CCNA Security Questions

75 of 429 questions · Page 1/6 · Security · Answers revealed

1. Multi-Select (hard)

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must authenticate users using a third-party OIDC identity provider and authorize each request. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A. Create an Amazon Cognito user pool with the OIDC identity provider configured.
B. Generate an API key and distribute it to users for authentication.
C. Create an IAM authorizer in API Gateway to validate the JWT token.
D. In the Lambda function, parse the JWT claims from the event context to make authorization decisions.
E. Use a Cognito user pool authorizer in API Gateway to validate the token.
Answers: A, D, E

Cognito can federate with OIDC providers.

Why this answer

Option A is correct because Amazon Cognito user pools can be configured to federate with third-party OIDC identity providers. This allows the user pool to act as an intermediary that handles the OIDC token exchange, issuing its own JWT tokens after successful authentication. This is the standard approach for integrating external OIDC providers with AWS serverless applications.

Exam trap

The trap here is confusing the role of API Gateway authorizers: candidates often pick IAM authorizer (Option C) thinking it can validate JWTs, but IAM authorizers require AWS SigV4 signing and are not designed for OIDC token validation, while the Cognito user pool authorizer is the correct choice for JWT-based federated authentication.
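Step D in practice, as an added illustration rather than code from the question bank: API Gateway's Cognito user pool authorizer has already validated the JWT, so the Lambda function only reads the claims the authorizer placed in the event and makes a deny-by-default decision per request. The group name, the stringified-list format of `cognito:groups` and the record fields are assumptions.

```python
"""Lambda authorization step for question 1 (option D): API Gateway's Cognito
user pool authorizer has already validated the JWT, so the function reads the
claims it placed in the event and decides per request.  Constructed example,
not code from the question bank; the group name and record fields are assumed."""
import json
import re

REQUIRED_GROUP = "finance-readers"  # assumed Cognito group allowed to call this API


def claims_from_event(event):
    """REST APIs with a Cognito authorizer put claims at requestContext.authorizer.claims;
    HTTP API JWT authorizers nest them under authorizer.jwt.claims, so accept both."""
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    claims = authorizer.get("claims") or (authorizer.get("jwt") or {}).get("claims")
    if not claims:
        raise PermissionError("request carries no validated claims")
    return claims


def groups_from_claims(claims):
    """cognito:groups may arrive as a list or as a stringified list such as
    '[finance-readers admins]' (assumed format); normalise it to a set."""
    raw = claims.get("cognito:groups") or []
    if isinstance(raw, str):
        raw = [g for g in re.split(r"[\s,]+", raw.strip("[]")) if g]
    return set(raw)


def authorize(claims, required_group):
    """Deny by default: only members of required_group may proceed."""
    return required_group in groups_from_claims(claims)


def handler(event, context=None):
    try:
        claims = claims_from_event(event)
    except PermissionError as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    if not authorize(claims, REQUIRED_GROUP):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    # Key the DynamoDB record on the verified subject, never on a client-supplied id.
    return {"statusCode": 200, "body": json.dumps({"owner": claims["sub"]})}


# Constructed event in the REST API shape (only the fields used above).
SAMPLE_EVENT = {"requestContext": {"authorizer": {"claims": {
    "sub": "c0ffee00-0000-4000-8000-000000000001", "cognito:groups": "[finance-readers]"}}}}
```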

2. MCQ (hard)

A developer attached the managed policy above to an IAM role used by an application. The application tries to decrypt data using a KMS key that has an encryption context of {"department": "finance"}. However, the request fails with access denied. What is the most likely reason?

A. The KMS key policy does not grant decrypt permission to the IAM role
B. The IAM role does not have permission to call kms:Decrypt on any key
C. The encryption context does not match the condition
D. The IAM policy does not allow the kms:Decrypt action
Answer: A

KMS requires the key policy to allow the IAM role to use the key, in addition to IAM policies.

Why this answer

The policy uses the condition key kms:EncryptionContext:department, which requires the encryption context supplied in the request to match exactly. Because the encryption context is a key-value pair, the condition must match both the key and the value. The policy itself may be correct; the failure could instead be that the application does not pass the encryption context, or that the KMS key policy does not grant access.

The most likely reason is that the KMS key policy itself does not allow the IAM role to decrypt, because KMS requires both key policy and IAM policy to allow access.

3. Multi-Select (medium)

An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?

Select 2 answers
A. Store the secret in the container image
B. Task role permissions for Secrets Manager access
C. An EC2 instance profile attached to the Fargate host
D. KMS key policy/IAM permission allowing decrypt for the task role
Answers: B, D

Correct for the stated requirement.

Why this answer

Option B is correct because the ECS task role is an IAM role that the Fargate task assumes to make AWS API calls. To read a secret from AWS Secrets Manager, the task role must have an IAM policy granting `secretsmanager:GetSecretValue` permission. Option D is correct because the secret is encrypted with a KMS key, so the task role also needs a KMS key policy or IAM permission that allows `kms:Decrypt` on that specific key.

Exam trap

The trap here is that candidates often confuse EC2 instance profiles with ECS task roles, forgetting that Fargate is serverless and has no underlying EC2 host to attach an instance profile to.

4. MCQ (medium)

A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?

A. {"Principal": "*", "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}
B. {"Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
C. {"Principal": {"AWS": "arn:aws:iam::123456789012:user/cross-account-user"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
D. {"Principal": {"AWS": "arn:aws:iam::123456789012:role/cross-account-role"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
Answer: B

The root ARN of the trusted account (arn:aws:iam::123456789012:root) is used as the Principal. This delegates control to the other account's administrator, who can then grant read access to specific IAM users or roles in their account.

Why this answer

Option B is correct because it uses the AWS account root principal ARN (arn:aws:iam::123456789012:root) to grant cross-account access to the S3 bucket. This allows any IAM user or role in the external account to read objects, provided the external account's administrator delegates permissions via IAM policies. The bucket policy does not require creating IAM users in the other account, aligning with the requirement.

Exam trap

The trap here is that candidates often confuse the root principal ARN with a specific IAM entity, leading them to choose options that require pre-existing users or roles in the external account, or they misuse conditions like aws:SourceAccount with a wildcard principal, which does not securely restrict access.

How to eliminate wrong answers

Option A is wrong because the aws:SourceAccount condition is used for ensuring the request originates from a specific AWS account in resource-based policies, but it is typically paired with aws:SourceArn to prevent confused deputy issues; here, it is used alone with a wildcard principal, which is insecure and does not restrict to the intended account. Option C is wrong because it specifies a specific IAM user ARN, which requires that user to exist in the external account, contradicting the requirement not to create IAM users. Option D is wrong because it specifies a specific IAM role ARN, which requires that role to exist in the external account, also contradicting the requirement not to create IAM users or roles.

5. MCQ (easy)

A company has a centralized logging solution where all EC2 instances send logs to a CloudWatch Logs group in a central account. The EC2 instances are in a different account (App Account). The developer configures the CloudWatch agent on the instances with the necessary IAM role. However, logs are not appearing in the central account's log group. The IAM role in the App Account has permissions to put logs to the central account's log group. What is the most likely missing configuration?

A. CloudWatch Logs must be encrypted with the same KMS key in both accounts.
B. The central account's log group must have a resource-based policy that grants the App Account's IAM role permissions to put logs.
C. The log group must be in the same region as the EC2 instances.
D. The EC2 instances must be in a VPC with a VPC endpoint for CloudWatch Logs.
Answer: B

Cross-account logging requires a destination policy on the log group.

Why this answer

Option B is correct because cross-account CloudWatch Logs requires a destination policy in the central account that allows the App Account to write logs. Option D is wrong because VPC endpoints are not required. Option C is wrong because the log group does not need to be in the same region, although cross-region delivery might require additional configuration.

Option A is wrong because KMS encryption is optional.

6. MCQ (easy)

A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?

A. S3 Block Public Access
B. S3 Object Lock
C. S3 Transfer Acceleration
D. S3 Bucket Policy with Deny clause
Answer: A

Correct. S3 Block Public Access at the account level prevents any public access to buckets regardless of bucket policies or ACLs.

Why this answer

S3 Block Public Access is the correct choice because it provides account-level settings that override any bucket-level policies or ACLs that would grant public access. When enabled at the account level, these settings apply to all current and future S3 buckets, effectively preventing any bucket from becoming publicly accessible regardless of subsequent configuration changes.

Exam trap

The trap here is that candidates often choose a bucket policy with a Deny clause (Option D) thinking it can enforce account-wide restrictions, but they overlook that such policies are bucket-specific and can be removed or modified by users with appropriate IAM permissions, whereas S3 Block Public Access provides a centralized, immutable account-level control.

How to eliminate wrong answers

Option B is wrong because S3 Object Lock is designed to prevent objects from being deleted or overwritten for a fixed period, not to control public access permissions. Option C is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations, and it has no effect on access control or public accessibility. Option D is wrong because a bucket policy with a Deny clause is applied at the individual bucket level, not at the account level, and it can be overridden or removed by anyone with sufficient permissions; it does not provide the centralized, enforceable control that Block Public Access offers.

7. MCQ (hard)

A company's S3 bucket policy includes a condition that uses 'aws:SourceIp' to restrict access to a specific IP range. However, requests from that IP range are still denied. What is a possible reason?

A. The request is routed through CloudFront, which changes the source IP.
B. The bucket owner's IAM user policy overrides the bucket policy.
C. The request is coming through a VPC endpoint, so the source IP is not the client's IP.
D. The condition key 'aws:SourceIp' is misspelled.
Answer: C

With VPC endpoints, the source IP is the endpoint's private IP, not the client's public IP; use 'aws:SourceVpce' instead.

Why this answer

When a request is made through a VPC endpoint (specifically a Gateway Endpoint for S3), the source IP address seen by S3 is the private IP of the VPC endpoint, not the client's original public IP. The 'aws:SourceIp' condition key evaluates the IP address from which the request originates at the network layer, but VPC endpoints use private IPs from the VPC CIDR range, which will not match the public IP range specified in the policy. This causes the condition to fail and the request to be denied, even though the client is within the intended IP range.

Exam trap

The trap here is that candidates assume 'aws:SourceIp' always reflects the client's original public IP, but they forget that VPC endpoints and proxies (like CloudFront or a NAT gateway) can change the source IP seen by the service, leading to unexpected denials.

How to eliminate wrong answers

Option A is wrong because, although CloudFront forwards requests to the origin from its own IP addresses (so a bucket policy's 'aws:SourceIp' condition would see CloudFront's IP rather than the client's and could also cause a denial), the question specifies that the request comes from the correct IP range and is still denied, which makes the VPC endpoint the more precise reason. Option B is wrong because IAM user policies do not override bucket policies; the request must be allowed by at least one policy, and an explicit deny in the bucket policy still blocks the request, since an IAM policy cannot override a bucket policy deny. Option D is wrong because if 'aws:SourceIp' were misspelled, the condition would be ignored rather than evaluated, and the policy would likely allow the request (assuming other conditions are met) rather than deny it.

8. MCQ (medium)

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A security audit reveals that the S3 bucket policy allows access from any AWS account. Which combination of actions should be taken to secure the bucket?

A. Enable default encryption on the bucket
B. Enable S3 Block Public Access at the account level
C. Modify the bucket policy to allow access only from the application's VPC endpoint or specific IAM roles
D. Enable AWS CloudTrail to log bucket access
Answer: C

Restricting access to specific VPC endpoints or IAM roles ensures only authorized entities can access the bucket.

Why this answer

Option C is correct because the bucket policy currently allows access from any AWS account, which is overly permissive. By restricting access to only the application's VPC endpoint (via aws:SourceVpce condition) or specific IAM roles (via aws:PrincipalArn), you enforce least privilege and ensure only authorized traffic from your application can access the sensitive data. This directly addresses the audit finding without relying on other mechanisms that don't restrict access by source.

Exam trap

The trap here is that candidates often confuse 'public access' (open to the internet) with 'cross-account access' (open to any AWS account), leading them to choose S3 Block Public Access, which does not block cross-account access when the policy explicitly allows it via a principal like '*' or an account ARN.

How to eliminate wrong answers

Option A is wrong because enabling default encryption only encrypts new objects at rest; it does not restrict who can access the bucket or its contents, so it does not address the policy allowing any AWS account. Option B is wrong because S3 Block Public Access at the account level prevents public access via ACLs or bucket policies that grant public access, but the current policy allows access from any AWS account (not the general public), and Block Public Access may not block cross-account access if the policy explicitly allows it; it also could break legitimate cross-account access if applied incorrectly. Option D is wrong because enabling CloudTrail logs access events but does not prevent unauthorized access; it only provides auditing after the fact, not a security control to restrict access.

9. MCQ (hard)

A company uses AWS KMS to encrypt data in Amazon S3. They have a Customer Master Key (CMK) with key rotation enabled. The S3 bucket has default encryption using SSE-KMS with this CMK. An application writes objects to the bucket. Which statement about the encryption is correct?

A. The CMK is used to generate a data key that encrypts the object, and the encrypted data key is stored with the object.
B. The CMK directly encrypts the object data.
C. When the CMK is rotated, all existing objects in the bucket are automatically re-encrypted with the new key.
D. Each object is encrypted with a unique data key that is stored alongside the object.
Answer: A

This is the correct description of envelope encryption with KMS.

Why this answer

Option A is correct because AWS KMS uses envelope encryption: when an object is written to S3 with SSE-KMS, KMS generates a unique data key from the CMK, encrypts the object with that data key, and then stores the encrypted data key alongside the object in S3. The CMK itself never directly encrypts the object data; it only encrypts the data key. This ensures that the CMK can be rotated without affecting the encrypted objects, as the encrypted data key remains decryptable by the new key material if the key ID is the same.

Exam trap

The trap here is that candidates often confuse the role of the CMK and the data key, mistakenly thinking the CMK directly encrypts the object (Option B), or they assume key rotation triggers re-encryption of existing data (Option C), when in fact envelope encryption decouples the key rotation from the stored ciphertext.

How to eliminate wrong answers

Option B is wrong because the CMK never directly encrypts the object data; AWS KMS uses envelope encryption where the CMK encrypts a data key, and that data key encrypts the object. Option C is wrong because key rotation creates new backing key material for the CMK but does not re-encrypt existing objects; the old backing key remains available for decryption, and objects encrypted before rotation are not automatically re-encrypted. Option D is wrong because while each object is encrypted with a unique data key, that data key is not stored alongside the object in plaintext; it is stored encrypted under the CMK, and the statement omits the critical detail that the data key is encrypted.
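A model of the envelope-encryption flow described above, added here as an illustration and not AWS code: the CMK only ever wraps per-object data keys, and a rotated CMK keeps its earlier backing-key versions so objects written before rotation still decrypt. The SHA-256 keystream cipher and HMAC tag are a demo-only stand-in for AES-GCM and for KMS's real ciphertext format; all names are assumptions.

```python
"""Envelope-encryption model for question 9 (constructed example, not AWS code):
a KMS key, modelled as a list of versioned backing keys, never encrypts the
object itself; it wraps a fresh per-object data key.  The keystream cipher
below is a demo-only stand-in for AES-GCM."""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only symmetric cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class DemoKmsKey:
    """Stand-in for a CMK with rotation enabled: rotate() adds a new backing-key
    version, and every earlier version is kept so old wrapped keys still open."""

    def __init__(self):
        self.versions = [os.urandom(32)]

    @property
    def current_version(self):
        return len(self.versions) - 1

    def rotate(self):
        self.versions.append(os.urandom(32))

    def generate_data_key(self):
        """Model of kms:GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        data_key = os.urandom(32)
        return data_key, self.wrap(data_key)

    def wrap(self, data_key):
        """Encrypt the data key under the CURRENT backing key; record which version."""
        v = self.current_version
        nonce = os.urandom(12)
        ct = _keystream_xor(self.versions[v], nonce, data_key)
        tag = hmac.new(self.versions[v], nonce + ct, "sha256").digest()
        return v.to_bytes(1, "big") + nonce + ct + tag

    def decrypt(self, wrapped):
        """Model of kms:Decrypt: the version byte selects the backing key to unwrap with."""
        v, nonce, ct, tag = wrapped[0], wrapped[1:13], wrapped[13:45], wrapped[45:]
        key = self.versions[v]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
            raise ValueError("wrapped data key failed its integrity check")
        return _keystream_xor(key, nonce, ct)


def put_object(cmk, plaintext):
    """SSE-KMS write: one fresh data key per object; only the WRAPPED key is stored."""
    data_key, wrapped = cmk.generate_data_key()
    nonce = os.urandom(12)
    return {"wrapped_data_key": wrapped, "nonce": nonce,
            "body": _keystream_xor(data_key, nonce, plaintext)}


def get_object(cmk, stored):
    """SSE-KMS read: unwrap the data key via the CMK, then decrypt the body locally."""
    data_key = cmk.decrypt(stored["wrapped_data_key"])
    return _keystream_xor(data_key, stored["nonce"], stored["body"])


def rotation_keeps_old_objects_readable():
    """Write before and after rotation; both objects must still decrypt, and the
    wrapped keys name backing-key versions 0 and 1 respectively."""
    cmk = DemoKmsKey()
    before = put_object(cmk, b"written before rotation")
    cmk.rotate()
    after = put_object(cmk, b"written after rotation")
    return (get_object(cmk, before), get_object(cmk, after),
            before["wrapped_data_key"][0], after["wrapped_data_key"][0])
```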

10. MCQ (hard)

Refer to the exhibit. An IAM policy allows s3:GetObject for a bucket only from a specific IP range. A developer accesses the bucket from a laptop with IP address 192.0.2.55, but access is denied. What is the most likely reason?

A. The policy includes an explicit deny statement elsewhere.
B. The condition key should be 'aws:SourceIp' without the 'IpAddress' wrapper.
C. The laptop's IP address is not within the allowed range.
D. The request is made from an AWS service, such as the AWS Management Console, which does not use the laptop's public IP.
Answer: D

When using the console, requests originate from AWS IPs, not the client's IP.

Why this answer

Option D is correct because when a request is made via the AWS Management Console, the console itself acts as an intermediary. The console's requests originate from AWS service IPs, not the user's laptop public IP. Therefore, the `aws:SourceIp` condition in the IAM policy evaluates against the console's IP, which is not in the allowed range, causing the denial even though the laptop's IP is valid.

Exam trap

The trap here is that candidates assume the laptop's public IP is always used for the request, forgetting that the AWS Management Console acts as a proxy, so the `aws:SourceIp` condition evaluates the console's IP, not the user's.

How to eliminate wrong answers

Option A is wrong because the question states the policy allows s3:GetObject from a specific IP range, and there is no mention or evidence of an explicit deny statement elsewhere; the most likely reason is the IP mismatch due to the console proxy. Option B is wrong because the `IpAddress` wrapper is the correct syntax for the `aws:SourceIp` condition key in an IAM policy; omitting it would cause a syntax error, not a logical denial. Option C is wrong because the laptop's IP address (192.0.2.55) is within the allowed range as described in the scenario, so the denial must stem from the request not using that IP.

11. MCQ (medium)

A developer is building an application that uploads files to S3. The application uses an IAM user with access keys. The developer wants to rotate the access keys regularly. Which approach is the most secure?

A. Use AWS Secrets Manager to automatically rotate the access keys.
B. Use the root account access keys and rotate them manually.
C. Manually create new keys every 90 days and update the application.
D. Create a new IAM user and update the application.
Answer: A

Secrets Manager can rotate IAM user keys.

Why this answer

Option A is correct because rotating keys automatically with Secrets Manager reduces human error. Option C is wrong because manual rotation is error-prone. Option D is wrong because creating a new user does not rotate keys.

Option B is wrong because using the root account is a security risk.

12. MCQ (medium)

A company uses AWS KMS to encrypt S3 objects. A developer needs to allow an IAM user to decrypt objects but not encrypt them. Which IAM policy action should be allowed?

A. kms:Decrypt
B. kms:GenerateDataKey
C. kms:Encrypt
D. kms:ReEncrypt
Answer: A

This action allows decryption of ciphertext.

Why this answer

The correct action is `kms:Decrypt` because the developer's requirement is to allow an IAM user to decrypt S3 objects but not encrypt them. AWS KMS uses separate permissions for encryption and decryption operations; `kms:Decrypt` specifically grants the ability to decrypt ciphertext without granting any encryption capabilities. By allowing only this action, the user can decrypt objects encrypted with the KMS key but cannot encrypt new data or perform any key management operations.

Exam trap

The trap here is that candidates often confuse `kms:Decrypt` with `kms:GenerateDataKey` or `kms:ReEncrypt`, mistakenly thinking those actions are required for decryption, when in fact they also enable encryption capabilities that violate the requirement.

How to eliminate wrong answers

Option B is wrong because `kms:GenerateDataKey` is used to generate a data key for client-side encryption, which involves creating both a plaintext key and an encrypted key; allowing this would enable the user to encrypt new data, violating the requirement to prevent encryption. Option C is wrong because `kms:Encrypt` directly allows the user to encrypt plaintext into ciphertext using the KMS key, which is explicitly prohibited. Option D is wrong because `kms:ReEncrypt` allows decrypting ciphertext and re-encrypting it under a different KMS key, which includes decryption capability but also introduces encryption operations, violating the restriction against encryption.

13. MCQ (medium)

A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?

A. Store the access key ID and secret access key in environment variables on the EC2 instance.
B. Create an IAM role with permissions to the S3 bucket and attach it to the EC2 instance profile.
C. Use an S3 bucket policy that grants access to the EC2 instance's public IP address.
D. Store the credentials in AWS Secrets Manager and have the application retrieve them at startup.
Answer: B

An IAM role provides temporary credentials automatically rotated by AWS, which is the secure and recommended approach.

Why this answer

Option B is correct because using an IAM role attached to an EC2 instance profile allows the application to obtain temporary security credentials from the AWS Security Token Service (STS) via the instance metadata service. This eliminates the need to store long-term credentials on the instance, adhering to the principle of least privilege and improving security posture.

Exam trap

The trap here is that candidates may think storing credentials in environment variables or Secrets Manager is acceptable, but the question explicitly requires no long-term credentials on the instance, making the IAM role the only correct answer that leverages temporary credentials via the instance metadata service.

How to eliminate wrong answers

Option A is wrong because storing access key ID and secret access key in environment variables on the EC2 instance exposes long-term credentials that could be compromised if the instance is accessed or the environment is leaked, violating the requirement to avoid storing long-term credentials. Option C is wrong because an S3 bucket policy that grants access based on the EC2 instance's public IP address is not a secure or reliable method; public IPs can change (unless using an Elastic IP) and do not authenticate the instance's identity, plus S3 bucket policies support principal-based access, not IP-based for EC2 instances in this context. Option D is wrong because while AWS Secrets Manager securely stores credentials, the application would still need to retrieve and use long-term credentials at startup, which contradicts the requirement to avoid storing long-term credentials on the instance; using an IAM role is the preferred approach for EC2 instances.

14. MCQ (medium)

A company wants to allow cross-account access to an S3 bucket in Account A from a role in Account B. The S3 bucket policy in Account A allows the role's ARN. However, access is denied. What is the most likely missing step?

A. Add a bucket policy that denies access to all principals.
B. The role in Account B must have an IAM policy that allows the S3 actions.
C. Disable block public access settings on the bucket.
D. Enable ACLs on the S3 bucket.
Answer: B

Cross-account access requires both the resource-based policy (bucket policy) and the identity-based policy (IAM role) to grant permissions.

Why this answer

Option B is correct because cross-account S3 access requires both a resource-based policy (the bucket policy in Account A) that grants access to the role ARN, and an identity-based policy (an IAM policy attached to the role in Account B) that explicitly allows the S3 actions. Without the IAM policy in Account B, the role lacks permission to perform the S3 operations, even though the bucket policy permits the access. This is a fundamental principle of AWS cross-account authorization: both the resource side and the principal side must grant the necessary permissions.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, overlooking the requirement for an IAM policy on the requesting role to explicitly allow the S3 actions.

How to eliminate wrong answers

Option A is wrong because adding a bucket policy that denies access to all principals would explicitly block all access, including the intended cross-account access, making the problem worse. Option C is wrong because block public access settings are irrelevant to cross-account access via IAM roles; they only affect public access from the internet, not authenticated cross-account requests. Option D is wrong because enabling ACLs on the S3 bucket is not required for cross-account access; ACLs are a legacy access control mechanism and are not needed when using IAM policies and bucket policies, and they would not resolve the missing IAM policy issue.

15. MCQ (medium)

A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?

A. s3:x-amz-server-side-encryption equals aws:kms
B. s3:x-amz-server-side-encryption equals AES256
C. s3:x-amz-server-side-encryption-aws-kms-key-id equals a specific key ARN
D. aws:SecureTransport equals true
Answer: A

This condition specifies that the object must be encrypted with SSE-KMS. A Deny statement with this condition will reject uploads that do not use 'aws:kms' for server-side encryption.

Why this answer

Option A is correct because the condition `s3:x-amz-server-side-encryption equals aws:kms` enforces that any PUT request to the S3 bucket must include the `x-amz-server-side-encryption` header set to `aws:kms`, which triggers SSE-KMS encryption. This policy condition ensures that objects uploaded without specifying SSE-KMS are denied, meeting the requirement to automatically encrypt all uploaded objects with AWS KMS.

Exam trap

The trap here is that candidates confuse the condition for specifying a particular KMS key ARN (Option C) with the condition for simply requiring SSE-KMS encryption, leading them to pick an overly restrictive policy that would break uploads using the default KMS key.

How to eliminate wrong answers

Option B is wrong because `AES256` corresponds to SSE-S3 (S3-managed keys), not SSE-KMS, so it would enforce the wrong encryption type. Option C is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` enforces a specific KMS key ARN, but the question only requires SSE-KMS encryption, not a particular key; using this condition would be overly restrictive and could deny valid uploads using the default KMS key. Option D is wrong because `aws:SecureTransport` enforces HTTPS (TLS) for all requests, which is a transport-layer security requirement, not an encryption-at-rest requirement for object uploads.
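A small bucket-policy simulator, added here and not part of the question bank, that applies the Deny pattern from question 15 and the aws:SourceIp versus aws:SourceVpce conditions from question 7 to constructed requests. It models only the documented Effect/Condition semantics for four operators (Principal and Resource are assumed to match), pairs the StringNotEquals deny with the commonly recommended Null-condition deny for a missing header, and uses placeholder bucket, account and endpoint identifiers.

```python
"""Bucket-policy simulator for questions 7 and 15 (constructed example, not
S3's real engine): supports StringEquals, StringNotEquals, Null and IpAddress
conditions; Principal and Resource are assumed to match the request."""
import ipaddress

BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"        # placeholder bucket
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"    # placeholder account/role
ENDPOINT_ID = "vpce-0123456789abcdef0"                   # placeholder endpoint id


def _values(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator, key, expected, ctx):
    """Evaluate one operator/key pair against the request context."""
    expected = _values(expected)
    if operator == "Null":
        # Null: "true" matches when the key is ABSENT from the request context.
        return (key not in ctx) == (expected[0] == "true")
    if key not in ctx:
        # This simulation matches a missing key only through Null, which is why the
        # SSE-KMS policy below carries a separate Null statement for a missing header.
        return False
    actual = ctx[key]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
    raise ValueError(f"unsupported operator: {operator}")


def _statement_matches(stmt, action, ctx):
    if action not in _values(stmt["Action"]):
        return False
    return all(_condition_matches(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policy, action, ctx):
    """'Deny' if any Deny statement matches (explicit deny always wins),
    'Allow' if an Allow statement matches, otherwise 'ImplicitDeny'."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


# Question 15: let the application role upload, but deny any PutObject whose
# x-amz-server-side-encryption header is not aws:kms, or is missing altogether.
SSE_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppUploads", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS},
    {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}


def allow_get_object(condition):
    """One-statement Allow for s3:GetObject gated by the given Condition (question 7)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": BUCKET_OBJECTS, "Condition": condition}]}


SOURCE_IP_POLICY = allow_get_object({"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})
SOURCE_VPCE_POLICY = allow_get_object({"StringEquals": {"aws:SourceVpce": ENDPOINT_ID}})

# Constructed request contexts: the office client arrives with its public IP; the same
# client going through a gateway VPC endpoint presents the endpoint's private IP instead.
OFFICE_REQUEST = {"aws:SourceIp": "203.0.113.10"}
VPCE_REQUEST = {"aws:SourceIp": "10.0.1.25", "aws:SourceVpce": ENDPOINT_ID}


def demo():
    """Return every decision the two questions hinge on, keyed by scenario."""
    put, enc = "s3:PutObject", "s3:x-amz-server-side-encryption"
    return {
        "put_with_aws_kms": evaluate(SSE_KMS_POLICY, put, {enc: "aws:kms"}),
        "put_with_aes256": evaluate(SSE_KMS_POLICY, put, {enc: "AES256"}),
        "put_without_header": evaluate(SSE_KMS_POLICY, put, {}),
        "office_by_ip": evaluate(SOURCE_IP_POLICY, "s3:GetObject", OFFICE_REQUEST),
        "vpce_by_ip": evaluate(SOURCE_IP_POLICY, "s3:GetObject", VPCE_REQUEST),
        "vpce_by_vpce": evaluate(SOURCE_VPCE_POLICY, "s3:GetObject", VPCE_REQUEST),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:20s} -> {decision}")
```

In real S3 the caller's identity policy is evaluated alongside the bucket policy; the simulator keeps an Allow statement in the SSE-KMS policy only so that a compliant upload shows as Allow rather than ImplicitDeny.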

16. MCQ (easy)

A company wants to encrypt data in transit between an EC2 instance and an S3 bucket. What should they do?

A. Use SSH to transfer files to S3.
B. Establish a VPN connection between the instance and S3.
C. Enable client-side encryption using the AWS SDK.
D. Use the S3 HTTPS endpoint for all API calls.
Answer: D

HTTPS encrypts data in transit.

Why this answer

Option D is correct because S3 supports HTTPS endpoints for encrypted data in transit. Option A is wrong because S3 does not support SSH. Option B is wrong because S3 does not support VPN connections.

Option C is wrong because client-side encryption encrypts data before transmission, but HTTPS is the standard for in-transit encryption.

17. MCQ (hard)

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

A. The bucket policy in Account A grants s3:GetObject to the role, the KMS key policy grants kms:Decrypt to the role, and the role in Account B has an IAM policy allowing s3:GetObject and kms:Decrypt
B. The bucket policy in Account A grants s3:GetObject to the role, and the role in Account B has an IAM policy allowing s3:GetObject. No KMS permissions are needed because SSE-KMS uses AWS managed keys by default.
C. The bucket policy in Account A grants s3:GetObject to the role, and the KMS key policy grants kms:Decrypt to the role. The role in Account B does not need additional IAM policies because the bucket and key policies provide sufficient permissions.
D. Only the bucket policy in Account A needs to grant s3:GetObject to the role. KMS is not involved because the bucket is encrypted with SSE-KMS but the role can decrypt using the default KMS key.
Answer: A

All three policies are required: bucket policy and key policy in Account A grant the necessary permissions, and the IAM role in Account B must have the corresponding IAM policy to authorize the use of those grants.

Why this answer

Option A is correct because cross-account access to an SSE-KMS encrypted S3 bucket requires three layers of permissions: the bucket policy in Account A must grant s3:GetObject to the IAM role in Account B, the KMS key policy must grant kms:Decrypt to the same role, and the role's IAM policy in Account B must allow both s3:GetObject and kms:Decrypt. Without any one of these, the request will fail due to either an S3 authorization error or a KMS decryption failure.

Exam trap

The trap here is that candidates assume bucket and key policies alone are sufficient for cross-account access, forgetting that the requesting principal (the IAM role) must also have an IAM policy that explicitly allows the required actions.

How to eliminate wrong answers

Option B is wrong because SSE-KMS with a customer managed key (CMK) requires explicit kms:Decrypt permissions; AWS managed keys are not used here, and omitting KMS permissions will cause a 'KMS.AccessDeniedException' when the role tries to read encrypted objects. Option C is wrong because the role in Account B must have an IAM policy that allows s3:GetObject and kms:Decrypt; bucket and key policies alone cannot grant permissions to a principal in another account, so the role's trust policy and IAM permissions are necessary to authorize the action. Option D is wrong because KMS is always involved when SSE-KMS is used; the bucket is encrypted with a CMK, not the default KMS key, and the role must have kms:Decrypt permissions to decrypt the objects.

18
MCQmedium

A developer runs the AWS CLI command to decrypt a file using a KMS key. What is the most likely cause of the error?

A.The encrypted file is corrupted.
B.The CLI cannot read the file.
C.The IAM user lacks kms:Decrypt permission on the key.
D.The KMS key ID is incorrect.
AnswerC

Explicitly says not authorized.

Why this answer

The IAM user DevUser does not have kms:Decrypt permission on the specified KMS key.

19
Multi-Selecthard

Which THREE are valid methods to encrypt data at rest in Amazon S3? (Choose 3)

A.Encryption in transit using SSL/TLS
B.Server-Side Encryption with S3-Managed Keys (SSE-S3)
C.Client-Side Encryption with AWS KMS
D.Server-Side Encryption with Customer-Provided Keys (SSE-C)
E.Server-Side Encryption with KMS-Managed Keys (SSE-KMS)
AnswersB, D, E

SSE-S3 is a valid method.

Why this answer

Options B, D, and E are the three server-side encryption modes S3 offers: SSE-S3 (keys managed by S3), SSE-KMS (keys managed in AWS KMS) and SSE-C (a customer-provided key sent with each request and never stored by S3). Option A (SSL/TLS) protects data in transit, not at rest. Option C (client-side encryption with KMS) does leave encrypted objects at rest, but the encryption happens in the client before upload using a KMS data key, so it is not an S3 server-side encryption method and is not one of the three this question is after.

20
MCQhard

Based on the CloudTrail log entry, which security concern should be investigated?

A.The role used has too many permissions.
B.The instance was launched in an unauthorized region.
C.Multi-factor authentication (MFA) was not used when assuming the role.
D.The source IP address is from a suspicious location.
AnswerC

mfaAuthenticated is false, indicating no MFA.

Why this answer

The CloudTrail record for the `sts:AssumeRole` call shows `sessionContext.attributes.mfaAuthenticated` as `false`, so the caller's session was not MFA-authenticated when the role was assumed. This violates the best practice of requiring MFA for privileged role assumptions (enforced with a `Bool` condition on `aws:MultiFactorAuthPresent` in the role's trust policy) and increases the risk of unauthorized access if the caller's long-term credentials are compromised.

Exam trap

The trap here is that candidates often focus on the source IP address or region as suspicious, but the indicator the record actually contains is the absence of MFA on the `sts:AssumeRole` call, which is exactly the weakness an attacker with stolen access keys relies on.

How to eliminate wrong answers

Option A is wrong because a CloudTrail record documents the API call, not the permissions attached to the role; the role's effective permissions cannot be judged from it. Option B is wrong because the record does not show that the instance's region is unauthorized; `awsRegion` only records where the API call was made. Option D is wrong because nothing in the record establishes that the source IP address is suspicious; an address has to be checked against known networks or threat intelligence before it becomes a finding, whereas the missing MFA is conclusive from the record itself.
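As an added example (not part of the original question bank), the detection logic a SOC would run over CloudTrail records to surface what this question describes: `AssumeRole` calls whose caller session was not MFA-authenticated. The log below is constructed to resemble a CloudTrail log file; the account ID, user and role names and IP addresses are placeholders. The preventive counterpart is the `aws:MultiFactorAuthPresent` condition in the role's trust policy; this script is the detective control that catches roles whose trust policy lacks it.

```python
import json

# Constructed sample in CloudTrail's log-file envelope ({"Records": [...]}). Account
# ID, user and role names and IP addresses are placeholders, not real data.
# alice holds session credentials obtained with MFA (sessionContext present);
# bob calls with long-term access keys, so his record has no sessionContext at all.
SAMPLE_LOG = r'''
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
  "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
    "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                      "creationDate": "2024-05-01T09:55:00Z"}}},
  "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole",
                        "roleSessionName": "alice-admin"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
  "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole",
                        "roleSessionName": "bob-admin"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:06:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/bob-admin",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
]}
'''


def load_records(log_text):
    """Parse the body of a CloudTrail log file and return its event records."""
    return json.loads(log_text)["Records"]


def is_role_assumption(event):
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRole")


def caller_had_mfa(event):
    """CloudTrail stores the flag as the string "true"/"false" under
    userIdentity.sessionContext.attributes. A caller using long-term keys has
    no sessionContext at all, which is treated as no MFA rather than ignored."""
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def find_non_mfa_assumptions(records, monitored_roles=None):
    """Return one finding per AssumeRole call made from a non-MFA session.
    monitored_roles, if given, restricts findings to those role ARNs."""
    findings = []
    for ev in records:
        if not is_role_assumption(ev) or caller_had_mfa(ev):
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        if monitored_roles and role_arn not in monitored_roles:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "caller": ev.get("userIdentity", {}).get("arn"),
            "role": role_arn,
            "sourceIP": ev.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for f in find_non_mfa_assumptions(load_records(SAMPLE_LOG)):
        print(f"NO-MFA AssumeRole: {f['caller']} -> {f['role']} "
              f"at {f['time']} from {f['sourceIP']}")
```

Only the second record is reported: alice's session carries `mfaAuthenticated: "true"`, and the `RunInstances` record is not an `AssumeRole` call, so its `false` flag is irrelevant to this rule. Restricting `monitored_roles` to the privileged roles in the account keeps the rule's volume down in environments where service roles are routinely assumed without MFA.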

21
Multi-Selecthard

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. Which TWO additional checks should the developer perform to resolve the issue?

A.Check the network ACLs for the subnet.
B.Check if the S3 bucket policy has an explicit deny statement that affects the EC2 instance.
C.Check if the EC2 instance is in a VPC with an S3 VPC endpoint configured.
D.Check the security group rules attached to the EC2 instance.
E.Check if the S3 bucket uses SSE-KMS encryption and the EC2 role has kms:Decrypt permissions.
AnswersB, E

An explicit deny overrides any allow.

Why this answer

Option B is correct because S3 bucket policies can explicitly deny access even if the IAM role attached to the EC2 instance grants s3:GetObject. An explicit deny in a bucket policy overrides any allow, so checking for such a deny statement is essential. Option E is correct because if the S3 bucket uses SSE-KMS encryption, the EC2 instance's IAM role must have kms:Decrypt permissions to decrypt the object; without it, GetObject requests will fail.

Exam trap

The trap here is that candidates often focus only on IAM policies or network controls (NACLs/security groups) and overlook the combination of bucket policies with explicit denies and KMS encryption permissions, which are common real-world blockers.

22
MCQhard

A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?

A.Use AWS Systems Manager Parameter Store with a SecureString parameter using an AWS managed key
B.Store the connection string in AWS Secrets Manager and enable automatic rotation with a custom Lambda function
C.Encrypt the environment variables using the Lambda service key
D.Use AWS KMS to encrypt the environment variables and set a manual rotation policy
AnswerB

Secrets Manager supports automatic rotation with custom Lambda functions, allowing you to rotate the secret every 90 days using a customer-managed KMS key.

Why this answer

Option B is correct because AWS Secrets Manager natively supports automatic rotation of secrets using a custom Lambda function, which meets the quarterly rotation requirement. Secrets Manager also encrypts secrets at rest using KMS, and the customer can specify a customer-managed key (CMK) for encryption, satisfying the encryption-at-rest and customer-managed key requirements. Additionally, Secrets Manager enforces encryption in transit via TLS when retrieving secrets, fulfilling the full security audit mandate.

Exam trap

AWS often tests the distinction between rotating the encryption key (KMS) versus rotating the secret value itself, leading candidates to incorrectly choose KMS-based options when the requirement is to rotate the stored credential.

How to eliminate wrong answers

Option A is wrong because a SecureString parameter with an AWS managed key does not meet the customer-managed key requirement, and Parameter Store has no native rotation of the stored value; only the KMS key behind it rotates. Option C is wrong because the Lambda service key is an AWS managed key, not a customer-managed one. Option D is wrong because KMS key rotation, whether automatic (yearly by default, with a configurable rotation period) or manual, replaces the key material and not the connection string encrypted under it; the requirement is to rotate the stored credential, which KMS alone cannot do.

23
MCQmedium

A developer is configuring a load balancer in front of an EC2 instance running a web application. The application needs to authenticate users via an identity provider. Which AWS service should the developer use to handle authentication and authorization?

A.AWS Identity and Access Management (IAM)
B.Amazon Cognito
C.Amazon Route 53
D.Amazon CloudFront
AnswerB

Cognito user pools provide authentication for web apps.

Why this answer

Option B is correct because Amazon Cognito user pools authenticate application users, and an Application Load Balancer can be configured to authenticate requests against a user pool (or directly against an OIDC identity provider) before forwarding them to the instance. Option A is wrong because IAM governs access to AWS APIs and resources, not sign-in for a web application's end users. Option C is wrong because Route 53 is DNS. Option D is wrong because CloudFront is a CDN.

24
MCQeasy

A developer is building a serverless application using AWS Lambda functions that need to read and write to an Amazon DynamoDB table. What is the best practice for granting the Lambda function access to DynamoDB?

A.Create an IAM role with a trust policy that allows Lambda to assume it, and attach a permissions policy granting DynamoDB access.
B.Create an IAM user and store the access keys in the Lambda environment variables.
C.Attach a resource-based policy to the Lambda function that grants DynamoDB access.
D.Use the Lambda function's default VPC role to access DynamoDB via a VPC endpoint.
AnswerA

Lambda uses an execution role to obtain temporary credentials.

Why this answer

Option A is correct because AWS Lambda functions require an IAM role (execution role) with a trust policy that allows Lambda to assume it, and a permissions policy that grants the necessary DynamoDB actions (e.g., GetItem, PutItem). This is the standard and secure method for granting permissions to Lambda, as it avoids hardcoding credentials and follows the principle of least privilege.

Exam trap

The trap here is that candidates confuse resource-based policies (used for Lambda function invocation permissions) with execution roles (used for granting the Lambda function access to other AWS services), leading them to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because storing IAM user access keys in Lambda environment variables is insecure and violates best practices; keys can be exposed in logs or through the console, and they do not automatically rotate. Option C is wrong because Lambda functions do not support resource-based policies for granting access to other AWS services like DynamoDB; resource-based policies are used for cross-account access to the Lambda function itself, not for the function to access external resources. Option D is wrong because a VPC role or VPC endpoint does not grant IAM permissions; VPC endpoints enable private network connectivity but do not replace the need for an IAM role with DynamoDB access policies.

25
MCQeasy

A developer needs to securely store database credentials for a serverless application. Which service should be used?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3
D.AWS Key Management Service (KMS)
AnswerA

Secrets Manager is the best choice for database credentials.

Why this answer

AWS Secrets Manager is designed for storing and rotating secrets such as database credentials. Option B (Parameter Store) can hold SecureString parameters but has no native rotation. Option C (S3) is object storage, not a secrets service. Option D (KMS) manages encryption keys; it does not store application secrets.

26
MCQmedium

A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?

A.Block public access and enable S3 Access Points with a network origin policy
B.Enable S3 Object Lock and versioning
C.Use S3 Transfer Acceleration and server-side encryption
D.Configure a bucket policy that allows only specific IAM users and enable MFA Delete
AnswerA

Block public access prevents public access, and S3 Access Points with network policies restrict access to authenticated requests from allowed networks.

Why this answer

Option A is correct because blocking public access at the bucket level ensures that no anonymous or public requests can reach the bucket, while S3 Access Points with a network origin policy restrict access to requests originating from a specific VPC or on-premises network. This combination enforces that all GET requests must be authenticated (via the Access Point's IAM policies) and cannot come from public internet sources, meeting the security team's requirements.

Exam trap

The trap here is that candidates confuse durability and deletion controls (Object Lock, versioning, MFA Delete) or encryption with authentication controls. Block Public Access is what removes anonymous access; the access point's VPC-only network origin then limits even authenticated requests to the expected network.

How to eliminate wrong answers

Option B is wrong because S3 Object Lock and versioning prevent object deletion or overwrite and maintain object history, but they do not control authentication or public access for GET requests. Option C is wrong because S3 Transfer Acceleration speeds up uploads over long distances and server-side encryption protects data at rest, neither of which authenticates requests or blocks public access. Option D is wrong because a bucket policy allowing only specific IAM users can restrict access, but MFA Delete only adds multi-factor authentication to delete operations, not to GET requests, and this combination does not inherently block public access from unauthenticated sources.

27
MCQeasy

A company is using AWS KMS to encrypt sensitive data stored in S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the most secure way to achieve this?

A.Use S3 server-side encryption with S3-managed keys (SSE-S3).
B.Create a KMS key policy that grants the role the kms:Decrypt permission.
C.Enable automatic key rotation for the KMS key.
D.Use an S3 bucket policy to restrict access to the role.
AnswerB

KMS key policies directly control who can use the key.

Why this answer

Option B is correct because the KMS key policy is the primary and authoritative control over who can use a key. Granting kms:Decrypt to that one role in the key policy, and not delegating key use to IAM policies through the usual `kms:*` grant to the account root, means no other principal can decrypt the objects even if it can read them from S3. This separates control of the data from control of the storage and follows the principle of least privilege.

Exam trap

The trap here is that candidates often confuse S3 bucket policies with KMS key policies, assuming that restricting S3 access is sufficient to prevent decryption, when in fact the KMS key policy is the only way to enforce decryption restrictions at the cryptographic level.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses S3-managed keys, so there is no key to scope: any principal with s3:GetObject on the object receives plaintext. Option C is wrong because automatic key rotation replaces the backing key material over time for cryptographic hygiene; it does not change who may use the key. Option D is wrong because a bucket policy controls who can fetch the ciphertext object from S3 but says nothing about who can use the key; anyone who obtains the object by another path and holds kms:Decrypt on the key can still decrypt it. The key policy is the authoritative control for decryption.

28
MCQeasy

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from 'example-bucket' from an IP address of 10.0.1.5. Will the download succeed?

A.Yes, because the source IP matches the condition.
B.No, because the policy does not specify the user's IP.
C.Yes, but only if the bucket policy also allows the access.
D.No, because the condition requires the IP to be in 10.0.0.0/16.
AnswerA

The IP falls within the allowed CIDR.

Why this answer

Option A is correct because the policy allows s3:GetObject on the bucket when the source IP is within 10.0.0.0/16. The user's IP 10.0.1.5 is within that range. Option B is incorrect because the IP is in the allowed range.

Option C is incorrect because, within the same account, an allow in the user's identity-based policy is sufficient on its own; the bucket policy matters only if it contains an explicit deny, which would override this allow. Option D is incorrect because the condition does require 10.0.0.0/16, and 10.0.1.5 satisfies it.

29
MCQeasy

A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?

A.s3:x-amz-server-side-encryption equals AES256
B.s3:x-amz-server-side-encryption-aws-kms-key-id equals alias/aws/s3
C.aws:SecureTransport equals true
D.s3:object-lock-mode equals GOVERNANCE
AnswerA

Correct. This condition ensures that the request includes the header specifying SSE-S3 encryption.

Why this answer

Option A is correct because the condition key `s3:x-amz-server-side-encryption` exposes the request's `x-amz-server-side-encryption` header, and `AES256` is the value that selects SSE-S3. A Deny statement with `StringNotEquals` on that key rejects uploads that carry a different value such as `aws:kms`; because a negated operator also matches when the key is absent, it rejects uploads with no header as well, and the canonical form of this policy adds a second Deny with `Null: {"s3:x-amz-server-side-encryption": "true"}` so that case is handled explicitly. One caveat for practice: since January 2023 S3 applies SSE-S3 by default to every new object, so this policy mostly serves to reject clients that ask for a different mode, and it will also turn away clients that omit the header and rely on default encryption.

Exam trap

The trap here is that candidates often confuse the condition key for SSE-S3 (`s3:x-amz-server-side-encryption` with value `AES256`) with the condition key for SSE-KMS (`s3:x-amz-server-side-encryption-aws-kms-key-id`), or mistakenly think `aws:SecureTransport` enforces encryption at rest instead of in transit.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` is used to enforce a specific KMS key ID for SSE-KMS, not for SSE-S3; using `alias/aws/s3` would require SSE-KMS, not SSE-S3. Option C is wrong because `aws:SecureTransport` checks whether the request uses HTTPS (TLS), which enforces encryption in transit, not encryption at rest. Option D is wrong because `s3:object-lock-mode` is used to enforce S3 Object Lock governance mode, which prevents object deletion or overwrite, and has nothing to do with encryption at rest.
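Questions 17, 21, 28 and 29 all turn on the same evaluation rules: an explicit Deny beats any Allow, a same-account request needs an Allow from either the identity policy or the bucket policy, a cross-account request needs both, and conditions such as `IpAddress`, `StringNotEquals` and `Null` decide whether a statement applies at all. The following is an added example, not code from the page or from AWS: a small model of that logic, run against the policies those questions describe. The role and bucket ARNs are placeholders, and only the four condition operators the questions use are modelled.

```python
import ipaddress
import re

ROLE_ARN = "arn:aws:iam::222222222222:role/reader"   # requesting principal (placeholder)
BUCKET_ARN = "arn:aws:s3:::example-bucket"           # placeholder bucket


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (subset of operators)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted          # an absent key satisfies a negated operator
            elif operator == "Null":
                ok = (actual is None) == (wanted[0].lower() == "true")
            elif operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def _applies(stmt, req):
    principal = stmt.get("Principal", "*")         # identity policies carry no Principal
    principal_ok = principal == "*" or any(
        _wild(p, req["principal"]) for p in _as_list(principal.get("AWS", [])))
    return (principal_ok
            and any(_wild(a, req["action"]) for a in _as_list(stmt["Action"]))
            and any(_wild(r, req["resource"]) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), req["context"]))


def evaluate(req, identity_policy=None, resource_policy=None, same_account=True):
    """Return "ALLOW" or "DENY". An explicit Deny in any applicable statement wins.
    Within one account an Allow from either policy is enough; across accounts the
    identity policy AND the resource policy must both allow the request."""
    allowed_by = set()
    for kind, policy in (("identity", identity_policy), ("resource", resource_policy)):
        for stmt in (policy or {}).get("Statement", []):
            if _applies(stmt, req):
                if stmt["Effect"] == "Deny":
                    return "DENY"
                allowed_by.add(kind)
    required = {"identity", "resource"} if not same_account else set()
    return "ALLOW" if allowed_by and required <= allowed_by else "DENY"


def request(action, sse_header=None, source_ip="10.0.1.5", principal=ROLE_ARN):
    """Build a request; sse_header models the x-amz-server-side-encryption header."""
    ctx = {"aws:SourceIp": source_ip}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return {"action": action, "resource": BUCKET_ARN + "/report.csv",
            "principal": principal, "context": ctx}


# Identity policy attached to the requesting principal (question 28's aws:SourceIp condition).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}

# Bucket policy that refuses uploads not marked SSE-S3 (question 29). Its explicit
# Denies override the identity Allow above (question 21). The Null statement makes
# the missing-header case explicit instead of relying on StringNotEquals semantics.
SSE_S3_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Bucket policy in another account granting the role read access (question 17).
CROSS_ACCOUNT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:GetObject",
     "Resource": BUCKET_ARN + "/*"}]}


if __name__ == "__main__":
    cases = {
        "PutObject with AES256 header": evaluate(request("s3:PutObject", "AES256"), IDENTITY_POLICY, SSE_S3_BUCKET_POLICY),
        "PutObject with aws:kms header": evaluate(request("s3:PutObject", "aws:kms"), IDENTITY_POLICY, SSE_S3_BUCKET_POLICY),
        "PutObject, header missing": evaluate(request("s3:PutObject"), IDENTITY_POLICY, SSE_S3_BUCKET_POLICY),
        "GetObject from 10.0.1.5": evaluate(request("s3:GetObject"), IDENTITY_POLICY),
        "GetObject from 192.0.2.7": evaluate(request("s3:GetObject", source_ip="192.0.2.7"), IDENTITY_POLICY),
        "cross-account, bucket policy only": evaluate(request("s3:GetObject"), None, CROSS_ACCOUNT_BUCKET_POLICY, same_account=False),
        "cross-account, both policies": evaluate(request("s3:GetObject"), IDENTITY_POLICY, CROSS_ACCOUNT_BUCKET_POLICY, same_account=False),
    }
    for name, verdict in cases.items():
        print(f"{verdict:5} {name}")
```

The model deliberately leaves out what real IAM adds on top (service control policies, permission boundaries, session policies, the key policy that an SSE-KMS bucket also consults), so a DENY here is a lower bound on what the real service would refuse, not a substitute for the IAM policy simulator.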

30
MCQeasy

A developer needs to allow an Amazon EC2 instance to send messages to an Amazon SQS queue. What is the most secure way to grant this access?

A.Create a bucket policy on S3 to allow EC2 to access SQS
B.Use a resource-based policy on the SQS queue allowing the EC2 instance's security group
C.Assign an IAM role to the EC2 instance with permissions to send messages to SQS
D.Create an IAM user and store the credentials in the application configuration file
AnswerC

Using an IAM role grants temporary credentials via instance metadata, which is secure.

Why this answer

The most secure approach is to assign an IAM role to the EC2 instance with a policy that allows sqs:SendMessage for the queue. This avoids hardcoding credentials.

31
MCQhard

Refer to the exhibit. A developer has attached this resource-based policy to an S3 bucket. The Lambda function 'my-function' is still getting access denied when trying to read objects from the bucket. What is the MOST likely reason?

A.The bucket name is incorrect in the policy.
B.The condition aws:SourceArn does not match the principal's ARN because the principal is the Lambda execution role, not the function.
C.The Lambda function's execution role does not have s3:GetObject permission.
D.The policy denies s3:GetObject for the Lambda function.
AnswerB

The condition keys on the function's ARN, but the request is made by the execution role, so the condition never matches.

Why this answer

Option B is correct because `aws:SourceArn` is populated only when an AWS service makes a request on behalf of one of its resources (the confused-deputy case, such as the Lambda service reading a function's event source). When the function's own code calls S3, the request is signed with the execution role's credentials: the principal is `arn:aws:iam::123456789012:role/my-function-role`, and `aws:SourceArn` is not present in the request context at all. A condition expecting it to equal `arn:aws:lambda:us-east-1:123456789012:function:my-function` therefore never matches, the Allow statement does not apply, and the request is denied. The fix is to name the execution role ARN as the Principal (or use an `aws:PrincipalArn` condition) rather than an `aws:SourceArn` condition.

Exam trap

The trap here is that candidates assume `aws:SourceArn` identifies the Lambda function making the call, when it identifies the resource on whose behalf an AWS service acts; code running inside the function acts as the execution role, so the bucket policy has to match the role.

How to eliminate wrong answers

Option A is wrong because a bucket policy is attached to, and evaluated for, the bucket it is placed on; the question states that this policy is on the bucket being read, so a mismatched name is not the cause. Option C is wrong because, within a single account, an Allow in the bucket policy is sufficient on its own; the missing piece is that the policy's condition never matches, not the execution role's own permissions. Option D is wrong because the policy contains an Allow for `s3:GetObject` for the function and no Deny statement; the denial comes from no statement applying, not from an explicit deny.

32
Drag & Dropmedium

Drag and drop the steps to implement a disaster recovery plan using cross-region replication for S3 in the correct order.


Why this order

Create the source and destination buckets, enable versioning on both (replication requires it), create the IAM role that S3 Replication will assume with permission to read the source and write replicas into the destination, then configure the replication rule on the source bucket referencing that role. The role has to exist before the rule can be saved, which is why permissions come before the rule rather than after it.

33
MCQeasy

A developer needs to grant an IAM user access to list objects in an S3 bucket named 'app-data'. Which IAM policy statement should be used?

A.{"Effect":"Allow","Action":"s3:*","Resource":"*"}
B.{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}
C.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::app-data"}
D.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::app-data/*"}
AnswerC

ListBucket is the correct action to list objects in a bucket.

Why this answer

Option C is correct because the s3:ListBucket action is required to list the objects in an S3 bucket, and the resource ARN must specify the bucket itself (arn:aws:s3:::app-data) without a trailing /*. This grants permission to list the contents of the 'app-data' bucket, which is the exact requirement.

Exam trap

The trap here is that candidates often confuse s3:ListBucket (bucket-level action) with s3:GetObject (object-level action) or incorrectly apply the resource ARN with a trailing '/*' for bucket-level permissions.

How to eliminate wrong answers

Option A is wrong because it grants full administrative access to all S3 actions on all resources, which violates the principle of least privilege and is overly permissive for the specific task of listing objects. Option B is wrong because s3:ListAllMyBuckets lists all buckets in the account, not the objects within a specific bucket, and the resource '*' does not restrict to 'app-data'. Option D is wrong because s3:GetObject is used to retrieve an object's data, not to list objects; additionally, the resource ARN includes a trailing '/*' which refers to objects within the bucket, not the bucket itself.

34
Multi-Selecthard

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline must deploy to multiple AWS accounts. Which THREE components are required to securely deploy across accounts?

A.The pipeline's service role must have a trust policy allowing it to assume the target account role.
B.An IAM role in the target account with permissions to deploy resources.
C.A CodeCommit repository in each account.
D.An S3 artifact bucket that the pipeline can access in the target account.
E.A customer managed KMS key to encrypt artifacts.
AnswersA, B, D

Without trust, the pipeline cannot assume the role.

Why this answer

To deploy across accounts you need an IAM role in the target account that holds the deployment permissions (B); the pipeline's service role must be able to assume it, which means the target role's trust policy names the pipeline account and the service role holds sts:AssumeRole on that role (A); and the target role must be able to read the pipeline's artifacts, which is granted through the artifact bucket's policy (D). (C) is not required; CodeCommit is just one possible source and lives in a single account. (E) is treated as optional here, but note that in practice a cross-account pipeline's artifact store must be encrypted with a customer managed KMS key, because the AWS managed S3 key cannot be shared with the target account; check the artifact store's encryption before relying on this answer in a real build.

35
MCQhard

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

A.A policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint
B.A policy that grants secretsmanager:GetSecretValue for all secrets in the account
C.A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for aws:SourceIp
D.A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for ec2:Vpc
AnswerA

Correct. This provides least privilege and restricts access to requests coming through the VPC endpoint.

Why this answer

Option A is correct because it grants the minimum required permission (secretsmanager:GetSecretValue) scoped to the specific secret ARN, and uses the aws:SourceVpce condition key to restrict access to the VPC endpoint used by the Lambda function. This ensures that only requests originating from the specified VPC endpoint can retrieve the secret, aligning with the principle of least privilege and the requirement that the Lambda function runs in a VPC.

Exam trap

The trap here is that candidates often confuse aws:SourceIp with VPC-based access control, not realizing that Lambda functions in a VPC use private IPs and require VPC endpoint conditions (aws:SourceVpce or aws:SourceVpc) instead of IP-based conditions.

How to eliminate wrong answers

Option B is wrong because it grants secretsmanager:GetSecretValue on every secret in the account, which violates the principle of least privilege. Option C is wrong because a Lambda function in a VPC does not present a usable public source address: requests that arrive through a VPC endpoint carry no `aws:SourceIp` at all (the private address is exposed as `aws:VpcSourceIp` instead), and a function without an endpoint reaches the API through a NAT gateway whose address is shared by everything behind it. Option D is wrong because `ec2:Vpc` is not a valid condition key for Secrets Manager; the keys for VPC restrictions are `aws:SourceVpce` (a specific endpoint) and `aws:SourceVpc` (any endpoint in the VPC).

36
Multi-Selectmedium

A developer is creating an IAM policy to allow access to an Amazon DynamoDB table. The policy must allow the user to read and write items, but not to delete the table or modify its schema. Which TWO DynamoDB actions should be included in the policy?

A.UpdateTable
B.Scan
C.GetItem
D.DeleteTable
E.PutItem
AnswersC, E

GetItem reads a single item from the table.

Why this answer

GetItem and PutItem are the actions for reading and writing individual items. DeleteTable and UpdateTable are administrative actions that should not be allowed.

37
MCQeasy

A developer needs to grant least-privilege access to a Lambda function to write logs to CloudWatch Logs. Which IAM policy effect should be used?

A.Always allow
B.Allow
C.Deny
D.Revoke
AnswerB

Allow grants the specified permissions.

Why this answer

Option B is correct because the policy must explicitly allow the actions the function needs, which for CloudWatch Logs are logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the set in the AWSLambdaBasicExecutionRole managed policy), scoped to the function's log group. Option A is wrong because "Always allow" is not an IAM effect; the only two values are Allow and Deny. Option C is wrong because Deny blocks the action rather than granting it. Option D is wrong because Revoke is not an IAM policy effect.

38
MCQmedium

A company is using AWS CodeCommit for source control. Developers need to access the repository from their local machines. Which authentication method is recommended for secure access?

A.Use IAM user name and password for Git credentials.
B.Use IAM access key and secret key for authentication.
C.Use Amazon Cognito user pools for authentication.
D.Generate and use SSH keys paired with an IAM user.
AnswerD

SSH keys are secure and recommended for CodeCommit.

Why this answer

Option D is correct because an SSH public key uploaded to the IAM user lets Git authenticate over SSH with the private key on the workstation, so no password or long-term access key is stored in the Git configuration. Option A is wrong because the IAM console password is for console sign-in, not for Git (CodeCommit's HTTPS path uses separate Git credentials). Option B is wrong because long-term access keys are the riskiest credential to keep on a workstation; if HTTPS is required, git-remote-codecommit with temporary credentials from an assumed role is the better choice. Option C is wrong because Cognito authenticates application end users, not developers accessing a repository. Note that CodeCommit has been closed to new customers since July 2024; existing repositories keep working.

39
MCQhard

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout error after 30 seconds. The developer checked the Lambda logs and saw that the function is making network calls to the database but never receives a response. What is the MOST likely cause?

A.The Lambda function memory is insufficient; increase memory to 1024 MB.
B.The Lambda function timeout is set too low; increase it to 5 minutes.
C.The Lambda function is not attached to a VPC with a NAT gateway or VPC endpoints for Secrets Manager.
D.The database credentials are incorrect; the rotation function cannot authenticate.
AnswerC

Lambda needs network connectivity to both the database and Secrets Manager; without a NAT gateway or VPC endpoints, it cannot reach Secrets Manager.

Why this answer

Option C is correct because a Lambda function attached to a VPC has no internet path of its own; it needs a NAT gateway (or a Secrets Manager VPC interface endpoint) to reach the Secrets Manager API, and its security group and subnet routes must also allow it to reach the database. Calls that hang until the function times out, instead of failing immediately, are the signature of a missing network path. Options A and B are wrong because more memory or a longer timeout only makes the function wait longer for a response that will never arrive. Option D is wrong because wrong credentials produce an authentication error from the database, not a silent timeout.

40
Multi-Selecthard

Which THREE are best practices for managing IAM users and roles? (Choose three.)

Select 3 answers
A.Rotate IAM user access keys periodically.
B.Grant least privilege permissions.
C.Use IAM roles for EC2 instances instead of storing access keys.
D.Use the root account for daily administrative tasks.
E.Assign full administrator access to all users.
AnswersA, B, C

Limits exposure of compromised keys.

Why this answer

Options A, B, and C are correct. Option A: rotating access keys regularly limits the window in which a leaked key is useful. Option B: least privilege limits what any one identity can do if it is compromised. Option C: an instance role delivers short-lived credentials through the instance metadata service, so nothing long-lived is stored on the host. Option D is wrong because the root user should be reserved for the few tasks that require it and protected with MFA. Option E is wrong because blanket administrator access contradicts least privilege.

41
MCQhard

A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?

A.Bucket policy in Account B granting s3:GetObject to the IAM user ARN, and an IAM policy in Account A allowing s3:GetObject.
B.Bucket policy in Account B granting s3:GetObject to Account A's root user ARN, and an IAM policy in Account A allowing s3:GetObject.
C.Bucket policy in Account B granting s3:GetObject to the IAM user ARN, and no IAM policy in Account A is needed.
D.IAM policy in Account A allowing s3:GetObject, and an S3 Access Point in Account B configured for cross-account access.
AnswerA

This combination satisfies the cross-account access requirement: the bucket policy allows the specific user, and the IAM policy permits the user to use the permission.

Why this answer

Option A is correct because cross-account S3 access requires both a bucket policy in the resource account (Account B) that explicitly grants the IAM user ARN from Account A the s3:GetObject permission, and an IAM policy in the user's account (Account A) that allows the same action. The bucket policy acts as a resource-based policy that authorizes the cross-account principal, while the IAM policy is necessary to authorize the user to make the request. SSE-S3 encryption does not require additional configuration because S3 handles decryption automatically for authorized users.

Exam trap

The trap here is that candidates often think only a bucket policy is needed for cross-account access, forgetting that the IAM user must also have an explicit allow in their own account's IAM policy to actually invoke the S3 API call.

How to eliminate wrong answers

Option B is wrong for this question because granting the bucket policy to Account A's root (`arn:aws:iam::111111111111:root`) delegates access to the whole account and leaves it to Account A's administrators to scope it down with IAM policies; it does not confer root-level permissions, but it is broader than granting the single user the question asks about. Option C is wrong because without an IAM policy in Account A allowing s3:GetObject, the user has no permission to make the request, even though the bucket policy would accept it; cross-account access needs both policies. Option D is wrong because an S3 Access Point in Account B can simplify cross-account access but still needs the bucket to delegate to the access point and the access point policy to grant the principal, and the IAM user in Account A still needs an IAM policy allowing s3:GetObject; the access point alone does not remove the need for both sides to allow the request.

42
MCQhard

A company has an S3 bucket configured with server-side encryption using AWS KMS (SSE-KMS). An application running on EC2 with an appropriate IAM role is unable to write objects to the bucket. The error message indicates an access denied error. Which additional permission is most likely required?

A.kms:GenerateDataKey
B.kms:Decrypt
C.kms:Encrypt
D.kms:ReEncrypt
AnswerA

Required by S3 to encrypt the object with SSE-KMS.

Why this answer

Option A is correct because when an object is written with SSE-KMS, S3 calls kms:GenerateDataKey on the caller's behalf to obtain a fresh data key: it receives the plaintext copy to encrypt the object and the encrypted copy to store alongside it. Without that permission on the key the PutObject fails with AccessDenied. Option B is wrong because kms:Decrypt is what S3 needs when the object is read back (and during multipart uploads), not for a plain write. Option C is wrong because S3 never calls kms:Encrypt for SSE-KMS; it uses envelope encryption through GenerateDataKey. Option D is wrong because kms:ReEncrypt only re-wraps an existing ciphertext under another key and plays no part in an upload.

Two checks a practitioner would make: the key policy must also allow the role, either directly or through the account's default IAM-delegation statement, and the IAM grant should be scoped to the key ARN with a kms:ViaService condition for s3.<region>.amazonaws.com so the role cannot use the key outside S3.

43
MCQeasy

Which AWS service provides a managed, rotating secret store for database credentials?

A.AWS Secrets Manager
B.AWS KMS
C.AWS IAM Roles
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager provides automatic rotation for supported databases.

Why this answer

AWS Secrets Manager is the correct service because it is specifically designed to manage the entire lifecycle of secrets, including automatic rotation of database credentials on a configurable schedule (e.g., every 30 days). It natively integrates with Amazon RDS, Aurora, Redshift, and DocumentDB to rotate credentials without application downtime, using a built-in Lambda rotation function. This makes it the only fully managed, rotating secret store among the options.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets) with Secrets Manager, but Parameter Store lacks native automatic rotation, making Secrets Manager the only correct answer for a managed rotating secret store.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not a secret store; it does not store or rotate database credentials. Option C (AWS IAM Roles) is wrong because IAM roles provide temporary credentials for AWS service access via the AWS STS, but they are not a secret store and cannot store or rotate static database passwords. Option D (AWS Systems Manager Parameter Store) is wrong because while it can store secrets as SecureString parameters, it does not provide native automatic rotation of database credentials; rotation must be implemented manually or via custom automation.

44
Multi-Selecthard

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should be taken?

Select 3 answers
A.Add a condition in the key policy that allows decrypt only when the principal matches the desired IAM roles.
B.Grant all IAM users decrypt permission and rely on S3 bucket policies.
C.Create an IAM policy that grants kms:Decrypt only to the specific roles.
D.Create a customer-managed customer master key (CMK) in KMS.
E.Use separate CMKs for each IAM role to isolate access.
AnswersA, C, D

Conditions can restrict decryption to specific roles.

Why this answer

Option A is correct because the key policy is the resource-based policy of the KMS key and every request to use the key is checked against it. A statement that allows `kms:Decrypt` with a Condition such as `ArnLike` on `aws:PrincipalArn` listing the approved role ARNs grants decrypt to those roles and no one else (for a role session the context value is the role ARN, not the session ARN). Options C and D complete the picture: a customer managed key is needed because the key policy of an AWS managed key such as aws/s3 cannot be edited, and the IAM policy attached to the approved roles is what lets them make the call at all. Two caveats a practitioner should know: key policies and IAM policies are evaluated together, and an explicit Deny in either wins; and if the key policy keeps the default statement that grants kms:* to the account root, any principal in the account whose IAM policy grants `kms:Decrypt` can still decrypt, so "only these roles" holds only if that statement is removed or an explicit Deny with `ArnNotLike` on `aws:PrincipalArn` is added.

Exam trap

The trap here is that candidates think IAM policies alone control access to a KMS key. The key policy is the primary control: an IAM policy can grant access to a key only if the key policy contains a statement that delegates to the account (the default `"Principal": {"AWS": "arn:aws:iam::ACCOUNT-ID:root"}` statement with `kms:*`). If that statement is absent, an IAM allow for `kms:Decrypt` has no effect and the request is denied.

45
Multi-Selectmedium

A developer is designing a system that must meet the following security requirements: (1) Encrypt data at rest in S3, (2) Automatically rotate encryption keys annually, (3) Use an encryption key that is managed by AWS. Which services or features should the developer use? (Choose TWO.)

Select 2 answers
A.SSE-C
B.SSE-KMS
C.SSE-S3
D.AWS CloudHSM
E.Client-side encryption with AWS KMS
AnswersB, C

KMS-managed keys, supports rotation.

Why this answer

Options B (SSE-KMS) and C (SSE-S3) are correct because both encrypt objects at rest with keys that AWS manages. SSE-S3 uses keys that S3 itself owns and rotates. SSE-KMS with the AWS managed key aws/s3 is rotated by AWS annually, and a customer managed KMS key can have automatic annual rotation switched on; either way the key material lives in KMS and rotation needs no application change.

Option A (SSE-C) is wrong because the customer supplies the key with every request and AWS never stores it. Option D (CloudHSM) is wrong because the keys live in an HSM cluster that the customer administers, which is not an AWS-managed key. Option E (client-side encryption with KMS) is wrong because the application, not S3, performs the encryption and handles the data keys, so it is not server-side encryption at rest in S3.

46
MCQmedium

A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption equals 'aws:kms'
B.s3:x-amz-server-side-encryption-aws-kms-key-id equals the KMS key ARN
C.s3:x-amz-acl equals 'bucket-owner-full-control'
D.s3:signatureversion equals 'AWS4-HMAC-SHA256'
AnswerA

Correct. This condition ensures that the request includes the required encryption header with value aws:kms.

Why this answer

Option A is correct because `s3:x-amz-server-side-encryption` is the condition key that exposes the value of the `x-amz-server-side-encryption` request header. Used in a Deny statement for s3:PutObject with `StringNotEquals` set to `aws:kms`, it rejects any upload whose header carries a different value; in practice the policy pairs it with a second Deny using `"Null": {"s3:x-amz-server-side-encryption": "true"}` so that uploads that omit the header entirely are rejected as well. The check happens at the bucket policy level, before the object is stored.

Exam trap

The trap here is that candidates often confuse the condition key for the encryption header (`s3:x-amz-server-side-encryption`) with the condition key for the KMS key ID (`s3:x-amz-server-side-encryption-aws-kms-key-id`), mistakenly choosing Option B to enforce SSE-KMS instead of the correct header-based condition.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` checks for a specific KMS key ARN, not the encryption header value; it would allow requests with any SSE-KMS key but does not enforce the header itself. Option C is wrong because `s3:x-amz-acl` controls access control lists (ACLs), not encryption requirements; it is unrelated to server-side encryption enforcement. Option D is wrong because `s3:signatureversion` checks the signature version used in the request (e.g., AWS Signature Version 4), which is about request authentication, not encryption headers.

47
MCQhard

A company wants to audit all API calls made to AWS. Which service should be used to collect and store these logs?

A.VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls made through the console, CLI and SDKs, with caller identity, source IP, time and request parameters, and delivers the logs to an S3 bucket (and optionally to CloudWatch Logs) for retention and analysis. Management events are recorded by default; data-plane calls such as S3 object operations and Lambda invocations are data events that must be enabled on the trail, which matters for an "all API calls" requirement. Option A (VPC Flow Logs) is wrong because it captures network flow metadata (addresses, ports, bytes), not API calls. Option B (AWS Config) is wrong because it records resource configuration state and changes, not who called which API. Option D (CloudWatch Logs) is wrong because it is a log storage and query service; it can receive CloudTrail events but does not produce them.

48
Multi-Selecthard

Which TWO security best practices should be applied when using AWS Lambda? (Choose TWO.)

Select 2 answers
A.Attach an IAM execution role with least privilege permissions.
B.Enable CloudWatch Logs for the Lambda function.
C.Hardcode database credentials in the function code.
D.Store sensitive data in Lambda environment variables.
E.Use AWS Secrets Manager to retrieve secrets at runtime.
AnswersA, E

Execution roles grant necessary permissions; least privilege minimizes risk.

Why this answer

Option A is correct because AWS Lambda requires an IAM execution role that defines the permissions the function has when interacting with other AWS services. The principle of least privilege dictates that this role should grant only the specific actions and resources needed for the function's intended purpose, minimizing the potential blast radius if the function is compromised.

Exam trap

The trap here is that candidates confuse operational good practice (enabling CloudWatch Logs) with a security control, or assume environment variables are a safe place for secrets because they do not appear in the code. They are not: anyone with lambda:GetFunctionConfiguration can read them in plaintext, they are shown in the console, and they end up in whatever template deployed the function, whereas a secret fetched from Secrets Manager at runtime is never stored on the function and is protected by the secret's own IAM and KMS controls.

49
MCQeasy

A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?

A.A principal of the root user of the other account with s3:GetObject.
B.A principal of any user with a condition for the account ID.
C.A principal of the other account's root ARN with s3:ListBucket and s3:GetObject.
D.A principal of 'arn:aws:iam::OTHER-ACCOUNT-ID:root' with s3:GetObject and s3:ListBucket.
AnswerD

Correct. This grants the entire account read-only access to the bucket.

Why this answer

Option D is correct because a principal of `arn:aws:iam::OTHER-ACCOUNT-ID:root` delegates the grant to the trusted account as a whole: every IAM user and role in that account can use it, provided their own IAM policies also allow the action, so the bucket owner does not need to know or create any identity in the other account. s3:ListBucket (on the bucket ARN) and s3:GetObject (on the bucket ARN followed by /*) together are what read-only access needs. The same effect can be written with just the account ID as the principal; both forms mean the account, not the root user in particular.

Exam trap

The trap here is the principal format. `arn:aws:iam::OTHER-ACCOUNT-ID:root` (or the bare account ID) names the account and delegates to every identity in it, whereas an IAM user ARN names one identity. A second detail that trips candidates is the resource: s3:ListBucket applies to the bucket ARN and s3:GetObject to the objects (bucket ARN followed by /*), so a statement that puts both actions on a single resource ARN silently misses one of them.

How to eliminate wrong answers

Option A is wrong because s3:GetObject alone lets a caller fetch objects whose keys it already knows but not list the bucket, which read-only access is normally expected to include. Option B is wrong because a wildcard principal narrowed by an account-ID condition (aws:PrincipalAccount) is an indirect way of saying the same thing and is easy to get wrong; the question asks for the account to be named as the principal. Option C describes the same root ARN as Option D, so the two are the same grant; the answer key treats D, which spells out the exact ARN string, as the intended choice.

50
Multi-Selecteasy

A developer wants to ensure that an S3 bucket is not publicly accessible. Which TWO measures should the developer implement?

Select 2 answers
A.Enable S3 server access logging.
B.Enable versioning on the bucket.
C.Enable default encryption on the bucket.
D.Review the bucket policy to ensure it does not allow public access.
E.Enable S3 Block Public Access settings on the bucket.
AnswersD, E

A bucket policy could grant public access even if Block Public Access is off; removing public grants is essential.

Why this answer

Options D and E are correct. Enabling S3 Block Public Access (E) on the bucket, and normally at the account level too, stops public ACLs and public bucket policies from being applied or honoured, and reviewing the bucket policy (D) removes any existing statement with `"Principal": "*"` (or `{"AWS": "*"}`) that grants access without a narrowing condition. Option A (server access logging) only records requests. Option B (versioning) protects against overwrites and deletes. Option C (default encryption) protects data at rest; none of the three changes who can reach the bucket. IAM Access Analyzer for S3 is a quick way to confirm the result: it lists every bucket that is still public or shared outside the account.

51
Multi-Selecteasy

Which THREE practices help protect data at rest in Amazon S3?

Select 3 answers
A.Enable versioning.
B.Enable MFA Delete.
C.Enable server-side encryption for the bucket.
D.Enable cross-region replication.
E.Use bucket policies to deny uploads without encryption headers.
AnswersB, C, E

MFA Delete requires multi-factor authentication to delete objects, adding a layer of protection.

Why this answer

B is correct because MFA Delete requires the bucket owner's MFA code to permanently delete an object version or to change the bucket's versioning state, which protects stored data from accidental or malicious destruction; it requires versioning and can only be enabled by the root user through the CLI or API. C is correct because server-side encryption (SSE-S3 or SSE-KMS) encrypts every stored object. E is correct because a bucket policy that denies s3:PutObject without the encryption header guarantees that no object is ever stored unencrypted, instead of relying on each client to ask for encryption.

Exam trap

The trap here is that candidates often confuse versioning (which provides data protection through object recovery) with data-at-rest security (which requires encryption or access controls like MFA Delete), leading them to select versioning as a valid practice for protecting data at rest.

52
MCQhard

A developer is using an S3 bucket to store sensitive files. The bucket policy includes a condition that requires TLS for all requests. A user reports that they can access the bucket via the AWS Management Console but not via an application using HTTP. What is the likely issue?

A.The application is using an expired IAM access key.
B.The bucket policy denies HTTP requests via aws:SecureTransport condition.
C.The S3 bucket is in a different region.
D.The application is not signing requests with Signature Version 4.
AnswerB

Console uses HTTPS, application uses HTTP.

Why this answer

The bucket policy carries a Deny with `"Bool": {"aws:SecureTransport": "false"}`. The console, CLI and SDKs send requests over HTTPS, so the condition is not met and the user's Allow applies; the application was configured with an http:// endpoint, so `aws:SecureTransport` is false and the explicit Deny wins over every Allow. The fix is to point the application at the HTTPS endpoint, not to relax the policy; an http:// `--endpoint-url` reproduces the same AccessDenied from the CLI.

53
MCQmedium

A company's S3 bucket contains sensitive data. The security team requires that all data be encrypted at rest. Which combination of actions will enforce encryption for all objects written to the bucket?

A.Enable default encryption on the bucket and apply a bucket policy that denies PutObject if the x-amz-server-side-encryption header is missing or set to None.
B.Use bucket ACLs to grant write access only to users who use encryption.
C.Enable default encryption on the bucket and use bucket ACLs to restrict access.
D.Create an AWS KMS key and attach a key policy that requires encryption.
AnswerA

This enforces encryption on all writes.

Why this answer

Option A is correct because the two measures cover different cases: default encryption makes S3 encrypt any object whose PutObject carries no encryption header, and the Deny statement rejects requests that explicitly ask for no encryption (or, in the stricter form, for any algorithm other than the required one), so nothing reaches the bucket unencrypted. Since January 2023 S3 applies SSE-S3 to new objects by default, so the baseline is already met; the bucket policy is what enforces a specific choice such as SSE-KMS. Options B and C are wrong because ACLs grant or deny access to principals and know nothing about encryption headers. Option D is wrong because a KMS key policy controls who may use the key; it cannot require S3 to encrypt uploads.

54
Multi-Selectmedium

A company is implementing a CI/CD pipeline using AWS CodePipeline and CodeBuild. The pipeline deploys a serverless application. Which TWO actions should be taken to securely manage the database credentials used by the application?

Select 2 answers
A.Embed the credentials in the Lambda function code.
B.Store the credentials in the buildspec.yml file in the CodeCommit repository.
C.Pass the credentials as CloudFormation parameters during deployment.
D.Use AWS Lambda environment variables with encryption using a KMS key.
E.Use AWS Secrets Manager to store the credentials and retrieve them in CodeBuild using an IAM role.
AnswersD, E

Lambda can encrypt environment variables with KMS and decrypt at runtime.

Why this answer

Option D is correct because AWS Lambda environment variables can be encrypted at rest using a KMS key, providing a secure way to store sensitive data like database credentials without hardcoding them in the function code. This approach ensures that the credentials are decrypted only when the Lambda function executes, and access to the KMS key can be controlled via IAM policies. Option E is also correct because AWS Secrets Manager is a dedicated service for managing secrets throughout their lifecycle, and CodeBuild can retrieve them securely using an IAM role with appropriate permissions, eliminating the need to store secrets in code or configuration files.

Exam trap

The trap here is that candidates may think CloudFormation parameters (Option C) are safe because the value is not in the code, but a parameter is visible in plaintext in the stack's parameter view, change sets and API responses unless it is declared with NoEcho, and even then the value lands wherever the template puts it (a Lambda environment variable, for instance). Parameters have no rotation or audit trail of their own, which Secrets Manager provides; the supported pattern is to pass the secret's ARN, or a `{{resolve:secretsmanager:<secret-id>}}` dynamic reference, and let the application or service resolve it.

55
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they can access objects in the S3 bucket from their office IP address (192.0.2.15) but cannot access from home (203.0.113.5). What is the most likely reason?

A.The policy requires requests to originate from a VPC.
B.The bucket policy does not allow the user.
C.The policy restricts access based on source IP address.
D.The policy denies all s3:GetObject actions.
AnswerC

The condition limits access to the specified IP range.

Why this answer

Option C is correct because the policy's Allow statement carries an `IpAddress` condition on `aws:SourceIp` for 192.0.2.0/24: the office address 192.0.2.15 falls inside that range, so the statement applies, while 203.0.113.5 does not, so no Allow matches and the request is denied by default. Option A is wrong because a VPC restriction would use `aws:SourceVpc` or `aws:SourceVpce`, not an IP range. Option B is wrong because access works from the office, which shows the user is authorised; only the source address changed. Option D is wrong for the same reason: a deny on all s3:GetObject would fail from both locations.

Practitioner's note: `aws:SourceIp` is the public address AWS sees, so requests from behind a NAT or proxy carry that device's address, and requests that arrive through a VPC endpoint have no `aws:SourceIp` at all (`aws:VpcSourceIp` applies there).
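The policy mechanics behind questions 44, 46, 52, 53 and 55 (key policy versus IAM policy for a KMS key; Deny statements keyed on s3:x-amz-server-side-encryption and aws:SecureTransport; an aws:SourceIp condition) are easier to reason about with a small simulator. The following is an added example written for this page, not AWS code and not a complete IAM implementation: it covers only the operators these questions use, and the account ID, ARNs, role and bucket names are hypothetical.

```python
"""Added illustration (not an AWS library): a minimal IAM-style policy evaluator.
A statement applies when Principal, Action, Resource and Condition all match the request;
an explicit Deny in any applicable policy wins; otherwise some statement must Allow.
Every account id, ARN, bucket name and role name below is hypothetical."""
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]  # policy JSON: string or list

def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(operator, expected, actual):
    """One operator against one single-valued context key (actual is None when absent)."""
    negate = "Not" in operator  # StringNotEquals, ArnNotLike, NotIpAddress
    base = operator.replace("IfExists", "").replace("Not", "")
    if base == "Null":  # Null:"true" holds when the key is absent from the request
        return (actual is None) == (str(expected).lower() == "true")
    if actual is None:  # absent key: only IfExists and negated operators match
        return operator.endswith("IfExists") or negate
    if base == "Bool":
        hit = str(actual).lower() == str(expected).lower()
    elif base == "IpAddress":
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in _as_list(expected))
    elif base in ("StringEquals", "ArnEquals"):
        hit = actual in _as_list(expected)
    elif base in ("StringLike", "ArnLike"):
        hit = _glob_any(expected, actual)
    else:
        raise ValueError(f"unsupported operator {operator}")
    return not hit if negate else hit

def _statement_applies(stmt, ctx):
    if not (_glob_any(stmt.get("Action", []), ctx["action"]) and _glob_any(stmt.get("Resource", "*"), ctx["resource"])):
        return False
    return all(_condition_holds(op, expected, ctx["context"].get(key))
               for op, pairs in stmt.get("Condition", {}).items() for key, expected in pairs.items())

def _principal_match(stmt, principal_arn):
    """'direct' if the statement names the caller (or '*'); 'account' if it names the caller's
    account root, i.e. delegates to that account's IAM policies; None otherwise."""
    principal = stmt.get("Principal", "*")
    if principal in ("*", {"AWS": "*"}):
        return "direct"
    account = principal_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry == principal_arn:
            return "direct"
        if entry in (account, f"arn:aws:iam::{account}:root"):
            return "account"
    return None

def evaluate(resource_policy, identity_policy, ctx, identity_suffices):
    """Return 'ALLOW' or 'DENY'.  identity_suffices=False models KMS (an identity-policy Allow counts
    only if the key policy delegates to the account root); True models a same-account S3 bucket."""
    ctx = {**ctx, "context": {"aws:PrincipalArn": ctx["principal"], **ctx["context"]}}
    allowed, delegated = False, identity_suffices
    for stmt in resource_policy.get("Statement", []):
        how = _principal_match(stmt, ctx["principal"])
        if how is None or not _statement_applies(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        allowed, delegated = allowed or how == "direct", delegated or how == "account"
    for stmt in identity_policy.get("Statement", []):
        if not _statement_applies(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        allowed = allowed or delegated
    return "ALLOW" if allowed else "DENY"

ACCOUNT = "111122223333"
ROLE_APP = f"arn:aws:iam::{ACCOUNT}:role/finance-app"
ROLE_OTHER = f"arn:aws:iam::{ACCOUNT}:role/batch-job"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET = "arn:aws:s3:::finance-data"
# Q44: ENABLE_IAM is the default key-policy statement that lets IAM policies in the account
# grant key use; DECRYPT_APP_ONLY allows kms:Decrypt to a single role, matched by ARN.
ENABLE_IAM = {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}
DECRYPT_APP_ONLY = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*",
                    "Condition": {"ArnLike": {"aws:PrincipalArn": ROLE_APP}}}
IAM_DECRYPT = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

def kms_decrypt(role, key_statements, identity_policy=None):
    ctx = {"principal": role, "action": "kms:Decrypt", "resource": KEY_ARN, "context": {}}
    return evaluate({"Statement": key_statements}, identity_policy or {"Statement": []}, ctx, False)

# Q46/Q52/Q53: two Denies refuse uploads that omit the SSE header or name another algorithm,
# a third refuses plain HTTP.  Q55: the identity policy allows only the office address range.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
IAM_S3_OFFICE = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*",
                                "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}

def s3_request(action, source_ip="192.0.2.15", https=True, sse=None):
    """One S3 request by ROLE_APP; sse is the value of the x-amz-server-side-encryption header."""
    context = {"aws:SourceIp": source_ip, "aws:SecureTransport": "true" if https else "false"}
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    ctx = {"principal": ROLE_APP, "action": action, "resource": f"{BUCKET}/report.csv", "context": context}
    return evaluate(BUCKET_POLICY, IAM_S3_OFFICE, ctx, True)
```

kms_decrypt(ROLE_OTHER, [DECRYPT_APP_ONLY], IAM_DECRYPT) returns DENY (the IAM grant is useless without delegation, question 44's trap), but kms_decrypt(ROLE_OTHER, [ENABLE_IAM, DECRYPT_APP_ONLY], IAM_DECRYPT) returns ALLOW: as long as the key policy keeps the default root statement, any role whose IAM policy grants kms:Decrypt can use the key, so "only these roles" needs that statement removed or an explicit Deny with ArnNotLike on aws:PrincipalArn. The S3 calls show the three Deny statements and the IP condition firing independently of each other: s3_request("s3:PutObject", sse="AES256"), s3_request("s3:GetObject", https=False) and s3_request("s3:GetObject", source_ip="203.0.113.5") all come back DENY.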

56
MCQeasy

A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?

A.Store the password in an encrypted Lambda environment variable using a customer-managed AWS KMS key
B.Store the password in AWS Systems Manager Parameter Store as a SecureString parameter
C.Store the password in AWS Secrets Manager and configure automatic rotation
D.Store the password in an Amazon S3 configuration file encrypted with server-side encryption
AnswerA

Lambda supports encrypting environment variables with a customer-managed KMS key, and the key can be rotated manually as needed.

Why this answer

Option A is correct because storing the password in a Lambda environment variable encrypted with a customer managed AWS KMS key meets the encryption-at-rest requirement with the least moving parts: Lambda encrypts the variable under that key and decrypts it for the function at invocation, so the code reads it like any other variable, and the key can be rotated manually (create a new key, repoint the alias, redeploy the variable so it is re-encrypted) or later with KMS automatic rotation. No extra service call sits on the invocation path. Access to the value still has to be governed by IAM on the function (lambda:GetFunctionConfiguration exposes it) and on the key.

Exam trap

The trap here is that candidates often assume AWS Secrets Manager is always the best choice for secrets, but the question explicitly requires minimal operational overhead and manual rotation, making the simpler Lambda environment variable with KMS the correct answer.

How to eliminate wrong answers

Option B is wrong because a SecureString parameter in Parameter Store does satisfy the encryption requirement (it can use a customer managed KMS key), but it adds a service call and IAM permissions to the function and offers nothing the question asks for beyond what the Lambda setting already provides, so it is not the minimal-overhead choice. Option C is wrong because AWS Secrets Manager with automatic rotation exceeds the requirement of minimal operational overhead and manual rotation; it is designed for automated rotation, not manual, and adds complexity and cost. Option D is wrong because storing the password in an Amazon S3 configuration file encrypted with server-side encryption (SSE) requires the Lambda function to fetch and decrypt the file from S3, adding latency, complexity, and potential security risks from managing file access, which is not minimal overhead.

57
MCQmedium

A developer is designing a serverless application using API Gateway, Lambda, and DynamoDB. The API must authenticate users using a JWT token. Which API Gateway feature should the developer use to validate the JWT before invoking the Lambda function?

A.Use an IAM authorizer with a resource policy.
B.Use an Amazon Cognito user pool authorizer.
C.Use a Lambda authorizer (custom authorizer).
D.Use an API Gateway resource policy to allow only authenticated IPs.
AnswerC

Lambda authorizer can validate any JWT.

Why this answer

Option C is correct because a Lambda authorizer lets the developer implement the JWT checks themselves (signature against the issuer's key, `exp`, `iss`, `aud` and any custom claims) and return an IAM policy that allows or denies `execute-api:Invoke` for the request before the backend Lambda function runs. For a REST API this is the only option that validates tokens from an arbitrary issuer: the built-in Cognito user pool authorizer accepts only tokens issued by a Cognito user pool. (HTTP APIs in API Gateway do have a built-in JWT authorizer that works with any OIDC/OAuth 2.0 issuer through its JWKS endpoint; the question is framed around REST APIs and a Lambda authorizer.) The returned policy is cached per token for a configurable TTL, which keeps the per-request cost down.

Exam trap

The trap here is that candidates often confuse the managed Cognito user pool authorizer (Option B) with the ability to validate any JWT, but the exam tests that the Cognito authorizer only works with Cognito-issued tokens, while a Lambda authorizer is required for custom or third-party JWT validation.

How to eliminate wrong answers

Option A is wrong because an IAM authorizer with a resource policy authenticates requests using AWS Signature Version 4, not JWT tokens, and is designed for AWS service-to-service or IAM user access, not for validating third-party JWTs. Option B is wrong because an Amazon Cognito user pool authorizer is a managed solution that validates JWTs issued only by a Cognito user pool; it cannot validate JWTs from other identity providers, which is the requirement in this scenario. Option D is wrong because an API Gateway resource policy controls access based on source IP addresses or AWS accounts, not on JWT token validation, and does not authenticate individual users.
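As an added example (not code from the page or from AWS), here is a REST API Lambda authorizer of the TOKEN type that validates a JWT with only the standard library. It assumes the identity provider signs with HS256 using a shared secret (SHARED_SECRET); the issuer, audience, claims and methodArn are constructed values. A third-party OIDC provider would normally sign with RS256, in which case the signature is checked against the issuer's JWKS instead of a shared secret and the remaining checks are unchanged.

```python
"""Added example: a REST API Lambda authorizer (TOKEN type) that validates an HS256 JWT
with the standard library only.  SHARED_SECRET, ISSUER, AUDIENCE and the event below
are hypothetical; a third-party OIDC IdP would sign with RS256 and you would verify
against its JWKS instead of a shared secret (the remaining checks are the same)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"hypothetical-shared-secret-fetched-from-secrets-manager"
ISSUER = "https://idp.example.com/"
AUDIENCE = "orders-api"

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims, secret=SHARED_SECRET, alg="HS256"):
    """Mint a token; used here only to construct sample input (alg='none' mints an unsigned one)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if algorithm, signature, expiry, issuer, audience and subject all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))
    except ValueError as exc:  # wrong segment count, bad base64 and bad JSON all land here
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm: the token must not choose it (alg=none, key confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or not claims.get("sub"):
        raise ValueError("wrong issuer, audience or subject")
    return claims

def policy(principal_id, effect, method_arn, context=None):
    """The response shape API Gateway expects from a REST API Lambda authorizer."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
            "context": context or {}}

def handler(event, _lambda_context=None):
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = verify_jwt(token)
    except ValueError:
        # A Deny policy yields 403; raising Exception("Unauthorized") would yield 401 instead.
        return policy("anonymous", "Deny", event["methodArn"])
    # Values placed in context reach the integration as $context.authorizer.<key>
    return policy(claims["sub"], "Allow", event["methodArn"], {"scope": claims.get("scope", "")})

def sample_event(exp_offset=300, alg="HS256", secret=SHARED_SECRET):
    """Constructed TOKEN-authorizer event carrying a freshly minted token."""
    claims = {"sub": "user-42", "iss": ISSUER, "aud": AUDIENCE, "scope": "orders:read",
              "exp": int(time.time()) + exp_offset}
    return {"type": "TOKEN", "authorizationToken": "Bearer " + make_jwt(claims, secret, alg),
            "methodArn": "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/orders"}
```

handler(sample_event()) returns an Allow policy for principal user-42; an expired token, a token with alg set to none, a token signed with a different secret and a token that is not a JWT at all each return a Deny policy. Two deployment details matter: API Gateway caches the returned policy keyed on the token (default TTL 300 seconds), so the policy's Resource should cover every method that token may legitimately call and the TTL should be shorter than the token lifetime; and the verifying key belongs in Secrets Manager or the provider's JWKS, never in the function's environment variables.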

58
Multi-Selectmedium

A company is using AWS Lambda functions that access an RDS database. Which THREE practices should be followed to secure the database credentials?

Select 3 answers
A.Use AWS Secrets Manager to store and automatically rotate the credentials.
B.Use a security group to decrypt the credentials.
C.Encrypt the credentials using AWS KMS and pass them as encrypted environment variables to Lambda.
D.Store the credentials in the Lambda function code.
E.Place the Lambda function inside a VPC and use a security group to allow access to RDS.
AnswersA, C, E

Secrets Manager provides secure storage and rotation.

Why this answer

Option A is correct because AWS Secrets Manager is designed to securely store, retrieve, and automatically rotate database credentials, eliminating the need to hardcode secrets. It integrates natively with RDS to manage credential rotation on a schedule you define, reducing the risk of credential exposure. This follows the AWS security best practice of using a dedicated secrets management service rather than embedding credentials in code or configuration.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with cryptographic operations, or assume that encrypting environment variables with KMS is sufficient, overlooking that Secrets Manager provides rotation and centralized audit capabilities that KMS alone does not.

59
MCQhard

A developer is using AWS KMS to encrypt data in an S3 bucket. The developer wants to ensure that the S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) by default. Which configuration should be applied?

A.Add a bucket policy that denies PutObject without the 'x-amz-server-side-encryption' header set to 'aws:kms'.
B.Configure the bucket to use SSE-C with a customer-provided key.
C.Set the bucket's default encryption to SSE-S3.
D.Set the bucket's default encryption to SSE-KMS with a KMS key.
AnswerD

This ensures default encryption uses KMS.

Why this answer

Option D is correct because setting the bucket's default encryption to SSE-KMS with a KMS key ensures that all objects uploaded to the S3 bucket are automatically encrypted using server-side encryption with AWS KMS managed keys (SSE-KMS). This configuration enforces encryption at rest without requiring the client to specify encryption headers in the request, meeting the requirement for default SSE-KMS encryption.

Exam trap

The trap here is that candidates often confuse enforcing encryption via a bucket policy (Option A) with setting a default encryption configuration, but the policy only denies non-compliant requests without establishing a default, whereas the default encryption setting automatically applies encryption to all objects regardless of request headers.

How to eliminate wrong answers

Option A is wrong because a bucket policy that denies PutObject without the 'x-amz-server-side-encryption' header set to 'aws:kms' enforces encryption on a per-request basis but does not set a default encryption configuration for the bucket; it only rejects requests that lack the header, leaving the bucket without a default encryption setting. Option B is wrong because SSE-C uses a customer-provided key, not an AWS KMS managed key, and is not the SSE-KMS method specified in the requirement. Option C is wrong because SSE-S3 uses Amazon S3 managed keys, not AWS KMS managed keys, and thus does not fulfill the requirement for SSE-KMS.

60
MCQmedium

A developer is deploying a web application on Amazon ECS with a Fargate launch type. The application needs to securely access an Amazon DynamoDB table. How should the developer grant permissions?

A.Store AWS credentials in the container image
B.Define a task role for the ECS task with DynamoDB permissions
C.Assign an IAM role to the ECS service and use it from the container
D.Use an EC2 instance profile and mount it to the container
AnswerB

The task role is assumed by the container and provides temporary credentials.

Why this answer

For an ECS task there are two roles, and they are easy to confuse. The task execution role is used by the ECS agent to pull the image, fetch Secrets Manager or Parameter Store values referenced in the task definition, and write logs. The task role is what the application code gets: the SDK in the container fetches temporary credentials for it from the container credentials endpoint, so granting DynamoDB permissions to the task role gives the application access without any stored keys, and each task definition can carry its own narrowly scoped role. Option C has no equivalent (an ECS service does not carry an IAM role the container can use), and Option D is wrong because Fargate tasks do not run on instances you own.

61
MCQmedium

A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?

A.Enable S3 Transfer Acceleration to ensure faster uploads.
B.Enable S3 Block Public Access (bucket-level).
C.Enable S3 Server Access Logging to monitor access.
D.Enable S3 Object Lock to prevent objects from being deleted.
AnswerB

S3 Block Public Access provides an additional layer of security that prevents any public access, even if a bucket policy or ACL inadvertently allows it. It is the recommended way to ensure a bucket is never public.

Why this answer

Option B is correct because S3 Block Public Access is a set of four settings that override any bucket policy or ACL: BlockPublicAcls rejects new public ACLs, IgnorePublicAcls disregards existing ones, BlockPublicPolicy rejects a bucket policy that would grant public access, and RestrictPublicBuckets limits an already public bucket policy to the account and AWS services. Applied at the bucket level (and normally also at the account level, so new buckets inherit it) they keep the bucket non-public even if someone later writes a permissive policy or ACL. The settings do not interfere with non-public cross-account grants such as a named-account principal.

Exam trap

The trap here is that candidates often confuse monitoring features (like logging) or object protection features (like Object Lock) with access control mechanisms, failing to recognize that S3 Block Public Access is the only feature specifically designed to enforce a hard block on public access regardless of other configurations.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances using AWS edge locations, and it has no impact on access control or public accessibility. Option C is wrong because S3 Server Access Logging only records access requests for auditing purposes; it does not prevent public access or enforce any security restrictions. Option D is wrong because S3 Object Lock is designed to prevent objects from being deleted or overwritten for a specified retention period, but it does not control or block public read access to the bucket.

62
Multi-Selectmedium

A developer wants to encrypt data in an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). Which TWO steps are required?

Select 2 answers
A.Set the default encryption on the bucket to SSE-KMS.
B.Enable MFA Delete on the bucket.
C.Create a bucket policy that denies unencrypted requests.
D.Grant the IAM role kms:GenerateDataKey and kms:Decrypt permissions.
E.Enable versioning on the bucket.
AnswersA, D

Required to enforce SSE-KMS.

Why this answer

The bucket must be configured for SSE-KMS with a key, and the role that reads and writes must be allowed to use that key: kms:GenerateDataKey is what S3 calls when it encrypts an object on upload, and kms:Decrypt is what it calls on download (and during multipart uploads). Scope both to the key ARN, and a `kms:ViaService` condition for `s3.<region>.amazonaws.com` keeps the role from using the key outside S3. Options B, C and E are sound practices but not prerequisites for SSE-KMS.

63
Multi-Selecthard

Which TWO actions should a developer take to securely manage database credentials in a serverless application?

Select 2 answers
A.Store credentials in AWS Secrets Manager and enable automatic rotation.
B.Use IAM database authentication for Amazon RDS.
C.Store credentials in a text file within the Lambda deployment package.
D.Hardcode credentials in environment variables.
E.Use security groups to allow only the Lambda function to access the database.
AnswersA, B

Secrets Manager securely stores and rotates credentials.

Why this answer

Option A is correct: AWS Secrets Manager stores the credentials encrypted with KMS, rotates them on a schedule through a Lambda rotation function, and the application retrieves them at runtime through the SDK (or the Parameters and Secrets Lambda extension, which caches them across invocations) instead of embedding them anywhere in the deployment package. Option B is correct because IAM database authentication for RDS removes the password altogether: the function's role is allowed rds-db:connect, the code generates a short-lived authentication token (valid for 15 minutes) with the SDK's generate_db_auth_token call and presents it as the password over TLS, so there is nothing to store or rotate.

Exam trap

AWS often tests the distinction between network-level controls (security groups) and credential management, leading candidates to mistakenly select security groups as a method for securing credentials rather than managing them.

64
MCQmedium

Refer to the exhibit. A developer ran this CLI command and received the output shown. The application is retrieving the secret but getting an authentication error from the database. What is the MOST likely issue?

A.The secret is not marked as AWSCURRENT.
B.The application is not correctly parsing the JSON SecretString.
C.The CLI command should have used the --secret-string parameter.
D.The secret ID is incorrect.
AnswerB

The password contains special characters that may need escaping.

Why this answer

The CLI command successfully retrieved the secret, as shown by the output containing the secret value. The application, however, is failing with an authentication error from the database. This indicates that the secret was retrieved but the application is likely misinterpreting the JSON structure of the SecretString.

If the secret is stored as a JSON object (e.g., containing username and password fields), the application must parse the JSON and extract the correct field (e.g., 'password'). If it treats the entire JSON string as the password, it will pass an invalid credential to the database, causing an authentication error.

Exam trap

The trap here is that candidates assume any retrieval error is due to an incorrect secret ID or missing label, but the question explicitly states the secret was retrieved successfully, shifting the issue to how the application processes the retrieved value.

How to eliminate wrong answers

Option A is wrong because the secret is successfully retrieved, and the AWSCURRENT label is automatically applied to the latest version of a secret; if it were missing, the retrieval would fail entirely, not cause a parsing issue. Option C is wrong because the CLI command used 'get-secret-value' which is the correct command to retrieve a secret; the '--secret-string' parameter is used when creating or updating a secret, not when retrieving it. Option D is wrong because the secret ID is correct—the command returned a valid secret value without an error, proving the ID was accurate.

65
MCQmedium

A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?

A.Enable MFA at the account level using the AWS Account settings.
B.Attach an IAM policy to each user that denies all actions unless the user has MFA present.
C.Enable MFA on the root user and require all users to use the root user credentials with MFA.
D.Create a new IAM group for MFA users and add users to that group.
AnswerB

This uses a condition in the policy to require MFA for any API action, effectively enforcing MFA for all users.

Why this answer

Option B is correct because it uses an IAM policy with a condition key (`aws:MultiFactorAuthPresent`) to deny all actions when MFA is not present. This is the standard AWS-recommended approach to enforce MFA for IAM users accessing the Management Console, as it applies a deny-all-except-MFA effect at the user level without requiring account-level changes.

Exam trap

The trap here is that candidates assume MFA can be enforced at the account level (Option A) or by simply adding users to a group (Option D), but AWS requires an explicit IAM policy with a condition key to deny actions performed without MFA.

How to eliminate wrong answers

Option A is wrong because AWS does not support enabling MFA at the account level for all users; MFA must be configured per IAM user or via a policy. Option C is wrong because sharing root user credentials violates security best practices and AWS prohibits using root user for everyday tasks; MFA on root does not enforce MFA for other IAM users. Option D is wrong because simply creating a group and adding users does not enforce MFA; a policy with a condition key must be attached to the group to deny actions without MFA.

66
MCQeasy

A developer needs to enforce encryption in transit for all traffic between an application and an RDS database. Which configuration should be used?

A.Configure the security group to only allow traffic on port 443.
B.Create a VPC peering connection between the application and database subnets.
C.Enable encryption at rest using AWS KMS.
D.Set the 'require_secure_transport' parameter to 'ON' in the DB parameter group.
AnswerD

This forces clients to use SSL/TLS for connections.

Why this answer

Option D is correct because setting the 'require_secure_transport' parameter to 'ON' in the DB parameter group enforces TLS/SSL encryption for all connections to the RDS database. This ensures that data in transit between the application and the database is encrypted, meeting the requirement for encryption in transit.

Exam trap

The trap here is that candidates often confuse encryption at rest (Option C) with encryption in transit, or assume that network-level controls like security groups (Option A) or VPC peering (Option B) inherently encrypt traffic, when they do not.

How to eliminate wrong answers

Option A is wrong because port 443 is used for HTTPS traffic, not for native database connections (e.g., MySQL uses port 3306, PostgreSQL uses 5432), and security groups do not enforce encryption—they only control network access. Option B is wrong because VPC peering connects networks but does not provide encryption for traffic; it only facilitates routing between VPCs without encrypting the data in transit. Option C is wrong because encryption at rest using AWS KMS protects data stored on disk, not data transmitted between the application and the database; it addresses a different security concern.

67
MCQeasy

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?

A.s3:x-amz-server-side-encryption
B.kms:EncryptionContext
C.s3:x-amz-server-side-encryption-aws-kms-key-id
D.kms:KeyArn
AnswerC

Correct. This condition key evaluates the KMS key ID in the request header, allowing you to deny requests that do not specify the required CMK.

Why this answer

Option C is correct because the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key allows you to enforce that a specific AWS KMS customer managed key (CMK) ARN is used for server-side encryption on S3 PutObject requests. By using this condition key in a Deny statement, you can reject any upload that does not specify the required KMS key ID, ensuring encryption compliance.

Exam trap

The trap here is that candidates confuse the condition key for enforcing encryption type (Option A) with the condition key for enforcing a specific KMS key ID (Option C), or mistakenly think that a KMS-specific condition key like `kms:KeyArn` can be used in an S3 policy, when in fact it only applies to KMS API calls.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` only checks whether the `x-amz-server-side-encryption` header is set to `AES256` or `aws:kms`, but it cannot enforce a specific KMS key ID. Option B is wrong because `kms:EncryptionContext` is used to control access based on encryption context in KMS operations, not to enforce which KMS key is used for S3 server-side encryption. Option D is wrong because `kms:KeyArn` is a condition key for KMS API actions (like `kms:Decrypt` or `kms:GenerateDataKey`), not for S3 PutObject requests, and it cannot be used directly in an S3 bucket policy to enforce encryption key selection.

68
Multi-Selecthard

Which THREE are valid methods to authenticate to AWS APIs? (Choose 3)

Select 3 answers
A.Temporary security credentials from AWS STS
B.Database password stored in Secrets Manager
C.Credentials from an EC2 instance profile
D.CloudFront key pair
E.IAM user access key ID and secret access key
AnswersA, C, E

Used for federated users or cross-account access.

Why this answer

Options A, C, and E are correct. A: Temporary security credentials from STS are used for roles. C: EC2 instance profile credentials are used by applications on EC2. E: IAM user access keys are a standard method. B: Database passwords are not for API authentication. D: CloudFront key pairs are for signed URLs, not general API auth.

69
MCQmedium

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role's trust policy allows the EC2 service, and the permissions policy grants s3:GetObject on the bucket. The application on the instance receives 'Access Denied' errors when trying to read objects. What is the most likely cause?

A.The IAM role's trust policy does not allow the EC2 service.
B.The S3 bucket has default encryption enabled.
C.The EC2 instance does not have an instance profile associated with the IAM role.
D.The S3 bucket policy explicitly denies s3:GetObject.
AnswerC

Without an instance profile, the instance cannot assume the role and retrieve temporary credentials.

Why this answer

The most likely cause is that the EC2 instance does not have an instance profile associated with the IAM role. An IAM role must be attached to an EC2 instance via an instance profile, which acts as a container for the role. Without this association, the instance cannot obtain temporary credentials from the AWS Security Token Service (STS) to sign API requests, resulting in 'Access Denied' errors even if the role's trust and permissions policies are correctly configured.

Exam trap

The trap here is that candidates often assume the IAM role's trust and permissions policies are sufficient, overlooking the mandatory instance profile association required for EC2 to use the role.

How to eliminate wrong answers

Option A is wrong because the trust policy allowing the EC2 service is correctly configured, as stated in the question; if it were not, the role could not be assumed at all, but the error occurs at the S3 access level, not at the role assumption level. Option B is wrong because default encryption on an S3 bucket does not affect IAM permissions for reading objects; it only encrypts objects at rest, and the application would still be able to read objects if it has the correct IAM permissions. Option D is wrong because the question states the permissions policy grants s3:GetObject, and there is no indication of a bucket policy; an explicit deny in a bucket policy would override the IAM role's allow, but the scenario does not mention any bucket policy, making this an unlikely primary cause.

70
MCQeasy

A developer needs to grant a Lambda function read-only access to an S3 bucket. Which IAM entity should be used to attach the permissions?

A.Create an IAM user and provide the credentials to the Lambda function.
B.Attach a resource-based policy to the S3 bucket.
C.Attach a policy to an IAM group and add the Lambda function to the group.
D.Create an IAM role with the necessary permissions and assign it to the Lambda function as the execution role.
AnswerD

Lambda execution roles are IAM roles that grant permissions to the function.

Why this answer

Option D is correct because Lambda functions require an IAM role (execution role) to obtain temporary AWS credentials via the AWS Security Token Service (STS). This role must have a trust policy allowing Lambda to assume it, and an attached permissions policy granting read-only access to the S3 bucket. This is the standard and secure method for granting permissions to an AWS service like Lambda.

Exam trap

The trap here is that candidates confuse resource-based policies (which grant access to the principal specified in the policy) with identity-based policies (which grant permissions to the principal the policy is attached to), and incorrectly think a bucket policy alone can grant permissions to a Lambda function without an execution role.

How to eliminate wrong answers

Option A is wrong because IAM users are intended for human or application access with long-term credentials, not for AWS services; embedding user credentials in a Lambda function is insecure and violates best practices. Option B is wrong because a resource-based policy on the S3 bucket can grant cross-account access or access to other AWS services, but it cannot directly grant permissions to a Lambda function's execution role; the Lambda function still needs an execution role with the appropriate permissions. Option C is wrong because IAM groups are used to manage permissions for IAM users, not for AWS services; Lambda functions cannot be added to an IAM group.

71
MCQmedium

A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?

A.Server-side encryption with a customer-managed KMS key
B.Server-side encryption with an AWS managed KMS key
C.Client-side encryption
D.Static key encryption
AnswerA

This allows the security team to manage the KMS key, providing control over encryption and key rotation.

Why this answer

Option A is correct because the requirement specifies that the encryption key must be managed by the company's security team. Server-side encryption (SSE) with a customer-managed KMS key allows the company to create, rotate, and control access to the KMS key used to encrypt the DynamoDB table at rest. This gives the security team full control over the encryption key lifecycle, meeting the stated requirement.

Exam trap

The trap here is that candidates often confuse 'customer-managed KMS key' with 'AWS managed KMS key,' assuming any KMS encryption meets the requirement, but the exam specifically tests the distinction between who manages the key (customer vs. AWS) to enforce security control requirements.

How to eliminate wrong answers

Option B is wrong because server-side encryption with an AWS managed KMS key means AWS owns and manages the key, not the company's security team, so it does not satisfy the requirement for key management by the security team. Option C is wrong because client-side encryption encrypts data before it is sent to DynamoDB, which would require the developer to implement encryption logic in the application and manage keys separately, not using AWS KMS for server-side encryption at rest. Option D is wrong because 'static key encryption' is not a valid encryption type for DynamoDB; DynamoDB supports server-side encryption with AWS KMS keys (AWS managed or customer managed) and not a static key approach.

72
MCQhard

Refer to the exhibit. A developer is trying to query a DynamoDB table from a Lambda function that uses an execution role named MyRole. The Lambda function is failing with the error shown. Which step should the developer take to resolve this?

A.Enable DynamoDB encryption at rest.
B.Add a resource-based policy to the DynamoDB table allowing the Lambda role.
C.Attach a policy to the Lambda execution role that allows dynamodb:Query on the table.
D.Grant the Lambda role kms:Decrypt permission on the KMS key.
AnswerC

The role needs identity-based permission.

Why this answer

Option C is correct because the error indicates the role lacks dynamodb:Query permission. Option A is wrong because the error is not about encryption. Option B is wrong because the error is about a missing identity-based permission, not a resource policy. Option D is wrong because the error is not about KMS.

73
MCQeasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users using a third-party identity provider that supports SAML 2.0. The company wants to use AWS Identity and Access Management (IAM) to manage user permissions. Which solution should the developer implement?

A.Use AWS Security Token Service (STS) to generate temporary credentials for the users.
B.Create an IAM identity provider for the SAML IdP and set up a role with a trust policy that allows federated users to assume it.
C.Store the SAML metadata document in AWS Certificate Manager.
D.Use Amazon Cognito user pools with a SAML identity provider.
AnswerB

Standard SAML federation with IAM.

Why this answer

Option B is correct because it describes the standard AWS pattern for SAML 2.0 federation: creating an IAM identity provider for the external SAML IdP, then configuring an IAM role with a trust policy that allows users authenticated by that IdP to assume the role. This enables the application to use IAM to manage permissions for federated users without creating IAM users in the AWS account.

Exam trap

The trap here is that candidates may confuse Amazon Cognito (which also supports SAML) as the only way to federate with a third-party IdP, but the question explicitly requires IAM to manage permissions, making direct IAM SAML federation the correct choice.

How to eliminate wrong answers

Option A is wrong because AWS STS generates temporary credentials, but it does not directly handle SAML authentication; STS is used after federation is established to issue credentials for an assumed role. Option C is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates, not SAML metadata documents; SAML metadata is uploaded to IAM when creating the identity provider. Option D is wrong because Amazon Cognito user pools with a SAML IdP is a valid approach for user authentication, but the question specifically requires using IAM to manage user permissions, and Cognito does not integrate with IAM for permission management in the same way as direct IAM SAML federation.

74
MCQhard

A developer attached the above IAM policy to an IAM user. The user tries to download an object from example-bucket using the AWS CLI without specifying server-side encryption. What will happen?

A.The download succeeds because the policy allows s3:GetObject
B.The download fails with an AccessDenied error
C.The download succeeds because the object is encrypted with SSE-S3
D.The download fails with a 500 Internal Server Error
AnswerB

The condition is not satisfied, so access is denied.

Why this answer

The policy grants s3:GetObject only if the request uses server-side encryption with AES256. If the user does not specify encryption, the condition is not met, and the request is denied. Option A is incorrect because the policy does not require SSE-KMS. Option C is incorrect because the policy explicitly allows GetObject. Option D is incorrect because the condition is evaluated.

75
Multi-Selecteasy

Which TWO actions are valid ways to encrypt data at rest in Amazon S3? (Choose TWO.)

Select 2 answers
A.Use S3-managed keys (SSE-S3)
B.Use client-side encryption with a KMS key
C.Use SSL/TLS for all data transfers
D.Use AWS CloudHSM to store encryption keys
E.Use AWS KMS keys (SSE-KMS)
AnswersA, E

SSE-S3 encrypts data at rest with S3-managed keys.

Why this answer

SSE-S3 is a valid server-side encryption option where Amazon S3 manages the encryption keys on your behalf. When you upload an object, S3 encrypts the data using AES-256 before writing it to disk and decrypts it when you access it, all without requiring any additional configuration or key management from you.

Exam trap

The trap here is that candidates often confuse encryption at rest with encryption in transit, leading them to select SSL/TLS (Option C) as a valid answer, or they mistakenly think client-side encryption with KMS (Option B) is a server-side encryption method for S3.
