CCNA Security Questions

75 of 429 questions · Page 4/6 · Security · Answers revealed

226
MCQ · hard

The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?

A. The policy uses an incorrect action name for decryption.
B. The KMS key policy does not grant the Lambda execution role permission to use the key.
C. The policy does not include kms:DescribeKey permission.
D. The policy does not include kms:Decrypt permission.
Answer: B

Even if the IAM policy allows, the key policy must also allow; this is a common misconfiguration.

Why this answer

The IAM policy grants kms:Decrypt but not kms:DescribeKey. However, the access denied error is most likely caused by the key's key policy not granting the Lambda execution role permission to use the key: KMS requires that both the IAM policy and the key policy allow the call. The key policy must explicitly allow the Lambda role to use the key.

Option A is wrong because the action list is correct. Option C is wrong because the problem is not kms:DescribeKey. Option D is wrong because kms:Decrypt is included.

Option B is correct: the key policy must grant access to the Lambda role.

227
MCQ · easy

The exhibit shows an S3 bucket policy. If an IAM user in the same AWS account attempts to download an object from the bucket from IP address 203.0.113.5, what will happen?

A. The request will succeed because the user has IAM permissions.
B. The request will succeed because the user is in the same account.
C. The request will succeed because the bucket policy does not explicitly deny.
D. The request will be denied.
Answer: D

The bucket policy condition restricts access to a specific IP range; the user's IP is outside that range.

Why this answer

The policy allows GetObject only if the source IP is in 192.0.2.0/24. The user's IP (203.0.113.5) is not in that range, so the request will be denied. The IAM user's own permissions do not override the bucket policy's explicit deny condition.

Option A is wrong because the bucket policy's IP condition denies the request regardless of the user's IAM permissions. Option B is wrong because the bucket policy is still evaluated for principals in the same account. Option C is wrong because the Allow condition is not satisfied, so the request is denied.

228
MCQ · medium

A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?

A. Use Cognito identity credentials with an IAM policy scoped to the user's prefix using policy variables
B. Use a single hardcoded access key in the app
C. Make the bucket public and validate names in the client
D. Give every user AmazonS3FullAccess
Answer: A

Correct for the stated requirement.

Why this answer

Option A is correct because it uses Amazon Cognito identity pools to issue temporary AWS credentials scoped to a specific S3 prefix via IAM policy variables (e.g., `${cognito-identity.amazonaws.com:sub}`). This ensures each authenticated user can only upload to their own prefix (e.g., `uploads/${user_id}/`), adhering to the principle of least privilege by granting no more access than necessary.

Exam trap

The trap here is that candidates might choose Option B (hardcoded key) thinking it's simpler, missing that it exposes a static credential that can be compromised, or Option C (public bucket) assuming client-side validation is sufficient, when in fact AWS requires server-side enforcement for security.

How to eliminate wrong answers

Option B is wrong because hardcoding a single access key in the app violates security best practices — the key could be extracted from the mobile binary, granting unrestricted access to the entire bucket. Option C is wrong because making the bucket public and validating names client-side is insecure; a malicious user can bypass client-side checks and upload to any prefix. Option D is wrong because granting AmazonS3FullAccess to every user violates least privilege by giving all users full administrative control over all S3 buckets, including the ability to delete or modify any object.

229
Multi-Select · medium

A company wants to ensure that only encrypted connections are used to access their S3 bucket. Which THREE methods can be used to enforce this?

Select 3 answers
A. Use Amazon CloudFront with the S3 bucket as origin and require HTTPS.
B. Enable default encryption on the bucket.
C. Enable S3 Block Public Access on the bucket.
D. Use a bucket policy that denies requests when aws:SecureTransport is false.
E. Use client-side encryption for all uploads.
Answers: A, D, E

CloudFront can enforce HTTPS.

Why this answer

Options A, D, and E are correct. A bucket policy with a condition on aws:SecureTransport denies HTTP requests. S3 Block Public Access (Option C) does not enforce encryption in transit.

Default encryption (Option B) sets server-side encryption at rest but does not enforce HTTPS. CloudFront can enforce HTTPS for viewer connections. Client-side encryption encrypts data before it is sent.

230
MCQ · hard

An application running on EC2 instances in an Auto Scaling group needs to access an S3 bucket. The security team wants to avoid storing long-term AWS credentials on the instances. Which approach should be used?

A. Store the credentials in AWS Systems Manager Parameter Store and retrieve them in User Data.
B. Create an IAM role and attach it to the EC2 instance profile.
C. Use an AWS Lambda function to generate temporary credentials and pass them to the instances.
D. Generate access keys for a dedicated IAM user and store them in a file on the AMI.
Answer: B

The SDK automatically retrieves temporary credentials from the instance metadata.

Why this answer

Option B is correct because it uses an IAM role attached to an EC2 instance profile, which allows the EC2 instances to automatically obtain temporary security credentials from the AWS Security Token Service (STS). This approach eliminates the need to store long-term credentials on the instances, as the credentials are rotated automatically and are retrieved via the instance metadata service (IMDS).

Exam trap

The trap here is that candidates may think storing credentials in Parameter Store or using Lambda to generate temporary credentials is more secure, but they overlook that an IAM role with an instance profile is the simplest and most secure method because it eliminates the need to handle credentials at all.

How to eliminate wrong answers

Option A is wrong because storing credentials in Systems Manager Parameter Store and retrieving them in User Data still requires the credentials to be stored as a secret, and User Data runs only at instance launch, leaving the credentials on the instance's local storage or memory, which violates the security requirement of not storing long-term credentials. Option C is wrong because using an AWS Lambda function to generate temporary credentials and pass them to the instances introduces unnecessary complexity and a potential security risk of passing credentials over the network; the instances can directly obtain temporary credentials via an IAM role without external orchestration. Option D is wrong because generating access keys for a dedicated IAM user and storing them in a file on the AMI embeds long-term credentials directly into the AMI, which persists across instances and violates the core security principle of avoiding stored credentials.

231
MCQ · hard

A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?

A. Use Server-Side Encryption with S3-Managed Keys (SSE-S3) and set a key rotation policy.
B. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) with automatic key rotation.
C. Use Server-Side Encryption with Customer-Provided Keys (SSE-C) and manually rotate keys.
D. Use Client-Side Encryption with KMS.
Answer: B

SSE-KMS allows you to enable automatic annual key rotation, meeting the requirement with low overhead.

Why this answer

SSE-KMS with automatic key rotation meets the requirement for annual key rotation with minimal operational overhead because AWS KMS can automatically rotate the customer master key (CMK) every year (365 days) without any manual intervention. This ensures that objects in S3 are encrypted at rest using a key that is rotated on schedule, while the developer does not need to manage the rotation process.

Exam trap

The trap here is that candidates often confuse SSE-S3's automatic key rotation (which is fixed at one year and not configurable) with the ability to set a custom rotation policy, leading them to incorrectly choose option A.

How to eliminate wrong answers

Option A is wrong because SSE-S3 does not support customer-controlled key rotation; S3 manages the keys entirely and rotates them automatically every year, but the developer cannot set or control a custom key rotation policy. Option C is wrong because SSE-C requires the developer to provide and manage their own encryption keys, including manually rotating them, which increases operational overhead. Option D is wrong because client-side encryption requires the developer to implement encryption logic in the application and manage key rotation on the client side, adding significant operational overhead compared to a server-side solution.

232
MCQ · hard

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

A. Use a custom key store with automatic rotation enabled.
B. Use an AWS managed key (e.g., aws/s3).
C. Use a key with imported key material and set a rotation period of 365 days.
D. Use a customer managed key with automatic rotation enabled.
Answer: B

AWS managed keys are automatically rotated every 365 days, meeting the requirement without additional configuration.

Why this answer

AWS managed keys (e.g., aws/s3) automatically rotate every year (365 days) without any configuration required, which satisfies the security team's requirement. Customer managed keys with automatic rotation enabled rotate annually by default, but the question asks for the type of key that should be used, and AWS managed keys are the simplest choice that meets the requirement. Imported key material cannot be rotated automatically because AWS KMS cannot generate new key material for keys with imported material.

Exam trap

The trap here is that candidates assume only customer managed keys support automatic rotation, overlooking that AWS managed keys also rotate automatically every 365 days and are the simplest way to meet the requirement.

How to eliminate wrong answers

Option A is wrong because a custom key store (CloudHSM) does not support automatic key rotation; you must manually rotate keys in a custom key store. Option C is wrong because keys with imported key material cannot have automatic rotation enabled; AWS KMS cannot generate new key material for such keys, so rotation must be manual. Option D is wrong because while a customer managed key with automatic rotation enabled does rotate every 365 days, it is not the only option; the question asks which type of KMS key should be used, and AWS managed keys (Option B) also meet the requirement and are simpler to manage, making B the best answer.

233
Multi-Select · hard

A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?

Select 2 answers
A. Validate issuer and audience/client ID
B. Accept any JWT signed with the none algorithm
C. Validate scopes or group claims required by the route
D. Trust only the username string sent in a header
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because API Gateway with Cognito requires validating the JWT's issuer (iss) claim to ensure the token was issued by the expected Cognito user pool, and validating the audience (aud) or client ID (azp) claim to confirm the token was intended for the specific API Gateway application. Without these checks, an attacker could use a token from a different user pool or client to access the API.

Exam trap

The trap here is that candidates often focus only on signature verification (which is critical) but overlook the equally important validation of issuer and audience claims, which prevents token reuse across different user pools or clients.

234
MCQ · easy

A developer needs to securely store database credentials for a Lambda function. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. Amazon DynamoDB
D. AWS KMS
Answer: A

Secrets Manager is designed for storing secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager is the correct service because it is designed specifically for securely storing, managing, and automatically rotating database credentials and other secrets. It supports built-in rotation with AWS Lambda, allowing you to set a custom rotation interval (e.g., 90 days) without custom infrastructure. Secrets Manager also integrates natively with Amazon RDS, Redshift, and DocumentDB for automatic credential rotation.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets securely but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation.

How to eliminate wrong answers

Option B (AWS Systems Manager Parameter Store) is wrong because while it can store secrets securely, it does not support automatic rotation of credentials out of the box; you would need to build custom rotation logic. Option C (Amazon DynamoDB) is wrong because it is a NoSQL database service, not a secrets management service, and storing credentials there would require manual encryption and rotation, violating security best practices. Option D (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for storing or rotating secrets; it can be used to encrypt secrets but does not manage the secret lifecycle or rotation.

235
Drag & Drop · medium

Drag and drop the steps to set up a DynamoDB table with auto scaling in the correct order.


Why this order

First create the table, define scaling policies for both read and write, create a scaling target, and apply policies.

236
MCQ · medium

A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?

A. An IAM role with a trust policy that allows the external account's root user or specific IAM users/roles to assume the role
B. An S3 bucket policy granting access to the external account
C. An IAM user policy in the external account allowing sts:AssumeRole
D. An AWS Organizations service control policy allowing cross-account access
Answer: A

Correct. The trust policy on the role specifies which principals from other accounts can assume it.

Why this answer

Option A is correct because cross-account IAM role access requires a trust policy attached to the role in the developer's account. This trust policy specifies the external AWS account ID (or specific IAM users/roles in that account) as the principal, allowing them to call sts:AssumeRole. Once the role is assumed, the developer's account grants the necessary S3 permissions via the role's permissions policy.

Exam trap

The trap here is that candidates often confuse the location of the trust policy (required in the account owning the role) with the permissions policy (required in the external account), or mistakenly think an S3 bucket policy alone can enable cross-account role assumption.

How to eliminate wrong answers

Option B is wrong because an S3 bucket policy alone cannot enable the initial assumption of a role; it only grants direct access to the bucket, not the ability to assume an IAM role. Option C is wrong because an IAM user policy in the external account allowing sts:AssumeRole is necessary but not sufficient—the developer's account must also have a trust policy that accepts the assumption request; the question asks for the policy required in the developer's account. Option D is wrong because AWS Organizations SCPs can restrict permissions but cannot grant cross-account access; they are used to set permission boundaries, not to allow role assumption.

237
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team wants to be notified immediately when an IAM user creates a new access key. Which solution is most efficient?

A. Configure CloudTrail to send logs to CloudWatch Logs and create a metric filter with an alarm.
B. Create a CloudWatch Events rule that matches the CreateAccessKey API call and triggers a Lambda function to send an SNS notification.
C. Enable CloudTrail log file validation and periodically check the logs.
D. Use Amazon Athena to query CloudTrail logs daily.
Answer: B

This provides real-time notification.

Why this answer

Option B is correct because CloudWatch Events (now Amazon EventBridge) can directly match the CreateAccessKey API call from CloudTrail and trigger a Lambda function to send an SNS notification in near real-time. This is the most efficient solution as it avoids the overhead of log ingestion, metric filters, or periodic queries, providing immediate notification with minimal latency.

Exam trap

The trap here is that candidates often default to CloudWatch Logs metric filters (Option A) because they are familiar, but fail to recognize that EventBridge rules provide a simpler, lower-latency, and more cost-effective solution for real-time API call monitoring.

How to eliminate wrong answers

Option A is wrong because it requires sending CloudTrail logs to CloudWatch Logs and creating a metric filter with an alarm, which introduces additional cost, latency, and complexity compared to a direct EventBridge rule. Option C is wrong because CloudTrail log file validation only verifies file integrity, not real-time monitoring, and periodically checking logs is not immediate. Option D is wrong because using Athena to query CloudTrail logs daily provides only periodic, not immediate, notification and is inefficient for real-time alerting.

238
MCQ · easy

A developer needs to securely store database credentials for an application running on AWS Lambda. Which AWS service should they use?

A. AWS Systems Manager Session Manager
B. AWS CloudHSM
C. AWS Systems Manager Parameter Store (Standard tier)
D. AWS Secrets Manager
Answer: D

Designed for secrets with automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to securely store and rotate secrets like database credentials. Option C is wrong because Parameter Store can store parameters but is less suited for secrets and lacks automatic rotation. Option A is wrong because SSM Session Manager is for shell access.

Option B is wrong because CloudHSM provides hardware security modules, not secret storage.

239
MCQ · easy

An application running on EC2 needs to access an S3 bucket. What is the most secure way to grant access?

A. Generate an IAM user access key and store it in a file on the instance
B. Use pre-signed URLs for each request
C. Make the S3 bucket public
D. Create an IAM role with S3 permissions and attach it to the EC2 instance
Answer: D

IAM roles are the secure method for granting permissions to EC2.

Why this answer

Using an IAM role attached to the EC2 instance is the most secure option because it provides temporary credentials and avoids hardcoding keys. Option A (IAM user keys stored on the instance) is less secure. Option C (a public bucket) is insecure.

Option B (pre-signed URLs) is not suitable for ongoing access.

240
MCQ · medium

A developer is building a web application that stores user session data in an ElastiCache Redis cluster. The cluster is in a VPC and is not publicly accessible. The developer needs to ensure that data in transit is encrypted. What should the developer do?

A. Enable encryption in transit on the ElastiCache Redis cluster.
B. Place an Application Load Balancer in front of the Redis cluster and enable TLS termination.
C. Configure the security group to only allow traffic from the application servers.
D. Use VPC peering to connect the application VPC to the ElastiCache VPC.
Answer: A

ElastiCache supports encryption in transit for Redis.

Why this answer

Option A is correct because enabling encryption in transit on the ElastiCache Redis cluster encrypts data between clients and the cluster. Option B is wrong because ElastiCache does not support TLS termination at an ALB. Option C is wrong because security groups restrict traffic but do not encrypt it.

Option D is wrong because VPC peering does not encrypt traffic by default.

241
Multi-Select · easy

A developer needs to encrypt data at rest in an Amazon S3 bucket. Which THREE options are available for server-side encryption?

Select 3 answers
A. SSE-C
B. Client-side encryption
C. SSE-KMS
D. SSE-S3
E. AWS CloudHSM
Answers: A, C, D

Customer-provided encryption keys.

Why this answer

S3 offers three server-side encryption options: SSE-S3 (using S3-managed keys), SSE-KMS (using AWS KMS), and SSE-C (using customer-provided keys).

242
MCQ · medium

A developer created the above IAM role for a Lambda function. The function needs to write logs to CloudWatch Logs. What is missing?

A. The role needs a permissions policy that grants logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.
B. The trust policy is incorrect; it should allow ec2.amazonaws.com.
C. The role name is invalid.
D. The trust policy should not allow Lambda to assume the role.
Answer: A

The role has no permissions policy.

Why this answer

The correct answer is A because Lambda functions require an IAM role with a permissions policy that explicitly allows the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` actions to write logs to CloudWatch Logs. Without these permissions, the Lambda function will fail to create log groups or streams and will be unable to send log events, resulting in missing or incomplete log output.

Exam trap

The trap here is that candidates may overlook the specific CloudWatch Logs permissions required for Lambda logging and instead focus on trust policy or naming issues, but the missing element is the permissions policy granting the necessary logging actions.

How to eliminate wrong answers

Option B is wrong because the trust policy should allow `lambda.amazonaws.com` (the Lambda service principal) to assume the role, not `ec2.amazonaws.com`, which is used for EC2 instances. Option C is wrong because there is no requirement for a specific role name; IAM role names can be any valid alphanumeric string and are not restricted to a particular format for Lambda. Option D is wrong because the trust policy must allow Lambda to assume the role; without this, the Lambda function cannot obtain temporary credentials to execute and access AWS resources.

243
MCQ · easy

A developer needs to securely store database credentials for a serverless application. Which AWS service should be used?

A. AWS Key Management Service (KMS)
B. Amazon DynamoDB
C. AWS Secrets Manager
D. AWS Systems Manager Parameter Store
Answer: C

Secrets Manager is built for secrets with rotation capabilities.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, rotating, and managing database credentials and other secrets throughout their lifecycle. It integrates natively with Amazon RDS, Redshift, and DocumentDB to automatically rotate credentials, and it enforces encryption at rest using AWS KMS. For a serverless application, Secrets Manager provides a simple API call (e.g., GetSecretValue) to retrieve credentials without hardcoding them in code or environment variables.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation and deep RDS integration) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires secure storage and management of database credentials for a serverless application.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys, not for storing secrets like database credentials; it can encrypt secrets but does not provide secret rotation or retrieval APIs. Option B is wrong because Amazon DynamoDB is a NoSQL database designed for high-performance key-value and document storage, not a secure secrets store; storing credentials there would require manual encryption and lack built-in rotation, access auditing, or automatic secret management. Option D is wrong because AWS Systems Manager Parameter Store is a service for storing configuration data and secrets, but it lacks native automatic rotation for database credentials (unless combined with a custom Lambda function) and does not offer the same level of integration with RDS or secret-specific features like cross-account access or secret versioning with staging labels.

244
MCQ · hard

A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?

A. Whether API Gateway caching is enabled
B. Whether the Lambda execution role and KMS key policy allow access to the new secret version and key
C. Whether the VPC has exactly three subnets
D. Whether CloudFront invalidation completed
Answer: B

Correct for the stated requirement.

Why this answer

The AccessDeniedException from Lambda after secret rotation indicates that the Lambda function cannot access the new secret version. This is most commonly caused by the Lambda execution role lacking the necessary permissions (e.g., secretsmanager:GetSecretValue) for the new secret version ARN, or the KMS key policy not granting the Lambda role access to decrypt the secret using the customer-managed KMS key. Checking these two policies first is the correct troubleshooting step because rotation creates a new version with a different ARN, and the IAM policy must allow access to all versions or use a wildcard.

Exam trap

The trap here is that candidates may overlook the KMS key policy and focus only on the Lambda execution role, but the AccessDeniedException can also stem from the KMS key not authorizing the Lambda role to decrypt the secret, especially when using a customer-managed key.

How to eliminate wrong answers

Option A is wrong because API Gateway caching is unrelated to Lambda's ability to access Secrets Manager; caching affects API responses, not secret retrieval permissions. Option C is wrong because the number of VPC subnets (three) is irrelevant to secret rotation access; Lambda requires at least one subnet per AZ for VPC connectivity, but this does not cause AccessDeniedException from Secrets Manager. Option D is wrong because CloudFront invalidation is a CDN cache-clearing mechanism and has no bearing on Lambda's IAM permissions or secret access.

245
MCQ · hard

A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?

A. Store the secret in Secrets Manager, create an IAM user with a policy to read the secret, and embed the user's credentials in the application code
B. Store the secret in Secrets Manager, attach an IAM role to the EC2 instance that grants permission to read the secret, and configure the application to retrieve the secret using the AWS SDK
C. Store the secret as an environment variable in the EC2 user data
D. Store the secret in a configuration file on the instance and restrict file permissions
Answer: B

Correct. This follows the least privilege principle and uses temporary credentials from the instance profile, which are automatically rotated, providing a secure and scalable solution.

Why this answer

Option B is correct because it follows the principle of least privilege and uses IAM roles, which are the secure and recommended way to grant EC2 instances permissions to access AWS Secrets Manager. By attaching an IAM role to the EC2 instance, the application can securely retrieve the secret using the AWS SDK without embedding long-term credentials in code or configuration files. This ensures that only instances with that role can read the secret, and the credentials are automatically rotated by AWS.

Exam trap

The trap here is that candidates may think storing secrets in user data or configuration files is acceptable for simplicity, but the exam emphasizes secure, managed solutions like IAM roles and Secrets Manager to avoid hardcoding credentials and to enable automatic rotation.

How to eliminate wrong answers

Option A is wrong because embedding IAM user credentials in application code is a security anti-pattern; it exposes long-term static credentials that can be compromised and are difficult to rotate. Option C is wrong because storing the secret in EC2 user data is insecure; user data is visible to anyone who can describe the instance or view the console, and it does not provide access control or audit logging. Option D is wrong because storing the secret in a configuration file on the instance, even with restricted file permissions, does not protect against unauthorized access if the instance is compromised, and it lacks centralized management and rotation capabilities.

246
MCQ · hard

Refer to the exhibit. A developer in account 111111111111 tries to assume a role in account 123456789012. The error occurs. What is the MOST likely cause?

A. The role does not exist in the us-east-1 region.
B. The user does not have sts:AssumeRole permission on the target role.
C. The access keys used are expired.
D. The role ARN is incorrect.
Answer: B

User needs explicit permission.

Why this answer

Option B is correct because cross-account role assumption requires both a trust policy on the role allowing the user's account and an IAM policy granting the user sts:AssumeRole. The error indicates the user is not authorized, most likely because of missing permissions on the user side (or in the trust policy). Option C is wrong because the error is AccessDenied, not an access key problem.

Option D is wrong because the role ARN is provided correctly. Option A is wrong because a region is not required for this API call.

247
MCQ · hard

A company has an S3 bucket with a policy that denies access to all users. The bucket owner wants to grant read access to a specific IAM user. What must be done?

A. Create a new bucket and copy objects there.
B. Add an Allow statement in the bucket policy for the user.
C. Remove the Deny statement from the bucket policy.
D. Add the user to the bucket ACL with read permission.
Answer: C

Removing the explicit deny allows other permissions to take effect.

Why this answer

Option C is correct because an explicit deny in a bucket policy overrides any allow, so the deny must be removed or modified. Option B is wrong because the bucket policy's explicit deny overrides the added Allow statement.

Option D is wrong because ACLs are legacy and are still overridden by an explicit deny. Option A is wrong because copying the objects to a new bucket does not address the deny, and cross-account access is not the issue.

248
MCQ · easy

A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS CloudFormation
C. Amazon DynamoDB with encryption at rest
D. AWS Systems Manager Parameter Store
Answer: A

Secrets Manager is purpose-built for secrets, with rotation and fine-grained access control.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as API keys, database credentials, and OAuth tokens at runtime. It integrates natively with AWS Lambda via the AWS SDK, allowing developers to fetch secrets with minimal latency and without hardcoding sensitive values in code. Secrets Manager also supports automatic rotation of secrets using built-in or custom Lambda functions, which is critical for maintaining security compliance.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secure strings) with AWS Secrets Manager, but the exam expects you to know that Secrets Manager is the only service that provides automatic rotation and is specifically designed for secrets management, not just parameter storage.

How to eliminate wrong answers

Option B (AWS CloudFormation) is wrong because it is an Infrastructure as Code (IaC) service for provisioning AWS resources, not a secret store; it cannot securely store or retrieve API keys at runtime. Option C (Amazon DynamoDB with encryption at rest) is wrong because while it can store encrypted data, it lacks native secret rotation, versioning, and fine-grained access control for secrets; using it for API keys would require custom encryption/decryption logic and manual rotation management. Option D (AWS Systems Manager Parameter Store) is wrong because although it can store secure strings, it does not support automatic secret rotation, and its integration with Lambda for runtime retrieval is less seamless than Secrets Manager; Parameter Store is better suited for configuration data like database URLs, not for high-security secrets like API keys.

249
MCQeasy

A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?

A.AWS IAM authorization
B.Amazon Cognito User Pool authorizer
C.Lambda authorizer
D.API key
AnswerB

A Cognito User Pool authorizer validates the JWT token and can enforce group membership via claim-based conditions, meeting the requirement exactly.

Why this answer

The Amazon Cognito User Pool authorizer is the correct choice because it directly integrates with Cognito user pools to validate JWT tokens issued by the pool. This allows the developer to restrict access to only authenticated users who belong to a specific group within the user pool, as group membership is encoded in the JWT claims.

Exam trap

The trap here is that candidates often confuse 'authentication' with 'authorization' and choose AWS IAM authorization (Option A) because they think IAM is the standard for AWS access control, but IAM does not natively integrate with Cognito user pool groups for fine-grained API access.

How to eliminate wrong answers

Option A is wrong because AWS IAM authorization uses IAM roles and policies to control access, which requires managing AWS credentials and does not natively validate Cognito user pool group membership. Option C is wrong because a Lambda authorizer (custom authorizer) can validate tokens or other logic, but it is overkill for this use case and requires additional Lambda code and maintenance; the simpler, native Cognito User Pool authorizer is preferred when the user pool is already in use. Option D is wrong because API keys are used for throttling and usage plans, not for authentication or authorization of individual users; they do not verify user identity or group membership.

250
MCQhard

A developer attaches the above S3 bucket policy to my-bucket. A user tries to upload an object using HTTP (not HTTPS). What will happen?

A.The upload succeeds because the Deny effect only applies if the condition is true
B.The upload succeeds if the user also has an Allow in another policy
C.The upload is denied
D.The upload succeeds because there is no Allow statement
AnswerC

The condition triggers the Deny effect.

Why this answer

Option C is correct because the policy denies s3:PutObject when aws:SecureTransport is false. Since the request uses HTTP, SecureTransport is false, so the Deny applies and the upload fails. Option A is wrong because the condition is evaluated, and it is true for an HTTP request.

Option B is wrong because the Deny overrides any Allow. Option D is wrong because the policy explicitly denies the upload.

251
Multi-Selectmedium

A company is using AWS CloudTrail to monitor API activity. Which TWO actions are required to ensure the integrity and security of the log files?

Select 2 answers
A.Enable log file validation.
B.Enable MFA Delete on the CloudTrail S3 bucket.
C.Enable S3 bucket versioning on the CloudTrail bucket.
D.Use an S3 VPC endpoint to access the CloudTrail bucket.
E.Use server-side encryption with AWS KMS managed keys (SSE-KMS).
AnswersA, E

Provides integrity verification using digest files.

Why this answer

Options A and E are correct because enabling log file validation creates a digest file for integrity verification, and using SSE-KMS encrypts the logs. Option C is wrong because CloudTrail does not have versioning. Option B is wrong because MFA Delete helps with S3 versioning, not CloudTrail.

Option D is wrong because CloudTrail does not support VPC endpoints by default; you need to set up a gateway endpoint.

252
MCQhard

A company uses AWS CodePipeline with a cross-account action that deploys to an S3 bucket in another account. The deployment fails with 'Access Denied'. The pipeline role has permissions to assume a role in the target account, and the target role has S3 putObject permissions. What additional configuration is required?

A.Add a bucket policy on the S3 bucket to allow the assumed role to put objects
B.Add a trust policy on the target IAM role to allow the pipeline role to assume it
C.Enable versioning on the S3 bucket
D.Enable KMS encryption on the S3 bucket and grant decrypt permissions
AnswerA

The S3 bucket policy must grant the assumed role (from the other account) the s3:PutObject permission.

Why this answer

Option A is correct because in a cross-account CodePipeline deployment to an S3 bucket, the pipeline role in the source account assumes a target IAM role in the destination account. While the target role has S3 putObject permissions, S3 bucket policies are evaluated separately from IAM policies. The bucket policy must explicitly grant the assumed role (or its principal) the s3:PutObject action; otherwise, the request is denied by default, even if the IAM role allows it.

Exam trap

The trap here is that candidates assume IAM role permissions alone are sufficient for cross-account S3 access, forgetting that S3 bucket policies act as an additional authorization layer that must explicitly allow the cross-account principal.

How to eliminate wrong answers

Option B is wrong because the trust policy on the target IAM role is already in place — the question states the pipeline role has permissions to assume the role in the target account, so the trust relationship is configured. Option C is wrong because enabling versioning on the S3 bucket is unrelated to access control; versioning affects object version management, not authorization. Option D is wrong because KMS encryption and decrypt permissions are only relevant if the bucket uses SSE-KMS; the question does not mention encryption, and the 'Access Denied' error is due to missing bucket policy, not encryption key issues.

253
MCQmedium

A company hosts a web application on EC2 instances behind an ALB. The application uses cookies to track user sessions. The security team is concerned about session hijacking. Which action should be taken to protect the cookies?

A.Enable encryption on the ALB using a custom SSL certificate.
B.Store session data in ElastiCache instead of cookies.
C.Set the Secure and HttpOnly flags on the session cookie.
D.Use AWS WAF to block requests without a valid session cookie.
AnswerC

These flags prevent cookie theft via XSS and ensure transmission over HTTPS only.

Why this answer

Setting the Secure and HttpOnly flags on the session cookie is the correct action because the Secure flag ensures the cookie is only sent over HTTPS, preventing interception via man-in-the-middle attacks, while the HttpOnly flag prevents client-side scripts (e.g., JavaScript) from accessing the cookie, mitigating cross-site scripting (XSS)-based session hijacking. This directly addresses the security team's concern by hardening the cookie against common attack vectors without requiring architectural changes.

Exam trap

The trap here is that candidates often confuse encryption of the connection (Option A) with securing the cookie itself, or they assume moving session state server-side (Option B) eliminates the need for cookie security flags, when in fact the session identifier cookie still requires Secure and HttpOnly protection.

How to eliminate wrong answers

Option A is wrong because enabling encryption on the ALB with a custom SSL certificate protects data in transit between the client and ALB, but it does not secure the cookie itself from being read by JavaScript or transmitted over non-HTTPS connections if the application sets the cookie without the Secure flag. Option B is wrong because storing session data in ElastiCache instead of cookies changes where session state is stored (server-side vs. client-side), but it does not inherently protect the session identifier cookie from hijacking; the cookie still needs Secure and HttpOnly flags to prevent interception and script access. Option D is wrong because AWS WAF can block requests based on rules, but it cannot validate the integrity or security attributes of a session cookie; it would only filter based on presence or content, not prevent hijacking if the cookie is already stolen.

254
MCQhard

A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?

A.A public NAT gateway only
B.An internet gateway attached to the Lambda subnet
C.A VPC peering connection to every AWS region
D.An interface VPC endpoint for Secrets Manager with appropriate security groups
AnswerD

An interface VPC endpoint keeps the traffic on the AWS network, which is exactly the stated requirement.

Why this answer

An interface VPC endpoint (AWS PrivateLink) for Secrets Manager allows Lambda functions within a VPC to securely retrieve secrets using private IP addresses, without traversing the public internet. This is achieved by creating an elastic network interface in the VPC subnet with a security group that controls access, ensuring traffic stays within the AWS network.

Exam trap

The trap here is that candidates often confuse NAT gateways or internet gateways as solutions for private service access, not realizing that AWS PrivateLink endpoints are the correct mechanism to keep traffic within the AWS backbone.

How to eliminate wrong answers

Option A is wrong because a public NAT gateway enables outbound internet access from private subnets but does not provide a private path to Secrets Manager; traffic would still traverse the internet. Option B is wrong because an internet gateway attached to the Lambda subnet would expose the Lambda function to the public internet, defeating the requirement to avoid public internet traversal and introducing security risks. Option C is wrong because VPC peering connections connect VPCs within the same or different regions but do not provide access to AWS services like Secrets Manager; they are used for inter-VPC communication, not service endpoints.

255
MCQeasy

A developer needs to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. Which approach is the most secure?

A.Create an IAM role in Account A with a trust policy allowing the user from Account B to assume it.
B.Share the access keys of an IAM user in Account A with the user in Account B.
C.Add a bucket policy in Account A that grants access to the user in Account B, and attach an IAM policy to the user in Account B allowing the S3 actions.
D.Attach an IAM policy to the user in Account B that grants access to the S3 bucket.
AnswerC

This uses a resource-based policy (bucket policy) and IAM policy, following least privilege.

Why this answer

Option C is the most secure because it combines a resource-based bucket policy in Account A that explicitly grants access to the user in Account B with an identity-based IAM policy attached to that user in Account B. This dual-policy approach ensures that the user can only access the bucket when both policies allow the action, following the principle of least privilege and avoiding the need to share long-term credentials.

Exam trap

The trap here is that candidates often assume an IAM policy in the target account alone is sufficient for cross-account S3 access, forgetting that the owning account must explicitly allow the access via a resource-based policy like a bucket policy.

How to eliminate wrong answers

Option A is wrong because creating an IAM role in Account A with a trust policy for the user in Account B would require the user to assume the role, which is a valid cross-account access method but is less direct and adds unnecessary complexity for simple S3 bucket access; it is not the most secure or straightforward approach for this specific scenario. Option B is wrong because sharing access keys of an IAM user in Account A with a user in Account B violates security best practices by exposing long-term credentials, increasing the risk of credential leakage and unauthorized access. Option D is wrong because attaching an IAM policy to the user in Account B alone cannot grant access to an S3 bucket in Account A; cross-account access requires a resource-based policy (bucket policy or ACL) in the owning account to explicitly allow the external user.

256
MCQhard

Refer to the exhibit. An IAM policy attached to a user includes the above statement. The user uploads an object to the S3 bucket without specifying any encryption header. What is the outcome?

A.The upload succeeds and the object is encrypted with SSE-KMS.
B.The upload succeeds and the object is not encrypted.
C.The upload succeeds and the object is encrypted with SSE-S3.
D.The upload fails with an Access Denied error.
AnswerD

The condition is not satisfied, so the Allow does not apply, and there is no other Allow statement.

Why this answer

Option D is correct because the condition requires the encryption header to be AES256. If no header is provided, the condition is not met, the Allow does not apply, and the action is denied. Option A is wrong because the condition specifically requires AES256, not SSE-KMS, and in any case the condition is not satisfied.

Options B and C are wrong because the upload is denied, so no object (encrypted or not) is stored.

257
MCQmedium

A company has an S3 bucket that stores log files. The bucket policy grants the AWSServiceRoleForSSO service role write access. However, the logs are not being written. What is the MOST likely reason?

A.The bucket has S3 Block Public Access enabled, which blocks all service role access.
B.The bucket policy uses a service role ARN that is not a valid principal for S3 bucket policies.
C.The bucket ACL is set to private, which prevents service role writes.
D.The bucket has default encryption enabled using SSE-S3, which prevents writes from service roles.
AnswerB

Service roles are not valid principals in S3 bucket policies; use the service's principal instead.

Why this answer

Option B is correct because S3 bucket policies must grant access to a valid principal, and the service role is not a valid principal for S3 bucket policies. Option D is wrong because SSE-S3 does not block writes. Option A is wrong because Block Public Access does not affect service roles.

Option C is wrong because ACLs are disabled by default and service roles use bucket policies.

258
MCQeasy

A company wants to ensure that all data in transit between a web application and its users is encrypted. Which AWS service can provide SSL/TLS termination?

A.Amazon CloudFront
B.Application Load Balancer (ALB)
C.Amazon Route 53
D.Amazon EC2 instance
AnswerB

ALB can terminate SSL/TLS.

Why this answer

Option B is correct because an ALB can terminate SSL/TLS and decrypt traffic. Option A is wrong because although CloudFront can also terminate SSL, the question asks which service can provide termination, and ALB is the common choice. Option D is wrong because EC2 instances can handle SSL, but an instance is not a managed service.

Option C is wrong because Route 53 is DNS and does not terminate SSL.

259
MCQhard

A developer is using AWS Secrets Manager to rotate database credentials automatically. The rotation fails with the error 'The secret value is not valid JSON.' What is the most likely cause?

A.The secret is in a different AWS region than the Lambda rotation function.
B.The secret value was stored as a plain string instead of a JSON object.
C.The secret name is not base64-encoded.
D.The secret does not have the correct version label.
AnswerB

Secrets Manager requires JSON format for automatic rotation to parse username, password, etc.

Why this answer

AWS Secrets Manager requires secret values to be stored as valid JSON objects when automatic rotation is configured. If the secret is stored as a plain string (e.g., a single password string without key-value pairs), the rotation function cannot parse it, resulting in the 'The secret value is not valid JSON' error. This is because the Lambda rotation function expects to read and write a JSON structure to manage the credentials during rotation.

Exam trap

The trap here is that candidates may confuse the JSON validation error with other rotation failures, such as network issues or permission errors, but the specific error message 'The secret value is not valid JSON' directly points to the secret's format being incorrect.

How to eliminate wrong answers

Option A is wrong because the Lambda rotation function and the secret must be in the same AWS region; cross-region rotation is not supported, but this would cause a different error (e.g., 'AccessDenied' or 'ResourceNotFoundException'), not a JSON parsing error. Option C is wrong because secret names are not required to be base64-encoded; they are plain text strings that identify the secret, and base64 encoding is irrelevant to JSON validity. Option D is wrong because version labels (e.g., AWSCURRENT, AWSPREVIOUS) are managed automatically by Secrets Manager during rotation; an incorrect version label would cause a versioning error, not a JSON parsing failure.

260
MCQeasy

A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?

A.AWS Systems Manager Parameter Store with a SecureString parameter.
B.AWS Secrets Manager with automatic rotation enabled.
C.AWS Identity and Access Management (IAM) roles for EC2.
D.AWS Key Management Service (KMS) to store the credentials as encrypted data.
AnswerB

Secrets Manager is designed for managing secrets and supports automatic rotation for many database services. It can rotate the credentials on a schedule as required.

Why this answer

AWS Secrets Manager is designed specifically for managing secrets such as database credentials, with built-in capabilities for automatic rotation according to a schedule (e.g., every 30 days). It integrates natively with supported databases (e.g., Amazon RDS, Redshift, DocumentDB) to rotate credentials without custom code, and it encrypts secrets at rest using AWS KMS. This makes it the correct choice for the developer's requirement of secure storage and automated rotation.

Exam trap

The trap here is that candidates often confuse Parameter Store's SecureString (which can store encrypted secrets but lacks built-in rotation) with Secrets Manager, overlooking the explicit requirement for automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with a SecureString parameter can store encrypted credentials but does not support automatic rotation of the secret value; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because IAM roles for EC2 provide temporary credentials for AWS API access, not for storing or rotating database credentials (username/password); they cannot be used to store secrets. Option D is wrong because AWS KMS is a key management service for encryption keys, not a secret storage service; it cannot store credentials or perform rotation.

261
MCQhard

A developer is troubleshooting access to an Amazon S3 bucket. The bucket policy allows access to the developer's IAM role, but the developer receives an Access Denied error when trying to upload objects. The developer is using an IAM user with access keys for API calls. What is the most likely cause?

A.The developer’s IAM user does not have s3:PutObject permission
B.The bucket policy does not include a Principal element
C.The S3 bucket is in a different region from the developer's API endpoint
D.The bucket policy allows the role ARN, but the developer is using user credentials
AnswerD

The bucket policy references the role ARN, but the developer is using IAM user credentials; thus access is denied.

Why this answer

When using IAM user credentials, the bucket policy must grant access to the IAM user ARN, not the role ARN. The developer is using user credentials, so the bucket policy should reference the user, not the role.

262
MCQmedium

A developer is building a serverless application using API Gateway and Lambda. The API must be accessible only from a specific VPC. How can the developer achieve this?

A.Use security groups to restrict access to the API Gateway.
B.Create the API Gateway inside the VPC.
C.Use CloudFront with an origin access identity to restrict access.
D.Create a VPC endpoint for API Gateway and attach a resource policy to the API that allows access only from the VPC endpoint.
AnswerD

This restricts API access to the VPC.

Why this answer

Option D is correct because resource policies on API Gateway can restrict access to a VPC or VPC endpoint. Option B is incorrect because API Gateway is a regional service and cannot be placed inside a VPC. Option A is incorrect because security groups are for EC2, not API Gateway.

Option C is incorrect because CloudFront does not restrict access to a specific VPC.

263
Multi-Selecthard

A developer is designing a microservices architecture where each service communicates over HTTPS. They need to ensure that only authorized services can invoke each other. Which TWO services can be used to manage authentication and authorization between services?

Select 2 answers
A.AWS App Mesh
B.AWS Resource Access Manager
C.AWS VPC Lattice
D.AWS Direct Connect
E.Amazon API Gateway
AnswersA, E

Supports mTLS for service authentication.

Why this answer

Option A and Option C are correct. AWS App Mesh provides service-to-service authentication using mTLS. AWS Resource Access Manager (RAM) is not correct.

API Gateway can use IAM authorization or Lambda authorizers. VPC Lattice provides service-to-service authentication. AWS Direct Connect is for dedicated network connections.

264
MCQeasy

A developer needs to grant an IAM user the ability to create and manage EC2 instances, but only in the us-east-1 region. Which IAM policy statement should be used?

A.{"Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}
B.{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
C.{"Effect": "Allow", "Action": "ec2:*", "Resource": "arn:aws:ec2:us-east-1:*:*"}
D.{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
AnswerA

Condition restricts region.

Why this answer

Option A is correct because the Condition element with ec2:Region restricts actions to a specific region. Option C is wrong because the Resource ARN cannot specify the region for EC2 instances that way. Option D is wrong because without a condition it allows all regions.

Option B is wrong because the Action is not properly scoped (ec2:Describe* cannot create or manage instances).

265
Multi-Selecteasy

A developer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. The developer wants to use AWS KMS for key management. Which TWO configurations are valid? (Choose TWO.)

Select 2 answers
A.Create a customer managed KMS key and specify it when creating the DB instance.
B.Enable encryption after the DB instance is created by modifying the DB instance.
C.Enable encryption using the default AWS managed key for RDS.
D.Use S3 server-side encryption (SSE-S3) with the RDS instance.
E.Use an AWS owned KMS key for encryption.
AnswersA, C

Customer managed keys are supported.

Why this answer

Option A is correct because you can create a customer managed KMS key and specify it when creating the DB instance. Amazon RDS for MySQL supports encryption at rest using AWS KMS, and you can choose a customer managed key at launch time. This key is used to encrypt the DB instance's storage, automated backups, read replicas, and snapshots.

Exam trap

The trap here is that candidates may think encryption can be toggled on after creation (Option B) or that AWS owned keys are a valid choice for RDS (Option E), but AWS explicitly requires encryption to be set at launch and only supports AWS managed or customer managed keys for RDS.

266
MCQhard

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to write logs to CloudWatch Logs. Which of the following is required to allow this?

A.Attach an IAM policy to the Lambda execution role with CloudWatch Logs permissions
B.Add a resource-based policy to the Lambda function
C.Configure the S3 bucket to trigger Lambda, and Lambda automatically logs to CloudWatch
D.Create an IAM role for CloudWatch Logs and assign it to the Lambda function
AnswerA

The execution role's policy must allow CloudWatch Logs actions.

Why this answer

The Lambda function's execution role must include a policy that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. This is the standard approach for Lambda logging.

267
MCQmedium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every year. Which solution meets this requirement with the LEAST operational overhead?

A.Use an AWS managed key (aws/s3) for S3 encryption.
B.Use a customer managed key and enable automatic rotation.
C.Create a customer managed key and rotate it manually every year.
D.Use an asymmetric KMS key and rotate it automatically.
AnswerA

AWS managed keys are automatically rotated every year.

Why this answer

Option A is correct because AWS managed keys (aws/s3) are automatically rotated annually with no effort. Option C requires manual rotation. Option B uses a customer managed key and requires enabling automatic rotation, which is additional operational overhead.

Option D is wrong because asymmetric keys are not used for S3 encryption.

268
MCQmedium

A company is using AWS CloudTrail to monitor API activity. A developer notices that some actions are not logged. What is a possible reason?

A.Some services are not integrated with CloudTrail.
B.CloudTrail only logs read events.
C.CloudTrail has a 24-hour delay.
D.The CloudTrail trail is not enabled in the correct region.
AnswerA

Not all services log to CloudTrail.

Why this answer

CloudTrail does not log all AWS services by default; some services must be enabled separately.

269
MCQmedium

A company is using AWS CodePipeline to deploy a web application. The pipeline must securely store and use database credentials. Which AWS service should the developer use to store the credentials and retrieve them during deployment?

A.IAM role attached to the CodePipeline service role.
B.AWS Secrets Manager.
C.AWS Systems Manager Parameter Store with a SecureString parameter.
D.Amazon DynamoDB with server-side encryption.
AnswerB

Secrets Manager is the recommended service for storing and rotating database credentials securely.

Why this answer

AWS Secrets Manager is designed to store secrets like database passwords and supports automatic rotation. It integrates with CodePipeline via Lambda functions. Option C is wrong because SSM Parameter Store can store secrets but lacks native rotation for RDS.

Option D is wrong because DynamoDB is not a secrets store. Option A is wrong because IAM roles are for AWS service access, not for storing database credentials.

270
MCQeasy

A company wants to encrypt data at rest in an S3 bucket using server-side encryption. Which option provides the MOST control over the encryption key?

A.SSE-KMS (AWS KMS keys)
B.SSE-C (customer-provided keys)
C.Client-side encryption
D.SSE-S3 (S3-managed keys)
AnswerB

The customer provides and manages the encryption keys.

Why this answer

SSE-C (customer-provided keys) gives you the most control because you manage the encryption key yourself—you provide the key in each request, and AWS discards it after use. This means you have full lifecycle control over the key material, including rotation, deletion, and access policies, without AWS ever storing the key. In contrast, SSE-KMS and SSE-S3 rely on AWS-managed or AWS-controlled key stores, reducing your direct control.

Exam trap

The trap here is that candidates confuse 'most control' with 'easiest management' and pick SSE-KMS, but the question explicitly asks for the option that provides the MOST control over the encryption key, which is SSE-C because you own and manage the key entirely.

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses AWS KMS keys, where AWS manages the key store and you share control with AWS via key policies and grants, so you do not have the most control. Option C is wrong because client-side encryption encrypts data before sending it to S3, which gives you full control over the key, but the question specifically asks about server-side encryption, so this is out of scope. Option D is wrong because SSE-S3 uses S3-managed keys (AES-256) where AWS fully manages the key lifecycle, giving you the least control over the encryption key.

271
MCQmedium

A developer is deploying an application with AWS CodeDeploy. The application needs to access a database password. Which service should be used to securely store and retrieve the password?

A.AWS Systems Manager Parameter Store
B.AWS CloudFormation template parameters
C.Amazon DynamoDB with encryption at rest
D.AWS Secrets Manager
AnswerD

Secrets Manager is purpose-built for storing secrets and supports automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to store secrets and automatically rotate them. Option A is wrong because Parameter Store can store secrets but lacks automatic rotation. Option C is wrong because DynamoDB is a database, not a secrets store.

Option B is wrong because CloudFormation is for infrastructure as code, not secret management.

272
MCQhard

A developer is designing a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. Which security group configuration meets these requirements?

A.Web tier SG allows inbound from application tier SG.
B.Web tier SG allows inbound 0.0.0.0/0 on port 80; Application tier SG allows inbound from web tier SG on port 8080.
C.Both SGs allow inbound 0.0.0.0/0 on necessary ports.
D.Web tier SG allows inbound 0.0.0.0/0 on port 80; Application tier SG allows inbound from 0.0.0.0/0 on port 443.
AnswerB

Web tier is internet-facing, app tier only from web tier.

Why this answer

Application tier security group should allow inbound traffic only from the web tier security group, not from the internet or CIDR ranges.

273
MCQhard

A developer is troubleshooting an IAM policy that is not working as expected. The policy has an Allow effect for s3:PutObject but the user gets AccessDenied. The user also has a Deny policy attached. What is the most likely reason?

A.The resource-based policy on S3 denies access
B.The Allow policy is evaluated before the Deny policy
C.An explicit Deny in an IAM policy overrides the Allow
D.An SCP denies the action
AnswerC

Explicit Deny takes precedence over any Allow.

Why this answer

Option C is correct because AWS IAM evaluates all policies (identity-based, resource-based, and SCPs) and an explicit Deny always overrides any Allow, regardless of the order in which the policies are written. In this scenario, even though the user has an Allow effect for s3:PutObject, the attached Deny policy explicitly denies the action, resulting in an AccessDenied error. This is a fundamental rule of AWS authorization logic: an explicit Deny cannot be overridden by any Allow.

Exam trap

The trap here is that candidates often assume the order of policy evaluation (Allow before Deny) matters, but AWS explicitly states that an explicit Deny overrides any Allow, making the order irrelevant.

How to eliminate wrong answers

Option A is wrong because a resource-based policy on S3 that denies access would also cause AccessDenied, but the question states the user has a Deny policy attached, making the explicit Deny in the IAM policy the most likely reason. Option B is wrong because AWS evaluates all policies in a single pass, and the order of evaluation (Allow before Deny) does not matter; the explicit Deny always takes precedence. Option D is wrong because while an SCP could deny the action, the question specifically mentions the user has a Deny policy attached, and SCPs apply at the account or OU level, not directly to the user; the most direct cause is the attached Deny policy.

274
MCQmedium

Refer to the exhibit. A developer applies this IAM policy to an IAM user. What is the effective result when the user attempts to download an object from the 'confidential' folder in the 'my-company-data' bucket?

A.The user cannot download objects from the confidential folder due to the explicit Deny.
B.The user can download objects from the confidential folder but cannot upload to it.
C.The user cannot download objects from any folder because the policy is invalid.
D.The user can download objects from the confidential folder because the Allow statement grants access.
AnswerA

Explicit Deny takes precedence over Allow.

Why this answer

The correct answer is A because IAM policies follow an explicit deny override, meaning that even if an Allow statement grants access, an explicit Deny statement for the same action will take precedence. In this policy, the Deny statement explicitly denies s3:GetObject for the 'confidential' folder (using a condition with StringLike on the ARN), so the user cannot download objects from that folder regardless of the Allow statement.

Exam trap

The trap here is that candidates often assume an Allow statement alone grants access, forgetting that an explicit Deny always takes precedence, even if the Allow appears broader or more permissive.

How to eliminate wrong answers

Option B is wrong because the explicit Deny prevents downloading, not just uploading, so the user cannot download objects from the confidential folder. Option C is wrong because the policy is valid; it contains both an Allow and a Deny statement, and IAM policies can have multiple statements as long as they are syntactically correct. Option D is wrong because while the Allow statement grants general access to the bucket, the explicit Deny for the 'confidential' folder overrides it, making the Allow ineffective for that specific path.

275
MCQeasy

A developer is using AWS Certificate Manager (ACM) to provision an SSL/TLS certificate for a website hosted on CloudFront. The certificate must be renewed automatically. What is the correct action?

A.The developer must configure a Lambda function to renew the certificate.
B.The certificate cannot be used with CloudFront; ACM certificates are only for ALB.
C.ACM automatically renews the certificate if it uses DNS validation.
D.The developer must manually request a new certificate before expiration.
AnswerC

ACM attempts to renew certificates 60 days before expiration using DNS validation.

Why this answer

ACM automatically renews certificates that use DNS validation, provided the required DNS CNAME record remains in place. CloudFront supports ACM certificates in us-east-1, and ACM handles renewal without any manual intervention or additional infrastructure like Lambda functions.

Exam trap

The trap here is that candidates assume ACM requires manual renewal or additional automation (like Lambda), but ACM's automatic renewal for DNS-validated certificates is a key managed feature tested in the DVA-C02 exam.

How to eliminate wrong answers

Option A is wrong because ACM automatically manages renewal for DNS-validated certificates; a Lambda function is unnecessary and not part of the renewal process. Option B is wrong because ACM certificates are fully supported with CloudFront (when issued in us-east-1), not limited to ALB. Option D is wrong because ACM handles automatic renewal for eligible certificates; manual re-request is only needed if validation fails or the certificate is not eligible.

276
MCQeasy

A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?

A.No additional steps are needed; the bucket policy alone is sufficient.
B.The administrator of Account B must attach an IAM policy to the user that allows the required S3 actions.
C.Create a new IAM role in Account B and have the user assume the role.
D.Enable S3 ACLs on the bucket and grant write access to the Account B user.
AnswerB

The user in Account B needs an IAM policy that explicitly grants permissions to write to the bucket. Cross-account access requires both resource-based and identity-based policies.

Why this answer

Option B is correct because cross-account access to S3 requires both a resource-based policy (the bucket policy in Account A) and a user-based policy (an IAM identity-based policy in Account B). The bucket policy grants permissions to the Account B user, but that user cannot perform actions unless their own account explicitly allows those actions via an IAM policy. Without this, the request is denied by the user's own account's implicit deny, even if the bucket policy permits it.

Exam trap

The trap here is that candidates often assume a bucket policy alone is enough for cross-account access, forgetting that the requesting user's account must also explicitly authorize the action via an IAM policy.

How to eliminate wrong answers

Option A is wrong because a bucket policy alone is insufficient for cross-account access; the user in Account B must also have an IAM policy that allows the S3 actions, as the user's account must explicitly authorize the request. Option C is wrong because creating an IAM role in Account B and having the user assume it is an alternative approach, but it is not required; the question asks for the additional step given that a bucket policy is already in place, and the simplest correct step is to attach an IAM policy to the user, not to create a role. Option D is wrong because S3 ACLs are legacy and not recommended; more importantly, ACLs grant access to AWS accounts or canonical user IDs, not to specific IAM users, and enabling ACLs does not replace the need for an IAM policy in Account B.

277
MCQhard

A company uses AWS KMS with customer managed keys to encrypt S3 objects. The security team requires automatic key rotation. What must the developer do to enable rotation?

A.Use AWS managed keys instead of customer managed keys
B.Rotation is enabled by default for all KMS keys
C.Enable automatic key rotation in the KMS key settings
D.Create a new key and update the alias to point to the new key annually
AnswerC

Automatic rotation can be enabled for customer managed keys.

Why this answer

For customer managed KMS keys, automatic rotation is off until you enable it, in the console or with `aws kms enable-key-rotation --key-id <key-id>`; the default rotation period is one year. Rotation generates new backing key material while keeping the old material, so previously encrypted data still decrypts, and the key ID and ARN do not change, so existing S3 objects and policies keep working. Option A is wrong because switching to AWS managed keys gives up control of the key policy and does not enable rotation on the customer managed key the company already uses. Option B is wrong because rotation is only automatic for AWS managed keys; customer managed keys require it to be enabled.

Option D is wrong because manual rotation through a new key and an alias update is the technique for asymmetric or imported-material keys, which do not support automatic rotation; it is unnecessary for a standard symmetric customer managed key.

278
Multi-Selectmedium

A developer is implementing a solution to encrypt data in transit for a web application running on an Application Load Balancer (ALB). Which TWO actions should the developer take?

Select 2 answers
A.Use client-side encryption in the application code.
B.Configure the ALB listener to use HTTPS protocol.
C.Enable S3 server-side encryption for application logs.
D.Add a security group rule to allow only HTTPS traffic.
E.Install an SSL/TLS certificate on the ALB.
AnswersB, E

HTTPS listener ensures traffic is encrypted using the certificate.

Why this answer

To encrypt data in transit at the load balancer, the developer installs an SSL/TLS certificate on the ALB (E), normally one issued by ACM, and configures a listener on port 443 with the HTTPS protocol that uses that certificate (B). Client-side encryption in application code (A) protects data independently of the transport and is not the ALB mechanism asked for; S3 server-side encryption for logs (C) is encryption at rest; a security group rule that allows only HTTPS (D) filters ports but encrypts nothing, although it is a sensible companion once the HTTPS listener exists. Note that traffic between the ALB and its targets is a separate hop: the target group must use HTTPS as well if that leg also needs encryption.

279
Multi-Selecthard

A developer is designing a system that uses AWS KMS to encrypt data. Which of the following are valid ways to grant a user permission to decrypt data using a KMS key? (Select TWO.)

Select 2 answers
A.Use a resource-based policy on the KMS key that grants access to the user.
B.Create a KMS grant that allows the user to decrypt the key.
C.Attach an IAM policy to the user that allows kms:Decrypt, and ensure the key policy allows the user's account.
D.Add a statement in the S3 bucket policy that allows kms:Decrypt for the user.
E.Add a statement in the key policy that allows the IAM role to perform kms:Decrypt.
AnswersC, E

IAM policies can grant KMS actions if the key policy allows.

Why this answer

Options C and E are the intended answers. A key policy statement that names the IAM role as principal (E) grants kms:Decrypt directly. An IAM identity-based policy (C) grants it only because the key policy delegates to the account, typically through the default statement that allows the account root principal to use the key; without that delegation an IAM policy alone has no effect on the key. Option D is wrong because an S3 bucket policy can only grant S3 actions; kms:Decrypt is never evaluated against it.

Options A and B are not credited by the question key, but read them carefully: the key policy is the KMS key's resource-based policy, so A restates E, and KMS grants (B) are a real mechanism for giving a principal use of a key, in the same account as well as across accounts. In practice the check for any KMS access problem is the same: confirm the key policy and the caller's IAM policy, then any grants.

280
MCQeasy

A developer needs to allow a user to deploy AWS CloudFormation stacks but restrict the user from creating or modifying IAM resources. Which IAM policy should the developer attach to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"cloudformation:*","Resource":"*"},{"Effect":"Deny","Action":"iam:*","Resource":"*"}]}
B.{"Effect":"Allow","Action":"iam:*","Resource":"*"}
C.{"Effect":"Allow","Action":"cloudformation:*","Resource":"*"}
D.{"Effect":"Deny","Action":"cloudformation:*","Resource":"*"}
AnswerA

Allows CloudFormation but denies IAM.

Why this answer

Option A is correct because it allows every CloudFormation action and adds an explicit Deny on iam:*, which overrides any Allow the user might pick up from other policies. Option B is wrong because it grants all IAM actions, the opposite of the requirement. Option C is wrong because it only allows CloudFormation; nothing in it restricts IAM, so IAM permissions granted elsewhere would still apply.

Option D is wrong because it denies CloudFormation entirely. Two practical caveats: if the stack is deployed with a CloudFormation service role, the role's permissions (not the user's) create the resources, so the Deny on the user does not stop IAM resources from being created by that stack; and without a service role CloudFormation acts with the user's permissions, so templates that declare IAM resources (CAPABILITY_IAM) will fail for this user, which is the intended outcome.

281
Multi-Selectmedium

A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?

Select 2 answers
A.Store production secrets in README files
B.Use Secrets Manager or Parameter Store SecureString instead of source code
C.Give all developers AdministratorAccess
D.Rotate secrets and use least-privilege IAM policies
AnswersB, D

Correct for the stated requirement.

Why this answer

Option B is correct because AWS Secrets Manager and Systems Manager Parameter Store SecureString are purpose-built services for storing and managing secrets such as database credentials and API keys. With secrets fetched at runtime through IAM-authorised API calls, nothing sensitive is hardcoded in source code, which removes the risk of accidental exposure through version control.

Option D is correct because rotating secrets limits how long a leaked credential remains usable, and least-privilege IAM policies limit what it can do while it is valid; together they reduce the blast radius of an exposure. Options A and C do the opposite: README files are committed to the repository, and AdministratorAccess turns any leaked developer credential into full account compromise.

Exam trap

The trap here is that candidates may think storing secrets in README files is acceptable for documentation purposes, or that broad IAM permissions like AdministratorAccess simplify management, but the DVA-C02 exam specifically tests the understanding that secrets must never be in source code and that least-privilege IAM policies reduce blast radius.

282
MCQeasy

A developer needs to allow an EC2 instance to access an S3 bucket securely without storing long-term credentials on the instance. Which AWS service should be used to provide temporary credentials?

A.Create an IAM user with S3 access and store the access key on the EC2 instance.
B.Configure a security group allowing outbound traffic to S3.
C.Attach an IAM role to the EC2 instance profile with S3 permissions.
D.Use an EC2 key pair to encrypt access to S3.
AnswerC

IAM roles provide temporary credentials via STS.

Why this answer

Option C is correct because a role attached through an instance profile lets the instance obtain short-lived credentials from STS via the instance metadata service; the credentials are rotated automatically and never need to be stored on disk. Option A is wrong because an IAM user's access key is a long-term credential that would have to be written to the instance and rotated by hand. Option B is wrong because a security group is a network filter; it cannot authenticate API calls.

Option D is wrong because EC2 key pairs are for SSH login to the instance, not for AWS API credentials. As a hardening step, require IMDSv2 (HttpTokens set to required in the instance metadata options) so that the role credentials cannot be read through a simple SSRF or proxy misconfiguration that can only issue GET requests.

283
MCQmedium

A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?

A.Bucket policy with condition aws:SourceVpc
B.Bucket policy with condition aws:SourceIp
C.Bucket ACL with VPC ID
D.VPC Endpoint policy
AnswerA

Correct. The aws:SourceVpc condition key in a bucket policy restricts access to traffic from the specified VPC.

Why this answer

Option A is correct because the `aws:SourceVpc` condition key in an S3 bucket policy allows you to restrict access to requests originating from a specific VPC. This works in conjunction with a VPC endpoint for S3 (Gateway or Interface endpoint), which ensures that traffic from the VPC to S3 stays within the AWS network and does not traverse the public internet. The condition evaluates the VPC ID from which the request originates, providing a secure, network-level access control.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` with `aws:SourceIp` or think a VPC Endpoint policy alone can restrict bucket access, but the bucket policy is the authoritative mechanism for inbound access control, while the endpoint policy governs outbound permissions from the VPC.

How to eliminate wrong answers

Option B is wrong because `aws:SourceIp` carries the public source address of a request; a request that reaches S3 through a VPC endpoint is not identified by that key (its private address is exposed as `aws:VpcSourceIp` instead), so an `aws:SourceIp` condition cannot pin access to a VPC. Option C is wrong because S3 bucket ACLs do not support VPC IDs; ACLs can only grant access to AWS accounts or predefined groups (e.g., AllUsers, AuthenticatedUsers), not to specific VPCs. Option D is wrong because a VPC endpoint policy controls what principals inside the VPC may do through that endpoint, but it does not restrict access from the bucket's perspective; the bucket policy is the mechanism that enforces inbound restrictions based on the VPC.
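A bucket policy that implements the `aws:SourceVpc` restriction described above, added here as an example and not taken from the question bank. The bucket name, the VPC ID and the BucketAdmin role ARN are placeholders. It uses a Deny with `StringNotEquals` rather than an Allow so that it fails closed: `aws:SourceVpc` is absent from requests that do not arrive through a VPC endpoint, and a negated string operator matches when its key is absent, so those requests are denied too. The second condition key exempts one administrative role so the bucket cannot lock out its own operators; condition keys inside one Condition block are ANDed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideTheVpc",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-company-data",
        "arn:aws:s3:::my-company-data/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-0a1b2c3d4e5f67890"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111111111111:role/BucketAdmin"
        }
      }
    }
  ]
}
```

The Allow still has to come from somewhere (an identity policy, or an Allow statement added to this bucket policy); this statement only removes access from outside the VPC. Create the gateway endpoint for S3 and attach it to the VPC's route tables before applying the policy, otherwise requests from inside the VPC are denied as well because they never carry the `aws:SourceVpc` key.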

284
MCQhard

Refer to the exhibit. An S3 bucket policy is set as shown. A developer tries to download an object from my-bucket using the AWS CLI from an IP address in the 203.0.113.0/24 range. What will happen?

A.The policy is invalid because of conflicting statements.
B.The download succeeds because the Allow statement matches the request.
C.The download succeeds because the Deny statement does not apply to GetObject.
D.The download fails with an AccessDenied error.
AnswerD

Explicit deny blocks all actions.

Why this answer

The correct answer is D because, in an S3 bucket policy, explicit Deny statements override any Allow statements. Even though the Allow statement grants s3:GetObject to all principals, the Deny statement explicitly denies s3:GetObject when the request originates from the 203.0.113.0/24 IP range. Since the developer's IP falls within that range, the Deny takes precedence, resulting in an AccessDenied error.

Exam trap

The trap here is that candidates often assume that an Allow statement will always grant access, forgetting that an explicit Deny for the same action from a matching condition (like a source IP) takes precedence and causes the request to fail.

How to eliminate wrong answers

Option A is wrong because the policy is valid; S3 bucket policies can contain both Allow and Deny statements, and they are evaluated with Deny taking precedence over Allow. Option B is wrong because the Allow statement does match the request, but the explicit Deny statement for the same action from the specified IP range overrides it, causing the download to fail. Option C is wrong because the Deny statement explicitly applies to s3:GetObject, as it uses a wildcard '*' for actions, which includes GetObject.

285
MCQhard

A developer is deploying an application on EC2 instances behind an Application Load Balancer (ALB). The application must authenticate users using an identity provider (IdP) that supports OpenID Connect (OIDC). What is the MOST secure way to offload authentication to the ALB?

A.Configure the ALB with an OIDC identity provider and use the authenticate-oidc action.
B.Use AWS Lambda@Edge to authenticate users at the CloudFront edge.
C.Use IAM federation to trust the IdP and assign IAM roles to users.
D.Use Amazon Cognito User Pools and configure the ALB to use Cognito as the authentication provider.
AnswerA

ALB natively supports OIDC authentication.

Why this answer

Option A is correct because ALB listener rules support the authenticate-oidc action: the load balancer redirects unauthenticated users to the IdP, validates the returned tokens, sets a session cookie and forwards the user's claims to targets in x-amzn-oidc-* headers, so the application code never handles credentials. The listener must be HTTPS, and the IdP client secret is stored in the listener rule. Option D is wrong because authenticate-cognito is the route for Cognito User Pools; the question already has an OIDC IdP, which ALB can use directly. Option C is wrong because IAM federation issues AWS credentials for API access, not sessions for a web application.

Option B is wrong because Lambda@Edge runs at CloudFront, which is not part of this architecture.

286
MCQeasy

An IAM user has the above IAM policy attached. What is the effect?

A.The user is denied access to example-bucket.
B.The user can list the objects in example-bucket.
C.The user can perform all S3 actions on example-bucket.
D.The user can read objects from example-bucket.
AnswerD

The policy allows s3:GetObject on all objects.

Why this answer

The IAM policy grants `s3:GetObject` permission on `arn:aws:s3:::example-bucket/*`, which allows reading objects from the bucket. Since there is no explicit deny and the policy only allows this single action, the user can read objects but cannot perform other actions like listing or deleting. Option D is correct because the policy explicitly permits read access to objects.

Exam trap

The trap here is that candidates assume granting `s3:GetObject` on objects implicitly allows listing the bucket, but listing requires a separate `s3:ListBucket` permission on the bucket resource.

How to eliminate wrong answers

Option A is wrong because the policy does not include a `Deny` effect for `example-bucket`; an explicit deny would be required to block all access. Option B is wrong because `s3:ListBucket` is not granted in the policy; listing objects requires the `s3:ListBucket` action on the bucket resource (`arn:aws:s3:::example-bucket`), not on objects. Option C is wrong because the policy only allows `s3:GetObject`, not all S3 actions (e.g., `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket` are missing).
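A small policy-evaluation model, written for this page as an added example (it is not AWS code and not a complete IAM implementation), that reproduces the decisions behind questions 273, 274, 276, 284 and 286: an explicit Deny in any matching statement wins, wildcards in Action and Resource are matched with glob semantics, an IpAddress condition on aws:SourceIp is checked against the request's source address, a GetObject grant on object ARNs does not cover ListBucket on the bucket ARN, and a resource-based policy suffices on its own only when caller and resource are in the same account. The account IDs, principal ARNs, bucket name and requests are made up.

```python
"""Toy model of the IAM decisions behind questions 273, 274, 276, 284 and 286.
Added example, not AWS code: it models only explicit-Deny precedence, wildcard
Action/Resource matching, aws:SourceIp conditions, and the same-account versus
cross-account rule for resource-based policies."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::my-company-data"          # made-up bucket
ALICE = "arn:aws:iam::111111111111:user/alice"   # made-up user in the bucket's account
BOB = "arn:aws:iam::222222222222:user/bob"       # made-up user in another account


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate IpAddress/NotIpAddress and StringEquals/StringNotEquals.
    As in IAM, a negated operator matches when its key is absent from the request."""
    for operator, pairs in (condition or {}).items():
        negated = "Not" in operator
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            if operator.endswith("IpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                          for v in _as_list(wanted))
            else:
                hit = actual in _as_list(wanted)
            if hit == negated:   # a positive operator needs a hit, a negated one needs a miss
                return False
    return True


def _applies(stmt, req, is_resource_policy):
    """True when Principal (resource policies only), Action, Resource and Condition all match."""
    if is_resource_policy:
        principal = stmt.get("Principal")
        allowed = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        if "*" not in allowed and req["principal"] not in allowed:
            return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]   # action names are case-insensitive
    if not any(fnmatch.fnmatchcase(req["action"].lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt.get("Resource"))):
        return False
    return _condition_matches(stmt.get("Condition"), req["context"])


def evaluate(req, identity_policies, resource_policy=None, *, same_account):
    """Return "Allow" or "Deny": any matching explicit Deny wins; same account needs an Allow
    in the identity OR the resource policy; cross account needs both; else implicit deny."""
    id_stmts = [s for p in identity_policies for s in _as_list(p["Statement"])]
    res_stmts = _as_list(resource_policy["Statement"]) if resource_policy else []

    def hit(stmts, effect, is_resource):
        return any(s["Effect"] == effect and _applies(s, req, is_resource) for s in stmts)

    if hit(id_stmts, "Deny", False) or hit(res_stmts, "Deny", True):
        return "Deny"
    id_ok, res_ok = hit(id_stmts, "Allow", False), hit(res_stmts, "Allow", True)
    allowed = (id_ok or res_ok) if same_account else (id_ok and res_ok)
    return "Allow" if allowed else "Deny"


# Q274 shape: broad Allow on the bucket plus an explicit Deny on one prefix.
CONFIDENTIAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": f"{BUCKET}/confidential/*"}]}

# Q284 shape: bucket policy with a public Allow and a source-IP Deny.
IP_BLOCK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": f"{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

# Q276 shape: account A's bucket policy names Bob in account B ...
CROSS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"}]}
# ... and account B must also allow the action on Bob's side.
ACCOUNT_B_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"}]}


def request(principal, action, resource, source_ip=None):
    """Build the request context the evaluator consumes (made-up requests)."""
    context = {"aws:SourceIp": source_ip} if source_ip else {}
    return {"principal": principal, "action": action, "resource": resource, "context": context}


def demo():
    """Map each question's scenario to the decision the model reaches."""
    obj = f"{BUCKET}/confidential/report.csv"
    return {
        "q274_get_confidential": evaluate(request(ALICE, "s3:GetObject", obj), [CONFIDENTIAL_POLICY], same_account=True),
        "q274_put_confidential": evaluate(request(ALICE, "s3:PutObject", obj), [CONFIDENTIAL_POLICY], same_account=True),
        "q286_list_bucket": evaluate(request(ALICE, "s3:ListBucket", BUCKET), [CONFIDENTIAL_POLICY], same_account=True),
        "q284_blocked_ip": evaluate(request(ALICE, "s3:GetObject", obj, "203.0.113.7"), [], IP_BLOCK_POLICY, same_account=True),
        "q284_other_ip": evaluate(request(ALICE, "s3:GetObject", obj, "198.51.100.7"), [], IP_BLOCK_POLICY, same_account=True),
        "q276_bucket_policy_only": evaluate(request(BOB, "s3:PutObject", obj), [], CROSS_BUCKET_POLICY, same_account=False),
        "q276_both_policies": evaluate(request(BOB, "s3:PutObject", obj), [ACCOUNT_B_POLICY], CROSS_BUCKET_POLICY, same_account=False),
    }
```

Running `demo()` gives Deny for the confidential GetObject, the ListBucket call, the in-range IP and the cross-account request backed only by the bucket policy, and Allow for the PutObject to the same prefix, the out-of-range IP and the cross-account request backed by both policies. The model omits SCPs, permissions boundaries and session policies, each of which adds a further gate that must also allow the request.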

287
Multi-Selectmedium

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which of the following are true about RDS encryption? (Select THREE.)

Select 3 answers
A.Encryption at rest can be enabled on an existing unencrypted DB instance.
B.Encryption at rest can be enabled when you create the DB instance.
C.Snapshots of an encrypted instance are encrypted.
D.When encryption is enabled, automated backups are encrypted.
E.Read replicas of an encrypted instance can be unencrypted.
AnswersB, C, D

Encryption is enabled at creation time.

Why this answer

Options B, C and D are correct. Encryption at rest is chosen when the DB instance is created, and once enabled it covers the underlying storage, automated backups, snapshots and read replicas. Option A is wrong because encryption cannot be turned on for an existing unencrypted instance; the supported path is to take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.

Option E is wrong because a read replica of an encrypted source must itself be encrypted (a cross-Region replica uses a KMS key in its own Region).

288
MCQeasy

A developer is encrypting an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). What is a benefit of using SSE-KMS over SSE-S3?

A.Reduced latency for encrypted object retrieval
B.Lower cost than SSE-S3
C.Ability to control access to the encryption key separately
D.Automatic encryption of objects at rest
AnswerC

SSE-KMS uses a KMS key (older documentation calls it a customer master key, CMK) whose use is governed by IAM policies and the key policy.

Why this answer

Option C is correct because with SSE-KMS the key has its own policy, so reading the data requires both s3:GetObject on the object and kms:Decrypt on the key; every use of the key is logged in CloudTrail, and revoking key access blocks reads even for principals that still hold S3 permissions. Option B is wrong because SSE-KMS adds KMS request charges (reducible with S3 Bucket Keys, but not below SSE-S3). Option D is wrong because both SSE-S3 and SSE-KMS encrypt objects at rest.

Option A is wrong because SSE-KMS adds a KMS call per request (or per bucket-key refresh), which adds latency rather than removing it.

289
MCQeasy

A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?

A.SSE-S3
B.SSE-KMS
C.SSE-C
D.Client-side encryption
AnswerB

SSE-KMS allows you to use a customer-managed KMS key for encryption.

Why this answer

SSE-KMS is the correct option because it provides server-side encryption with a customer-managed AWS KMS key, allowing the company to control key rotation, access policies, and audit usage via AWS CloudTrail. This meets the security policy requirement for encryption at rest using a customer-managed key, which SSE-S3 (using AWS-managed keys) and SSE-C (using customer-provided keys) do not fulfill.

Exam trap

The trap here is that candidates often confuse SSE-KMS with SSE-S3, assuming both use AWS-managed keys, but SSE-KMS uniquely supports customer-managed keys and additional control features like key rotation and audit logging.

How to eliminate wrong answers

Option A (SSE-S3) is wrong because it uses AWS-managed keys, not customer-managed keys, so it does not meet the policy requirement for customer control over the encryption key. Option C (SSE-C) is wrong because it requires the customer to provide their own encryption keys in each request, and AWS does not manage or store the key, which contradicts the requirement for a customer-managed AWS KMS key. Option D (Client-side encryption) is wrong because it encrypts data before sending it to S3, not at rest on the server side, and does not use S3 server-side encryption at all.

290
MCQeasy

A developer is building a web application that must encrypt data in transit. Which AWS service should be used to manage SSL/TLS certificates?

A.AWS KMS
B.AWS Secrets Manager
C.AWS CloudHSM
D.AWS Certificate Manager (ACM)
AnswerD

ACM provides and manages SSL/TLS certificates.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is specifically designed to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services (e.g., Elastic Load Balancers, CloudFront, API Gateway). It handles the full lifecycle of certificates, including renewal, which directly addresses the requirement to encrypt data in transit using HTTPS.

Exam trap

The trap here is that candidates often confuse AWS KMS (used for encryption keys for data at rest) with SSL/TLS certificate management for data in transit, leading them to select KMS instead of ACM.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for symmetric and asymmetric encryption keys used for data at rest, not for managing SSL/TLS certificates for data in transit. Option B is wrong because AWS Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates. Option C is wrong because AWS CloudHSM provides dedicated hardware security modules for generating and storing encryption keys, but it does not manage SSL/TLS certificates or integrate directly with AWS services for automatic certificate deployment and renewal.

291
Multi-Selecthard

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket despite having an IAM role with the correct permissions attached. Which THREE steps should the developer take to diagnose the issue?

Select 3 answers
A.Use the AWS CLI command 'aws sts assume-role' to test the role credentials.
B.Check the security group of the EC2 instance for outbound rules.
C.Check the IAM policy attached to the role for any explicit Deny statements.
D.Verify that the IAM role is correctly associated with the EC2 instance.
E.Modify the S3 bucket policy to grant access to the instance's security group.
AnswersA, C, D

Helps verify role trust and permissions.

Why this answer

Options A, C and D are credited. Option D checks the basic fact: the instance profile actually carries the role (describe the instance, or run aws sts get-caller-identity on the instance to see which identity its calls use). Option C checks for an explicit Deny in the role's policies, which overrides any Allow. Option A exercises the role's credentials and trust policy from outside the instance; if assume-role fails, the problem is the role itself rather than the bucket. Option E is wrong because bucket policies grant to principals, not to security groups, and changing the policy is a fix, not a diagnosis. Option B is marked wrong by the key because a security group that blocks outbound HTTPS produces connection timeouts rather than AccessDenied; in practice it is still worth checking when the failure is a hang rather than a permission error.

A check the key does not list: the bucket's own policy, a VPC endpoint policy or an SCP can each deny the request even though the role's identity policy allows it.

292
MCQeasy

A developer needs to securely store database credentials used by an application running on EC2. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3
D.AWS Certificate Manager (ACM)
AnswerA

Secrets Manager is designed for secure storage and automatic rotation of secrets like database credentials.

Why this answer

Option A is correct because Secrets Manager stores the credentials encrypted with KMS, controls retrieval with IAM, and can rotate database passwords on a schedule. Option B is wrong only in the sense that Parameter Store SecureString can hold the credentials securely but offers no built-in rotation, so Secrets Manager is the better fit for database credentials. Option D is wrong because ACM manages SSL/TLS certificates, not application secrets.

Option C is wrong because S3 is an object store; even with encryption it provides no secret lifecycle, rotation or secret-specific access model.

293
Multi-Selecteasy

A developer needs to securely transfer files from an on-premises server to an S3 bucket. Which TWO methods meet the security requirements?

Select 2 answers
A.Use the S3 sync command without any additional configuration.
B.Use AWS Transfer Family with SFTP protocol.
C.Generate a presigned URL and use it with wget.
D.Use the AWS CLI with the cp command over HTTPS.
E.Use FTP with TLS.
AnswersB, D

SFTP provides encrypted file transfers.

Why this answer

Option B is correct because AWS Transfer Family is a managed service that exposes an SFTP endpoint in front of Amazon S3; SFTP runs over SSH, so authentication and encryption in transit are handled without changing the on-premises server's existing SFTP tooling. Option D is correct because the AWS CLI talks to S3 over HTTPS by default and signs every request with the caller's credentials (SigV4), so aws s3 cp is authenticated and encrypted in transit as well.

Exam trap

The trap is dismissing Option D: the AWS CLI already uses TLS for every S3 request, so a candidate who assumes it is unencrypted eliminates a correct answer.

How to eliminate wrong answers

Option A is not credited because "without any additional configuration" is the point the question penalises; sync also uses HTTPS, but the option describes no authentication or access-control decisions. Option C is wrong because a presigned URL is a bearer credential that anyone holding it can use until it expires, and wget retrieves content rather than uploading it, so it is not a method for transferring files into the bucket. Option E is not credited because plain FTP is cleartext and the question intends SFTP; AWS Transfer Family does also offer FTPS endpoints, so FTP with TLS is not inherently insecure, but it is not the answer the key expects.

294
MCQhard

The above resource-based policy is attached to an SQS queue. An application running on an EC2 instance with the IAM role 'AppRole' tries to send a message to the queue but receives an access denied error. What is the most likely cause?

A.The SQS queue is encrypted with a KMS key that the role cannot use
B.The principal ARN in the policy is incorrect
C.The SQS queue policy does not include the correct region
D.The IAM role does not have an identity-based policy allowing sqs:SendMessage
AnswerD

The queue policy alone is not enough when the role belongs to a different account from the queue (or when the queue policy grants the account rather than the role); the role then also needs an identity-based policy allowing sqs:SendMessage.

Why this answer

When the principal named in the queue policy belongs to a different account from the queue, the request must be allowed on both sides: the queue policy (resource-based, in the queue's account) and the role's identity-based policy (in the role's account). The same applies when the queue policy grants the account root principal rather than the role, because that statement delegates the decision to IAM in that account. An explicit Deny in either policy ends the evaluation regardless. If AppRole and the queue are in the same account and the queue policy names the role's ARN directly, the queue policy alone is sufficient; in that case the developer should look instead at an explicit Deny, an SCP, or, for an encrypted queue, a missing kms:GenerateDataKey permission on the queue's key (Option A).

295
MCQmedium

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?

A.s3:x-amz-server-side-encryption
B.s3:x-amz-server-side-encryption-aws-kms-key-id
C.s3:x-amz-acl
D.s3:x-amz-storage-class
AnswerA

This condition key checks the server-side encryption header in the request, allowing you to require encryption.

Why this answer

Option A is correct because the `s3:x-amz-server-side-encryption` condition key exposes the `x-amz-server-side-encryption` request header (AES256 for SSE-S3, aws:kms for SSE-KMS) to the policy, so a Deny on s3:PutObject with a `Null` condition of true (header absent), or with `StringNotEquals` against the required value, rejects uploads that do not declare server-side encryption. One caveat: S3 now applies SSE-S3 to every new object by default, so an upload that omits the header is still encrypted at rest. What the condition enforces is that clients state the encryption type explicitly (and, with the KMS key-ID key, the specific key); uploads from tools that rely on the bucket default will be rejected.

Exam trap

The trap here is that candidates confuse the condition key for requiring encryption (`s3:x-amz-server-side-encryption`) with the key for specifying a particular KMS key (`s3:x-amz-server-side-encryption-aws-kms-key-id`), leading them to pick option B when the question only asks about enforcing the presence of any server-side encryption header.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` is used to enforce a specific KMS key ID for SSE-KMS, not to require the presence of any server-side encryption header. Option C is wrong because `s3:x-amz-acl` controls access control list settings, not encryption. Option D is wrong because `s3:x-amz-storage-class` controls the storage class (e.g., STANDARD, GLACIER), not encryption.
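An example bucket policy (added here; not from the question bank) that uses the `s3:x-amz-server-side-encryption` condition key to reject uploads that do not declare server-side encryption, with a second statement that pins the declared type to SSE-KMS. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-company-data/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyPutObjectUnlessSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-company-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

Test it with two uploads: `aws s3 cp file.txt s3://my-company-data/` is rejected with AccessDenied because the CLI sends no encryption header, while `aws s3 cp file.txt s3://my-company-data/ --sse aws:kms` succeeds. Because S3 applies SSE-S3 by default, the first upload would have been encrypted anyway; what the policy buys is an explicit, auditable statement of the encryption type, and, if you add a `StringNotEquals` on `s3:x-amz-server-side-encryption-aws-kms-key-id`, of the specific key.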

296
MCQeasy

A developer needs to temporarily grant an IAM user permissions to perform a specific task. The permissions should expire after 12 hours. Which approach should the developer use?

A.Attach a policy to the user and detach it after 12 hours.
B.Use AWS STS to generate temporary security credentials.
C.Use cross-account IAM roles.
D.Create a new IAM user with the required permissions and delete the user after 12 hours.
AnswerB

Temporary and time-limited.

Why this answer

AWS Security Token Service (STS) issues temporary credentials with a caller-chosen lifetime: AssumeRole returns credentials valid from 15 minutes up to the role's configured maximum session duration (which can be set as high as 12 hours), and GetSessionToken credentials for an IAM user can last up to 36 hours. For this requirement the developer creates a role with the needed permissions and a 12-hour maximum session duration, lets the user assume it with DurationSeconds set to 43200, and the credentials expire on their own with no manual clean-up.

Exam trap

The trap here is that candidates may confuse temporary credentials with manual policy management or cross-account roles, but the key requirement is expiry that happens by itself, within the same account, which is what STS temporary credentials provide natively.

How to eliminate wrong answers

Option A is wrong because manually attaching and detaching a policy after 12 hours requires human intervention or custom automation, which is error-prone and does not provide automatic expiration. Option C is wrong because cross-account IAM roles are designed for granting access across different AWS accounts, not for temporary permissions within the same account. Option D is wrong because creating and deleting an IAM user is an overly complex and risky approach; it also does not automatically expire permissions after exactly 12 hours without additional scripting.

297
MCQeasy

A developer is building a web application that must encrypt data in transit between the client and the server. Which AWS service should be used to offload SSL/TLS termination?

A.Application Load Balancer (ALB)
B.Amazon CloudFront
C.Network Load Balancer (NLB)
D.Amazon Route 53
AnswerA

ALB supports SSL/TLS termination.

Why this answer

An Application Load Balancer (ALB) supports SSL/TLS termination: it decrypts HTTPS traffic from clients on an HTTPS listener and forwards it to targets as plain HTTP (or re-encrypts it for HTTPS targets). This offloads the cryptographic processing from application servers, reducing their CPU load and centralizing certificate management. An ALB HTTPS listener uses certificates stored in AWS Certificate Manager (ACM) or uploaded to IAM, and the accepted protocol versions and cipher suites (including TLS 1.2 and 1.3) are chosen per listener through a security policy.

Exam trap

The trap here is assuming that because a Network Load Balancer can carry TLS traffic it is interchangeable with ALB for this job. NLB works at Layer 4: it can pass TLS through untouched or terminate it on a TLS listener, but it never sees HTTP, so it cannot do the host- and path-based routing, header handling or WAF integration a web application needs. Layer 7 HTTPS termination is what ALB (and the older Classic Load Balancer) provide.

How to eliminate wrong answers

Option B (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations; while it can terminate SSL/TLS, its primary purpose is not to offload termination for a single web application but to accelerate delivery globally, and it does not function as a load balancer for backend targets. Option C (Network Load Balancer) is wrong because NLB operates at Layer 4 (TCP/UDP/TLS); although a TLS listener can terminate TLS there, it forwards raw TCP streams and has no HTTP awareness, so it is not the service for offloading HTTPS from a web application. Option D (Amazon Route 53) is wrong because Route 53 is a DNS service that resolves domain names to IP addresses; it has no capability to terminate SSL/TLS or handle HTTPS traffic.

298
MCQhard

A developer is debugging an issue where an IAM user cannot list objects in an S3 bucket. The user has the following IAM policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket" } ] }. What is missing?

A.The Resource ARN is incorrect.
B.The bucket has a bucket policy that denies access.
C.The user needs to enable S3 ACLs.
D.The policy needs to also allow s3:GetObject on the objects.
AnswerD

s3:ListBucket (on the bucket ARN) lets the user list keys; s3:GetObject (on the object ARN) is what lets them read the objects.

Why this answer

The policy grants s3:ListBucket on the bucket ARN, which is exactly the permission the ListObjects/ListObjectsV2 API needs; on its own it is enough to list keys with `aws s3api list-objects-v2`. What it does not grant is anything at the object level: s3:GetObject on `arn:aws:s3:::example-bucket/*` is needed before the user can read (or, in the console, open or download) any of the objects the listing returns, and that is the missing statement the question is driving at. A working read-only policy therefore has two statements with two different Resource values: ListBucket on the bucket ARN and GetObject on the bucket ARN followed by `/*`.

If the listing call itself fails with this policy in place, the cause is not a missing GetObject but something outside the IAM policy shown, such as an explicit Deny in a bucket policy, a permissions boundary or an SCP.

Exam trap

The trap here is the resource scope: s3:ListBucket is a bucket-level action and must name the bucket ARN, while s3:GetObject is object-level and must name `arn:aws:s3:::example-bucket/*`. Candidates who assume one statement with the bucket ARN covers both, or who put ListBucket on the `/*` ARN, end up with a policy that lists but cannot read (or neither), and then go looking for bucket policies or ACLs that the question never mentions.

How to eliminate wrong answers

Option A is wrong because the Resource ARN 'arn:aws:s3:::example-bucket' is correct for the s3:ListBucket action, which targets the bucket itself, not individual objects. Option B is wrong because the question does not mention any bucket policy, and the IAM policy alone is sufficient to grant the listed permission; a bucket policy that denies access would be an explicit denial, but the issue is about missing permissions, not an explicit deny. Option C is wrong because S3 ACLs are not required for IAM users to list objects; IAM policies and bucket policies are the primary mechanisms for access control, and ACLs are legacy and disabled by default for new buckets.
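The two policy questions above (295 and 298) come down to a handful of IAM evaluation rules, so here is a small Python simulation of them, added as an illustration rather than code from the page or from AWS. The bucket name `example-bucket` is taken from question 298; the exact statements of the question 295 bucket policy are an assumption, since the exhibit is not reproduced, and `evaluate`, `_condition_holds` and the policy constants are names chosen for this example.

```python
"""Toy IAM evaluation for the S3 cases in questions 295 and 298.

Added illustration, not AWS code. It models only what those two
questions turn on: deny by default, a matching Deny beating any Allow,
bucket-ARN versus object-ARN resources, and the Null / StringEquals /
StringNotEquals condition operators. Principals, the bucket-policy versus
identity-policy distinction, SCPs, permission boundaries and session
policies are left out, so do not use it to reason about a real account.
"""
import re

BUCKET = "arn:aws:s3:::example-bucket"   # bucket name from question 298
OBJECTS = BUCKET + "/*"                  # object-level ARN for the same bucket
SSE_KEY = "s3:x-amz-server-side-encryption"


def _wild(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """ctx holds the condition keys present in the request and their values.

    Rule modelled: a key that is absent from the request context makes every
    operator except Null evaluate to false, which is why a StringNotEquals
    check alone never fires on a *missing* header.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" means the key must be absent for the condition to hold
                if present == (str(expected).lower() == "true"):
                    return False
            elif not present:
                return False
            elif operator == "StringEquals":
                if ctx[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if ctx[key] in _as_list(expected):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"          # a matching Deny always wins
        allowed = True
    return "allow" if allowed else "implicit_deny"


# Question 295 (assumed wording, the exhibit is not reproduced on the page):
# the caller's own Allow plus the bucket's two Deny statements. The Null deny
# rejects uploads with no SSE header; the StringNotEquals deny rejects
# uploads that send an unexpected value.
REQUIRE_SSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECTS},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {SSE_KEY: "true"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
]}

# Question 298: the policy from the question, and the same policy with the
# object-level statement the answer says is missing.
LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
]}
LIST_AND_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS},
]}

if __name__ == "__main__":
    obj = BUCKET + "/report.csv"
    print(evaluate(REQUIRE_SSE, "s3:PutObject", obj))                       # explicit_deny
    print(evaluate(REQUIRE_SSE, "s3:PutObject", obj, {SSE_KEY: "aws:kms"}))  # allow
    # Same policy without the Null statement: a header-less upload slips through.
    no_null = {"Version": "2012-10-17",
               "Statement": [REQUIRE_SSE["Statement"][0], REQUIRE_SSE["Statement"][2]]}
    print(evaluate(no_null, "s3:PutObject", obj))                           # allow
    print(evaluate(LIST_ONLY, "s3:ListBucket", BUCKET))                      # allow
    print(evaluate(LIST_ONLY, "s3:GetObject", obj))                          # implicit_deny
    print(evaluate(LIST_AND_READ, "s3:GetObject", obj))                      # allow
```

Two results are worth remembering: dropping the `Null` statement from `REQUIRE_SSE` lets a header-less upload through, because `StringNotEquals` is false when the key is absent; and `LIST_ONLY` lists fine but cannot read, which is the gap the added `s3:GetObject` statement on the `/*` ARN closes.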

299
Multi-Selecthard

A developer is deploying an application that uses Amazon SQS queues. The messages contain sensitive data that must be encrypted at rest. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A.Encrypt the messages client-side before sending to SQS.
B.Store the messages in an S3 bucket with default encryption instead of using SQS.
C.Configure the SQS queue to use a customer managed KMS key.
D.Enable server-side encryption (SSE) for the SQS queue using AWS KMS.
E.Use AWS CloudHSM to generate and store the encryption keys.
AnswersC, D

You can specify a KMS key for SSE.

Why this answer

Option C is correct because configuring an SQS queue to use a customer managed KMS key gives you control over the key lifecycle, including rotation and access policies, while still leveraging AWS KMS for server-side encryption. Option D is also correct because enabling server-side encryption (SSE) for SQS using AWS KMS encrypts messages at rest automatically, without requiring client-side changes. Together, these two actions ensure that sensitive data in SQS messages is encrypted at rest using KMS, meeting the requirement. One check a practitioner should not skip: with a customer managed key, the key policy (or the callers' IAM policies) must let producers call kms:GenerateDataKey and kms:Decrypt and consumers call kms:Decrypt on that key, otherwise SendMessage and ReceiveMessage fail with KMS access errors even though the queue setting looks correct.

Exam trap

The trap here is that candidates often think client-side encryption (Option A) is required for encryption at rest, but SQS SSE with KMS provides server-side encryption at rest without needing to modify the application code, making client-side encryption redundant for this specific requirement.

How to eliminate wrong answers

Option A is wrong because client-side encryption puts key handling into every producer and consumer when SSE already encrypts at rest. Option B is wrong because swapping SQS for S3 changes the architecture instead of securing the queue the application actually uses. Option E is wrong because SQS SSE integrates with AWS KMS, not directly with CloudHSM; generating and storing keys in CloudHSM is not a prerequisite for encrypting a queue at rest.

300
MCQhard

A developer is tasked with rotating database credentials stored in AWS Secrets Manager for an RDS MySQL instance. The rotation must occur automatically every 30 days. What is the BEST approach?

A.Store the credentials in AWS Systems Manager Parameter Store and use a scheduled Lambda to rotate them.
B.Use RDS automatic password rotation and have the application fetch the new password from RDS.
C.Use an IAM role for the RDS instance and rotate the role's credentials.
D.Configure automatic rotation in Secrets Manager using a rotation Lambda function.
AnswerD

Secrets Manager supports automatic rotation with a custom Lambda.

Why this answer

Option D is correct because Secrets Manager can rotate a secret on a schedule by invoking a rotation Lambda function; for RDS MySQL, AWS provides a ready-made rotation function template, and the rotation rule is simply set to every 30 days. Option A is wrong because Parameter Store has no built-in rotation; a scheduled Lambda can be written, but it reimplements what Secrets Manager already provides. Option B is wrong because RDS does not hand a rotated password to applications; the RDS feature that manages the master user password stores it in Secrets Manager on a fixed seven-day schedule, which points back to Secrets Manager anyway. Option C is wrong because an IAM role is not a database password; IAM database authentication for RDS is a separate mechanism and does not rotate the stored credentials the question is about.
