DVA-C02 domain
Security
Use this page to practise Security questions for the DVA-C02 exam. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start a Security session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
What the exam tests
What to know about Security
Security questions test whether you can apply the concept in context, not just recognise a definition.
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.
Question index
All Security questions (78)
Click any question to see the full explanation, or start a practice session above.
1. A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?
2. A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?
3. A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?
4. A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?
5. A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?
6. A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?
7. A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?
8. A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?
9. A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?
10. A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?
11. A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?
12. A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?
13. A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?
14. A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no IAM users or roles should be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?
15. A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?
16. A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?
17. A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?
18. A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?
19. A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?
20. A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?
21. A developer needs to grant read-only access to objects in an S3 bucket (in Account A) to an IAM role in Account B. The bucket uses server-side encryption with AWS KMS (SSE-KMS) using a customer managed key (CMK) in Account A. Which of the following is REQUIRED for the cross-account access to succeed?
22. A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?
23. A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?
24. A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?
25. A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?
26. A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?
27. A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?
28. A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?
29. A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?
30. A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?
31. A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?
32. A company requires that all data in Amazon S3 be encrypted at rest using server-side encryption with a customer-managed KMS key. The developer needs to ensure that any object uploaded without the x-amz-server-side-encryption header set to aws:kms is denied. How can this be enforced?
33. A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?
34. A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?
35. A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?
36. A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?
37. A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?
38. A developer wants to enforce that all requests to an Amazon S3 bucket must use HTTPS (TLS). The bucket is used for static website hosting. Which bucket policy condition should be used to deny requests that do not use HTTPS?
39. A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?
40. A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?
41. A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?
42. A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?
43. A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?
44. A company requires that all API calls to create an Amazon S3 bucket must include a specific tag (e.g., 'CostCenter'). Which IAM policy condition key should a developer use to enforce this requirement?
45. A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?
46. A company wants to store database credentials securely and rotate them automatically on a schedule. The credentials are used by an AWS Lambda function to access an Amazon RDS instance. Which AWS service should the developer use to meet these requirements?
47. A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?
48. A developer needs to grant temporary access to an Amazon S3 bucket for a user from a different AWS account. The developer wants to use the most secure method that does not require sharing long-term credentials. Which approach should the developer take?
49. A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?
50. A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?
51. A developer stores database credentials for an application running on Amazon EC2. The security team requires that the credentials be automatically rotated every 30 days to reduce the risk of compromise. Which AWS service should the developer use to store and automatically rotate the credentials?
52. A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?
53. A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?
54. A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?
55. A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?
56. A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?
57. A developer is building a REST API with Amazon API Gateway and needs to authorize requests based on a custom JSON Web Token (JWT) that includes claims for user roles. Which authorization mechanism should the developer use?
58. A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?
59. A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?
60. A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?
61. A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?
62. A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?
63. A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?
64. A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?
65. A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?
66. An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?
67. A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?
68. A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?
69. A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?
70. An application receives webhooks from a partner. The developer must verify that each request was signed by the partner and not modified in transit. What should the application validate?
71. A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?
72. An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?
73. A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?
74. A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?
75. A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?
76. An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?
77. A developer needs to securely distribute temporary AWS credentials to authenticated mobile users. Which two components are commonly involved?
78. A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?
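A large share of the stems above (questions 9, 10, 25, 29, 32, 34, 38 and 43) come down to which bucket policy condition to use, and the detail that trips candidates is how IAM treats a condition key that is absent from the request: a non-Null operator such as StringNotEquals does not match when the key is missing, so a single "deny if the header is not aws:kms" statement lets a header-less upload through. The following is an added example, not part of the question bank, that models just enough of IAM condition evaluation (StringEquals, StringNotEquals, Null and Bool) to make that gap visible, with the weak one-statement policy beside the hardened one that AWS's own documentation pattern uses. The bucket name `example-bucket`, the request contexts and the statement Sids are constructed for the demonstration; a real policy would usually apply the TLS deny to `s3:*` rather than only `s3:PutObject`.

```python
"""Model of S3 bucket-policy Deny evaluation for the 'require SSE-KMS' pattern.

Added example: a simplified IAM condition evaluator, not the question bank's
code and not AWS's evaluation engine. It implements only the operators needed
to show why a bucket policy that requires SSE-KMS needs two Deny statements.
"""
from typing import Dict, List

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed bucket name

# Constructed request contexts. Each key is a condition key that S3 would
# expose to the policy; a missing header means the key is absent entirely.
REQUESTS: Dict[str, Dict[str, str]] = {
    "kms_over_tls": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "aws:SecureTransport": "true",
    },
    "sse_s3_header": {
        "s3:x-amz-server-side-encryption": "AES256",
        "aws:SecureTransport": "true",
    },
    "no_encryption_header": {"aws:SecureTransport": "true"},
    "kms_over_plain_http": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "aws:SecureTransport": "false",
    },
}


def condition_matches(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """Return True when every operator/key pair in the Condition block matches ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null "true" matches only when the key is absent; "false" only when present.
                if present == (expected == "true"):
                    return False
            elif not present:
                # IAM: an absent key never matches a non-Null operator, including
                # negated ones like StringNotEquals. This is the trap.
                return False
            elif operator == "StringEquals":
                if ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                if ctx[key] == expected:
                    return False
            elif operator == "Bool":
                if ctx[key].lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def deny_put(sid: str, condition: Dict[str, Dict[str, str]]) -> dict:
    """Build a Deny statement on s3:PutObject for the example bucket."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*", "Condition": condition}


# Weak: denies the wrong header but is silent when the header is missing.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    deny_put("DenyIncorrectEncryptionHeader",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
]}

# Hardened: adds the Null check for a missing header and a TLS requirement.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    WEAK_POLICY["Statement"][0],
    deny_put("DenyUnencryptedObjectUploads",
             {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
    deny_put("DenyInsecureTransport",
             {"Bool": {"aws:SecureTransport": "false"}}),
]}


def put_object_denied_by(policy: dict, ctx: Dict[str, str]) -> List[str]:
    """Sids of Deny statements that match a PutObject request; empty means no explicit deny."""
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny" and "s3:PutObject" in actions
                and condition_matches(stmt.get("Condition", {}), ctx)):
            hits.append(stmt["Sid"])
    return hits


def compare() -> Dict[str, Dict[str, List[str]]]:
    """Evaluate every constructed request against both policies."""
    return {name: {"weak": put_object_denied_by(WEAK_POLICY, ctx),
                   "hardened": put_object_denied_by(HARDENED_POLICY, ctx)}
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        weak = ", ".join(result["weak"]) or "not denied"
        hard = ", ".join(result["hardened"]) or "not denied"
        print(f"{name:22} weak: {weak:32} hardened: {hard}")
```

Only the `no_encryption_header` request separates the two policies: the weak policy does not deny it, the hardened one does via the Null statement. An explicit deny is only half the picture; the principal still needs an Allow somewhere for the upload to succeed, and since S3 now applies SSE-S3 by default to uploads that carry no encryption header, the missing-header case is no longer plaintext, but it still bypasses the KMS requirement unless the Null statement (or SSE-KMS default encryption on the bucket) is in place.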
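Question 70 asks what a webhook receiver must validate to know a request came from the partner and was not modified in transit. The usual answer is an HMAC over the request computed with a shared secret, checked with a constant-time comparison, plus a timestamp bound into the signed string so a captured request cannot be replayed later. The code below is an added example, not from the question bank, and the header names (`X-Signature-Timestamp`, `X-Signature`), the `v1=<hex>` format, the signed string `"<timestamp>.<body>"` and the shared secret are all assumptions made for the demonstration; a real partner defines its own scheme, and the secret would be read from Secrets Manager rather than embedded in code.

```python
"""Verify a partner webhook signature: origin, integrity and freshness.

Added example with an assumed signing scheme (see lead-in); the partner's
real header names, format and secret storage are not given by the question.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

SHARED_SECRET = b"constructed-shared-secret-for-demo"  # constructed; load from Secrets Manager in production
MAX_SKEW_SECONDS = 300  # reject timestamps more than five minutes from the receiver's clock


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp cannot be swapped."""
    mac = hmac.new(secret, f"{timestamp}.".encode("ascii") + body, hashlib.sha256)
    return "v1=" + mac.hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid for this exact body and is fresh."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Signature-Timestamp"])
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp: treat as unsigned
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: likely a replay or clock abuse
    supplied = headers.get("X-Signature", "")
    expected = sign(secret, timestamp, body)
    # compare_digest runs in constant time, so a byte-by-byte timing oracle is not leaked
    return hmac.compare_digest(supplied.encode("ascii", "ignore"), expected.encode("ascii"))


def demo() -> Dict[str, bool]:
    """Exercise the verifier on a constructed webhook and several tampered variants."""
    body = b'{"event":"payment.settled","amount":4200,"currency":"EUR"}'
    ts = 1_700_000_000  # constructed send time
    good = {"X-Signature-Timestamp": str(ts), "X-Signature": sign(SHARED_SECRET, ts, body)}
    tampered_body = body.replace(b"4200", b"9999")
    moved_timestamp = dict(good, **{"X-Signature-Timestamp": str(ts + 60)})
    unsigned = {"X-Signature-Timestamp": str(ts)}
    return {
        "valid": verify(SHARED_SECRET, good, body, now=ts + 10),
        "body_modified": verify(SHARED_SECRET, good, tampered_body, now=ts + 10),
        "timestamp_moved": verify(SHARED_SECRET, moved_timestamp, body, now=ts + 70),
        "replayed_later": verify(SHARED_SECRET, good, body, now=ts + 3600),
        "wrong_secret": verify(b"other-secret", good, body, now=ts + 10),
        "no_signature": verify(SHARED_SECRET, unsigned, body, now=ts + 10),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16} {'accepted' if accepted else 'rejected'}")
```

Verify over the raw request bytes, before any JSON parsing or re-serialisation, since reformatting the body changes the HMAC input. The freshness window limits replay but does not eliminate it within the window; where that matters, also record seen timestamps or event IDs for the window's duration and reject duplicates.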
Watch out for
Common Security exam traps
- Answering from memory before reading the full scenario.
- Missing the detail that decides the answer: which account owns the bucket or the KMS key, whether the bucket policy, the key policy or the identity policy is the one that is incomplete, whether credentials are long-term or temporary, or whether the requirement is to enforce a control rather than merely enable it.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Security domain cover on the DVA-C02 exam?
- The Security domain in the DVA-C02 exam guide covers implementing authentication and authorization for applications and AWS services (IAM policies, roles and STS, Amazon Cognito, API Gateway authorizers), implementing encryption with AWS services (AWS KMS, S3 server-side encryption, TLS certificates via ACM) and managing sensitive data in application code (AWS Secrets Manager, Parameter Store, encrypted Lambda environment variables). The questions on this page test whether you can apply those concepts in a scenario, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 78 Security questions in the DVA-C02 question bank. The actual exam draws from this domain in proportion to its weighting in the official exam guide, where Security accounts for 26% of scored content.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Security questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.