it with controls that prevent it, such as S3 Object Lock or MFA delete on the log bucket, a bucket policy that denies deletes, and delivery of the trail to a separate security account.
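To make the hash chain concrete, here is an added example for this page (not AWS's validate-logs implementation): an in-memory stand-in for the S3 bucket holds constructed log files and two chained digests built with the field names CloudTrail digests use, and a verifier walks the chain backwards from the newest digest, flagging modified or missing log files and modified or missing earlier digests. Real digests and logs are gzipped, and each digest carries an RSA signature in its S3 object metadata; that signature check is deliberately left out here and should be done with the public key from `aws cloudtrail list-public-keys`, or by simply running `aws cloudtrail validate-logs`.

```python
"""Walk a CloudTrail-style digest chain and flag log files whose SHA-256 no longer
matches the hash the digest recorded for them.

Added example for this page; it is not AWS's validate-logs implementation.
The bucket is a constructed in-memory stand-in for S3, and the digest documents
are constructed with the field names CloudTrail digests use (logFiles[].s3Object,
logFiles[].hashValue, previousDigestS3Object, previousDigestHashValue).
Signature verification of each digest is intentionally omitted.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_digest(bucket: dict, key: str, log_keys: list, previous_key) -> None:
    """Record the hash of each listed log file plus the hash of the previous digest."""
    digest = {
        "awsAccountId": "111122223333",          # AWS documentation placeholder account
        "digestS3Bucket": "audit-logs",
        "digestS3Object": key,
        "logFiles": [{"s3Bucket": "audit-logs", "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(bucket[k])} for k in log_keys],
        "previousDigestS3Object": previous_key,   # None at the start of the chain
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(bucket[previous_key]) if previous_key else None,
    }
    bucket[key] = json.dumps(digest, sort_keys=True).encode()


def verify_chain(bucket: dict, latest_digest_key: str) -> list:
    """Follow previousDigestS3Object links back to the chain start; return (problem, key) pairs."""
    problems = []
    key = latest_digest_key
    while key is not None:
        if key not in bucket:
            problems.append(("missing-digest", key))
            break
        digest = json.loads(bucket[key])
        for entry in digest.get("logFiles", []):
            obj = entry["s3Object"]
            if obj not in bucket:
                problems.append(("missing-log", obj))
            elif sha256_hex(bucket[obj]) != entry["hashValue"]:
                problems.append(("modified-log", obj))
        prev = digest.get("previousDigestS3Object")
        if prev is not None and prev in bucket and sha256_hex(bucket[prev]) != digest.get("previousDigestHashValue"):
            problems.append(("modified-digest", prev))
        key = prev
    return problems


def build_sample_bucket() -> dict:
    """Constructed bucket: three log files covered by two chained digests."""
    bucket = {
        "logs/1.json": b'{"Records":[{"eventName":"ConsoleLogin","eventTime":"2024-03-01T09:00:00Z"}]}',
        "logs/2.json": b'{"Records":[{"eventName":"RunInstances","eventTime":"2024-03-01T09:30:00Z"}]}',
    }
    write_digest(bucket, "digests/1.json", ["logs/1.json", "logs/2.json"], None)
    bucket["logs/3.json"] = b'{"Records":[{"eventName":"StopLogging","eventTime":"2024-03-01T10:02:44Z"}]}'
    write_digest(bucket, "digests/2.json", ["logs/3.json"], "digests/1.json")
    return bucket


if __name__ == "__main__":
    bucket = build_sample_bucket()
    print("intact:", verify_chain(bucket, "digests/2.json"))
    # An insider scrubs the StopLogging event; the hash recorded in digest 2 no longer matches.
    bucket["logs/3.json"] = b'{"Records":[]}'
    print("tampered:", verify_chain(bucket, "digests/2.json"))
```

The chain is what makes deletion detectable: a log file that disappears is still named in a digest, and a digest that disappears breaks the link from its successor. Deleting the newest digest before anyone has seen it is the one gap, which is why the digests themselves need the same write-once protection as the logs.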

3 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce a policy that prevents any user, including account administrators, from creating Amazon S3 buckets that are publicly accessible across the entire organization. The policy must be centrally managed and cannot be overridden by individual account administrators. Which AWS feature should the security team use?

A.AWS Config rules with auto-remediation
B.Service Control Policies (SCPs) in AWS Organizations
C.AWS Identity and Access Management (IAM) policies with a Deny effect
D.Amazon Macie with automated response
Answer: B

SCPs are a type of organization policy that specifies the maximum permissions available to member accounts. They apply to every user and role in a member account, including that account's root user, and no IAM policy inside the account can override them; note that they do not apply to the management account. Because an SCP cannot inspect the contents of a bucket policy to decide whether it grants public access, the usual pattern is to turn on S3 Block Public Access at the account level and attach an SCP that denies the calls that would switch it off (for example s3:PutAccountPublicAccessBlock), so that no administrator in the organization can make a bucket public.

Why this answer

Service Control Policies (SCPs) in AWS Organizations are the correct choice because they allow the security team to centrally define a policy that denies the creation of publicly accessible S3 buckets across all accounts in the organization. SCPs apply to all users, including account administrators, and cannot be overridden by any IAM policy or local account permissions, ensuring organization-wide enforcement.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM Deny effects can be centrally managed and enforced across accounts, but IAM policies are account-scoped and can be overridden by local administrators, whereas SCPs operate at the organization level and are non-overridable.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with auto-remediation can detect and fix non-compliant resources after creation, but they do not prevent the action from being taken in the first place and can be overridden by account administrators with sufficient permissions. Option C is wrong because IAM policies with a Deny effect are account-specific and can be overridden by account administrators who have full control over IAM in their own accounts, failing the requirement for central management and non-overridability. Option D is wrong because Amazon Macie is a data security service that discovers and protects sensitive data, not a policy enforcement mechanism for preventing bucket creation.

4 · MCQ · medium

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits, including SQL injection and cross-site scripting (XSS). The solution must integrate directly with the ALB and allow custom rules to be defined. Which AWS service should the company use?

A.AWS WAF
B.AWS Shield Advanced
C.Security Groups
D.AWS Firewall Manager
Answer: A

AWS WAF is a web application firewall that protects against common web exploits like SQL injection and XSS. It integrates directly with ALB and allows custom rules to be defined.

Why this answer

AWS WAF is a web application firewall that integrates directly with an Application Load Balancer to filter and monitor HTTP(S) requests. It provides managed rules to block common web exploits such as SQL injection and cross-site scripting (XSS), and allows you to define custom rules using conditions like IP addresses, HTTP headers, and URI strings. This makes it the correct choice for protecting the ALB-hosted application against these specific threats.

Exam trap

The trap here is that candidates confuse AWS Shield (DDoS protection: Layer 3/4 for Shield Standard, with application-layer DDoS mitigation and bundled WAF usage for Shield Advanced) with AWS WAF, the Layer 7 rule engine that actually inspects requests, or they assume Security Groups can inspect application-layer traffic when they only filter by IP address, protocol and port.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced is a DDoS protection service: it adds detection, response support and cost protection for volumetric and application-layer DDoS attacks, and although it includes AWS WAF usage for protected resources at no additional charge, the inspection of HTTP requests for SQL injection or XSS and the custom rules come from WAF, not from Shield itself. Option C is wrong because Security Groups act as a stateful firewall at the instance or ENI level, filtering traffic by IP address, protocol (TCP/UDP) and port; they cannot inspect application-layer payloads or block specific web exploits like SQL injection or XSS. Option D is wrong because AWS Firewall Manager centrally deploys and audits WAF web ACLs, Shield protections, security groups and Network Firewall policies across the accounts of an organization; it manages WAF rather than inspecting traffic itself, and the question asks for the service that integrates with the ALB and defines the rules.

5 · MCQ · easy

According to the AWS Shared Responsibility Model, for which of the following is the customer ALWAYS responsible, regardless of the AWS service used?

A.Physical security of the data center
B.Patching the underlying hypervisor
C.Customer data and its classification
D.Network infrastructure management
Answer: C

Customer data ownership and responsibility never transfers to AWS — the customer always decides what data to store, how to classify it, who can access it, and whether to encrypt it.

Why this answer

Under the AWS Shared Responsibility Model, the customer is always responsible for customer data and its classification, regardless of the service used. This includes deciding what data to store, how it is encrypted, and how access controls are configured. AWS never assumes responsibility for the content or classification of customer data, as this is entirely under the customer's control.

Exam trap

The trap here is that candidates often confuse operational responsibilities (like patching or network management) with customer-owned data governance, leading them to select options that AWS actually manages under the 'Security of the Cloud' pillar.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is AWS's responsibility, not the customer's, as part of the 'Security of the Cloud' under the shared model. Option B is wrong because patching the underlying hypervisor is managed by AWS, as it is part of the virtualization infrastructure that the customer does not have access to. Option D is wrong because network infrastructure management, including routers, switches, and the AWS global network backbone, is AWS's responsibility; the customer only manages their own virtual network configurations (e.g., VPCs, subnets, security groups).

6 · MCQ · easy

Which IAM feature allows you to grant temporary, limited access to AWS resources for users who don't have AWS accounts, such as third-party contractors?

A.IAM Groups
B.IAM Roles with cross-account access
C.IAM password policies
D.Service Control Policies (SCPs)
Answer: B

IAM Roles with STS AssumeRole grant temporary credentials to external identities without requiring permanent IAM users, with fine-grained permissions and automatic expiration.

Why this answer

IAM Roles with cross-account access allow you to grant temporary, limited permissions to users from another AWS account or external identity providers (e.g., third-party contractors) without creating IAM users for them. The role is assumed via AWS Security Token Service (STS), which issues temporary credentials that expire after a defined duration, ensuring least-privilege access.

Exam trap

The trap here is that candidates often confuse IAM Roles with cross-account access with IAM Groups, thinking groups can be used to grant permissions to external users, but groups only apply to IAM users within your own account.

How to eliminate wrong answers

Option A is wrong because IAM Groups are used to organize IAM users within your own AWS account and assign permissions collectively; they cannot grant access to users who don't have AWS accounts. Option C is wrong because IAM password policies only enforce password complexity and rotation rules for IAM users in your account; they do not provide any mechanism for granting temporary access to external users. Option D is wrong because Service Control Policies (SCPs) are used in AWS Organizations to set permission guardrails for member accounts, not to grant temporary access to individual users or contractors.
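Two details of the role-based approach matter in practice and are not visible in the question: the trust policy should carry an `sts:ExternalId` condition when the contractor is a third party that serves many customers (otherwise another of their customers could trick them into assuming your role, the confused-deputy problem), and the credentials STS hands back carry an explicit expiry. The following is an added example for this page, not code from AWS or the question bank; the account IDs, role name and external ID are placeholders, and the STS call at the bottom is only issued when run with credentials present.

```python
"""Contractor access through a role, not a user: the trust policy with the
controls that make cross-account AssumeRole safe, and the STS call that mints
temporary credentials.

Added example for this page. Account IDs, the role name and the external ID are
placeholders; the boto3 call only runs when this file is executed as a script.
"""
import json


def contractor_trust_policy(contractor_account: str, external_id: str = None,
                            require_mfa: bool = True) -> dict:
    """Trust policy for a role that principals in the contractor's own account may assume."""
    condition = {}
    if external_id:
        # Confused-deputy defence: the contractor must present the agreed ExternalId, so a
        # different customer of theirs cannot steer them into assuming *your* role.
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{contractor_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def missing_controls(policy: dict) -> list:
    """Lint a trust policy: report which of the expected safeguards are absent."""
    gaps = []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        if st.get("Principal", {}).get("AWS") == "*":
            gaps.append("wildcard-principal")
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            gaps.append("sts:ExternalId")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            gaps.append("aws:MultiFactorAuthPresent")
    return gaps


def assume_contractor_role(role_arn: str, external_id: str, session_name: str,
                           duration: int = 3600, mfa_serial: str = None, mfa_code: str = None) -> dict:
    """Live STS call (needs credentials). Returns keys that stop working after `duration` seconds."""
    import boto3  # imported here so the offline parts of this file run without boto3 installed
    kwargs = dict(RoleArn=role_arn, RoleSessionName=session_name,
                  ExternalId=external_id, DurationSeconds=duration)
    if mfa_serial:  # required when the trust policy insists on MFA
        kwargs.update(SerialNumber=mfa_serial, TokenCode=mfa_code)
    creds = boto3.client("sts").assume_role(**kwargs)["Credentials"]
    return creds  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    policy = contractor_trust_policy("222233334444", external_id="c0ffee-7f3a-audit-2024")
    print(json.dumps(policy, indent=2))
    print("gaps in a policy without ExternalId or MFA:",
          missing_controls(contractor_trust_policy("222233334444", require_mfa=False)))
```

The ExternalId is not a secret in the password sense (it appears in the trust policy and in CloudTrail), it is an identifier agreed between you and the contractor; what it buys you is that the contractor's tooling has to name the customer on whose behalf it is acting.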

7 · MCQ · medium

A company has enabled Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scans, and AWS Config for compliance checks. The security team wants a single, centralized dashboard that aggregates all security findings from these services, provides a consolidated security score, and allows them to automate remediation workflows. Which AWS service should the team use?

A.AWS Trusted Advisor
B.AWS Security Hub
C.AWS Systems Manager
D.Amazon Detective
Answer: B

AWS Security Hub is the correct service. It provides a comprehensive view of security alerts and compliance status across AWS accounts. It integrates with services like GuardDuty, Inspector and Config, aggregates their findings, generates a consolidated security score, and supports automated remediation through custom actions and EventBridge rules that trigger Lambda functions or Systems Manager Automation documents.

Why this answer

AWS Security Hub is designed to aggregate findings from multiple AWS security services, including GuardDuty, Inspector, and Config, into a single dashboard. It provides a consolidated security score (via the security standards framework) and supports automated remediation through integration with AWS Systems Manager and EventBridge. This makes it the correct choice for centralized security visibility and response.

Exam trap

The trap here is that candidates may confuse AWS Security Hub with AWS Trusted Advisor, thinking both provide security recommendations, but Trusted Advisor lacks the ability to aggregate findings from multiple security services or provide a consolidated security score and automated remediation workflows.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate findings from GuardDuty, Inspector, or Config, nor does it offer a consolidated security score or automated remediation workflows. Option C is wrong because AWS Systems Manager is an operations management service for patching, configuration, and automation of EC2 and on-premises instances, not a security findings aggregator; while it can be used as a target for remediation actions triggered by Security Hub, it does not itself provide a centralized security dashboard or security score. Option D is wrong because Amazon Detective is an investigation service: it builds a behavior graph from GuardDuty findings, CloudTrail and VPC Flow Logs so an analyst can dig into the root cause of a finding, but it does not aggregate findings from Inspector and Config, produce a security score, or run remediation workflows.

8 · MCQ · medium

An organization needs to sign a Business Associate Agreement (BAA) with AWS to run applications that process Protected Health Information (PHI) under HIPAA. Which statement about AWS and HIPAA is accurate?

A.AWS is HIPAA certified, meaning all AWS services automatically comply with HIPAA
B.AWS will sign a BAA for eligible services, and customers are responsible for configuring services to meet HIPAA requirements
C.PHI cannot be stored in the cloud because cloud environments are inherently non-compliant with HIPAA
D.HIPAA compliance is automatic once a BAA is signed with AWS
Answer: B

AWS signs BAAs for HIPAA-eligible services. The Shared Responsibility Model applies — AWS secures the infrastructure, customers must configure encryption, access controls, and audit logging per HIPAA requirements.

Why this answer

AWS does not have a blanket HIPAA certification; instead, it provides a Business Associate Agreement (BAA) for specific services listed in its HIPAA Eligible Services Reference. Customers must sign a BAA with AWS and then configure those eligible services (e.g., enabling encryption, access controls, logging) to meet their own HIPAA compliance obligations. This shared responsibility model means AWS is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

Exam trap

The trap here is that candidates assume signing a BAA automatically makes the entire AWS environment HIPAA-compliant, ignoring the shared responsibility model and the need to configure services correctly.

How to eliminate wrong answers

Option A is wrong because AWS is not 'HIPAA certified' as a whole; HIPAA compliance is not a certification but a regulatory framework, and only specific AWS services are eligible for a BAA, not all services. Option C is wrong because PHI can be stored in the cloud if the customer uses AWS services covered by a BAA and configures them correctly, as cloud environments are not inherently non-compliant. Option D is wrong because signing a BAA is a prerequisite, not a guarantee of compliance; the customer must still implement technical and administrative safeguards (e.g., encryption, access controls, audit logging) to meet HIPAA requirements.

9 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to prevent accounts in the 'Development' OU from launching any resources in regions outside of us-east-1 and eu-west-1. Which AWS Organizations feature allows this restriction?

A.IAM permission boundaries
B.Resource-based policies attached to each S3 bucket
C.Service Control Policies (SCPs)
D.AWS Config rules across all accounts
Answer: C

SCPs are applied at the OU or account level in AWS Organizations and act as guardrails on all accounts within the OU. An SCP denying all regions except us-east-1 and eu-west-1 would apply to every account in the Development OU, regardless of their individual IAM policies.

Why this answer

Service Control Policies (SCPs) are the correct AWS Organizations feature because they allow you to centrally control the maximum available permissions for all accounts within an OU. By attaching an SCP that denies all actions in regions other than us-east-1 and eu-west-1, the security team can enforce this restriction across all 'Development' accounts, even if IAM policies within those accounts allow broader access. In practice the SCP is a Deny statement conditioned on aws:RequestedRegion that exempts global services such as IAM, STS, Organizations, Route 53 and CloudFront through NotAction; without that exemption it blocks sign-in and IAM administration for the whole OU.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking that IAM permission boundaries or resource-based policies can enforce cross-account region restrictions, but SCPs are the only mechanism that operates at the organization level to centrally limit permissions for all accounts in an OU.

How to eliminate wrong answers

Option A is wrong because IAM permission boundaries are applied to individual IAM users or roles within a single account, not across multiple accounts in an OU, and they cannot restrict the region where resources are launched at the organization level. Option B is wrong because resource-based policies attached to S3 buckets only control access to those specific S3 buckets, not the ability to launch any resources in other regions. Option D is wrong because AWS Config rules evaluate resource configurations for compliance after resources are created, but they do not prevent the launch of resources in unauthorized regions; they only detect and report non-compliance.
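Questions 3 and 9 both come down to the same mechanism, a Deny statement in an SCP that no IAM policy in a member account can undo, so one added example covers both. The code below is written for this page and is not AWS's policy engine: it holds the two guardrail SCPs in the SCP JSON grammar and a minimal evaluator that implements only the subset they use (Deny statements, Action/NotAction with wildcards, StringNotEquals on aws:RequestedRegion). It assumes the OU also has the default FullAWSAccess SCP attached, that the request does not come from the management account (SCPs never apply there), and that the Delete*PublicAccessBlock API calls are authorized by the Put* permissions listed (check the S3 entry of the IAM service authorization reference before relying on that).

```python
"""Two guardrail SCPs (questions 3 and 9) and a minimal evaluator showing how
they decide a request.

Added example for this page; an illustration of SCP semantics, not AWS's policy
engine. Assumptions: FullAWSAccess is also attached, the caller is in a member
account, and Delete*PublicAccessBlock calls authorize against the Put* actions.
"""
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Question 3: an SCP cannot read a bucket policy to decide whether it grants public
# access, so protect the control that blocks public access instead. Block Public Access
# still has to be switched on in each account; this SCP only keeps anyone from switching it off.
DENY_DISABLING_BLOCK_PUBLIC_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectS3BlockPublicAccess",
        "Effect": "Deny",
        "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
        "Resource": "*",
    }],
}

# Question 9: deny everything outside the approved regions, but exempt global services
# whose requests are not tied to the region the caller chose; denying them breaks
# sign-in and IAM administration for the whole OU.
DENY_OTHER_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
                      "support:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, action: str) -> bool:
    """IAM action matching is case-insensitive and '*' is the only wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Only the two string operators the policies above use are modelled."""
    for operator, tests in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in tests.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def scp_denies(policy: dict, action: str, ctx: dict) -> bool:
    """True if any Deny statement in the SCP applies to this action under this request context."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        applies = _matches(st["Action"], action) if "Action" in st else not _matches(st["NotAction"], action)
        if applies and _condition_holds(st.get("Condition"), ctx):
            return True
    return False


def decide(scps: list, action: str, ctx: dict, iam_allows: bool) -> str:
    """SCPs never grant: a call must be allowed by IAM and not denied by any SCP in the path."""
    if any(scp_denies(p, action, ctx) for p in scps):
        return "DENY (SCP)"
    return "ALLOW" if iam_allows else "DENY (IAM)"


if __name__ == "__main__":
    guardrails = [DENY_DISABLING_BLOCK_PUBLIC_ACCESS, DENY_OTHER_REGIONS]
    for action, region in [("ec2:RunInstances", "ap-southeast-2"), ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "ap-southeast-2"), ("s3:PutAccountPublicAccessBlock", "us-east-1")]:
        verdict = decide(guardrails, action, {"aws:RequestedRegion": region}, iam_allows=True)
        print(f"{action:<34} {region:<16} {verdict}")
```

The last line of `decide` is the point the exam is testing: an SCP is a filter on what IAM may grant, never a grant itself, which is why an account administrator with AdministratorAccess still cannot perform an action their OU's SCP denies.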

10 · MCQ · easy

A company's public-facing web application is being attacked with SQL injection and cross-site scripting (XSS) attempts. Which AWS service should they deploy to detect and block these web application attacks?

A.AWS Shield Standard
B.Amazon GuardDuty
C.AWS WAF
D.Amazon Inspector
Answer: C

AWS WAF is a web application firewall that inspects HTTP/HTTPS requests and applies rules to block attacks including SQL injection and XSS. AWS Managed Rules provide pre-built protections for common OWASP Top 10 attacks.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It allows you to create custom rules to filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, or request body patterns, and can block malicious traffic before it reaches your application.

Exam trap

The trap here is that candidates often confuse AWS Shield (DDoS protection) with AWS WAF (web application firewall), but Shield operates at Layer 3/4 and cannot inspect or block application-layer payloads like SQL injection or XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides always-on protection against DDoS attacks at the network and transport layers (Layer 3/4), not against application-layer attacks like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not actively block web application attacks at the HTTP request level. Option D is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not a runtime web application firewall that can inspect and block HTTP requests.

11 · MCQ · medium

Which AWS service provides centralized governance and compliance across multiple AWS accounts in an organization?

A.AWS IAM
B.AWS Config
C.AWS Organizations
D.Amazon Macie
Answer: C

AWS Organizations provides centralized multi-account governance, SCPs, and consolidated billing.

Why this answer

AWS Organizations is the correct service because it provides centralized governance and compliance across multiple AWS accounts by enabling you to create a hierarchy of accounts with Service Control Policies (SCPs) that centrally control permissions. SCPs allow you to enforce compliance rules, such as restricting the use of specific AWS services or regions, across all accounts in the organization without requiring individual account-level configuration.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation capabilities with centralized governance, but AWS Config is a detective service that reports on compliance after resources are created, whereas AWS Organizations provides preventive governance through SCPs that block non-compliant actions before they occur.

How to eliminate wrong answers

Option A is wrong because AWS IAM is an identity and access management service that controls permissions for individual users, groups, and roles within a single AWS account, not across multiple accounts in an organization. Option B is wrong because AWS Config is a service that evaluates and records resource configurations for compliance within individual accounts or across accounts via aggregators, but it does not provide centralized governance or policy enforcement across accounts—it is a detective tool, not a preventive one. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data in Amazon S3, and it does not provide governance or compliance controls across multiple accounts.

12 · MCQ · medium

A financial services company stores sensitive transaction data in Amazon S3. The company must encrypt the data at rest using keys that are stored in a hardware security module (HSM) validated under FIPS 140-2 Level 3. Additionally, the company requires full control over the key lifecycle, including rotation and deletion, and AWS must not have any access to the keys. Which AWS service should the company use to generate and store the encryption keys?

A.AWS Key Management Service (KMS) with a customer managed key
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Certificate Manager (ACM)
Answer: B

AWS CloudHSM provides single-tenant HSMs validated at FIPS 140-2 Level 3. AWS manages the hardware, firmware and availability of the cluster, but it has no access to the keys: only the customer's HSM crypto users can create, use, rotate or delete them, so the customer has full control over the key lifecycle.

Why this answer

AWS CloudHSM is the correct choice because it provides dedicated hardware security modules (HSMs) that are validated under FIPS 140-2 Level 3, allowing you to generate and store encryption keys entirely within the HSM. With CloudHSM, AWS has no access to your keys, and you retain full control over key lifecycle operations such as rotation and deletion, meeting the strict compliance and security requirements of the financial services company.

Exam trap

The trap here is that candidates equate KMS customer managed keys with exclusive control. With KMS the customer controls key policies and lifecycle through the KMS API, but the key material lives in a multi-tenant HSM fleet that AWS operates and the customer cannot exclude AWS from administering the service; CloudHSM gives the customer a single-tenant cluster in which only their own HSM users can see or use the keys.

How to eliminate wrong answers

Option A is wrong because AWS KMS with a customer managed key runs on a multi-tenant HSM fleet that AWS operates, so the requirement that AWS have no access to the keys is not met; do not hang the answer on validation level, since AWS has since obtained FIPS 140-2 Level 3 validation for the KMS HSMs as well, and the real discriminator is exclusive customer control. Option C is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (like database credentials), not for generating or storing encryption keys in a dedicated HSM, and it does not provide FIPS 140-2 Level 3 validation or full customer control over key lifecycle. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy SSL/TLS certificates, not for generating or storing encryption keys for S3 data at rest, and it does not offer FIPS 140-2 Level 3 HSM-based key storage.

13 · MCQ · medium

A healthcare company is required to encrypt all protected health information (PHI) stored in Amazon S3. The company must maintain control over the encryption keys, rotate them annually, and log all key usage. Which AWS service or feature should they use to meet these requirements?

A.Amazon S3 server-side encryption with Amazon S3-managed keys (SSE-S3)
B.AWS Key Management Service (AWS KMS) with customer managed keys
C.Amazon S3 server-side encryption with customer-provided keys (SSE-C)
D.AWS Certificate Manager (ACM)
Answer: B

With customer managed keys in AWS KMS, the company has full control over the encryption keys, can set automatic key rotation, and can audit key usage through AWS CloudTrail. This matches all stated requirements.

Why this answer

AWS KMS with customer managed keys is correct because it allows the healthcare company to maintain full control over the encryption keys, enforce annual rotation (via automatic or manual key rotation), and log all key usage through AWS CloudTrail. This meets the compliance requirements for protecting PHI in S3 while retaining key management authority.

Exam trap

The trap here is that candidates often confuse SSE-S3 (which is simpler but lacks key control and logging) with the required key management and audit capabilities, or they mistakenly think ACM can be used for S3 encryption when it only handles transport layer security.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon-managed keys, meaning the company cannot control or rotate the keys themselves, and key usage is not logged in CloudTrail. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys outside of AWS, which does not integrate with AWS KMS for rotation or CloudTrail logging of key usage. Option D is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for HTTPS, not encryption of data at rest in S3.

14 · MCQ · medium

A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?

A.Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS)
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-Side Encryption using an on-premises key management system
Answer: C

Correct. SSE-C allows you to provide your own encryption key with each request. AWS uses the key to encrypt/decrypt the data but does not store the key. This meets the compliance requirement that keys are managed entirely by the customer and are never stored by the cloud provider.

Why this answer

SSE-C allows the customer to provide their own encryption keys for server-side encryption of S3 objects. The customer manages the keys entirely, and AWS does not store or manage them, meeting the compliance requirement that encryption keys must never be stored or managed by the cloud provider.

Exam trap

The trap here is that candidates often choose SSE-KMS (Option B) thinking 'customer managed keys' means the customer fully controls the keys, but AWS KMS still stores and manages the key material, which violates the policy that keys must never be stored or managed by the cloud provider.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, where AWS manages the encryption keys, violating the policy that keys must not be stored or managed by the cloud provider. Option B is wrong because SSE-KMS with customer managed keys still stores and manages the keys within AWS KMS, which is a managed service by AWS, thus not meeting the requirement that keys must never be stored or managed by the cloud provider. Option D is wrong because client-side encryption encrypts data before it is sent to S3; while it does use customer-managed keys, it is not a server-side encryption option and does not address the requirement for encryption at rest within S3 itself. Note the practical limit of SSE-C: the key is sent to S3 with every request (over HTTPS), S3 uses it in memory and discards it, and S3 stores only a randomly salted HMAC of the key to validate later requests. If a policy literally requires that key material never reach the provider, only client-side encryption satisfies it.
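The difference between questions 13 and 14 is easiest to see on the wire: with SSE-KMS the PUT names a key by ID and a later GET carries nothing, whereas with SSE-C the key itself is a request header on every PUT, GET, HEAD and COPY, and the customer has to keep it per object. The following is an added example for this page, not code from AWS or the question bank; the header names are the ones S3 documents for SSE-C, the consistency check mirrors the MD5 comparison S3 performs before using a supplied key, and the bucket, object key and KMS key ARN are placeholders (the boto3 calls are shown, not executed).

```python
"""SSE-C on the wire: the key rides on every request, and S3 keeps only a salted
HMAC of it. SSE-KMS references a key by ID and the key material never leaves KMS.

Added example for this page. Header names are the SSE-C request headers S3
documents; bucket, object key and KMS key ARN are placeholders.
"""
import base64
import hashlib
import os

SSE_C_ALGORITHM = "AES256"  # the only algorithm S3 accepts for SSE-C


def generate_ssec_key() -> bytes:
    """A fresh 256-bit key. With SSE-C you store this yourself, per object, for as long as the object lives."""
    return os.urandom(32)


def ssec_headers(key: bytes) -> dict:
    """The three request headers S3 requires on every PUT, GET, HEAD and COPY of an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C keys must be exactly 32 bytes (AES-256)")
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def ssec_headers_consistent(headers: dict) -> bool:
    """The check S3 performs before using the key: the MD5 header must match the supplied key."""
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):   # binascii.Error is a ValueError
        return False
    return (headers.get("x-amz-server-side-encryption-customer-algorithm") == SSE_C_ALGORITHM
            and len(key) == 32 and hashlib.md5(key).digest() == sent_md5)


def ssec_boto3_params(key: bytes) -> dict:
    """boto3 fills in the MD5 header for you; the key itself still has to be passed on every call."""
    return {"SSECustomerAlgorithm": SSE_C_ALGORITHM, "SSECustomerKey": key}


def sse_kms_put_params(kms_key_arn: str) -> dict:
    """SSE-KMS: only the PUT names the key; a later GET carries no key material at all."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn}


if __name__ == "__main__":
    key = generate_ssec_key()
    print(ssec_headers(key))
    # Shown, not executed: the same key must be presented again to read the object back.
    # s3 = boto3.client("s3")
    # s3.put_object(Bucket="txn-archive", Key="2024/03/batch.csv", Body=data, **ssec_boto3_params(key))
    # s3.get_object(Bucket="txn-archive", Key="2024/03/batch.csv", **ssec_boto3_params(key))
    # Contrast: SSE-KMS, where the GET needs nothing beyond kms:Decrypt permission on the key.
    # s3.put_object(Bucket="txn-archive", Key="2024/03/batch.csv", Body=data,
    #               **sse_kms_put_params("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"))
```

The operational consequence is the one the exam does not ask about: losing an SSE-C key loses the object, and rotating one means re-uploading (or copying with new headers), so SSE-C implies a key store of your own with the durability and access logging KMS would otherwise provide.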

15 · MCQ · medium

A company needs to allow inbound HTTPS traffic (port 443) to their EC2 web servers while blocking all other inbound traffic. The solution should be stateful — return traffic for allowed inbound connections should automatically be permitted without additional rules. Which AWS feature provides this?

A.Network Access Control Lists (NACLs)
B.AWS WAF rules
C.Security groups
D.VPC route tables
Answer: C

Security groups are stateful firewalls applied at the instance level. An inbound rule allowing port 443 automatically allows the corresponding return traffic. Only the allowed inbound connections need to be specified.

Why this answer

Security groups act as a stateful virtual firewall for EC2 instances. When you allow inbound HTTPS traffic on port 443, the security group automatically tracks the connection state and permits the corresponding outbound return traffic without requiring an explicit outbound rule. This stateful behavior is inherent to security groups and is the correct choice for the described requirement.

Exam trap

The trap here is that candidates often confuse the stateless nature of Network ACLs with the stateful behavior of security groups, assuming NACLs automatically permit return traffic, which they do not.

How to eliminate wrong answers

Option A is wrong because Network ACLs are stateless, meaning you must explicitly define both inbound and outbound rules to allow return traffic; they do not automatically permit response traffic. Option B is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS requests at the application layer (Layer 7) and does not control network-level stateful traffic filtering or port-based access. Option D is wrong because VPC route tables control the path of network traffic (routing) between subnets and gateways, not the filtering or stateful tracking of individual connections.

16 · MCQ · easy

Which AWS service helps customers understand the compliance programs that AWS has been validated against, such as PCI DSS, HIPAA, and SOC 2?

A.AWS Trusted Advisor
B.AWS Config
C.AWS Artifact
D.AWS Security Hub
Answer: C

AWS Artifact provides self-service download of AWS compliance reports (SOC, PCI, ISO, HIPAA) and agreements (NDA, BAA) for customer audit needs.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS's third-party audit reports, such as the PCI DSS attestation of compliance, the SOC 1, 2 and 3 reports and ISO certifications, as well as agreements such as the BAA. It lets customers download and review the certifications and attestations that AWS has been validated against, directly supporting their own audit and compliance needs.

Exam trap

The trap here is that candidates often confuse services that help with internal compliance posture (like AWS Config or Security Hub) with the service that provides AWS’s own third-party compliance certifications, leading them to pick a wrong answer that sounds compliance-related but does not deliver the actual audit reports.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory tool that inspects your AWS environment and provides recommendations to optimize cost, performance, security, and fault tolerance—it does not provide compliance program validation reports. Option B is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies (e.g., using AWS Config rules), but it does not host or deliver third-party compliance attestations like PCI DSS or SOC reports. Option D is wrong because AWS Security Hub aggregates security findings from multiple AWS services and third-party tools, providing a centralized view of security alerts and compliance status based on standards like CIS, but it does not provide the underlying compliance program validation documents that AWS itself has been audited against.

17
MCQmedium

Which AWS service acts as a centralized firewall for traffic inspection between VPCs, between VPCs and on-premises networks, and for internet traffic?

A.Security Groups
B.Network Access Control Lists (NACLs)
C.AWS Network Firewall
D.AWS WAF
AnswerC

Network Firewall provides centralized, managed stateful packet inspection at the VPC level with domain-based filtering and integration with Firewall Manager for multi-account governance.

Why this answer

AWS Network Firewall is a managed service that provides a centralized firewall to inspect and filter traffic across VPCs, between VPCs and on-premises networks (via AWS Transit Gateway or VPN/Direct Connect), and for internet-bound traffic. It supports stateful and stateless rules, intrusion prevention (IPS), and domain filtering, making it the correct choice for a unified traffic inspection solution.

Exam trap

The trap here is that candidates often confuse AWS Network Firewall with Security Groups or NACLs, thinking those can provide centralized traffic inspection across VPCs and hybrid networks, but they are limited to instance-level or subnet-level filtering and lack the centralized, stateful inspection capabilities required for this use case.

How to eliminate wrong answers

Option A is wrong because Security Groups are stateful virtual firewalls that operate at the instance level (ENI) and cannot inspect traffic between VPCs or between VPCs and on-premises networks; they lack centralized management and do not support traffic inspection for internet-bound traffic across multiple VPCs. Option B is wrong because Network Access Control Lists (NACLs) are stateless, operate at the subnet level, and cannot provide centralized firewall capabilities across VPCs or hybrid connections; they also do not support stateful inspection or advanced threat detection. Option D is wrong because AWS WAF is a web application firewall that protects web applications from common exploits (e.g., SQL injection, XSS) at the application layer (HTTP/HTTPS), not a network-layer firewall for general traffic inspection between VPCs, on-premises, or internet traffic.

18
MCQmedium

A company must encrypt all data at rest stored in Amazon S3 and wants AWS to manage the encryption keys. Which S3 encryption option requires the least operational overhead?

A.SSE-C (Customer-Provided Keys)
B.SSE-KMS (AWS KMS-Managed Keys)
C.SSE-S3 (Amazon S3-Managed Keys)
D.Client-side encryption
AnswerC

SSE-S3 has zero operational overhead — AWS handles all key management transparently. It is the default encryption method for S3 and requires no customer key management.

Why this answer

SSE-S3 uses Amazon S3-managed keys, where AWS fully handles key creation, management, and rotation with no configuration required from the user. This option provides the least operational overhead because you simply enable server-side encryption on the bucket or object, and AWS manages the entire encryption process transparently.

Exam trap

The trap here is that candidates often confuse 'AWS managed keys' with SSE-KMS, assuming KMS is the default AWS-managed option, but SSE-S3 is the true fully managed key service with zero configuration overhead.

How to eliminate wrong answers

Option A is wrong because SSE-C requires you to provide and manage your own encryption keys, including key storage, rotation, and secure transmission, which adds significant operational overhead. Option B is wrong because SSE-KMS uses AWS KMS-managed keys, which still requires you to create, manage, and control key policies, permissions, and key rotation schedules, increasing operational complexity compared to SSE-S3. Option D is wrong because client-side encryption requires you to encrypt data before uploading to S3, manage encryption keys locally, and handle decryption on retrieval, resulting in the highest operational overhead of all options.

19
MCQmedium

A company wants to set up a new multi-account AWS environment with pre-configured security guardrails, a logging account, an audit account, and a predefined structure for creating new accounts — all based on AWS best practices — with minimal manual configuration. Which AWS service provides this automated account setup?

A.AWS CloudFormation StackSets
B.AWS Organizations
C.AWS Control Tower
D.AWS Security Hub
AnswerC

Control Tower automates the entire landing zone setup: creates the management account structure, configures a log archive account, sets up an audit account, and applies mandatory guardrails (preventive SCPs and detective Config rules) following AWS best practices.

Why this answer

AWS Control Tower is the correct answer because it provides a fully automated, best-practices-based setup for a multi-account AWS environment, including pre-configured security guardrails (using Service Control Policies), a logging account, an audit account, and a predefined account structure via Account Factory. This eliminates the need for manual configuration of these foundational components.

Exam trap

The trap here is that candidates often confuse AWS Organizations (which provides the raw capability to manage multiple accounts) with AWS Control Tower (which automates the entire setup with best-practice guardrails and account factory), leading them to pick Organizations as the 'automated' solution when it actually requires significant manual configuration.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets allow you to deploy infrastructure across multiple accounts and regions, but they do not automatically set up the initial multi-account structure, guardrails, or dedicated logging/audit accounts — they require you to manually define and manage the stack instances. Option B is wrong because AWS Organizations provides the underlying organizational hierarchy and policy management (SCPs) but does not include pre-configured guardrails, a logging account, an audit account, or a predefined account creation workflow — it is a building block, not a turnkey solution. Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings from various AWS services (like GuardDuty, Inspector, etc.) but does not automate the setup of a multi-account environment, guardrails, or account structure.

20
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that no Amazon EC2 instance can be launched with a public IPv4 address in any member account. The team needs a preventive control that centrally blocks the launch action if a public IP is assigned, and the control must automatically apply to all existing and future accounts in the organization. Which AWS feature should the security team use to meet these requirements?

A.AWS Config rule with an automatic remediation action that terminates the instance after launch
B.IAM policy with a condition key to deny ec2:RunInstances when a public IP is assigned
C.Service control policy (SCP) in AWS Organizations
D.AWS Firewall Manager security group policy
AnswerC

An SCP can be attached to the root organizational unit (OU) or the entire organization to deny the ec2:RunInstances action when the request includes a parameter for a public IP address (e.g., condition key 'ec2:AssociatePublicIpAddress'). SCPs are preventive policies that apply to all principals (including the root user) in all member accounts, and they are automatically inherited by new accounts added to the organization. This meets all the requirements.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally define the maximum available permissions for all accounts in the organization. By creating an SCP that denies the ec2:RunInstances action when the request includes a public IP address assignment (using the ec2:AssociatePublicIpAddress condition key), you can prevent any EC2 instance from being launched with a public IPv4 address. This control applies automatically to all existing and future member accounts without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, not realizing that SCPs are the only mechanism in AWS Organizations that can centrally and preventively restrict actions across all accounts, including future ones, without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive; they can only trigger remediation after the instance is launched, which does not meet the requirement for a preventive control that blocks the launch action. Option B is wrong because IAM policies are account-specific and cannot be centrally applied to all accounts in an organization; they would need to be deployed individually to each member account, and they do not automatically apply to future accounts. Option D is wrong because AWS Firewall Manager security group policies manage security group rules across accounts, but they do not control the assignment of public IP addresses during EC2 instance launch.

21
MCQmedium

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) at the edge, before the requests reach the application. The company wants to use pre-built rule sets maintained by AWS to quickly enable protection, and the solution should be fully managed with no servers to manage. Which AWS service should the company use?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS WAF
D.AWS Network Firewall
AnswerC

AWS WAF is a fully managed web application firewall that enables customers to monitor and control HTTP(S) requests to their applications. It provides managed rule groups for common threats like SQL injection and cross-site scripting (XSS). The service integrates seamlessly with Application Load Balancers, allowing traffic to be inspected at the edge before reaching the backend instances, and requires no server management.

Why this answer

AWS WAF is a fully managed web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It integrates with Application Load Balancers (ALBs) and allows you to use pre-built, AWS-managed rule sets (e.g., the AWS Managed Rules for SQL injection and XSS) to quickly enable protection at the edge, before traffic reaches the EC2 instances. This meets the requirement for a serverless, managed solution with no infrastructure to maintain.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, mistakenly thinking Shield Advanced handles application-layer attacks like SQL injection, when in fact it focuses on DDoS mitigation at the network and transport layers.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer attacks like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events; it does not actively block or filter web requests at the application layer.

22
MCQhard

A company recently migrated to AWS and needs to ensure their S3 buckets are not publicly accessible. Which combination of controls best prevents accidental public S3 exposure?

A.Enable S3 server-side encryption on all buckets
B.Enable S3 Block Public Access at the account level and use AWS Config to detect violations
C.Enable S3 versioning on all buckets
D.Enable S3 Transfer Acceleration for all buckets
AnswerB

Account-level Block Public Access prevents any bucket from being made public (overrides all bucket policies/ACLs), while Config provides ongoing compliance monitoring to detect any policy drift.

Why this answer

Option B is correct because S3 Block Public Access at the account level provides a centralized, enforceable guardrail that prevents any bucket or object from being made publicly accessible, overriding any bucket-level policies or ACLs. AWS Config can then continuously monitor for configuration violations, such as a bucket policy that grants public access, and trigger remediation or alerts. Together, these controls create a defense-in-depth approach that both prevents accidental exposure and detects non-compliance.

Exam trap

The trap here is that candidates often confuse data protection features (encryption, versioning, acceleration) with access control mechanisms, leading them to select options that secure data in transit or at rest but do not prevent public exposure.

How to eliminate wrong answers

Option A is wrong because S3 server-side encryption protects data at rest but does not control access permissions; a bucket can be encrypted yet still publicly readable. Option C is wrong because S3 versioning preserves object versions and aids in recovery from accidental deletion or overwrites, but it has no effect on public access controls. Option D is wrong because S3 Transfer Acceleration speeds up uploads over long distances using edge locations, but it does not modify or enforce bucket access policies.

23
MCQmedium

A company is deploying an application that processes payment card data. Which AWS compliance program provides assurance that AWS infrastructure meets Payment Card Industry Data Security Standard requirements?

A.SOC 2 Type II
B.PCI DSS Level 1 compliance
C.HIPAA compliance
D.ISO 27001 certification
AnswerB

AWS maintains PCI DSS Level 1 certification (the highest level) for its infrastructure and services. Customers can access AWS's Attestation of Compliance via AWS Artifact to support their own PCI compliance programs.

Why this answer

PCI DSS Level 1 compliance is the highest level of validation for organizations that process payment card data, and AWS has been validated as a Level 1 service provider. This means AWS infrastructure has undergone the required on-site assessments and annual audits to meet the Payment Card Industry Data Security Standard (PCI DSS) requirements, providing assurance for the company's deployment.

Exam trap

The trap here is that candidates often confuse general security certifications (like SOC 2 or ISO 27001) with the specific, mandatory compliance program for payment card data, which is PCI DSS Level 1.

How to eliminate wrong answers

Option A is wrong because SOC 2 Type II reports focus on controls related to security, availability, processing integrity, confidentiality, and privacy, but they do not specifically certify compliance with PCI DSS requirements. Option C is wrong because HIPAA compliance is specific to the healthcare industry and protects protected health information (PHI), not payment card data. Option D is wrong because ISO 27001 certification is a general information security management standard that does not specifically address the 12 requirements of PCI DSS.

24
MCQmedium

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The security team requires that no long-term access keys be stored on the instance. Which IAM feature should be used to grant the EC2 instance permission to access S3?

A.Create an IAM user and embed the access key in the application code
B.Store the access key in an EC2 environment variable
C.Attach an IAM role to the EC2 instance
D.Use an IAM group to assign the permissions to the EC2 instance
AnswerC

An IAM role attached to an EC2 instance (via an instance profile) provides temporary, automatically rotating credentials. The EC2 metadata service delivers these credentials to the application, eliminating the need to store any long-term access keys.

Why this answer

Option C is correct because an IAM role can be attached to an EC2 instance, allowing the instance to obtain temporary security credentials from AWS STS via the instance metadata service. This eliminates the need to store long-term access keys on the instance, satisfying the security team's requirement. The EC2 instance automatically rotates these temporary credentials before they expire, providing secure, programmatic access to the S3 bucket.

Exam trap

The trap here is that candidates may confuse IAM roles with IAM users or groups, thinking that any IAM entity can be attached to an EC2 instance, but only IAM roles support the temporary credential workflow required for secure, keyless access.

How to eliminate wrong answers

Option A is wrong because embedding an IAM user's access key in application code stores long-term credentials on the instance, directly violating the security requirement. Option B is wrong because storing the access key in an EC2 environment variable still persists long-term credentials on the instance, which is insecure and contradicts the no-long-term-keys policy. Option D is wrong because an IAM group is used to manage permissions for IAM users, not for EC2 instances; it cannot be directly attached to an EC2 instance to grant permissions.

25
MCQmedium

A company runs a data analytics application on an Amazon EC2 instance. The application needs to read CSV files from an Amazon S3 bucket to process them. The security team requires that no long-term AWS credentials (access key ID and secret access key) be stored on the instance. The instance is already launched in a private subnet within a VPC. Which solution meets the security requirement and provides the necessary access?

A.Store the AWS access key ID and secret access key in a configuration file on the instance's local disk.
B.Create an IAM role with the required S3 read permissions. Attach the role to the EC2 instance profile.
C.Write a resource-based policy on the S3 bucket that allows access based on the private IP address of the EC2 instance.
D.Create a new IAM user with the required permissions. Store the IAM user's access key and secret key in AWS Systems Manager Parameter Store, and configure the application to retrieve them at runtime.
AnswerB

This is the correct and most secure method. The EC2 instance assumes the IAM role, obtaining temporary, automatically rotated credentials. No long-term secrets are stored on the instance, complying with the security policy.

Why this answer

Option B is correct because it uses an IAM role attached to an EC2 instance profile, which allows the application to obtain temporary AWS credentials via the instance metadata service (IMDS). This eliminates the need to store long-term access keys on the instance, satisfying the security requirement while granting the necessary S3 read permissions.

Exam trap

The trap here is that candidates may think storing credentials in a secure service like Systems Manager Parameter Store (Option D) is sufficient, but it still involves long-term IAM user keys, whereas the IAM role approach provides fully temporary credentials that are automatically rotated and never stored on the instance.

How to eliminate wrong answers

Option A is wrong because storing the AWS access key ID and secret access key in a configuration file on the instance's local disk directly violates the security requirement by persisting long-term credentials. Option C is wrong because S3 bucket policies cannot grant access based on an EC2 instance's private IP address; they support conditions like aws:SourceIp but only for public IPs, and private IPs are not routable or verifiable by S3. Option D is wrong because while it retrieves credentials from Systems Manager Parameter Store at runtime, the IAM user's access key and secret key are still long-term credentials that must be stored or transmitted, and the application would need to manage them, which does not fully eliminate the risk of credential exposure.

26
MCQeasy

Which AWS IAM object should be used to grant permissions to an AWS service (like EC2 or Lambda) to access other AWS services on behalf of the application?

A.IAM User with access keys
B.IAM Group
C.IAM Role
D.IAM Policy
AnswerC

IAM Roles provide temporary credentials to AWS services without long-term access keys. EC2 instances assume the role via instance profile; Lambda has an execution role — the secure way to grant AWS service-to-service permissions.

Why this answer

An IAM Role is the correct AWS identity to grant permissions to an AWS service (e.g., EC2, Lambda) because it provides temporary security credentials via AWS Security Token Service (STS). Unlike IAM Users, roles are designed to be assumed by trusted entities, including AWS services, enabling them to access other AWS resources on behalf of the application without long-lived access keys.

Exam trap

The trap here is that candidates often confuse IAM Policies with IAM Roles, thinking a policy alone can grant permissions to a service, but a policy is just a permission document and must be attached to an identity (like a Role) that the service can assume.

How to eliminate wrong answers

Option A is wrong because an IAM User with access keys is a long-lived identity intended for human users or programmatic access, not for granting permissions to an AWS service; using access keys for services like EC2 or Lambda would require embedding static credentials, which is a security anti-pattern. Option B is wrong because an IAM Group is a container for IAM Users and cannot be directly assigned to an AWS service; groups are used to manage permissions for multiple users, not for service-to-service access. Option D is wrong because an IAM Policy is a document that defines permissions (e.g., JSON policy statements) but is not an identity that can be assumed; a policy must be attached to an IAM User, Group, or Role to grant permissions, and only a Role can be assumed by an AWS service.

27
MCQmedium

A multi-national company needs to ensure their AWS resources in Europe comply with GDPR by keeping all data within EU regions. Which approach ensures data remains in Europe?

A.AWS automatically keeps EU customer data in EU regions without any configuration
B.Deploy resources only in EU AWS Regions and use SCPs to prevent deployment outside EU
C.Enable CloudTrail in all regions to monitor data movement
D.GDPR compliance requires using only AWS GovCloud Regions
AnswerB

Deploying in EU Regions keeps data in the EU (AWS does not replicate data across Regions automatically). SCPs with aws:RequestedRegion conditions enforce that no resources can be created outside approved EU Regions.

Why this answer

Option B is correct because deploying resources only in EU AWS Regions (such as eu-west-1, eu-central-1) combined with Service Control Policies (SCPs) that explicitly deny actions outside those regions ensures data residency. SCPs are organization-level policies in AWS Organizations that can restrict member accounts from launching resources in non-EU regions, providing a preventive control to enforce GDPR data localization requirements.

Exam trap

The trap here is that candidates may confuse detective controls (like CloudTrail or Config) with preventive controls (like SCPs or IAM policies), or mistakenly believe AWS automatically enforces data residency without customer configuration.

How to eliminate wrong answers

Option A is wrong because AWS does not automatically keep EU customer data in EU regions; customers must explicitly choose EU regions for resource deployment, and AWS offers global services (e.g., IAM, Route 53) that may process metadata outside the EU. Option C is wrong because CloudTrail is a detective control that logs API activity but does not prevent data from leaving EU regions; it only provides visibility after the fact. Option D is wrong because AWS GovCloud Regions are designed for US government workloads and compliance (e.g., ITAR, FedRAMP), not for GDPR compliance in Europe, and they are located in the US.
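As an added example that is not part of the quiz or of AWS's own documentation, the two SCPs described in questions 20 and 27 are written out below as one policy document, with a small evaluator for the explicit-Deny logic those statements rely on so the effect of each condition key can be checked offline. The NotAction list of global services is an abbreviated, assumed subset (a real SCP carries the full list), and the evaluator deliberately ignores Resource matching.

```python
import fnmatch
import json

EU_REGIONS = ["eu-west-1", "eu-central-1"]

# Global services report us-east-1 as aws:RequestedRegion, so they must be
# exempted or the Region SCP would also block IAM, Organizations and Route 53.
# Assumed, abbreviated subset for illustration only.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "ec2:DescribeRegions",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Question 20: the key is evaluated on the network-interface
            # resource of RunInstances, hence the Resource ARN.
            "Sid": "DenyPublicIpOnLaunch",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {"Bool": {"ec2:AssociatePublicIpAddress": "true"}},
        },
        {
            # Question 27: deny every regional action outside approved Regions.
            "Sid": "DenyOutsideEU",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}},
        },
    ],
}


def _action_matches(statement, action):
    """Action/NotAction matching with IAM-style '*' wildcards."""
    if "Action" in statement:
        patterns = statement["Action"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        return any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return not any(fnmatch.fnmatchcase(action, p) for p in statement["NotAction"])


def _condition_matches(condition, context):
    """Only the two operators used above are modelled. A positive operator
    (Bool) is false when its key is absent from the request context; a negated
    operator (StringNotEquals) is true when the key is absent."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [wanted] if isinstance(wanted, str) else list(wanted)
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != wanted[0].lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(policy, action, context):
    """Return the Sid of the first matching Deny statement, or None.
    None only means the SCP does not block the call: an SCP sets the
    permission ceiling, and IAM policies in the account still decide."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _action_matches(stmt, action) and _condition_matches(
            stmt.get("Condition", {}), context
        ):
            return stmt["Sid"]
    return None


def evaluate_sample_requests():
    """Constructed request contexts covering the cases the two questions describe."""
    cases = {
        "launch_with_public_ip": ("ec2:RunInstances", {
            "aws:RequestedRegion": "eu-west-1", "ec2:AssociatePublicIpAddress": "true"}),
        "launch_private_in_eu": ("ec2:RunInstances", {
            "aws:RequestedRegion": "eu-central-1", "ec2:AssociatePublicIpAddress": "false"}),
        "bucket_in_us": ("s3:CreateBucket", {"aws:RequestedRegion": "us-east-1"}),
        "iam_global_call": ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
    }
    return {name: scp_denies(SCP, action, ctx) for name, (action, ctx) in cases.items()}


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for name, sid in evaluate_sample_requests().items():
        print(f"{name}: {'DENIED by ' + sid if sid else 'not blocked by SCP'}")
```

The IAM global call passes even though it reports us-east-1, which is exactly why the NotAction exemption list matters when writing a Region-restriction SCP.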

28
MCQmedium

A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

A.AWS Trusted Advisor
B.AWS IAM Access Analyzer
C.AWS Config
D.AWS Service Catalog
AnswerB

IAM Access Analyzer analyzes resource-based policies across supported resources (including S3 buckets) and identifies when access is granted to an external entity, such as an AWS account outside the organization. It provides a centralized console to review findings and can send alerts via AWS Security Hub or Amazon EventBridge. This directly meets the requirement to automatically detect buckets accessible to external accounts.

Why this answer

AWS IAM Access Analyzer helps identify resources shared with external principals by analyzing resource-based policies (such as S3 bucket policies). It can be configured to use a trusted zone (e.g., the AWS Organizations management account or a specific OU) so that any policy granting access to an AWS account outside that zone generates a finding. These findings are aggregated in the IAM Access Analyzer console, providing a centralized dashboard for review.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to monitor resource changes with the specific need to analyze policy content for external access, but Config requires custom Lambda rules or conformance packs to replicate what IAM Access Analyzer does natively.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks (e.g., S3 bucket permissions, security groups) but does not automatically scan all bucket policies across multiple accounts for external access and does not offer a centralized findings dashboard for cross-account policy analysis. Option C is wrong because AWS Config evaluates resource configurations against rules and can detect changes, but it does not natively analyze S3 bucket policies for external account access and does not generate findings specifically for cross-account sharing; it requires custom rules or additional logic. Option D is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured products) and has no capability to scan S3 bucket policies or detect external access.

29
MCQmedium

A security team needs to analyze VPC network traffic to detect anomalies and investigate security incidents. Which AWS service captures and stores network flow data for VPCs?

A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon Inspector
D.Amazon GuardDuty
AnswerB

VPC Flow Logs capture network traffic metadata (IPs, ports, protocols, bytes, action) for all network interfaces in a VPC, essential for network forensics and anomaly detection.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces within a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. This data is stored in Amazon CloudWatch Logs or Amazon S3, enabling security teams to analyze traffic patterns, detect anomalies, and investigate incidents. AWS CloudTrail, Amazon Inspector, and Amazon GuardDuty serve different purposes—auditing API calls, assessing vulnerabilities, and threat detection, respectively—but do not directly capture raw network flow data.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network traffic metadata) with AWS CloudTrail (API activity logs), often selecting CloudTrail because both involve logging, but CloudTrail does not capture network-level flow data.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and user actions within AWS, not network traffic flow data; it captures who did what and when, not the IP packets traversing VPCs. Option C is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, but it does not capture or store ongoing network flow logs. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not itself capture or store the raw flow data—it consumes it from VPC Flow Logs.

30
MCQmedium

A company must maintain audit records of all user actions and configuration changes across their AWS accounts. Which AWS service should they enable to capture this information?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.VPC Flow Logs
AnswerC

CloudTrail records every API call with caller identity, timestamp, source IP, and parameters — enabling complete audit trails for user actions and configuration changes across all AWS accounts.

Why this answer

AWS CloudTrail is the correct service because it records API activity and user actions across AWS accounts, providing a complete audit trail of all management and data plane operations. This includes who made changes, what actions were performed, and when they occurred, which is essential for maintaining audit records of user actions and configuration changes.

Exam trap

The trap here is that candidates confuse AWS Config's resource configuration tracking with CloudTrail's API activity logging, but Config records the 'what' (resource state) while CloudTrail records the 'who, what, when, and how' (API calls and user identity).

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs is designed for monitoring, storing, and accessing log files from applications and AWS services, but it does not natively capture API-level user actions or configuration changes; it requires logs to be sent to it from other sources. Option B is wrong because AWS Config focuses on evaluating and recording resource configuration changes and compliance against rules, but it does not capture user identity or API call details—it records the state of resources, not the actions that changed them. Option D is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol) for network interfaces, not user actions or configuration changes; they are used for network analysis and security, not audit trails of user activity.

31
MCQmedium

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS MySQL database. The application requires database credentials to authenticate. The security team wants to eliminate the practice of storing database credentials in the application code or configuration files. Additionally, the team needs a managed service that can automatically rotate the database credentials on a regular schedule without any manual intervention. Which AWS service should the security team use to store and manage these database credentials?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. AWS Identity and Access Management (IAM) roles
D. AWS Key Management Service (AWS KMS)
Answer: A

AWS Secrets Manager is the correct choice because it is designed specifically for storing secrets (like database credentials) and supports automatic rotation of secrets for Amazon RDS databases without manual effort.

Why this answer

AWS Secrets Manager is the correct choice because it is a managed service specifically designed to store, manage, and automatically rotate database credentials (such as those for Amazon RDS MySQL) on a scheduled basis without manual intervention. It natively integrates with Amazon RDS to rotate credentials, eliminating the need to embed secrets in application code or configuration files, which directly addresses the security team's requirements.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is the key requirement in this question.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store can store database credentials as secure strings, but it does not provide built-in automatic rotation of those credentials; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because AWS Identity and Access Management (IAM) roles are used to grant permissions to AWS resources, not to store or rotate database credentials; database authentication requires credentials (username/password), not IAM roles, unless using IAM database authentication, which is not mentioned and does not eliminate the need for credential storage. Option D is wrong because AWS Key Management Service (AWS KMS) is a managed service for creating and controlling encryption keys, not for storing or rotating database credentials; it can encrypt secrets but does not manage or rotate the secrets themselves.

32
MCQ · medium

Which IAM best practice helps prevent unauthorized access if an IAM user's long-term credentials are compromised?

A. Using IAM roles instead of IAM users
B. Granting least privilege permissions
C. Enabling Multi-Factor Authentication (MFA)
D. Rotating access keys quarterly
Answer: C

MFA requires a second factor, preventing access even when long-term credentials (passwords/access keys) are stolen.

Why this answer

Option C is correct because Multi-Factor Authentication (MFA) adds a second layer of security beyond the password or access key. Even if long-term credentials (e.g., password or access key) are compromised, an attacker cannot access the AWS console or API without the MFA device (e.g., hardware token or virtual TOTP). This directly prevents unauthorized access from credential theft.

Exam trap

The trap here is that candidates confuse 'preventing unauthorized access' with 'limiting damage after compromise' and incorrectly choose least privilege (Option B) or key rotation (Option D), but MFA is the only option that directly blocks the attacker from using stolen credentials at the authentication step.

How to eliminate wrong answers

Option A is wrong because IAM roles issue temporary credentials via AWS STS, which reduces the risk of long-term credential exposure but does not prevent unauthorized access if the role's trust policy is misconfigured or if the user's session is hijacked; MFA is still needed for critical operations. Option B is wrong because least privilege permissions limit the scope of damage after a compromise but do not prevent the initial unauthorized access from stolen credentials. Option D is wrong because rotating access keys quarterly reduces the window of exposure but does not prevent an attacker from using the compromised key until the rotation occurs; MFA provides immediate protection regardless of rotation schedule.

33
MCQ · medium

A company handles credit card transactions and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to review AWS's PCI DSS compliance reports and also download and sign the AWS Business Associate Addendum (BAA) for HIPAA eligibility. The company wants a single, managed AWS service that provides on-demand access to these compliance documents and agreements. Which AWS service should the compliance officer use?

A. AWS Trusted Advisor
B. AWS Config
C. AWS Artifact
D. Amazon Inspector
Answer: C

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports and agreements, including PCI DSS reports and the Business Associate Addendum (BAA). It allows users to review, download, and sign these documents from a single central location.

Why this answer

AWS Artifact is the correct service because it provides on-demand, self-service access to AWS compliance reports (including PCI DSS reports) and agreements such as the Business Associate Addendum (BAA) for HIPAA. It allows the compliance officer to review, download, and sign these documents directly from the AWS Management Console, meeting the requirement for a single managed service.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or Trusted Advisor, thinking those services also handle compliance documents, but they are designed for configuration auditing and best-practice recommendations, not document repository and agreement signing.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and provides recommendations to optimize costs, improve performance, increase security, and close gaps in fault tolerance; it does not provide access to compliance reports or agreements like PCI DSS reports or BAAs. Option B is wrong because AWS Config is a service that evaluates your AWS resource configurations against desired policies and tracks configuration changes over time; it does not host or provide access to compliance documents or agreements.

34
MCQ · medium

A company wants to implement multi-factor authentication for all IAM users across their AWS Organization without requiring individual account administrators to configure MFA for each user. Which approach enables organization-wide MFA enforcement?

A. Enable MFA on the root account only
B. Apply an SCP that denies all actions unless MFA is authenticated
C. Configure IAM password policies to require MFA
D. Enable AWS Config rule to check MFA status
Answer: B

An MFA enforcement SCP at the org root denies all AWS actions when `aws:MultiFactorAuthPresent` is false — IAM users must authenticate with MFA or they can't perform any actions.

Why this answer

Option B is correct because Service Control Policies (SCPs) can be applied at the root or organizational unit level to enforce a condition that denies all AWS API actions unless the request includes multi-factor authentication (MFA). This ensures that every IAM user across the entire AWS Organization must authenticate with MFA before performing any action, without requiring individual account administrators to configure MFA per user.

Exam trap

The trap here is that candidates confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that password policies can enforce MFA at the API level when they only manage device assignment.

How to eliminate wrong answers

Option A is wrong because enabling MFA on the root account only protects the root user, not IAM users; it does not enforce MFA for any other principal in the organization. Option C is wrong because IAM password policies can require an MFA device to be assigned, but they do not enforce MFA at the API call level—users can still make requests without MFA if they have valid access keys or session tokens. Option D is wrong because an AWS Config rule can only detect and report non-compliant MFA status, not actively deny actions; it is a detective control, not a preventive enforcement mechanism.

35
MCQ · easy

What is the principle of least privilege in AWS IAM?

A. Giving all users administrator access to simplify management
B. Granting users only the minimum permissions required to perform their tasks
C. Allowing users to request additional permissions as needed
D. Restricting all access by default and never granting permissions
Answer: B

Least privilege means granting only the permissions necessary for a specific job function.

Why this answer

The principle of least privilege in AWS IAM dictates that users, roles, and services should be granted only the minimum permissions necessary to perform their intended functions. This is implemented by creating fine-grained IAM policies that specify exactly which actions are allowed on which resources, reducing the attack surface and limiting the blast radius of a potential compromise. Option B correctly captures this core security concept.

Exam trap

AWS often tests the principle of least privilege by presenting Option D as a distractor, where candidates confuse 'deny by default' (which is the implicit behavior of IAM) with 'never granting permissions' (which would make the system unusable), leading them to incorrectly select the absolute denial option instead of the balanced minimum-permissions approach.

How to eliminate wrong answers

Option A is wrong because granting all users administrator access violates the principle of least privilege by providing excessive permissions, which increases security risk and contradicts the goal of minimizing access. Option C is wrong because allowing users to request additional permissions as needed describes a process for privilege escalation or just-in-time access, not the principle itself, which focuses on granting only the minimum permissions from the start. Option D is wrong because restricting all access by default and never granting permissions is an extreme interpretation that would prevent any legitimate work; the principle requires granting the minimum necessary permissions, not a complete denial of access.

36
MCQ · easy

Under the AWS Shared Responsibility Model, which scenario correctly demonstrates the customer's responsibility?

A. AWS ensuring the physical data center is protected from unauthorized entry
B. A customer configuring security groups to restrict unnecessary inbound traffic to EC2 instances
C. AWS patching the underlying hypervisor on EC2 hosts
D. AWS ensuring S3 storage hardware is replaced when it fails
Answer: B

Security group configuration is the customer's responsibility — AWS provides the security group mechanism, but configuring appropriate rules is the customer's job.

Why this answer

Option B is correct because configuring security groups to restrict inbound traffic is a customer responsibility under the Shared Responsibility Model. Security groups act as a virtual firewall for EC2 instances, and customers must define rules to control traffic at the instance level. AWS manages the underlying network infrastructure but does not configure customer-specific access controls.

Exam trap

The trap here is that candidates often confuse 'patching the hypervisor' (AWS responsibility) with 'patching the guest OS' (customer responsibility), leading them to incorrectly assign hypervisor patching to the customer under the Shared Responsibility Model.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for physical security of data centers, including controlling physical access, which is part of AWS's responsibility 'Security of the Cloud'. Option C is wrong because patching the hypervisor is an AWS responsibility, as it falls under the underlying infrastructure that customers cannot access or modify. Option D is wrong because AWS handles hardware maintenance and replacement for S3 storage, which is part of the 'Security of the Cloud' where AWS manages the physical components.

37
MCQ · medium

A financial services company is undergoing an external audit. The auditor requests copies of AWS SOC 2, ISO 27001, and PCI DSS compliance reports to validate the company's cloud infrastructure controls. Where can the company's compliance team obtain these reports in a centralized manner?

A. AWS Config
B. AWS Artifact
C. AWS Audit Manager
D. AWS Security Hub
Answer: B

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports, such as SOC, ISO, and PCI DSS, as well as agreements like the Business Associate Addendum (BAA).

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for on-demand access to AWS compliance reports, including SOC 2, ISO 27001, and PCI DSS. The compliance team can download these reports directly without needing to contact AWS support, making it the single source of truth for audit evidence.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Audit Manager, thinking that Audit Manager’s evidence collection feature also provides the raw compliance reports, when in fact Audit Manager only helps you gather your own evidence while Artifact is the sole source for AWS’s pre-existing certifications.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading third-party compliance reports. Option C is wrong because AWS Audit Manager helps automate evidence collection and risk assessment for audits, but it does not host or provide direct access to AWS’s own compliance certifications like SOC 2 or ISO 27001. Option D is wrong because AWS Security Hub aggregates security alerts and compliance status from multiple AWS services, but it does not store or serve downloadable compliance reports such as SOC 2 or PCI DSS.

38
MCQ · medium

A company wants to identify sensitive data (such as PII and credit card numbers) stored in Amazon S3 buckets across their organization. Which AWS service automates this discovery?

A. Amazon Inspector
B. AWS Config
C. Amazon Macie
D. Amazon GuardDuty
Answer: C

Macie uses ML to discover and classify sensitive data in S3 including PII, financial data, and credentials, generating actionable findings.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data stored in Amazon S3. It automatically identifies personally identifiable information (PII), credit card numbers, and other sensitive data types, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse Amazon Macie with Amazon Inspector or GuardDuty because all three are security services, but only Macie is designed for content-aware data discovery and classification of sensitive data in S3.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for discovering sensitive data in S3 buckets. Option B is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, but it does not inspect the content of S3 objects for sensitive data. Option D is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, not for scanning S3 object content for sensitive data.

39
MCQ · easy

Which AWS feature protects S3 buckets from having their versioned objects permanently deleted without multi-factor authentication approval?

A. S3 Block Public Access
B. S3 Object Lock
C. S3 MFA Delete
D. S3 Access Points
Answer: C

MFA Delete requires a valid MFA code to permanently delete versioned objects or suspend versioning, providing an additional layer of protection against accidental or unauthorized permanent deletion.

Why this answer

S3 MFA Delete is the correct answer because it is the specific S3 versioning feature that requires multi-factor authentication (MFA) to permanently delete versioned objects or suspend versioning on a bucket. When enabled, any DeleteObject request that includes a version ID (permanent delete) or a PUT request to suspend versioning must include the x-amz-mfa header with a valid MFA code from a hardware or virtual MFA device. This prevents unauthorized or accidental permanent deletion of object versions, even by users with full S3 permissions.

Exam trap

The trap here is that candidates often confuse S3 Object Lock's WORM protection with MFA Delete, but Object Lock prevents deletion based on time-based retention, not by requiring a second authentication factor, while MFA Delete specifically mandates MFA approval for permanent deletion of versioned objects.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access is a set of settings that prevents public access to S3 buckets and objects, but it has no mechanism to require MFA for deletions or to protect versioned objects from permanent deletion. Option B is wrong because S3 Object Lock provides write-once-read-many (WORM) protection to prevent object deletion or overwrite for a specified retention period, but it does not require MFA authentication for deletion operations; it relies on retention modes (Governance/Compliance) and legal holds. Option D is wrong because S3 Access Points are network endpoints attached to buckets that simplify managing data access at scale, but they do not enforce MFA for deletions and have no role in protecting versioned objects from permanent deletion.

40
MCQ · medium

A company manages multiple AWS accounts under a single AWS Organizations organization. The security team wants to implement a preventive control that blocks any action that would disable AWS CloudTrail or delete CloudTrail log files across all accounts, including the management account. The solution must be centrally managed and must not require changes to individual account permissions. Which AWS feature should the security team use?

A. IAM permission boundaries
B. AWS Service Control Policies (SCPs)
C. AWS Identity and Access Management (IAM) roles with a trust policy
D. AWS Config conformance packs
Answer: B

SCPs are a feature of AWS Organizations that allow you to centrally control the maximum permissions for all accounts in your organization. They can be used to deny specific API actions (such as disabling CloudTrail) across all accounts, including the management account, providing a preventive security guardrail.

Why this answer

AWS Service Control Policies (SCPs) are the correct choice because they allow the security team to define preventive guardrails at the AWS Organizations root, OU, or account level that apply to all principals, including the management account. An SCP can explicitly deny any action that would disable CloudTrail (e.g., cloudtrail:StopLogging, cloudtrail:DeleteTrail) or delete log files (e.g., s3:DeleteObject on the CloudTrail S3 bucket), and because SCPs are inherited by all accounts in the organization, no individual account permission changes are required.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permission boundaries, thinking both can centrally manage permissions across accounts, but SCPs are the only AWS Organizations feature that applies preventive controls to all accounts, including the management account, without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because IAM permission boundaries are applied to individual IAM users or roles within a single account and cannot centrally enforce controls across multiple accounts or the management account; they also do not block actions by the root user or service-linked roles. Option C is wrong because IAM roles with a trust policy only define who can assume a role and do not provide any preventive control to block API actions; they are used for granting cross-account access, not for enforcing organization-wide deny rules.
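Both the MFA guardrail from question 34 and the CloudTrail protection from question 40 are expressed as Service Control Policy statements, so one policy can carry both. The SCP below is an added illustration written for this page; it is not part of the original question bank and not an AWS-published policy. The bucket name is a placeholder for the organization's own CloudTrail log bucket, and `cloudtrail:UpdateTrail` is listed alongside the actions named in the explanation because an update can also redirect or silence a trail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Sid": "ProtectCloudTrailConfiguration",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrailLogObjects",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::placeholder-cloudtrail-log-bucket",
        "arn:aws:s3:::placeholder-cloudtrail-log-bucket/*"
      ]
    }
  ]
}
```

Two details matter when reading the first statement. `BoolIfExists` is used rather than `Bool` because requests signed with long-term access keys carry no `aws:MultiFactorAuthPresent` key at all; with `BoolIfExists` a missing key also matches, so those requests are denied until the user calls `sts:GetSessionToken` with an MFA code and uses the resulting temporary credentials. The `NotAction` list leaves open exactly the IAM calls needed to enrol and resynchronise an MFA device, otherwise a new user could never satisfy the condition. Two caveats a practitioner should keep in mind: SCPs only bound what a member account's principals can do, so the exemptions and the deny lists above are the whole of the policy's effect, and the deny on the log bucket only covers the bucket named in the policy, so the placeholder must be replaced with the real trail bucket before the SCP is attached. Attaching the policy to a test OU first and checking the resulting CloudTrail `AccessDenied` events is the usual way to confirm the exemptions are complete.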

41
MCQ · medium

Which AWS service is used to centrally manage and enforce policies across multiple AWS accounts in an organization, such as restricting which AWS services member accounts can use?

A. AWS IAM policies
B. AWS Organizations with Service Control Policies
C. AWS Config rules
D. Amazon GuardDuty
Answer: B

SCPs applied through AWS Organizations define maximum permission boundaries across all member accounts, providing centralized governance and guardrails.

Why this answer

AWS Organizations with Service Control Policies (SCPs) is the correct service because SCPs enable central governance of the maximum available permissions for all accounts within an organization. SCPs act as a permission guardrail, allowing administrators to restrict which AWS services, actions, and resources member accounts can use, regardless of the IAM policies attached to those accounts. This makes SCPs the appropriate tool for enforcing organization-wide restrictions across multiple accounts.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, not realizing that IAM policies are account-specific and cannot enforce restrictions across multiple accounts, while SCPs provide centralized, organization-wide guardrails without granting permissions themselves.

How to eliminate wrong answers

Option A is wrong because AWS IAM policies are attached to individual IAM users, groups, or roles within a single account and cannot centrally enforce restrictions across multiple AWS accounts in an organization. Option C is wrong because AWS Config rules evaluate resource configurations for compliance against desired policies but do not actively enforce or restrict which services member accounts can use. Option D is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not a policy enforcement mechanism for restricting service usage across accounts.

42
MCQ · medium

A company runs an e-commerce website on AWS and expects a high volume of traffic during Black Friday. The security team is concerned about potential DDoS attacks overwhelming the infrastructure. The company wants a managed service that provides always-on detection and automatic inline mitigation of DDoS attacks at the network and transport layers (layer 3 and 4), as well as cost protection against scaling charges due to DDoS attacks. Which AWS service should the company use?

A. AWS Shield Standard
B. AWS Shield Advanced
C. AWS WAF
D. Amazon GuardDuty
Answer: B

AWS Shield Advanced provides always-on detection and automatic inline mitigation of DDoS attacks at layers 3 and 4 (and layer 7 when integrated with AWS WAF). It also includes cost protection that provides financial coverage against scaling charges (e.g., from EC2 or ELB) incurred during a DDoS attack, as well as 24/7 access to the DDoS Response Team (DRT). This matches all the specified requirements.

Why this answer

AWS Shield Advanced is the correct choice because it provides always-on detection and automatic inline mitigation of DDoS attacks at layers 3 and 4 (network and transport layers), such as SYN floods and UDP reflection attacks. Additionally, it offers cost protection against scaling charges incurred due to DDoS-related usage spikes, which directly addresses the company's concern about financial impact from attack-induced scaling.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic protection) with AWS Shield Advanced (paid, enhanced protection) or mistakenly think AWS WAF can mitigate network-layer DDoS attacks, when in fact WAF only handles application-layer threats.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic protection against common DDoS attacks (e.g., SYN floods) but lacks automatic inline mitigation at layers 3 and 4, and does not include cost protection against scaling charges. Option C is wrong because AWS WAF operates at the application layer (layer 7) to filter HTTP/HTTPS requests based on rules, not at the network or transport layers (layers 3 and 4), and it does not provide automatic inline DDoS mitigation or cost protection against scaling charges.

43
Matching · medium

Match each AWS management tool to its purpose.

Descriptions to match:

Audit API calls and user activity

Monitoring and observability

Track resource configuration changes

Best practice recommendations

Infrastructure as code templates

Why these pairings

Management tools help govern and automate AWS.

44
MCQ · medium

A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?

A. AWS Config
B. AWS Shield
C. AWS CloudTrail
D. AWS WAF
Answer: A

AWS Config offers managed rules like 'iam-user-mfa-enabled' to check MFA compliance. It can automatically trigger a remediation action (e.g., disabling access keys) when a noncompliant user is detected, meeting the requirement for a fully managed solution without custom scripts.

Why this answer

AWS Config is the correct service because it provides managed rules (such as the `iam-user-mfa-enabled` managed rule) that continuously evaluate IAM user configurations against compliance policies. When a user disables or has an inactive virtual MFA device, AWS Config can detect the non-compliant resource and automatically trigger a remediation action via AWS Systems Manager Automation, which can disable the user's access keys without any custom scripts.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging and monitoring capabilities with AWS Config's compliance evaluation and remediation features, mistakenly thinking that CloudTrail can automatically enforce security policies when it only records events for analysis.

How to eliminate wrong answers

Option B (AWS Shield) is wrong because it is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS, and it has no capability to evaluate IAM user MFA status or perform access key remediation. Option C (AWS CloudTrail) is wrong because it is a service for logging API calls and user activity for auditing and governance, but it does not define compliance rules or automatically trigger remediation actions; it only records events that can be used for manual or separate automated analysis.

45
MCQ · medium

A company needs to store database passwords and API keys used by their applications, with automatic rotation and audit logging of access. Which AWS service is purpose-built for this?

A. AWS Systems Manager Parameter Store
B. AWS Key Management Service (KMS)
C. AWS Secrets Manager
D. Amazon S3 with bucket policies
Answer: C

Secrets Manager stores, retrieves, and automatically rotates secrets with native RDS integration, IAM-based access control, and CloudTrail audit logging.

Why this answer

AWS Secrets Manager is purpose-built for securely storing, automatically rotating, and auditing access to database passwords, API keys, and other secrets. It natively supports automatic rotation with built-in integrations for Amazon RDS, Redshift, and DocumentDB, and it logs every secret access call in AWS CloudTrail for audit compliance.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation and audit logging.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store is a hierarchical store for configuration data and secrets, but it does not support automatic rotation of secrets natively (you must build custom rotation logic with Lambda). Option B is wrong because AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys, not for storing or rotating secrets like passwords or API keys. Option D is wrong because Amazon S3 with bucket policies is an object storage service that can store encrypted files but lacks built-in secret rotation, automatic expiration, or native audit logging of secret access events.

46
MCQ · medium

A company must store sensitive financial records in Amazon S3. The compliance policy mandates that the encryption key for data at rest must be generated and stored on the company's own on-premises hardware security module (HSM). The company must never allow AWS to have access to the plaintext encryption key. Which Amazon S3 encryption option should the company use?

A. Server-Side Encryption with S3-Managed Keys (SSE-S3)
B. Server-Side Encryption with AWS Key Management Service (SSE-KMS) using a customer managed key
C. Server-Side Encryption with Customer-Provided Keys (SSE-C)
D. Client-side encryption using the AWS Encryption SDK
Answer: C

SSE-C allows you to provide your own encryption key with each request to S3. S3 uses the key to encrypt data but does not store the key. This meets the requirement that the company manages the key on-premises and AWS never has access to the plaintext key.

Why this answer

SSE-C allows the customer to provide their own encryption key, which is used by S3 to encrypt data at rest. AWS temporarily stores the key in memory during the encryption/decryption process but immediately discards it after use, and the key is never stored persistently on AWS infrastructure. This satisfies the compliance requirement that the key must be generated and stored on the company's own on-premises HSM, and AWS never has access to the plaintext key.

Exam trap

The trap here is that candidates often confuse SSE-KMS with customer managed keys as meeting the 'customer-controlled key' requirement, but they overlook the fact that AWS KMS still stores the key material and has access to it for decryption operations, which fails the 'never allow AWS to have access to the plaintext encryption key' condition.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses AWS-managed keys, where AWS generates, stores, and manages the encryption keys entirely within its infrastructure, violating the requirement that the key must be generated and stored on the company's own on-premises HSM. Option B is wrong because SSE-KMS with a customer managed key still stores the key material within AWS KMS (even if you control key policies and rotation), and AWS has access to the plaintext key material for cryptographic operations, which does not meet the requirement that AWS must never have access to the plaintext encryption key.

47
MCQ · medium

A healthcare company stores sensitive patient data in Amazon S3. The company must comply with a regulation that requires encryption keys to be rotated automatically every 12 months. The security team also needs to use IAM policies to control which users and roles can decrypt specific S3 objects. Which encryption solution should the company use for the S3 objects?

A. Server-side encryption with customer-provided keys (SSE-C)
B. Server-side encryption with AWS KMS managed keys (SSE-KMS) using a customer managed key
C. Client-side encryption using the AWS Encryption SDK
D. Server-side encryption with Amazon S3 managed keys (SSE-S3)
Answer: B

SSE-KMS with a customer managed key allows the company to define IAM and key policies for granular access control. AWS KMS can automatically rotate the key annually (configurable), satisfying the regulation. This is the correct solution.

Why this answer

SSE-KMS with a customer managed key is correct because it allows automatic key rotation every 12 months (configurable via the AWS KMS console) and enables fine-grained access control through IAM policies and key policies. This meets both the regulatory rotation requirement and the security team's need to control decryption of specific S3 objects.

Exam trap

The trap here is that candidates often confuse SSE-S3's automatic key management (which rotates keys but not on a customer-defined schedule) with the automatic rotation and IAM control provided only by SSE-KMS with a customer managed key.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to manage and rotate the encryption keys manually, not automatically every 12 months. Option C is wrong because client-side encryption with the AWS Encryption SDK encrypts data before it reaches S3, so decryption is controlled by the client application, not by IAM policies on S3 objects. Option D is wrong because SSE-S3 uses AWS-managed keys that cannot be rotated on a customer-defined schedule and do not support IAM-based access control for decryption of individual objects.

48
MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to serve traffic over HTTPS to encrypt data in transit between clients and the ALB. The security team requires that the SSL/TLS certificate be automatically renewed before expiration and that AWS manage the entire certificate lifecycle. The company does not want to manually upload or manage private keys. Which AWS service should the company use to meet these requirements?

A. AWS Certificate Manager (ACM)
B. AWS Secrets Manager
C. AWS Identity and Access Management (IAM)
D. AWS Key Management Service (KMS)
Answer: A

ACM is the correct choice. It automates the provisioning, deployment, and renewal of SSL/TLS certificates for use with AWS services such as ALB, CloudFront, and API Gateway. ACM handles the full certificate lifecycle and keeps private keys secure.

Why this answer

AWS Certificate Manager (ACM) is the correct choice because it integrates directly with Application Load Balancers to provision, deploy, and automatically renew SSL/TLS certificates. ACM manages the entire certificate lifecycle, including private key generation and storage, without requiring manual intervention. This meets the security team's requirement for automatic renewal and AWS-managed certificate lifecycle.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager or KMS with certificate management, but neither service handles SSL/TLS certificate issuance or automatic renewal for load balancers; ACM is the only service that provides fully managed certificate lifecycle for ALB HTTPS termination.

How to eliminate wrong answers

Option B (AWS Secrets Manager) is wrong because it is designed to securely store and rotate database credentials, API keys, and other secrets, not to issue or manage SSL/TLS certificates for HTTPS termination on an ALB. Option C (AWS Identity and Access Management) is wrong because IAM is used for managing user permissions and access control, not for certificate provisioning or lifecycle management; while IAM can store server certificates for use with Classic Load Balancers, it does not support automatic renewal and requires manual private key upload. Option D (AWS Key Management Service) is wrong because KMS is a managed service for creating and controlling encryption keys used to encrypt data at rest, not for SSL/TLS certificates used for data in transit.

49
MCQ · medium

A company hosts a web application behind an Application Load Balancer (ALB) in AWS. The application must comply with a security policy requiring TLS encryption for all traffic between users and the ALB. The company wants to automate the renewal of TLS certificates and avoid manual certificate management. Which AWS service should the company use to provision and automatically renew the certificates?

A. AWS Certificate Manager (ACM)
B. AWS Key Management Service (KMS)
C. AWS Secrets Manager
D. AWS Identity and Access Management (IAM)
Answer: A

Correct. ACM is the AWS service designed to provision, manage, and automatically renew SSL/TLS certificates for use with AWS services like ALB, CloudFront, and API Gateway.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it integrates directly with Application Load Balancers to provision and automatically renew TLS certificates, eliminating manual certificate management. ACM handles the entire certificate lifecycle, including renewal, which is essential for maintaining TLS encryption compliance without operational overhead.

Exam trap

The trap here is that candidates may confuse AWS Certificate Manager with AWS Secrets Manager or KMS, thinking any 'management' service can handle certificate renewal, but only ACM is purpose-built for provisioning and automatic renewal of TLS certificates for AWS services like ALB, CloudFront, and API Gateway.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for managing TLS certificates or their automatic renewal. Option C (AWS Secrets Manager) is wrong because it is designed to rotate and manage secrets like database credentials or API keys, not to provision or automatically renew TLS certificates for use with an ALB.

50
MCQ · easy

A company is setting up their AWS account for the first time. What security action should they take immediately after creating the account?

A. Create IAM users for all employees immediately
B. Enable MFA on the root account and create an IAM admin user for daily operations
C. Create root access keys for programmatic access
D. Enable AWS Config in all regions
Answer: B

Enabling MFA on root prevents unauthorized root access even if the password is compromised. Creating an IAM admin user allows daily operations without ever logging in as root.

Why this answer

Option B is correct because the root user has unrestricted access to the AWS account, and enabling Multi-Factor Authentication (MFA) on the root account adds a critical second layer of security to prevent unauthorized access. Creating an IAM admin user for daily operations follows the principle of least privilege, ensuring that routine administrative tasks are performed using IAM roles or users with controlled permissions, rather than the highly privileged root user. This is a foundational security best practice recommended by AWS immediately after account creation.

Exam trap

The trap here is that candidates may think creating IAM users for all employees (Option A) is the immediate priority, but the exam tests the understanding that securing the root account with MFA and creating a single IAM admin user for daily operations is the first and most critical security step, not mass user creation.

How to eliminate wrong answers

Option A is wrong because creating IAM users for all employees immediately is premature and insecure; the first step should be to secure the root account and establish an administrative IAM user, not to create users for everyone without a proper identity and access management strategy. Option C is wrong because creating root access keys for programmatic access is a severe security risk; root access keys provide unrestricted, long-term credentials that cannot be rotated or scoped, and AWS strongly advises against using root access keys for any purpose. Option D is wrong because enabling AWS Config in all regions is not an immediate security action; AWS Config is a governance and compliance service that tracks resource configuration changes, and while valuable, it should be configured after establishing basic identity security and access controls.

51
MCQ · medium

A financial services company is preparing for an annual audit. The auditors have requested a copy of the AWS SOC 2 Type II report to verify the security controls of the AWS infrastructure that the company uses. The company's compliance officer needs to directly download this report from a trusted AWS source. Which AWS service should the compliance officer use to obtain the report?

A. AWS Config
B. AWS Artifact
C. AWS Trusted Advisor
D. Amazon Inspector
Answer: B

AWS Artifact is the correct service. It is the go-to place for on-demand access to AWS compliance reports (e.g., SOC, PCI) and agreements. You can download the SOC 2 Type II report directly from AWS Artifact.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC 2 Type II reports, ISO certifications, and PCI DSS reports. The compliance officer can directly download the SOC 2 report from the AWS Artifact console or via the AWS Artifact API, ensuring the report comes from a trusted AWS source.

Exam trap

The trap here is that candidates often confuse AWS Artifact with AWS Config or Amazon Inspector, mistakenly thinking that configuration auditing or vulnerability scanning tools can provide compliance reports, when only AWS Artifact is designed to serve as the authoritative source for AWS compliance documentation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading compliance reports like SOC 2. Option C is wrong because AWS Trusted Advisor inspects your AWS environment to provide best-practice recommendations for cost, performance, security, and fault tolerance, but it does not provide downloadable compliance reports. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans workloads for software vulnerabilities and unintended network exposure, not a source for SOC 2 reports.

52
MCQ · medium

A company stores sensitive financial data in Amazon S3. The company's security policy requires that all data be encrypted at rest using a key that the company creates and manages, with the ability to rotate the key annually. The company also needs an audit trail of when the key was used and by which AWS service. Which solution should the company use to meet these requirements?

A. Use server-side encryption with S3 managed keys (SSE-S3).
B. Use server-side encryption with AWS KMS customer managed keys (SSE-KMS).
C. Use server-side encryption with customer-provided keys (SSE-C).
D. Use client-side encryption with an AWS KMS managed key.
Answer: B

SSE-KMS with a customer managed key (CMK) allows the company to create, manage, and rotate the key. Key usage is logged in AWS CloudTrail, providing the required audit trail. This is the correct solution.

Why this answer

Option B is correct because SSE-KMS with a customer managed key (CMK) allows the company to create and manage its own encryption key, enable automatic annual key rotation via AWS KMS, and provides detailed CloudTrail audit logs of every KMS API call (e.g., Decrypt, GenerateDataKey) showing which AWS service or user used the key. This satisfies all stated requirements: customer-managed key, annual rotation, and audit trail.

Exam trap

The trap here is that candidates confuse SSE-S3's 'AWS managed' keys with customer managed keys, or assume SSE-C's customer-provided keys satisfy the 'create and manage' requirement, overlooking the need for annual rotation and audit trail capabilities.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, which the company cannot create, manage, or rotate on its own schedule, and it does not provide a per-key-use audit trail in CloudTrail. Option C is wrong because SSE-C requires the customer to provide their own encryption key with each request, the key is not stored or managed by AWS, and it does not support automatic annual rotation or provide an audit trail of key usage by AWS services.

53
MCQ · medium

A company's compliance team needs to know which AWS resources are not compliant with the company's tagging policy (all resources must have a 'CostCenter' tag). Which AWS service can continuously evaluate and report on this compliance?

A. Amazon CloudWatch
B. AWS Config with the required-tags rule
C. AWS Trusted Advisor
D. AWS CloudTrail
Answer: B

AWS Config continuously evaluates all in-scope resources and the 'required-tags' managed rule flags any resources missing required tags like 'CostCenter', generating non-compliance findings.

Why this answer

AWS Config with the managed 'required-tags' rule can continuously evaluate whether resources have the specified tag (e.g., 'CostCenter') and report non-compliant resources. AWS Config records configuration changes, evaluates them against rules, and provides a compliance dashboard and notifications via Amazon SNS, making it the correct service for ongoing compliance monitoring.

Exam trap

The trap here is that candidates often confuse AWS Config (configuration compliance) with AWS CloudTrail (API auditing) or Amazon CloudWatch (performance monitoring), assuming any 'monitoring' service can handle tag compliance, but only AWS Config provides continuous, rule-based evaluation of resource configurations.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not a configuration compliance evaluator; it cannot check resource tagging policies. Option C is wrong because AWS Trusted Advisor provides best-practice recommendations (e.g., cost optimization, security) but does not perform continuous, customizable compliance evaluations against custom tagging policies. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not evaluate resource configurations or tag compliance in real time.

54
MCQ · medium

Which AWS networking feature prevents resources in a private subnet from directly receiving inbound connections from the internet, while still allowing them to initiate outbound connections?

A. Internet Gateway
B. NAT Gateway
C. Security Groups
D. Network ACLs
Answer: B

NAT Gateway in a public subnet allows private subnet instances to initiate outbound internet connections while dropping all unsolicited inbound connections — one-way internet access for private resources.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It achieves this by translating the private IP of the instance to the NAT Gateway's Elastic IP for outbound traffic, and only forwarding return traffic that matches an established outbound session.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, assuming both provide internet access, but the key distinction is that an Internet Gateway allows bidirectional inbound connections, while a NAT Gateway specifically prevents unsolicited inbound connections from the internet.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway allows both inbound and outbound traffic directly from the internet to instances in a public subnet, and does not prevent unsolicited inbound connections. Option C is wrong because Security Groups act as a stateful virtual firewall at the instance level, but they do not provide the network address translation needed to allow outbound-only internet access from a private subnet; they can filter traffic but cannot enable internet connectivity without a routing path. Option D is wrong because Network ACLs are stateless subnet-level traffic filters that can block or allow traffic based on rules, but they do not provide outbound-only internet connectivity or address translation for private subnets.

55
MCQ · medium

A company manages user access to AWS resources using IAM users. The security team wants to automatically detect if an IAM user's access key is being used from a geographic location that is unusual for that user, which could indicate a compromised credential. The team needs a managed threat detection service that monitors API activity and raises alerts for such anomalies. Which AWS service should the security team use?

A. AWS CloudTrail
B. Amazon GuardDuty
C. AWS Trusted Advisor
D. Amazon Inspector
Answer: B

Amazon GuardDuty is the correct choice. It is a managed threat detection service that uses machine learning, anomaly detection, and threat intelligence feeds to monitor for unusual API activity, including compromised credentials and access from suspicious locations. GuardDuty raises findings that can be sent to AWS Security Hub or Amazon EventBridge for automated response.

Why this answer

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS API activity, including IAM user access key usage, and uses machine learning to establish baseline behavior. When it detects access from an unusual geographic location, it generates a finding alerting the security team to a potentially compromised credential. This directly meets the requirement for automated anomaly detection without manual configuration.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, not realizing that CloudTrail only records events and requires an additional service like GuardDuty to analyze and alert on anomalies.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a service that records API activity for auditing and compliance, but it does not analyze or detect anomalies in real-time; it requires additional services or custom logic to identify unusual geographic access. Option C is wrong because AWS Trusted Advisor provides best-practice checks for cost optimization, performance, security, and fault tolerance, but it does not monitor IAM user access key usage or detect geographic anomalies in API activity.

56
MCQ · medium

A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?

A. AWS Key Management Service (AWS KMS)
B. AWS Secrets Manager
C. AWS Systems Manager Parameter Store
D. AWS Certificate Manager (ACM)
Answer: B

AWS Secrets Manager is the correct service because it stores database credentials securely, allows retrieval via API calls, and can automatically rotate credentials for supported services like Amazon RDS on a defined schedule (e.g., every 90 days).

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials (including for Amazon RDS) on a schedule. It allows the application to fetch credentials at runtime via API calls, eliminating hardcoded secrets, and supports native rotation every 90 days without custom code.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is explicitly required in the question.

How to eliminate wrong answers

Option A (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database credentials. Option C (AWS Systems Manager Parameter Store) is wrong because while it can securely store parameters, it does not provide built-in automatic rotation of secrets; rotation would require custom AWS Lambda functions and additional setup. Option D (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for network encryption, not database credentials or secret rotation.

57
MCQ · medium

A company's security team manages AWS accounts for multiple business units using AWS Organizations. The security team needs a single place to view and prioritize all security alerts, including findings from Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer. The team also wants to automatically run continuous compliance checks against industry standards such as the CIS AWS Foundations Benchmark. The solution must provide a consolidated dashboard with automated findings aggregation and compliance score tracking. Which AWS service should the security team choose?

A. AWS Config
B. AWS Security Hub
C. Amazon Detective
D. AWS Trusted Advisor
Answer: B

AWS Security Hub is designed to aggregate, organize, and prioritize security findings from across AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, etc.) and third-party tools. It also performs automated compliance checks against standards like CIS AWS Foundations Benchmark and provides a unified dashboard with compliance scores, meeting all the stated requirements.

Why this answer

AWS Security Hub is the correct choice because it provides a single, consolidated dashboard that aggregates security findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer. It also performs automated continuous compliance checks against industry standards like the CIS AWS Foundations Benchmark and tracks compliance scores over time, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance rules with Security Hub's consolidated findings and compliance scoring, but AWS Config lacks the ability to aggregate findings from multiple security services and track overall compliance scores against industry benchmarks.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and recording resource configurations against rules, but it does not aggregate findings from GuardDuty, Inspector, or IAM Access Analyzer into a single dashboard, nor does it provide compliance score tracking against CIS benchmarks. Option C is wrong because Amazon Detective is designed for investigating security incidents by analyzing log data and generating visualizations, but it does not aggregate findings from multiple services or perform automated compliance checks against industry standards. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate security findings from GuardDuty, Inspector, or IAM Access Analyzer, nor does it run continuous compliance checks against CIS benchmarks.

58
MCQ · easy

A company is concerned about Distributed Denial of Service (DDoS) attacks against their website hosted on AWS. They want basic DDoS protection without incurring additional cost. Which AWS service provides automatic DDoS protection at no extra charge?

A. AWS WAF
B. Amazon GuardDuty
C. AWS Shield Advanced
D. AWS Shield Standard
Answer: D

AWS Shield Standard is enabled automatically for every AWS customer at no additional charge. It protects against the most common network and transport layer DDoS attacks.

Why this answer

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and provides basic protection against common infrastructure-layer DDoS attacks, such as SYN/UDP floods and reflection attacks. This matches the requirement for automatic, no-cost DDoS protection without any manual configuration or subscription.

Exam trap

The trap here is that candidates often confuse AWS WAF (which protects against application-layer threats but is not free) with DDoS protection, or they assume Shield Advanced is the only DDoS service, overlooking the always-on, no-cost Shield Standard.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) and incurs additional costs based on rules and requests; it does not provide automatic infrastructure-layer DDoS protection. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, but it does not actively mitigate DDoS attacks and has a cost per volume of log data analyzed. Option C is wrong because AWS Shield Advanced is a paid service (with a monthly commitment and data transfer fees) that provides enhanced DDoS protection, including 24/7 support and cost protection, not a free automatic option.

59
MCQ · medium

A company needs to ensure that none of their AWS accounts allow resources to be deployed outside of the us-east-1 and eu-west-1 regions for data sovereignty. Which control achieves this most effectively?

A. Configure AWS Config rules in each account to detect out-of-region deployments
B. Apply an SCP in AWS Organizations that denies resource creation outside approved regions
C. Train developers to only deploy in approved regions
D. Enable IAM permission boundaries restricting regions in each account
Answer: B

An SCP with an `aws:RequestedRegion` condition can prevent any API calls creating resources in non-approved regions across all member accounts, providing proactive enforcement.

Why this answer

B is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny resource creation in non-approved regions across all member accounts. By applying an SCP with a condition that denies actions unless the `aws:RequestedRegion` is `us-east-1` or `eu-west-1`, you enforce data sovereignty at the organization level, preventing any account from deploying resources outside those regions regardless of individual account permissions.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config) with preventive controls (SCPs), or assume IAM permission boundaries can enforce region restrictions globally, when in fact SCPs are the only mechanism that applies to all principals in an account, including the root user.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive — they can detect out-of-region deployments after they occur but cannot block them, leaving a window for non-compliant resources to exist. Option C is wrong because training developers relies on human behavior and provides no technical enforcement, making it ineffective for mandatory compliance. Option D is wrong because IAM permission boundaries restrict what actions an IAM principal can perform but do not inherently limit the region; they would require complex condition keys and per-account configuration, and they cannot override permissions granted to the root user or service-linked roles, leaving gaps in enforcement.

60
MCQ · medium

A compliance officer needs to download AWS's SOC 2 Type II report and ISO 27001 certification to provide to their company's auditors as evidence that the AWS infrastructure meets regulatory standards. Where should they access these documents?

A. AWS Trusted Advisor
B. AWS Artifact
C. AWS Security Hub
D. AWS Config
Answer: B

AWS Artifact is the central repository for AWS compliance documentation. It provides access to AWS security and compliance reports (SOC 1, SOC 2, SOC 3, PCI DSS, ISO 27001) and AWS agreements on demand, at no cost.

Why this answer

AWS Artifact is the central resource for downloading AWS compliance reports, including SOC 2 Type II reports and ISO 27001 certifications. It provides on-demand access to these documents, which auditors require as evidence of AWS's adherence to regulatory standards. This service is specifically designed for compliance and audit use cases, making it the correct choice.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Security Hub, mistakenly thinking Security Hub's compliance checks provide the actual certification documents, when in fact Security Hub only checks your own resources against compliance frameworks, not AWS's own certifications.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an optimization tool that inspects your AWS environment and provides recommendations for cost, performance, security, and fault tolerance, but it does not host or provide access to compliance reports. Option C is wrong because AWS Security Hub aggregates security alerts and automates compliance checks against standards like CIS and PCI DSS, but it does not store or deliver raw compliance certification documents such as SOC 2 or ISO 27001. Option D is wrong because AWS Config evaluates and records resource configurations for compliance with internal policies, but it does not provide access to AWS's own third-party audit reports.

61
MCQ · easy

A security auditor needs to know which IAM user deleted a specific S3 bucket last week, from which IP address the action was taken, and at what exact time. Which AWS service captures this information?

A. Amazon CloudWatch
B. AWS Config
C. AWS CloudTrail
D. Amazon GuardDuty
Answer: C

CloudTrail logs every API call to AWS services, capturing the IAM identity, source IP, timestamp, and operation details. Searching CloudTrail for DeleteBucket events would show exactly who deleted the S3 bucket, when, and from which IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including S3 bucket deletion actions (DeleteBucket). It captures the identity of the IAM user, the source IP address, and the exact timestamp of each API call, which directly meets the auditor's requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to track resource changes (like bucket deletion) with CloudTrail's ability to log the identity and source of the API call, leading them to select Config instead of CloudTrail.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms; it does not record API-level user activity or capture the specific IAM user, IP address, and timestamp of an S3 bucket deletion. Option B is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes over time, but it does not log who performed an action or the source IP address; it focuses on resource state, not API call details. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity; it does not natively store or provide raw API call history with user identity and IP address for forensic auditing.

62
MCQ · medium

A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?

A. AWS Trusted Advisor
B. Amazon GuardDuty
C. AWS Config
D. Amazon Inspector
Answer: C

AWS Config allows you to define rules (both managed and custom) that evaluate the configuration of your AWS resources. It continuously monitors for changes and can automatically detect resources that violate your policies, such as missing tags or incorrect security groups, and send notifications through Amazon SNS.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired rules. You can create a custom AWS Config rule to check that all EC2 instances have the tag 'Environment=Production' and are associated with the security group 'Prod-SG'. When a resource becomes non-compliant, AWS Config can trigger an Amazon SNS notification to alert the IT team.

Exam trap

The trap here is that candidates confuse AWS Config (configuration auditing and compliance) with AWS Trusted Advisor (best-practice recommendations) or Amazon GuardDuty (threat detection), but only AWS Config can evaluate custom rules like tag and security group requirements.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment to make recommendations for cost optimization, performance, security, and fault tolerance, but it does not allow you to define custom compliance rules or continuously evaluate resource configurations against specific tags or security group associations. Option B is wrong because Amazon GuardDuty is a threat detection service that uses machine learning and anomaly detection to identify malicious activity and unauthorized behavior, not to evaluate resource configurations against custom compliance policies.

63
MCQmedium

A company wants to automatically detect potential security threats such as compromised credentials, unauthorized access attempts, and communication with known malicious IP addresses across its AWS environment. The company has enabled AWS CloudTrail, VPC Flow Logs, and DNS logs. Which AWS service should the company use to continuously analyze these logs and generate actionable security findings without requiring manual setup of data sources?

A.Amazon GuardDuty
B.AWS Config
C.AWS Trusted Advisor
D.Amazon Inspector
AnswerA

Amazon GuardDuty is the correct choice because it is designed to continuously analyze supported data sources (CloudTrail, VPC Flow Logs, DNS logs) to detect and generate findings for potential security threats.

Why this answer

Amazon GuardDuty is a threat detection service that continuously analyzes AWS CloudTrail, VPC Flow Logs, and DNS logs using machine learning and anomaly detection to identify compromised credentials, unauthorized access, and communication with known malicious IP addresses. It operates without requiring manual setup of data sources because it automatically ingests these logs once enabled, generating actionable security findings.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which scans for vulnerabilities) with GuardDuty (which detects threats from logs), or assume AWS Config's compliance rules can detect security threats, when in fact Config only checks configuration drift, not log-based anomalies.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it evaluates resource configurations against compliance rules and tracks configuration changes, but it does not analyze logs for security threats like compromised credentials or malicious IP communication. Option C (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not perform continuous log analysis or threat detection. Option D (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for analyzing CloudTrail, VPC Flow Logs, or DNS logs for threat detection.

64
MCQmedium

A company uses AWS Organizations to manage over 50 AWS accounts. The security team has identified a high-priority requirement to prevent any security group rule in any account from allowing inbound RDP (port 3389) access from the internet (0.0.0.0/0). If a rule is created that violates this policy, the team wants it to be automatically removed. The team needs a centralized service that can enforce this policy across all current and new accounts without requiring manual setup in each account. Which AWS service should the team use?

A.AWS Config
B.AWS Firewall Manager
C.AWS IAM Access Analyzer
D.AWS Security Hub
AnswerB

AWS Firewall Manager allows organizations to centrally configure and manage security group rules and AWS WAF rules across all accounts. It can apply a common security group baseline and automatically remove non-compliant rules (e.g., inbound RDP from 0.0.0.0/0), enforcing the policy across current and new accounts without manual intervention.

Why this answer

AWS Firewall Manager is the correct choice because it provides centralized management of firewall rules across all accounts in an AWS Organization. It can enforce a security group policy that automatically removes any inbound RDP rule allowing 0.0.0.0/0, and it applies this policy to both existing and newly created accounts without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's detection capabilities with Firewall Manager's enforcement capabilities, assuming Config can automatically remediate without realizing it requires custom automation, while Firewall Manager provides native, centralized auto-remediation across all accounts.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing and compliance service that can detect non-compliant security group rules but cannot automatically remediate them without custom AWS Config rules and Lambda functions; it lacks native auto-remediation for this specific use case. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies for unintended cross-account access, not security group rules or inbound traffic from the internet. Option D is wrong because AWS Security Hub aggregates security findings and compliance status from multiple services but does not have the ability to enforce or automatically remove security group rules.

65
MCQhard

A company stores sensitive financial data in Amazon S3. They need to ensure that even if an attacker gains access to the S3 service, they cannot read the data without a customer-controlled encryption key. Which S3 encryption method satisfies this requirement?

A.SSE-S3 (Amazon S3-managed keys)
B.SSE-KMS with an AWS managed CMK (aws/s3)
C.SSE-KMS with a customer-managed CMK
D.S3 Versioning with MFA Delete
AnswerC

Customer-managed CMKs give the customer control over key policies, rotation, and deletion. Disabling or deleting the CMK makes the data unreadable — even by AWS. Key usage is auditable via CloudTrail.

Why this answer

Option C is correct because SSE-KMS with a customer-managed CMK ensures that the encryption key is under the customer's exclusive control, not AWS. Even if an attacker gains access to the S3 service, they cannot decrypt the data without the customer-managed CMK, which is stored in AWS KMS and can be further protected with key policies, IAM policies, and optional key rotation. This satisfies the requirement that the attacker cannot read the data without a customer-controlled encryption key.

Exam trap

The trap here is that candidates confuse 'customer-managed' with 'AWS managed' and assume any KMS key provides customer control, but only a customer-managed CMK gives the customer exclusive control over the key's lifecycle and permissions.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, where AWS controls the encryption keys, so an attacker with S3 access could potentially decrypt the data using those keys. Option B is wrong because SSE-KMS with an AWS managed CMK (aws/s3) still has the key managed by AWS, not the customer, so the customer does not have exclusive control over the encryption key. Option D is wrong because S3 Versioning with MFA Delete only protects against accidental or malicious deletion of object versions, not against reading encrypted data, and does not involve encryption keys at all.

66
MCQmedium

A healthcare company is migrating patient records to Amazon S3. The company must comply with HIPAA and needs to automatically identify any S3 buckets that contain protected health information (PHI) and generate alerts. The solution must be fully managed and require no manual effort to scan the data. Which AWS service should the company use?

A.Amazon Macie
B.Amazon Inspector
C.AWS Config
D.AWS Security Hub
AnswerA

Correct. Amazon Macie is designed to automatically discover, classify, and protect sensitive data in Amazon S3, including PHI, using machine learning. It requires no manual scanning and integrates with AWS Security Hub for alerting.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data in Amazon S3. It automatically identifies protected health information (PHI) such as medical record numbers, diagnosis codes, and patient names, and can generate alerts when such data is found in S3 buckets, meeting HIPAA compliance requirements without any manual scanning effort.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which sounds like it 'inspects' data) with Macie, but Inspector only scans for vulnerabilities in compute resources, not for sensitive data content in S3 objects.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not for data classification or PHI detection in S3. Option C is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies (e.g., checking if S3 buckets are encrypted or publicly accessible), but it cannot inspect the actual data content of objects to identify PHI. Option D is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like Macie, GuardDuty, Inspector) and applies security standards, but it does not itself perform data scanning or classification of S3 objects.

67
MCQmedium

A company has a strict security policy requiring that no Amazon S3 bucket or IAM role should be accessible to external AWS accounts unless explicitly approved. The security team needs a service that continuously analyzes resource-based policies and can generate findings when an S3 bucket policy allows access to a principal from outside the company's AWS Organization. Which AWS service should the team use?

A.AWS Config
B.IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

IAM Access Analyzer continuously analyzes resource-based policies and generates findings when a resource is accessible from outside the AWS Organization. This matches the requirement of detecting unintended external access to S3 buckets and IAM roles.

Why this answer

IAM Access Analyzer is designed to continuously analyze resource-based policies (such as S3 bucket policies and IAM role trust policies) and generate findings when access is granted to principals outside of the trusted AWS Organization. It uses zone of trust logic to identify policies that allow access to external AWS accounts, making it the correct service for this security requirement.

Exam trap

The trap here is that candidates often confuse AWS Config (which audits resource configurations) with IAM Access Analyzer (which specifically analyzes resource-based policies for cross-account access), leading them to choose AWS Config for a use case that requires policy-level access analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource configurations against compliance rules but does not natively analyze resource-based policies for cross-account access or generate findings about external principals; it is a configuration auditing tool, not an access analyzer. Option C is wrong because AWS Trusted Advisor provides high-level best practice checks (e.g., S3 bucket permissions, security groups) but does not continuously analyze resource-based policies for access from outside the AWS Organization and does not generate granular findings for IAM role trust policies.

68
MCQmedium

A company runs a microservices-based application on Amazon ECS. The application stores database credentials and API keys in plaintext configuration files that are baked into container images. A security audit reveals that this practice violates the company's compliance policy, which mandates that secrets must be stored separately from code, centrally managed, and automatically rotated every 90 days. Which AWS service should the company use to meet these requirements?

A.AWS Key Management Service (AWS KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
AnswerC

AWS Secrets Manager is purpose-built for storing, managing, and automatically rotating secrets such as database credentials and API keys. It integrates with Lambda to perform rotation on a schedule and with RDS for automatic credential updates, meeting the compliance requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is designed specifically for storing, managing, and automatically rotating database credentials, API keys, and other secrets throughout their lifecycle. It meets the compliance requirements by storing secrets separately from code, providing a central management console and API, and supporting automatic rotation every 90 days via built-in integration with AWS RDS, Redshift, and DocumentDB, or custom Lambda functions.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with AWS Systems Manager Parameter Store, assuming both offer automatic rotation, but Parameter Store lacks native rotation capabilities and is primarily for configuration data, not secrets lifecycle management.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys used to encrypt data, not for storing or automatically rotating secrets like database credentials or API keys. Option B is wrong because AWS CloudHSM provides dedicated hardware security modules for generating and storing cryptographic keys, but it does not offer a managed service for storing application secrets or automatic rotation capabilities. Option D is wrong because AWS Systems Manager Parameter Store can store secrets as SecureString parameters, but it lacks native automatic rotation functionality and is not designed as a dedicated secrets management service with built-in rotation scheduling.

69
MCQeasy

A company's compliance officer needs to provide an external auditor with copies of AWS SOC 2 reports and a PCI DSS attestation of compliance. The officer needs a self-service portal to download these documents directly, without contacting AWS Support. The solution must provide the most current versions of these reports. Which AWS service should the officer use?

A.AWS Artifact
B.AWS Audit Manager
C.Amazon Inspector
D.AWS Config
AnswerA

AWS Artifact is a self-service portal that provides access to AWS compliance reports and agreements, including SOC reports and PCI DSS attestations, without needing to contact AWS Support.

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for on-demand access to AWS compliance reports, including SOC 2 reports and PCI DSS attestations of compliance. It ensures the most current versions are always available without needing to contact AWS Support, directly meeting the compliance officer's requirement for a self-service download solution.

Exam trap

The trap here is that candidates confuse AWS Artifact (a document repository for compliance reports) with AWS Audit Manager (a tool for creating and managing audit evidence), leading them to select Audit Manager for downloading reports instead of Artifact.

How to eliminate wrong answers

Option B is wrong because AWS Audit Manager is a service for continuously auditing AWS usage to simplify risk assessment and compliance, not a repository for downloading pre-existing compliance reports like SOC 2 or PCI DSS attestations. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a portal for accessing compliance documentation.

70
MCQmedium

A company's security team wants to identify all Amazon S3 buckets that are shared with external AWS accounts or publicly accessible. The team needs a continuous evaluation that reports findings in a centralized dashboard and sends alerts when new unintended external shares are created. Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

IAM Access Analyzer analyzes resource-based policies to identify resources that are shared with external entities (outside your AWS organization). It provides continuous monitoring, a dashboard of findings, and integration with AWS Security Hub and Amazon EventBridge for alerts. This directly meets the requirement.

Why this answer

IAM Access Analyzer is the correct choice because it continuously monitors resource policies, including S3 bucket policies, to identify resources shared with external AWS accounts or publicly. It provides a centralized dashboard in the IAM console to view findings and integrates with Amazon EventBridge to send alerts via Amazon SNS when new unintended external shares are created, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to detect resource changes with the specific need for continuous policy analysis and centralized findings for external access, leading them to pick AWS Config instead of IAM Access Analyzer.

How to eliminate wrong answers

Option A (AWS Config) is wrong because while AWS Config can evaluate resource configurations against rules and detect changes, it does not natively analyze resource policies for external or public access in a centralized findings dashboard; it requires custom rules and lacks the built-in external access analysis that IAM Access Analyzer provides. Option C (AWS Trusted Advisor) is wrong because it performs a one-time or periodic check for publicly accessible S3 buckets in the 'Security' category but does not provide continuous evaluation, a centralized findings dashboard for all external shares, or automated alerting for new unintended shares; it also does not analyze external AWS account sharing. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, not for analyzing S3 bucket policies for external or public access; it does not generate findings for resource-based policy sharing.

71
MCQmedium

An e-commerce company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer and Amazon CloudFront. The application has been experiencing frequent, large-scale DDoS attacks that cause significant compute and data transfer costs. The company wants to implement a managed DDoS protection service that provides financial protection against scaling costs incurred during DDoS attacks, access to a DDoS Response Team (DRT) for real-time attack mitigation support, and integration with AWS WAF for application-layer attack protection. Which AWS service should the company use to meet these requirements?

A.AWS Shield Standard
B.AWS Shield Advanced
C.AWS WAF
D.Amazon GuardDuty
AnswerB

AWS Shield Advanced is a paid service that provides enhanced DDoS protection. It includes cost protection against scaling charges incurred during a DDoS attack, 24/7 access to the DDoS Response Team (DRT) for expert support, and integration with AWS WAF for application-layer attack mitigation. This matches all the requirements described in the scenario.

Why this answer

AWS Shield Advanced is the correct choice because it provides enhanced DDoS protection with financial protection against scaling costs incurred during DDoS attacks (cost protection for EC2, ELB, CloudFront, and Route 53), 24/7 access to the DDoS Response Team (DRT) for real-time attack mitigation, and seamless integration with AWS WAF for application-layer attack protection. This fully managed service meets all three stated requirements, unlike the other options.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic protection) with AWS Shield Advanced (paid, enhanced protection with cost protection and DRT access), or mistakenly think AWS WAF alone provides DDoS mitigation and financial safeguards, when in fact WAF is only an application-layer component that must be paired with Shield Advanced for the full solution.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic network-layer DDoS protection (SYN floods, UDP floods) at no additional cost, but it does not offer financial protection against scaling costs, access to the DDoS Response Team (DRT), or integration with AWS WAF for application-layer protection. Option C is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not provide financial protection against DDoS-related scaling costs or access to the DRT; it is a component that integrates with Shield Advanced, not a standalone DDoS protection service. Option D is wrong because Amazon GuardDuty is a threat detection service that uses machine learning to identify malicious activity (e.g., compromised instances, suspicious API calls) but does not provide DDoS mitigation, financial protection, or DRT access.

72
MCQmedium

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires a mechanism to prevent any IAM user or role in any member account from modifying Amazon S3 bucket policies to grant public access. The solution must be enforced centrally and cannot be overridden by account administrators. Which AWS feature should the company use?

A.IAM permissions boundaries
B.Service control policies (SCPs)
C.AWS Config conformance packs
D.AWS CloudTrail Insights
AnswerB

SCPs are used in AWS Organizations to centrally manage permissions across all accounts. They define the maximum available permissions and can explicitly deny actions like modifying S3 bucket policies. SCPs apply to all principals in the account and cannot be bypassed by account administrators.

Why this answer

Service control policies (SCPs) are the correct choice because they allow AWS Organizations to centrally define permission guardrails that apply to all IAM users and roles across member accounts. SCPs can explicitly deny actions like s3:PutBucketPolicy to prevent any account administrator from modifying S3 bucket policies to grant public access, and these restrictions cannot be overridden by any IAM entity within the member account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permissions boundaries, thinking both are equally enforceable centrally, but SCPs operate at the organization level and cannot be bypassed by account administrators, whereas permissions boundaries are account-level and can be removed or modified by an admin with sufficient privileges.

How to eliminate wrong answers

Option A is wrong because IAM permissions boundaries are applied at the individual IAM user or role level within a single account and can be overridden by an account administrator with sufficient privileges; they do not provide a centralized, unbreakable guardrail across all accounts in an organization. Option C is wrong because AWS Config conformance packs are used to evaluate resource compliance against rules and can trigger remediation actions, but they do not enforce preventive controls that block API calls before they happen; they are detective and reactive, not preventive.
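
A service control policy that implements the guardrail above, written as an added example rather than a policy taken from the page or from AWS documentation. An SCP cannot inspect the contents of a proposed bucket policy, so the practical pattern is to deny the bucket-policy and public-access-setting actions outright in member accounts and exempt a single approved role; the role name SecurityBreakGlassRole is a placeholder for whatever role the company approves.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBucketPolicyAndPublicAccessChanges",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlassRole"
        }
      }
    }
  ]
}
```

Attach the SCP to the organization root or to the OUs containing production accounts. Two points worth checking in a real deployment: an SCP never restricts the management account, so the approved role should live in a member account, and the explicit Deny applies to every principal in the member account, including its administrators, which is exactly the "cannot be overridden" property the question asks for. Keeping S3 Block Public Access enabled at the account level, and denying the action that would turn it off, is what makes the guardrail complete even if a bucket policy already exists.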

73
MCQmedium

A company has a security policy that requires all SSH connections to Amazon EC2 instances to originate from the company's corporate network IP range (203.0.113.0/24). An administrator is creating an IAM policy to enforce this restriction. Which IAM policy element should the administrator use to specify the allowed IP address range?

A.aws:RequestedRegion condition key
B.aws:SourceIp condition key
C.aws:PrincipalOrgID condition key
D.aws:MultiFactorAuthPresent condition key
AnswerB

The aws:SourceIp condition key is the correct IAM policy element to restrict requests to specific source IP address ranges, such as a corporate network.

Why this answer

The aws:SourceIp condition key is used in IAM policies to restrict access based on the requester's IP address. Since the security policy requires SSH connections to EC2 instances to originate only from the corporate network IP range (203.0.113.0/24), the administrator should use aws:SourceIp in a condition block to enforce this restriction. This key evaluates the source IP address of the API caller, not the destination of the traffic.

Exam trap

The trap here is that candidates may confuse IAM policy conditions (which control API access) with network-level controls (like security groups), leading them to incorrectly think aws:SourceIp can directly restrict SSH traffic to the instance rather than the API calls that manage it.

How to eliminate wrong answers

Option A is wrong because the aws:RequestedRegion condition key restricts access to specific AWS Regions, not IP addresses, so it cannot enforce the corporate network IP range requirement. Option C is wrong because the aws:PrincipalOrgID condition key restricts access based on the AWS Organization ID of the principal, not the source IP address, and is used for cross-account access control within an organization.
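
An identity-based policy using the aws:SourceIp condition key, added here as an example and not taken from the page. It denies EC2 API calls whose source address is outside 203.0.113.0/24; the scope of ec2:* is an assumption chosen for the scenario, and the aws:ViaAWSService condition is included so that calls AWS services make on the principal's behalf (which arrive from AWS addresses) are not caught by the deny.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2ApiCallsFromOutsideCorporateRange",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

The Deny-with-NotIpAddress shape is the usual way to express "only from this range", because an Allow with IpAddress would not override permissions granted elsewhere. As the exam trap notes, this policy constrains who can call the EC2 API (start, stop, modify instances) from where; the SSH session itself is TCP traffic to port 22 and is restricted separately by an inbound security group rule that permits 203.0.113.0/24 only.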

74
MCQmedium

A company stores customer data in Amazon S3 buckets. The compliance team needs to automatically discover which buckets contain personally identifiable information (PII) such as names, addresses, and credit card numbers. The team also wants to receive continuous monitoring and alerts when new sensitive data is uploaded. Which AWS service should the team use to meet these requirements?

A.Amazon Macie
B.AWS Shield
C.Amazon Inspector
D.AWS Config
AnswerA

Amazon Macie is correct because it is designed to automatically discover, classify, and protect sensitive data in Amazon S3. It provides continuous monitoring and alerts for new sensitive data using machine learning.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data in Amazon S3. It can identify PII such as names, addresses, and credit card numbers, and it provides continuous monitoring with alerts when new sensitive data is uploaded, meeting both the discovery and ongoing monitoring requirements.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which scans for vulnerabilities) with Amazon Macie (which scans for sensitive data), because both involve 'scanning' but for entirely different purposes and resource types.

How to eliminate wrong answers

Option B (AWS Shield) is wrong because it is a managed Distributed Denial of Service (DDoS) protection service, not designed for data classification or PII discovery. Option C (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not S3 buckets or PII. Option D (AWS Config) is wrong because it is a service that evaluates AWS resource configurations against desired policies and tracks configuration changes, but it does not inspect the content of S3 objects for sensitive data like PII.

75
MCQmedium

A company has internal security policies that require all Amazon S3 buckets to be private (not publicly accessible) and all Amazon EC2 security groups to restrict inbound SSH traffic to a specific IP range. The security team needs to continuously monitor all AWS resources across their account to detect any resource that violates these policies. They also need a historical record of configuration changes and a compliance dashboard that shows overall pass/fail status. Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.Amazon Inspector
AnswerA

AWS Config is designed specifically for resource inventory, configuration history, and compliance evaluation against rules. It tracks changes and shows compliance status, perfectly matching the requirements.

Why this answer

AWS Config is the correct service because it provides continuous monitoring, compliance auditing, and historical recording of configuration changes for AWS resources. It allows you to define rules (e.g., 's3-bucket-public-read-prohibited' and 'restricted-ssh') that automatically evaluate your S3 bucket policies and EC2 security group rules against your security policies, and it offers a compliance dashboard showing pass/fail status for each resource. AWS Config also maintains a configuration history that can be used for auditing and troubleshooting.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which tracks resource configuration state and compliance), leading them to choose CloudTrail because they think 'historical record of changes' refers to API logs rather than configuration item snapshots.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because it records API activity and user actions (who did what, when, and from where) but does not evaluate resource configurations against policies or provide a compliance dashboard for resource-level pass/fail status. Option C (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not for monitoring resource configuration compliance or maintaining a historical record of configuration changes.
