CCNA Security Questions

75 of 230 questions · Page 2/4 · Security topic

76 · MCQ · medium

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?

A. AWS Identity and Access Management (IAM) policies
B. AWS Organizations service control policies (SCPs)
C. AWS Config managed rules with automatic remediation
D. IAM Access Analyzer

Answer: B

SCPs are a centralized policy mechanism within AWS Organizations that can deny the `iam:CreateUser` action across all member accounts in an organization, an OU, or a specific account. SCPs apply to all principals in a member account, including the root user, and affect both existing and future accounts, making them the correct choice for enforcing this restriction.

Why this answer

AWS Organizations service control policies (SCPs) allow a central administrator to define maximum permissions for all accounts within an organization. By creating an SCP that explicitly denies the `iam:CreateUser` action, the security team can enforce that no IAM users can be created in any member account, including future accounts, because SCPs are inherited by all accounts in the organization. This provides a single, centralized mechanism that cannot be overridden by account-level IAM policies.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies can centrally control all accounts, but SCPs are the only mechanism that can enforce restrictions across an entire AWS Organization, including preventing the creation of IAM users.

How to eliminate wrong answers

Option A is wrong because IAM policies are attached to IAM users, groups, or roles within a single account and cannot enforce restrictions across multiple accounts or prevent the creation of IAM users themselves; they only control permissions for existing identities. Option C is wrong because AWS Config managed rules can detect non-compliant resources (e.g., an IAM user being created) and trigger automatic remediation, but they are reactive and cannot prevent the creation of IAM users in the first place; they also require per-account setup and do not centrally block the action. Option D is wrong because IAM Access Analyzer analyzes resource-based policies to identify unintended cross-account access, but it does not enforce restrictions on IAM user creation or provide any preventive control.

77 · MCQ · medium

A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?

A. AWS Config
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Trusted Advisor

Answer: C

AWS CloudTrail is the correct service. It records all API calls made to the AWS environment, including details such as the caller's identity, time of the call, source IP address, and request parameters. The logs can be stored durably in Amazon S3 with integrity validation and can be retained for as long as needed.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS services, capturing the identity of the caller, timestamp, source IP address, and request details. It stores these logs in Amazon S3 with server-side encryption and integrity validation via digest files, and can be configured to retain logs for more than five years using lifecycle policies or by archiving to Amazon S3 Glacier.

Exam trap

The trap here is that candidates confuse AWS Config's configuration tracking with CloudTrail's API activity logging, or assume GuardDuty's threat detection includes a complete audit trail, when in fact only CloudTrail provides the detailed, integrity-protected record of every API call required for compliance.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for recording resource configuration changes and evaluating compliance rules, not for capturing API call audit trails with caller identity and source IP. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes logs and network traffic for malicious activity, but it does not natively store a complete, long-term audit trail of all API calls with integrity guarantees. Option D is wrong because AWS Trusted Advisor inspects the account against best-practice checks (cost, performance, security, fault tolerance) and makes recommendations; it does not record API activity or store an audit trail.

78 · MCQ · medium

A company hosts a web application on AWS that uses Amazon CloudFront for content delivery and an Application Load Balancer (ALB) in front of Amazon EC2 instances. The security team wants to protect the application against common web exploits such as SQL injection and cross-site scripting (XSS). They need a managed service that can inspect incoming HTTP/HTTPS requests and block malicious traffic before it reaches the application servers. Which AWS service should the company use to meet these requirements?

A. AWS WAF
B. AWS Shield Advanced
C. AWS Firewall Manager
D. Amazon Inspector

Answer: A

AWS WAF is a web application firewall that monitors and filters HTTP/HTTPS traffic to protect against attacks such as SQL injection and cross-site scripting. It integrates directly with CloudFront and ALB, making it the correct choice for this scenario.

Why this answer

AWS WAF is a managed web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Amazon CloudFront and Application Load Balancers (ALB) to inspect incoming HTTP/HTTPS requests and block malicious traffic before it reaches the application servers. This makes it the correct choice for the security team's requirement to filter and block specific attack patterns at the application layer.

Exam trap

The trap here is that candidates often confuse AWS Shield Advanced (Layer 3/4 DDoS protection) with AWS WAF (Layer 7 application-layer filtering), leading them to select Shield Advanced for web exploit protection instead of the correct service.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer exploits like SQL injection or XSS. Option C is wrong because AWS Firewall Manager is a centralized policy management service that helps manage firewall rules across multiple accounts and resources, but it does not itself inspect HTTP/HTTPS requests for web exploits; it can centrally deploy AWS WAF rules but is not the inspection service itself. Option D is wrong because Amazon Inspector scans EC2 instances for software vulnerabilities and network exposure; it does not sit in the request path and cannot inspect or block HTTP/HTTPS traffic.

79 · MCQ · medium

A financial services company must encrypt all sensitive customer data stored in Amazon S3 using an encryption key that the company manages and rotates annually. The company also needs a complete, tamper-proof record of every time the key is used (including who used it and on which object) to satisfy regulatory audit requirements. Which AWS service should the company use to meet both the key management and audit logging requirements?

A. AWS Certificate Manager (ACM)
B. AWS Key Management Service (AWS KMS)
C. AWS CloudHSM
D. AWS Secrets Manager

Answer: B

KMS enables you to create and manage customer-managed keys (CMKs) for encrypting data at rest in S3. It also integrates with AWS CloudTrail to log every key usage request, providing the required audit trail for compliance.

Why this answer

AWS KMS is the correct choice because it allows the company to create and manage a customer managed key (CMK) with annual rotation, and it integrates with AWS CloudTrail to deliver tamper-proof logs of every KMS API call (e.g., Decrypt, Encrypt, GenerateDataKey). These logs record the key ID, the IAM user or role that made the request, and the S3 object ARN (via encryption context), satisfying both key management and audit logging requirements.

Exam trap

The trap here is that candidates confuse AWS CloudHSM's hardware security with the integrated audit logging and automatic rotation capabilities of AWS KMS, assuming that a dedicated HSM is always required for regulatory compliance, when KMS with CloudTrail fully meets the tamper-proof audit requirement.

How to eliminate wrong answers

Option A (AWS Certificate Manager) is wrong because ACM manages SSL/TLS certificates, not encryption keys for S3 data, and it does not provide key usage audit logs. Option C (AWS CloudHSM) is wrong because while it provides hardware security modules for key management, it does not natively integrate with CloudTrail for tamper-proof audit logging of every key usage; you must build custom logging, and it does not support automatic annual key rotation. Option D (AWS Secrets Manager) is wrong because it is designed to rotate and manage secrets (e.g., database credentials), not encryption keys for S3, and its audit logs focus on secret access, not granular per-object encryption key usage.

80 · MCQ · medium

A company runs a fleet of Amazon EC2 instances that host a customer-facing web application. The security team wants to automatically identify software vulnerabilities, such as missing patches and common vulnerabilities and exposures (CVEs), in the operating system and applications running on these instances. The team also needs visibility into unintended network accessibility, such as instances with ports open to the internet. The solution must be natively integrated with AWS and should provide findings that can be viewed in a central dashboard. Which AWS service should the security team use?

A. Amazon GuardDuty
B. Amazon Inspector
C. AWS Security Hub
D. AWS Trusted Advisor

Answer: B

Amazon Inspector automatically assesses EC2 instances for software vulnerabilities (CVEs) and network exposure (e.g., open ports). It integrates with AWS Systems Manager to perform deep scans of the OS and application packages.

Why this answer

Amazon Inspector is the correct choice because it is a vulnerability management service that automatically scans EC2 instances for software vulnerabilities (missing patches, CVEs) and unintended network accessibility (e.g., open ports to the internet). It is natively integrated with AWS and provides findings in a central dashboard via the AWS Management Console or AWS Security Hub. This directly matches the security team's requirements for automated identification of OS/application vulnerabilities and network exposure.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty (threat detection) with Amazon Inspector (vulnerability scanning), or assume AWS Security Hub performs the scanning itself rather than aggregating findings from other services.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence, not for scanning software vulnerabilities or CVEs in OS/applications. Option C is wrong because AWS Security Hub is a centralized security findings aggregator that collects and prioritizes findings from multiple AWS services (including Inspector), but it does not perform vulnerability scanning itself. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment for best practices in cost, performance, security, and fault tolerance, but it does not perform deep vulnerability scanning for CVEs or open port analysis on EC2 instances.

81 · MCQ · medium

A company uses multiple AWS security services — GuardDuty, Inspector, Macie, and IAM Access Analyzer — across multiple accounts. The security team needs a single console to view, prioritise, and manage all security findings from these services and third-party tools. Which AWS service provides this aggregated view?

A. Amazon GuardDuty
B. Amazon CloudWatch
C. AWS Security Hub
D. AWS Config

Answer: C

Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools into a unified dashboard. It uses the AWS Security Finding Format (ASFF) to normalise findings and allows centralised management across accounts.

Why this answer

AWS Security Hub is the correct service because it provides a single, consolidated view of security alerts and compliance status across multiple AWS accounts and services, including GuardDuty, Inspector, Macie, and IAM Access Analyzer. It aggregates findings from these native services and third-party tools into a standardized format using the AWS Security Finding Format (ASFF), enabling centralized prioritization and management. This directly addresses the requirement for a unified console to view, prioritize, and manage all security findings.

Exam trap

The trap here is that candidates often confuse AWS Security Hub with Amazon GuardDuty or AWS Config, mistakenly thinking that GuardDuty's threat detection or Config's compliance checks already provide a consolidated view, when in fact Security Hub is the dedicated aggregation service that ingests findings from multiple sources.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not aggregate findings from other security services or third-party tools; it only generates its own findings. Option B is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not a security findings aggregator; it lacks the standardized security finding format (ASFF) and cross-service consolidation capabilities of Security Hub. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, but it does not ingest or aggregate security findings from GuardDuty, Inspector, Macie, or third-party tools; it focuses on configuration compliance, not security alert management.

82 · MCQ · medium

A company stores sensitive customer data in Amazon S3 buckets. The company's security policy requires that all objects in these buckets be encrypted at rest using an encryption key that the company can rotate annually and audit for usage. The company also needs to control which IAM users and roles can use, create, and manage these keys. The security team wants to use an AWS managed service to handle the key management lifecycle. Which AWS service should the company use to meet these requirements?

A. AWS Key Management Service (KMS)
B. Amazon S3 server-side encryption with customer-provided keys (SSE-C)
C. AWS Certificate Manager (ACM)
D. AWS Secrets Manager

Answer: A

AWS KMS is a managed service that allows you to create, rotate, control access to, and audit the use of encryption keys used to protect data in AWS services such as Amazon S3.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a managed service that allows you to create, rotate, and audit customer-managed keys (CMKs) used for encrypting S3 objects at rest. KMS integrates with AWS CloudTrail to log every key usage, enabling the required audit trail, and supports annual key rotation via automatic or manual rotation. It also provides fine-grained IAM policies and key policies to control which users and roles can use, create, and manage the keys, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with KMS because both handle sensitive material, but Secrets Manager rotates application secrets such as database passwords, whereas managing the encryption keys used for S3 server-side encryption is a core KMS function.

How to eliminate wrong answers

Option B (SSE-C) is wrong because while it encrypts objects at rest, the customer provides and manages the encryption keys themselves, not an AWS managed service, and AWS does not support automatic key rotation or audit logging for customer-provided keys. Option C (ACM) is wrong because it is designed to manage SSL/TLS certificates for securing network traffic, not for encrypting data at rest in S3 or for key management lifecycle. Option D (AWS Secrets Manager) is wrong because it is intended for securely storing and rotating secrets such as database credentials and API keys, not for managing encryption keys used for S3 server-side encryption.

83 · MCQ · medium

A company uses multiple AWS accounts. The security team wants to enforce two requirements for all Amazon S3 buckets: first, server-side encryption must be enabled using AWS KMS; second, no bucket can be publicly accessible. The team needs a service that continuously monitors the configuration of S3 buckets across all accounts, detects when a bucket violates either requirement, and automatically applies corrective actions (such as enabling default encryption or removing public access). Which AWS service should the security team use to meet these requirements?

A. AWS Config
B. AWS Trusted Advisor
C. AWS IAM Access Analyzer
D. AWS CloudTrail

Answer: A

AWS Config is the correct choice because it continuously evaluates resource configurations against desired policies (e.g., S3 bucket encryption and public access) and can automatically remediate non-compliant resources using pre-defined actions, meeting all requirements.

Why this answer

AWS Config is the correct service because it provides continuous monitoring, evaluation, and automated remediation of resource configurations across multiple accounts. With AWS Config rules (e.g., managed rules like `s3-bucket-server-side-encryption-enabled` and `s3-bucket-public-read-prohibited`), you can detect noncompliant S3 buckets and trigger AWS Systems Manager Automation documents or Lambda functions to automatically enable default encryption or remove public access. AWS Config also supports multi-account aggregation via an aggregator, allowing the security team to enforce these requirements across all accounts from a single management account.

Exam trap

The trap here is that candidates confuse AWS Config's continuous compliance monitoring and automated remediation with AWS Trusted Advisor's advisory checks or AWS IAM Access Analyzer's policy analysis, failing to recognize that only AWS Config provides both detection and automatic corrective actions.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not support continuous monitoring or automated corrective actions; it only offers periodic checks and manual remediation guidance. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify unintended public or cross-account access, but it does not enforce server-side encryption requirements or automatically apply corrective actions. Option D is wrong because AWS CloudTrail records API activity for auditing and governance but does not monitor current resource configurations or trigger automated remediation.

84 · MCQ · medium

After GuardDuty generates a security finding about potentially compromised EC2 instances, a security analyst needs to investigate the full context of the threat — understanding which users, IPs, and resources were involved and how they relate to each other. Which AWS service helps investigators analyse and visualise these relationships?

A. Amazon GuardDuty
B. AWS CloudTrail
C. Amazon Detective
D. AWS Security Hub

Answer: C

Detective analyses security data from CloudTrail, VPC Flow Logs, and GuardDuty to automatically build a behaviour graph. Analysts use the visual interface to trace the timeline of an incident, identify affected resources, and understand attacker lateral movement.

Why this answer

Amazon Detective is designed specifically to analyze, investigate, and quickly identify the root cause of security findings by automatically collecting log data from AWS resources and building a graph model that shows relationships between users, IPs, and resources. When GuardDuty generates a finding about a potentially compromised EC2 instance, Detective can ingest that finding and provide a visual, interactive view of the entire resource interaction timeline, including network connections, API calls, and user activity, enabling investigators to understand the full context of the threat.

Exam trap

The trap here is that candidates often confuse Security Hub's aggregation and prioritization of findings with Detective's investigative and visualization capabilities, leading them to choose Security Hub when the question specifically asks for analyzing and visualizing relationships between users, IPs, and resources.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that generates security findings, but it does not provide the investigative analysis or visualization of relationships between users, IPs, and resources; it only alerts on suspicious activity. Option B is wrong because AWS CloudTrail records API calls for auditing and governance, but it does not automatically correlate events across multiple resources or build a graph model to visualize relationships; it provides raw logs that require manual correlation. Option D is wrong because AWS Security Hub aggregates and prioritizes security findings from multiple services, including GuardDuty, but it does not perform deep investigative analysis or visualize resource relationships; it is a central dashboard for compliance and security posture, not an investigation tool.

85 · MCQ · medium

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to enforce that all Amazon Elastic Block Store (EBS) volumes created in any account within the organization are automatically encrypted at rest. The team needs a centrally managed solution that proactively prevents the creation of unencrypted EBS volumes without requiring individual account administrators to enable any settings. Which AWS feature should the security team use to meet these requirements?

A. AWS Key Management Service (AWS KMS) with automatic key rotation
B. AWS Organizations with a service control policy (SCP) that denies the CreateVolume action unless encryption is enabled
C. Amazon EBS encryption by default at the account level, configured via the EC2 console in each account
D. AWS Config with a managed rule to detect unencrypted volumes and trigger an AWS Lambda function for automatic remediation

Answer: B

An SCP can be applied to the root or specific organizational units (OUs) to deny the creation of unencrypted EBS volumes. This centrally enforces the encryption requirement across all affected accounts without requiring any local configuration. It is a proactive, preventive control.

Why this answer

Option B is correct because an SCP in AWS Organizations can centrally deny the `ec2:CreateVolume` API call unless the request satisfies the encryption condition (the `ec2:Encrypted` condition key is `true`). This proactively prevents any user or role in any member account from creating an unencrypted EBS volume, regardless of individual account settings, meeting the requirement for a centrally managed, preventive control.

Exam trap

The trap here is that candidates confuse account-level default encryption settings (which are per-account and not centrally enforced) with SCPs, which provide organization-wide preventive controls without requiring individual account configuration.

How to eliminate wrong answers

Option A is wrong because AWS KMS with automatic key rotation manages encryption keys but does not enforce that EBS volumes are created encrypted; it only handles key lifecycle and rotation, not policy enforcement. Option C is wrong because enabling EBS encryption by default at the account level via the EC2 console requires each account administrator to manually configure the setting, which violates the requirement for a centrally managed solution that does not rely on individual account actions. Option D is wrong because AWS Config with a managed rule and a Lambda remediation function is a detective control: it reacts after an unencrypted volume already exists and must be set up in each account, so it does not proactively prevent creation as the requirement demands.

86 · MCQ · medium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that Amazon CloudTrail is enabled in all AWS Regions for every member account, and that no user (including account administrators) can disable it. The policy must apply automatically to any new accounts that are added to the organization. Which AWS feature should the security team use to enforce this requirement?

A. IAM policies with a Deny effect for CloudTrail actions
B. AWS Config rules with an auto-remediation action
C. Service Control Policies (SCPs)
D. AWS CloudTrail trails with multi-region and organization trail enabled

Answer: C

SCPs are the correct choice. They allow you to define a central permission guardrail at the organization level that applies to all accounts, including the root user. An SCP denying CloudTrail disablement will prevent any principal in the account from disabling the trail, and it automatically applies to new accounts added to the organization.

Why this answer

Service Control Policies (SCPs) are the correct choice because they allow the security team to centrally control the maximum available permissions for all accounts within an AWS Organization. By creating an SCP that denies all CloudTrail disabling actions (e.g., `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`) and attaching it to the root or specific organizational units, the policy applies automatically to all existing and new member accounts, and even account administrators cannot override it. This ensures CloudTrail remains enabled across all Regions in every account, meeting the enforcement requirement.

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-specific and can be bypassed by administrators) with SCPs (which are organization-wide and cannot be overridden by account administrators), leading them to choose IAM Deny policies instead of SCPs.

How to eliminate wrong answers

Option A is wrong because IAM policies are applied at the account or user level and can be overridden by account administrators who have full control over their own IAM configurations; they do not provide a centralized, unchangeable guardrail across all accounts in an organization. Option B is wrong because AWS Config rules can detect non-compliance and trigger auto-remediation actions, but they are not preventive controls—they can be disabled or modified by account administrators, and they do not inherently prevent a user from disabling CloudTrail in the first place.
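The three SCP guardrails described in questions 76, 85 and 86, written out as one organization-level policy document. This is an illustration added here, not material from the question bank: the action names and the `ec2:Encrypted` condition key are the real IAM identifiers, the `Sid` values are arbitrary, and the CloudTrail statement also denies `cloudtrail:UpdateTrail` (not named in the explanations) because that call could otherwise be used to turn off multi-region logging without stopping the trail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserCreation",
      "Effect": "Deny",
      "Action": "iam:CreateUser",
      "Resource": "*"
    },
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    },
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the organization root (or an OU) from the management account; SCPs never apply to the management account itself, so these statements constrain member accounts only.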

87 · MCQ · medium

A financial services company stores confidential transaction records in Amazon S3. The company's compliance policy requires that all data at rest be encrypted using encryption keys that are under the company's full control. The keys must be automatically rotated every year. The company also needs a detailed audit trail of when each key was used and by which AWS principal. Which combination of AWS service and key type should the company use to meet these requirements?

A. Use Amazon S3 server-side encryption with customer-provided keys (SSE-C) and store the keys in AWS Secrets Manager with automatic rotation enabled.
B. Use Amazon S3 server-side encryption with AWS managed keys (SSE-S3) and enable automatic key rotation.
C. Use AWS CloudHSM to generate and store the encryption keys, and configure an AWS Lambda function to rotate the keys every year and log usage to Amazon CloudWatch Logs.
D. Use AWS Key Management Service (AWS KMS) with a customer managed key and enable automatic key rotation.

Answer: D

AWS KMS customer managed keys give you full control over the key material and key policy. You can enable automatic annual rotation, and all key usage is logged in AWS CloudTrail, providing a detailed audit trail of which principal used the key.

Why this answer

Option D is correct because AWS KMS with a customer managed key allows the company to maintain full control over the encryption keys, enable automatic annual rotation, and provides detailed CloudTrail audit logs for every key usage, including the AWS principal that made the request. This satisfies the compliance requirements for encryption at rest, key rotation, and audit trail.

Exam trap

The trap here is that candidates often confuse SSE-C with customer managed keys in KMS, assuming that providing your own key (SSE-C) gives you full control and auditability, but SSE-C lacks automatic rotation and integrated auditing, which KMS provides.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to manage and provide the encryption keys themselves, and AWS does not support automatic key rotation for SSE-C; storing keys in Secrets Manager does not integrate with S3's SSE-C encryption process. Option B is wrong because SSE-S3 uses AWS managed keys, which are not under the customer's full control, and while automatic rotation is enabled, the customer cannot control the rotation schedule or have a detailed audit trail of key usage by AWS principal. Option C is wrong because CloudHSM provides hardware-based key storage but does not natively support automatic key rotation or integrate with AWS KMS for a detailed audit trail; a custom Lambda function would be needed, but this adds complexity and does not provide the same level of integrated auditing as KMS.

88 · MCQ · medium

A company has a compliance requirement that all Amazon S3 buckets must have server-side encryption (SSE) enabled and must block all public access. The company has hundreds of existing S3 buckets and creates new ones regularly. The security team needs a centralized AWS service that can continuously evaluate all buckets against these two rules, automatically detect noncompliant buckets, and then automatically remediate them by enabling SSE and blocking public access. Additionally, the team wants to receive notifications when compliance changes occur. Which AWS service should the security team use?

A. AWS Config with managed rules and automatic remediation
B. AWS Security Hub
C. AWS IAM Access Analyzer
D. Amazon Macie

Answer: A

AWS Config provides managed rules to evaluate resource configurations against best practices. It can automatically remediate noncompliant resources by invoking Systems Manager Automation documents. It also sends notifications via Amazon SNS for compliance changes, fully meeting the requirement.

Why this answer

AWS Config with managed rules such as `s3-bucket-server-side-encryption-enabled` and `s3-bucket-public-read-prohibited` can continuously evaluate all S3 buckets against these compliance requirements. When a noncompliant bucket is detected, AWS Config can automatically remediate it using SSM Automation documents (e.g., enabling SSE-S3 or SSE-KMS and applying bucket policies to block public access). Additionally, AWS Config can send notifications via Amazon SNS when compliance changes occur, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Security Hub's aggregation and visibility capabilities with the ability to perform automatic remediation, but Security Hub does not natively remediate resources; it relies on AWS Config rules or other services for that functionality.

How to eliminate wrong answers

Option B is wrong because AWS Security Hub aggregates security findings from multiple services (including AWS Config) and provides a comprehensive security posture view, but it does not natively perform automatic remediation of noncompliant resources; it relies on AWS Config rules or other services for remediation actions. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify unintended public or cross-account access, but it does not enforce server-side encryption, does not automatically remediate noncompliant buckets, and does not continuously evaluate all S3 buckets against encryption requirements. Option D is wrong because Amazon Macie is a data security service that discovers and classifies sensitive data in S3; although its bucket inventory reports encryption and public-access status, it does not automatically remediate noncompliant buckets.
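The detect-and-remediate pairing described in questions 83 and 88 as a CloudFormation template: each managed rule is linked to an AWS-managed SSM Automation document that runs automatically on a noncompliant bucket. This is an added illustration, not code from the question bank; the rule identifiers and the document names `AWS-EnableS3BucketEncryption` and `AWS-DisableS3BucketPublicReadWrite` are AWS-managed ones, their parameter names are taken from those documents and should be checked against the document's parameter list in your account, and `AutomationRoleArn` is a placeholder for a role you create.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Illustrative: detect S3 buckets without SSE or with public read, and remediate automatically",
  "Parameters": {
    "AutomationRoleArn": {
      "Type": "String",
      "Description": "PLACEHOLDER: ARN of an IAM role trusted by ssm.amazonaws.com with permission to change bucket encryption and ACLs"
    }
  },
  "Resources": {
    "S3EncryptionRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
        "Scope": { "ComplianceResourceTypes": ["AWS::S3::Bucket"] },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
        }
      }
    },
    "S3EncryptionRemediation": {
      "Type": "AWS::Config::RemediationConfiguration",
      "Properties": {
        "ConfigRuleName": { "Ref": "S3EncryptionRule" },
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-EnableS3BucketEncryption",
        "Automatic": true,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
          "AutomationAssumeRole": {
            "StaticValue": { "Values": [ { "Ref": "AutomationRoleArn" } ] }
          },
          "BucketName": {
            "ResourceValue": { "Value": "RESOURCE_ID" }
          },
          "SSEAlgorithm": {
            "StaticValue": { "Values": ["AES256"] }
          }
        }
      }
    },
    "S3PublicReadRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Scope": { "ComplianceResourceTypes": ["AWS::S3::Bucket"] },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
        }
      }
    },
    "S3PublicReadRemediation": {
      "Type": "AWS::Config::RemediationConfiguration",
      "Properties": {
        "ConfigRuleName": { "Ref": "S3PublicReadRule" },
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisableS3BucketPublicReadWrite",
        "Automatic": true,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
          "AutomationAssumeRole": {
            "StaticValue": { "Values": [ { "Ref": "AutomationRoleArn" } ] }
          },
          "S3BucketName": {
            "ResourceValue": { "Value": "RESOURCE_ID" }
          }
        }
      }
    }
  }
}
```

The template assumes the AWS Config recorder is already enabled in the account; for the multi-account case in question 83 it would be deployed to every account and paired with a Config aggregator in the management account for the consolidated view.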

89
MCQhard

A security team needs to continuously assess their AWS resources for security vulnerabilities and deviations from security best practices. Which service provides automated security assessments?

A.AWS Trusted Advisor
B.Amazon Detective
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub continuously runs automated security checks and aggregates findings from multiple security services.

Why this answer

AWS Security Hub is the correct answer because it provides a comprehensive view of your security posture across AWS accounts by aggregating, organizing, and prioritizing security findings from multiple AWS services (such as Amazon GuardDuty, Amazon Inspector and Amazon Macie) and third-party tools. It continuously checks the environment against security standards and best practices (the CIS AWS Foundations Benchmark, the AWS Foundational Security Best Practices standard, PCI DSS) and reports each control as passed or failed, which is what the question calls an automated security assessment. A practitioner should know that these standard controls are evaluated by AWS Config rules that Security Hub deploys on your behalf, so AWS Config recording must be enabled in every account and Region where Security Hub runs.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with Security Hub (which provides security assessments and aggregates findings), leading them to select AWS Config because they think 'continuous assessment' means configuration monitoring, but Security Hub is the service specifically designed for automated security posture assessments.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment and provides recommendations on cost optimization, performance, security, fault tolerance, and service limits, but its security checks are a small fixed set refreshed on a schedule; it does not assess against full security standards or aggregate findings from other security services. Option B is wrong because Amazon Detective is a security investigation service that analyzes, investigates, and identifies the root cause of security findings or suspicious activities, but it does not provide automated security assessments or compliance checks. Option D is wrong because AWS Config evaluates resource configurations against rules and tracks configuration history; on its own it reports configuration compliance, not vulnerabilities, and it does not aggregate findings from other security services. The relationship to remember is that Security Hub uses Config rules as the engine for its standard checks, so Config is a dependency of the assessment rather than the assessment itself.

90
MCQmedium

A company stores sensitive customer data in multiple Amazon S3 buckets. The security team wants to proactively identify any buckets that have been configured to allow unintended access from external AWS accounts or from the public internet. The team needs a service that continuously analyzes the resource-based policies attached to these buckets and generates findings when such unintended access is detected. Which AWS service should the security team use to meet this requirement?

A.AWS IAM Access Analyzer
B.AWS Config
C.AWS Trusted Advisor
D.Amazon Macie
AnswerA

Correct. AWS IAM Access Analyzer continuously analyzes resource-based policies and reports on resources that are accessible from external entities, including other AWS accounts or public access. It is specifically designed for this use case.

Why this answer

AWS IAM Access Analyzer is the correct service because it continuously analyzes resource-based policies (such as S3 bucket policies) to identify resources that are shared with external AWS accounts or publicly accessible. It generates findings for any policy that grants access to a principal outside the analyzer's zone of trust (the account or the organization), including policies whose Principal element is `"*"` (or `{"AWS": "*"}`) and therefore grants access to anyone. For S3 it also takes the bucket ACL, access points and the account- and bucket-level Block Public Access settings into account when deciding whether a bucket is actually reachable from outside. This directly meets the requirement for proactive, continuous monitoring of unintended access.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to monitor resource configurations with IAM Access Analyzer's specific purpose of analyzing resource-based policies for cross-account and public access, leading them to choose Config when the requirement explicitly mentions 'resource-based policies' and 'unintended access from external AWS accounts or the public internet.'

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates a bucket's configuration against rules (it does have managed rules such as `s3-bucket-public-read-prohibited`), but it does not perform policy reasoning over the resource-based policy to enumerate which external principals are granted access; Access Analyzer's findings name the external principal and the permissions granted, which is what the team asked for. Option C is wrong because AWS Trusted Advisor's S3 bucket permissions check is a best-practice check that is refreshed on a schedule (or on demand) rather than a continuous analysis of policy changes, and it reports only buckets with open access, not cross-account grants. Option D is wrong because Amazon Macie is designed to discover and protect sensitive data using machine learning and pattern matching, not to analyze resource-based policies for unintended access from external accounts or the public.
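To make the "resource-based policy analysis" in this answer concrete, here is an added example (not code from the original page or from AWS) of the kind of reasoning Access Analyzer applies to a bucket policy: every Allow statement is checked for AWS principals outside the owning account. The policy, the statement IDs and the account IDs are constructed for the example, `OWN_ACCOUNT` is an assumed value, and the handling of Condition elements is deliberately simplified (the real service evaluates the condition; this code only flags it for review).

```python
import re

OWN_ACCOUNT = "111122223333"  # assumed: the account that owns the bucket (documentation example ID)

# Constructed bucket policy for the example; the statements and account IDs are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/PartnerIngest"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]},
        {"Sid": "InternalWrite", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Exporter", "111122223333"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Matches "arn:aws:iam::123456789012:role/x", "arn:aws:iam::123456789012:root" or a bare account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:iam::)?(\d{12})(?::|$)")


def account_of(principal):
    """12-digit account ID behind an AWS principal string, or None for '*' or an unparsable value."""
    if principal == "*":
        return None
    match = ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def aws_principals(statement):
    """Principals in the statement's AWS element (Service and Federated principals are ignored here)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def external_access_findings(policy, own_account=OWN_ACCOUNT):
    """Allow statements whose AWS principal is outside own_account, one finding per principal."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        for principal in aws_principals(statement):
            account = account_of(principal)
            if account == own_account:
                continue
            findings.append({
                "sid": statement.get("Sid"),
                "principal": principal,
                "account": account,
                "kind": "public" if principal == "*" else "cross-account",
                # A Condition (aws:PrincipalOrgID, aws:SourceVpce, ...) may narrow the grant;
                # Access Analyzer reasons about it, this simplified check only flags it for review.
                "conditional": "Condition" in statement,
                "actions": statement.get("Action"),
            })
    return findings


def unconditional_public(policy, own_account=OWN_ACCOUNT):
    """Sids that grant access to everyone with no Condition at all: the findings to fix first."""
    return [f["sid"] for f in external_access_findings(policy, own_account)
            if f["kind"] == "public" and not f["conditional"]]


if __name__ == "__main__":
    for finding in external_access_findings(SAMPLE_POLICY):
        print(finding)
    print("fix first:", unconditional_public(SAMPLE_POLICY))
```

Running it reports three findings (PublicRead as public, PartnerRead as a cross-account grant to 444455556666, OrgOnly as public but conditional) and ignores the Deny statement and the same-account grants, which mirrors the distinction Access Analyzer draws between external access and access inside the zone of trust.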

91
MCQmedium

A healthcare company is migrating its application and patient data to AWS. To meet HIPAA requirements, the compliance officer must review and accept the AWS Business Associate Addendum (BAA). Additionally, the auditor requires the company to provide the latest AWS SOC 2 Type II report. The compliance officer needs a single self-service portal to access both documents directly from AWS. Which AWS service should the company use?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Security Hub
AnswerB

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports (e.g., SOC, PCI) and allows customers to review and accept agreements such as the HIPAA Business Associate Addendum (BAA).

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for on-demand access to AWS compliance reports, including the Business Associate Addendum (BAA) and SOC 2 Type II reports. This directly meets the compliance officer's requirement to review and accept the BAA and provide the latest SOC 2 report from a single AWS portal.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or Security Hub, thinking those services also provide compliance documentation, but only Artifact offers direct access to signed BAAs and third-party audit reports.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating, auditing, and assessing resource configurations against desired policies, not for accessing compliance documents like BAAs or SOC reports. Option C is wrong because AWS Trusted Advisor provides recommendations for cost optimization, performance, security, and fault tolerance, but does not offer access to compliance reports or legal agreements. Option D is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services, but it does not provide a portal to download or accept BAAs or SOC reports.

92
MCQmedium

A company needs to store their application's database connection strings and automatically rotate them every 30 days. Which AWS service handles secret storage with automatic rotation built in?

A.AWS Systems Manager Parameter Store
B.Amazon S3 with encryption
C.AWS Secrets Manager
D.AWS KMS
AnswerC

Secrets Manager stores secrets securely, rotates them automatically on a configurable schedule with native RDS integration, and provides versioned access so applications always get the current secret.

Why this answer

AWS Secrets Manager is the correct service because it is specifically designed to securely store secrets such as database connection strings, API keys, and passwords, and it provides built-in automatic rotation on a configurable schedule (for example every 30 days). For Amazon RDS, Amazon Redshift and Amazon DocumentDB credentials it offers managed rotation that needs no custom code at all; for other secret types rotation is performed by a Lambda function that Secrets Manager invokes on schedule. Applications retrieve the current version with a single GetSecretValue call, so no custom rotation or distribution logic is needed.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires built-in rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store can store secrets but does not have built-in automatic rotation; you must implement custom rotation logic with Lambda or other services. Option B is wrong because Amazon S3 with encryption provides secure storage but lacks any native secret rotation capability and is not designed for managing secrets with lifecycle rotation policies. Option D is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database connection strings.

93
MCQmedium

A company's security team needs to investigate a potential security incident. They want to determine which IAM user launched a new, unauthorized Amazon EC2 instance two days ago. The team needs to see the exact timestamp, the source IP address, and the instance type that was launched. Which AWS service should the security team use to find this information?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerB

AWS CloudTrail records all API calls, including the caller identity, timestamp, source IP address, and request parameters. This enables the security team to determine which IAM user launched the EC2 instance, when, and from where.

Why this answer

AWS CloudTrail is the correct service because it records API activity in your AWS account, including the exact timestamp (eventTime), source IP address (sourceIPAddress), the caller's identity (userIdentity, including the access key ID used) and the request parameters (such as instanceType) for every RunInstances API call. The response elements carry the resulting instance ID, so the team can search by instance ID and trace the unauthorized launch back to the specific IAM user who made the request. CloudTrail event history in the console covers the last 90 days of management events, so an event from two days ago is directly searchable; for longer retention or large-scale queries, a trail delivering to S3 can be queried with Athena or CloudTrail Lake.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with CloudTrail (which tracks who made the change and when), leading them to pick Config because they think 'configuration change' includes user identity, but Config does not log the principal or source IP.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking configuration changes over time, but it does not record who performed the action or the source IP address; it focuses on resource state, not API-level audit logs. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not provide a direct, queryable log of who launched a specific instance with exact timestamp and source IP; it generates findings, not raw API logs. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment to make recommendations for cost optimization, performance, security, and fault tolerance, but it does not log or provide historical API call details like user identity, timestamp, or source IP.
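The investigation described above, as an added example that is not part of the original page: a small parser over a CloudTrail log file that finds the RunInstances event for a given instance ID and pulls out the caller, timestamp, source IP and instance type. The log records are constructed for the example (account ID, user names, IPs, AMI and instance IDs are made up, and the access key ID is the AWS documentation placeholder); the field names are the ones CloudTrail uses.

```python
import json

# Constructed CloudTrail log file in the shape of a delivered log object
# ({"Records": [...]}); account ID, names, IPs, AMI and instance IDs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-10T14:02:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventVersion": "1.08", "eventTime": "2024-03-10T14:05:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"instanceType": "p3.8xlarge",
                           "instancesSet": {"items": [{"imageId": "ami-0abcdef1234567890",
                                                       "minCount": 1, "maxCount": 1}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0",
                                                       "instanceType": "p3.8xlarge"}]}}},
    {"eventVersion": "1.08", "eventTime": "2024-03-11T09:30:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.200",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}}},
     "requestParameters": {"instanceType": "t3.micro",
                           "instancesSet": {"items": [{"imageId": "ami-0fedcba9876543210",
                                                       "minCount": 1, "maxCount": 1}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210",
                                                       "instanceType": "t3.micro"}]}}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def actor(record):
    """Human-readable principal: the IAM user, or the role behind an assumed-role session."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        return f"role/{issuer.get('userName')} (session {session})"
    return f"{ident.get('type')}/{ident.get('userName', ident.get('arn'))}"


def launched_instance_ids(record):
    """Instance IDs returned by a RunInstances call (empty for failed calls and other events)."""
    items = ((record.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
    return [item["instanceId"] for item in items]


def find_launch(records, instance_id):
    """Who launched instance_id, when, from where and with which instance type."""
    for record in records:
        if record["eventName"] != "RunInstances":
            continue
        if instance_id not in launched_instance_ids(record):
            continue
        return {
            "who": actor(record),
            "when": record["eventTime"],
            "source_ip": record["sourceIPAddress"],
            "region": record["awsRegion"],
            "instance_type": record.get("requestParameters", {}).get("instanceType"),
            "access_key": record["userIdentity"].get("accessKeyId"),
        }
    return None


def launches_between(records, start, end):
    """Instance IDs launched in [start, end); ISO-8601 'Z' timestamps compare correctly as strings."""
    return [iid for r in records
            if r["eventName"] == "RunInstances" and start <= r["eventTime"] < end
            for iid in launched_instance_ids(r)]


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    print(find_launch(records, "i-0123456789abcdef0"))
    print(launches_between(records, "2024-03-10T00:00:00Z", "2024-03-11T00:00:00Z"))
```

The same fields are what you would filter on in the CloudTrail console (resource name = instance ID) or in an Athena query over the trail's S3 prefix; the assumed-role branch matters because in most accounts the interesting launches come from role sessions, and the session name, not the role, is what ties the call back to a person or pipeline run.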

94
MCQmedium

A company is preparing for a third-party security audit. The auditors require the company to provide up-to-date AWS compliance reports, such as the SOC 2 report and the ISO 27001 certificate, as part of the evidence. The company needs to access these documents from a centralized, self-service portal within their AWS account. They also need to accept the terms and conditions for the reports. Which AWS service should the company use to meet these requirements?

A.AWS Config
B.AWS Artifact
C.AWS Security Hub
D.AWS CloudTrail
AnswerB

AWS Artifact is the correct service. It provides a self-service portal for downloading AWS compliance reports and managing agreements. Customers can access SOC, ISO, PCI DSS reports, and accept agreements like the BAA directly from the console.

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for accessing AWS compliance reports, such as SOC 2 and ISO 27001 certificates, directly within the AWS Management Console. It also allows users to accept the terms and conditions for these reports, fulfilling the audit requirements without needing to contact AWS support.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or AWS Security Hub, assuming those services also provide compliance reports, but only Artifact offers the specific self-service portal for downloading and accepting terms for AWS compliance documents.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and recording resource configurations against desired policies, not for accessing compliance reports or accepting terms. Option C is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services, but it does not provide direct access to downloadable compliance reports like SOC 2 or ISO 27001 certificates. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not offer a portal for accessing third-party compliance reports or accepting their terms.

95
MCQmedium

A security team suspects unauthorised network traffic is reaching a subnet in their VPC. They need to capture metadata about the IP traffic (source IP, destination IP, port, protocol, accept/reject status) flowing through their VPC network interfaces for analysis. Which AWS feature provides this network traffic metadata?

A.AWS CloudTrail
B.Amazon GuardDuty
C.VPC Flow Logs
D.AWS WAF logs
AnswerC

VPC Flow Logs capture IP traffic metadata including source IP, destination IP, port, protocol, and accept/reject status for traffic through VPC ENIs. Logs can be published to CloudWatch Logs or S3 for analysis.

Why this answer

VPC Flow Logs capture metadata about IP traffic flowing through VPC network interfaces, including source/destination IP addresses, ports, protocol numbers, packet and byte counts, and accept/reject status (based on security group and network ACL evaluation). This is the correct feature because it is specifically designed to log network traffic metadata at the VPC, subnet, or network interface level, enabling security analysis without impacting network performance. Flow logs record metadata only, never packet payloads, and some traffic is excluded by design (for example DHCP traffic, requests to the instance metadata service at 169.254.169.254 and queries to the Amazon DNS resolver), so they complement rather than replace packet capture (VPC Traffic Mirroring) when payload inspection is needed.

Exam trap

The trap here is that candidates confuse VPC Flow Logs with CloudTrail or GuardDuty, mistakenly thinking that CloudTrail captures network traffic or that GuardDuty generates the raw metadata, when in fact VPC Flow Logs are the only service that directly captures the specified network traffic metadata at the interface level.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls and management events (e.g., who launched an EC2 instance), not network traffic metadata like IP addresses or ports. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and other data sources to identify malicious activity, but it does not itself generate or provide raw network traffic metadata. Option D is wrong because AWS WAF logs capture HTTP/HTTPS request details (e.g., URI, headers) for web ACL evaluations, not general IP traffic metadata across all protocols (e.g., TCP, UDP, ICMP) at the network interface level.
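To show what analysis of this metadata looks like, here is an added example (not from the original page) that parses default-format (version 2) flow log records and answers the questions a security team asks first: which sources are being rejected, on which ports, and which of them are outside the VPC. The log lines are constructed for the example (account ID, ENI ID and addresses are made up), and the internal address range passed to `external_sources` is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed flow log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# Addresses, account ID and ENI ID are made up; the NODATA line shows the layout of an interval with no traffic.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 45120 22 6 6 360 1710000000 1710000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 45121 3389 6 4 240 1710000000 1710000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.2.40 10.0.1.15 51234 443 6 25 6400 1710000000 1710000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 0 0 1 3 252 1710000060 1710000119 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1710000120 1710000179 - NODATA
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 45122 22 6 1 60 1710000120 1710000179 REJECT OK
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_line(line):
    """One default-format record as a dict, or None for NODATA/SKIPDATA intervals."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None  # no flow data in this interval, only '-' placeholders
    for key in NUMERIC:
        record[key] = int(record[key])
    return record


def parse(text):
    return [r for r in (parse_line(l) for l in text.strip().splitlines()) if r is not None]


def rejects_by_source(records):
    """How many rejected flows each source address produced (security group / NACL drops)."""
    return dict(Counter(r["srcaddr"] for r in records if r["action"] == "REJECT"))


def rejected_ports(records, srcaddr):
    """Sorted (protocol, destination port) pairs a source was refused on; a spread of ports suggests a scan."""
    return sorted({(PROTOCOL_NAMES.get(r["protocol"], str(r["protocol"])), r["dstport"])
                   for r in records if r["action"] == "REJECT" and r["srcaddr"] == srcaddr})


def external_sources(records, internal_cidrs=("10.0.0.0/8",)):
    """Source addresses outside the ranges the team treats as internal (the default list is an assumption)."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    return {r["srcaddr"] for r in records
            if not any(ipaddress.ip_address(r["srcaddr"]) in net for net in internal)}


if __name__ == "__main__":
    records = parse(SAMPLE_FLOW_LOG)
    print(rejects_by_source(records))
    for src in sorted(external_sources(records)):
        print(src, rejected_ports(records, src))
```

On the sample data 198.51.100.23 is refused three times on TCP/22 and TCP/3389 and 203.0.113.9 is refused on ICMP, while the only accepted flow comes from inside 10.0.0.0/8. In production the same logic runs as a CloudWatch Logs Insights or Athena query over the published log group or S3 prefix; the NODATA/SKIPDATA handling matters there too, because those records have dashes where the numeric fields would be.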

96
MCQeasy

A company wants to enable HTTPS on their Application Load Balancer using an SSL/TLS certificate. They want a managed service that provisions, renews, and deploys the certificate automatically at no cost for certificates used with integrated AWS services. Which AWS service provides this?

A.AWS KMS
B.AWS Secrets Manager
C.AWS Certificate Manager
D.AWS IAM
AnswerC

ACM provisions free SSL/TLS certificates for AWS-integrated services (ALB, CloudFront, API Gateway) and automatically renews them before expiration. This eliminates the cost and manual effort of certificate management.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is a managed service that provisions, renews, and deploys SSL/TLS certificates automatically at no additional cost when used with integrated AWS services like Application Load Balancers. ACM handles the entire certificate lifecycle, including automatic renewal before expiration, and integrates natively with ALB to enable HTTPS without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager with ACM because both involve 'secrets' and 'rotation,' but Secrets Manager does not handle SSL/TLS certificate provisioning or deployment to load balancers, and it incurs costs per secret.

How to eliminate wrong answers

Option A is wrong because AWS KMS (Key Management Service) is a service for creating and managing encryption keys, not SSL/TLS certificates; it does not provision or renew certificates for HTTPS. Option B is wrong because AWS Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates for load balancers; it does not automatically deploy certificates to an ALB. Option D is wrong because AWS IAM can store server certificates uploaded from an external certificate authority for legacy use (for example in Regions where ACM is not available), but it does not provision, renew, or deploy them: you must obtain the certificate from the CA, upload it, and repeat the process manually before it expires.

97
MCQmedium

A financial services company is preparing for an annual compliance audit. The compliance team needs to continuously assess whether their AWS environment adheres to industry standards such as PCI DSS. They want to automate the collection of evidence, such as IAM policy changes and S3 bucket configurations, and generate audit-ready reports. They also need to identify gaps in their controls and receive remediation recommendations. Which AWS service should the company use?

A.AWS Config
B.AWS Audit Manager
C.AWS Artifact
D.AWS Security Hub
AnswerB

AWS Audit Manager helps you continuously assess your AWS usage to simplify risk assessment and compliance with regulations and industry standards. It automatically collects evidence from various AWS services, maps it to controls in frameworks like PCI DSS, and generates audit-ready reports. It also identifies control gaps and provides remediation recommendations.

Why this answer

AWS Audit Manager is the correct choice because it is specifically designed to continuously assess compliance with industry standards like PCI DSS. It automates the collection of evidence (e.g., IAM policy changes, S3 bucket configurations) and generates audit-ready reports, while also identifying control gaps and providing remediation recommendations. This directly matches the company's need for automated evidence collection and gap analysis.

Exam trap

The trap here is that candidates often confuse AWS Audit Manager with AWS Config or AWS Security Hub, but Audit Manager is the only service that combines automated evidence collection, framework-specific assessments, and remediation recommendations for compliance audits.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for recording and evaluating resource configuration changes against rules, but it does not generate audit-ready reports or provide remediation recommendations for compliance frameworks like PCI DSS. Option C is wrong because AWS Artifact is a self-service portal for downloading compliance reports and agreements (e.g., SOC reports, PCI DSS attestations), but it does not automate evidence collection or assess live AWS environments. Option D is wrong because AWS Security Hub aggregates security findings from multiple services and provides a consolidated view of security posture, but it does not generate audit-ready reports or offer remediation recommendations specific to compliance frameworks like PCI DSS.

98
MCQmedium

A company uses multiple AWS accounts to store data in Amazon S3. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled. The team needs a service that can continuously monitor all S3 bucket configurations across all accounts, automatically detect any bucket that does not have encryption enabled, and automatically apply the encryption setting to bring the bucket into compliance. Which AWS service should the team use?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Security Hub
D.AWS CloudTrail
AnswerA

AWS Config continuously evaluates resource configurations against rules and can automatically remediate non-compliant resources, such as enabling encryption on S3 buckets.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. Using the managed rule `s3-bucket-server-side-encryption-enabled`, AWS Config detects S3 buckets that lack default server-side encryption, and a remediation action attached to the rule runs a Systems Manager Automation runbook (such as `AWS-EnableS3BucketEncryption`) to apply the encryption setting automatically; a runbook can in turn invoke a Lambda function through the `aws:invokeLambdaFunction` step if custom logic is needed. For the multi-account requirement, the rule and its remediation are deployed to every member account as an organization Config rule or a conformance pack from the management or delegated administrator account, and a Config aggregator gives the security team a single cross-account compliance view; evaluation and remediation still execute inside each member account.

Exam trap

The trap here is that candidates often confuse AWS Config's monitoring and remediation capabilities with AWS Security Hub's aggregation or Trusted Advisor's advisory checks, forgetting that only AWS Config can both detect and automatically fix non-compliant resource configurations.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous monitoring or automatic remediation of S3 bucket encryption settings; it only gives a periodic assessment. Option C is wrong because AWS Security Hub aggregates security findings from multiple services and provides a centralized view, but its S3 encryption control is itself evaluated by an AWS Config rule that Security Hub deploys, and Security Hub only reports the finding; it cannot apply encryption settings on its own. Option D is wrong because AWS CloudTrail records API activity and events for auditing, but it does not evaluate resource configurations or enforce compliance policies; it only logs actions after they occur.

99
MCQmedium

A company runs a public-facing e-commerce website on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has discovered that attackers are attempting SQL injection attacks through the website's search feature. The company wants to use a managed AWS service to inspect incoming HTTP requests and block these malicious payloads before they reach the application. Which AWS service should the company use?

A.AWS Shield Standard
B.AWS WAF
C.Network ACLs
D.Amazon GuardDuty
AnswerB

AWS WAF is a web application firewall that inspects HTTP and HTTPS requests and can block common threats such as SQL injection and cross-site scripting. It integrates directly with Application Load Balancers, Amazon CloudFront, and API Gateway, making it the correct service for this use case.

Why this answer

AWS WAF is a managed web application firewall that allows you to create rules to inspect HTTP/HTTPS requests and block common attack patterns, such as SQL injection and cross-site scripting. By associating a WAF web ACL with the Application Load Balancer, the company can filter incoming traffic and block malicious payloads before they reach the EC2 instances. The AWS-managed SQL database rule group (AWSManagedRulesSQLiRuleSet) supplies the SQL injection signatures, and a custom rule with a SQLi match statement can be scoped to the search parameter's query string or request body so that the check is tight where the attack is actually arriving. Because the web ACL is evaluated at the load balancer, a blocked request never reaches the application code.

Exam trap

The trap here is that candidates often confuse AWS Shield (which protects against DDoS at Layer 3/4) with AWS WAF (which protects against application-layer attacks like SQL injection), leading them to choose Shield Standard instead of WAF.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic DDoS protection against network and transport layer attacks (e.g., SYN floods, UDP floods) and does not inspect application-layer payloads like SQL injection strings. Option C is wrong because Network ACLs are stateless firewall rules that operate at the subnet level (Layer 3/4) and cannot inspect HTTP request bodies or headers for SQL injection patterns. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not actively block incoming HTTP requests in real time.

100
MCQmedium

Which AWS service provides a managed way to create, control, and rotate encryption keys used to protect your data?

A.AWS Certificate Manager
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS CloudHSM
AnswerC

KMS is the dedicated managed service for creating and controlling encryption keys.

Why this answer

AWS Key Management Service (KMS) is the correct answer because it is a fully managed service that allows you to create, control, and rotate encryption keys used to protect your data. KMS integrates with other AWS services to encrypt data at rest and provides centralized key management, including automatic rotation for customer managed keys (yearly by default, with a configurable rotation period). Key material is protected in hardware security modules (HSMs) and never leaves them unencrypted, while the service itself handles the management and rotation lifecycle; rotated keys keep their key ID and earlier key versions so that previously encrypted data remains decryptable.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager (which rotates secrets) with KMS (which rotates encryption keys), but Secrets Manager does not create or manage the encryption keys themselves—it uses KMS for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates, not encryption keys for data protection; it handles certificate provisioning, renewal, and deployment, but does not create or rotate symmetric encryption keys. Option B is wrong because AWS Secrets Manager is designed to securely store, retrieve, and rotate secrets such as database credentials and API keys, not to create or manage encryption keys; while it can rotate secrets, it relies on KMS to encrypt those secrets at rest. Option D is wrong because AWS CloudHSM provides dedicated, single-tenant hardware security modules: AWS provisions and maintains the HSM hardware, but you own the key lifecycle inside the cluster, so key creation, access policy and rotation are your responsibility, there is no automatic rotation feature, and there is no native integration for encrypting data in most AWS services. CloudHSM is the right choice when you need FIPS-validated HSMs under your exclusive control, not when you need a managed key lifecycle.

101
MCQmedium

A company's security policy requires that all Amazon S3 buckets have default encryption enabled (SSE-S3 or SSE-KMS). A recent audit found several buckets without encryption enabled. The company wants an automated solution to continuously monitor all existing and new S3 buckets, detect any bucket that does not have default encryption enabled, and automatically remediate by enabling encryption. The solution must also maintain a compliance score and allow the security team to review non-compliant resources. Which AWS service should the company use to meet these requirements?

A.AWS Config with a managed rule (s3-bucket-server-side-encryption-enabled) and an automatic remediation action using an AWS Systems Manager Automation document
B.Amazon GuardDuty with a finding type for S3 bucket encryption
C.AWS Trusted Advisor with the S3 Bucket Permissions check
D.AWS CloudTrail with a trail that logs S3 API calls and an Amazon CloudWatch alarm
AnswerA

AWS Config continuously evaluates resource configurations against rules. The managed rule checks for S3 bucket default encryption. Automatic remediation via Systems Manager Automation can enable encryption on non-compliant buckets. This meets all stated requirements: continuous monitoring, detection, remediation, compliance score, and review capability.

Why this answer

AWS Config with the managed rule `s3-bucket-server-side-encryption-enabled` continuously evaluates S3 buckets against the encryption requirement. When a non-compliant bucket is detected, an automatic remediation action can invoke an AWS Systems Manager Automation document to enable default encryption (SSE-S3 or SSE-KMS). AWS Config also provides a compliance score dashboard and allows the security team to review non-compliant resources, meeting all stated requirements.

Exam trap

The trap here is that candidates confuse AWS Config's compliance evaluation and remediation capabilities with GuardDuty's threat detection or Trusted Advisor's advisory checks, but only AWS Config provides continuous monitoring, automated remediation, and a compliance score for resource configuration rules.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity (e.g., unusual API calls, credential compromise) and does not have a finding type for S3 bucket encryption compliance; it cannot detect or remediate missing default encryption. Option C is wrong because AWS Trusted Advisor's S3 Bucket Permissions check only reviews bucket access policies (e.g., public read/write), not server-side encryption settings, and it does not provide automated remediation or a compliance score. Option D is wrong because AWS CloudTrail logs S3 API calls (e.g., PutBucketEncryption) but cannot evaluate encryption configuration state, trigger remediation, or maintain a compliance score; CloudWatch alarms can only react to metric thresholds, not enforce encryption policies.
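Questions 88, 98 and 101 all turn on the same mechanism: AWS Config evaluates a bucket's recorded configuration and reports COMPLIANT or NON_COMPLIANT, and a remediation action is keyed off that result. The managed rules do this for you, but the evaluation logic is easiest to understand as a custom rule. The following added example (not code from the original page or from AWS) is the evaluation logic of such a custom rule for the two requirements in question 88, written as a Lambda handler that returns the Evaluation structure PutEvaluations expects. The configuration items are constructed (bucket names, key ARN and settings are made up) and follow a simplified version of the `AWS::S3::Bucket` configuration item layout, and the real `put_evaluations` call is left out so the code runs offline.

```python
import json

# Constructed configuration items in the simplified shape AWS Config passes to a
# custom rule inside event["invokingEvent"]. Field names follow the AWS::S3::Bucket
# configuration item; bucket names, key ARN and values are made up for this example.
SAMPLE_ITEMS = [
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "prod-invoices",
        "supplementaryConfiguration": {
            "ServerSideEncryptionConfiguration": {"rules": [
                {"applyServerSideEncryptionByDefault": {
                    "sseAlgorithm": "aws:kms",
                    "kmsMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}]},
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": True, "restrictPublicBuckets": True},
        },
    },
    {   # legacy bucket: no default-encryption rule, Block Public Access only partly on
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "legacy-uploads",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": True, "ignorePublicAcls": False,
                "blockPublicPolicy": False, "restrictPublicBuckets": False},
        },
    },
]

BPA_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def has_default_encryption(item):
    """True if at least one default-encryption rule names a supported SSE algorithm."""
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration") or {}
    return any(rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm") in SSE_ALGORITHMS
               for rule in sse.get("rules", []))


def missing_bpa_flags(item):
    """Block Public Access settings that are not switched on for the bucket."""
    bpa = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration") or {}
    return [flag for flag in BPA_FLAGS if bpa.get(flag) is not True]


def evaluate(item):
    """Build the Evaluation structure that PutEvaluations expects for one bucket."""
    problems = []
    if not has_default_encryption(item):
        problems.append("no default SSE rule")
    missing = missing_bpa_flags(item)
    if missing:
        problems.append("Block Public Access off: " + ", ".join(missing))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if problems else "COMPLIANT",
        # the API limits Annotation to 256 characters
        "Annotation": ("; ".join(problems) or "default SSE and Block Public Access enabled")[:256],
    }


def wrap_as_config_event(item, created="2024-03-10T14:05:41.000Z"):
    """Mimic the event envelope AWS Config sends to a custom rule's Lambda function."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "notificationCreationTime": created}),
            "resultToken": "example-token"}


def lambda_handler(event, context=None):
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate(invoking["configurationItem"])
    evaluation["OrderingTimestamp"] = invoking["notificationCreationTime"]
    # A deployed rule reports back with
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]);
    # the call is left out so the evaluation logic runs offline.
    return evaluation


def compliance_summary(items):
    return {ev["ComplianceResourceId"]: ev["ComplianceType"] for ev in map(evaluate, items)}


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(json.dumps(lambda_handler(wrap_as_config_event(item)), indent=2))
```

The NON_COMPLIANT result is what a remediation action keys off: in the console or in the `AWS::Config::RemediationConfiguration` resource you bind the rule to an Automation runbook and pass the bucket name as the `RESOURCE_ID` parameter, so the annotation produced here is what the security team sees next to the bucket in the compliance view while the runbook runs.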

102
Matchingmedium

Match each AWS database service to its description.

Descriptions to match

Managed relational database

NoSQL key-value and document database

Data warehousing

In-memory caching

MySQL/PostgreSQL-compatible relational database

Why these pairings

Amazon RDS is the managed relational database service; Amazon DynamoDB is the NoSQL key-value and document database; Amazon Redshift is the data warehouse; Amazon ElastiCache provides in-memory caching; Amazon Aurora is the MySQL- and PostgreSQL-compatible relational database engine, itself operated through RDS. Each description maps to exactly one of these services.

103
MCQmedium

A company is preparing for a PCI DSS compliance audit. The security team needs to ensure that all AWS API calls are logged and that the logs are continuously analyzed for suspicious or unauthorized activity. The team wants a managed security service that uses machine learning to identify threats, generates findings for review, and can trigger automated remediation through AWS Lambda. Which AWS service should the team use?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.Amazon Inspector
AnswerB

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior using machine learning and integrated threat intelligence. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs, generates findings, and can trigger automated responses through AWS Lambda, meeting all the requirements.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor AWS API calls (via CloudTrail), VPC Flow Logs, and DNS logs for suspicious activity. It generates actionable security findings and can trigger automated remediation through AWS Lambda, making it the correct choice for the described requirements.

Exam trap

The trap here is that candidates confuse AWS CloudTrail's logging capability with GuardDuty's threat detection, overlooking that CloudTrail alone does not analyze logs or trigger automated responses.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail only logs API calls and does not analyze them for threats or use machine learning to identify suspicious activity; it lacks built-in threat detection and automated remediation capabilities. Option C is wrong because AWS Config evaluates resource configurations against compliance rules and does not analyze API call logs for threats or use machine learning for threat detection. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not API call logs or continuous threat detection.

104
MCQeasy

Which AWS service continuously assesses your AWS resources for security vulnerabilities, unintended network exposure, and deviations from security best practices?

A. AWS Security Hub
B. Amazon Inspector
C. AWS Config
D. Amazon Macie
Answer: B

Inspector continuously scans EC2 instances and ECR container images for vulnerabilities and network exposure issues, generating prioritized findings.

Why this answer

Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It uses a combination of network reachability analysis and agent-based or agentless assessments to detect deviations from security best practices, such as missing patches or open ports to the internet.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (a central dashboard for findings) with the actual scanning service, leading them to choose Security Hub instead of Inspector, even though Security Hub does not perform the underlying vulnerability assessments.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a central security posture management service that aggregates findings from multiple AWS services (including Inspector) and checks compliance against standards like CIS AWS Foundations, but it does not perform the actual vulnerability scanning itself. Option C is wrong because AWS Config is a resource inventory and configuration tracking service that evaluates resource configurations against desired policies (e.g., whether an S3 bucket is public), but it does not scan for software vulnerabilities or network exposure. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) in S3 buckets, not to assess compute resources for security vulnerabilities or network exposure.

105
MCQ · hard

A company's security policy requires that access keys for IAM users must be rotated every 90 days. Which AWS service can automatically detect users with non-compliant key age?

A. AWS CloudTrail
B. AWS Config with the access-keys-rotated rule
C. Amazon GuardDuty
D. AWS IAM Access Analyzer
Answer: B

The AWS Config managed rule 'access-keys-rotated' continuously evaluates IAM access key ages and generates non-compliance findings for keys older than the configured threshold.

Why this answer

AWS Config with the 'access-keys-rotated' managed rule automatically checks whether IAM user access keys have been rotated within the specified number of days (default 90). When a key exceeds the configured maximum age, AWS Config flags the resource as non-compliant, enabling automated detection and remediation.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance rules (which evaluate resource configurations like key age) with CloudTrail's auditing capabilities (which log actions but do not enforce policies), leading them to incorrectly select CloudTrail.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., key creation, deletion) but does not evaluate compliance against a rotation policy; it lacks built-in rules for key age checks. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail events for malicious activity, not for IAM key rotation compliance. Option D is wrong because AWS IAM Access Analyzer identifies resources shared with external entities (e.g., cross-account access), not internal key rotation age.
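The check that the access-keys-rotated rule performs, reimplemented over a constructed IAM credential report so it runs offline. This is an added example, not material from the question bank; the column names follow the credential report's CSV layout, and the rows, users and timestamps are constructed sample data.

```python
"""Added example (not from the original page): flag active IAM access keys
older than the rotation threshold, the same condition the AWS Config managed
rule access-keys-rotated evaluates. The report below is constructed data in
the credential report's CSV layout (subset of columns)."""
import csv
import io
from datetime import datetime, timezone
from typing import Optional

MAX_ACCESS_KEY_AGE_DAYS = 90  # the rule's maxAccessKeyAge parameter (default 90)

# Constructed sample: three users, two key slots each, as in the real report.
SAMPLE_CREDENTIAL_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,2024-01-10T09:00:00+00:00,false,N/A
bob,true,2024-05-01T12:30:00+00:00,true,2023-11-20T08:00:00+00:00
carol,false,2023-06-15T00:00:00+00:00,false,N/A
"""


def key_age_days(last_rotated: str, now: datetime) -> Optional[int]:
    """Age of a key in whole days, or None when the slot holds no key."""
    if last_rotated in ("N/A", "not_supported", ""):
        return None
    rotated = datetime.fromisoformat(last_rotated)
    return (now - rotated).days


def find_stale_keys(report_csv: str, now: datetime, max_age: int = MAX_ACCESS_KEY_AGE_DAYS):
    """Return [(user, key_slot, age_days)] for every ACTIVE key older than
    max_age. Inactive keys are skipped, matching the Config rule, which only
    evaluates active keys (deleting an inactive stale key is still good hygiene)."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = key_age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_age:
                stale.append((row["user"], f"access_key_{slot}", age))
    return stale


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for user, slot, age in find_stale_keys(SAMPLE_CREDENTIAL_REPORT, now):
        print(f"NON_COMPLIANT {user} {slot}: {age} days old (> {MAX_ACCESS_KEY_AGE_DAYS})")
```

Against the sample, alice's key 1 and bob's key 2 are non-compliant; carol's old key is ignored because it is inactive.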

106
MCQ · medium

A compliance team needs to track the configuration history of AWS resources, determine when a security group was last modified, and verify that all EC2 instances comply with a rule requiring encryption on all attached EBS volumes. Which AWS service provides these capabilities?

A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS Config
D. Amazon GuardDuty
Answer: C

Config continuously records the configuration of AWS resources and their relationships. It maintains a configuration history, evaluates configurations against compliance rules, and identifies non-compliant resources (like unencrypted EBS volumes).

Why this answer

AWS Config is the correct service because it provides configuration history of AWS resources, tracks changes to security groups (including last modification time), and allows you to define rules—such as requiring encryption on all EBS volumes attached to EC2 instances—and evaluate resources against those rules. It records configuration changes as configuration items and can trigger evaluations against managed or custom rules, making it ideal for compliance auditing.

Exam trap

The trap here is that candidates confuse AWS CloudTrail's API logging with AWS Config's configuration tracking, but CloudTrail only records the API call that made the change, not the resulting configuration state or compliance evaluation.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (who did what, when, and from where) but does not track the configuration state or history of resources over time, nor does it evaluate compliance rules. Option B is wrong because Amazon CloudWatch monitors metrics, logs, and alarms for operational health and performance, but it does not track resource configuration history or enforce compliance rules like encryption requirements. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs, VPC flow logs, and CloudTrail events for malicious activity, not for tracking configuration changes or evaluating compliance rules.

107
MCQ · easy

A company hires 10 new developers and needs to assign them identical AWS permissions — read access to S3 and the ability to launch EC2 instances. What is the AWS best practice for assigning these permissions efficiently?

A. Attach an inline policy to each of the 10 IAM users individually
B. Create an IAM group, attach the required policies to the group, and add all 10 users to the group
C. Create one IAM user account and share the credentials with all 10 developers
D. Grant the developers root account access with MFA enabled
Answer: B

IAM groups are specifically designed for this purpose. Assign policies once to the group, add users to the group, and all users inherit the permissions. Future permission changes only need to be made to the group.

Why this answer

IAM groups allow administrators to assign permissions to multiple users at once. By creating a 'Developers' group with the required policies and adding all 10 users to it, permissions are managed centrally. Adding a policy to the group affects all members simultaneously.

108
MCQ · medium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to enforce a policy that prevents any employee from deploying resources in AWS Regions outside of the United States. The company’s legal department requires a preventive control that automatically blocks all resource creation in non-approved Regions for every account, including any new accounts added in the future. The team wants a solution that requires minimal ongoing administration. Which AWS feature should the security team use?

A. Create an IAM policy with a condition that denies `ec2:RunInstances` if the Region is not `us-east-1` or `us-west-2`, and attach it to all IAM users and roles.
B. Configure an AWS Config rule that checks for resources in non-approved Regions and automatically terminates them using a custom Lambda function.
C. Attach a Service Control Policy (SCP) in AWS Organizations that denies access to all AWS API actions when the `aws:RequestedRegion` condition key does not match an approved Region.
D. Use VPC endpoint policies to restrict traffic to only the approved AWS Regions.
Answer: C

This is correct. An SCP is a centralized, preventive control that applies to all principals (users, roles) in member accounts. The condition `aws:RequestedRegion` is supported by most AWS services, allowing the policy to block resource creation in any non-approved Region. It automatically applies to new accounts added to the organization.

Why this answer

Option C is correct because a Service Control Policy (SCP) attached to the root or an OU in AWS Organizations can deny all AWS API actions when the `aws:RequestedRegion` condition key does not match an approved Region (e.g., `us-east-1` or `us-west-2`). This provides a preventive, account-wide guard that automatically applies to all existing and future accounts in the organization, requiring no per-user or per-role configuration and minimal ongoing administration.

Exam trap

The trap here is that candidates confuse detective controls (AWS Config) with preventive controls (SCPs) or mistakenly think IAM policies can enforce organization-wide restrictions, but SCPs are the only mechanism that applies to all accounts and principals in AWS Organizations without ongoing maintenance.

How to eliminate wrong answers

Option A is wrong because an IAM policy attached to users and roles is not a preventive control that applies to all accounts in the organization; it does not cover service-linked roles, root users, or new accounts, and it requires manual attachment to every principal. Option B is wrong because AWS Config rules are detective, not preventive—they detect non-compliant resources after creation and rely on a Lambda function for remediation, which does not block the initial resource creation and introduces latency and potential race conditions. Option D is wrong because VPC endpoint policies control traffic to AWS services through VPC endpoints but do not restrict resource creation in non-approved Regions; they are scoped to network-level access, not account-wide API actions.
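The region-deny SCP described in option C, written out as a policy document together with a small simulator of how that single Deny statement evaluates sample API requests. This is an added example, not code from the question bank or from AWS; the approved Regions come from the question, while the list of exempted global services is an illustrative subset (an assumption) and not an authoritative list.

```python
"""Added example (not from the original page): a region-restriction SCP using
the aws:RequestedRegion condition key, plus a simplified evaluator for it.

Assumptions: approved Regions are us-east-1 and us-west-2 (from the question).
GLOBAL_SERVICE_ACTIONS is an illustrative subset; a real SCP must be tested
against your own workloads before it is attached to the root or an OU."""
import json
from fnmatch import fnmatch

APPROVED_REGIONS = ["us-east-1", "us-west-2"]

# Global services are served from a single Region, so a naive "deny everything
# outside approved Regions" breaks them. NotAction carves them out of the Deny.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*",
    "organizations:*",
    "sts:*",
    "cloudfront:*",
    "route53:*",
    "support:*",
]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}
            },
        }
    ],
}


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """Does any Deny statement in `policy` match a request for `action` in
    `region`? Only the constructs used above (Deny, NotAction, StringNotEquals
    on aws:RequestedRegion) are modelled. A match means the request is blocked:
    an explicit SCP deny cannot be overridden by any IAM policy in the account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT listed.
        if any(fnmatch(action, pattern) for pattern in stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion", [])
        if allowed_regions and region not in allowed_regions:
            return True
    return False


def evaluate_requests(policy: dict, requests):
    """Map each (action, region) to 'DENY' or 'PASS'. 'PASS' only means the SCP
    did not deny it; the account's own IAM policies must still grant it, since
    SCPs never grant permissions."""
    return {
        (action, region): ("DENY" if scp_denies(policy, action, region) else "PASS")
        for action, region in requests
    }


if __name__ == "__main__":
    print(json.dumps(REGION_DENY_SCP, indent=2))
    sample = [  # constructed requests
        ("ec2:RunInstances", "us-east-1"),      # approved Region
        ("ec2:RunInstances", "eu-west-1"),      # blocked
        ("s3:CreateBucket", "ap-southeast-2"),  # blocked, any service
        ("iam:CreateRole", "us-east-1"),        # global service, exempt
        ("sts:AssumeRole", "eu-central-1"),     # exempt even outside the US
    ]
    for (action, region), verdict in evaluate_requests(REGION_DENY_SCP, sample).items():
        print(f"{verdict:5} {action} in {region}")
```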

109
MCQ · medium

A company's external auditor requires the company to provide evidence that the AWS infrastructure used by the company meets SOC 2 and ISO 27001 standards. The company needs to download the latest AWS SOC 2 report and ISO 27001 certification to share with the auditor. Which AWS service or feature should the company use to retrieve these documents?

A. AWS Audit Manager
B. AWS Artifact
C. AWS Config
D. AWS Trusted Advisor
Answer: B

AWS Artifact is the correct service for downloading AWS compliance reports, such as SOC 2 and ISO 27001 certifications, on demand.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS security and compliance reports, including SOC 2 and ISO 27001 certifications. The company can download the latest versions directly from the AWS Artifact console or API, satisfying the auditor's request for evidence without needing to configure any additional resources.

Exam trap

The trap here is that candidates confuse AWS Artifact (a document repository for compliance reports) with AWS Audit Manager (a tool for automating internal audits), leading them to select Audit Manager when the question specifically asks for downloading existing reports.

How to eliminate wrong answers

Option A (AWS Audit Manager) is wrong because it is used to continuously audit AWS usage and automate evidence collection for internal compliance frameworks, not to download pre-existing compliance reports like SOC 2 or ISO 27001. Option C (AWS Config) is wrong because it evaluates and records resource configuration changes against desired policies, but it does not provide access to AWS's own third-party compliance certifications. Option D (AWS Trusted Advisor) is wrong because it offers real-time recommendations for cost optimization, performance, security, and fault tolerance, but it does not host or distribute compliance documentation.

110
MCQ · medium

A company processes credit card transactions and must comply with PCI DSS requirements. Customer payment data is stored in Amazon RDS for MySQL. The security team needs to ensure that all automated database snapshots are encrypted at rest using customer-managed encryption keys that are automatically rotated every 365 days. The team wants a fully managed AWS service to create and control these encryption keys. Which AWS service should the company use to meet these requirements?

A. AWS Key Management Service (AWS KMS)
B. AWS CloudHSM
C. AWS Secrets Manager
D. AWS Certificate Manager (ACM)
Answer: A

Correct. AWS KMS is the managed service for creating and controlling encryption keys. It supports automatic annual key rotation and encrypts RDS snapshots at rest.

Why this answer

AWS KMS is the correct service because it provides a fully managed, centralized way to create and control customer-managed keys (CMKs) that can be used to encrypt Amazon RDS automated snapshots. KMS supports automatic annual key rotation (365 days) as a built-in feature, and it integrates directly with RDS to enforce encryption at rest for snapshots without requiring any manual key management. This meets the PCI DSS requirement for customer-controlled encryption keys with automated rotation.

Exam trap

The trap here is that candidates confuse CloudHSM's hardware-based key control with KMS's fully managed key rotation and integration, assuming that any HSM service automatically handles key rotation, when in fact CloudHSM requires you to implement rotation logic yourself.

How to eliminate wrong answers

Option B is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) that give you full control over the HSM appliance, but it is not a fully managed key creation and rotation service; you must manage key rotation yourself, and it does not natively integrate with RDS for automated snapshot encryption. Option C is wrong because AWS Secrets Manager is designed to manage and rotate secrets (like database credentials or API keys), not to create or control encryption keys for data-at-rest encryption; it cannot be used to encrypt RDS snapshots. Option D is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for securing network traffic, not encryption keys for data at rest; it has no capability to encrypt RDS snapshots or manage customer-managed encryption keys.

111
MCQ · medium

A healthcare startup is migrating its patient records database to Amazon RDS for PostgreSQL. The company must comply with HIPAA and ensure that all protected health information (PHI) is encrypted at rest and in transit. Which task is the company responsible for under the AWS shared responsibility model?

A. Encrypting the physical disk drives in the AWS data center that host the database.
B. Enabling encryption at rest for the Amazon RDS instance and configuring SSL for connections.
C. Applying operating system patches to the Amazon RDS database engine.
D. Configuring network ACLs to block all traffic except from authorized sources.
Answer: B

This is the customer's responsibility. The customer must choose to enable encryption at rest when creating or modifying the RDS instance and must configure SSL/TLS settings to ensure data in transit is encrypted. AWS provides the underlying infrastructure, but the customer controls the encryption settings.

Why this answer

Under the AWS shared responsibility model, the customer is responsible for encryption in transit and at rest for the data they store in AWS services. For Amazon RDS, enabling encryption at rest (via AWS KMS) and configuring SSL/TLS for client connections are customer-side tasks. AWS handles the physical security of data centers and the underlying infrastructure, but the customer must explicitly enable these encryption features to meet HIPAA compliance.

Exam trap

The trap here is that candidates often confuse customer-managed patching (Option C) with AWS-managed patching in RDS, or they assume network ACLs (Option D) satisfy encryption requirements, when the question specifically targets encryption responsibilities under HIPAA.

How to eliminate wrong answers

Option A is wrong because encrypting physical disk drives in AWS data centers is the sole responsibility of AWS under the shared responsibility model; customers have no access to or control over physical hardware. Option C is wrong because applying operating system patches to the Amazon RDS database engine is managed by AWS, not the customer; RDS is a managed service where AWS handles patching of the database engine and underlying OS. Option D is wrong because configuring network ACLs to block all traffic except from authorized sources is a customer responsibility, but it is not the specific task required to meet the encryption-in-transit and at-rest requirements for HIPAA; the question explicitly asks about encryption, not network access control.

112
MCQ · medium

A company uses an Amazon RDS for PostgreSQL database for its production application. The security policy requires that database passwords be rotated automatically every 90 days. The database credentials are currently stored in a configuration file on an Amazon EC2 instance. The company wants a fully managed AWS service that can securely store the credentials, automatically rotate them on a schedule, and update the RDS instance without requiring code changes to the application. Which AWS service should the company use to meet these requirements?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. AWS Key Management Service (KMS)
D. AWS Certificate Manager (ACM)
Answer: A

Secrets Manager natively supports automatic rotation of RDS database credentials with built-in rotation functions, and it integrates directly with RDS to update the password. No application code changes are needed.

Why this answer

AWS Secrets Manager is the correct choice because it is a fully managed service designed specifically to securely store database credentials, automatically rotate them on a defined schedule (e.g., every 90 days), and natively integrate with Amazon RDS to update the password without requiring any application code changes. The application can retrieve the current credentials at runtime using the Secrets Manager API, eliminating the need for hardcoded or file-based credentials.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation and RDS integration, making it unsuitable for the rotation requirement.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it only stores plaintext or encrypted parameters and requires custom solutions (e.g., Lambda functions) to implement rotation. Option C is wrong because AWS Key Management Service (KMS) is a key management service for creating and controlling encryption keys, not for storing or rotating database credentials. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy SSL/TLS certificates, not database passwords or secrets.

113
MCQ · easy

Which AWS IAM feature allows you to set the maximum permissions that IAM entities in an account can have, regardless of what their identity-based policies allow?

A. IAM Conditions
B. Permission Boundaries
C. Service Control Policies (SCPs)
D. Resource-based policies
Answer: B

Permission Boundaries define the maximum permissions an IAM entity can have — even if attached policies grant more, the boundary limits actual effective permissions.

Why this answer

Permission Boundaries are an AWS IAM feature that sets the maximum permissions an IAM entity (user or role) can have. They act as a guardrail, limiting the effective permissions to the intersection of the identity-based policy and the boundary, regardless of what the identity-based policy allows. This ensures that even if a policy grants broad access, the boundary caps it at a defined maximum.

Exam trap

The trap here is confusing Permission Boundaries with Service Control Policies (SCPs), as both set permission limits, but SCPs operate at the AWS Organizations account level, not at the individual IAM entity level within a single account.

How to eliminate wrong answers

Option A is wrong because IAM Conditions are used to specify when a policy is in effect (e.g., based on IP address, time, or MFA status), not to set a hard cap on maximum permissions. Option C is wrong because Service Control Policies (SCPs) are an AWS Organizations feature that apply to all accounts within an organization, not to individual IAM entities within a single account. Option D is wrong because Resource-based policies are attached directly to AWS resources (like S3 buckets or KMS keys) and grant cross-account access, but they do not limit the maximum permissions of an IAM entity.

114
MCQ · medium

A company hosts a multi-tier web application on AWS. The web tier runs on Amazon EC2 instances in a public subnet, and the database tier runs on Amazon EC2 instances in a private subnet. The security team needs to configure security groups to allow only the web tier instances to communicate with the database tier on port 3306 (MySQL). The web tier must be accessible from the internet on port 443. Which security group configuration meets these requirements?

A. Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing the web security group as source on port 3306.
B. Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing 0.0.0.0/0 on port 3306.
C. Web security group: inbound rule allowing the web security group as source on port 443. Database security group: inbound rule allowing the web security group as source on port 3306.
D. Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing the internet-facing Application Load Balancer security group as source on port 3306.
Answer: A

This is correct. The web SG allows internet traffic on port 443, and the database SG uses the web SG as a source, which permits only traffic from instances associated with the web SG on port 3306.

Why this answer

Option A is correct because it uses a security group reference as the source for the database security group's inbound rule on port 3306, which allows traffic only from instances associated with the web security group. The web security group allows inbound HTTPS traffic from the internet (0.0.0.0/0) on port 443, meeting the requirement for public access. This configuration ensures least-privilege access by restricting database communication to only the web tier, without exposing the database to the internet or requiring IP-based rules.

Exam trap

The trap here is that candidates often confuse security group references with IP-based rules or incorrectly assume that the web security group should reference itself for inbound internet traffic, rather than using 0.0.0.0/0 for public access.

How to eliminate wrong answers

Option B is wrong because allowing 0.0.0.0/0 on port 3306 in the database security group would permit any internet host to connect to the database, violating the requirement to restrict access to only the web tier. Option C is wrong because the web security group's inbound rule should allow traffic from the internet (0.0.0.0/0) on port 443, not from itself; referencing the web security group as source on port 443 would only allow traffic from other instances in the same web security group, blocking external users. Option D is wrong because the database security group should reference the web security group as source, not the Application Load Balancer security group; the ALB is not part of the web tier instances and would allow traffic from the load balancer rather than directly from the EC2 instances, which does not match the requirement.
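A small model of how a CIDR source and a security-group-reference source admit traffic, used to compare options A and B above. This is an added example, not part of the original question; the group ids (sg-web, sg-db, sg-ops) and IP addresses are constructed.

```python
"""Added example (not from the original page): model security group inbound
rules whose source is either a CIDR or another security group, then evaluate
options A and B from the question against the same sample traffic.
Group ids and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InboundRule:
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a security group id


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: tuple  # security group ids attached to the instance's ENI


def is_allowed(dst_sg: SecurityGroup, port: int, src_ip: str, src_groups=()) -> bool:
    """Security groups are allow-lists with an implicit deny: traffic is admitted
    only if some inbound rule matches. A CIDR source is matched against the
    packet's source IP; a group-reference source matches only when the sending
    ENI is associated with that group, whatever its IP address."""
    for rule in dst_sg.inbound:
        if rule.port != port:
            continue
        if rule.source.startswith("sg-"):
            if rule.source in src_groups:
                return True
        elif ip_address(src_ip) in ip_network(rule.source):
            return True
    return False


def build_option_a():
    """Option A: web open to the internet on 443, DB reachable only from sg-web."""
    web = SecurityGroup("sg-web", [InboundRule(443, "0.0.0.0/0")])
    db = SecurityGroup("sg-db", [InboundRule(3306, "sg-web")])
    return web, db


def build_option_b():
    """Option B: same web rule, but the DB port is open to 0.0.0.0/0."""
    web = SecurityGroup("sg-web", [InboundRule(443, "0.0.0.0/0")])
    db = SecurityGroup("sg-db", [InboundRule(3306, "0.0.0.0/0")])
    return web, db


def check_configuration(builder):
    """Evaluate one configuration against the same sample traffic. The private
    subnet may block some of these paths at the routing layer; the point is
    what the security group alone would admit if the packet arrived."""
    web_sg, db_sg = builder()
    web_tier = Instance("web-1", "10.0.1.10", ("sg-web",))
    return {
        "internet_to_web_443": is_allowed(web_sg, 443, "203.0.113.7"),
        "web_to_db_3306": is_allowed(db_sg, 3306, web_tier.private_ip, web_tier.groups),
        "internet_to_db_3306": is_allowed(db_sg, 3306, "203.0.113.7"),
        # a host in the same VPC that is not in the web group (e.g. an ops box)
        "other_vpc_host_to_db_3306": is_allowed(db_sg, 3306, "10.0.1.50", ("sg-ops",)),
    }


if __name__ == "__main__":
    for label, builder in (("A", build_option_a), ("B", build_option_b)):
        print(f"Option {label}: {check_configuration(builder)}")
```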

115
MCQ · medium

A company encrypts data stored in Amazon S3, Amazon RDS, and Amazon EBS. The security team needs a managed service to create, rotate, and control the encryption keys used to protect this data, with full audit trails of key usage. Which AWS service should they use?

A. AWS CloudHSM
B. AWS Secrets Manager
C. AWS KMS
D. AWS Certificate Manager
Answer: C

KMS creates and manages encryption keys and integrates directly with S3, RDS, EBS, and many other services. All key usage events are automatically logged in CloudTrail, providing the required audit trail.

Why this answer

AWS KMS is a managed service that allows you to create, rotate, and control encryption keys used to protect data in Amazon S3, Amazon RDS, and Amazon EBS. It integrates with AWS CloudTrail to provide full audit trails of key usage, meeting the security team's requirements for a managed key management solution.

Exam trap

The trap here is that candidates often confuse AWS KMS with AWS CloudHSM, mistakenly thinking CloudHSM is required for full control and audit trails, but KMS provides managed key rotation and native CloudTrail integration without the operational overhead of managing HSMs.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but requires manual management of key rotation and does not offer native integration with AWS services for automatic key creation and rotation like KMS does. Option B is wrong because AWS Secrets Manager is designed to manage and rotate secrets such as database credentials and API keys, not encryption keys for data at rest in S3, RDS, or EBS. Option D is wrong because AWS Certificate Manager handles SSL/TLS certificates for securing network traffic, not encryption keys for data at rest.

116
MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application connects to an Amazon RDS for MySQL database. The database password is currently hardcoded in the application configuration file, and the security team is concerned about the risk of exposure. The company wants to remove the hardcoded credential and instead have the application retrieve the database password securely at runtime. Additionally, the security team requires that the password be automatically rotated every 90 days without any manual intervention or custom scripting. Which AWS service should the company use to meet these requirements?

A. AWS Systems Manager Parameter Store (SecureString parameters)
B. AWS Key Management Service (AWS KMS)
C. AWS Secrets Manager
D. AWS Identity and Access Management (IAM) roles for Amazon EC2
Answer: C

AWS Secrets Manager is a fully managed service for storing, retrieving, and automatically rotating secrets, including database credentials. It integrates with Amazon RDS to enable automatic rotation without custom code, meeting all requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials (including RDS for MySQL) without custom code. It supports native, automatic rotation of secrets every 90 days via a built-in Lambda rotation function, meeting the security team's requirement for zero manual intervention. Unlike Parameter Store, Secrets Manager provides automatic rotation out of the box, which is the key differentiator here.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (SecureString) with Secrets Manager, but Parameter Store lacks native automatic rotation, which is the critical requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store (SecureString parameters) can securely store the password and retrieve it at runtime, but it does not provide built-in automatic rotation of secrets; you would need custom scripting or a separate solution to rotate the password every 90 days. Option B is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database passwords. Option D is wrong because IAM roles for EC2 grant permissions to AWS API actions but cannot store or rotate a database password; they are used for authentication to AWS services, not for managing application-level credentials.

117
MCQ · medium

A company operates a global e-commerce website behind Amazon CloudFront. Security analysts have noticed a pattern of SQL injection attempts and cross-site scripting attacks targeting the web application. The company needs a fully managed service that can inspect incoming HTTP(S) requests and block these common web exploits before they reach the application origin. The solution must integrate with CloudFront and allow the security team to author custom rules. Which AWS service should the company use?

A. AWS Shield Advanced
B. AWS WAF
C. Amazon GuardDuty
D. AWS Firewall Manager
Answer: B

AWS WAF is a web application firewall that monitors and filters web requests for common attack patterns such as SQL injection and cross-site scripting. It integrates with CloudFront and allows you to define custom rules to block malicious traffic before it reaches your application.

Why this answer

AWS WAF is a fully managed web application firewall that integrates directly with Amazon CloudFront to inspect HTTP(S) requests. It provides pre-configured rule groups (e.g., the SQL injection and cross-site scripting rule sets) and allows the security team to author custom rules to block common web exploits before they reach the origin. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates confuse AWS Shield Advanced (which handles volumetric DDoS) with AWS WAF (which handles application-layer exploits like SQL injection and XSS), leading them to select Shield Advanced when the question explicitly describes web application attacks.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection and cost protection against scaling attacks, not application-layer inspection for SQL injection or XSS. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity in AWS accounts and workloads using VPC Flow Logs, DNS logs, and CloudTrail events, not a web application firewall that inspects HTTP(S) requests. Option D is wrong because AWS Firewall Manager is a policy management service that centrally configures and enforces firewall rules (including AWS WAF rules) across accounts, but it does not itself inspect or block web traffic.

118
MCQ · easy

What is the purpose of AWS Shield Standard?

A. To encrypt data at rest in S3 buckets
B. To protect AWS resources against common DDoS attacks
C. To monitor API calls made to AWS services
D. To filter malicious web traffic using rules
Answer: B

Shield Standard automatically protects all AWS customers against common DDoS attacks at no extra cost.

Why this answer

AWS Shield Standard is a free, always-on service that protects all AWS customers from common, infrastructure-layer Distributed Denial of Service (DDoS) attacks, such as SYN floods, UDP floods, and reflection attacks. It uses network flow monitoring and inline mitigation techniques at the AWS edge to automatically detect and block malicious traffic targeting AWS resources like EC2, ELB, CloudFront, and Route 53. This makes option B correct because its sole purpose is to provide baseline DDoS protection without any additional configuration or cost.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard with AWS WAF, mistakenly thinking Shield Standard provides application-layer filtering (like SQL injection or XSS protection), when in fact it only handles infrastructure-layer DDoS attacks, while WAF is needed for Layer 7 web traffic inspection.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest in S3 buckets is handled by AWS Key Management Service (KMS) or S3 server-side encryption (SSE), not by Shield Standard, which is a network-layer DDoS mitigation service. Option C is wrong because monitoring API calls to AWS services is the function of AWS CloudTrail, which logs API activity for auditing and governance, not Shield Standard. Option D is wrong because filtering malicious web traffic using rules is the purpose of AWS WAF (Web Application Firewall), which operates at Layer 7 and inspects HTTP/HTTPS requests, whereas Shield Standard focuses on Layer 3/4 volumetric DDoS attacks.

119
MCQmedium

Which AWS service provides hardware-based key management and cryptographic operations using FIPS 140-2 Level 3 validated hardware security modules (HSMs)?

A.AWS Key Management Service (KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.Amazon Macie
AnswerB

CloudHSM provides dedicated, single-tenant HSMs validated to FIPS 140-2 Level 3, giving customers full control over cryptographic keys without AWS having access.

Why this answer

AWS CloudHSM is the correct answer because it provides dedicated, single-tenant hardware security modules (HSMs) that are FIPS 140-2 Level 3 validated. This allows customers to perform cryptographic operations (e.g., key generation, signing, encryption) using hardware that meets the highest security level required for regulated workloads like PKI and financial services.

Exam trap

The trap here is that candidates confuse AWS KMS (which also uses HSMs) with CloudHSM, not realizing that KMS uses multi-tenant, FIPS 140-2 Level 2 HSMs by default and does not offer dedicated, single-tenant hardware or direct HSM access for custom cryptographic operations.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a managed service that uses FIPS 140-2 Level 2 validated HSMs (or Level 3 in some regions for specific operations) but does not provide dedicated, single-tenant hardware or direct access to the HSM for custom cryptographic operations. Option C is wrong because AWS Secrets Manager is a service for rotating and managing secrets (e.g., database credentials, API keys) and does not perform cryptographic operations or use HSMs directly. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data (e.g., PII) in S3, and it has no involvement with hardware-based key management or cryptographic operations.

120
MCQmedium

A company manages 15 AWS accounts and wants to centrally deploy and enforce consistent AWS WAF rules, security groups, and Shield Advanced protections across all accounts and regions from a single administrator account. Which AWS service provides this centralised security policy management?

A.AWS WAF
B.AWS Security Hub
C.AWS Firewall Manager
D.AWS Shield Advanced
AnswerC

Firewall Manager is a security management service that centrally deploys and enforces WAF rules, Shield Advanced protections, VPC security groups, and Network Firewall policies across all accounts in an AWS Organisation.

Why this answer

AWS Firewall Manager is the correct service because it provides centralized security policy management across multiple AWS accounts and regions. It allows an administrator to define and enforce AWS WAF rules, security group rules, and Shield Advanced protections from a single administrator account, ensuring consistent compliance across all accounts in an AWS Organization.

Exam trap

The trap here is that candidates confuse AWS WAF (a resource-level protection service) with Firewall Manager (a multi-account policy management service), leading them to select AWS WAF instead of the centralized governance solution.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall service that protects individual resources (e.g., CloudFront, ALB) but does not centrally manage policies across multiple accounts or regions. Option B is wrong because AWS Security Hub aggregates security findings and compliance checks from various services but does not enforce or deploy security policies like WAF rules or security groups. Option D is wrong because AWS Shield Advanced provides DDoS protection for specific resources but lacks the centralized policy management and enforcement capabilities across accounts and regions that Firewall Manager offers.

121
MCQmedium

A security team wants to automatically identify S3 buckets, IAM roles, and other resources in their AWS account that have policies granting access to external AWS accounts or the public internet — including findings they may not be aware of. Which AWS service performs this analysis?

A.Amazon GuardDuty
B.AWS Config
C.AWS IAM Access Analyzer
D.Amazon Macie
AnswerC

IAM Access Analyzer uses automated reasoning to analyse resource-based policies and generate findings when resources are accessible from outside the account or organisation. It covers S3 buckets, IAM roles, KMS keys, SQS queues, Lambda functions, and Secrets Manager secrets.

Why this answer

AWS IAM Access Analyzer is the correct service because it is specifically designed to analyze resource-based policies (such as S3 bucket policies, IAM role trust policies, and KMS key policies) and identify resources that are shared with external AWS accounts or publicly accessible. It generates findings for any policy that grants access to a principal outside of your AWS account, including the public internet, even for resources you may not be aware of. This directly matches the security team's requirement to automatically identify such exposures.

Exam trap

The trap here is that candidates often confuse IAM Access Analyzer with Amazon GuardDuty, assuming GuardDuty's threat detection includes policy analysis, but GuardDuty focuses on operational threats (e.g., compromised credentials) rather than static policy evaluation for external access.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not analyze resource policies for external access. Option B is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes, but it does not specifically analyze policies for cross-account or public access; it can only trigger rules that you define manually. Option D is wrong because Amazon Macie uses machine learning to discover and protect sensitive data in S3 buckets, but it does not analyze IAM roles or other resource policies for external access permissions.

122
MCQmedium

A company hosts a public-facing web application on Amazon EC2 instances behind an Application Load Balancer. The security team has noticed an increase in volumetric distributed denial-of-service (DDoS) attacks targeting the application's IP address. The company wants a managed AWS service that provides automatic, always-on protection against common network-layer DDoS attacks at no additional cost. Which AWS service should the company use?

A.AWS WAF
B.AWS Shield Standard
C.AWS Shield Advanced
D.AWS Network Firewall
AnswerB

AWS Shield Standard is free and automatically provides always-on protection against common network-layer (Layer 3/4) DDoS attacks for all AWS customers. It requires no configuration or additional cost, meeting the company's requirements.

Why this answer

AWS Shield Standard is the correct choice because it provides automatic, always-on protection against common network-layer (Layer 3/4) DDoS attacks, such as SYN floods and UDP reflection attacks, at no additional cost. It is integrated with Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53, making it ideal for protecting a public-facing web application behind an Application Load Balancer without requiring any configuration or extra fees.

Exam trap

The trap here is that candidates often confuse AWS WAF (Layer 7) with network-layer DDoS protection, or assume Shield Advanced is required for any DDoS protection, when Shield Standard already provides free, automatic coverage for common volumetric attacks at Layer 3/4.

How to eliminate wrong answers

Option A (AWS WAF) is wrong because it is a web application firewall that protects against application-layer (Layer 7) attacks like SQL injection and cross-site scripting, not volumetric network-layer DDoS attacks, and it incurs additional costs based on rules and requests. Option C (AWS Shield Advanced) is wrong because it provides enhanced DDoS protection with 24/7 access to the DDoS Response Team (DRT) and cost protection against scaling, but it is not free; it has a monthly subscription fee of $3,000 per organization plus data transfer charges. Option D (AWS Network Firewall) is wrong because it is a managed firewall service for filtering traffic at the VPC subnet level based on stateful rules and domain lists, not a dedicated DDoS mitigation service, and it does not provide automatic always-on protection against volumetric attacks.

123
MCQmedium

A company operates hundreds of AWS accounts under AWS Organizations. The security team wants a single dashboard that aggregates security findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie across all accounts. Additionally, they want to continuously assess the accounts against the CIS AWS Foundations Benchmark and receive a consolidated compliance score. Which AWS service should the security team use?

A.AWS Config
B.AWS Security Hub
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerB

Correct. AWS Security Hub is designed to aggregate, organize, and prioritize security findings from multiple AWS services (GuardDuty, Inspector, Macie, etc.) and third-party tools. It also provides continuous compliance checks against industry standards such as the CIS AWS Foundations Benchmark and displays a consolidated compliance score, all from a single dashboard.

Why this answer

AWS Security Hub is the correct service because it provides a single dashboard that aggregates security findings from multiple AWS services, including GuardDuty, Inspector, and Macie, across all accounts in an AWS Organization. It also integrates with AWS Config rules to continuously assess accounts against the CIS AWS Foundations Benchmark and provides a consolidated compliance score, meeting both requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation capabilities with Security Hub's consolidated dashboard and cross-service aggregation, leading them to choose AWS Config despite it lacking the single-pane-of-glass view for findings from multiple security services.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against rules, but it does not aggregate findings from GuardDuty, Inspector, or Macie into a single dashboard, nor does it provide a consolidated compliance score for the CIS benchmark across multiple accounts. Option C is wrong because Amazon GuardDuty is a threat detection service that only generates findings for malicious activity; it cannot aggregate findings from other services or assess compliance against the CIS benchmark. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, security, and fault tolerance, but it does not aggregate security findings from GuardDuty, Inspector, or Macie, nor does it perform continuous CIS benchmark assessments with a compliance score.

124
MCQmedium

A company is preparing for a SOC 2 Type II audit and needs to provide its auditor with evidence of AWS's operational security controls. The security team has been asked to download the latest SOC 2 Type II report published by AWS. The team must access the report through a self-service portal without needing to contact AWS Support. Which AWS service should the security team use to meet this requirement?

A.AWS Artifact
B.AWS Audit Manager
C.AWS Config
D.AWS Trusted Advisor
AnswerA

AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports, including SOC 2 Type II, PCI DSS, and ISO 27001. Customers can download these reports directly without contacting AWS Support, making it the correct service for this requirement.

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for downloading AWS compliance reports, including SOC 2 Type II reports, without needing to contact AWS Support. It offers on-demand access to AWS’s security and compliance documents, directly meeting the requirement for auditor evidence.

Exam trap

The trap here is that candidates may confuse AWS Audit Manager (which helps manage your own audits) with AWS Artifact (which provides AWS’s own compliance reports), leading them to select Audit Manager for downloading AWS’s SOC reports.

How to eliminate wrong answers

Option B is wrong because AWS Audit Manager is used to automate evidence collection for audits by assessing resource configurations, not to download pre-existing AWS compliance reports. Option C is wrong because AWS Config evaluates and records resource configuration changes against rules, but it does not host or provide access to AWS’s own SOC reports. Option D is wrong because AWS Trusted Advisor offers recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide compliance report downloads.

125
Matchingmedium

Match each AWS support plan to its key feature.

Matches

Customer service & documentation only

Business hours email support

24/7 phone & chat support

Concierge support team & proactive guidance

Technical Account Manager (TAM) & business-critical support

Why these pairings

AWS support plans offer increasing levels of support.

126
MCQmedium

A company manages over 100 AWS accounts using AWS Organizations. The security team wants a centralized service that continuously monitors for malicious or unauthorized behavior across all accounts. The service must analyze AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs to automatically detect threats such as anomalous API calls, crypto-mining activity, and compromised credentials. The security team wants to receive actionable alerts without having to write custom detection rules or manage underlying infrastructure. Which AWS service should the security team use?

A.Amazon Inspector
B.AWS Trusted Advisor
C.Amazon GuardDuty
D.AWS Config
AnswerC

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for malicious activity. It analyzes CloudTrail management events, VPC Flow Logs, and DNS logs to detect threats such as anomalous API calls, crypto-mining, and compromised credentials. It operates without requiring custom rules and can be centrally enabled across all accounts in an AWS Organization.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior using machine learning, anomaly detection, and integrated threat intelligence. It natively analyzes AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs across all accounts in an AWS Organization, automatically generating actionable alerts without requiring custom rules or infrastructure management.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detector), or assume AWS Config can perform threat detection when it is actually a compliance and configuration tracking service.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a continuous threat detection service that analyzes CloudTrail, VPC Flow Logs, or DNS logs. Option B is wrong because AWS Trusted Advisor provides best-practice checks for cost optimization, performance, security, and fault tolerance, but it does not perform real-time threat detection or analyze log data for malicious activity. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, not a threat detection service that monitors for anomalous behavior or analyzes log streams.

127
MCQmedium

A company discovered that an IAM user's access keys were accidentally committed to a public GitHub repository. Which immediate action should they take first?

A.Delete the GitHub repository
B.Immediately deactivate or delete the exposed IAM access keys
C.Enable MFA for the IAM user
D.Move the credentials to a private repository
AnswerB

Deactivating or deleting the exposed keys stops any active unauthorized use immediately. This is the first priority before investigation.

Why this answer

The immediate priority when IAM access keys are exposed is to revoke their validity to prevent unauthorized use. Deactivating or deleting the keys ensures that any malicious actor who obtained them from the public repository can no longer authenticate as the IAM user, stopping potential data breaches or resource abuse. This aligns with the AWS security best practice of rotating credentials upon suspected compromise.

Exam trap

The trap here is that candidates may focus on removing the public exposure (e.g., deleting the repo or moving to private) rather than understanding that the keys themselves must be invalidated, as the damage is already done once they are publicly accessible.

How to eliminate wrong answers

Option A is wrong because deleting the GitHub repository does not invalidate the already-exposed access keys; the keys remain active and can still be used by anyone who copied them. Option C is wrong because enabling MFA adds a second factor for future console logins but does not affect the validity of the already-leaked access keys, which are used for programmatic access and bypass MFA entirely. Option D is wrong because moving the credentials to a private repository does not revoke the keys; they are still active and could have been copied by unauthorized parties before the move, leaving the account vulnerable.

128
MCQmedium

A company runs a web application that connects to an Amazon RDS for MySQL database. The security policy requires that the database password be rotated every 30 days. The development team wants a fully managed solution that automatically rotates the password, handles the update in RDS, and provides the application with the latest credentials without any code changes. The application should also continue to work during the rotation process. Which AWS service should the company use to meet these requirements?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Key Management Service (AWS KMS)
D.AWS Identity and Access Management (IAM)
AnswerA

Correct. AWS Secrets Manager is a fully managed service that stores, rotates, and retrieves secrets such as database credentials. It supports automatic rotation with built-in integration for Amazon RDS, Aurora, Redshift, and other services. Secrets Manager can rotate passwords on a schedule and use versioning to ensure that applications continue to work during rotation by serving the current version while a new version is being created.

Why this answer

AWS Secrets Manager is the correct choice because it provides a fully managed service for automatic password rotation every 30 days, directly integrates with Amazon RDS for MySQL to update the database credentials, and supplies the latest credentials to the application via the Secrets Manager API without requiring any code changes. The rotation process is designed to ensure application availability by using a staged rotation strategy (e.g., creating a new credential while the old one remains valid) so the application continues to work during the rotation.

Exam trap

AWS often tests the distinction between Secrets Manager (for automatic rotation and RDS integration) and Systems Manager Parameter Store (for static configuration or manual rotation), leading candidates to choose Parameter Store because it can store secrets but lacks the automated rotation and RDS-specific update capability required here.

How to eliminate wrong answers

Option B (AWS Systems Manager Parameter Store) is wrong because it does not support automatic rotation of RDS database passwords; it is a parameter store for configuration data and secrets but lacks built-in rotation scheduling or direct RDS integration. Option C (AWS Key Management Service) is wrong because it is a key management service for encryption keys, not for storing or rotating database passwords; it cannot update RDS credentials or provide the application with the latest password. Option D (AWS Identity and Access Management) is wrong because IAM manages users, roles, and permissions for AWS services, not database passwords; it cannot rotate RDS credentials or serve as a credential store for the application.

129
MCQmedium

A company operates a healthcare application on AWS that must comply with HIPAA regulations. The application stores sensitive patient data in Amazon S3. The compliance team requires that all data at rest in S3 be encrypted with a key that the company manages. The company also needs the ability to automatically rotate the encryption key every 365 days and to audit all key usage through AWS CloudTrail. Which AWS service should the company use to meet these requirements?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS) with a customer managed key
C.AWS CloudHSM
D.Amazon S3 server-side encryption with S3-managed keys (SSE-S3)
AnswerB

KMS with a customer managed key enables you to create and control the lifecycle of encryption keys. Automatic key rotation every 365 days is supported for customer managed keys, and all key usage is recorded in CloudTrail for auditing.

Why this answer

AWS KMS with a customer managed key (CMK) allows the company to create and control the encryption key used for S3 server-side encryption, meeting HIPAA's requirement for customer-managed keys. KMS supports automatic key rotation every 365 days (or custom period) and integrates with AWS CloudTrail to log every key usage (e.g., Decrypt, Encrypt API calls) for auditing. This combination satisfies all stated requirements: encryption at rest, customer-managed key, automatic rotation, and auditability.

Exam trap

The trap here is that candidates may confuse AWS CloudHSM (which offers dedicated HSM control) with KMS's simpler managed rotation and auditing, overlooking that CloudHSM requires manual rotation and lacks native CloudTrail integration for key usage logs.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates for data in transit, not encryption keys for data at rest in S3; it cannot provide key rotation or audit key usage via CloudTrail. Option C is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but does not natively support automatic key rotation (you must implement rotation manually) and does not integrate directly with CloudTrail for key usage auditing without additional custom logging; KMS is the simpler, fully managed service that meets all requirements out of the box.

130
MCQmedium

Which AWS service helps detect unusual API activity and potential security threats by analyzing AWS CloudTrail, VPC Flow Logs, and DNS logs?

A.AWS Security Hub
B.Amazon Macie
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerC

GuardDuty uses ML to analyze CloudTrail, VPC Flow Logs, and DNS logs to detect threats.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to identify malicious activity. It analyzes data sources including AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs to detect unusual API calls, potentially compromised instances, and other security threats.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (the logging service) with GuardDuty (the threat detection service), assuming that simply enabling CloudTrail provides threat detection, when in fact CloudTrail only records events and requires a separate analysis engine like GuardDuty to identify malicious patterns.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and checks compliance against standards, but it does not directly analyze raw logs like CloudTrail, VPC Flow Logs, or DNS logs. Option B is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) stored in Amazon S3, not to analyze API activity or network logs. Option D is wrong because AWS CloudTrail is the service that records API activity for governance and auditing, but it does not perform threat detection or analysis; it simply provides the log data that other services like GuardDuty can consume.

131
MCQeasy

A company stores sensitive financial data in an Amazon S3 bucket. The security policy requires that all data must be encrypted in transit. The security administrator discovers that some automated scripts are using HTTP instead of HTTPS to upload files. The administrator must enforce that any request that does not use HTTPS is denied by the S3 bucket policy. Which condition key should the administrator include in the bucket policy to enforce this requirement?

A.aws:SourceIp
B.aws:Referer
C.aws:SecureTransport
D.s3:x-amz-server-side-encryption
AnswerC

This condition key checks if the request was sent over SSL/TLS. When set to 'false', the condition matches HTTP requests, allowing the policy to deny them. This is the correct key to enforce encryption in transit.

Why this answer

Option C is correct because the `aws:SecureTransport` condition key in an S3 bucket policy evaluates whether the request was sent over HTTPS (TLS). A Deny statement whose condition checks that `aws:SecureTransport` is `false` rejects every request made over plain HTTP, enforcing encryption in transit as the security policy requires.

Exam trap

The trap here is that candidates may confuse `aws:SecureTransport` with other condition keys like `aws:SourceIp` or `aws:Referer`, which control different aspects of access (network origin or referrer) rather than the transport protocol itself.

How to eliminate wrong answers

Option A is wrong because `aws:SourceIp` restricts access based on the client's IP address, not the protocol (HTTP vs HTTPS). Option B is wrong because `aws:Referer` restricts access based on the HTTP Referer header, which is unrelated to transport encryption.

132
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that no Amazon S3 bucket in any account within the organization can be made publicly accessible. The team wants a centrally managed, preventive control that applies to all existing and future accounts and cannot be overridden by individual account administrators. Which AWS feature should the security team use to meet these requirements?

A.S3 Block Public Access account-level settings
B.AWS Config managed rule s3-bucket-public-read-prohibited
C.Amazon Macie with a sensitive data discovery job
D.Service control policy (SCP) in AWS Organizations
AnswerD

Service control policies (SCPs) are a feature of AWS Organizations. They allow centralized, preventive control over the maximum permissions granted to accounts within the organization. An SCP can deny actions that would make an S3 bucket public, such as s3:PutBucketAcl or s3:PutBucketPolicy. SCPs apply to all accounts (including future accounts) and cannot be overridden by account administrators, meeting all requirements.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally define and enforce permission guardrails across all accounts in the organization. An SCP that denies the `s3:PutBucketPublicAccessBlock` action and the related public-access actions prevents principals in member accounts from weakening Block Public Access settings or otherwise making an S3 bucket publicly accessible, and because the policy applies to every existing and future account, it cannot be overridden by individual account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume account-level settings (like S3 Block Public Access) can be centrally enforced across an organization without an SCP.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access account-level settings are applied per account and can be overridden by an account administrator with sufficient permissions; they are not centrally enforced across all accounts in an organization. Option B is wrong because AWS Config managed rules are detective controls that only evaluate and report compliance after a resource is created or modified; they do not prevent the action from occurring. Option C is wrong because Amazon Macie is a data security service that discovers and protects sensitive data, but it does not provide preventive controls to block public access to S3 buckets.

133
MCQmedium

A company runs a web application behind an Application Load Balancer (ALB) in a VPC. The application must comply with a security standard that requires encryption in transit for all web traffic. The company needs a service to centrally manage SSL/TLS certificates, automatically renew them, and deploy them to the ALB without manual intervention. Which AWS service should the company use to meet these requirements?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (AWS KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerA

ACM allows you to provision, manage, and deploy public and private SSL/TLS certificates for use with integrated AWS services like Application Load Balancers. ACM handles automatic renewal and reduces administrative overhead.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it provides centralized management of SSL/TLS certificates, supports automatic renewal for certificates issued by ACM, and can seamlessly deploy these certificates to an Application Load Balancer (ALB) without any manual intervention. This directly meets the requirement for encryption in transit and compliance with the security standard.

Exam trap

The trap here is that candidates often confuse AWS KMS (for encryption at rest) or Secrets Manager (for secrets) with ACM, because all three involve 'keys' or 'certificates,' but only ACM handles SSL/TLS certificates for encryption in transit and integrates with ALB for automatic deployment and renewal.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is designed for creating and managing encryption keys used for data at rest, not for SSL/TLS certificates used for encryption in transit. Option C (AWS Secrets Manager) is wrong because it is intended for securely storing and rotating database credentials, API keys, and other secrets, not for managing SSL/TLS certificates or deploying them to an ALB.

134
MCQmedium

A company is undergoing a compliance audit to demonstrate that its AWS environment adheres to industry standards such as PCI DSS and SOC. The auditor requests the company to provide the latest AWS compliance reports to verify the security controls implemented by AWS. The company needs to obtain these reports directly from AWS in a downloadable format. Which AWS service should the company use to meet this requirement?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Artifact
D.AWS Security Hub
AnswerC

AWS Artifact is the correct service for downloading AWS compliance reports. It provides on-demand access to AWS security and compliance documents, including SOC reports, PCI DSS reports, and ISO certifications, which are commonly requested by auditors.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC and PCI DSS reports, in a downloadable format. This allows the company to directly obtain the latest reports from AWS to share with auditors, meeting the compliance audit requirement without needing to configure or manage any other service.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with AWS Artifact (which provides compliance reports), leading them to select a service that manages compliance rules rather than one that delivers the actual audit documentation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading compliance reports. Option B is wrong because AWS Trusted Advisor provides recommendations for optimizing AWS environments based on best practices, but it does not offer downloadable compliance reports like SOC or PCI DSS.

135
Multi-Select · medium

A company wants to ensure that their AWS account root user is protected with the highest level of security. Which two actions should they take? (Choose the answer that covers both.)

Select 2 answers
A. Create IAM user access keys for the root account to enable programmatic access
B. Enable MFA on the root account and delete any existing root access keys
C. Share the root password with the security team for emergency access
D. Use the root account for all day-to-day AWS operations to avoid delegation complexity
Answers: B, C

MFA on root provides strong authentication protection, and deleting root access keys eliminates programmatic root access — together these are the most critical root account security measures.

Why this answer

Option B is correct because enabling multi-factor authentication (MFA) on the AWS root user adds a second layer of security beyond the password, and deleting any existing root access keys eliminates the risk of programmatic access using long-term credentials. The root user has unrestricted access to all AWS resources, so these two actions are the most effective ways to protect it according to AWS best practices.

Exam trap

The trap here is that candidates may think creating IAM access keys for the root user is a valid way to enable programmatic access (Option A), but AWS explicitly prohibits this because root access keys cannot be managed or rotated like IAM user keys and pose an unacceptable security risk.

136
MCQ · medium

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS for MySQL database. Currently, the database administrator (DBA) hardcodes the database password in the application configuration file. A recent security audit recommends removing the password from the code and implementing automated password rotation every 30 days. The company wants a managed AWS service that can store the password securely and rotate it on a schedule without requiring custom code. Which AWS service should the company use?

A. AWS KMS (Key Management Service)
B. AWS Systems Manager Parameter Store
C. AWS Secrets Manager
D. AWS IAM (Identity and Access Management)
Answer: C

Secrets Manager is designed for securely storing secrets such as database credentials, API keys, and other sensitive data. It offers built-in automatic secret rotation with integration to RDS and other services, meeting the requirement without custom code.

Why this answer

AWS Secrets Manager is the correct choice because it is a managed service specifically designed to securely store database credentials and other secrets, with built-in capability to automatically rotate passwords on a defined schedule (e.g., every 30 days) without requiring custom code. It integrates natively with Amazon RDS for MySQL, enabling automated rotation of the master user password via a pre-built Lambda function, which directly addresses the security audit's requirement to remove hardcoded passwords and implement rotation.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store encrypted strings, but Parameter Store lacks native automated rotation, which is the critical requirement in this question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys used to encrypt data at rest or in transit; it does not store secrets like database passwords nor provide any automated rotation capability for credentials. Option B is wrong because AWS Systems Manager Parameter Store can store passwords as SecureString parameters with encryption via KMS, but it lacks native automated rotation functionality—any rotation would require custom code (e.g., a Lambda function) and manual scheduling, which does not meet the requirement for a managed service that rotates on a schedule without custom code.

137
MCQ · medium

A company is required by their compliance framework to encrypt all data at rest and in transit. Which AWS service provides centralized key creation, management, rotation, and audit logging for encryption keys used across AWS services?

A. AWS Secrets Manager
B. AWS CloudHSM
C. AWS Key Management Service (KMS)
D. Amazon Macie
Answer: C

KMS provides centralized cryptographic key management with automatic rotation, HSM-backed key storage, fine-grained IAM access control, and CloudTrail audit logging for all key operations.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a fully managed service that provides centralized control over encryption keys, including creation, rotation, and audit logging via AWS CloudTrail. It integrates seamlessly with other AWS services (e.g., S3, EBS, RDS) to encrypt data at rest and supports TLS/SSL for data in transit, meeting compliance requirements for key lifecycle management.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager's secret rotation capability with encryption key management, but Secrets Manager does not create or manage encryption keys—it relies on KMS for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed to manage secrets (e.g., database credentials, API keys) and can rotate them, but it does not provide native encryption key creation or centralized key management for AWS services; it relies on KMS for encryption. Option B is wrong because AWS CloudHSM offers dedicated hardware security modules (HSMs) for key storage and cryptographic operations, but it requires manual key management, lacks built-in automatic rotation, and does not provide centralized audit logging via CloudTrail without additional configuration. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data (e.g., PII) in S3, but it does not create, manage, or rotate encryption keys.

138
MCQ · easy

A company's compliance team is preparing documentation for a third-party audit. The auditor requires a copy of the AWS SOC 3 report, which provides an overview of AWS's security controls and is intended for public distribution. The team needs to securely download the most recent version of this report directly from AWS. Which AWS service should the team use?

A. AWS Artifact
B. AWS Trusted Advisor
C. AWS Config
D. AWS CloudTrail
Answer: A

Correct. AWS Artifact is a service that provides on-demand downloads of AWS compliance reports, including SOC reports, PCI DSS reports, and ISO certifications, making it the right choice for obtaining the SOC 3 report.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications. The SOC 3 report is specifically designed for public distribution, and AWS Artifact allows users to securely download the most recent version directly from AWS without needing to contact support or navigate third-party sites.

Exam trap

The trap here is that candidates may confuse operational auditing services (CloudTrail, Config) with compliance document delivery (Artifact), or mistakenly think Trusted Advisor provides compliance reports instead of optimization recommendations.

How to eliminate wrong answers

Option B (AWS Trusted Advisor) is wrong because it provides recommendations for optimizing AWS environments based on best practices (cost, performance, security, fault tolerance, service limits), but it does not store or distribute compliance reports like SOC 3. Option C (AWS Config) is wrong because it evaluates and records resource configurations and changes over time for compliance auditing, but it does not provide access to AWS's own third-party audit reports. Option D (AWS CloudTrail) is wrong because it records API activity and user actions within an AWS account for governance and operational auditing, but it does not host or deliver AWS compliance documentation such as SOC reports.

139
MCQ · easy

What does the principle of least privilege mean in the context of AWS IAM?

A. All IAM users should have the same level of access to ensure consistency
B. Grant only the minimum permissions necessary to perform required tasks
C. Use AWS managed policies instead of customer-managed policies
D. Rotate IAM access keys every 90 days
Answer: B

Least privilege limits the blast radius of compromised credentials or misconfigured resources by restricting permissions to only what is needed.

Why this answer

The principle of least privilege in AWS IAM means granting only the permissions that are strictly necessary for a user, role, or service to perform its intended functions. This minimizes the attack surface by ensuring that even if credentials are compromised, the potential damage is limited to only the allowed actions and resources. AWS IAM enforces this through fine-grained policy statements that specify exact actions, resources, and conditions.

Exam trap

The trap here is that candidates confuse security best practices (like key rotation or using managed policies) with the core definition of least privilege, which is solely about minimizing permission scope, not about policy source or credential management.

How to eliminate wrong answers

Option A is wrong because granting all IAM users the same level of access violates the principle of least privilege and increases security risk; users should have different permissions based on their job functions. Option C is wrong because the principle of least privilege does not mandate using AWS managed policies over customer-managed policies; in fact, customer-managed policies often allow more precise permission scoping, while AWS managed policies may grant broader access than needed. Option D is wrong because rotating IAM access keys every 90 days is a security best practice for credential management, but it does not define or implement the principle of least privilege, which is about permission scope, not credential lifecycle.

140
Drag & Drop · medium

Drag and drop the steps to configure an Application Load Balancer (ALB) in the correct order.


Why this order

ALB setup: target group first, then register instances, create ALB, configure listeners, and link target group.

141
MCQ · medium

A company runs a multi-tier web application on Amazon EC2 instances. The security team wants to continuously monitor the configuration of the EC2 security groups to ensure that no security group allows inbound SSH (port 22) access from the entire internet (0.0.0.0/0). If a security group is modified to allow such access, the company must be automatically notified and provided with a detailed record of the change, including the user who made the change. Which combination of AWS services should the company use to meet these requirements?

A. AWS Config with a managed rule to check for unrestricted SSH access, and Amazon Simple Notification Service (Amazon SNS) to send notifications when the rule is non-compliant.
B. AWS CloudTrail to log all API calls, and Amazon CloudWatch Logs to analyze the logs for security group modifications and trigger a notification.
C. AWS Trusted Advisor to check for security groups with unrestricted SSH access on a periodic basis, and Amazon Simple Email Service (Amazon SES) to send email alerts.
D. AWS Systems Manager Inventory to collect configuration data from EC2 instances, and Amazon CloudWatch Events to trigger a Lambda function that checks security group rules.
Answer: A

AWS Config can evaluate security group rules against a managed rule like 'restricted-ssh' (or a custom rule) and trigger an SNS notification when a resource is non-compliant. CloudTrail logs the API calls that made the change, and AWS Config can include the related CloudTrail event in its compliance history.

Why this answer

AWS Config continuously monitors the configuration of AWS resources, including security groups, and can evaluate them against managed rules such as 'restricted-ssh' (which checks that inbound SSH traffic is not allowed from 0.0.0.0/0). When a security group becomes non-compliant, AWS Config can trigger an Amazon SNS notification to alert the security team, and the detailed configuration history (including the user who made the change via CloudTrail integration) is available in the AWS Config timeline. This combination directly meets the requirements for continuous monitoring, automatic notification, and a detailed record of the change.

Exam trap

The trap here is that candidates often confuse AWS Config's continuous compliance monitoring with AWS Trusted Advisor's periodic checks or AWS CloudTrail's logging-only capability, leading them to choose options that lack real-time evaluation or detailed change attribution.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail logs API calls but does not continuously monitor security group configurations or evaluate compliance against rules; analyzing logs in CloudWatch Logs would require custom logic and does not provide built-in compliance evaluation or automatic notifications for specific security group rule changes. Option C is wrong because AWS Trusted Advisor performs periodic checks (not continuous monitoring) and does not provide a detailed record of who made the change; Amazon SES is for sending emails but does not integrate directly with Trusted Advisor for automated notifications on configuration changes. Option D is wrong because AWS Systems Manager Inventory collects configuration data from EC2 instances (e.g., installed software, OS patches), not security group rules; CloudWatch Events can trigger a Lambda function, but this approach requires custom code and does not provide the built-in compliance evaluation and detailed change history that AWS Config offers.

142
MCQ · medium

A company stores sensitive customer data in Amazon S3. The security policy requires that all objects be encrypted at rest using an encryption key that is automatically rotated every 12 months. The company must retain full control over the key, including the ability to immediately revoke access to the key if a security incident occurs. The security team also needs to audit every use of the key through AWS CloudTrail. Which key management solution should the company choose to meet these requirements?

A. Use an AWS KMS customer managed key (CMK) with automatic key rotation enabled.
B. Use an AWS KMS AWS managed key with automatic key rotation.
C. Use Amazon S3 server-side encryption with SSE-S3.
D. Use AWS CloudHSM to generate and manage the key.
Answer: A

Correct. A customer managed CMK provides full control over the key, allows automatic yearly rotation, and integrates with CloudTrail for auditing all key usage.

Why this answer

AWS KMS customer managed keys (CMKs) allow you to enable automatic annual key rotation (every 12 months) and retain full control over the key, including the ability to immediately revoke access by disabling or deleting the key. CloudTrail integration is inherent with KMS, logging every use of the key via the `Decrypt` and `GenerateDataKey` API calls, meeting the audit requirement. This combination satisfies all stated security policy needs: encryption at rest, automatic rotation, full control, immediate revocation, and auditability.

Exam trap

The trap here is that candidates often confuse AWS managed keys (which also rotate automatically) with customer managed keys, overlooking the requirement for full customer control and immediate revocation capability that only customer managed keys provide.

How to eliminate wrong answers

Option B is wrong because AWS managed keys are automatically rotated every 12 months, but the customer does not have full control over the key: they cannot disable, delete, or immediately revoke access to an AWS managed key, because AWS manages the key lifecycle. Option C is wrong because SSE-S3 uses keys that Amazon S3 manages on the customer's behalf; although those keys are rotated automatically, the customer has no control over the key material, cannot revoke access independently, and CloudTrail does not log individual object-level encryption events with a key ID for SSE-S3.

143
MCQ · medium

A company hosts a critical e-commerce web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team is concerned about Layer 7 attacks, such as SQL injection and cross-site scripting (XSS). They also want to automatically block traffic from known malicious IP addresses. The company needs a managed web application firewall that integrates directly with the ALB. Which AWS service should the company use?

A. AWS WAF
B. AWS Shield Advanced
C. Amazon GuardDuty
D. AWS Firewall Manager
Answer: A

AWS WAF is a managed web application firewall that protects against common web exploits like SQL injection and XSS. It integrates with Application Load Balancers to filter and monitor HTTP/S requests.

Why this answer

AWS WAF is a managed web application firewall that protects web applications from common Layer 7 attacks, such as SQL injection and cross-site scripting (XSS), by inspecting HTTP/HTTPS requests. It integrates directly with an Application Load Balancer (ALB) to allow you to create custom rules that block or allow traffic based on request patterns, including automatically blocking traffic from known malicious IP addresses using managed IP reputation lists.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, assuming Shield Advanced provides application-layer filtering, but Shield Advanced focuses on DDoS mitigation at the network and transport layers, not on inspecting request payloads for SQL injection or XSS.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks at Layer 3 and Layer 4, and does not include Layer 7 inspection capabilities like SQL injection or XSS detection, nor does it offer managed IP reputation lists for automatic blocking. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not act as a web application firewall or integrate directly with an ALB to inspect and filter HTTP/HTTPS requests.

144
MCQ · medium

A financial services company uses AWS CloudTrail to log all API calls in its AWS account. The company must demonstrate to auditors that the CloudTrail log files have not been tampered with after they were delivered to the Amazon S3 bucket. The company wants to use a feature that automatically creates digest files containing a hash of each log file, allowing the auditor to mathematically verify the integrity of the logs. Which AWS feature should the company enable to meet this requirement?

A. S3 Object Lock
B. CloudTrail log file integrity validation
C. AWS Config conformance packs
D. Amazon Detective
Answer: B

CloudTrail log file integrity validation is a feature that automatically creates digest files containing the hash of each log file. These digests are signed using private keys from AWS Key Management Service (AWS KMS), enabling an auditor to verify that log files have not been altered or deleted. This feature is specifically designed for compliance scenarios that require cryptographic proof of log integrity.

Why this answer

CloudTrail log file integrity validation is the correct feature because it automatically creates digest files that contain a hash of each log file. These digest files are themselves signed using a private key, and the corresponding public key is published by AWS, enabling auditors to mathematically verify that the log files have not been tampered with after delivery to S3.

Exam trap

The trap here is that candidates may confuse S3 Object Lock's write-once-read-many (WORM) protection with cryptographic integrity validation, but Object Lock only prevents deletion/modification at the S3 layer and does not provide the hash-based digest chain needed for auditor verification.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock prevents objects from being deleted or overwritten for a fixed retention period, but it does not create hash-based digest files or provide a cryptographic mechanism to verify log file integrity after delivery. Option C is wrong because AWS Config conformance packs are used to evaluate compliance of AWS resources against predefined rules, not to generate or verify cryptographic digests of CloudTrail logs. Option D is wrong because Amazon Detective is a security investigation service that analyzes and visualizes security data, but it does not create digest files or provide integrity verification for CloudTrail logs.

145
MCQ · medium

A company wants to identify all resources in their AWS account that are accessible from outside the account — such as S3 buckets with public access or IAM roles with external trust. Which AWS service provides this analysis?

A. Amazon Inspector
B. AWS IAM Access Analyzer
C. Amazon GuardDuty
D. AWS Config
Answer: B

IAM Access Analyzer uses automated reasoning to identify resources accessible from outside the account or organization, generating findings for S3, IAM roles, KMS keys, Lambda, SQS, and more.

Why this answer

AWS IAM Access Analyzer is the correct service because it analyzes resource-based policies (such as S3 bucket policies, IAM role trust policies, and KMS key policies) to identify resources shared with an external entity outside the AWS account. It uses a policy analysis engine that evaluates the principal, action, and condition elements to determine if a policy grants access to an external AWS account, an IAM user in another account, or a public principal (e.g., `"Principal": "*"`). This directly matches the requirement to find resources accessible from outside the account.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's network reachability analysis with policy-based external access analysis, but Inspector only checks for network-level exposure (e.g., open ports), not for resource policies that grant permissions to external principals.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, but it does not analyze resource-based policies for external access. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using DNS logs, VPC Flow Logs, and CloudTrail events, but it does not perform policy-level analysis to identify publicly accessible resources or external trust relationships. Option D is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes over time, but it does not specifically analyze policies to determine if resources are accessible from outside the account; it lacks the policy analysis engine that IAM Access Analyzer provides.

146
MCQ · medium

A healthcare company is subject to HIPAA regulations and must record all AWS API calls made in its account for auditing. The logs must be retained for 7 years and must be protected from any modification or deletion, including by the account root user. Which combination of AWS services should the company use to meet these requirements?

A. AWS CloudTrail with log file validation enabled, and store the log files in an Amazon S3 bucket with S3 Object Lock enabled in compliance mode
B. AWS Config with a HIPAA conformance pack, and store the configuration history in an Amazon S3 bucket with versioning enabled
C. Amazon GuardDuty with findings exported to an Amazon S3 bucket, and enable MFA Delete on the bucket
D. AWS CloudTrail with log file validation enabled, and store the log files in an Amazon S3 bucket with MFA Delete enabled
Answer: A

This option is correct. CloudTrail records API calls, and log file validation provides integrity. S3 Object Lock in compliance mode prevents any user, including the root user, from deleting or modifying the log files for the retention period, satisfying the tamper-proof retention requirement.

Why this answer

Option A is correct because AWS CloudTrail with log file validation enabled ensures the integrity of the API call logs by using a digital signature (SHA-256 hash) to detect any tampering. Storing these logs in an Amazon S3 bucket with S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting the objects for the specified retention period (7 years), meeting HIPAA's immutable audit log requirements.

Exam trap

The trap here is that candidates confuse MFA Delete with S3 Object Lock, not realizing that MFA Delete can be bypassed by the root user who controls the MFA device, whereas compliance mode enforces a legal hold that even the root user cannot override.

How to eliminate wrong answers

Option B is wrong because AWS Config records configuration changes, not AWS API calls, and versioning alone does not prevent deletion or modification by the root user; it only preserves previous versions. Option C is wrong because Amazon GuardDuty detects threats but does not record all API calls, and MFA Delete on the bucket does not prevent deletion by the root user if the root user has access to the MFA device. Option D is wrong because MFA Delete only requires multi-factor authentication for delete operations but does not prevent the root user from deleting objects if they possess the MFA device; it also does not enforce a retention period or immutability against all users.

147
MCQ · medium

A financial services company must comply with PCI DSS requirements that mandate the use of a dedicated hardware security module (HSM) to store encryption keys used to protect cardholder data. The company plans to use server-side encryption in Amazon S3 and needs to ensure that the encryption keys are stored in a dedicated HSM under the company's sole control. Which AWS service should the company use to meet this requirement?

A. AWS KMS with automatic key rotation
B. AWS Certificate Manager (ACM)
C. AWS CloudHSM
D. AWS Secrets Manager
Answer: C

CloudHSM provides a dedicated HSM appliance that runs in the customer's VPC. The customer has exclusive control over the HSM and the keys it contains, meeting the PCI DSS requirement for a dedicated HSM under sole control.

Why this answer

AWS CloudHSM provides dedicated hardware security modules (HSMs) that are under the customer's sole control, meeting PCI DSS requirements for storing encryption keys in a dedicated HSM. It allows you to generate and manage your own encryption keys within a single-tenant, FIPS 140-2 Level 3 validated device, ensuring compliance with the mandate for dedicated hardware.

Exam trap

The trap here is that candidates often confuse AWS KMS with a dedicated HSM solution, but KMS is a shared, multi-tenant service that does not provide the sole control required by PCI DSS for dedicated HSMs.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a multi-tenant, managed service that uses shared hardware security modules; it does not provide a dedicated HSM under the customer's sole control, and automatic key rotation does not address the dedicated hardware requirement. Option B is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy public and private SSL/TLS certificates, not for storing encryption keys in a dedicated HSM. Option D is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (e.g., database credentials, API keys), not for dedicated HSM-based key storage, and it does not provide a dedicated HSM under the customer's sole control.

148
MCQ · medium

Which AWS service provides a centrally managed firewall policy that can be applied to multiple AWS accounts and VPCs across an organization?

A. AWS WAF
B. Amazon GuardDuty
C. AWS Firewall Manager
D. AWS Security Hub
Answer: C

Firewall Manager provides centralized management of WAF rules, Shield Advanced protections, security groups, and Network Firewall policies across all accounts in an AWS Organization.

Why this answer

AWS Firewall Manager is the correct service because it provides a centralized firewall policy management across multiple accounts and VPCs within an AWS Organization. It allows you to deploy AWS WAF rules, AWS Shield Advanced protections, and VPC security group rules consistently across your entire organization, ensuring a uniform security posture without manual per-account configuration.

Exam trap

The trap here is that candidates confuse AWS WAF (a per-resource firewall) with Firewall Manager (a multi-account policy management service), because both involve firewall rules, but Firewall Manager is specifically designed for centralized governance across an organization.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects individual resources like CloudFront, ALB, or API Gateway from common web exploits, but it does not centrally manage policies across multiple accounts or VPCs. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, not a firewall policy management service. Option D is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services into a single dashboard, but it does not deploy or manage firewall policies across accounts and VPCs.

149
MCQ · medium

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

A. AWS CloudTrail
B. Amazon GuardDuty
C. AWS Config
D. AWS Security Hub
Answer: C

AWS Config continuously monitors and records AWS resource configurations and allows you to evaluate them against desired configurations using managed or custom rules. It can detect security groups with unrestricted SSH access and trigger notifications or automatic remediation.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. With a managed rule like `restricted-ssh`, AWS Config can automatically detect security groups that allow unrestricted SSH access (0.0.0.0/0) and trigger alerts or remediation actions. This meets the compliance team's requirement for ongoing, rule-based evaluation of security group configurations.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), or they mistakenly think Amazon GuardDuty can check static security group rules when it is designed for dynamic threat detection.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., who created a security group rule) but does not continuously evaluate the configuration state of resources against a policy; it is an audit trail, not a configuration compliance checker. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes network traffic and logs for malicious activity (e.g., brute force attempts), not a tool for evaluating static security group rules against a compliance policy.

150
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a policy that restricts SSH access (port 22) from the internet (0.0.0.0/0) in all VPCs across all accounts. The team wants to centrally define the allowed rules and automatically apply them to newly created VPCs and security groups, while also automatically remediating any existing non-compliant security groups. Which AWS service should the team use?

A.AWS Config
B.AWS Firewall Manager
C.Amazon GuardDuty
D.AWS Identity and Access Management (IAM)
AnswerB

AWS Firewall Manager is designed to centrally configure and manage firewall rules across accounts and resources in AWS Organizations. It can enforce a common security group policy, automatically apply it to new VPCs and security groups, and remediate existing non-compliant resources, meeting all the stated requirements.

Why this answer

AWS Firewall Manager is the correct service because it provides centralized management of firewall rules across all accounts in AWS Organizations. Security groups have no explicit deny rules, so the policy works by auditing rule contents: a Firewall Manager security group policy can flag any inbound rule that allows port 22 from 0.0.0.0/0, automatically apply this policy to new VPCs and security groups as they are created, and remediate non-compliant existing security groups by removing or replacing violating rules. This meets the requirement for both proactive enforcement and automated remediation at scale.

Exam trap

The trap here is that candidates often confuse AWS Config's detection capabilities with enforcement, assuming it can automatically fix non-compliant resources without additional automation, while Firewall Manager is the native service for centralized, automated security group policy enforcement across an organization.

How to eliminate wrong answers

Option A is wrong because AWS Config is a compliance monitoring and evaluation service: it detects non-compliant security groups, and it can remediate them through a Systems Manager Automation document attached to the rule, but that is a detect-then-fix loop configured per rule and per account, not a centrally defined firewall policy that is applied to newly created VPCs and security groups across the organization. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes network traffic and logs for malicious activity; it does not enforce security group rules or manage firewall policies. Option D is wrong because IAM controls which principals may call actions such as `ec2:AuthorizeSecurityGroupIngress`; it does not inspect the contents of security group rules or remediate existing groups that already allow port 22 from 0.0.0.0/0.
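The two questions above describe the same check from two sides: the `restricted-ssh` managed rule detecting a security group that exposes port 22 to the internet, and a remediation that removes the violating rule. The script below is an added example written for this page, not code from AWS Config or Firewall Manager. It implements the evaluation the managed rule's documentation describes (port 22 reachable from 0.0.0.0/0 or ::/0) over the `SecurityGroups` structure returned by `ec2:DescribeSecurityGroups`, and for each finding builds the parameters a `RevokeSecurityGroupIngress` call would need to remove only the world-open source. The sample groups are constructed inline so it runs offline; the function and field names other than the EC2 API keys are this example's own.

```python
"""Evaluate EC2 security groups for unrestricted SSH and plan remediation.

Added example for this page, not AWS's own code. The check mirrors what AWS
Config's `restricted-ssh` managed rule reports (TCP/22 reachable from 0.0.0.0/0
or ::/0). Input is the `SecurityGroups` list shape from DescribeSecurityGroups.
"""
from __future__ import annotations

from dataclasses import dataclass

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: int | None
    to_port: int | None
    cidr: str


def _covers_ssh(rule: dict) -> bool:
    """True if an IpPermissions entry reaches TCP/22.

    Protocol "-1" means all traffic and carries no port fields. A TCP range is
    flagged when 22 lies inside it: a 20-25 rule is just as exposed as 22-22.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 65535)


def _world_cidrs(rule: dict) -> list[str]:
    """Sources in the rule that mean 'anyone on the internet', v4 and v6."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4 + v6


def evaluate(security_groups: list[dict]) -> list[Finding]:
    """One Finding per (group, rule, world-open CIDR) that exposes SSH."""
    findings: list[Finding] = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _covers_ssh(rule):
                continue
            for cidr in _world_cidrs(rule):
                findings.append(Finding(sg["GroupId"], rule["IpProtocol"],
                                        rule.get("FromPort"), rule.get("ToPort"), cidr))
    return findings


def compliance(security_groups: list[dict]) -> dict[str, str]:
    """Per-group verdict using the vocabulary Config evaluations use."""
    bad = {f.group_id for f in evaluate(security_groups)}
    return {sg["GroupId"]: ("NON_COMPLIANT" if sg["GroupId"] in bad else "COMPLIANT")
            for sg in security_groups}


def revoke_params(finding: Finding) -> dict:
    """Parameters for ec2:RevokeSecurityGroupIngress that remove exactly the
    offending CIDR; other sources on the same rule (e.g. 10.0.0.0/8) are kept."""
    perm: dict = {"IpProtocol": finding.protocol}
    if finding.protocol != "-1":
        perm["FromPort"] = finding.from_port
        perm["ToPort"] = finding.to_port
    if ":" in finding.cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding.cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding.cidr}]
    return {"GroupId": finding.group_id, "IpPermissions": [perm]}


# Constructed sample in the DescribeSecurityGroups shape; not real groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # 22 open to the world and to 10/8
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # range 20-25 spans 22, IPv6 any
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [  # 22 restricted, 443 public: compliant
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, verdict in compliance(SAMPLE_GROUPS).items():
        print(group_id, verdict)
    for finding in evaluate(SAMPLE_GROUPS):
        print(revoke_params(finding))
```

Running it marks sg-0aaa, sg-0bbb and sg-0ccc NON_COMPLIANT and sg-0ddd COMPLIANT. Two edge cases matter in practice: a port range that merely contains 22 is flagged, not only a literal 22-22 rule, and a rule that lists 0.0.0.0/0 beside a private range loses only the world-open source, so remediation does not strip legitimate internal access.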
