CCNA Security Questions

75 of 230 questions · Page 3/4 · Security topic · Answers revealed

151 · MCQ · medium

A company is expanding its AWS environment from a single account to multiple accounts using AWS Organizations. The security team wants to enforce a baseline set of permissions across all accounts, ensuring that users in any account cannot disable AWS CloudTrail or modify Amazon S3 bucket policies that prevent public access. Which feature of AWS Organizations should the security team use to achieve this control?

A. Consolidated Billing
B. Service Control Policies (SCPs)
C. AWS Config rules
D. IAM roles
Answer: B

SCPs allow you to define and enforce maximum permissions for all accounts in your AWS Organization. They act as a guardrail, ensuring that even if an account has permissive IAM policies, the effective permissions are limited by the SCP. This enables central enforcement of security baselines such as preventing the disabling of CloudTrail or modification of S3 bucket policies that block public access.

Why this answer

Service Control Policies (SCPs) are the correct choice because they allow you to centrally define and enforce baseline permissions across all accounts in an AWS Organization. SCPs act as a guardrail, restricting what actions users and roles in member accounts can perform, even if they have full administrative privileges within their own account. By creating an SCP that explicitly denies the `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, and `s3:PutBucketPolicy` actions (or similar), the security team can prevent disabling CloudTrail and modifying S3 bucket policies that block public access across the entire organization.

Exam trap

The trap here is that candidates often confuse AWS Config rules (detective) with SCPs (preventive), thinking that Config rules can block actions when they only alert on non-compliance after the fact.

How to eliminate wrong answers

Option A is wrong because Consolidated Billing is a feature that aggregates usage costs across accounts for a single invoice and volume discounts; it does not enforce any permissions or security controls. Option C is wrong because AWS Config rules are used for evaluating resource configurations against desired policies (e.g., detecting non-compliant S3 bucket policies) but they cannot prevent actions from being taken—they only provide detective, not preventive, controls.

152 · MCQ · medium

A security engineer needs to apply network traffic filtering rules at the subnet level rather than the instance level. The solution must be stateless and must explicitly define both inbound and outbound rules, including allowing return traffic. Which AWS feature provides subnet-level stateless traffic control?

A. Security groups
B. Network Access Control Lists (NACLs)
C. AWS WAF
D. VPC route tables
Answer: B

NACLs are applied at the subnet level and are stateless — each packet is evaluated against the rules independently. Both inbound and outbound rules must explicitly allow traffic, including return traffic for connections initiated from inside the subnet.

Why this answer

Network Access Control Lists (NACLs) are the correct choice because they operate at the subnet level, are stateless (meaning they do not automatically allow return traffic), and require explicit inbound and outbound rules. This matches the requirement for stateless traffic filtering where both directions must be defined separately, including rules for return traffic.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with NACLs (stateless, subnet-level), forgetting that the stateless requirement explicitly demands separate inbound and outbound rules for return traffic.

How to eliminate wrong answers

Option A is wrong because security groups are stateful and operate at the instance level, not the subnet level; they automatically allow return traffic, which violates the stateless requirement. Option C is wrong because AWS WAF is a web application firewall that protects against web exploits at the application layer (HTTP/HTTPS), not a subnet-level network traffic filter. Option D is wrong because VPC route tables control the path of network traffic (routing) between subnets and gateways, not traffic filtering or access control.
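Added illustration for question 152 (not part of the question bank): a minimal Python model of how a network ACL evaluates packets. It shows why a stateless rule set needs an explicit outbound rule for return traffic, and how rule numbers decide precedence. The rule numbers, CIDRs, addresses and sample packets are constructed for the example.

```python
"""
Constructed model of NACL evaluation (added example, not AWS code):
rules are checked in ascending number order, the first match wins, and
an unmatched packet hits the implicit final '*' rule, which denies.
Each packet is judged on its own; nothing remembers earlier packets.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order; lowest number is checked first
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range, inclusive
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate(rules, packet, direction):
    """Return 'allow' or 'deny' for one packet in one direction."""
    addr = ipaddress.ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return rule.action          # first matching rule decides
    return "deny"                   # implicit '*' rule


# Constructed rule sets for a subnet hosting an HTTPS server.
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]

# A lower-numbered deny is evaluated before the allow and wins for that range.
INBOUND_WITH_BLOCK = [Rule(50, "tcp", "198.51.100.0/24", 443, 443, "deny")] + INBOUND

# Forgetting return traffic: nothing outbound, so replies hit the implicit deny.
OUTBOUND_INCOMPLETE = []

# Corrected: the reply goes back to the client's ephemeral port, so that range
# must be allowed outbound explicitly (the NACL keeps no connection state).
OUTBOUND_COMPLETE = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


def https_exchange(outbound_rules, client="203.0.113.10", server="10.0.1.25", client_port=51234):
    """Decisions for the request packet and its reply in one HTTPS connection."""
    request = Packet("tcp", client, server, 443)
    reply = Packet("tcp", server, client, client_port)
    return (evaluate(INBOUND, request, "inbound"),
            evaluate(outbound_rules, reply, "outbound"))


if __name__ == "__main__":
    print("outbound rules missing :", https_exchange(OUTBOUND_INCOMPLETE))
    print("outbound rules complete:", https_exchange(OUTBOUND_COMPLETE))
```

With the incomplete outbound rule set the inbound request is allowed but the server's reply is dropped, which is exactly the failure mode a security group would mask by tracking state. The ephemeral range used here (1024 to 65535) is the broad range AWS documentation suggests for return traffic; narrow it if the client operating systems are known.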

153 · MCQ · medium

A company manages 20 AWS accounts and wants employees to log in once with their corporate Active Directory credentials and then access any of their authorised AWS accounts without re-entering credentials for each account. Which AWS service provides this centralised single sign-on capability?

A. AWS Directory Service
B. Amazon Cognito
C. AWS IAM Identity Center
D. AWS Control Tower
Answer: C

IAM Identity Center provides a single sign-on portal where employees authenticate once with corporate credentials and then access any of their authorised AWS accounts. It integrates with Active Directory and other SAML 2.0 identity providers.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides centralized single sign-on (SSO) across multiple AWS accounts and business applications. It integrates with an external identity provider (IdP) such as Active Directory via SAML 2.0 or SCIM, allowing users to authenticate once with their corporate credentials and then access any authorized AWS account without re-entering credentials.

Exam trap

The trap here is that candidates often confuse AWS Directory Service (which provides the directory itself) with the SSO service that uses that directory for cross-account access, leading them to pick Option A instead of the correct IAM Identity Center.

How to eliminate wrong answers

Option A is wrong because AWS Directory Service provides managed Microsoft Active Directory in the cloud, but it does not natively offer SSO across multiple AWS accounts; it requires additional configuration with IAM Identity Center or a federation proxy. Option B is wrong because Amazon Cognito is designed for customer-facing identity and access management for web and mobile apps, not for workforce SSO across AWS accounts. Option D is wrong because AWS Control Tower is a governance and orchestration service for setting up and managing a multi-account AWS environment, but it does not provide SSO capabilities; it relies on IAM Identity Center for identity federation.

154 · MCQ · medium

A company needs to ensure that all data transmitted between their on-premises servers and AWS is encrypted during transfer. Which AWS services provide encryption in transit? (Choose the most complete answer.)

A. AWS Direct Connect with dedicated link guarantees
B. AWS Site-to-Site VPN using IPsec encryption
C. Amazon S3 SSE-S3 encryption
D. AWS KMS key rotation
Answer: B

Site-to-Site VPN uses IPsec to encrypt all traffic between on-premises and AWS, ensuring encryption in transit over the public internet.

Why this answer

AWS Site-to-Site VPN is the correct choice because it creates an encrypted tunnel between on-premises servers and AWS using the IPsec (Internet Protocol Security) protocol suite. IPsec provides confidentiality, integrity, and authentication for all data packets traversing the public internet, ensuring encryption in transit as required by the question.

Exam trap

The trap here is that candidates confuse encryption in transit with encryption at rest, often selecting S3 SSE-S3 or KMS key rotation because they associate 'encryption' broadly with AWS security, without distinguishing the data state.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect provides a dedicated private network connection but does not inherently encrypt data in transit; encryption must be added separately (e.g., via IPsec over the Direct Connect link). Option C is wrong because Amazon S3 SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest, not during transfer; it protects data stored in S3, not data in transit between on-premises and AWS. Option D is wrong because AWS KMS key rotation manages the lifecycle of encryption keys but does not directly encrypt data in transit; it is a key management feature, not a transport encryption mechanism.

155 · MCQ · medium

A company stores sensitive audit reports in an Amazon S3 bucket. An external auditor needs to download a specific report for a compliance review. The auditor does not have an AWS account and will only need access for 48 hours. The company wants to provide a secure, time-limited link that allows the auditor to download the file directly from S3 without making the bucket public or requiring the auditor to authenticate with AWS. Which AWS feature should the company use to meet these requirements?

A. S3 bucket policy with a condition that restricts access by IP address
B. IAM role with cross-account access for the auditor's AWS account
C. S3 presigned URL generated with a 48-hour expiration
D. CloudFront signed URL using a trusted key group
Answer: C

An S3 presigned URL is the correct solution. It allows the company to generate a URL that provides temporary access to a specific S3 object. The URL includes a signature that expires after the specified time (48 hours). The auditor can simply use the URL to download the file without needing AWS credentials or any other authentication, and the bucket remains private.

Why this answer

An S3 presigned URL allows the company to grant temporary, time-limited access to a specific object in a private S3 bucket without requiring the auditor to have AWS credentials. By generating the URL with a 48-hour expiration, the company meets the exact requirement for secure, time-bound access. The auditor can download the file directly via HTTPS using the presigned URL, which embeds the necessary authentication information.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing CloudFront signed URLs (Option D) because they associate signed URLs with security, but the question explicitly requires a direct S3 download without additional services, making the simpler S3 presigned URL the correct choice.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy with an IP address condition would require the auditor to have a static, known IP address, which is not specified and does not provide time-limited access; it also makes the bucket publicly accessible to that IP range. Option B is wrong because cross-account IAM role access requires the auditor to have an AWS account and the ability to assume the role, which contradicts the requirement that the auditor does not have an AWS account. Option D is wrong because a CloudFront signed URL requires setting up CloudFront as a CDN in front of the S3 bucket and managing a trusted key group, which adds unnecessary complexity and cost; the simpler S3 presigned URL directly meets the need without additional infrastructure.
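Added example for question 155 (not part of the question bank, and not AWS SDK code): what a presigned URL actually contains and why it stops working after 48 hours. The block reproduces the SigV4 query-string signing that the SDKs perform locally, so it runs without any network call. The bucket name, object key, region and credentials are constructed placeholders.

```python
"""
SigV4 presigned GET URL for S3, reconstructed as an added example.
Everything the URL grants (object, access key, issue time, lifetime) is part
of the signed string, so none of it can be altered without invalidating the
signature. Credentials below are fake placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

MAX_PRESIGN_SECONDS = 7 * 24 * 3600   # SigV4 presigned URLs cannot outlive 7 days


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 derivation chain: secret -> date -> region -> service -> terminator.
    k_date = _hmac_sha256(("AWS4" + secret).encode(), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    return _hmac_sha256(k_service, "aws4_request")


def presign_get(bucket, key, region, access_key_id, secret, issued_at, expires_seconds):
    """Build a presigned GET URL valid for expires_seconds from issued_at (UTC datetime)."""
    if not 1 <= expires_seconds <= MAX_PRESIGN_SECONDS:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = issued_at.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    path = "/" + quote(key, safe="/")
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # Canonical request: method, URI, query, canonical headers, signed headers, payload hash.
    canonical_request = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret, amz_date[:8], region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def presigned_url_is_valid(url: str, now: dt.datetime) -> bool:
    """The time check S3 applies on each request: the URL is rejected once
    X-Amz-Date + X-Amz-Expires has passed. Both values are inside the signed
    query string, so editing them in the URL only breaks the signature."""
    q = parse_qs(urlparse(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return now < issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


if __name__ == "__main__":
    # Constructed values: placeholder bucket, key and credentials, 48-hour lifetime.
    issued = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
    url = presign_get("audit-reports-example", "2023/q4-report.pdf", "us-east-1",
                      "AKIAEXAMPLEEXAMPLE00", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                      issued, 48 * 3600)
    print(url)
    print("valid after 47h:", presigned_url_is_valid(url, issued + dt.timedelta(hours=47)))
    print("valid after 49h:", presigned_url_is_valid(url, issued + dt.timedelta(hours=49)))
```

Two points worth keeping in mind when handing such a link to an auditor: the URL is a bearer credential, so whoever holds it can download the object until the window closes, and if it is signed with temporary credentials (an assumed role) it also stops working when those credentials expire, even if that is earlier than the 48 hours requested.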

156 · MCQ · medium

A company runs a web application on an Application Load Balancer (ALB) in the us-east-1 Region. The application serves HTTPS traffic. The company uses a third-party certificate authority to issue SSL/TLS certificates, but these certificates expire every year and require manual renewal. The company wants to use a managed AWS service to automatically provision, renew, and manage the SSL/TLS certificates for the ALB at no additional cost (no extra charge beyond the ALB usage). Which AWS service should the company use?

A. AWS Key Management Service (AWS KMS)
B. AWS WAF
C. AWS Certificate Manager (ACM)
D. AWS Secrets Manager
Answer: C

ACM is the correct service. It provisions, manages, and automatically renews SSL/TLS certificates. ACM integrates directly with ALB at no additional cost, simplifying HTTPS configuration.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it can provision, manage, and automatically renew public SSL/TLS certificates for use with an Application Load Balancer at no additional cost. ACM integrates directly with ALB to handle certificate deployment and renewal, eliminating the need for manual renewal of third-party certificates. The service is free for public certificates used with supported AWS services like ALB, CloudFront, and API Gateway.

Exam trap

The trap here is that candidates may confuse AWS KMS as a certificate management service because it deals with encryption, but KMS manages symmetric and asymmetric keys for data encryption, not SSL/TLS certificates for HTTPS termination.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (AWS KMS) is a managed service for creating and controlling encryption keys used to encrypt data, not for managing SSL/TLS certificates or their renewal. Option B is wrong because AWS WAF is a web application firewall that protects web applications from common exploits, but it does not provision, renew, or manage SSL/TLS certificates.

157 · MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants a preventive control to ensure that nobody in any account, including account root users, can disable AWS CloudTrail or delete Amazon S3 bucket policies. Which AWS feature should the security team use?

A. IAM roles with multi-factor authentication (MFA)
B. AWS Config rules with automatic remediation
C. Service control policies (SCPs)
D. AWS Shield Advanced
Answer: C

SCPs are a feature of AWS Organizations that allow central administrators to set permission guardrails for all accounts in the organization. SCPs can explicitly deny actions like cloudtrail:StopLogging or s3:DeleteBucketPolicy, even for the root user of member accounts. This provides a preventive control that cannot be overridden by account administrators.

Why this answer

Service control policies (SCPs) are the correct choice because they provide centralized preventive controls over the maximum available permissions for all IAM users, roles, and root users in member accounts within AWS Organizations. SCPs can explicitly deny actions such as cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:PutBucketPolicy, ensuring that even root users cannot disable CloudTrail or delete S3 bucket policies. This makes SCPs the only AWS feature that can enforce such restrictions across all accounts in an organization.

Exam trap

The trap here is that candidates often confuse detective/corrective controls (like AWS Config rules) with preventive controls (like SCPs), or they mistakenly think IAM MFA can block API actions, when in reality MFA only adds an authentication requirement and does not restrict specific service operations.

How to eliminate wrong answers

Option A is wrong because IAM roles with multi-factor authentication (MFA) are an authentication mechanism that adds a second factor to user sign-ins, but they do not provide any preventive control to block specific API actions like disabling CloudTrail or deleting S3 bucket policies; they only require MFA for role assumption. Option B is wrong because AWS Config rules with automatic remediation are detective and corrective controls—they detect noncompliant resource changes after they occur and can trigger remediation actions, but they cannot prevent the action from happening in the first place, so they are not a preventive control.

158 · MCQ · easy

Which AWS service provides automated security assessments of EC2 instances against a library of security best practices and common vulnerabilities?

A. AWS Trusted Advisor
B. Amazon Inspector
C. AWS Security Hub
D. AWS Config
Answer: B

Inspector continuously scans EC2 instances and container images for software vulnerabilities using CVE databases and checks for network exposure issues.

Why this answer

Amazon Inspector is the correct AWS service because it is specifically designed to perform automated security assessments of EC2 instances. It uses a library of rules mapped to common security best practices (e.g., CIS benchmarks) and common vulnerabilities (e.g., CVEs) to scan the instance's OS and network configuration, generating a detailed findings report.

Exam trap

The trap here is that candidates confuse AWS Security Hub (which aggregates findings) with the service that actually performs the vulnerability scan, leading them to pick Security Hub instead of Amazon Inspector.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides general best-practice checks across your AWS account (e.g., cost optimization, performance, fault tolerance), but it does not perform deep, agent-based vulnerability scanning of EC2 instances. Option C is wrong because AWS Security Hub aggregates and prioritizes security alerts from multiple AWS services (like Amazon Inspector, GuardDuty, etc.) and provides a centralized view, but it does not itself perform automated vulnerability assessments on EC2 instances. Option D is wrong because AWS Config evaluates resource configurations against desired policies (e.g., compliance rules) and tracks configuration changes, but it does not scan for software vulnerabilities or security best practices at the OS/application level.

159 · MCQ · medium

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce a policy that prevents any user, including the root user, in any member account from disabling the 'Block Public Access' setting on Amazon S3 buckets. The policy must be centrally managed and automatically applied to all existing and future member accounts. Which AWS feature should the security team use?

A. AWS Identity and Access Management (IAM) policy
B. AWS Service Control Policy (SCP)
C. AWS Config rule with automatic remediation
D. AWS Trusted Advisor
Answer: B

SCPs are a feature of AWS Organizations that allow you to centrally manage permissions for all accounts in the organization. They can deny specific actions (like disabling S3 Block Public Access) for all users, including the root user, in every member account. SCPs are automatically applied to all existing and future accounts in the organizational unit to which they are attached, meeting all the requirements.

Why this answer

AWS Service Control Policies (SCPs) are the correct choice because they allow central management of permissions across all accounts in an AWS Organization. SCPs can explicitly deny actions like s3:PutBucketPublicAccessBlock at the root, OU, or account level, and they apply to all principals, including the root user, in member accounts. SCPs are automatically inherited by new accounts added to the organization, ensuring consistent enforcement without per-account configuration.

Exam trap

The trap here is that candidates often confuse AWS Config with a preventive control, but Config is detective and reactive, not preventive, and cannot block the root user or centrally enforce policies across accounts like an SCP can.

How to eliminate wrong answers

Option A is wrong because IAM policies are account-specific and cannot be centrally applied across multiple accounts; they also cannot restrict the root user. Option C is wrong because AWS Config rules can detect noncompliant resources and trigger remediation, but they do not prevent the action from being taken in the first place and can be bypassed by users with sufficient permissions; they also do not apply to the root user. Option D is wrong because AWS Trusted Advisor is an advisory tool that provides recommendations and best practice checks, not an enforcement mechanism to block API calls.

160 · MCQ · medium

A company manages multiple AWS accounts under AWS Organizations. The security team wants to enforce a policy that prohibits launching Amazon EC2 instances of instance families g (GPU) and p (GPU) across all accounts to control costs. The team needs a centralized method to block these instance types at the organization level, and the policy must be applied proactively before any instance is launched. Which AWS solution should the team use?

A. Create an AWS IAM policy with a Deny effect for ec2:RunInstances where the instance type starts with 'g' or 'p' and attach it to a specific IAM role in each account.
B. Use an AWS Config managed rule to detect GPU instance launches and trigger an auto-remediation action that terminates the instances.
C. Apply an AWS Organizations Service Control Policy (SCP) that denies ec2:RunInstances when the requested instance type belongs to the g or p families.
D. Use AWS Trusted Advisor cost optimization checks to identify GPU instances and then manually disable them in each account.
Answer: C

SCPs are permission guardrails that can be applied at the organization, organizational unit, or account level. They proactively deny API actions before the resource is created, making them ideal for enforcing restrictions like prohibited instance types across multiple accounts. This is the correct centralized and preventive solution.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) are the only centralized mechanism that can proactively deny API actions across all accounts in the organization before the action occurs. By creating an SCP with a Deny effect on ec2:RunInstances where the instance type matches 'g*' or 'p*', the security team enforces the restriction at the root, OU, or account level, preventing any user or role from launching GPU instances regardless of their IAM permissions.

Exam trap

The trap here is confusing reactive services like AWS Config with preventive controls; candidates often pick Option B because it 'detects and fixes' the issue, but the question explicitly requires a proactive block before launch, which only SCPs or IAM permission boundaries can achieve at the organization level.

How to eliminate wrong answers

Option A is wrong because IAM policies attached to a role in each account are not centralized—they must be manually deployed per account and can be overridden by other IAM policies that allow the action, plus they do not block actions by the root user or users with full admin access. Option B is wrong because AWS Config is a detective service that reacts after the instance is launched, not a preventive control; auto-remediation via Lambda or Systems Manager can terminate instances, but the instance will have already run and incurred costs, violating the proactive requirement.
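Added example covering the SCP guardrails in questions 151, 157, 159 and 160 (not part of the question bank): one SCP document, in the JSON shape AWS Organizations accepts, that denies the CloudTrail, bucket-policy, Block Public Access and GPU-instance actions those questions name, plus a small simplified evaluator that shows the property the questions rely on, namely that an SCP Deny overrides any IAM Allow the caller holds. The evaluator is an illustration written for this page; only the `StringLike` condition operator is modelled and the account ID and ARNs are constructed.

```python
"""
Guardrail SCP plus a simplified policy evaluator (added example, not AWS code).
The SCP is a real-shaped document; the evaluator models only what the
questions discuss: Deny statements, action/resource wildcards and StringLike.
"""
import fnmatch
import json

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Questions 151 and 157: nobody, including root, may stop or delete trails.
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
        {   # Questions 151, 157 and 159: bucket policies and Block Public Access stay put.
            # s3:PutAccountPublicAccessBlock covers the account-level setting as well.
            "Sid": "ProtectBucketPolicyAndPublicAccessBlock",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                       "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
            "Resource": "*",
        },
        {   # Question 160: refuse RunInstances for the g and p instance families.
            "Sid": "DenyGpuInstanceFamilies",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"ec2:InstanceType": ["g*", "p*"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM-style wildcard: '*' any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Simplified: only StringLike is modelled; an absent key never matches."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise ValueError(f"operator {operator} not modelled in this example")
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None or not any(_matches(p, actual) for p in _as_list(patterns)):
                return False
    return True


def scp_denies(scp, action, resource, context=None):
    """Return the Sid of the first Deny statement matching the request, else None."""
    context = context or {}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return stmt["Sid"]
    return None


def effective_decision(scp, iam_allows, action, resource, context=None):
    """Simplified member-account evaluation: an SCP Deny wins regardless of IAM;
    otherwise the request still needs an IAM Allow, because SCPs grant nothing."""
    if scp_denies(scp, action, resource, context):
        return "deny (SCP)"
    return "allow" if iam_allows else "deny (no IAM allow)"


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"   # constructed ARN
    print("admin stops trail:", effective_decision(GUARDRAIL_SCP, True, "cloudtrail:StopLogging", trail))
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/*"
    for itype in ("p3.2xlarge", "m5.large"):
        print(itype, effective_decision(GUARDRAIL_SCP, True, "ec2:RunInstances", inst,
                                        {"ec2:InstanceType": itype}))
```

The instance-family statement is scoped to the instance resource because `ec2:InstanceType` is only present when that resource is evaluated; the volume and network-interface resources of the same RunInstances call carry no such key, so the Deny simply does not apply to them and the launch is blocked only when the instance type matches. SCPs do not affect the organization's management account, which is one reason to keep workloads out of it.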

161 · MCQ · medium

A company stores sensitive documents in Amazon S3. The security team wants a preventive control that ensures no S3 bucket in the AWS account can ever be configured with a bucket policy that grants public read or write access. This control must apply automatically to all newly created buckets and to existing buckets, without requiring changes to individual bucket policies. Which AWS feature should the security team use?

A. AWS Config with the s3-bucket-public-read-prohibited managed rule
B. Amazon S3 Block Public Access at the account level
C. AWS Identity and Access Management (IAM) policy with a condition that denies s3:PutBucketPolicy for any action that grants public access
D. Amazon GuardDuty with a finding suppression rule for S3 public access events
Answer: B

Amazon S3 Block Public Access provides centralized controls that can be applied at the account level. When enabled, these settings override any bucket-level policies that grant public access, preventing both new and existing buckets from ever being made publicly accessible. This is the preventive control described in the scenario.

Why this answer

Amazon S3 Block Public Access at the account level is a preventive control that, when enabled, overrides any bucket policies or ACLs that would grant public read or write access. It applies automatically to all existing and newly created buckets in the account without requiring changes to individual bucket policies. This meets the security team's requirement for a blanket, account-wide preventive control.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like S3 Block Public Access), or they assume an IAM policy can universally block public access without considering that it must be attached to every principal and does not cover ACL-based public access.

How to eliminate wrong answers

Option A is wrong because AWS Config with the s3-bucket-public-read-prohibited managed rule is a detective control, not a preventive control; it can detect and alert on noncompliant buckets but does not block the creation or modification of public access. Option C is wrong because an IAM policy with a condition that denies s3:PutBucketPolicy for any action that grants public access can be bypassed if the bucket policy is set by a user with full administrative privileges or if public access is granted via ACLs instead of bucket policies, and it does not automatically apply to all principals without explicit attachment.

162 · MCQ · medium

A healthcare company stores patient records in Amazon S3 buckets across multiple accounts and needs to automatically discover and classify any objects containing personally identifiable information (PII) or protected health information (PHI). Which AWS service provides this capability?

A. Amazon GuardDuty
B. AWS CloudTrail
C. Amazon Inspector
D. Amazon Macie
Answer: D

Macie uses machine learning to automatically discover and classify sensitive data including PII and PHI in Amazon S3. It generates findings when it detects sensitive data, allowing the security team to take action.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data stored in Amazon S3. It is specifically designed to identify personally identifiable information (PII) and protected health information (PHI) by analyzing object metadata and content, making it the correct choice for this healthcare compliance use case.

Exam trap

The trap here is that candidates often confuse Amazon Macie with Amazon GuardDuty, assuming both detect threats, but GuardDuty focuses on security threats and anomalies, not on data classification or sensitive content discovery in S3 objects.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, not for data classification or sensitive content discovery in S3 objects. Option B is wrong because AWS CloudTrail records API activity and governance events for auditing, but it does not inspect or classify the contents of S3 objects for PII or PHI. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and network exposure, not for data classification in S3 buckets.

163 · MCQ · easy

A company runs a web application on Amazon EC2 instances. Under the AWS Shared Responsibility Model, who is responsible for patching the operating system on the EC2 instances?

A. AWS, because they own and operate all EC2 infrastructure
B. The customer, because OS patching is in the customer's area of responsibility for IaaS services
C. Both AWS and the customer equally share this responsibility
D. A third-party managed service provider designated by AWS
Answer: B

For EC2 (IaaS), the customer is responsible for the guest OS including patching, security configuration, and updates. AWS manages the hypervisor and physical infrastructure below the OS.

Why this answer

Under the AWS Shared Responsibility Model, for Infrastructure as a Service (IaaS) like EC2, the customer is responsible for managing the guest operating system, including patching and security updates. AWS is responsible for the physical infrastructure and the hypervisor layer, but not for the OS running inside the EC2 instance. Therefore, option B is correct.

Exam trap

The trap here is that candidates often assume AWS handles all patching for EC2 because it is a managed service, but the Shared Responsibility Model clearly assigns guest OS patching to the customer for IaaS services like EC2.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for the physical infrastructure and hypervisor, but not for patching the guest OS on EC2 instances; that is the customer's responsibility under IaaS. Option C is wrong because the responsibility is not shared equally; AWS handles the host OS and hypervisor, while the customer handles the guest OS. Option D is wrong because AWS does not designate a third-party managed service provider for OS patching; customers may choose their own third-party tools, but the responsibility remains with the customer.

164 · MCQ · medium

A company's security policy requires that all IAM user access keys be rotated every 90 days. The security team wants to automatically identify any IAM user in the company's AWS account whose access keys are older than 90 days and trigger a notification to the security team. They need a managed AWS service that continuously evaluates the access key age against this requirement and generates findings. Which AWS service should the security team use?

A. AWS Trusted Advisor
B. AWS Config
C. Amazon Inspector
D. AWS IAM Access Analyzer
Answer: B

AWS Config is a managed service that evaluates your AWS resource configurations against desired policies. The managed rule 'access-keys-rotated' continuously checks whether active IAM access keys have been rotated within the specified maximum age (e.g., 90 days). Non-compliant resources are identified, and you can configure Amazon SNS notifications to alert the security team. This meets the requirement for continuous evaluation and automated notification.

Why this answer

AWS Config is a managed service that continuously evaluates your AWS resource configurations against desired policies (e.g., access keys older than 90 days) using managed rules like 'iam-user-unused-keys-check'. It generates compliance findings and can trigger notifications via Amazon EventBridge or SNS, meeting the requirement for continuous evaluation and alerting.

Exam trap

The trap here is that candidates confuse AWS Config's continuous compliance evaluation with AWS Trusted Advisor's one-time or periodic checks, or mistakenly think IAM Access Analyzer covers all IAM-related security checks, when it only focuses on external access analysis.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous, custom rule-based evaluation or generate findings for specific IAM access key age policies; it only reports on overall account-level security gaps like unused keys. Option C is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not IAM user access key age. Option D is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify resources shared with external entities (e.g., S3 buckets, KMS keys), not the age or rotation status of IAM user access keys.

165 · MCQ · medium

A company uses Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scanning, and Amazon Macie for sensitive data discovery. The security team needs a centralized dashboard that aggregates findings from all these services, provides a security score, and tracks compliance against industry standards such as CIS AWS Foundations. Which AWS service should the security team use?

A. AWS Config
B. AWS Security Hub
C. Amazon Detective
D. AWS Trusted Advisor
Answer: B

AWS Security Hub is the correct choice. It aggregates findings from multiple AWS security services and partner integrations, provides a consolidated dashboard with a security score, and supports compliance standards like CIS AWS Foundations.

Why this answer

AWS Security Hub is the correct service because it provides a centralized dashboard that aggregates findings from multiple AWS security services, including GuardDuty, Inspector, and Macie. It also offers a consolidated security score and supports automated compliance checks against standards like CIS AWS Foundations, making it the ideal choice for this use case.

Exam trap

The trap here is that candidates may confuse AWS Security Hub with AWS Config, thinking Config provides a centralized findings dashboard, but Config focuses on resource configuration compliance rather than aggregating security service findings.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and auditing resource configurations against desired policies, not for aggregating security findings or providing a security score. Option C is wrong because Amazon Detective is designed for investigating and analyzing security incidents by correlating data from multiple sources, but it does not provide a centralized dashboard with a security score or compliance tracking against standards like CIS AWS Foundations. Option D is wrong because AWS Trusted Advisor offers best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate findings from GuardDuty, Inspector, and Macie, nor does it track compliance against industry standards.

166
MCQ · medium

A company manages 20 AWS accounts under AWS Organizations. The security team wants to ensure that no security group in any account allows unrestricted inbound RDP access (0.0.0.0/0). They need to automatically detect any security group that violates this rule and receive a notification. They also want to track the configuration history of security group changes for forensic analysis. Which AWS service should they use to achieve these requirements?

A. AWS Config
B. Amazon GuardDuty
C. AWS Security Hub
D. AWS CloudTrail
Answer: A

AWS Config records configuration changes of supported AWS resources, evaluates them against configurable rules (including managed rules for security group permissions), and provides a history of changes. It integrates with Amazon SNS to send notifications when resources are noncompliant.

Why this answer

AWS Config is the correct service because it provides managed rules like 'restricted-common-ports' or a custom Lambda rule to detect security groups with inbound RDP access from 0.0.0.0/0. It continuously evaluates resource configurations, sends Amazon SNS notifications on noncompliant resources, and automatically records a configuration history of all security group changes, enabling forensic analysis. This directly meets the requirements for detection, notification, and historical tracking.

Exam trap

The trap here is that candidates confuse AWS Security Hub's aggregation and dashboard capabilities with the underlying compliance evaluation and history recording that only AWS Config provides, leading them to choose Security Hub instead of the service that actually performs the detection and tracking.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not for evaluating security group configurations against compliance rules or tracking configuration history. Option C (AWS Security Hub) is wrong because it aggregates findings from multiple services (including AWS Config) and provides a centralized view, but it does not itself perform the continuous compliance evaluation or maintain the configuration history of security groups; it relies on AWS Config for those capabilities.

167
MCQ · medium

Which AWS service provides a central place to manage security alerts and automate compliance checks across an AWS Organization?

A. Amazon GuardDuty
B. AWS Security Hub
C. AWS Trusted Advisor
D. AWS Config
Answer: B

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools, and runs automated compliance standard checks across the organization.

Why this answer

AWS Security Hub is the correct answer because it provides a single, central location for aggregating, organizing, and prioritizing security alerts (findings) from multiple AWS services (like Amazon GuardDuty, Amazon Inspector, and Amazon Macie) and third-party tools. It also enables automated compliance checks against standards such as CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices across all accounts in an AWS Organization, using built-in or custom controls.

Exam trap

The trap here is that candidates often confuse AWS Security Hub with Amazon GuardDuty, thinking that GuardDuty's threat detection and alerting also covers compliance checks and centralized management of all security alerts, but GuardDuty only handles threat detection findings and lacks the multi-service aggregation and compliance automation that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, but it does not provide a central place to manage security alerts from multiple sources or automate compliance checks across an organization. Option C is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, fault tolerance, and service limits, but it does not aggregate security alerts from other services or automate compliance checks against specific standards. Option D is wrong because AWS Config is a service that evaluates your resource configurations against desired policies (using rules) and tracks configuration changes, but it does not serve as a central hub for security findings or automate compliance checks across multiple security standards.

168
MCQ · medium

A company's security policy prohibits opening SSH (port 22) or RDP (port 3389) to the internet for any Amazon EC2 instance. The operations team needs a way to establish secure shell sessions to manage instances directly from the AWS Management Console without managing bastion hosts or SSH keys. Which AWS service provides this capability?

A. AWS Systems Manager Session Manager
B. AWS Certificate Manager
C. AWS CloudHSM
D. Amazon GuardDuty
Answer: A

Correct. Session Manager offers browser-based shell access to EC2 instances through the AWS Management Console or CLI, using the SSM Agent and without requiring any inbound open ports. It is designed for secure, agent-based instance management.

Why this answer

AWS Systems Manager Session Manager enables secure shell access to EC2 instances directly from the AWS Management Console without opening inbound ports (22 or 3389) or managing bastion hosts. It uses the SSM Agent and AWS Identity and Access Management (IAM) policies to establish a bidirectional connection over HTTPS (port 443), eliminating the need for SSH keys or public IP addresses. This fully satisfies the security policy requirement while providing the desired management capability.

Exam trap

The trap here is that candidates may confuse AWS Certificate Manager (a certificate provisioning service) or AWS CloudHSM (a hardware security module) with a secure access tool, when the correct answer is a systems management service that operates over HTTPS without opening traditional remote access ports.

How to eliminate wrong answers

Option B (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for securing network traffic (e.g., with Elastic Load Balancing or CloudFront) and does not provide interactive shell sessions or instance management. Option C (AWS CloudHSM) is wrong because it offers hardware-based cryptographic key storage and cryptographic operations, not remote shell access or session management for EC2 instances.

169
MCQ · medium

A company stores database passwords for their RDS instances and API keys for third-party services in their application code, which is a security risk. They want a managed service that securely stores these secrets, makes them available to applications via API, and automatically rotates database passwords. Which AWS service should they use?

A. AWS KMS
B. AWS Systems Manager Parameter Store
C. AWS Secrets Manager
D. Amazon Cognito
Answer: C

Secrets Manager stores secrets securely, provides them to applications via API (eliminating hardcoded credentials), and integrates with RDS to automatically rotate database passwords on a configurable schedule.

Why this answer

AWS Secrets Manager is the correct choice because it is a fully managed service specifically designed to securely store, retrieve, and automatically rotate secrets such as database passwords and API keys. It provides built-in integration with RDS for automatic rotation of database credentials without custom code, and it serves secrets via a secure API call, eliminating the need to hardcode secrets in application code.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation for RDS passwords, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like passwords or API keys. Option B is wrong because AWS Systems Manager Parameter Store can store secrets but lacks native automatic rotation for database passwords; it requires custom Lambda functions to implement rotation, whereas Secrets Manager provides built-in rotation. Option D is wrong because Amazon Cognito is an identity and user management service for authentication and authorization, not a secret storage or rotation service for application credentials.

170
MCQ · hard

A company runs a payment processing application on AWS that must comply with the Payment Card Industry Data Security Standard (PCI DSS). An external auditor requests a copy of the AWS SOC 2 report and the PCI DSS Attestation of Compliance (AOC) to verify the security controls of the underlying AWS infrastructure. The company needs to obtain these documents directly from AWS. Which AWS service should the company use?

A. AWS Artifact
B. AWS Config
C. AWS Audit Manager
D. AWS Trusted Advisor
Answer: A

AWS Artifact is the correct service. It is a self-service portal for on-demand access to AWS compliance reports and agreements, such as SOC reports and PCI DSS Attestations of Compliance.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC 2 reports and PCI DSS Attestations of Compliance (AOC). These documents are published directly by AWS and can be downloaded from the AWS Artifact console without needing to contact AWS support, meeting the auditor's requirement for direct retrieval.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Audit Manager, mistakenly thinking Audit Manager provides the same compliance documents, when in fact Audit Manager is for creating custom audit frameworks, not for retrieving AWS's own published reports.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it is a service for recording and evaluating configuration changes of AWS resources, not for accessing compliance reports. Option C (AWS Audit Manager) is wrong because it helps automate evidence collection for internal audits, but it does not host or distribute AWS's own SOC 2 or PCI DSS AOC documents. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost, performance, security, and fault tolerance, not compliance report downloads.

171
MCQ · easy

A retail company processes credit card payments and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to obtain an official document from AWS that details the security controls AWS has implemented to support PCI DSS compliance for services such as Amazon RDS and Amazon EC2. The document must be downloadable as a PDF for review and audit purposes. Which AWS service should the compliance officer use to retrieve this document?

A. AWS Security Hub
B. AWS Artifact
C. AWS Config
D. AWS Trusted Advisor
Answer: B

AWS Artifact is the correct service. It offers on-demand access to AWS compliance reports (e.g., PCI DSS, SOC, ISO) and agreements. Users can download these documents in PDF format to meet audit requirements.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports and security documents, including the PCI DSS compliance attestation and responsibility summary. The compliance officer can download the AWS PCI DSS compliance package as a PDF directly from the AWS Artifact console, which is specifically designed for audit and review purposes.

Exam trap

The trap here is that candidates may confuse AWS Security Hub’s ability to run PCI DSS automated checks with the need to obtain the official AWS PCI DSS attestation document, which is only available through AWS Artifact.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub aggregates security alerts and automates compliance checks against standards like PCI DSS, but it does not provide downloadable PDF documents of AWS’s own security controls. Option C is wrong because AWS Config evaluates resource configurations against rules and tracks changes, but it does not host or deliver compliance attestation documents. Option D is wrong because AWS Trusted Advisor offers best-practice recommendations for cost, performance, and security, but it does not provide official PCI DSS compliance documentation.

172
MCQ · medium

A company's security team wants to automatically remediate non-compliant AWS Config rules, such as automatically enabling S3 server-side encryption on any bucket found without it. Which AWS Config feature enables this?

A. AWS Config rule compliance reporting only
B. AWS Config Rules with Automatic Remediation using SSM Automation
C. AWS Security Hub findings export to S3
D. Amazon GuardDuty threat response
Answer: B

Config's remediation actions use AWS Systems Manager Automation documents to automatically fix non-compliant resources — e.g., enabling S3 encryption or enabling VPC flow logs.

Why this answer

AWS Config Rules with Automatic Remediation using SSM Automation (Option B) is the correct feature because it allows you to associate an SSM Automation document with a non-compliant AWS Config rule. When a resource is evaluated as non-compliant, Config can automatically invoke the SSM Automation runbook to remediate the issue—for example, enabling S3 server-side encryption on a bucket that lacks it. This directly satisfies the security team's requirement for automated, policy-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance reporting (Option A) with its remediation capabilities, assuming that reporting alone can fix issues, or they mistakenly think Security Hub (Option C) or GuardDuty (Option D) can perform automated compliance remediation, when in fact those services are for aggregation and threat detection, not for executing configuration changes.

How to eliminate wrong answers

Option A is wrong because AWS Config rule compliance reporting only provides visibility into which resources are non-compliant; it does not include any mechanism to automatically remediate the non-compliant resources. Option C is wrong because AWS Security Hub findings export to S3 is a feature for centralizing security alerts and findings into an S3 bucket for analysis or archival, not for triggering automated remediation actions on AWS Config rule violations. Option D is wrong because Amazon GuardDuty threat response focuses on detecting and responding to malicious activity (e.g., compromised credentials or API calls) using threat intelligence, not on enforcing compliance rules like enabling S3 server-side encryption.

173
MCQ · easy

Which AWS service automatically generates password policies, reviews IAM users, and provides a security score to help assess the security posture of an AWS account?

A. Amazon GuardDuty
B. AWS Trusted Advisor
C. Amazon Inspector
D. Amazon Macie
Answer: B

Trusted Advisor's security checks evaluate MFA on root, IAM password policies, access key rotation, and other security configurations, providing color-coded security recommendations.

Why this answer

AWS Trusted Advisor is the correct service because it provides automated checks that include password policy recommendations (e.g., minimum length, expiration), IAM user reviews (e.g., unused keys, MFA status), and a security score that aggregates findings to assess overall account security posture. This directly matches the question's description of generating password policies, reviewing IAM users, and providing a security score.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's security checks with Amazon Inspector's vulnerability scanning, because both have 'security' in their descriptions, but Inspector focuses on EC2/container vulnerabilities while Trusted Advisor handles account-level IAM and password policy reviews.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not generate password policies, review IAM users, or provide a security score. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure; it does not evaluate IAM users or password policies. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3 buckets; it does not perform IAM user reviews or generate password policies.

174
MCQ · medium

A company manages multiple AWS accounts using AWS Organizations. The company wants employees to sign in using their existing corporate credentials from an on-premises Microsoft Active Directory. The company also needs a single sign-on (SSO) experience so that each employee can access the AWS Management Console for any authorized account without needing separate passwords. Additionally, the company wants to centrally manage permissions across all accounts. Which AWS service should the company use to meet these requirements?

A. AWS Identity and Access Management (IAM)
B. AWS IAM Identity Center (AWS SSO)
C. AWS Directory Service
D. Amazon Cognito
Answer: B

AWS IAM Identity Center is the service that centrally manages single sign-on access to multiple AWS accounts and applications. It integrates with Microsoft Active Directory and allows employees to use their existing corporate credentials to access the AWS Management Console across all authorized accounts with a single sign-on experience, and it centralizes permission management.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized place to manage single sign-on (SSO) access to multiple AWS accounts and applications. It integrates with an on-premises Microsoft Active Directory via the AWS Directory Service or an external identity provider, allowing employees to use their existing corporate credentials. IAM Identity Center also enables you to centrally define and manage permissions across all accounts in AWS Organizations, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Directory Service with a complete SSO solution, but Directory Service only provides the directory infrastructure, not the centralized permission management or SSO portal that IAM Identity Center delivers.

How to eliminate wrong answers

Option A is wrong because AWS Identity and Access Management (IAM) is designed for managing users and permissions within a single AWS account, not for providing SSO across multiple accounts or integrating with an on-premises Active Directory for federated access. Option C is wrong because AWS Directory Service provides managed Microsoft Active Directory in the cloud, but it does not itself offer a single sign-on experience or centrally manage permissions across multiple AWS accounts; it is a building block that can be used with IAM Identity Center for identity federation.

175
MCQ · medium

A company uses AWS Organizations to manage multiple AWS accounts. The security team must ensure that all API activity across all accounts, including any new accounts added in the future, is recorded and delivered to a centralized S3 bucket for auditing. The solution should require minimal ongoing manual effort. Which AWS feature should the security team use?

A. Enable AWS CloudTrail in each account individually and configure the S3 bucket to allow cross-account access from the audit account.
B. Create an AWS CloudTrail organization trail that logs events for all accounts in the organization.
C. Use AWS Config to record API calls and deliver configuration history to an S3 bucket.
D. Set up Amazon GuardDuty to monitor API activity and send findings to a centralized S3 bucket.
Answer: B

An organization trail is a single trail that logs API activity for all current and future member accounts in AWS Organizations, automatically delivering logs to a centralized S3 bucket. This meets the requirements with minimal ongoing manual effort.

Why this answer

Option B is correct because AWS CloudTrail organization trails automatically log events for all accounts in an AWS Organization, including any new accounts added in the future, and deliver them to a single S3 bucket without requiring per-account configuration. This satisfies the requirement for minimal ongoing manual effort and centralized auditing.

Exam trap

The trap here is that candidates confuse AWS Config (which records configuration history) with CloudTrail (which records API activity), or assume that individual account trails with cross-account access are simpler, overlooking the automatic future-account coverage of an organization trail.

How to eliminate wrong answers

Option A is wrong because it requires manual configuration in each account individually and does not automatically include new accounts, leading to high ongoing effort and potential gaps. Option C is wrong because AWS Config records resource configuration changes, not API activity; it cannot capture API calls like CloudTrail does. Option D is wrong because Amazon GuardDuty monitors for threats and suspicious behavior, not API activity logging; it sends findings to S3 but does not record all API calls for auditing.

176
MCQ · easy

A company wants all IAM users to verify their identity with both a password and a one-time code from an authenticator app before accessing the AWS Management Console. Which security control should the company enable?

A. AWS Shield
B. Multi-Factor Authentication (MFA)
C. AWS WAF
D. Amazon Cognito
Answer: B

MFA requires users to provide a second authentication factor — a time-based one-time password (TOTP) from an authenticator app — in addition to their password. This significantly reduces the risk of compromised credentials.

Why this answer

Multi-Factor Authentication (MFA) is the correct security control because it requires users to present two independent factors: something they know (password) and something they have (a one-time code from an authenticator app). This satisfies the company's requirement for both a password and a one-time code before accessing the AWS Management Console, significantly reducing the risk of unauthorized access even if a password is compromised.

Exam trap

The trap here is that candidates may confuse AWS WAF or Amazon Cognito with IAM MFA, but the question specifically asks for the security control that enforces both a password and a one-time code for IAM users, which is exclusively Multi-Factor Authentication (MFA) within IAM.

How to eliminate wrong answers

Option A is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS, not an identity verification mechanism. Option C is wrong because AWS WAF (Web Application Firewall) monitors and controls HTTP/HTTPS traffic to web applications based on rules, but it does not enforce user authentication or MFA. Option D is wrong because Amazon Cognito provides user sign-up, sign-in, and access control for web and mobile applications, but it is not the native IAM feature for requiring MFA on IAM users; the correct control is enabling MFA directly on IAM users or groups.

177
MCQ · easy

Which AWS service provides a Web Application Firewall that protects web applications from common exploits like SQL injection and cross-site scripting?

A. AWS Shield
B. AWS WAF
C. Amazon GuardDuty
D. Security Groups
Answer: B

WAF inspects HTTP/HTTPS requests and applies rules to block web attacks including SQL injection, XSS, and bad bots at the application layer (Layer 7).

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It allows you to create custom rules that block, allow, or monitor web requests based on conditions such as IP addresses, HTTP headers, URI strings, and request body content. This makes it the correct service for the described use case.

Exam trap

The trap here is that candidates often confuse AWS Shield (DDoS protection) with AWS WAF (application-layer filtering), but Shield operates at the network/transport layer while WAF inspects application-layer payloads for exploits like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service, not a web application firewall; it does not inspect application-layer payloads for SQL injection or XSS. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not actively filter or block web application exploits. Option D is wrong because Security Groups act as a virtual firewall at the instance or subnet level, filtering traffic based on IP addresses and ports, not application-layer content like HTTP request bodies or headers.

178
MCQ · medium

A company's security team needs to receive near-real-time notifications whenever an IAM user in their AWS account performs an action that violates a defined baseline of expected behavior. Examples include launching an Amazon EC2 instance in an unauthorized AWS Region or modifying a security group to allow public SSH access from the internet. The solution must analyze continuous streams of AWS API activity to identify suspicious patterns and known malicious IP addresses. Which AWS service should the security team use?

A. Amazon GuardDuty
B. AWS CloudTrail
C. AWS Config
D. Amazon Inspector
Answer: A

Correct. Amazon GuardDuty uses threat intelligence and machine learning to analyze continuous streams of AWS API activity (via CloudTrail), VPC Flow Logs, and DNS logs. It detects suspicious patterns, unauthorized behavior, and known malicious IP addresses, and can send near-real-time alerts.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors AWS API activity, including CloudTrail management events, VPC Flow Logs, and DNS logs, to identify suspicious patterns and known malicious IP addresses. It uses machine learning and integrated threat intelligence to detect anomalous behavior such as launching EC2 instances in unauthorized regions or modifying security groups for public SSH access, and can deliver near-real-time notifications via Amazon EventBridge or SNS. This makes it the correct choice for analyzing continuous streams of API activity and alerting on violations of a defined baseline.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with GuardDuty's threat detection, assuming that simply recording API calls is sufficient for near-real-time security analysis, but CloudTrail lacks the built-in machine learning and threat intelligence needed to identify suspicious patterns or malicious IPs automatically.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because CloudTrail is a governance, compliance, and auditing service that records API activity but does not analyze streams for suspicious patterns, detect known malicious IP addresses, or provide near-real-time threat detection—it requires additional services like GuardDuty to interpret the logs. Option C (AWS Config) is wrong because AWS Config evaluates resource configurations against rules for compliance and change management, not for analyzing continuous API activity streams or detecting malicious IP addresses; it focuses on configuration drift rather than threat detection.

179
MCQ · medium

A company is deploying a three-tier web application on AWS. The security team requires a network-level firewall that operates at the subnet level and can evaluate both inbound and outbound traffic using stateless rules. Which AWS feature should the company use to meet this requirement?

A. Security Groups
B. Network ACLs
C. AWS WAF
D. AWS Shield
Answer: B

Network ACLs are a stateless firewall operating at the subnet level, supporting both inbound and outbound rules. They evaluate traffic based on rule order and allow or deny traffic without maintaining connection state, matching the requirement.

Why this answer

Network ACLs (NACLs) are a stateless, subnet-level firewall that evaluates both inbound and outbound traffic based on numbered rules. Unlike security groups, NACLs do not maintain connection state, so rules must be explicitly defined for both directions, meeting the requirement for stateless inspection at the subnet boundary.

Exam trap

The trap here is confusing stateful security groups (which automatically track connection state) with stateless network ACLs, leading candidates to choose Security Groups when the question explicitly requires stateless, subnet-level filtering.

How to eliminate wrong answers

Option A is wrong because Security Groups are stateful firewalls that operate at the instance level, not the subnet level, and they automatically allow return traffic without explicit outbound rules, which contradicts the stateless requirement. Option C is wrong because AWS WAF is a web application firewall that operates at the application layer (Layer 7) to filter HTTP/S requests, not a network-layer firewall for subnet-level traffic inspection.

180
MCQ · medium

A company's security team is concerned about the risk of compromised Amazon EC2 instances being used for crypto-mining activities. They want a managed AWS service that can automatically detect unusual outbound network traffic patterns that are characteristic of crypto-mining, without requiring the installation of any agents on the instances. The team needs continuous monitoring and the ability to receive findings that include details about the suspicious activity. Which AWS service should the security team use?

A. Amazon GuardDuty
B. Amazon Macie
C. AWS Config
D. Amazon Detective
Answer: A

Correct. Amazon GuardDuty uses machine learning and threat intelligence to analyze network traffic and logs for suspicious activity, including crypto-mining behavior, without requiring any agents.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor for malicious activity, including unusual outbound network traffic patterns like those associated with crypto-mining. It operates at the AWS account and VPC level by analyzing DNS logs, VPC Flow Logs, and CloudTrail events, and it does not require any agents to be installed on EC2 instances. When suspicious activity is detected, GuardDuty generates detailed findings that include information about the affected resource, the type of threat, and recommended remediation steps.

Exam trap

The trap here is that candidates may confuse Amazon Detective's investigative capabilities with proactive detection, but Detective requires existing findings to analyze and does not perform continuous monitoring for crypto-mining traffic patterns on its own.

How to eliminate wrong answers

Option B (Amazon Macie) is wrong because Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data stored in Amazon S3, not to detect network traffic anomalies or crypto-mining activity. Option C (AWS Config) is wrong because AWS Config is a service for evaluating and auditing the configuration of AWS resources against desired policies, not for real-time threat detection or analyzing network traffic patterns. Option D (Amazon Detective) is wrong because Detective is a post-incident investigation tool that ingests and analyzes log data to help identify the root cause of security findings, but it does not proactively detect unusual outbound traffic patterns on its own; it relies on findings from other services like GuardDuty.

181
MCQmedium

A company needs to grant an EC2 instance permission to write to an S3 bucket. What is the most secure way to accomplish this?

A.Hardcode the IAM user access keys in the application code
B.Store IAM access keys in environment variables on the EC2 instance
C.Attach an IAM role with the appropriate S3 permissions to the EC2 instance
D.Create an IAM user and configure the instance with its credentials
AnswerC

IAM roles provide automatically rotated temporary credentials via instance metadata — no long-term keys to manage, rotate, or leak, and least privilege is applied through the role's permissions policy.

Why this answer

Option C is correct because attaching an IAM role to an EC2 instance allows the instance to securely obtain temporary credentials via the instance metadata service (IMDS). These credentials are automatically rotated by AWS, eliminating the need to hardcode or store long-term access keys. The role's policy grants only the necessary S3 write permissions, following the principle of least privilege.

Exam trap

The trap here is that candidates may think storing credentials in environment variables is secure because they are not in code, but AWS explicitly recommends IAM roles over any form of long-term access key storage for EC2 instances.

How to eliminate wrong answers

Option A is wrong because hardcoding IAM user access keys in application code exposes them to source code leaks, version control exposure, and requires manual rotation, violating security best practices. Option B is wrong because storing IAM access keys in environment variables on the EC2 instance still uses long-term credentials that can be compromised if the instance is accessed or if the environment is dumped, and they lack automatic rotation. Option D is wrong because creating an IAM user and configuring the instance with its credentials involves distributing long-term access keys that must be securely stored and rotated, increasing the attack surface compared to using an IAM role with temporary credentials.

182
MCQeasy

Which AWS service provides managed threat detection that analyzes VPC Flow Logs, AWS CloudTrail events, and DNS logs to identify malicious activity and unauthorized behavior?

A.AWS Security Hub
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS Config
AnswerC

GuardDuty uses ML and threat intelligence to analyze VPC Flow Logs, CloudTrail, and DNS logs for active threats like compromised instances and account takeovers.

Why this answer

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses machine learning, anomaly detection, and integrated threat intelligence to identify threats such as credential compromise, cryptocurrency mining, and API abuse without requiring additional security software or infrastructure.

Exam trap

The trap here is that candidates confuse AWS Security Hub (a central dashboard for findings) with GuardDuty (the actual threat detection engine), or assume Amazon Inspector performs network traffic analysis when it only scans for software vulnerabilities and network reachability.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and performs compliance checks, but it does not itself analyze VPC Flow Logs, CloudTrail, or DNS logs for threat detection. Option B is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not for analyzing flow logs or DNS logs to detect malicious activity. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against desired policies and tracks configuration changes, but it does not perform threat detection or analyze network traffic or API logs for malicious behavior.

183
MCQmedium

A security team wants to automatically scan their Amazon EC2 instances for known software vulnerabilities (CVEs) and assess whether any instances have unintended network access paths open. Which AWS service performs these automated security assessments?

A.Amazon GuardDuty
B.Amazon Macie
C.Amazon Inspector
D.AWS Shield
AnswerC

Inspector automatically scans EC2 instances for software vulnerabilities (using the CVE database) and assesses network reachability to identify open paths that could allow unintended access. It continuously provides findings ranked by severity.

Why this answer

Amazon Inspector is the correct service because it is specifically designed to perform automated vulnerability scans (including CVEs) and network reachability assessments on EC2 instances. It uses a combination of AWS security best practices and common vulnerability databases to identify software vulnerabilities and unintended network access paths, such as open ports or overly permissive security groups.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty's threat detection with vulnerability scanning, but GuardDuty focuses on behavioral anomalies and known malicious IPs, not on identifying software CVEs or network configuration exposures.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using machine learning and threat intelligence, not for scanning known software vulnerabilities or network access paths. Option B is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) in S3 buckets, not for vulnerability scanning of EC2 instances. Option D is wrong because AWS Shield is a managed DDoS protection service that safeguards against distributed denial-of-service attacks, not for automated vulnerability or network access assessments.

184
MCQmedium

A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?

A.Add a condition to the KMS key policy that uses the 'kms:RequestTag/ConditionKey' to require the tag on the caller.
B.Add a condition to the IAM role's trust policy that denies the 'kms:Decrypt' action unless the role has the tag.
C.Add a condition to the IAM policy that grants the 'kms:Decrypt' permission with a condition on 'aws:PrincipalTag' to require the tag.
D.Add a condition to the S3 bucket policy that denies all access unless the IAM role has the required tag.
AnswerC

Correct. IAM policies support the 'aws:PrincipalTag' condition key, which checks the tags attached to the IAM principal (user or role) making the request. By adding a condition like 'StringEquals': {'aws:PrincipalTag/Environment': 'Production'} to the IAM policy that grants 'kms:Decrypt', the decryption action is only allowed when the role has the specified tag. This is a form of attribute-based access control (ABAC).

Why this answer

Option C is correct because the condition key 'aws:PrincipalTag' in an IAM policy allows you to control access based on tags attached to the IAM principal (the role). By adding a condition that requires 'aws:PrincipalTag/Environment' to equal 'Production', the 'kms:Decrypt' permission is only effective when the IAM role has that specific tag. This directly enforces the security team's requirement at the IAM policy level, which is the appropriate place to restrict permissions based on principal attributes.

Exam trap

The trap here is confusing which policy document (IAM policy vs. key policy vs. bucket policy) and which condition key (PrincipalTag vs. RequestTag) is appropriate for restricting actions based on the caller's tags.

How to eliminate wrong answers

Option A is wrong because 'kms:RequestTag/ConditionKey' is used to check tags on the KMS key itself or tags specified in the request, not tags on the calling IAM role. Option B is wrong because the IAM role's trust policy controls which principals can assume the role, not what actions the role can perform; denying 'kms:Decrypt' in the trust policy is ineffective and misapplied. Option D is wrong because an S3 bucket policy controls access to S3 objects, not to KMS decryption actions; it cannot enforce conditions on the KMS 'Decrypt' API call.

185
Drag & Dropmedium

Drag and drop the steps to set up a cross-region read replica for Amazon RDS in the correct order.

Why this order

Cross-region read replica: enable backups, configure, create replica, wait, and optionally promote.

186
MCQmedium

A company runs multiple workloads on AWS and must ensure that all Amazon S3 buckets have server-side encryption enabled. The compliance team wants to automatically detect any S3 bucket that is created without encryption and receive an alert. They also want to continuously monitor existing buckets for compliance. Which AWS service should they use?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon Inspector
AnswerA

Correct. AWS Config evaluates resource configurations against rules defined by the user (such as 's3-bucket-server-side-encryption-enabled') and can automatically detect non-compliant resources, including S3 buckets without encryption, and send alerts.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. You can create an AWS Config rule, such as the managed rule 's3-bucket-server-side-encryption-enabled', which automatically checks whether each S3 bucket has server-side encryption enabled. When a non-compliant bucket is detected (either newly created or existing), AWS Config can trigger an Amazon SNS notification to alert the compliance team, meeting both the detection and alerting requirements.

Exam trap

The trap here is that candidates often confuse AWS Config (configuration auditing) with AWS CloudTrail (API auditing), thinking that CloudTrail can detect non-compliant configurations, but CloudTrail only logs actions and does not evaluate the resulting state of resources against compliance rules.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence, not for checking resource configuration compliance like encryption settings. Option C (AWS CloudTrail) is wrong because it records API activity and provides audit logs of actions taken on S3 buckets (e.g., who created a bucket), but it does not continuously evaluate the configuration state of resources or alert on compliance violations. Option D (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for evaluating S3 bucket encryption policies.

187
MCQmedium

A security team wants to automatically detect unusual activity in their AWS account, such as EC2 instances communicating with known malicious IP addresses, unusual API calls indicating credential compromise, or cryptocurrency mining activity. Which AWS service uses machine learning to detect these threats?

A.Amazon Inspector
B.AWS Security Hub
C.Amazon GuardDuty
D.Amazon Macie
AnswerC

GuardDuty continuously analyzes CloudTrail API logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds. It detects threats like compromised EC2 instances, unusual API calls, and communication with malicious IPs.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to continuously monitor for malicious or unauthorized behavior in AWS accounts and workloads. It specifically analyzes VPC Flow Logs, AWS CloudTrail management and data events, and DNS logs to detect patterns such as EC2 instances communicating with known malicious IP addresses, unusual API calls indicative of credential compromise, and cryptocurrency mining activity. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty with Amazon Inspector or AWS Security Hub, mistakenly thinking that vulnerability scanning or centralized security findings equate to active threat detection, whereas GuardDuty is the only service that continuously monitors for malicious behavior using machine learning and threat intelligence.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not for detecting malicious activity like communication with known bad IPs or credential compromise. Option B is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and checks compliance against standards, but it does not itself perform machine learning-based threat detection. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII, financial records) stored in Amazon S3, not to detect threats like malicious IP communication or cryptocurrency mining.

188
MCQmedium

A company wants to protect their S3 buckets from accidental or malicious data exfiltration by ensuring that data can only leave the VPC through S3 endpoint conditions. Which IAM policy condition controls this?

A.S3 Block Public Access
B.VPC endpoint policy with aws:SourceVpc condition
C.S3 CORS configuration
D.Amazon Macie sensitive data classification
AnswerB

The `aws:SourceVpc` or `aws:SourceVpce` condition in an S3 bucket policy restricts access to only requests coming through a specific VPC or VPC endpoint, preventing exfiltration via compromised credentials outside the VPC.

Why this answer

Option B is correct because the `aws:SourceVpc` condition key in a VPC endpoint policy restricts access to S3 buckets so that requests must originate from the specified VPC. This ensures that data can only leave the VPC through the S3 VPC endpoint, preventing accidental or malicious data exfiltration via the public internet. By combining this condition with a VPC endpoint policy, the company enforces network-level control over S3 access.

Exam trap

The trap here is that candidates confuse S3 Block Public Access (a bucket-level permission control) with network-level exfiltration prevention, or they mistakenly think Macie or CORS can enforce data flow restrictions, when only VPC endpoint policies with the `aws:SourceVpc` condition can restrict traffic to a specific VPC.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access only prevents public access to S3 buckets at the account or bucket level, but it does not control how data leaves a VPC or enforce that traffic must go through a VPC endpoint. Option C is wrong because S3 CORS configuration controls cross-origin HTTP requests from web browsers, not network-level data exfiltration or VPC endpoint routing. Option D is wrong because Amazon Macie is a data classification and discovery service that identifies sensitive data, but it does not enforce network access controls or restrict data exfiltration paths.

189
MCQmedium

A company stores sensitive financial data in Amazon S3 and must encrypt it at rest. The compliance team mandates that the encryption key must be rotated at least once per year, and the key material must be generated and managed by the company within AWS. The company wants a fully automated solution that requires no manual intervention for key rotation. Which AWS service or feature should the company use?

A.Use Amazon S3 server-side encryption with customer-provided encryption keys (SSE-C).
B.Create an AWS KMS customer managed key and enable automatic annual rotation.
C.Use an AWS KMS AWS managed key (aws/s3) which automatically rotates the key every year.
D.Use AWS CloudHSM to generate and manage the key, and implement a custom cron job to rotate the key.
AnswerB

Correct. AWS KMS customer managed keys (CMKs) can have automatic key rotation enabled, which rotates the key material once per year without any manual effort. The company retains control and ownership of the key.

Why this answer

Option B is correct because AWS KMS customer managed keys support automatic annual rotation, which satisfies the compliance requirement for key rotation without manual intervention. The company retains control over the key material since it is generated and managed within AWS KMS, meeting the mandate that the company manages the keys within AWS.

Exam trap

The trap here is that candidates may confuse AWS managed keys (which rotate automatically but are not customer-managed) with customer managed keys, or assume that SSE-C or CloudHSM are simpler solutions without realizing they fail the 'fully automated' or 'within AWS' requirements.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to provide and manage their own encryption keys outside of AWS, which contradicts the requirement that the key material be generated and managed by the company within AWS, and it does not offer automated rotation. Option C is wrong because AWS managed keys (aws/s3) are managed by AWS, not the company, and while they rotate automatically, the company does not have control over the key material or rotation schedule. Option D is wrong because AWS CloudHSM requires custom implementation for key rotation (e.g., a cron job), which introduces manual intervention and does not provide a fully automated solution as mandated.

190
MCQmedium

A company runs a web application on Amazon CloudFront and an Application Load Balancer (ALB). The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS). Additionally, the company needs to block requests from specific countries due to compliance requirements. The security team prefers a managed service that provides pre-configured rule sets and integrates directly with CloudFront and ALB without requiring additional infrastructure. Which AWS service should the security team use?

A.AWS Network Firewall
B.AWS Shield Advanced
C.AWS WAF
D.AWS Firewall Manager
AnswerC

AWS WAF is a web application firewall that protects against common web exploits like SQL injection and XSS. It supports pre-configured managed rule sets, custom rules, and geographic (geo) blocking. It integrates directly with Amazon CloudFront and Application Load Balancer, meeting all the requirements.

Why this answer

AWS WAF is a managed web application firewall that protects web applications from common exploits like SQL injection and cross-site scripting (XSS) using pre-configured rule sets (e.g., AWS Managed Rules). It integrates natively with both CloudFront and Application Load Balancers (ALBs) without requiring additional infrastructure, and it supports geo-blocking to restrict requests from specific countries, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse AWS WAF with AWS Shield Advanced, thinking Shield Advanced provides application-layer attack protection, but Shield Advanced focuses on DDoS mitigation at the network and transport layers, not on inspecting HTTP payloads for SQL injection or XSS.

How to eliminate wrong answers

Option A is wrong because AWS Network Firewall is a managed firewall for VPC network traffic (stateful inspection of north-south and east-west traffic) and does not integrate directly with CloudFront or ALB for application-layer protection against SQL injection or XSS. Option B is wrong because AWS Shield Advanced provides DDoS protection and cost protection against scaling, but it does not include pre-configured rule sets for web application attacks like SQL injection or XSS, nor does it offer geo-blocking capabilities. Option D is wrong because AWS Firewall Manager is a policy management service that centrally configures and enforces firewall rules across accounts (including AWS WAF rules), but it is not itself a web application firewall and does not directly protect against SQL injection or XSS; it relies on AWS WAF for that functionality.

191
MCQmedium

Which AWS service provides DDoS protection for all AWS customers at no additional charge and automatically protects resources at Layers 3 and 4?

A.AWS WAF
B.AWS Shield Advanced
C.AWS Shield Standard
D.Amazon CloudFront with geo-restriction
AnswerC

Shield Standard is included at no charge for all AWS customers and automatically protects against Layer 3/4 DDoS attacks on all AWS resources.

Why this answer

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and provides always-on detection and inline mitigation of DDoS attacks targeting Layers 3 (network) and 4 (transport) of the OSI model. It protects common AWS resources such as Amazon CloudFront, Elastic Load Balancing, and Amazon Route 53 from common infrastructure-layer attacks like SYN floods and UDP reflection attacks.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, automatic Layer 3/4 protection) with AWS Shield Advanced (paid, enhanced protection including Layer 7 and cost coverage), or mistakenly think AWS WAF provides Layer 3/4 DDoS protection when it only operates at Layer 7.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that operates at Layer 7 (application layer) and is not designed for Layer 3/4 DDoS protection; it also incurs additional charges. Option B is wrong because AWS Shield Advanced is a paid service that provides enhanced DDoS protection, including cost protection and 24/7 access to the DDoS Response Team, not a free service for all customers. Option D is wrong because Amazon CloudFront with geo-restriction is a content delivery service that can restrict access by geographic location, but it does not provide DDoS protection at Layers 3 and 4 and is not a free service.

192
MCQeasy

A company stores financial reports in Amazon S3. The security team needs to automatically detect whether any of these reports contain sensitive data, such as personally identifiable information (PII) like credit card numbers or social security numbers. The team wants a fully managed service that continuously scans the S3 buckets and reports findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

A.Amazon Inspector
B.Amazon Macie
C.AWS Config
D.AWS Security Hub
AnswerB

Amazon Macie is designed to discover and protect sensitive data in S3. It automatically scans objects using ML and pattern matching to find PII, credentials, and other sensitive content, and provides findings in the Macie dashboard.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data such as PII (e.g., credit card numbers, social security numbers) stored in Amazon S3. It continuously scans S3 buckets and provides a centralized dashboard for findings, meeting the requirement for automated detection and reporting without manual intervention.

Exam trap

AWS often tests the distinction between services that inspect resource configurations (AWS Config) versus those that inspect data content (Macie), and candidates may confuse Security Hub as a scanning service when it is actually an aggregator of findings from other services.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads (EC2 instances, container images, and Lambda functions) for software vulnerabilities and unintended network exposure, not for sensitive data content in S3 objects. Option C is wrong because AWS Config is a service that evaluates and records resource configurations and compliance against rules (e.g., checking if S3 buckets are publicly accessible), but it does not inspect the content of objects for PII or sensitive data. Option D is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like Macie, Inspector, GuardDuty) and third-party tools, but it does not perform the actual scanning of S3 objects for sensitive data itself.

193
MCQmedium

A company stores sensitive customer data in an Amazon S3 bucket. The security team wants to record every GetObject and PutObject API call made against the bucket, including the identity of the caller, the source IP address, and the time of the request. They need to store these records in a separate centralized S3 bucket and analyze them using Amazon Athena for security audits. Which AWS feature should the security team enable?

A.AWS Config managed rules
B.Amazon S3 server access logging
C.AWS CloudTrail data events
D.Amazon GuardDuty
AnswerC

Correct. AWS CloudTrail data events capture object-level API operations on Amazon S3 objects, including GetObject and PutObject. These logs include caller identity, source IP, and request time. They can be delivered to an S3 bucket and queried with Amazon Athena for security audits.

Why this answer

AWS CloudTrail data events (Option C) are the correct choice because they capture detailed information about S3 object-level API operations such as GetObject and PutObject, including the caller identity, source IP address, and request time. These logs can be delivered to a centralized S3 bucket and queried using Amazon Athena for security audits, meeting all stated requirements.

Exam trap

AWS often tests the distinction between S3 server access logs (which log requests but lack caller identity) and CloudTrail data events (which capture full API details including identity), leading candidates to mistakenly choose server access logging for security auditing.

How to eliminate wrong answers

Option A is wrong because AWS Config managed rules evaluate resource configurations for compliance (e.g., checking if an S3 bucket is publicly accessible) but do not record individual API calls or provide caller identity, source IP, or timestamps for GetObject/PutObject operations. Option B is wrong because Amazon S3 server access logging provides logs of requests made to a bucket, but it does not include the identity of the caller (IAM user or role) and cannot be directly queried by Athena without additional transformation; it also lacks the granularity of CloudTrail data events for security auditing. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail management events for malicious activity, but it does not record every GetObject/PutObject API call with caller identity and source IP for audit purposes.

194
MCQmedium

A development team is building a mobile application and needs to add user registration, sign-in, and authentication (including social login via Google and Facebook) without building and managing their own authentication backend. Which AWS service provides managed user authentication for applications?

A.AWS IAM
B.AWS Directory Service
C.Amazon Cognito
D.AWS SSO
AnswerC

Cognito User Pools provide a managed authentication service for applications. They support user registration, sign-in, MFA, and federated authentication via social providers (Google, Facebook) without requiring a custom authentication backend.

Why this answer

Amazon Cognito is the correct choice because it provides a fully managed user identity and authentication service specifically designed for mobile and web applications. It supports user registration, sign-in, and social login via identity providers like Google and Facebook through its user pools and identity pools features, eliminating the need to build and manage a custom authentication backend.

Exam trap

The trap here is that candidates often confuse AWS IAM with user authentication for applications, but IAM is strictly for AWS resource access control, not for end-user identity management in custom apps.

How to eliminate wrong answers

Option A is wrong because AWS IAM is used for managing permissions and access control for AWS resources and services, not for authenticating end-users of an application with social login or user registration. Option B is wrong because AWS Directory Service is designed to set up and run Microsoft Active Directory in the AWS cloud, which is intended for enterprise identity management and not for mobile app user authentication with social providers. Option D is wrong because AWS SSO (now AWS IAM Identity Center) is a service for centrally managing single sign-on access to multiple AWS accounts and business applications, not for building user registration and social login into a custom mobile application.

195
Drag & Dropmedium

Drag and drop the steps to set up an S3 bucket with versioning and public access blocked in the correct order.

Why this order

Bucket creation comes first, then enabling versioning, blocking public access, uploading objects, and optionally setting lifecycle rules.

196
MCQmedium

A security team needs to demonstrate to auditors that no AWS infrastructure has been modified between two audit periods. Which AWS service provides a continuous record of configuration changes with before-and-after state for all resources?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch
D.Amazon GuardDuty
AnswerB

AWS Config provides a complete configuration history for each resource with before-and-after states — auditors can review exactly how resources were configured at any point in time and what changed.

Why this answer

AWS Config is the correct service because it continuously records configuration changes to AWS resources and provides a detailed history of each change, including the before-and-after state. This allows the security team to demonstrate to auditors that no infrastructure modifications occurred between two audit periods by reviewing the configuration timeline and compliance snapshots.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which records resource configuration states), but CloudTrail does not provide the before-and-after configuration state that auditors require for demonstrating no infrastructure changes.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and events (who did what, when, and from where), but it does not capture the before-and-after configuration state of resources; it logs actions, not the resulting resource configuration. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not a configuration tracking service; it cannot provide a historical record of resource configuration changes with state details. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes logs and network traffic for malicious activity, not a configuration change recorder; it does not track or store resource configuration states.

197
MCQ · medium

A financial services company is preparing for an annual third-party audit. The auditor has requested a copy of the AWS SOC 2 Type II report to evaluate the security controls of the AWS infrastructure. The company needs to retrieve the report as quickly as possible without raising a support ticket. Which AWS service should they use?

A.AWS Security Hub
B.AWS Config
C.AWS Artifact
D.AWS Trusted Advisor
Answer: C

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC, PCI, and ISO reports, which can be downloaded directly from the AWS Management Console.

Why this answer

AWS Artifact is the correct service because it provides on-demand, self-service access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications, without needing to open a support ticket. The auditor's request for a SOC 2 Type II report is exactly the use case AWS Artifact is designed for, allowing the company to download the report immediately from the AWS Management Console or via the AWS CLI.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Security Hub or AWS Config, thinking those services provide compliance reports, when in fact AWS Artifact is the only service that directly serves downloadable audit documentation without requiring a support ticket.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a cloud security posture management service that aggregates security alerts and compliance checks from multiple AWS services, but it does not provide downloadable compliance reports like SOC 2 reports. Option B is wrong because AWS Config is a service for evaluating, auditing, and recording configuration changes of AWS resources, not for retrieving compliance documentation or audit reports. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not offer access to compliance reports such as SOC 2 Type II reports.

198
MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses a custom domain name and requires HTTPS for all traffic. The security team provisions an SSL/TLS certificate using AWS Certificate Manager (ACM) and associates it with the ALB. Which of the following is an advantage of using ACM over manually managing certificates?

A.ACM automatically renews the certificate before it expires, and the renewed certificate is automatically applied to the associated load balancer.
B.ACM encrypts the traffic between the ALB and the EC2 instances, ensuring end-to-end encryption.
C.ACM provides a certificate that can be exported and installed on any on-premises server for free.
D.ACM requires the company to store the private key in a secure location outside of AWS.
Answer: A

Correct. When DNS validation is configured, ACM automatically renews certificates before expiration and applies the renewed certificate to the associated AWS resources such as an ALB, eliminating the need for manual renewal and reducing the risk of certificate expiration.

Why this answer

Option A is correct because AWS Certificate Manager (ACM) automatically renews SSL/TLS certificates before they expire, and the renewed certificate is seamlessly applied to the associated AWS resources, such as an Application Load Balancer (ALB). This eliminates the manual effort of tracking expiration dates, generating new certificates, and re-associating them, which is a key operational advantage over self-managed certificates.

Exam trap

The trap here is that candidates may confuse ACM's automatic renewal with encryption capabilities or assume ACM certificates are portable, when in fact ACM only manages certificates for AWS services and does not provide encryption between the load balancer and backend instances.

How to eliminate wrong answers

Option B is wrong because ACM does not encrypt traffic between the ALB and EC2 instances; it only handles the SSL/TLS certificate termination at the ALB. End-to-end encryption between the ALB and backend instances requires separate configuration, such as using HTTPS listeners on the target group or self-signed certificates on the instances. Option C is wrong because ACM certificates cannot be exported for use on on-premises servers; they are region-specific and tied to AWS-integrated services like ALB, CloudFront, or API Gateway, and ACM does not provide free certificates for external use.

199
MCQ · medium

A company's security team needs to run automated vulnerability scans on all Amazon EC2 instances in their production environment. They require a managed service that checks for common vulnerabilities and exposures (CVEs) and identifies insecure network configurations. The scans must be scheduled to run weekly and the results must be viewable in the AWS Management Console. Which AWS service should the team use?

A.Amazon Inspector
B.AWS Shield
C.Amazon GuardDuty
D.AWS WAF
Answer: A

Amazon Inspector is the correct service. It is a vulnerability management service that automatically scans EC2 instances for software vulnerabilities and network exposure, providing a managed solution for scheduling scans and viewing findings in the AWS Management Console.

Why this answer

Amazon Inspector is a managed vulnerability management service that automatically scans EC2 instances for software vulnerabilities (CVEs) and unintended network exposure. It supports scheduled recurring scans (e.g., weekly) and integrates with the AWS Management Console to display findings, making it the correct choice for the team's requirements.

Exam trap

The trap here is confusing Amazon Inspector (vulnerability scanning) with Amazon GuardDuty (threat detection) or AWS Shield (DDoS protection), as all three are security services but serve fundamentally different purposes—candidates often pick GuardDuty because it 'detects threats' without realizing it does not scan for CVEs or network configurations.

How to eliminate wrong answers

Option B (AWS Shield) is wrong because it is a DDoS protection service, not a vulnerability scanner; it mitigates network-layer attacks but does not check for CVEs or insecure configurations. Option C (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not a vulnerability scanner for CVEs or network configurations. Option D (AWS WAF) is wrong because it is a web application firewall that filters HTTP/HTTPS traffic based on rules, not a service for scanning EC2 instances for vulnerabilities or insecure network configurations.

200
MCQ · medium

A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?

A.Service control policies (SCPs)
B.IAM policies
C.AWS Config rules
D.Amazon CloudWatch Events
Answer: A

Correct. SCPs are used within AWS Organizations to set permission guardrails for member accounts. They are evaluated before IAM policies, so they can block actions even for users with full administrative IAM permissions, making them ideal for centrally enforcing restrictions like preventing CloudTrail from being disabled.

Why this answer

Service control policies (SCPs) are a feature of AWS Organizations that allow you to centrally control the maximum available permissions for all accounts in an organization. SCPs act as a guardrail, restricting what actions users and roles in member accounts can perform, even if they have full administrator permissions via IAM policies. By applying an SCP that denies the `cloudtrail:DeleteTrail` and `cloudtrail:StopLogging` actions, the security team can enforce that CloudTrail cannot be disabled or deleted across all development accounts, regardless of individual IAM configurations.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies can centrally restrict actions across accounts, but SCPs are the only mechanism that can enforce a deny across all accounts in an AWS Organization regardless of local administrator privileges.

How to eliminate wrong answers

Option B is wrong because IAM policies are account-specific and can be overridden by a user with full administrator permissions within their own account; they cannot enforce restrictions across multiple accounts from a central point. Option C is wrong because AWS Config rules are used for evaluating resource compliance and triggering remediation actions, but they do not prevent actions from being taken—they only detect and report non-compliance after the fact, and they cannot block an administrator from disabling CloudTrail.

201
MCQ · medium

A company requires all IAM users to have multi-factor authentication (MFA) enabled for AWS Management Console access. The security team needs an automated way to continuously detect any IAM user without an MFA device and generate a compliance report. The solution must not require custom code. Which AWS service should the team use?

A.AWS Config
B.IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon Inspector
Answer: A

AWS Config uses managed rules like iam-user-mfa-enabled to continuously evaluate IAM users and report non-compliance. This matches the requirement for automated detection and reporting without custom code.

Why this answer

AWS Config is correct because it provides a managed, rules-based evaluation of AWS resource configurations. By enabling the 'iam-user-mfa-enabled' managed rule, AWS Config continuously checks all IAM users for the presence of an MFA device and can automatically trigger remediation actions or generate compliance reports via AWS Config aggregators, all without any custom code.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's root account MFA check with the broader requirement to check all IAM users, or they mistakenly think IAM Access Analyzer can audit user-level security settings like MFA.

How to eliminate wrong answers

Option B (IAM Access Analyzer) is wrong because it focuses on analyzing resource-based policies to identify unintended public or cross-account access, not on detecting missing MFA configurations on IAM users. Option C (AWS Trusted Advisor) is wrong because while it does check for MFA on the root account, it does not continuously monitor or report on MFA status for all IAM users; it only provides a point-in-time check for the root user. Option D (Amazon Inspector) is wrong because it is designed for vulnerability assessment of EC2 instances and container workloads, not for auditing IAM user configurations or MFA compliance.

202
MCQ · medium

A company suspects that an IAM role used by an EC2 instance has been granted excessive permissions. Which AWS service can generate a policy that includes only the permissions actually used over the last 90 days?

A.AWS Trusted Advisor
B.Amazon GuardDuty
C.AWS IAM Access Analyzer
D.AWS Config
Answer: C

IAM Access Analyzer generates least-privilege policies by analyzing CloudTrail activity logs to identify which permissions were actually used within the analysis period.

Why this answer

AWS IAM Access Analyzer can generate a policy based on the access activity recorded in AWS CloudTrail logs over the trailing 90 days. This generated policy includes only the permissions that were actually used by the IAM role, allowing you to replace an overly permissive policy with a least-privilege version.

Exam trap

The trap here is that candidates confuse AWS IAM Access Analyzer's policy generation feature with its external access analysis feature, or mistakenly think AWS Config or Trusted Advisor can generate usage-based policies when they cannot.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and recommendations (e.g., security groups open to 0.0.0.0/0) but cannot generate a policy based on historical usage. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using anomaly detection and threat intelligence; it does not analyze IAM permissions usage to generate policies. Option D is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not analyze CloudTrail access logs to produce a usage-based policy.

203
MCQ · medium

Which AWS service provides a finding-based security recommendations service that uses AI to identify operational issues and anomalies, going beyond simple rule-based Config checks?

A.AWS Config
B.Amazon GuardDuty
C.Amazon DevOps Guru
D.Amazon Inspector
Answer: C

DevOps Guru uses ML to continuously analyze operational data and detect anomalies indicating potential issues — providing proactive recommendations before customers are impacted.

Why this answer

Amazon DevOps Guru is the correct answer because it is an ML-powered service that automatically detects operational issues and anomalies, such as anomalous application behavior or resource contention, and provides finding-based security recommendations. Unlike rule-based services, DevOps Guru analyzes historical and real-time metrics, logs, and events to identify patterns that deviate from normal behavior, going beyond simple compliance checks.

Exam trap

The trap here is that candidates confuse Amazon GuardDuty's threat detection with operational anomaly detection, but GuardDuty focuses on security threats (e.g., unusual API calls) while DevOps Guru addresses operational issues like performance degradation and resource saturation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates resource configurations against predefined rules (e.g., managed or custom Config rules) and provides compliance status, but it does not use AI to detect anomalies or operational issues—it is purely rule-based. Option B is wrong because Amazon GuardDuty is a threat detection service that uses machine learning to identify malicious activity and unauthorized behavior, but it focuses on security threats (e.g., compromised credentials, API abuse) rather than operational issues and anomalies in application performance. Option D is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, but it does not use AI to detect operational anomalies or provide finding-based security recommendations beyond vulnerability assessments.

204
MCQ · medium

A company is migrating a legacy application from an on-premises server to AWS Lambda. The Lambda function needs to connect to an Amazon RDS for MySQL database that stores sensitive customer data. The security team requires that database credentials are never stored in the function's code, environment variables, or configuration files. The solution must follow AWS best practices for securing database access. Which approach should the company use?

A.Store the database password in AWS Secrets Manager and retrieve it from within the Lambda function code.
B.Store the database password in AWS Systems Manager Parameter Store as a SecureString and retrieve it from within the Lambda function.
C.Configure the Lambda function to use an IAM role with permissions to connect to the RDS database using IAM database authentication.
D.Encrypt the database password using AWS KMS and hardcode the encrypted password in the Lambda function code.
Answer: C

IAM database authentication allows the Lambda function to connect to the RDS database using an authentication token generated from the function's IAM role. No password or secret is stored anywhere in the function code, environment variables, or configuration files. This approach fully meets the security requirement and follows AWS best practices for securing database connections from AWS Lambda. It also provides the added benefit of centralized access control through IAM policies.

Why this answer

Option C is correct because IAM database authentication eliminates the need to store any credentials in code, environment variables, or configuration files. The Lambda function assumes an IAM role that generates an authentication token using the AWS Signature Version 4 process, which is then used as a password to connect to the RDS MySQL database. This approach meets the security team's requirement and follows AWS best practices by leveraging short-term, rotated credentials without embedding secrets.

Exam trap

The trap here is that candidates often assume Secrets Manager or Parameter Store are the only secure options, but the question explicitly requires that credentials are never stored anywhere, making IAM database authentication the only valid choice because it uses temporary tokens instead of stored secrets.

How to eliminate wrong answers

Option A is wrong because while AWS Secrets Manager securely stores the password, the Lambda function code must still retrieve it at runtime, which introduces a dependency on secret retrieval and does not eliminate the need for a static password in the database. Option B is wrong because AWS Systems Manager Parameter Store as a SecureString similarly requires the Lambda function to retrieve the password programmatically, still relying on a stored static secret that could be exposed if the retrieval call is compromised, and it does not use the native IAM-based authentication that avoids credentials entirely.

205
MCQ · easy

A developer needs to read objects from a specific Amazon S3 bucket. Following AWS security best practices, which approach should be used when creating the IAM policy for this developer?

A.Grant AdministratorAccess to ensure all required permissions are included
B.Grant AmazonS3FullAccess to cover all S3 operations
C.Grant only s3:GetObject permission on the specific bucket
D.Use the root account credentials since they guarantee access
Answer: C

Granting only s3:GetObject on the specific S3 bucket ARN follows the principle of least privilege. The developer can perform exactly what is needed and nothing more.

Why this answer

Option C is correct because the principle of least privilege dictates granting only the specific permissions required for the task. By attaching an IAM policy with only the s3:GetObject action on the specific bucket ARN, the developer can read objects without having unnecessary permissions that could lead to accidental or malicious changes. This approach aligns with AWS security best practices for IAM policies.

Exam trap

The trap here is that candidates often choose broad managed policies like AmazonS3FullAccess because they seem 'safe' or 'easier to manage,' overlooking that AWS explicitly recommends least-privilege policies and that over-permissioning is a common cause of data breaches.

How to eliminate wrong answers

Option A is wrong because AdministratorAccess grants full administrative permissions to all AWS services and resources, which violates the principle of least privilege and exposes the account to significant security risks. Option B is wrong because AmazonS3FullAccess allows all S3 operations (including PutObject, DeleteObject, and bucket configuration changes) on all buckets, far exceeding the read-only requirement and creating unnecessary attack surface. Option D is wrong because using root account credentials is explicitly against AWS security best practices; root credentials should be reserved for limited account management tasks and never used for routine operations due to their unrestricted power and lack of MFA protection.

206
MCQ · medium

A company runs a critical web application on AWS behind an Application Load Balancer. The security team is concerned about the risk of Distributed Denial of Service (DDoS) attacks that could deplete application resources and incur high costs due to auto scaling. The company wants a managed service that provides enhanced DDoS detection, access to the AWS DDoS Response Team (DRT), and financial protection against scaling costs associated with DDoS attacks. Which AWS service should the company use?

A.AWS Shield Standard
B.AWS Shield Advanced
C.AWS WAF
D.AWS Firewall Manager
Answer: B

Correct. AWS Shield Advanced provides enhanced DDoS detection and mitigation, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection (cost reimbursement) for scaling costs incurred due to a DDoS attack.

Why this answer

AWS Shield Advanced is the correct choice because it provides enhanced DDoS detection and mitigation beyond what Shield Standard offers, includes 24/7 access to the AWS DDoS Response Team (DRT) for custom mitigations, and offers financial protection (cost protection) against scaling costs incurred due to DDoS attacks on resources like Application Load Balancers. This directly addresses the company's need for a managed service that covers detection, expert support, and cost coverage.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic) with AWS Shield Advanced (paid, enhanced) or mistakenly think AWS WAF alone can handle DDoS cost protection and DRT access, when in fact WAF lacks those specific features.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic network-layer DDoS protection (e.g., SYN floods, UDP floods) at no extra cost, but it does not include access to the DRT or financial protection against scaling costs. Option C is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not provide DDoS-specific detection, DRT access, or cost protection for auto scaling. Option D is wrong because AWS Firewall Manager is a policy management service that centrally manages firewall rules (e.g., WAF rules, security groups) across accounts, but it does not offer DDoS detection, DRT access, or financial protection against scaling costs.

207
MCQ · medium

A company hosts a web application behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting (XSS), using a managed service that requires no underlying infrastructure management. Which AWS service should they use?

A.AWS Shield Advanced
B.AWS WAF
C.Amazon Inspector
D.Amazon GuardDuty
Answer: B

AWS WAF is a managed web application firewall that enables you to create customizable rules to block common attack patterns like SQL injection and cross-site scripting. It integrates directly with Application Load Balancers, Amazon CloudFront, and API Gateway, and requires no server or software management.

Why this answer

AWS WAF is a managed web application firewall that protects web applications from common exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Application Load Balancers and requires no underlying infrastructure management, making it the correct choice for this use case.

Exam trap

The trap here is that candidates confuse AWS WAF (application-layer filtering) with AWS Shield (network-layer DDoS protection) or Amazon Inspector (vulnerability scanning), overlooking that only WAF provides managed, rule-based protection against web exploits like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection, not application-layer threat detection for SQL injection or XSS. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not a real-time web exploit filter.

208
MCQ · medium

A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Security Hub
Answer: B

AWS Artifact is the correct service. It is a self-service portal for on-demand access to AWS compliance reports and agreements. This allows customers to download reports like SOC 2 Type II directly.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications. The company can use AWS Artifact to download the SOC 2 Type II report directly, fulfilling the auditor's request without needing to contact AWS support.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Config, thinking Config can generate compliance reports, but Config only evaluates resource compliance, not AWS's own control reports.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for compliance reports like SOC 2. Option C is wrong because AWS Trusted Advisor provides recommendations for cost optimization, performance, security, and fault tolerance, but it does not host or distribute compliance audit reports.

209
MCQ · medium

A company's security team wants to continuously monitor their AWS environment for potential security threats such as unusual API calls, traffic from known malicious IP addresses, and anomalous behavior that might indicate a compromised resource. They need a managed threat detection service that uses machine learning to identify suspicious activity and generates detailed findings. The service should integrate with AWS Organizations to monitor multiple accounts and with Amazon CloudWatch Events to trigger automated responses. Which AWS service should the security team use?

A.Amazon Inspector
B.AWS Config
C.Amazon GuardDuty
D.AWS CloudTrail
Answer: C

Amazon GuardDuty is the correct service. It continuously monitors AWS accounts and workloads for malicious activity, using machine learning and integrated threat intelligence. It can monitor multiple accounts via AWS Organizations and send findings to CloudWatch Events for automated actions.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor AWS environments for suspicious activity, such as unusual API calls, traffic from known malicious IP addresses, and anomalous behavior. It integrates natively with AWS Organizations to enable multi-account monitoring and with Amazon CloudWatch Events to trigger automated remediation workflows, directly matching all requirements in the question.

Exam trap

The trap here is confusing a vulnerability scanning service (Inspector) or a configuration auditing service (Config) with a dedicated threat detection service that uses machine learning and threat intelligence to identify active threats like compromised credentials or malicious IP traffic.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a continuous threat detection service for API calls or malicious IP traffic. Option B is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, not a threat detection service that uses machine learning to identify suspicious activity or integrates with threat intelligence feeds.

210
MCQ · medium

A company's compliance framework requires that all AWS API calls must be logged and that log integrity must be validated. Which AWS service with which feature satisfies this requirement?

A.Amazon CloudWatch Logs with metric filters
B.AWS CloudTrail with Log File Integrity Validation enabled
C.AWS Config with conformance packs
D.VPC Flow Logs stored in S3
Answer: B

CloudTrail records all API calls and Log File Integrity Validation creates cryptographically signed digest files — auditors can verify that no log files were altered, deleted, or forged.

Why this answer

AWS CloudTrail Log File Integrity Validation uses industry-standard algorithms (SHA-256 for hashing and SHA-256 with RSA for digital signing) to ensure that CloudTrail log files have not been tampered with after delivery. This feature enables you to validate that log files were not modified, deleted, or changed without authorization, directly meeting the compliance requirement for logging all AWS API calls and validating log integrity.

Exam trap

The trap here is that candidates often confuse logging (CloudTrail) with monitoring (CloudWatch) or configuration tracking (AWS Config), and overlook the specific integrity validation feature that is unique to CloudTrail.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs with metric filters can monitor log data and trigger alarms, but it does not provide any mechanism to validate the integrity of log files (i.e., detect tampering or unauthorized modification). Option C is wrong because AWS Config with conformance packs evaluates resource configurations against compliance rules, but it does not log API calls nor validate log file integrity. Option D is wrong because VPC Flow Logs capture IP traffic information for network interfaces, not AWS API calls, and storing them in S3 does not include built-in integrity validation.

211
MCQ · medium

A company's security team discovers that database credentials are stored in plaintext in application configuration files. The team wants to implement a secure way to store, manage, and automatically rotate these credentials every 90 days. The solution must provide fine-grained IAM policies to control which users and applications can access the secrets and must integrate with AWS services like Amazon RDS for automatic rotation. Which AWS service should the company use to meet these requirements?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.AWS Key Management Service (AWS KMS)
D.AWS Identity and Access Management (IAM)
Answer: B

Secrets Manager is the correct service. It provides native support for automatic rotation of credentials, including built-in integration with Amazon RDS. It also offers fine-grained IAM policies and central management of secrets, meeting all stated requirements.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, managing, and automatically rotating database credentials. It supports automatic rotation every 90 days for Amazon RDS, Aurora, Redshift, and DocumentDB with built-in Lambda rotation functions, and it integrates with IAM for fine-grained access control via resource-based and identity-based policies.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not natively support automatic rotation of secrets; it requires custom automation via AWS Lambda or EventBridge, and its advanced tier lacks the same built-in rotation integration for RDS. Option C is wrong because AWS KMS is a key management service for encryption keys, not a secrets storage service; it cannot store, manage, or rotate database credentials directly. Option D is wrong because IAM is an access management and authentication service, not a secrets storage service; it cannot store secrets or perform automatic rotation.

212
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce a policy that prevents any user or role in any member account from disabling AWS CloudTrail or deleting CloudTrail log files from Amazon S3. The team needs a solution that is centrally managed from the management account and applies to all current and future member accounts automatically. Which AWS feature should the security team use to meet these requirements?

A.AWS Config conformance packs
B.Service Control Policies (SCPs)
C.IAM permissions boundaries
D.AWS CloudTrail data events
AnswerB

Correct. SCPs are the correct choice because they allow centralized control over the maximum permissions for all accounts in an AWS Organization. They can explicitly deny actions such as disabling CloudTrail or deleting S3 objects in the log bucket. SCPs apply across the entire organization, including new accounts, and cannot be overridden by member account administrators. This provides the preventive enforcement the security team requires.

Why this answer

Service Control Policies (SCPs) are a feature of AWS Organizations that centrally cap the permissions available to every account in the organization. An SCP attached at the root (or to the relevant OUs) that explicitly denies cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, and denies s3:DeleteObject, s3:DeleteObjectVersion and s3:PutBucketPolicy on the log bucket, is enforced on every current member account and on any account added later, and a member-account administrator cannot remove it. Two caveats a practitioner should know: SCPs never restrict principals in the management account, so the organization trail's bucket belongs in a dedicated log-archive member account; and an SCP only blocks API calls, so pair it with S3 Object Lock or Versioning on the bucket and CloudTrail log file validation to make any tampering that slips through detectable.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permissions boundaries, not realizing that SCPs operate at the organization level and apply to all accounts automatically, while permissions boundaries are account-specific and require manual configuration per user/role.

How to eliminate wrong answers

Option A is wrong because AWS Config conformance packs evaluate resources against rules and can remediate non-compliant ones after the fact, but they cannot stop an API call from succeeding; they detect and report, they do not prevent. Option C is wrong because IAM permissions boundaries cap the permissions of IAM users and roles within a single account; they are set per principal in that account, are not managed from the management account and do not apply automatically to member accounts. Option D is wrong because CloudTrail data events add object-level S3 and Lambda activity to the trail's logs; they are a logging feature and cannot prevent a trail from being stopped or a log file from being deleted.

213
MCQmedium

A company hosts a public-facing web application behind an Application Load Balancer (ALB). The development team has recently identified that the application is vulnerable to common web attacks such as SQL injection and cross-site scripting (XSS). The security team wants to deploy a managed solution that can inspect incoming HTTP requests and block malicious traffic before it reaches the application. The solution must integrate directly with the existing ALB and provide pre-configured rule sets that can be customized. Which AWS service should the company use?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS WAF
D.AWS Firewall Manager
AnswerC

AWS WAF is a web application firewall that allows you to monitor and control HTTP and HTTPS requests forwarded to your protected resources. It integrates directly with ALB and provides managed rule sets for common threats like SQL injection and XSS. You can customize rules to meet specific requirements.

Why this answer

AWS WAF is a managed web application firewall that integrates directly with Application Load Balancers to inspect HTTP/HTTPS requests. It provides pre-configured rule sets, such as those for SQL injection and cross-site scripting (XSS), which can be customized to block malicious traffic before it reaches the application. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates may confuse AWS Shield Advanced (which handles DDoS) with AWS WAF (which handles application-layer attacks like SQLi and XSS), but Shield does not inspect request payloads for malicious content.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks, but it does not inspect application-layer payloads for SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for anomalous behavior, not a web application firewall that inspects and blocks HTTP requests at the ALB level. Option D is wrong because AWS Firewall Manager is the management layer that deploys and audits AWS WAF (and Shield Advanced, security group and Network Firewall) policies across the accounts of an AWS Organization; the rule sets it pushes out are still AWS WAF web ACLs, so WAF is the service that actually inspects and blocks requests at the ALB.

214
MCQmedium

A security audit found that an S3 bucket is publicly readable. Which IAM/S3 mechanism should be reviewed to identify what grants the public access?

A.IAM identity-based policies attached to the root user
B.Bucket policies and S3 Block Public Access settings
C.AWS Organizations Service Control Policies
D.Amazon Macie classification rules
AnswerB

Public S3 access is granted through bucket policies with Principal '*' and/or bucket/object ACLs. Block Public Access settings can override these to prevent public exposure.

Why this answer

Bucket policies are resource-based policies attached to the bucket that say who may do what to it; a statement with "Principal": "*" (or {"AWS": "*"}) and no condition that pins the caller or the network path is a public grant. Bucket and object ACLs can grant public read as well unless Object Ownership is set to bucket owner enforced, which disables ACLs and is the default for new buckets. S3 Block Public Access sits above both: BlockPublicPolicy rejects new public bucket policies, RestrictPublicBuckets makes S3 ignore public grants in a policy that is already attached, and the two ACL settings do the same for ACLs. Reviewing the policy, the ACLs and the Block Public Access settings together (IAM Access Analyzer for S3 reports on the same combination) shows exactly how the public readability arose and which guardrail was missing.

Exam trap

The trap here is that candidates often confuse IAM identity-based policies (which control user permissions) with resource-based policies (like bucket policies) that directly grant public access, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because identity-based policies, including any attached to the root user, control what that identity may do; they cannot make a bucket readable by anonymous callers, which only resource-based grants (the bucket policy or ACLs) can do. Option C is wrong because SCPs cap what principals in member accounts may do and never grant anything; an SCP might have prevented the public policy from being written, but it is not where the public grant lives. Option D is wrong because Amazon Macie discovers and classifies sensitive data in S3 (and reports publicly accessible buckets as a finding), but it does not define the access permissions that granted public read.
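The review the answer describes can be scripted. The following is an added example, not code from the question bank or from AWS: given a bucket policy document and the bucket's Block Public Access settings (constructed sample data here, with a made-up VPC endpoint ID and account ID; in practice they come from GetBucketPolicy and GetPublicAccessBlock), it lists the statements that grant public access and says whether Block Public Access neutralises them. The set of "restricting" condition keys it recognises is a simplification of the rule S3 uses to classify a policy as public.

```python
"""Added example, not part of the question bank: list the statements in an S3
bucket policy that grant public access, then combine them with the bucket's
Block Public Access settings to say whether the bucket is effectively public.
The policy, endpoint ID and account ID are constructed sample data."""
from typing import Any

# Constructed sample policy: one public grant, one grant that looks public but
# is pinned to a VPC endpoint, one ordinary same-account grant, and a Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AuditorRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Auditors"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Condition keys that pin a grant to a fixed caller, account or network path.
# This is a subset of the keys S3 consults when it classifies a policy as
# public (an assumption to extend, not the authoritative list), and only the
# exact-match operators count: "...IfExists" variants are satisfied when the
# key is absent, so they do not keep anonymous callers out.
RESTRICTING_KEYS = {"aws:principalaccount", "aws:principalarn", "aws:principalorgid",
                    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc",
                    "aws:sourcevpce", "aws:userid"}
RESTRICTING_OPERATORS = {"stringequals", "stringequalsignorecase", "arnequals"}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True for the forms that mean "everyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def has_restricting_condition(statement: dict) -> bool:
    """True if a condition pins the grant to a fixed principal, account or network."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in RESTRICTING_OPERATORS:
            if any(k.lower() in RESTRICTING_KEYS for k in keys):
                return True
    return False


def public_statements(policy: dict) -> list[str]:
    """Sids of Allow statements granting to everyone with no restricting condition."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never grants access, public or otherwise
        if is_public_principal(stmt.get("Principal")) and not has_restricting_condition(stmt):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def assess(policy: dict, block_public_access: dict) -> dict:
    """Combine the policy findings with the bucket's Block Public Access settings.

    BlockPublicPolicy rejects a public policy at PutBucketPolicy time, so it
    cannot explain an existing one; RestrictPublicBuckets is the setting that
    makes S3 ignore public grants in a policy that is already attached."""
    public = public_statements(policy)
    restrict = bool(block_public_access.get("RestrictPublicBuckets", False))
    return {
        "public_statements": public,
        "policy_grants_public": bool(public),
        "effectively_public": bool(public) and not restrict,
        "put_would_be_rejected_now": bool(public) and bool(block_public_access.get("BlockPublicPolicy", False)),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_POLICY, {"BlockPublicPolicy": False, "RestrictPublicBuckets": False}))
    print(assess(SAMPLE_POLICY, {"BlockPublicPolicy": True, "RestrictPublicBuckets": True}))
```

Object and bucket ACLs are not modelled; on buckets where Object Ownership is not bucket owner enforced, read the ACLs as well. The distinction assess() draws matters in an audit: BlockPublicPolicy only stops new public policies from being written, so a bucket can still carry an older public statement with that setting on, and only RestrictPublicBuckets makes S3 ignore it.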

215
MCQmedium

A company has multiple IAM users. The security policy requires that every user must have an MFA device assigned and must use it for console sign-in. The security team wants to automatically detect any IAM user that does not have MFA enabled and receive an email alert. Which combination of AWS services should the team use to meet these requirements?

A.AWS CloudTrail and Amazon CloudWatch Logs
B.AWS Trusted Advisor and Amazon Simple Email Service (Amazon SES)
C.AWS Config and Amazon Simple Notification Service (Amazon SNS)
D.AWS IAM Access Analyzer and Amazon Inspector
AnswerC

This option is correct. AWS Config can evaluate IAM users against the managed rule 'iam-user-mfa-enabled'. When a user is non-compliant, Config can publish a compliance change notification to an Amazon SNS topic. Subscribers (e.g., email endpoints) receive alerts automatically.

Why this answer

AWS Config can continuously monitor IAM users for compliance with the security policy by using a managed rule such as IAM_USER_MFA_ENABLED. When a non-compliant user is detected, AWS Config can trigger an Amazon SNS topic to send an email alert, meeting the requirement for automatic detection and notification.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's root account MFA check with IAM user MFA enforcement, or assume CloudTrail can detect configuration state rather than just API events.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., sign-in events) but does not evaluate the state of MFA configuration on IAM users; CloudWatch Logs can store logs but cannot alert on MFA status without custom metric filters and alarms, which is not the simplest or intended approach. Option B is wrong because AWS Trusted Advisor checks for MFA on the root account, not on individual IAM users, and Amazon SES is an email-sending service that requires custom integration, whereas Amazon SNS is the standard service for publishing notifications from AWS Config. Option D is wrong because IAM Access Analyzer identifies resources shared with external principals and validates policy syntax, and Amazon Inspector scans EC2 instances, container images and Lambda functions for software vulnerabilities; neither evaluates whether IAM users have MFA devices assigned.

216
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. The company has an on-premises Microsoft Active Directory (AD) that contains employee credentials and group memberships. The company wants to grant employees access to the AWS Management Console and command-line interface (CLI) using their existing AD credentials, without creating IAM users for each employee. Additionally, the company wants to centrally manage permissions across all accounts by assigning policies to AD groups. Which AWS service should the company use to meet these requirements?

A.AWS Identity and Access Management (IAM)
B.AWS Directory Service for Microsoft Active Directory
C.AWS IAM Identity Center (AWS Single Sign-On)
D.AWS Resource Access Manager (AWS RAM)
AnswerC

IAM Identity Center is the correct service for this use case. It connects to an existing identity provider (such as on-premises Active Directory), enables single sign-on to the AWS Management Console and CLI, and centrally manages permissions across all accounts in AWS Organizations by assigning permission sets to groups.

Why this answer

AWS IAM Identity Center (formerly AWS Single Sign-On) is the correct service because it centrally manages user access to multiple AWS accounts and applications with existing corporate identities. For an on-premises Microsoft AD, Identity Center is connected through AWS Directory Service, either an AD Connector that proxies to the on-premises domain or a trust with AWS Managed Microsoft AD; SAML 2.0 with SCIM provisioning is the path for external identity providers such as Okta or Microsoft Entra ID, not for AD directly. Employees sign in to the AWS access portal, the console and the CLI (aws sso login) without any IAM users being created. Permissions are assigned to AD groups through permission sets, which Identity Center provisions as IAM roles in each account, giving consistent policy enforcement across all accounts in AWS Organizations.

Exam trap

The trap here is that candidates often confuse AWS Directory Service for Microsoft Active Directory with IAM Identity Center, thinking that a managed AD alone can provide cross-account access and SSO, but Directory Service only provides the directory backend and lacks the centralized permission assignment and federation capabilities that IAM Identity Center offers for multi-account environments.

How to eliminate wrong answers

Option A is wrong because IAM alone manages users, roles and policies within one account; it can accept SAML federation from AD FS, but each account then needs its own identity provider and roles, and assigning permissions to AD groups across all accounts from one place is what IAM Identity Center adds. Option B is wrong because AWS Directory Service for Microsoft Active Directory provides a managed AD domain (or, with AD Connector, a proxy to the on-premises one); it is the directory backend that IAM Identity Center connects to, not the layer that signs users in to the console and CLI or assigns permission sets across the accounts of an organization.

217
MCQeasy

A company's internal audit team needs to download the latest AWS SOC 2 Type II report and ISO 27001 certificate to include in their compliance documentation for an upcoming external audit. The team requires a centralized, self-service portal where they can access these reports and any other relevant AWS compliance artifacts. They do not want to contact AWS Support or manage any infrastructure to obtain these documents. Which AWS service should the audit team use?

A.AWS Config
B.AWS Artifact
C.AWS Audit Manager
D.AWS Trusted Advisor
AnswerB

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports, such as SOC reports and ISO certifications, without requiring manual requests or infrastructure management.

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for on-demand access to AWS compliance reports, such as SOC 2 Type II and ISO 27001 certificates, without requiring any infrastructure management or contacting AWS Support. The audit team can simply log in, browse the available artifacts, and download the latest versions directly, meeting their requirement for a no-touch, self-service solution.

Exam trap

The trap here is that candidates may confuse AWS Audit Manager's role in audit evidence collection with the ability to download pre-existing AWS compliance reports, but AWS Artifact is the only service designed specifically for self-service access to those artifacts.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating, auditing, and assessing the configuration of AWS resources against desired policies, not for downloading compliance reports or certificates. Option C is wrong because AWS Audit Manager helps automate evidence collection and risk assessment for audits, but it does not serve as a repository for downloading pre-existing AWS compliance artifacts like SOC or ISO reports. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not offer access to compliance documentation or downloadable reports.

218
MCQmedium

A company stores sensitive financial reports in an Amazon S3 bucket. The company's security policy mandates that all objects be encrypted at rest using an AWS KMS customer-managed key. The security team wants to ensure that only the 'Auditors' IAM role can decrypt the objects, even though the S3 bucket policy allows read access to a broader set of users. Which of the following steps must the security team take to enforce this access control?

A.Configure the S3 bucket to use SSE-KMS encryption with the customer-managed key, and modify the KMS key policy to grant the kms:Decrypt permission only to the 'Auditors' role.
B.Configure an S3 bucket policy that denies s3:GetObject requests unless the request is encrypted in transit using HTTPS.
C.Enable S3 Block Public Access on the bucket and attach an IAM policy to the 'Auditors' role that allows s3:GetObject.
D.Use S3 object-level logging to monitor access and revoke permissions for any role that attempts to decrypt objects without authorization.
AnswerA

This is correct. SSE-KMS encrypts objects at rest using a KMS key. The KMS key policy controls who can use the key to decrypt objects. By restricting kms:Decrypt to the 'Auditors' role, only that role can decrypt the objects, regardless of broader S3 read permissions.

Why this answer

Option A is correct because SSE-KMS with a customer managed key adds a second authorization layer to every read: S3 must call kms:Decrypt on the caller's behalf, and that call is authorized by the KMS key policy (plus IAM policies only where the key policy delegates to the account root). If the key policy grants kms:Decrypt to the 'Auditors' role alone and does not carry the default "arn:aws:iam::<account-id>:root" full-access statement, other principals who are allowed s3:GetObject by the bucket policy still get AccessDenied from KMS and never see plaintext. A kms:ViaService condition limiting the grant to s3.<region>.amazonaws.com is a common tightening so that the role cannot use the key outside S3.

This enforces the security requirement that only the Auditors role can decrypt the sensitive financial reports.

Exam trap

The trap here is that candidates often assume S3 bucket policies alone can control decryption, but AWS enforces KMS key policies as a separate authorization layer, so without explicitly restricting kms:Decrypt in the key policy, any user with s3:GetObject can decrypt the objects if they have KMS permissions through their IAM role or user.

How to eliminate wrong answers

Option B is wrong because enforcing HTTPS encryption in transit (s3:GetObject with aws:SecureTransport condition) does not control decryption at rest; it only ensures data is encrypted during transmission, not who can decrypt the objects after retrieval. Option C is wrong because S3 Block Public Access prevents public access but does not restrict decryption permissions; attaching an IAM policy to the Auditors role that allows s3:GetObject does not prevent other roles with read access from decrypting objects if they have KMS decrypt permissions. Option D is wrong because monitoring and revoking permissions after the fact is a detective control, not a preventive control; it does not enforce the mandatory access control that only the Auditors role can decrypt objects.
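Both this question and question 212 rest on how AWS combines policies: an explicit Deny wins wherever it appears, SCPs cap what identity policies can grant, and a KMS key policy decides whether IAM policies count at all. The block below is an added example, not AWS code or code from the question bank; it is a deliberately reduced model of that evaluation (no Condition blocks, permissions boundaries or cross-account access) with a made-up account ID, role ARNs, bucket names and key ID, used to walk through the two scenarios: a member-account administrator trying to stop the organization trail or delete its log files with the guardrail SCP attached, and two roles trying to read an SSE-KMS object when only Auditors appear in the key policy.

```python
"""Simplified model of the AWS authorization decision (added example, not AWS
code). Modelled: Allow/Deny, wildcards, Principal matching in resource
policies, SCPs as a ceiling, key-policy delegation to the account root. Not
modelled: Condition blocks, permissions boundaries, cross-account access.
All ARNs, the account ID and the key ID are made up."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
AUDITORS = f"arn:aws:iam::{ACCOUNT}:role/Auditors"
ANALYST = f"arn:aws:iam::{ACCOUNT}:role/Analyst"
LOG_BUCKET = "arn:aws:s3:::org-cloudtrail-logs-example"
REPORTS = "arn:aws:s3:::finance-reports-example"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
AUDITOR_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                 "Resource": REPORTS + "/*"}]}

# Question 212: SCP attached at the organization root. The Allow is the default
# FullAWSAccess statement; the two Deny statements are the guardrail.
PROTECT_TRAIL_SCP = {"Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyTrailTampering", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
    {"Sid": "DenyLogDeletion", "Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
     "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"]}]}

# Question 218: the bucket policy lets the whole account read the objects ...
REPORTS_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "s3:GetObject",
     "Resource": REPORTS + "/*"}]}
# ... but the key policy names only Auditors for kms:Decrypt. No statement
# delegates Decrypt to the account root, so IAM policies cannot add it.
REPORTS_KEY_POLICY = {"Statement": [
    {"Sid": "WritersEncryptViaIAM", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": ROOT}, "Action": ["kms:Encrypt", "kms:GenerateDataKey*"]},
    {"Sid": "OnlyAuditorsDecrypt", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": AUDITORS}, "Action": "kms:Decrypt"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal", "*")
    aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return p == "*" or "*" in aws or principal_arn in aws

def _matching(policy, effect, action, resource, principal_arn=None):
    """Statements with the given Effect whose Action, Resource and (when one is
    given) Principal match the request."""
    return [s for s in _as_list(policy["Statement"]) if s["Effect"] == effect
            and any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(s.get("Resource", "*")))
            and (principal_arn is None or _principal_matches(s, principal_arn))]

def is_allowed(action, resource, principal_arn, identity_policies, scps=(),
               resource_policy=None, key_policy_semantics=False):
    """Simplified same-account decision, in the order AWS applies the steps."""
    # 1. An explicit Deny in any applicable policy ends the evaluation; a
    #    resource-policy Deny on the account root covers every principal in it.
    if any(_matching(p, "Deny", action, resource) for p in [*identity_policies, *scps]):
        return False
    if resource_policy and (_matching(resource_policy, "Deny", action, resource, principal_arn)
                            or _matching(resource_policy, "Deny", action, resource, ROOT)):
        return False
    # 2. SCPs are a ceiling: once any SCP applies, one of them must Allow.
    if scps and not any(_matching(p, "Allow", action, resource) for p in scps):
        return False
    # 3. A resource policy that names the principal grants on its own.
    if resource_policy and _matching(resource_policy, "Allow", action, resource, principal_arn):
        return True
    # 4. Otherwise the identity policies decide, except that a KMS key policy
    #    must delegate the action to the account root before they count.
    iam_allows = any(_matching(p, "Allow", action, resource) for p in identity_policies)
    if key_policy_semantics:
        return iam_allows and bool(resource_policy and _matching(resource_policy, "Allow", action, resource, ROOT))
    return iam_allows

def can_read_report(principal_arn, identity_policies):
    """Reading an SSE-KMS object needs both the S3 call and the KMS call."""
    s3_ok = is_allowed("s3:GetObject", REPORTS + "/q3.pdf", principal_arn, identity_policies,
                       resource_policy=REPORTS_BUCKET_POLICY)
    kms_ok = is_allowed("kms:Decrypt", KEY_ARN, principal_arn, identity_policies,
                        resource_policy=REPORTS_KEY_POLICY, key_policy_semantics=True)
    return {"s3:GetObject": s3_ok, "kms:Decrypt": kms_ok, "readable": s3_ok and kms_ok}

def demo():
    log_obj = LOG_BUCKET + "/AWSLogs/o-example/111122223333/CloudTrail/x.json.gz"
    scp = [PROTECT_TRAIL_SCP]
    return {
        "admin_stops_logging_without_scp": is_allowed("cloudtrail:StopLogging", "*", ANALYST, [ADMIN_POLICY]),
        "admin_stops_logging_with_scp": is_allowed("cloudtrail:StopLogging", "*", ANALYST, [ADMIN_POLICY], scps=scp),
        "admin_deletes_log_object_with_scp": is_allowed("s3:DeleteObject", log_obj, ANALYST, [ADMIN_POLICY], scps=scp),
        "admin_deletes_other_object_with_scp": is_allowed("s3:DeleteObject", "arn:aws:s3:::scratch-example/tmp", ANALYST, [ADMIN_POLICY], scps=scp),
        "admin_analyst_reads_report": can_read_report(ANALYST, [ADMIN_POLICY]),
        "auditor_reads_report": can_read_report(AUDITORS, [AUDITOR_POLICY]),
    }
```

Run demo() to see the six verdicts. Two details are worth noticing: the SCP's Deny is scoped to the log bucket, so deleting objects elsewhere still works for the administrator, and the admin Analyst can fetch the object from S3 but not decrypt it, because the only key-policy statement that mentions the account root covers Encrypt and GenerateDataKey, not Decrypt. Adding the default "Enable IAM User Permissions" statement for the account root would hand Decrypt back to anyone with an IAM policy allowing it; that is the misconfiguration the exam trap describes.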

219
MCQmedium

A company has a compliance policy requiring that all data at rest in Amazon S3 be encrypted with a key that is automatically rotated every year. The company wants to manage the encryption keys themselves, maintain control over access policies, and have AWS handle the key rotation automatically. Which AWS service should the company use?

A.AWS Key Management Service (AWS KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Certificate Manager
AnswerA

AWS KMS lets you create customer managed keys and enable automatic rotation of their key material, meeting the compliance requirement while the key policy stays under your control.

Why this answer

AWS KMS lets you create customer managed keys and turn on automatic rotation; you keep control of the key policy, grants and IAM permissions while KMS rotates the backing key material, yearly by default (the period is configurable, from 90 days up to about seven years). Rotation keeps the key ID and ARN unchanged and retains the old material, so existing S3 objects still decrypt; nothing is re-encrypted, which is why rotating the key does not by itself limit the exposure of a data key that has already leaked. Automatic rotation is available only for symmetric keys whose material KMS generated, not for imported material, asymmetric keys or keys in a custom key store.

Exam trap

The trap here is confusing AWS KMS with AWS CloudHSM, as both involve encryption keys, but CloudHSM requires you to manage key rotation manually, failing the automatic rotation requirement.

How to eliminate wrong answers

Option B (AWS CloudHSM) is wrong because it provides dedicated hardware security modules (HSMs) that you manage yourself, including key rotation, which does not meet the requirement for AWS to handle rotation automatically. Option C (AWS Secrets Manager) is wrong because it is designed to manage secrets like database credentials, not encryption keys for S3 data at rest, and it does not provide key rotation for S3 encryption. Option D (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for network encryption, not data at rest encryption keys for S3.

220
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a consistent set of security group rules across all accounts. For example, they want to ensure that no security group in any account allows inbound SSH (port 22) from the internet (0.0.0.0/0). If a non-compliant security group is created, the service should automatically remediate by removing the offending rule or by applying a corrective policy. The company wants a managed AWS service that centrally applies these rules and requires no custom scripting. Which AWS service should the security team use?

A.AWS Firewall Manager
B.AWS Config
C.AWS Organizations
D.AWS Shield Advanced
AnswerA

Correct. AWS Firewall Manager enables central management of security group rules across multiple accounts in AWS Organizations. It can automatically enforce policies and remediate non-compliant resources, exactly as required.

Why this answer

AWS Firewall Manager is the correct service because it provides a centralized, managed way to apply security group rules across all accounts in an AWS Organization. It can automatically detect non-compliant security groups (e.g., those allowing SSH from 0.0.0.0/0) and remediate them by removing the offending rule or applying a corrective policy, all without custom scripting.

Exam trap

The trap here is that candidates reach for AWS Config because it can evaluate security groups and attach remediation actions. Config can remediate through Systems Manager Automation runbooks, but it evaluates one account's resources rule by rule; Firewall Manager's security group policies are the managed, organization-wide control that audits and fixes rules across every account as they are created.

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resources against rules and can attach a remediation action (a Systems Manager Automation runbook, often custom), but it is a per-account compliance service rather than an organization-wide security group policy; the question asks for a managed service that centrally applies and enforces the rules across all accounts, which is what Firewall Manager's content-audit security group policies do. Option C is wrong because AWS Organizations centrally manages multiple AWS accounts, including policy-based controls like SCPs, but it cannot enforce or remediate security group rules directly; SCPs can only deny API actions, not modify existing or newly created security group rules. Option D is wrong because AWS Shield Advanced is a DDoS protection service that safeguards against network and application layer attacks; it has no capability to manage or enforce security group rules.

221
MCQmedium

A company operates multiple AWS accounts under AWS Organizations. The security team needs to record all management events (for example, creating Amazon EC2 instances, modifying security groups, and deleting Amazon S3 buckets) across all accounts. The logs must be delivered to a single Amazon S3 bucket that is encrypted with an AWS KMS key and protected from modification. Which AWS feature should the team enable to achieve this centralized logging requirement?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS Audit Manager
AnswerA

AWS CloudTrail records API calls and can be configured as an organization trail to log activity across all accounts in AWS Organizations. It delivers log files to a specified S3 bucket, where encryption and immutability can be applied.

Why this answer

AWS CloudTrail is the correct service because it records management events (control-plane API calls) and, when configured as an organization trail from the management account, automatically logs events from all current and future member accounts to a single S3 bucket; the log files can be encrypted with a KMS key you specify. Protection from modification comes from the bucket rather than from CloudTrail itself: a bucket policy that lets only the CloudTrail service principal write and denies deletes, S3 Versioning or Object Lock on the bucket, and CloudTrail log file validation, which publishes signed digest files so that a deleted or altered log file can be detected. Keeping the bucket in a dedicated log-archive member account rather than in the management account is the usual arrangement.

Exam trap

The trap here is that candidates often confuse CloudTrail for management events with AWS Config for configuration changes, or assume CloudWatch Logs can aggregate all account logs, but only CloudTrail provides the required centralized API activity logging across an organization.

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resource configurations against rules and records configuration changes, but it does not capture management events like API calls or provide centralized logging to a single S3 bucket. Option C is wrong because Amazon CloudWatch Logs is designed for monitoring and storing log data from applications and services, not for recording AWS management events across multiple accounts, and it does not natively aggregate logs from all accounts in an organization to a single bucket. Option D is wrong because AWS Audit Manager helps automate evidence collection for audits but does not directly record management events or deliver logs to an S3 bucket; it relies on CloudTrail for event data.

222
MCQmedium

A company has a security policy that requires all Amazon EBS volumes attached to production Amazon EC2 instances to be encrypted at rest using customer-managed encryption keys. The policy also mandates that the encryption keys must be automatically rotated every 365 days. The company wants to minimize operational overhead by using a managed AWS service for key management and automatic rotation. Which AWS service should the company use to meet these requirements?

A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Key Management Service (AWS KMS)
D.AWS Secrets Manager
AnswerC

AWS KMS is a fully managed service that enables you to create, control, and rotate customer-managed keys. It supports automatic annual key rotation for customer managed keys with a simple checkbox, and integrates seamlessly with Amazon EBS for encryption at rest, meeting the policy requirements with minimal overhead.

Why this answer

AWS KMS is the correct choice because it provides customer managed keys that EBS uses to encrypt volumes and snapshots at rest, and automatic rotation of the key material (yearly by default, with a configurable period) is a one-time setting with no further operational work. Rotation does not change the key ID or ARN and retains earlier material, so volumes encrypted before a rotation still work. Automatic rotation applies only to symmetric keys whose material KMS generated; imported material, asymmetric keys and keys in a custom key store must be rotated manually, which is what rules out the CloudHSM option.

Exam trap

The trap here is that candidates may confuse AWS CloudHSM with KMS, thinking CloudHSM also provides automatic rotation, but CloudHSM requires manual rotation and does not natively integrate with EBS encryption policies.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but does not offer automatic key rotation; you must manage rotation yourself, increasing operational overhead. Option B is wrong because AWS Certificate Manager (ACM) is designed for managing SSL/TLS certificates, not for encrypting EBS volumes or managing encryption keys for storage services. Option D is wrong because AWS Secrets Manager stores and rotates secrets such as credentials and API keys; it is not a key management service and cannot supply encryption keys to EBS.

223
MCQmedium

A company uses AWS Organizations and manages hundreds of AWS accounts. The security policy requires that all Amazon S3 buckets be encrypted using a specific AWS KMS customer-managed key (CMK). The security team wants to automatically detect any S3 bucket that is not encrypted with the required CMK and automatically apply the correct encryption configuration without manual intervention. Which AWS service should the security team use to implement this automated compliance enforcement?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.AWS Trusted Advisor
AnswerB

AWS Config is designed to assess, audit, and evaluate the configurations of AWS resources. It can detect S3 buckets that do not have the required encryption and trigger automatic remediation actions (e.g., using AWS Systems Manager Automation to enable server-side encryption with the designated KMS key). This satisfies both the detection and automatic correction requirements.

Why this answer

AWS Config is the correct service because its managed rules can evaluate bucket default encryption: s3-default-encryption-kms checks that a bucket's default encryption uses SSE-KMS and, through its kmsKeyArns parameter, that it uses one of the listed keys (the older s3-bucket-server-side-encryption-enabled rule is largely redundant now that S3 applies SSE-S3 by default). When a bucket is noncompliant, a remediation action attached to the rule runs an AWS Systems Manager Automation runbook that sets the required default encryption, or an Amazon EventBridge rule on the compliance-change event invokes an AWS Lambda function; organization conformance packs deploy the rule and its remediation to every account, so no manual intervention is needed.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation and remediation capabilities with GuardDuty's threat detection or CloudTrail's audit logging, assuming any security-related service can enforce encryption policies.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not for compliance with encryption policies or automated remediation. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot evaluate resource configurations or automatically enforce compliance rules. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations and checks, but it does not offer automated enforcement or remediation capabilities for specific encryption key requirements.

224
MCQmedium

A company wants to implement zero-trust network security for their AWS environment. Which AWS service enables access to EC2 instances without requiring open inbound network ports or bastion hosts?

A.AWS Bastion Host on EC2
B.AWS Systems Manager Session Manager
C.AWS Direct Connect
D.Amazon VPC Endpoints
AnswerB

Session Manager provides browser and CLI-based shell access to instances without any inbound ports open or bastion hosts — access controlled entirely by IAM, with full session logging.

Why this answer

AWS Systems Manager Session Manager provides secure, auditable shell access to EC2 instances without requiring open inbound ports (e.g., SSH port 22 or RDP port 3389) or a bastion host. The SSM Agent on the instance keeps an outbound connection to the Systems Manager endpoints (ssm, ssmmessages and ec2messages), and a session started through the AWS API is relayed over that channel, so nothing needs to reach the instance from outside. Who may start a session, to which instances (by tag or instance ID) and with which session document is decided by IAM, and session data can be encrypted with a KMS key and logged to S3 or CloudWatch Logs. The instance needs an instance profile with the Systems Manager permissions and a network path to those endpoints, through NAT or through VPC interface endpoints.

Exam trap

The trap here is that candidates often confuse 'no open inbound ports' with 'no network connectivity at all,' leading them to choose VPC Endpoints (which only connect to AWS services, not EC2 instances) or Direct Connect (which is a network link, not an access method).

How to eliminate wrong answers

Option A is wrong because a bastion host on EC2 is a traditional jump server that requires open inbound ports (e.g., SSH/RDP) and usually a public IP, which contradicts the zero-trust goal of eliminating network-based access. Option C is wrong because AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, but it does not provide EC2 instance access without open ports; it still requires SSH/RDP or a bastion host to reach instances. Option D is wrong because Amazon VPC endpoints (gateway or interface endpoints) give private connectivity to AWS services (e.g., S3, DynamoDB) without traversing the internet, but they do not themselves provide shell or remote desktop access to EC2 instances; they are, however, how Session Manager reaches instances in private subnets with no internet route (interface endpoints for ssm, ssmmessages and ec2messages).

225
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to continuously monitor the configurations of all AWS resources across the organization and receive alerts when a resource violates a compliance rule. For example, they want to ensure that all Amazon RDS databases are not publicly accessible, and that any new RDS instance created with public access enabled is automatically flagged. The team does not want to build custom scripts for monitoring. Which AWS service should the security team use to meet these requirements?

A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

AWS Config provides continuous monitoring and evaluation of AWS resource configurations against desired rules. It supports managed rules for common compliance checks (e.g., public RDS instances) and can automatically trigger remediation, meeting the requirement without custom scripts.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and recording of AWS resource configurations, and it can evaluate those configurations against custom or managed rules (e.g., 'rds-instance-public-access-check'). When a resource like an RDS instance violates a rule (e.g., being publicly accessible), AWS Config can automatically flag it and trigger an alert via Amazon SNS, all without requiring custom scripts.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which tracks resource state), leading them to choose CloudTrail because they think monitoring 'configurations' means tracking changes, but CloudTrail does not evaluate compliance rules or alert on resource state violations.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (who did what, when) but does not monitor the state or configuration of resources over time; it cannot detect that an RDS instance is publicly accessible unless an API call is made to change it, and it cannot evaluate compliance rules continuously. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations (e.g., for RDS public access) but does not offer continuous, customizable compliance monitoring or automated alerting for configuration violations; its checks are refreshed on a schedule, are not customizable and keep no configuration history. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity (e.g., unusual API calls or network traffic), not for resource configuration compliance like RDS public accessibility.
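The managed rules named in questions 223 and 225 cover these checks with no code, but a custom rule is the usual route when the check needs logic of its own, and its handler is the clearest place to see what a Config evaluation is: a configuration item in, a compliance type and annotation out, delivered with PutEvaluations. The block below is an added example, not code from AWS or from the question bank. It evaluates the two resource types from questions 223 and 225 (S3 bucket default encryption against a required key, and RDS public accessibility) over constructed configuration items; their field layout follows what the Config recorder emits for these resource types, which you should verify against your own recorder output, and the key ARN is made up.

```python
"""Added example, not part of the question bank: the evaluation logic of a
custom AWS Config rule in the shape Lambda receives it, for the two checks in
questions 223 and 225: is a bucket's default encryption the required KMS key,
and is an RDS instance publicly accessible. The configuration items are
constructed samples whose layout follows what the Config recorder emits for
these resource types (an assumption to verify against your own recorder
output). The real handler calls config.put_evaluations; here that call is
injected so the code runs offline."""
import json

REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _sse_config(ci):
    """Bucket default-encryption settings. Config keeps them under
    supplementaryConfiguration as a JSON string; a dict is tolerated too."""
    raw = ci.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    return json.loads(raw) if isinstance(raw, str) else raw


def evaluate_s3_default_encryption(ci, required_key_arn):
    sse = _sse_config(ci)
    if not sse or not sse.get("rules"):
        return "NON_COMPLIANT", "no default encryption configured"
    rule = sse["rules"][0].get("applyServerSideEncryptionByDefault", {})
    algo, key = rule.get("sseAlgorithm"), rule.get("kmsMasterKeyID", "")
    if algo not in ("aws:kms", "aws:kms:dsse"):
        return "NON_COMPLIANT", f"default encryption is {algo or 'none'}, not SSE-KMS"
    if "alias/" in key:
        # An alias cannot be compared offline; resolve it with kms:DescribeKey first.
        return "INSUFFICIENT_DATA", f"default key given as alias {key}"
    if key in (required_key_arn, required_key_arn.rsplit("/", 1)[-1]):
        return "COMPLIANT", "default encryption uses the required key"
    return "NON_COMPLIANT", f"default encryption uses {key or 'the AWS managed key'}"


def evaluate_rds_public_access(ci):
    if ci.get("configuration", {}).get("publiclyAccessible"):
        return "NON_COMPLIANT", "DB instance has PubliclyAccessible=true"
    return "COMPLIANT", "DB instance is not publicly accessible"


def evaluate_compliance(ci, params):
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"  # clears stale findings
    rtype = ci["resourceType"]
    if rtype == "AWS::S3::Bucket":
        return evaluate_s3_default_encryption(ci, params["requiredKmsKeyArn"])
    if rtype == "AWS::RDS::DBInstance":
        return evaluate_rds_public_access(ci)
    return "NOT_APPLICABLE", f"rule does not evaluate {rtype}"


def lambda_handler(event, context=None, put_evaluations=None):
    """Entry point in the form Config invokes; returns the evaluation it sends."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ctype, note = evaluate_compliance(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if put_evaluations is not None:  # boto3.client("config").put_evaluations in Lambda
        put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _bucket(name, sse_rule):
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name, "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
            "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(
                {"rules": [{"applyServerSideEncryptionByDefault": sse_rule, "bucketKeyEnabled": True}]})}}


# Constructed sample configuration items.
SAMPLE_ITEMS = {
    "bucket_required_key": _bucket("reports-a", {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": REQUIRED_KEY}),
    "bucket_sse_s3": _bucket("reports-b", {"sseAlgorithm": "AES256"}),
    "bucket_other_key": _bucket("reports-c", {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": REQUIRED_KEY.replace("1234abcd", "ffffffff")}),
    "bucket_alias_key": _bucket("reports-d", {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": "alias/reports"}),
    "deleted_bucket": dict(_bucket("reports-e", {}), configurationItemStatus="ResourceDeleted"),
    "rds_public": {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-EXAMPLE", "configurationItemStatus": "OK",
                   "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
                   "configuration": {"publiclyAccessible": True}},
}


def _event(ci):
    return {"invokingEvent": json.dumps({"configurationItem": ci}),
            "ruleParameters": json.dumps({"requiredKmsKeyArn": REQUIRED_KEY}),
            "resultToken": "constructed-token"}


def run_samples():
    """Compliance type per sample, as the rule would report it."""
    return {name: lambda_handler(_event(ci))["ComplianceType"] for name, ci in SAMPLE_ITEMS.items()}
```

Three details in the handler matter in practice: deleted resources are reported NOT_APPLICABLE so that stale NON_COMPLIANT findings are cleared; a key referenced by alias cannot be compared to an ARN without a kms:DescribeKey call, so the evaluator returns INSUFFICIENT_DATA instead of guessing; and annotations are cut to 256 characters, the limit PutEvaluations enforces. Remediation is configured on the rule rather than in this code, as a Systems Manager Automation runbook that takes the required key ARN as a parameter.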
