CCNA Security Questions

75 of 429 questions · Page 5/6 · Security · Answers revealed

301
MCQ · hard

An application uses Amazon Cognito user pools for authentication. A developer wants to restrict access to an API Gateway endpoint to only authenticated users from a specific user pool. What is the best approach?

A. Attach an IAM policy to the API Gateway resource that allows only the Cognito user pool ARN.
B. Use a Cognito User Pool authorizer in API Gateway.
C. Use an API Gateway resource policy that allows access only from the Cognito user pool.
D. Use a Lambda authorizer that validates the JWT token against the user pool.
Answer: B

API Gateway directly supports Cognito user pool authorizers for JWT validation.

Why this answer

Option B is correct because a Cognito User Pool authorizer in API Gateway is the native, fully managed way to restrict access to an API endpoint to authenticated users from a specific user pool. It automatically validates the JWT token issued by the user pool and caches the result, requiring no custom code. This approach integrates directly with API Gateway's authorization flow, ensuring only tokens from the specified user pool are accepted.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a Lambda authorizer (option D) because they think they need custom validation logic, forgetting that API Gateway has a built-in Cognito User Pool authorizer that handles JWT validation natively without any custom code.

How to eliminate wrong answers

Option A is wrong because IAM policies cannot reference a Cognito user pool ARN as a principal or resource for API Gateway; IAM policies control access based on IAM users/roles, not user pool identities. Option C is wrong because API Gateway resource policies control access by source IP, VPC, or AWS account, not by Cognito user pool tokens or user pool ARN. Option D is wrong because while a Lambda authorizer could validate a JWT against a user pool, it is unnecessary overhead and not the 'best approach' when a built-in Cognito User Pool authorizer exists that is simpler, faster, and requires no custom code.

302
MCQ · medium

A developer needs to encrypt secrets such as database passwords used by an application running on EC2. Which AWS service should be used to securely store and rotate these secrets?

A. AWS CloudHSM
B. AWS Secrets Manager
C. AWS KMS
D. AWS Systems Manager Parameter Store
Answer: B

Designed for secrets with rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate secrets such as database passwords, API keys, and other credentials. It integrates natively with AWS services like RDS, Redshift, and DocumentDB to enable automatic rotation of secrets without custom code, and it enforces encryption at rest using AWS KMS. This makes it the ideal service for the use case described, where secrets must be both stored securely and rotated automatically.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is the key requirement in this question.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules for cryptographic key storage and operations, but it does not offer a managed service for storing or rotating secrets like database passwords; it is a lower-level key management solution. Option C is wrong because AWS KMS is a key management service that creates and controls encryption keys used to encrypt data, but it does not store secrets or provide automatic rotation of secrets; it only supports automatic rotation of the KMS key itself, not the secret value. Option D is wrong because AWS Systems Manager Parameter Store can store secrets as SecureString parameters with KMS encryption, but it lacks built-in automatic rotation capabilities; any rotation would require custom implementation using AWS Lambda or other automation.

303
MCQ · medium

A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?

A. Store AWS access keys as environment variables in the task definition.
B. Create an IAM task role and reference it in the task definition using the 'taskRoleArn' parameter.
C. Create an IAM user and embed its credentials in the container image.
D. Use an S3 bucket policy that grants access based on the security group of the ECS tasks.
Answer: B

The ECS task role provides temporary credentials to the container, and the AWS SDK automatically retrieves them. This is the recommended secure practice.

Why this answer

Option B is correct because Amazon ECS with the Fargate launch type supports IAM task roles, which allow you to assign an IAM role to the ECS task itself. By referencing the IAM task role in the task definition using the 'taskRoleArn' parameter, the containerized application can securely obtain temporary credentials from the ECS container agent via the AWS STS service, adhering to the principle of least privilege without embedding long-lived credentials.

Exam trap

The trap here is that candidates may confuse IAM roles with IAM users or think that network-level controls like security groups can be used for S3 access, but AWS S3 does not evaluate security groups for authorization; only IAM policies and bucket policies are evaluated.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys as environment variables in the task definition exposes long-term credentials in plaintext, violating the principle of least privilege and increasing the risk of credential leakage. Option C is wrong because embedding IAM user credentials in the container image is a security anti-pattern that hardcodes long-lived secrets, making rotation difficult and violating best practices for container security. Option D is wrong because S3 bucket policies cannot grant permissions based on security groups; security groups are network-level constructs for EC2 instances and are not evaluated by AWS S3 for access control decisions.

304
MCQ · medium

A developer needs to allow an EC2 instance to read objects from a specific S3 bucket. Which is the MOST secure way to grant permissions?

A. Store AWS access keys in the EC2 instance's user data
B. Use an S3 bucket policy that allows access from the EC2 instance's public IP
C. Create an IAM role with S3 read permission and attach it to the EC2 instance as an instance profile
D. Attach a security group to the EC2 instance that allows S3 access
Answer: C

IAM roles provide temporary credentials and are the secure way to grant permissions to EC2.

Why this answer

Option C is correct because an IAM role with an instance profile is the recommended way to grant permissions to applications running on EC2. Option A is wrong because storing access keys in the instance's user data is insecure. Option B is wrong because an S3 bucket policy alone cannot grant permissions to an EC2 instance without an IAM role. Option D is wrong because security groups control network-level access, not S3 authorization.

305
MCQ · easy

A developer is creating an IAM policy to allow an EC2 instance to access an S3 bucket. Which AWS service should the developer use to securely provide credentials to the EC2 instance?

A. Use Amazon Cognito identity pools to generate temporary credentials for the instance.
B. Create an IAM user with access keys and store them on the instance.
C. Create an IAM role and attach it to the EC2 instance profile.
D. Store the AWS access key in AWS Secrets Manager and retrieve it at runtime.
Answer: C

IAM roles provide temporary credentials via instance profiles, which is the secure best practice for EC2.

Why this answer

IAM roles are designed to be assumed by AWS services like EC2. Instance profiles deliver temporary credentials to the EC2 instance automatically, avoiding hard-coded keys. Option B is wrong because access keys are long-term credentials and are not recommended for EC2. Option D is wrong because Secrets Manager is for application secrets, not EC2 instance credentials. Option A is wrong because Cognito identity pools are for end-user identity, not EC2 instances.

306
MCQ · medium

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the instance has an IAM role with full S3 access. The instance can access the internet. What is the most likely cause?

A. The instance is in a private subnet without a NAT gateway or VPC endpoint for S3.
B. S3 Transfer Acceleration is not enabled on the bucket.
C. The security group attached to the instance blocks outbound traffic to S3.
D. The IAM role is not correctly associated with the instance.
Answer: A

Private subnets need a NAT gateway or VPC endpoint to reach S3.

Why this answer

The most likely cause is that the EC2 instance resides in a private subnet, which has no direct route to the internet or to S3. Without a NAT gateway or a VPC endpoint for S3, the instance cannot reach the S3 API endpoints, even though it has an IAM role granting full S3 access. The instance's ability to access the internet is irrelevant if it's in a private subnet, as internet traffic must go through a NAT device or a VPC endpoint.

Exam trap

The trap here is that candidates often assume that an IAM role with full S3 access is sufficient for an EC2 instance to access S3, overlooking the critical requirement of network connectivity, especially when the instance is in a private subnet without a NAT gateway or VPC endpoint.

How to eliminate wrong answers

Option B is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using edge locations; it is not required for basic connectivity to S3. Option C is wrong because security groups by default allow all outbound traffic, and the question states the instance can access the internet, so outbound traffic to S3 is not blocked. Option D is wrong because the IAM role is correctly associated with the instance (the question states the instance has an IAM role with full S3 access), so the issue is not with the role association.

307
MCQ · hard

A company has an S3 bucket that contains sensitive data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS. Which combination of actions will enforce this?

A. Configure the bucket to use SSE-S3 by default.
B. Enable default encryption on the bucket with SSE-KMS.
C. Use a bucket policy that allows only PutObject with KMS encryption.
D. Use a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not 'aws:kms'.
Answer: D

This enforces KMS encryption on every upload.

Why this answer

Option D is correct because a bucket policy that denies PutObject requests when the `x-amz-server-side-encryption` header is not set to `aws:kms` enforces encryption at rest using AWS KMS for all uploads. This policy explicitly rejects any upload that does not include the required KMS encryption header, ensuring compliance with the security team's requirement. Default encryption settings (like SSE-S3 or SSE-KMS) can be overridden by the client, so a bucket policy is the only way to enforce encryption at the API level.

Exam trap

The trap here is that candidates often confuse default encryption with enforcement, not realizing that default encryption can be overridden by client-specified headers, whereas a bucket policy with a deny condition is the only way to mandate encryption at the API level.

How to eliminate wrong answers

Option A is wrong because configuring the bucket to use SSE-S3 by default encrypts objects with S3-managed keys, not AWS KMS, which does not meet the requirement for KMS encryption. Option B is wrong because enabling default encryption with SSE-KMS only applies when the client does not specify encryption headers; a client can still upload without KMS encryption by explicitly setting a different encryption header (e.g., `AES256`), bypassing the default. Option C is wrong because allowing only PutObject with KMS encryption does not deny requests that lack KMS encryption; it merely permits some requests, but without a deny statement, unencrypted uploads could still succeed if other permissions allow them.

308
MCQ · medium

Refer to the exhibit. A developer created an IAM role for a Lambda function. When the Lambda function invokes, it fails with an access denied error when trying to write logs to CloudWatch Logs. What is the most likely cause?

A. The trust policy does not allow the Lambda service to assume the role.
B. The CloudWatch Logs log group has a resource-based policy that denies the Lambda function.
C. The role lacks a permissions policy that allows CloudWatch Logs actions.
D. The Lambda function is not associated with this role.
Answer: C

Without a permissions policy, the role cannot perform any actions.

Why this answer

Option C is correct because the Lambda function's IAM role must include a permissions policy that grants the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` actions. Without these permissions, the Lambda runtime cannot write logs to CloudWatch Logs, resulting in an access denied error. The error occurs at invocation time when the Lambda service attempts to create or write to the log stream on behalf of the function.

Exam trap

The trap here is that candidates often confuse trust policies with permissions policies, assuming that if the role is assumed successfully, all subsequent API calls will work, but the trust policy only governs role assumption, not the actions the role can perform.

How to eliminate wrong answers

Option A is wrong because the trust policy is what allows the Lambda service to assume the role; if it were missing or incorrect, the error would be 'Lambda cannot assume the role' rather than an access denied on CloudWatch Logs writes. Option B is wrong because CloudWatch Logs log groups do not have resource-based policies by default; such policies are optional and typically used for cross-account access, not for denying a function that already has the correct role. Option D is wrong because the question states the developer created the role for the Lambda function, implying the function is associated with it; if it were not associated, the error would be about missing execution role or permissions, not specifically CloudWatch Logs access denied.

309
MCQ · medium

A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?

A. Create an IAM user with programmatic access, store the access key and secret key in a configuration file on the EC2 instance.
B. Store the DynamoDB credentials in AWS Systems Manager Parameter Store as a SecureString, and retrieve them from the EC2 instance at runtime.
C. Create an IAM role with the necessary DynamoDB permissions, and attach the role to the EC2 instance profile. The SDK will automatically retrieve temporary credentials from the instance metadata.
D. Use a Lambda function to generate temporary credentials for the EC2 instance and pass them via user data at launch.
Answer: C

An IAM role provides temporary credentials that are automatically rotated. The EC2 instance retrieves them via the instance metadata service, eliminating the need for long-term credentials.

Why this answer

Option C is correct because it uses an IAM role attached to the EC2 instance profile, which allows the AWS SDK to automatically retrieve temporary credentials from the instance metadata service (IMDS). This follows the principle of least privilege by granting only the necessary DynamoDB permissions and eliminates the need to store any long-term credentials on the instance, as the credentials are rotated automatically by AWS STS.

Exam trap

The trap here is that candidates may choose Option B (Parameter Store) thinking it securely stores credentials, but they overlook that the instance still needs an IAM role to access Parameter Store, and the retrieved credentials are static rather than automatically rotated temporary credentials, which fails the 'no long-term credentials' requirement.

How to eliminate wrong answers

Option A is wrong because storing an IAM user's access key and secret key in a configuration file on the EC2 instance violates the requirement of no long-term credentials on the instance and increases the risk of credential exposure. Option B is wrong because while Parameter Store can securely store credentials, the EC2 instance would still need an IAM role or long-term credentials to retrieve them, and the retrieved credentials (if stored as a SecureString) are static, not temporary, thus not fully meeting the 'no long-term credentials' requirement. Option D is wrong because using a Lambda function to generate temporary credentials and passing them via user data at launch would require the instance to store those credentials locally, and the credentials would not be automatically rotated or refreshed, leading to potential security issues and operational complexity.

310
MCQ · hard

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The bucket policy also grants access to the role. An application running on the instance is unable to read objects. The instance has the correct instance profile. What is the MOST likely cause?

A. The bucket policy has a condition that does not match the request context.
B. The EC2 instance's security group blocks outbound traffic to S3.
C. The S3 bucket is in a different AWS account.
D. The instance profile is not attached to the EC2 instance.
Answer: A

Conditions can cause implicit denies even if the role is allowed.

Why this answer

The most likely cause is that the bucket policy includes a condition (e.g., aws:SourceIp, aws:SourceVpce, or aws:SecureTransport) that does not match the request context from the EC2 instance. Even though the IAM role grants access, the bucket policy's explicit condition denies the request if the condition key evaluates to false, resulting in an implicit deny. This is a common misconfiguration where the role has permissions but the bucket policy's conditions are too restrictive.

Exam trap

The trap here is that candidates often overlook bucket policy conditions and assume that if the IAM role has S3 permissions and the instance profile is attached, access should work, ignoring that bucket policies can impose additional restrictions that override role permissions.

How to eliminate wrong answers

Option B is wrong because security groups operate at the network layer (stateful filtering) and do not block outbound traffic to S3 by default; S3 uses HTTPS (TCP/443) which is typically allowed, and security groups do not inspect application-layer conditions. Option C is wrong because cross-account access is fully supported with proper IAM roles and bucket policies; the bucket being in a different account would not inherently cause failure if permissions are correctly configured. Option D is wrong because the question explicitly states the instance has the correct instance profile, so the instance profile attachment is not the issue.

311
MCQ · easy

What is required for the Lambda function to access the code in the S3 bucket?

A. The S3 bucket policy must grant access to the Lambda service.
B. The Lambda function must be in a VPC with an S3 VPC endpoint.
C. The S3 bucket must be configured as a static website with CloudFront.
D. The Lambda execution role must have s3:GetObject permission on the S3 bucket.
Answer: D

The role needs permission to read the code.

Why this answer

Lambda functions access code stored in S3 buckets using an IAM execution role. The execution role must include the `s3:GetObject` permission for the specific bucket and object path to allow the Lambda service to download the deployment package. Without this permission, the Lambda function will fail with an access denied error during initialization.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM roles), assuming a bucket policy granting access to the Lambda service principal is sufficient, when in fact the Lambda execution role must explicitly have the `s3:GetObject` permission.

How to eliminate wrong answers

Option A is wrong because the S3 bucket policy granting access to the Lambda service is not sufficient; the Lambda execution role must also have the necessary IAM permissions, and the bucket policy alone does not authorize the Lambda function's principal. Option B is wrong because placing the Lambda function in a VPC with an S3 VPC endpoint is only required when the Lambda function needs to access S3 without traversing the public internet, but it is not a requirement for the Lambda function to access its own code in S3; the default public S3 endpoint works without a VPC. Option C is wrong because configuring the S3 bucket as a static website with CloudFront is unrelated to Lambda's code retrieval; Lambda downloads the deployment package directly from S3 via the S3 API, not through a website or CloudFront.

312
Multi-Select · medium

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and in transit. Which THREE measures should be implemented?

Select 3 answers
A. Use HTTPS for all requests to S3
B. Enable server-side encryption (SSE) on the S3 bucket
C. Add a bucket policy that denies requests without encryption in transit
D. Use client-side encryption
E. Enable MFA Delete on the bucket
Answers: A, B, C

Encrypts data in transit.

Why this answer

Option A is correct because HTTPS encrypts data in transit between the client and S3 using TLS, ensuring confidentiality and integrity during transmission. This satisfies the requirement for encryption in transit, as HTTP requests would send data in plaintext.

Exam trap

The trap here is that candidates may confuse client-side encryption as a bucket-level security measure, but it is an application-side implementation that does not enforce encryption at the S3 bucket level, and MFA Delete is a red herring unrelated to encryption requirements.

313
MCQ · medium

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

A. The S3 bucket does not have versioning enabled.
B. The Lambda function's execution role does not have an explicit allow for s3:GetObject.
C. The Lambda function is not in the same AWS region as the S3 bucket.
D. The Lambda function does not have kms:Decrypt permission on the KMS key used by the bucket.
Answer: D

SSE-KMS requires both S3 read permissions and KMS decrypt permission. The bucket policy does not grant KMS permissions; the KMS key policy must allow the Lambda execution role.

Why this answer

When an S3 bucket uses SSE-KMS, the Lambda function must have explicit kms:Decrypt permission on the KMS key to decrypt the object after s3:GetObject retrieves the encrypted data. Even though the bucket policy and execution role allow s3:GetObject, the missing KMS permission causes an Access Denied error because S3 returns the encrypted object and the Lambda runtime cannot decrypt it without the key.

Exam trap

The trap here is that candidates focus on the S3 bucket policy and IAM role for s3:GetObject, overlooking that SSE-KMS introduces a separate KMS authorization layer that must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because S3 versioning is unrelated to access permissions or KMS decryption; it controls object version retention, not read access. Option B is wrong because the scenario explicitly states the execution role includes an IAM policy that allows s3:GetObject, so an explicit allow exists. Option C is wrong because cross-region access between Lambda and S3 is fully supported; region mismatch does not cause Access Denied errors unless the bucket policy explicitly restricts by source IP or VPC, which is not mentioned.

314
MCQ · medium

Refer to the exhibit. A developer runs the AWS CLI command to decrypt a file using a KMS key. The command fails with an AccessDeniedException. What is the most likely cause?

A. The IAM user 'DevUser' does not have the kms:Decrypt permission on the KMS key.
B. The ciphertext blob is not base64-encoded.
C. The KMS key is disabled.
D. The KMS key ID is incorrect.
Answer: A

The error explicitly says the user is not authorized to perform kms:Decrypt.

Why this answer

The AccessDeniedException indicates that the IAM user 'DevUser' lacks the required kms:Decrypt permission on the specified KMS key. KMS key policies and IAM policies work together to control access; without an explicit allow for kms:Decrypt on that key, the API call is denied regardless of other permissions.

Exam trap

The trap here is that candidates often confuse AccessDeniedException with other KMS errors like InvalidCiphertextException or DisabledException, but the exam expects you to recognize that only a missing permission produces an AccessDeniedException when the key exists and is enabled.

How to eliminate wrong answers

Option B is wrong because the AWS CLI decrypt command automatically handles base64 decoding of the ciphertext blob if the --ciphertext-blob parameter is provided as a file or base64-encoded string; an incorrect encoding would produce a ValidationError, not AccessDeniedException. Option C is wrong because a disabled KMS key would return a DisabledException, not AccessDeniedException. Option D is wrong because an incorrect key ID would result in a NotFoundException or InvalidKeyIdException, not AccessDeniedException.

315
MCQ · medium

A developer is writing a Lambda function that needs to access an RDS database. The function currently fails with a timeout. What is the most likely cause?

A. The Lambda function is not in the same VPC as the RDS instance
B. The Lambda function has a cold start delay
C. The RDS instance is not publicly accessible
D. The Lambda function does not have an IAM role granting RDS access
Answer: A

Without VPC connectivity, the Lambda function cannot reach the RDS instance, causing a timeout.

Why this answer

Option A is correct: if the Lambda function is not attached to the RDS instance's VPC, or is attached without a working VPC configuration (NAT gateway or VPC endpoints), it cannot reach the database, so the connection attempt hangs until the function times out. Option C (the RDS instance not being publicly accessible) is possible but less likely than a VPC connectivity issue. Option D (a missing IAM role) would cause an access denied error, not a timeout. Option B (a cold start) adds startup latency but would not cause a timeout connecting to RDS.

316
Multi-Select · easy

A developer is using AWS KMS to encrypt data. Which TWO are valid operations that can be performed using KMS?

Select 2 answers
A. Store customer-managed keys on an HSM in your data center.
B. Generate data keys for envelope encryption.
C. Hash data using a keyed hash function.
D. Encrypt data using a customer master key.
E. Generate SSL/TLS certificates for a domain.
Answers: B, D

KMS generates data keys via GenerateDataKey API.

Why this answer

Option D is correct because KMS can encrypt data directly with a customer master key (up to 1 KB). Option B is correct because KMS can generate data keys for envelope (client-side) encryption. Option E is wrong because KMS does not issue or host SSL/TLS certificates. Option C is wrong because KMS does not hash data. Option A is wrong because KMS does not provide a key store for customer-managed keys outside AWS.

317
MCQ · hard

A developer notices that an IAM user has permissions to terminate EC2 instances, but the user should only be allowed to stop instances. The developer needs to update the policy to prevent termination while allowing stop. Which IAM policy statement should be added?

A. {"Effect":"Deny","Action":"ec2:TerminateInstances","Resource":"*"}
B. {"Effect":"Allow","Action":"ec2:TerminateInstances","Resource":"*"}
C. {"Effect":"Allow","Action":["ec2:StopInstances","ec2:TerminateInstances"],"Resource":"*"}
D. {"Effect":"Allow","Action":"ec2:RebootInstances","Resource":"*"}
Answer: A

An explicit Deny blocks termination.

Why this answer

Option A is correct because a Deny statement for ec2:TerminateInstances explicitly blocks termination, overriding any Allow. Option B is wrong because it allows termination. Option C is wrong because it allows both stopping and terminating. Option D is wrong because ec2:RebootInstances is unrelated to the requirement.

318
MCQ · easy

A developer is troubleshooting an issue where an IAM role assumed by an EC2 instance does not have permission to call the DynamoDB PutItem API. The role has a policy that allows all DynamoDB actions on a specific table. Which of the following is the most likely cause?

A. The IAM role has not been attached to the EC2 instance profile.
B. The DynamoDB table is not in the same region as the EC2 instance.
C. The IAM role policy does not include the 'dynamodb:PutItem' action or the resource ARN is incorrect.
D. The EC2 instance does not have the necessary network connectivity to DynamoDB.
Answer: C

If the policy is missing the action or has wrong ARN, the API call will be denied.

Why this answer

Option C is correct because the most likely cause is that the IAM role's policy either does not explicitly include the 'dynamodb:PutItem' action or the resource ARN is incorrectly specified. Even if the policy allows all DynamoDB actions (e.g., via 'Action': 'dynamodb:*'), a missing or mismatched resource ARN (such as not targeting the specific table ARN) will cause the API call to fail with an access denied error. The developer should verify that the policy statement includes the correct action and that the Resource element points to the exact DynamoDB table ARN.

Exam trap

The trap here is that candidates often assume a policy with 'dynamodb:*' automatically grants all actions, but they overlook that the resource ARN must exactly match the table being accessed, or that the policy might be missing the specific action name if it's not a wildcard.

How to eliminate wrong answers

Option A is wrong because if the IAM role were not attached to the EC2 instance profile, the instance would not have any AWS credentials at all, resulting in an 'Access Denied' or 'No credentials' error, not a specific permission issue with DynamoDB PutItem. Option B is wrong because DynamoDB is a global service and IAM policies do not require the table to be in the same region as the EC2 instance; cross-region access is fully supported as long as the resource ARN in the policy matches the table's region. Option D is wrong because network connectivity issues (e.g., missing VPC endpoints, security group rules, or internet gateway) would cause a timeout or connection error, not an IAM permission error; the error message for a permission issue is distinct (e.g., 'AccessDeniedException').

319
MCQ · hard

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. However, the application receives an AccessDenied error. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/AppRole" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*" } ] } The EC2 instance is using the correct IAM role. What is the most likely cause of the error?

A. The bucket uses default encryption with SSE-S3, and the application does not support it.
B. The IAM role attached to the EC2 instance has a different ARN than the one specified in the bucket policy.
C. The IAM role policy allows s3:GetObject, but the bucket policy also must allow it, which it does.
D. The bucket policy requires MFA, but the application does not provide it.
Answer: B

Mismatch in role ARN causes denial.

Why this answer

Option B is correct because the bucket policy explicitly allows only the role with the exact ARN 'arn:aws:iam::123456789012:role/AppRole'. If the instance's role ARN is different, the request is denied. Option A is wrong because SSE-S3 does not affect GetObject requests.

Option D is wrong because MFA is not specified in the error. Option C is wrong because IAM role policies and bucket policies are evaluated separately; an Allow in the bucket policy must match the requesting principal.

320
Multi-Select · easy

A developer needs to securely store database credentials and retrieve them programmatically from a Lambda function. Which AWS services can be used for this purpose? (Choose TWO.)

Select 2 answers
A. AWS Systems Manager Parameter Store (SecureString)
B. AWS Secrets Manager
C. AWS CloudFormation
D. AWS Identity and Access Management (IAM)
E. Amazon S3
Answers: A, B

Can store encrypted parameters.

Why this answer

Options A and B are correct. AWS Systems Manager Parameter Store (SecureString) and AWS Secrets Manager are designed to securely store secrets and retrieve them programmatically. Option C (CloudFormation) is for infrastructure as code.

Option E (S3) is for object storage, not secure secrets management. Option D (IAM) is for permissions, not for storing secrets.

321
MCQ · medium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?

A. s3:x-amz-server-side-encryption-aws-kms-key-id
B. kms:EncryptionContext
C. s3:EncryptionAlgorithm
D. kms:GrantOperations
Answer: A

This condition checks the KMS key ID used for SSE-KMS encryption, allowing you to enforce a specific key.

Why this answer

Option A is correct because the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key allows you to enforce that a specific KMS key ID (e.g., `xyz`) is used for server-side encryption with AWS KMS (SSE-KMS). By including this condition in a bucket policy with a `Deny` effect, any `PutObject` request that does not specify the required key ID will be denied, meeting the security team's requirement.

Exam trap

The trap here is confusing S3-specific condition keys (like `s3:x-amz-server-side-encryption-aws-kms-key-id`) with KMS condition keys (like `kms:EncryptionContext`), leading candidates to pick a KMS condition key that does not apply to S3 bucket policies.

How to eliminate wrong answers

Option B is wrong because `kms:EncryptionContext` is a condition key used to control access based on the encryption context in KMS API calls (e.g., `Encrypt`, `Decrypt`), not to enforce the KMS key ID used for S3 object encryption. Option C is wrong because `s3:EncryptionAlgorithm` is not a valid S3 condition key; S3 uses `s3:x-amz-server-side-encryption` to specify the encryption type (e.g., AES256 or aws:kms), not the algorithm. Option D is wrong because `kms:GrantOperations` is a condition key used to restrict the operations allowed in a KMS grant, not to enforce the KMS key ID in S3 PutObject requests.

322
MCQ · easy

A developer wants to encrypt data in transit between an application and an S3 bucket. Which option achieves this?

A. Enable server-side encryption with S3 managed keys (SSE-S3).
B. Configure an IAM policy to require encryption.
C. Use HTTPS when making requests to S3.
D. Use AWS KMS to encrypt the data before upload.
Answer: C

HTTPS encrypts data in transit.

Why this answer

Option C is correct because HTTPS provides encryption in transit. Option A is wrong because SSE-S3 encrypts at rest, not in transit. Option D is wrong because encrypting the data with KMS before upload protects it at rest, not in transit.

Option B is wrong because IAM is for access control.

323
MCQ · easy

A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. Amazon S3 with server-side encryption
D. Amazon DynamoDB
Answer: A

Secrets Manager is purpose-built for secrets management.

Why this answer

Option A is correct because AWS Secrets Manager is designed to store and rotate secrets. Option B is wrong because Parameter Store can store secrets but is not as feature-rich for rotation. Option D is wrong because DynamoDB is a database, not a secret store.

Option C is wrong because S3 is not secure by default for secrets.

324
MCQ · medium

A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?

A. Store the secret in an environment variable.
B. Attach an IAM role to the EC2 instance with permission to access Secrets Manager.
C. Embed the secret in the application code.
D. Use a configuration file stored in S3 with bucket policy.
Answer: B

IAM roles provide temporary credentials securely; the application can use the AWS SDK to fetch secrets without hardcoding.

Why this answer

Attaching an IAM role to the EC2 instance is the most secure method because it leverages temporary security credentials obtained via the EC2 instance metadata service (IMDS). This eliminates the need to hardcode, embed, or store any long-term credentials on the instance, adhering to the AWS Well-Architected Framework's security pillar. The IAM role's policy grants the instance precise permissions to call Secrets Manager APIs like GetSecretValue, ensuring least privilege.

Exam trap

The trap here is that candidates may think environment variables or S3 configuration files are secure enough, but the exam emphasizes that any form of static credential storage (including environment variables) is insecure compared to IAM roles, which provide automatic, temporary, and rotated credentials.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment variable still exposes the secret in plaintext within the instance's process space and can be read by any user or process with access to the environment, violating security best practices. Option C is wrong because embedding the secret in application code hardcodes the credential, making it visible in source control, logs, or binary analysis, and prevents rotation without redeployment. Option D is wrong because using a configuration file stored in S3 with a bucket policy does not inherently provide secure access; the EC2 instance would still need credentials to retrieve the file, and the bucket policy alone cannot grant permissions to the instance without an IAM role or user, while also exposing the secret in transit and at rest if not encrypted.

325
MCQ · hard

A company uses AWS KMS with imported key material. The key material is expired. What must the developer do to continue using the KMS key?

A. Use the existing key until it expires
B. Create a new KMS key and re-import the same key material
C. Enable automatic key rotation
D. Delete the existing key and create a new one with new key material
Answer: D

You must create a new key and import new key material.

Why this answer

Option D is correct because imported key material has an expiration date; you must reimport new key material before it expires. Option A is wrong because the key cannot be used after expiration. Option C is wrong because automatic key rotation is not supported for imported key material.

Option B is wrong because you cannot change the key material of an existing KMS key.

326
MCQ · hard

An organization wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The security team needs to deny any console access if MFA is not enabled. Which IAM policy statement should be used?

A. Deny action '*' unless 'aws:MultiFactorAuthPresent' is true.
B. Deny action '*' if 'aws:MultiFactorAuthPresent' is false.
C. Deny action '*' if 'aws:MultiFactorAuthPresent' is false using BoolIfExists.
D. Allow action '*' if 'aws:MultiFactorAuthPresent' is true.
Answer: B

This explicitly denies access when MFA is not present.

Why this answer

Option B is correct because it uses a Deny statement with the condition 'aws:MultiFactorAuthPresent' set to 'false', which explicitly blocks any action when MFA is not present. This is the standard approach to enforce MFA for console access, as it overrides any Allow policies by default. The Deny effect ensures that even if other policies grant access, the lack of MFA results in denial.

Exam trap

The trap here is that candidates confuse 'Deny' with 'Allow' logic or misuse 'BoolIfExists' thinking it handles missing keys, but for console access the key is always present, so 'Bool' is required to correctly enforce the denial.

How to eliminate wrong answers

Option A is wrong because it uses 'unless' syntax, which is not valid in IAM policy language; IAM uses condition operators like 'Bool', 'StringEquals', etc., not 'unless'. Option C is wrong because 'BoolIfExists' is used when the condition key might not exist (e.g., for API calls that don't support MFA), but for console access the key is always present, so 'Bool' is appropriate and 'BoolIfExists' could inadvertently allow access if the key is missing. Option D is wrong because an Allow statement alone cannot enforce denial; it would only grant access when MFA is present but would not block access when MFA is absent if other policies allow it, and it fails to explicitly deny non-MFA access.

327
MCQ · medium

A company uses AWS Secrets Manager to rotate database credentials. The rotation process uses a Lambda function that updates the secret. The developer notices that the rotation sometimes fails because the Lambda function does not have permission to update the secret. What is the MOST likely cause?

A. The secret has a resource-based policy that denies the Lambda function.
B. The Lambda function's execution role does not have the necessary IAM permissions to update the secret.
C. The KMS key used to encrypt the secret is not accessible by the Lambda function.
D. The Lambda function is not in the same VPC as the Secrets Manager endpoint.
Answer: B

The execution role must allow secretsmanager:PutSecretValue.

Why this answer

Option B is correct because the Lambda function's execution role needs permissions to update the secret. Option D is wrong because rotation does not require VPC endpoints. Option A is wrong because the secret itself does not have a resource policy blocking access.

Option C is wrong because KMS key permissions are for encryption, not secret update.

328
MCQ · hard

A company uses IAM roles to grant permissions to EC2 instances. The security team notices that an instance is using a role that has administrator privileges, which is a security risk. What is the BEST way to restrict the instance's permissions without disrupting the application?

A. Remove the existing role from the instance and let the application fail.
B. Create a new IAM role with only required permissions, attach it to the instance profile, and update the instance to use the new profile.
C. Modify the trust policy of the existing role to deny access to the instance.
D. Attach a permissions boundary to the existing role that limits the maximum permissions.
Answer: B

This isolates the change to the specific instance and allows the application to continue.

Why this answer

Option B is correct because creating a new role with only the necessary permissions and updating the instance profile allows the application to continue with minimal disruption. Option A would cause downtime. Option C affects all instances using that role.

Option D is not sufficient because the application might still use the previous role until restarted.

329
MCQ · hard

A company wants to encrypt data at rest in an Amazon RDS for PostgreSQL database. The database is already running, and the company wants to enable encryption without significant downtime. Which approach should be taken?

A. Take a snapshot of the database and enable encryption on the snapshot.
B. Take a snapshot, copy the snapshot with encryption, and restore a new encrypted instance from the encrypted snapshot.
C. Modify the RDS instance and enable encryption in the configuration.
D. Create a read replica with encryption and promote it.
Answer: B

This is the standard process to enable encryption on an existing RDS instance.

Why this answer

Option B is correct because you cannot encrypt an existing unencrypted RDS instance in place; you must create a snapshot, copy it with encryption, and restore a new encrypted instance. Option C is wrong because you cannot modify the instance to enable encryption directly. Option D is wrong because you cannot attach a KMS key to an existing unencrypted instance.

Option A is wrong because you cannot encrypt an existing snapshot in place; you must copy it with encryption.

330
MCQ · medium

A company uses AWS KMS to encrypt data at rest. A developer wants to allow a Lambda function to decrypt data using a KMS key. What is the minimum permissions required?

A. kms:Decrypt on all keys.
B. kms:Encrypt and kms:Decrypt on the key.
C. kms:Decrypt on the key in the Lambda execution role.
D. Full access to KMS.
Answer: C

Decrypt is needed, and the key must be specified.

Why this answer

The Lambda function's execution role needs kms:Decrypt permission for the specific key.

331
MCQ · easy

A developer is troubleshooting an S3 bucket policy that is denying all access. The policy has an explicit Deny for s3:PutObject. What is the most likely reason for the denial even though an Allow exists?

A. The bucket policy has an explicit Deny for all actions.
B. The user is not authorized because the bucket is in a different account.
C. IAM evaluates explicit Deny before Allow.
D. The AWS account root user has denied access.
Answer: C

Explicit Deny always overrides Allow.

Why this answer

IAM evaluates explicit Deny before Allow, so an explicit Deny overrides any Allow.

332
Multi-Select · medium

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS databases. Which TWO actions are required to secure the database instances?

Select 2 answers
A. Configure security groups to allow only necessary traffic from application servers.
B. Attach an IAM role to the RDS instance to control access.
C. Use network ACLs to allow inbound traffic on port 3306 from anywhere.
D. Place the RDS instances in public subnets with a route to an internet gateway.
E. Place the RDS instances in private subnets.
Answers: A, E

Security groups act as a virtual firewall for the database.

Why this answer

Option E is correct because placing RDS in a private subnet prevents direct internet access. Option A is correct because security groups control inbound traffic to the database. Option D is wrong because public subnets would expose the database.

Option C is wrong because NACLs are stateless and not the primary security mechanism for RDS. Option B is wrong because IAM roles are not used to connect to RDS (user/password or IAM database authentication).

333
Multi-Select · medium

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which options are managed by AWS KMS? (Choose TWO.)

Select 2 answers
A. SSE-S3
B. SSE-KMS
C. Envelope encryption with KMS
D. SSE-C
E. Client-side encryption
Answers: B, C

SSE-KMS uses AWS KMS for key management.

Why this answer

SSE-KMS (option B) is a server-side encryption option where AWS KMS manages the customer master key (CMK) used to encrypt S3 objects. Envelope encryption with KMS (option C) is the underlying mechanism used by SSE-KMS, where a data key is generated by KMS to encrypt the object, and that data key is then encrypted by the CMK. Both options involve AWS KMS managing the encryption keys, making them the correct choices for the question.

Exam trap

The trap here is that candidates often confuse SSE-S3 (which is server-side encryption but not KMS-managed) with SSE-KMS, or they think envelope encryption is a separate client-side concept rather than the core mechanism of SSE-KMS.

334
MCQ · medium

A company wants to encrypt data in transit between an Application Load Balancer and its EC2 instances. The instances run a custom web server. Which configuration should the developer implement?

A. Configure the ALB listener with a TLS certificate and set the target group protocol to HTTPS. Install the server certificate on the EC2 instances.
B. Use AWS Certificate Manager to issue a certificate for the EC2 instances and configure the web server to use it.
C. Configure the ALB listener with a TLS certificate and set the target group protocol to HTTP.
D. Enable client certificate authentication on the ALB.
Answer: A

This encrypts traffic between ALB and instances.

Why this answer

To encrypt data in transit between an Application Load Balancer (ALB) and EC2 instances, the ALB listener must be configured with a TLS certificate for client-to-ALB encryption, and the target group protocol must be set to HTTPS to enable encryption between the ALB and the instances. The EC2 instances must have a server certificate installed (e.g., from ACM or self-signed) to terminate the TLS connection, ensuring end-to-end encryption. This setup allows the ALB to re-encrypt traffic after decrypting it from the client, using HTTPS for the backend connection.

Exam trap

The trap here is that candidates often assume setting the ALB listener to HTTPS alone encrypts the entire path, forgetting that the target group protocol must also be HTTPS to encrypt the ALB-to-instance traffic, or they mistakenly think ACM certificates can be directly installed on EC2 instances.

How to eliminate wrong answers

Option B is wrong because AWS Certificate Manager (ACM) cannot issue certificates directly to EC2 instances; ACM certificates are designed for use with AWS services like ALB, CloudFront, or API Gateway, and cannot be exported for installation on custom web servers. Option C is wrong because setting the target group protocol to HTTP sends unencrypted traffic between the ALB and EC2 instances, failing to encrypt data in transit as required. Option D is wrong because client certificate authentication on the ALB is used for mutual TLS (mTLS) to verify client identity, not for encrypting data in transit between the ALB and backend instances.

335
Multi-Select · medium

Which TWO actions can help protect an S3 bucket from data leaks? (Choose two.)

Select 2 answers
A. Enable versioning.
B. Enable default encryption.
C. Enable MFA Delete.
D. Block public access at the bucket level.
E. Configure cross-region replication.
Answers: B, D

Encrypts data at rest to protect against unauthorized access.

Why this answer

Options B and D are correct. Option D: Blocking public access prevents accidental public exposure. Option B: Enabling default encryption ensures data is encrypted at rest.

Option A is wrong because versioning helps with recovery, not leak prevention. Option C is wrong because MFA Delete prevents unauthorized deletion, not leaks. Option E is wrong because cross-region replication is for redundancy, not leak prevention.

336
Multi-Select · easy

Which TWO services can be used to encrypt data at rest in Amazon S3? (Choose two.)

Select 2 answers
A. SSE-KMS
B. AWS IAM
C. AWS Certificate Manager (ACM)
D. AWS CloudHSM
E. SSE-S3
Answers: A, E

AWS KMS-managed keys.

Why this answer

Options A and E are correct. Option E: SSE-S3 uses S3-managed keys. Option A: SSE-KMS uses AWS KMS for key management.

Option D is wrong because CloudHSM is not directly integrated with S3 for encryption. Option B is wrong because IAM is an access management service, not encryption. Option C is wrong because ACM is for SSL/TLS certificates, not encryption at rest.

337
MCQ · medium

A developer runs the commands above. The key is disabled. An application that uses this key to encrypt S3 objects starts failing. What should the developer do to fix the issue?

A. Delete the key and recreate it
B. Create a new KMS key and update the application to use it
C. Enable the KMS key
D. Enable automatic key rotation
Answer: C

Enabling the key will allow the application to use it again.

Why this answer

The key is disabled, so enabling it will restore functionality. Option B (create a new key) would require updating the application. Option D (rotate the key) is not necessary.

Option A (delete the key) would make things worse.

338
MCQ · medium

A developer is creating a new IAM policy to allow an application to read objects from a specific S3 bucket and write logs to a CloudWatch log group. Which policy statement is correct?

A. {"Effect":"Allow","Action":["ec2:DescribeInstances"],"Resource":"*"}
B. {"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"arn:aws:s3:::my-bucket/*"}
C. {"Effect":"Allow","Action":["s3:GetObject","logs:CreateLogStream","logs:PutLogEvents"],"Resource":["arn:aws:s3:::my-bucket/*","arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:*"]}
D. {"Effect":"Allow","Action":["s3:PutObject"],"Resource":"arn:aws:s3:::my-bucket/*"}
Answer: C

Correct actions and resources.

Why this answer

Option C is correct because it grants both s3:GetObject on the bucket's objects and logs:CreateLogStream and logs:PutLogEvents on the log group. Option B is wrong because it uses s3:ListBucket instead of s3:GetObject. Option D is wrong because it uses s3:PutObject instead of s3:GetObject.

Option A is wrong because it uses ec2:DescribeInstances, which is irrelevant.

339
MCQ · medium

A company's security policy requires that all data in transit between an Application Load Balancer (ALB) and its backend EC2 instances be encrypted. The ALB currently uses HTTPS listeners. What configuration ensures encryption between the ALB and targets?

A. Add a security group rule allowing port 443 from the ALB to the instances.
B. Configure the target group to use HTTPS protocol.
C. Use a Network Load Balancer with a TLS listener.
D. Set the listener protocol to HTTPS with a certificate.
Answer: B

Target group protocol determines encryption between ALB and instances.

Why this answer

Option B is correct because the target group protocol must be HTTPS to encrypt traffic between the ALB and its targets. Option D is wrong because the listener protocol only handles client-to-ALB traffic. Option A is wrong because security group rules do not encrypt traffic.

Option C is wrong because a TLS listener handles client-to-load-balancer traffic, not the backend connection.

340
MCQ · hard

A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?

A. Enable automatic key rotation for the CMK in AWS KMS.
B. Create a new CMK every year and update the S3 bucket policy to use the new key.
C. Use an AWS managed key (aws/s3) which automatically rotates annually.
D. Use SSE-S3 encryption with automatically rotated keys instead of KMS.
Answer: A

When enabled, AWS KMS automatically rotates the backing key of a CMK once per year, satisfying the compliance requirement.

Why this answer

Option A is correct because AWS KMS supports automatic key rotation for customer managed CMKs. When enabled, KMS automatically rotates the backing key annually (approximately every 365 days) with no additional operational overhead. This satisfies the compliance requirement for yearly rotation without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS managed keys (which rotate automatically but not on a customer-defined schedule) with customer managed CMKs, or assume that manual key rotation is required when automatic rotation is available.

How to eliminate wrong answers

Option B is wrong because manually creating a new CMK each year and updating the S3 bucket policy introduces significant operational overhead and violates the 'minimal operational overhead' requirement. Option C is wrong because AWS managed keys (aws/s3) are automatically rotated, but the rotation schedule is managed by AWS and is not guaranteed to be exactly every year; additionally, the question specifies using customer master keys (CMKs), not AWS managed keys. Option D is wrong because SSE-S3 uses server-side encryption with Amazon S3-managed keys, not AWS KMS CMKs, and the rotation schedule is managed by S3, not the customer, so it does not meet the requirement of using KMS CMKs with annual rotation.

341
MCQ · easy

A developer attaches this IAM policy to an IAM user. The user is trying to access an object in example-bucket from an IP address 203.0.113.5. What will happen?

A. Access is denied because the condition is not satisfied.
B. Access is allowed because the condition is not mandatory.
C. Access is denied because the resource ARN is incorrect.
D. Access is allowed because the policy allows the action.
Answer: A

IP address does not match.

Why this answer

The policy allows access only from the 192.0.2.0/24 range. The user's IP 203.0.113.5 is outside that range, so access is implicitly denied.

342
MCQ · medium

A company is using an S3 bucket to store sensitive data. They want to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What is the most secure way to enforce this?

A. Enable default encryption on the bucket with SSE-KMS.
B. Create a bucket policy that denies PutObject without encryption.
C. Create a bucket policy that denies PutObject unless the x-amz-server-side-encryption header is set to aws:kms.
D. Enable S3 Block Public Access on the bucket.
Answer: C

This denies uploads that do not use SSE-KMS.

Why this answer

Option C is correct because an S3 bucket policy that denies PutObject requests unless the x-amz-server-side-encryption header is set to aws:kms ensures that any upload without SSE-KMS is rejected. Option A is wrong because default encryption can be overridden by the uploader. Option D is wrong because enabling S3 Block Public Access does not enforce encryption.

Option B is wrong because a bucket policy alone does not enforce encryption; it needs the condition key on the encryption header.
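The evaluation rules that questions 326, 331, 341 and 342 turn on (an explicit Deny overrides any Allow, Bool versus BoolIfExists on a request that carries no aws:MultiFactorAuthPresent key, an IpAddress condition on aws:SourceIp, and a Deny guarded by StringNotEquals on the encryption header) can be traced in a small simulator. The following is an added Python example, not code from the question bank or from AWS; the policy documents, bucket names and request contexts are constructed to mirror the questions, and the account id and key values are placeholders.

```python
"""Simulator of the IAM policy evaluation logic behind the questions above.
Added example, not from the page or from AWS; constructed policies below."""
import ipaddress
from fnmatch import fnmatchcase

# Negated operators match when the key is absent from the request, which is
# why a Deny guarded by StringNotEquals also fires on requests with no header.
NEGATED = {"StringNotEquals", "NotIpAddress"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, clauses, ctx):
    """Evaluate one operator block, e.g. {"aws:multifactorauthpresent": "false"}.
    ctx maps lower-cased condition keys to the request's values."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    for key, want in clauses.items():
        wants = [str(w) for w in _as_list(want)]
        wants_lc = [w.lower() for w in wants]
        if key not in ctx:
            if base == "Null":                      # Null:true asks that the key be absent
                if "true" not in wants_lc:
                    return False
                continue
            if if_exists or base in NEGATED:        # ...IfExists / negated: absent key matches
                continue
            return False                            # plain operators fail on an absent key
        have = str(ctx[key])
        if base == "Null":
            if "false" not in wants_lc:             # key present: only Null:false holds
                return False
        elif base == "Bool":
            if have.lower() not in wants_lc:
                return False
        elif base == "StringEquals":                # case-sensitive, as in IAM
            if have not in wants:
                return False
        elif base == "StringNotEquals":
            if have in wants:
                return False
        elif base in ("IpAddress", "NotIpAddress"):
            addr = ipaddress.ip_address(have)
            inside = any(addr in ipaddress.ip_network(w, strict=False) for w in wants)
            if inside != (base == "IpAddress"):
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, resource):
    """Action and Resource match with IAM's * and ? wildcards."""
    actions = [str(a) for a in _as_list(stmt.get("Action", []))]
    resources = [str(r) for r in _as_list(stmt.get("Resource", "*"))]
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    policies: every document in scope (identity-based plus resource-based,
    which for same-account access are evaluated together)."""
    ctx = {k.lower(): v for k, v in (context or {}).items()}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            conds = stmt.get("Condition", {})
            if not all(_condition_holds(op, {k.lower(): v for k, v in cl.items()}, ctx)
                       for op, cl in conds.items()):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"               # a matching Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policies mirroring the questions (placeholder names and ids).
ADMIN_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
MFA_DENY = {"Version": "2012-10-17", "Statement": [            # question 326, option B
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
MFA_DENY_IF_EXISTS = {"Version": "2012-10-17", "Statement": [  # question 326, option C
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
IP_ALLOW = {"Version": "2012-10-17", "Statement": [            # question 341
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}
SSE_KMS_DENY = {"Version": "2012-10-17", "Statement": [        # question 342, option C
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

if __name__ == "__main__":
    print(evaluate([ADMIN_ALLOW, MFA_DENY], "s3:GetObject", "arn:aws:s3:::b/k",
                   {"aws:MultiFactorAuthPresent": "false"}))    # ExplicitDeny
    print(evaluate([IP_ALLOW], "s3:GetObject", "arn:aws:s3:::example-bucket/o",
                   {"aws:SourceIp": "203.0.113.5"}))            # ImplicitDeny
```

Running it against the constructed requests shows the three outcomes side by side: the MFA Deny with Bool fires only when the key is present and false, while the BoolIfExists variant also fires when the key is absent; the IP-restricted Allow yields an implicit deny for 203.0.113.5 because nothing matched, not because a Deny fired; and the StringNotEquals Deny rejects both an AES256 upload and an upload with no encryption header at all.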

343
MCQ · medium

An application uses IAM roles to grant EC2 instances access to S3. The developer notices that the application works correctly in one account but fails with access denied in another account. What is the most likely cause?

A. The IAM role is not attached to the EC2 instance
B. The EC2 instance does not have internet access
C. The S3 bucket policy does not grant access to the IAM role
D. The KMS key policy does not allow decryption
Answer: C

Cross-account access requires the S3 bucket policy to explicitly allow the IAM role.

Why this answer

The most likely cause is that the S3 bucket policy in the second account does not explicitly grant the IAM role from the first account (or the second account's own IAM role) the necessary permissions. When an IAM role is used, both the role's trust policy and the resource-based policy (S3 bucket policy) must allow the action; if the bucket policy denies or omits the role's ARN, access will be denied even if the role itself has S3 permissions.

Exam trap

The trap here is that candidates assume IAM role permissions alone are sufficient, forgetting that resource-based policies (like S3 bucket policies) can override or deny access even when the identity-based policy allows it.

How to eliminate wrong answers

Option A is wrong because if the IAM role were not attached to the EC2 instance, the application would fail in both accounts, not just one—the issue is cross-account or cross-policy inconsistency. Option B is wrong because EC2 instances access S3 via AWS API endpoints over the internet or VPC endpoints; lack of internet access would cause a timeout or connectivity error, not an 'access denied' (HTTP 403) response. Option D is wrong because the question does not mention KMS encryption; if S3 objects were encrypted with a KMS key, a KMS key policy issue would produce a different error (e.g., 'AccessDenied' for kms:Decrypt), but the scenario specifically states an S3 access denied, not a KMS-related failure.

344
Multi-Select · hard

A security audit reveals that an S3 bucket is publicly accessible. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. Which TWO actions should be taken to remediate this issue? (Select TWO.)

Select 2 answers
A. Remove the public access grant from the bucket ACL.
B. Create an IAM user policy that denies s3:GetObject for anonymous users.
C. Enable versioning on the bucket.
D. Modify the bucket policy to remove the Allow effect for Principal "*".
E. Enable default encryption on the bucket.
Answers: A, D

ACL might also grant public access.

Why this answer

Option A is correct because the bucket ACL may still grant public access even if the bucket policy is the primary issue. Removing the public access grant from the ACL ensures that no anonymous principals have s3:GetObject permissions via ACLs, which is a separate access control mechanism from bucket policies. This is a direct remediation step to eliminate public read access.

Exam trap

The trap here is that candidates may think only the bucket policy needs fixing, overlooking that ACLs can independently grant public access, so both the policy and ACL must be remediated.

345
MCQ · medium

A company is using AWS Lambda to process sensitive data. The Lambda function needs to access an S3 bucket in the same account. What is the BEST practice for granting permissions?

A. Use an S3 bucket policy that allows access from the Lambda function's ARN.
B. Create an IAM role with a policy granting S3 access and attach it to the Lambda function.
C. Generate a key pair and use it to authenticate the Lambda function to S3.
D. Store the AWS access key ID and secret access key in the Lambda environment variables.
Answer: B

This follows least privilege and best practice.

Why this answer

Option B is correct because attaching an IAM role with a policy that grants S3 access to the Lambda function follows the principle of least privilege and best practice. Option D is wrong because storing secrets in environment variables is insecure. Option C is wrong because Lambda does not use key pairs.

Option A is wrong because S3 bucket policies are not the primary mechanism for Lambda access; IAM roles are preferred.

346
MCQ · medium

A developer is building a serverless application using AWS Lambda and needs to securely store database credentials. Which AWS service should be used to store and retrieve the credentials?

A. AWS CloudFormation
B. AWS Secrets Manager
C. AWS Systems Manager Parameter Store
D. AWS Key Management Service (KMS)
Answer: B

Designed for secret storage with automatic rotation.

Why this answer

Option B is correct because AWS Secrets Manager is designed to securely store and automatically rotate secrets such as database credentials. Option C is wrong because SSM Parameter Store can store parameters but lacks automatic rotation. Option D is wrong because KMS is for encryption keys, not credential storage.

Option A is wrong because CloudFormation is for infrastructure as code.

347
MCQ · hard

A company is designing a multi-account strategy using AWS Organizations. They want to enable cross-account access for developers using IAM roles. Each developer has an IAM user in the 'developers' account. The 'production' account has an IAM role 'AdminRole' that can be assumed by the 'developers' account. Which trust policy should be attached to 'AdminRole'?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole"}]} where 123456789012 is the developers account ID.
B. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/*"},"Action":"sts:AssumeRole"}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/AdminRole"},"Action":"sts:AssumeRole"}]}
Answer: A

The :root ARN in a Principal element denotes the developers account as a whole (not its root user), so any IAM user or role in that account whose own identity policy allows sts:AssumeRole on AdminRole can assume it.

Why this answer

Option A is correct because the trust policy on AdminRole in the production account must name the developers account as a trusted principal. arn:aws:iam::123456789012:root in a Principal element means the account itself, not its root user: it delegates to the developers account the decision of who may assume the role, and that decision is then made by identity policies in the developers account (for example, a group policy that allows sts:AssumeRole on the AdminRole ARN). When an IAM user calls sts:AssumeRole, both sides are evaluated: the trust policy must admit the caller and the caller's own policy must allow the call.

Exam trap

The trap here is that candidates often confuse the trust policy's Principal with the resource being accessed, mistakenly specifying the role's own ARN (Option D) or limiting to specific users (Option C), instead of using the root ARN of the trusted account to allow any authorized entity in that account to assume the role.

How to eliminate wrong answers

Option B is wrong because it specifies a Service principal (ec2.amazonaws.com), which lets an AWS service such as EC2 assume the role; it never matches an IAM user in another account. Option C is wrong because IAM does not accept wildcard characters inside a Principal ARN (only a bare "*" is valid), so arn:aws:iam::123456789012:user/* is rejected when the policy is saved; even if it were accepted it would cover no IAM roles in the developers account. Option D is wrong because its principal is a role named AdminRole in the developers account (123456789012), which the scenario does not have: the developers use IAM users, and AdminRole lives in the production account, so nothing in the developers account would match this trust.
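
The two-sided check described above, as an added example written for this page (not code from the quiz or from AWS): the trust policy of each option from question 347 is evaluated for a developer's IAM user, together with the identity policy the developers account needs. The production account id (999999999999) and the user name alice are assumptions; the developers account id is the one given in the question.

```python
# Added example: cross-account sts:AssumeRole needs the role's trust policy AND the
# caller's identity policy to allow it. Toy evaluator for question 347.
import fnmatch

DEV_ACCOUNT = "123456789012"            # the developers account (from the question)
PROD_ACCOUNT = "999999999999"           # assumption: production account id
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/AdminRole"

# Option A: trust the developers account as a whole (":root" means the account, not the root user)
TRUST_OPTION_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}
TRUST_OPTION_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
TRUST_OPTION_C = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:user/*"},
     "Action": "sts:AssumeRole"}]}
TRUST_OPTION_D = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:role/AdminRole"},
     "Action": "sts:AssumeRole"}]}

# Identity policy attached to the developers group in the developers account.
# With a ":root" trust, this policy is what actually decides who may assume the role.
DEVELOPERS_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(arn):
    return arn.split(":")[4]

def trust_policy_allows(trust_policy, caller_arn):
    """Does the role's trust policy (a resource-based policy) admit this caller?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        # A Service principal never matches an IAM user, so only the AWS entry is examined.
        for principal in _as_list(stmt["Principal"].get("AWS", [])):
            if principal != "*" and any(ch in principal for ch in "*?"):
                # IAM rejects wildcards inside a Principal ARN when the policy is saved.
                raise ValueError(f"invalid Principal ARN in trust policy: {principal}")
            if principal == caller_arn:
                return True
            if principal.endswith(":root") and account_of(principal) == account_of(caller_arn):
                return True
    return False

def identity_policy_allows(policy, role_arn):
    """Does the caller's own identity policy let it call sts:AssumeRole on this role?"""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"])
                and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def can_assume_cross_account(caller_arn, identity_policy, trust_policy, role_arn=ROLE_ARN):
    """Cross-account AssumeRole succeeds only when both sides allow it."""
    return trust_policy_allows(trust_policy, caller_arn) and identity_policy_allows(identity_policy, role_arn)

if __name__ == "__main__":
    alice = f"arn:aws:iam::{DEV_ACCOUNT}:user/alice"      # assumption: a developer's IAM user
    print(can_assume_cross_account(alice, DEVELOPERS_GROUP_POLICY, TRUST_OPTION_A))
```

Running the four options through the same caller shows why only A works: B never matches an IAM user, C is rejected outright, and D names a principal that does not exist in the developers account. Removing the group policy makes even option A fail, which is the point of delegating with :root.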

348
Multi-Selecthard

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application requires that only authenticated users can invoke the API, and the data must be encrypted at rest. Which THREE steps should the developer take?

Select 3 answers
A.Enable CloudWatch Logs for API Gateway to log all requests.
B.Create a customer managed KMS key and use it to encrypt DynamoDB tables.
C.Enable DynamoDB encryption at rest using the AWS-owned CMK.
D.Implement a Lambda authorizer in API Gateway to validate a JWT token.
E.Use IAM authorization on the API Gateway methods.
AnswersA, C, D

Logging helps with security auditing.

Why this answer

Option D is correct because a Lambda authorizer lets API Gateway validate the caller's JWT (signature, issuer, audience and expiry) before the backend is invoked, which satisfies the "only authenticated users" requirement when no Cognito user pool authorizer is among the options. Option C is correct because DynamoDB encrypts every table at rest and the AWS owned key meets the requirement with no extra configuration. Option A is correct because CloudWatch Logs for API Gateway records each request for auditing.

Option E is wrong because IAM authorization authenticates AWS principals (users and roles) with SigV4-signed requests, not end users who sign in to the application. Option B is wrong because a customer managed key is a valid, stricter choice, but it is not required to meet "encrypted at rest"; encryption is on by default.
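
What the Lambda authorizer in option D actually has to check, as an added example written for this page (not code from the quiz or from AWS): RS256 signature against the pool's JWKS matched by kid, then issuer, token_use, client_id and expiry. The RSA arithmetic uses only the standard library with a throwaway key pair generated at import time so the example runs offline; real code fetches https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json and uses a JWT library. The region, pool id, client id and claims are constructed.

```python
# Added example: the checks a Lambda authorizer makes on a Cognito access token.
import base64
import hashlib
import json
import random
import time

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_rsa_keypair(bits=1024):
    """Return (n, e, d). Demo only: uses random (not a CSPRNG) and a small modulus."""
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _probable_prime(q) or q == p:
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi, e = (p - 1) * (q - 1), 65537
        if phi % e:                                   # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE1", "1example23456789abcdef"   # constructed
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
_N, _E, _D = demo_rsa_keypair()
JWKS = {"keys": [{"kid": "demo-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
                  "n": _b64url(_N.to_bytes((_N.bit_length() + 7) // 8, "big")),
                  "e": _b64url(_E.to_bytes(3, "big"))}]}

def issue_access_token(sub, ttl=3600, now=None, kid="demo-key-1", n=_N, d=_D):
    """Mint a token shaped like a Cognito access token, signed by the demo key."""
    now = now or time.time()
    claims = {"sub": sub, "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
              "iat": int(now), "exp": int(now) + ttl}
    signing_input = (_b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    return signing_input + "." + _b64url(rs256_sign(signing_input.encode(), n, d))

def authorize(token, jwks=JWKS, now=None):
    """The decision a Lambda authorizer returns: "Allow" only if every check passes."""
    now = now or time.time()
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(p))
        if header.get("alg") != "RS256":                   # never let the token choose its algorithm
            return "Deny"
        key = next(k for k in jwks["keys"] if k.get("kid") == header.get("kid"))
        n, e = (int.from_bytes(_unb64url(key[f]), "big") for f in ("n", "e"))
        if not rs256_verify(f"{h}.{p}".encode(), _unb64url(s), n, e):
            return "Deny"
        if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
            return "Deny"
        if claims.get("client_id") != CLIENT_ID:           # an ID token carries aud instead
            return "Deny"
        if claims.get("exp", 0) <= now:
            return "Deny"
        return "Allow"
    except (ValueError, KeyError, StopIteration, TypeError, AttributeError):
        return "Deny"
```

The order matters: the algorithm and key are pinned before anything in the payload is trusted, and only after the signature verifies are the issuer, audience-equivalent (client_id for access tokens) and expiry read. A token signed by some other key, or one whose kid is not in the pool's JWKS, is denied before its claims are looked at.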

349
MCQhard

A company uses AWS Lambda to process sensitive data. The Lambda function needs to access an RDS database with a password stored in AWS Secrets Manager. The function currently retrieves the secret using the AWS SDK. What is the best practice to secure this setup?

A.Configure the Lambda function to use IAM database authentication for RDS.
B.Store the password as a Lambda environment variable encrypted with KMS.
C.Use the AWS CLI within the Lambda function to fetch the secret each time.
D.Rotate the secret daily using Secrets Manager and cache it in Lambda.
AnswerA

IAM auth uses short-lived tokens, no password needed.

Why this answer

Option A is correct because IAM database authentication removes the password from the setup entirely. The function's execution role is granted rds-db:connect for the database user, the function calls the SDK's generate_db_auth_token to obtain a signed token that is valid for 15 minutes, and it presents that token as the password over a TLS connection (verify the server certificate, since the token travels in the authentication handshake). Nothing static is stored, retrieved or rotated, which follows least privilege and removes the risk of a long-lived credential being exposed or misused.

Exam trap

The trap here is that candidates assume Secrets Manager is always the best practice for secrets, but the question specifically asks for the best practice to secure the setup, and IAM authentication removes the secret entirely, which is more secure than any secret management approach.

How to eliminate wrong answers

Option B is wrong because storing the password as a Lambda environment variable, even if encrypted with KMS, still introduces a static secret that could be exposed through logs, error messages, or function configuration views. Option C is wrong because using the AWS CLI within a Lambda function is inefficient (adds cold-start latency and dependency on the CLI binary) and still requires the function to handle the secret in memory, whereas the SDK is the recommended method. Option D is wrong because daily rotation and caching in Lambda does not address the fundamental risk of a static password; the secret still exists and could be compromised, whereas IAM authentication removes the password entirely.

350
MCQmedium

A company has a requirement to automatically rotate database credentials every 30 days. Which AWS service can meet this requirement with minimal development effort?

A.AWS KMS
B.AWS IAM
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager has built-in rotation for supported databases.

Why this answer

AWS Secrets Manager is the correct choice because it provides built-in, automated rotation of database credentials without custom code. You can define a rotation schedule (e.g., every 30 days) and Secrets Manager will automatically update the secret and the database password using a Lambda function, meeting the requirement with minimal development effort.

Exam trap

The trap here is that candidates often confuse Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with Secrets Manager, overlooking the critical requirement for automated rotation with minimal effort.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encryption keys, not for storing or rotating database credentials. Option B is wrong because AWS IAM manages users, roles, and permissions, but it does not natively rotate database credentials or store secrets. Option C is wrong because AWS Systems Manager Parameter Store can store secrets but lacks built-in automatic rotation; you would need to build custom automation to rotate credentials every 30 days, which contradicts the 'minimal development effort' requirement.

351
MCQmedium

A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption with value 'aws:kms'
B.s3:x-amz-server-side-encryption-aws-kms-key-id with value 'arn:aws:kms:us-east-1:123456789012:key/1234-5678'
C.s3:x-amz-acl with value 'bucket-owner-full-control'
D.aws:SourceArn with value the bucket ARN
AnswerB

This condition checks the KMS key ARN used in the request. Only requests that specify exactly this key will be allowed, enforcing the security requirement.

Why this answer

Option B is correct because the condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` exposes the KMS key named in the PutObject request, so a Deny with StringNotEquals against the key's full ARN rejects uploads that name any other key. Because the condition is evaluated on the request headers, an upload that omits the encryption header is denied as well, even if bucket default encryption would have applied the right key; clients must therefore send the header, and many teams pair this statement with a Null condition on `s3:x-amz-server-side-encryption` to make the no-header case explicit.

Exam trap

The trap here is that candidates often confuse `s3:x-amz-server-side-encryption` (which only checks if SSE-KMS is enabled) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which checks the specific key ID), leading them to pick Option A, which does not enforce the required customer-managed key.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` with value `aws:kms` only enforces that SSE-KMS is used, but does not restrict which KMS key is used; any KMS key (including default AWS-managed keys) would satisfy the condition. Option C is wrong because `s3:x-amz-acl` with value `bucket-owner-full-control` controls access permissions via ACLs, not encryption requirements, and is irrelevant to enforcing encryption key usage. Option D is wrong because `aws:SourceArn` is used to restrict requests based on the source ARN (e.g., to prevent cross-service confused deputy attacks), not to enforce encryption key selection.

352
Multi-Selecteasy

Which TWO of the following are best practices for securing AWS account root user?

Select 2 answers
A.Delete the root user access keys.
B.Use the root user for daily administrative tasks.
C.Set a password policy that locks the root user after 10 failed attempts.
D.Share the root user password with senior developers for emergencies.
E.Enable multi-factor authentication (MFA) for the root user.
AnswersA, E

Access keys are rarely needed for root.

Why this answer

Options A and E are correct. Option E: MFA on the root user means a leaked password alone cannot take over the account. Option A: root access keys give unrestricted programmatic access and are almost never needed, so delete them and use IAM roles for automation.

Option B is wrong because the root user should be reserved for the few tasks that require it, not daily administration. Option C is wrong because the IAM account password policy does not apply to the root user and there is no root lockout setting to configure. Option D is wrong because sharing the root password destroys accountability and widens the blast radius; emergency access should go through break-glass IAM roles instead.

353
MCQhard

A company has a multi-account architecture using AWS Organizations. The security team wants to centrally manage IAM policies that apply to all accounts. Which AWS feature should the developer use?

A.Service control policies (SCPs) in AWS Organizations.
B.IAM cross-account roles.
C.AWS Config conformance packs.
D.IAM policies attached to the root user.
AnswerA

SCPs allow you to set permission guardrails across all accounts in the organization.

Why this answer

SCPs are attached at the organization root, an OU or an account and set the maximum permissions available to every IAM user and role in the member accounts beneath them; they grant nothing on their own and do not apply to the management account. Option B is wrong because cross-account roles delegate access between accounts; they do not centrally constrain what each account is allowed to do.

Option D is wrong because IAM policies cannot be attached to the root user, and an IAM policy is in any case scoped to a single account. Option C is wrong because AWS Config conformance packs evaluate and report on compliance after resources exist; they detect drift rather than enforce permissions.

354
MCQhard

A developer is troubleshooting an IAM policy that is supposed to allow a Lambda function to read objects from an S3 bucket. The Lambda function role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket/*","arn:aws:s3:::example-bucket"]}]}. Despite this, the Lambda function receives an AccessDenied error when trying to read objects. What is the most likely cause?

A.The S3 bucket has a bucket policy that explicitly denies the Lambda function's access.
B.The IAM policy does not include the s3:GetObjectVersion action.
C.The Lambda function is in a different AWS account than the S3 bucket.
D.The IAM policy uses an incorrect resource ARN format.
AnswerA

Bucket policy deny overrides IAM allow.

Why this answer

The IAM policy attached to the Lambda function role correctly grants s3:GetObject and s3:ListBucket permissions on the bucket and its objects. However, if the S3 bucket itself has a bucket policy that explicitly denies access to the Lambda function's role, that explicit deny overrides any allow from IAM policies, resulting in an AccessDenied error. This is because AWS evaluates all policies (identity-based and resource-based) and an explicit deny always takes precedence.

Exam trap

The trap here is that candidates often assume the IAM policy alone is sufficient and overlook the possibility of a bucket policy that explicitly denies access, which overrides any IAM allow.

How to eliminate wrong answers

Option B is wrong because the s3:GetObjectVersion action is only needed when accessing a specific version of an object using version ID; the error occurs on a standard read, which only requires s3:GetObject. Option C is wrong because cross-account access would still work if the bucket policy grants access to the Lambda function's role; the error is not inherently caused by being in a different account. Option D is wrong because the resource ARN format is correct: 'arn:aws:s3:::example-bucket/*' for objects and 'arn:aws:s3:::example-bucket' for the bucket itself, which is the standard format for S3 ARNs.

355
Multi-Selecteasy

Which TWO actions are required to enable server-side encryption for an Amazon RDS instance? (Choose 2)

Select 2 answers
A.Enable encryption on the database after creation
B.Use client-side encryption in the application
C.Configure the DB instance to use a VPC
D.Use AWS KMS to manage the encryption key
E.Specify encryption at rest when creating the DB instance
AnswersD, E

RDS encrypts with AWS KMS keys, and the choice is made at instance creation.

Why this answer

Encryption at rest for an RDS instance is selected when the instance is created (E) and uses an AWS KMS key, either the AWS managed aws/rds key or a customer managed key (D). Option A is wrong because an existing unencrypted instance cannot be switched to encrypted in place; you take a snapshot, copy the snapshot with encryption enabled and restore from the copy. Option B is wrong because client-side encryption happens in the application and is not RDS server-side encryption.

Option C is wrong because placing the instance in a VPC is a networking decision and has no effect on encryption at rest.

356
MCQmedium

A developer has an IAM policy that allows 's3:GetObject' for a specific S3 bucket. However, when the developer tries to download an object using the AWS CLI, access is denied. What could be the issue?

A.The bucket policy explicitly denies access to the user.
B.The bucket is in a different region than the CLI configuration.
C.The bucket ACL does not grant the user access.
D.The object is encrypted with SSE-KMS and the user lacks kms:Decrypt permission.
AnswerD

With SSE-KMS, the user needs both S3 and KMS permissions to download.

Why this answer

Option D is correct because when an S3 object is encrypted with SSE-KMS, the `s3:GetObject` permission alone is insufficient. The AWS CLI must also have `kms:Decrypt` permission on the KMS key used to encrypt the object. Without this, the S3 service cannot decrypt the object before returning it, resulting in an access denied error even though the S3 policy allows the GetObject action.

Exam trap

The trap here is that candidates assume S3 access control is solely based on S3-specific permissions (like s3:GetObject) and overlook the fact that KMS permissions are required when SSE-KMS is used, leading them to incorrectly choose a bucket policy or ACL issue.

How to eliminate wrong answers

Option A is wrong because the scenario gives no bucket policy; an explicit deny would also produce AccessDenied, but with SSE-KMS in play the missing kms:Decrypt is the specific explanation. Option B is wrong because a region mismatch produces a redirect or a signing error (for example PermanentRedirect or AuthorizationHeaderMalformed), not AccessDenied, and the CLI retries against the bucket's region. Option C is wrong because for a same-account IAM user an identity-policy allow is sufficient without an ACL grant, and buckets created since April 2023 have ACLs disabled (bucket owner enforced) by default.

357
MCQmedium

A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?

A.S3 Transfer Acceleration
B.S3 Block Public Access
C.S3 Inventory
D.S3 Object Lambda
AnswerB

Correct for the stated requirement.

Why this answer

S3 Block Public Access is an account-level control that provides a centralized way to enforce that no S3 buckets or objects in the account can be made publicly accessible, regardless of individual bucket policies or ACLs. This setting overrides any bucket-level public access settings, effectively preventing accidental exposure of data to the internet.

Exam trap

The trap here is that candidates may confuse bucket-level controls (like bucket policies or ACLs) with account-level controls, or mistakenly think features like Transfer Acceleration or Inventory provide security, when only S3 Block Public Access offers a centralized, account-wide safeguard against public exposure.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations, not a security control for preventing public access. Option C is wrong because S3 Inventory is used to generate reports on object metadata and replication status for auditing and compliance, not to block public access. Option D is wrong because S3 Object Lambda allows you to add custom code to process data during S3 GET, HEAD, and LIST requests, but it does not provide any access control or public access blocking functionality.

358
MCQmedium

A company uses AWS IAM roles to grant permissions to EC2 instances. An application running on an instance fails to access an S3 bucket. The IAM role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. What is the likely cause?

A.The instance does not have an instance profile.
B.The policy does not include s3:ListBucket permission.
C.The trust policy of the role does not allow EC2 to assume it.
D.The IAM role is not attached to the EC2 instance.
AnswerB

ListBucket is needed for many S3 operations like listing objects.

Why this answer

The IAM policy allows only `s3:GetObject` on objects within `my-bucket`, but the application likely needs to list the bucket's contents first (e.g., via `s3:ListBucket`) to know which objects to retrieve. Without `s3:ListBucket` permission on the bucket resource (`arn:aws:s3:::my-bucket`), any attempt to list objects (such as through the AWS CLI `aws s3 ls` or SDK operations like `listObjects`) will fail with an AccessDenied error, even though `GetObject` is allowed. This is a common oversight when granting S3 access, as listing is a separate action required for many operations.

Exam trap

The trap here is that candidates assume `s3:GetObject` on `/*` is sufficient for all read operations, forgetting that listing objects requires a separate bucket-level permission (`s3:ListBucket`) on the bucket itself, not the objects.

How to eliminate wrong answers

Option A is wrong because when you attach a role through the console an instance profile of the same name is created for you (the CLI requires creating it explicitly), and an instance with no instance profile has no credentials at all, which surfaces as a credential error rather than an S3 AccessDenied. Option C is wrong because a role created for the EC2 use case trusts ec2.amazonaws.com by default; if the trust were wrong the instance would never receive credentials, so a permission failure on a specific S3 call points elsewhere. Option D is wrong because the question states the role is used by the instance; with no role attached there would be no credentials, again a different error than an S3 access failure.

359
MCQhard

A company uses AWS Secrets Manager to rotate database credentials for an RDS MySQL instance. The rotation Lambda function fails with the error: 'Secret is scheduled for deletion.' What is the MOST likely cause?

A.The secret has been marked for deletion and is in the waiting period.
B.The secret's rotation schedule has been disabled.
C.The Lambda function does not have permission to access the secret.
D.The RDS instance is not in the same VPC as the Lambda function.
AnswerA

Secrets marked for deletion cannot be rotated.

Why this answer

The error 'Secret is scheduled for deletion' means DeleteSecret has been called and the secret is in its recovery window (7 to 30 days, 30 by default). In that state Secrets Manager rejects GetSecretValue, PutSecretValue and rotation; DescribeSecret still works and reports a DeletedDate, and RestoreSecret cancels the deletion. The rotation function therefore fails because it cannot read or update a secret pending deletion; the fix is to restore the secret, or to let the deletion complete and remove the rotation configuration.

Exam trap

The trap here is that candidates may confuse the 'scheduled for deletion' error with a permissions or network issue, but the error message directly points to the secret's lifecycle state, which is a distinct concept in AWS Secrets Manager.

How to eliminate wrong answers

Option B is wrong because disabling the rotation schedule would prevent the Lambda function from being triggered, but it would not cause a 'Secret is scheduled for deletion' error; the secret would still be accessible. Option C is wrong because a permissions issue would result in an 'AccessDeniedException' or similar authorization error, not a deletion-specific error message. Option D is wrong because VPC mismatch would cause a network timeout or connectivity error, not a deletion-related error; the Lambda function would still be able to call the Secrets Manager API if network access is configured.
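
The rotation function that questions 350 and 359 both rely on, as an added example written for this page (not code from the quiz or from AWS): the four steps Secrets Manager invokes (createSecret, setSecret, testSecret, finishSecret) driven against an in-memory stand-in for the secretsmanager client and for the database, including the refusal to rotate a secret that is inside its deletion recovery window. The stand-ins model only the calls the handler needs; the secret ARN, version ids and passwords are constructed.

```python
# Added example: a minimal Secrets Manager rotation handler with in-memory stand-ins.
import secrets
import string

class SecretScheduledForDeletion(Exception):
    """Rotation must stop: the secret is inside its deletion recovery window."""

class FakeSecretsManager:
    """Subset of boto3's secretsmanager client, enough to drive the handler."""
    def __init__(self, current_value):
        self.versions = {"v-initial": {"value": current_value, "stages": {"AWSCURRENT"}}}
        self.deleted_date = None                  # set by delete_secret(), cleared by RestoreSecret

    def begin_rotation(self, token):              # the service reserves the new version id as AWSPENDING
        self.versions[token] = {"value": None, "stages": {"AWSPENDING"}}

    def delete_secret(self, recovery_days=30):
        self.deleted_date = f"recovery window of {recovery_days} days running"

    def describe_secret(self, SecretId):
        meta = {"RotationEnabled": True,
                "VersionIdsToStages": {v: sorted(m["stages"]) for v, m in self.versions.items()}}
        if self.deleted_date:
            meta["DeletedDate"] = self.deleted_date
        return meta

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        for vid, m in self.versions.items():
            if VersionStage in m["stages"] and m["value"] is not None:
                return {"VersionId": vid, "SecretString": m["value"]}
        raise LookupError(f"no value with stage {VersionStage}")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)

class FakeDatabase:
    def __init__(self, password):
        self.password = password
    def set_password(self, new):                  # stands in for ALTER USER ... IDENTIFIED BY
        self.password = new
    def login_ok(self, password):
        return secrets.compare_digest(password, self.password)

def new_password(length=32):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotation_handler(event, client, db):
    """Entry point shape: event carries SecretId, ClientRequestToken and Step."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = client.describe_secret(SecretId=arn)
    if "DeletedDate" in meta:                     # question 359: the service will not rotate this secret
        raise SecretScheduledForDeletion(arn)
    if not meta["RotationEnabled"]:
        raise ValueError("rotation is not enabled for this secret")
    stages = meta["VersionIdsToStages"]
    if token not in stages or "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not staged as AWSPENDING")
    if step == "createSecret":
        try:
            client.get_secret_value(SecretId=arn, VersionStage="AWSPENDING")   # idempotent on retry
        except LookupError:
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=new_password(), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        db.set_password(client.get_secret_value(SecretId=arn, VersionStage="AWSPENDING")["SecretString"])
    elif step == "testSecret":
        if not db.login_ok(client.get_secret_value(SecretId=arn, VersionStage="AWSPENDING")["SecretString"]):
            raise RuntimeError("new credential does not work; AWSCURRENT is left untouched")
    elif step == "finishSecret":
        current = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        if current != token:                      # promote AWSPENDING to AWSCURRENT in one call
            client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                               MoveToVersionId=token, RemoveFromVersionId=current)
    else:
        raise ValueError(f"unknown step {step}")

def rotate(client, db, token,
           secret_id="arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"):
    """Drive the four steps the way Secrets Manager does on its schedule (e.g. every 30 days)."""
    client.begin_rotation(token)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, client, db)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]
```

The staging labels are what make rotation safe: applications keep reading AWSCURRENT until finishSecret moves the label, so a failure in setSecret or testSecret leaves the working credential in place. The "scheduled for deletion" check sits before any step because DescribeSecret is one of the few calls that still succeeds on such a secret.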

360
MCQhard

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket named 'my-bucket'. The IAM role 'AppRole' is used by an application running on EC2 instances with an IP address of 192.0.2.10. The application tries to upload an object to 'my-bucket/confidential/report.pdf'. Will the upload succeed?

A.Yes, but only if the application also has an IAM policy that allows s3:PutObject.
B.No, because the Deny statement denies all s3 actions on the 'confidential/' prefix.
C.No, because the Allow statement only allows GetObject and PutObject on the entire bucket, but the Deny overrides.
D.Yes, because the Deny statement uses a condition that does not match the application's IP.
AnswerD

The Deny applies only when the source IP is NOT in 192.0.2.0/24; 192.0.2.10 is inside that range, so the Deny does not apply and the Allow stands.

Why this answer

Option D is correct because the Deny statement covers all s3 actions on the 'confidential/' prefix but is conditioned on NotIpAddress for 192.0.2.0/24. The application's address, 192.0.2.10, is inside that range, so the condition is false and the Deny does not apply. The Allow statement grants s3:PutObject on the bucket's objects, so the upload succeeds. Note that aws:SourceIp is the address S3 sees: a request leaving through a NAT gateway carries the NAT's public address, and requests arriving through a VPC endpoint should be matched with aws:VpcSourceIp instead.

Option A is wrong because a bucket-policy Allow that applies to AppRole is sufficient on its own for same-account access; an identity policy is not an additional requirement. Option B is wrong because the Deny is conditional, not unconditional. Option C is wrong because the Deny's condition is not met, so there is nothing to override the Allow.
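
A toy evaluator for the policy semantics behind questions 351, 354, 356, 358 and 360, as an added example written for this page (not code from the quiz or from AWS): an explicit Deny beats every Allow, a negated operator such as StringNotEquals or NotIpAddress matches when its key is absent from the request, and reading an SSE-KMS object needs a KMS decision on top of the S3 one. The account id, bucket, key ARN and role names are constructed, and the question-360 bucket policy is reconstructed from its explanation because the exhibit is not on the page.

```python
# Added example: same-account policy evaluation for the S3/KMS scenarios above.
import fnmatch
import ipaddress

ACCOUNT = "123456789012"
BUCKET = "arn:aws:s3:::my-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234-5678"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppRole"

def _l(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(cond, ctx):
    """True when every operator/key pair in a Condition block holds for this request context."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have, want = ctx.get(key), _l(want)
            if op == "Null":                                 # "true": the key must be absent
                if (have is None) != (want[0] == "true"):
                    return False
            elif have is None:                               # missing key: only negated operators match
                if not op.startswith(("StringNot", "NotIp")):
                    return False
            elif op == "StringEquals":
                if have not in want:
                    return False
            elif op == "StringNotEquals":
                if have in want:
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(have) in ipaddress.ip_network(c) for c in want)
                if inside != (op == "IpAddress"):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def _applies(stmt, caller, action, resource, ctx):
    principal = stmt.get("Principal", "*")                   # identity policies carry no Principal
    principals = ["*"] if principal == "*" else _l(principal.get("AWS", []))
    if "*" not in principals and caller not in principals:
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _l(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _l(stmt["Resource"])):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate(policies, caller, action, resource, ctx=None):
    """Decision across identity and bucket policies: ExplicitDeny, Allow or ImplicitDeny."""
    ctx, allowed = ctx or {}, False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, caller, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":                     # an explicit deny ends evaluation
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def can_read_sse_kms_object(policies, caller, object_arn, key_arn=KEY_ARN):
    """Question 356: s3:GetObject and kms:Decrypt must both be allowed for an SSE-KMS object."""
    return (evaluate(policies, caller, "s3:GetObject", object_arn) == "Allow"
            and evaluate(policies, caller, "kms:Decrypt", key_arn) == "Allow")

# Question 351: deny PutObject unless the request names the required key. StringNotEquals
# already matches when the header is absent, so an upload relying on bucket default
# encryption (no header) is denied too; the Null statement makes that case explicit.
REQUIRE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE}, "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Questions 354 and 356: the role's identity policy allows the read, but a bucket-policy
# Deny (354) or a missing kms:Decrypt (356) still ends in AccessDenied.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [f"{BUCKET}/*", BUCKET]}]}
BUCKET_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": APP_ROLE}, "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]}]}

# Question 360 (reconstructed): Allow reads and writes; Deny anything under confidential/
# unless the request comes from 192.0.2.0/24.
EXHIBIT_360_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE}, "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": f"{BUCKET}/confidential/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}
```

The evaluator deliberately models only same-account requests, StringEquals/StringNotEquals, Null and the IP operators; anything else raises so a silent wrong answer cannot slip through. Run the question-358 case by evaluating s3:ListBucket against the bucket ARN with a policy that grants s3:GetObject on objects only, and the result is ImplicitDeny, which is the listing failure that question describes.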

361
MCQmedium

A company wants to use AWS KMS to encrypt data in an S3 bucket. They need to rotate the CMK annually. Which key type should they use to enable automatic rotation?

A.AWS managed key (aws/s3)
B.Customer managed key (CMK)
C.Custom key store
D.AWS owned key
AnswerA

Automatic rotation annually.

Why this answer

AWS managed keys (aws/s3) support automatic annual rotation automatically without any configuration. When you use an AWS managed key for S3, AWS KMS rotates the key material once every year, which satisfies the requirement for annual rotation without manual intervention.

Exam trap

The trap here is that candidates often assume customer managed keys (CMKs) are the only way to get automatic rotation, but AWS managed keys (aws/s3) already provide automatic annual rotation without any setup, making them the correct choice for this specific requirement.

How to eliminate wrong answers

Option B is wrong because a customer managed key does not rotate unless you enable automatic rotation on it, and although the period is configurable (365 days by default), the question asks for rotation without that setup. Option C is wrong because keys in a custom key store (backed by CloudHSM) do not support automatic rotation; you rotate them manually by creating a new key and repointing the alias. Option D is wrong because AWS owned keys belong to the service, are not visible in your account and give you no control over or evidence of their rotation schedule.

362
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted using SSE-KMS with a specific KMS key from the central security account. They also want to prevent any unencrypted bucket creation. A developer in the development account creates a new S3 bucket and enables default encryption using SSE-S3. The bucket creation succeeds, but the security team wants to prevent this. The developer argues that the bucket still encrypts data at rest. Compliance requires SSE-KMS only. What should the security team do to enforce this policy across all accounts?

A.Create an IAM policy in the central security account that denies s3:PutBucketEncryption if the encryption is not SSE-KMS.
B.Use AWS Config to detect non-compliant buckets and automatically apply default encryption with SSE-KMS.
C.Enable CloudTrail to log all S3 API calls and manually review for non-compliant buckets.
D.Create a service control policy (SCP) that denies s3:PutObject and s3:PutBucketEncryption unless the encryption is SSE-KMS with the specific KMS key.
AnswerD

SCPs can enforce conditions across all accounts in the organization.

Why this answer

Option D is correct because a service control policy attached at the organization root or an OU is evaluated for every principal in the member accounts beneath it, so a Deny on s3:PutObject and s3:PutBucketEncryption conditioned on the `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` condition keys rejects the API call itself, before any object or bucket configuration lands, regardless of what permissions a developer holds in their own account.

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-scoped) with SCPs (which are organization-wide), and assume that AWS Config remediation or CloudTrail can proactively enforce encryption, when in fact only an SCP can deny the API call at the point of creation across all accounts. Remember that SCPs do not apply to the management account, so the security account's own principals are only constrained if that account sits in the organization as a member account under the policy.

How to eliminate wrong answers

Option A is wrong because an IAM policy in the central security account only applies to principals in that account, not to developers in other accounts, and cannot prevent bucket creation across the organization. Option B is wrong because AWS Config can detect non-compliant buckets and trigger remediation (e.g., via Lambda), but it is reactive—it does not prevent the initial creation of an unencrypted bucket, which the security team explicitly wants to block. Option C is wrong because CloudTrail logging only provides auditing after the fact, not proactive enforcement; manual review is impractical and does not prevent non-compliant bucket creation.

363
MCQmedium

A developer is building a serverless application that processes personally identifiable information (PII). The application uses API Gateway, Lambda, and DynamoDB. The developer needs to ensure that the PII is encrypted at rest in DynamoDB. The company already uses AWS KMS with a customer-managed key for other services. The developer wants to reuse the same KMS key for DynamoDB. After enabling encryption with the KMS key, the Lambda function fails to write to the table with an AccessDenied error. The Lambda execution role has dynamodb:PutItem permission. What is the most likely cause?

A.The Lambda execution role lacks kms:Encrypt and kms:Decrypt permissions on the customer-managed KMS key.
B.The Lambda execution role does not have DynamoDB write permissions.
C.The DynamoDB table has a resource-based policy that denies access.
D.The Lambda function is not in a VPC, so it cannot access the KMS key.
AnswerA

Required for encrypted DynamoDB table.

Why this answer

When a DynamoDB table is encrypted with a customer managed KMS key, any operation that reads or writes data to the table requires the caller to be allowed to use that key: DynamoDB calls AWS KMS with the caller's permissions (the requests carry kms:ViaService set to dynamodb.<region>.amazonaws.com), so the caller, not just the service, needs permission on the key. Even though the Lambda execution role has dynamodb:PutItem permission, the PutItem request fails with AccessDenied when the role lacks the KMS permissions on that specific key.

Exam trap

The trap here is that candidates assume DynamoDB's built-in encryption with a KMS key is transparent and does not require additional IAM permissions beyond the DynamoDB actions, but in reality, the caller must have explicit KMS permissions on the key for any read or write operation.

How to eliminate wrong answers

Option B is wrong because the question explicitly states that the Lambda execution role has dynamodb:PutItem permission, so the failure is not due to missing DynamoDB write permissions. Option C is wrong because there is no mention of a resource-based policy on the DynamoDB table, and the error is specifically related to KMS permissions, not a table policy denying access. Option D is wrong because Lambda functions do not need to be in a VPC to access KMS; KMS is a regional service accessible over the public AWS network, and VPC configuration is irrelevant to KMS key access permissions.

364
MCQeasy

A developer is designing a web application that will run on EC2 instances behind an Application Load Balancer. The application needs to authenticate users. Which service should the developer use to manage user identities and provide single sign-on?

A.AWS IAM
B.Amazon Cognito
C.AWS Directory Service
D.AWS Security Token Service (STS)
AnswerB

User pools for app authentication.

Why this answer

Amazon Cognito is the correct choice because it is a fully managed identity service designed for web and mobile applications. It provides user sign-up, sign-in, and access control, and supports single sign-on (SSO) through federation with social identity providers (e.g., Google, Facebook) and enterprise identity providers via SAML 2.0 or OIDC. This makes it ideal for authenticating users in an application running behind an Application Load Balancer; the load balancer can even perform the sign-in itself with its authenticate-cognito listener action, so the instances only receive requests that already carry the validated identity headers.

Exam trap

The trap here is confusing AWS IAM (for AWS resource access) with a customer-facing identity service, leading candidates to choose IAM for user authentication instead of Cognito.

How to eliminate wrong answers

Option A is wrong because AWS IAM is designed for managing permissions for AWS services and resources, not for authenticating end users of a web application; it lacks built-in user registration, sign-in UI, and SSO federation for external identities. Option C is wrong because AWS Directory Service is primarily for integrating with Microsoft Active Directory or creating managed directories for enterprise workloads, not for providing a simple, scalable user identity store with social login or SSO for web applications. Option D is wrong because AWS Security Token Service (STS) is used to issue temporary security credentials for AWS API requests, not for managing user identities or providing authentication and SSO for application users.

365
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be rotated automatically every 12 months. Which type of KMS key should be used?

A.Custom key store (CloudHSM)
B.AWS owned key
C.AWS managed key
D.Customer managed key
AnswerC

AWS managed keys are automatically rotated every year (12 months), meeting the requirement.

Why this answer

AWS managed keys are rotated automatically every year with no configuration. Customer managed keys can also rotate automatically, but rotation must be enabled on the key and the period (365 days by default) chosen. Keys in custom key stores cannot be rotated automatically.

AWS managed keys are the simplest way to meet the requirement.

366
MCQmedium

A developer set up a Lambda function that reads from an SQS queue and processes messages. The function sometimes times out. How can the developer improve security while minimizing execution time?

A.Use encryption at rest for the SQS queue
B.Enable a dead-letter queue (DLQ) for the SQS queue
C.Increase the Lambda function timeout to 15 minutes
D.Reduce the SQS visibility timeout to match the Lambda function's timeout
AnswerD

A shorter visibility timeout reduces the chance of duplicate processing and improves security.

Why this answer

Option D is correct because reducing the visibility timeout prevents other consumers from processing the same message before the function completes. Option C is wrong because increasing the timeout would not improve security. Option B is wrong because using a DLQ does not affect execution time.

Option A is wrong because encryption does not improve execution time.

367
MCQmedium

A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?

A.User Pools
B.Identity Pools
C.Cognito Sync
D.Cognito Events
AnswerA

User Pools handle user authentication and produce tokens that can be verified to grant API access.

Why this answer

Amazon Cognito User Pools provide a fully managed identity and access management service specifically designed for user authentication and authorization in web and mobile applications. They handle user sign-up, sign-in, and identity verification through features like multi-factor authentication (MFA) and JSON Web Token (JWT) issuance, making them the correct choice for verifying user identity before granting API access.

Exam trap

The trap here is confusing Identity Pools (which grant AWS credentials) with User Pools (which authenticate users), leading candidates to select Identity Pools when the question explicitly asks about verifying user identity, not granting AWS resource access.

How to eliminate wrong answers

Option B (Identity Pools) is wrong because Identity Pools are used to exchange user tokens (from a User Pool or other identity provider) for temporary AWS credentials to access AWS services like DynamoDB or S3, not for authenticating users directly. Option C (Cognito Sync) is wrong because Cognito Sync is a deprecated service for synchronizing user profile data across devices, not for identity verification. Option D (Cognito Events) is wrong because Cognito Events are AWS Lambda triggers that run during User Pool operations (e.g., pre-sign-up), but they do not perform user authentication themselves.

368
MCQeasy

A developer wants to securely store database credentials used by a Lambda function. The credentials should be automatically rotated every 90 days. Which service should be used?

A.AWS Secrets Manager
B.AWS Key Management Service (KMS)
C.AWS Identity and Access Management (IAM)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager is designed for storing secrets with automatic rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials and other secrets. It supports native rotation with built-in integration for Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB) and Amazon DocumentDB, allowing you to configure automatic rotation every 90 days without custom code. The service encrypts secrets at rest using AWS KMS and enforces fine-grained access control via IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is explicitly required by the 90-day rotation requirement in the question.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not a secret storage service; it cannot store or rotate database credentials. Option C (IAM) is wrong because it manages users, groups, roles, and permissions for AWS API access, not database credentials; it has no mechanism to store or rotate secrets. Option D (AWS Systems Manager Parameter Store) is wrong because while it can store secrets as SecureString parameters, it does not natively support automatic rotation of credentials; you would need to build a custom rotation solution using Lambda, whereas Secrets Manager provides built-in rotation.

369
MCQeasy

A developer wants to securely transmit secrets to an EC2 instance at launch. Which approach is recommended?

A.Store secrets in environment variables within an AMI
B.Hardcode secrets in the application code
C.Pass secrets in user data as plain text
D.Use EC2 Instance Metadata Service (IMDSv2) to retrieve secrets from AWS Secrets Manager
AnswerD

IMDSv2 provides a secure way to access secrets via IAM roles.

Why this answer

Option D is correct because the recommended approach to securely transmit secrets to an EC2 instance at launch is to use an IAM role attached to the instance: the instance obtains temporary role credentials from the EC2 Instance Metadata Service (IMDSv2) and uses them to retrieve secrets from AWS Secrets Manager. IMDSv2 requires a session-oriented PUT request to obtain a token, mitigating the risk of SSRF attacks, and secrets are never stored on disk or transmitted in plaintext during launch.

Exam trap

The trap here is that candidates may think user data is secure because it is only accessible at launch, but they overlook that user data is stored in plaintext and can be read via the metadata service or CloudTrail, whereas IMDSv2 with Secrets Manager provides encryption and access control.

How to eliminate wrong answers

Option A is wrong because storing secrets in environment variables within an AMI embeds them in the snapshot, making them accessible to anyone who can launch or inspect the AMI, violating security best practices. Option B is wrong because hardcoding secrets in application code exposes them in version control, build artifacts, and logs, and violates the principle of never storing secrets in code. Option C is wrong because passing secrets in user data as plain text leaves them visible in the EC2 console, CloudTrail logs, and to any process that can read the instance metadata (if IMDSv1 is enabled), and user data is not encrypted at rest.

370
MCQhard

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

A.Enable CloudTrail data events for the S3 bucket containing the encrypted objects.
B.Create an additional CloudTrail trail that logs all management events for the KMS key.
C.Enable CloudTrail data events for the specific KMS key ARN.
D.Enable CloudTrail Insights events on the existing trail.
AnswerC

CloudTrail data events for KMS record every call to Decrypt, Encrypt, GenerateDataKey, etc. By specifying the key ARN in the data event selector, only operations on that key are logged, meeting the audit requirement without excessive logging.

Why this answer

Option C is correct because CloudTrail data events can be configured to log individual API operations (such as Decrypt and Encrypt) on specific KMS keys. By default, CloudTrail management events do not include these data-plane operations; enabling data events for the specific KMS key ARN ensures every cryptographic call is recorded for auditing.

Exam trap

The trap here is that candidates confuse S3 server-side encryption with KMS data events, assuming that logging S3 bucket data events will capture KMS calls, when in fact KMS data-plane operations require explicit data event logging on the KMS key itself.

How to eliminate wrong answers

Option A is wrong because enabling CloudTrail data events for the S3 bucket captures S3 object-level operations (e.g., GetObject, PutObject), not the KMS Decrypt and Encrypt API calls themselves. Option B is wrong because management events already include KMS key management actions (e.g., CreateKey, DisableKey) but not data-plane cryptographic operations; creating another trail with management events does not capture Decrypt/Encrypt. Option D is wrong because CloudTrail Insights events detect unusual API activity patterns but do not log individual Decrypt/Encrypt calls; they are an analysis feature, not a logging configuration for specific API operations.

371
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team discovers that the application is vulnerable to SQL injection attacks. The team wants to implement a web application firewall (WAF) to block these attacks. The architecture includes an ALB, EC2 instances in an Auto Scaling group, and an RDS database. The ALB currently has a listener on port 443 with an SSL certificate. The developer must integrate AWS WAF with minimal changes to the existing infrastructure. Which action should the developer take?

A.Subscribe to AWS Shield Advanced and enable automatic mitigation.
B.Install a WAF agent on each EC2 instance in the Auto Scaling group.
C.Place a CloudFront distribution in front of the ALB and associate WAF with CloudFront.
D.Associate AWS WAF directly with the Application Load Balancer.
AnswerD

WAF integrates natively with ALB.

Why this answer

Option D is correct because AWS WAF can be associated directly with an ALB, which is the simplest integration. Option C is wrong because CloudFront adds complexity and cost, and is not necessary. Option B is wrong because WAF does not run on EC2; it's a managed service.

Option A is wrong because Shield Advanced does not provide WAF rules for SQL injection.

372
MCQhard

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with KMS (SSE-KMS). They want to ensure that only certain IAM roles can decrypt objects. What must be configured?

A.IAM role policy to allow kms:Decrypt
B.S3 bucket policy to allow decrypt
C.KMS key policy to allow the IAM roles to decrypt
D.KMS key policy to allow s3.amazonaws.com to decrypt
AnswerC

KMS key policy must grant kms:Decrypt to the specific IAM roles.

Why this answer

Option C is correct because SSE-KMS uses a customer master key (CMK) to encrypt and decrypt S3 objects. The KMS key policy is the primary access control mechanism for a CMK; it must explicitly grant the IAM roles the kms:Decrypt permission. Without this policy statement, even if the IAM roles have a policy allowing kms:Decrypt, they will be denied access because KMS key policies can override IAM permissions when the key policy does not grant access to the account's IAM principals.

Exam trap

The trap here is that candidates assume an IAM role policy granting kms:Decrypt is sufficient, forgetting that KMS key policies act as an independent access control layer that can explicitly deny or allow access, and without the key policy granting the role, the IAM policy is ineffective.

How to eliminate wrong answers

Option A is wrong because an IAM role policy allowing kms:Decrypt is necessary but not sufficient; the KMS key policy must also grant the role permission to use the key, and if the key policy does not include the role, the IAM policy alone will not allow decryption. Option B is wrong because S3 bucket policies control access to S3 actions (like s3:GetObject) but cannot grant KMS decryption permissions; KMS actions are governed solely by KMS key policies and IAM policies. Option D is wrong because allowing the service principal s3.amazonaws.com to decrypt would grant decryption to any S3 request that uses the key, bypassing the IAM role restriction and violating the requirement that only certain IAM roles can decrypt.

373
Multi-Selecthard

A company is designing a secure CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The pipeline must securely store and access sensitive parameters (e.g., API keys) used during the build. Which TWO services can be used to securely store and retrieve these parameters?

Select 2 answers
A.AWS Systems Manager Parameter Store (SecureString)
B.AWS Secrets Manager
C.Amazon S3 with server-side encryption
D.AWS Key Management Service (KMS) alone
E.AWS CloudFormation parameter store
AnswersA, B

Parameter Store can store secrets as SecureString parameters and is integrated with CodeBuild.

Why this answer

AWS Systems Manager Parameter Store (SecureString) and AWS Secrets Manager are both designed to securely store secrets and can be accessed by CodeBuild via IAM roles.

374
MCQeasy

A company has an S3 bucket that contains sensitive financial data. The security team requires that all access to the bucket be logged for audit purposes. The developer needs to enable logging that captures who accessed the bucket, the actions performed, and the source IP addresses. The logs must be stored in a separate bucket for security. Which solution meets these requirements?

A.Use Amazon CloudWatch Logs to capture S3 access logs by enabling S3 data events in CloudWatch.
B.Enable S3 server access logging on the bucket and store logs in the same bucket.
C.Enable AWS CloudTrail with S3 data events and deliver logs to a separate S3 bucket.
D.Enable VPC Flow Logs on the VPC that contains the S3 bucket.
AnswerC

CloudTrail S3 data events capture object-level access, including the requester, the action performed, and the source IP address, and can be delivered to a separate bucket.

Why this answer

Option C is correct because AWS CloudTrail S3 data events can log object-level operations and can be delivered to a separate bucket. Option B is wrong because S3 server access logs provide similar data but are not as manageable, and storing them in the same bucket does not meet the separate-bucket requirement. Option A is wrong because CloudWatch Logs is for monitoring, not auditing.

Option D is wrong because VPC Flow Logs capture network traffic, not S3 API calls.

375
Multi-Selecthard

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a Lambda function. Which THREE practices should be followed to ensure security?

Select 3 answers
A.Use IAM roles for pipeline actions instead of access keys.
B.Scan code dependencies for known vulnerabilities.
C.Use CloudFront to distribute pipeline artifacts.
D.Store database credentials in AWS Secrets Manager and retrieve them during deployment.
E.Encrypt artifacts in transit using TLS.
AnswersA, B, D

IAM roles provide temporary credentials and are more secure than long-term access keys.

Why this answer

Option A is correct because IAM roles provide temporary credentials for AWS services, eliminating the need to manage long-term access keys. CodePipeline can assume an IAM role to perform actions like deploying a Lambda function, which reduces the risk of credential leakage. This follows the principle of least privilege and is a security best practice for automated pipelines.

Exam trap

The trap here is that candidates may confuse CloudFront's artifact distribution capability with S3's role in CodePipeline, or assume TLS encryption is an optional security practice rather than a default AWS behavior.
