CCNA Dva Security Questions

75 of 429 questions · Page 2/6 · Dva Security topic · Answers revealed

76
Multi-Select · medium

A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?

Select 2 answers
A. kms:Decrypt on the key
B. iam:CreateUser on the account
C. s3:PutBucketAcl on every bucket
D. Permission for the Lambda execution role to use the KMS key
Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because the Lambda function must have permission to call the kms:Decrypt action on the specific customer managed KMS key to decrypt the data. This permission is granted via a key policy or a grant on the KMS key itself, allowing the Lambda execution role to use the key for decryption operations.

Exam trap

The trap here is that candidates often confuse IAM actions (like iam:CreateUser or s3:PutBucketAcl) with KMS-specific permissions, or they forget that the Lambda execution role needs both the IAM policy and the key policy to allow kms:Decrypt.

77
MCQ · hard

A company is using AWS KMS to encrypt data in S3. They want to ensure that only specific IAM roles can decrypt the data, even if the IAM role has full S3 access. What should they do?

A. Use an IAM policy to deny KMS Decrypt for all users except the role.
B. Add a bucket policy that denies Decrypt for all principals except the role.
C. Enable S3 Block Public Access on the bucket.
D. Modify the KMS key policy to grant decrypt permission only to the specific IAM role.
Answer: D

Key policy controls who can use the key.

Why this answer

Option D is correct because a KMS key policy can grant decrypt permission to specific IAM roles. Option B is wrong because bucket policies only control S3 access, not KMS decrypt. Option A is wrong because IAM policies alone cannot restrict decrypt if the role has access.

Option C is wrong because S3 Block Public Access does not affect KMS.

78
MCQ · hard

A developer is troubleshooting an issue where an S3 bucket policy is not granting cross-account access to a user in another AWS account. The bucket policy uses a Principal element with the AWS account ID. What is the most likely reason for the failure?

A. The bucket is encrypted with SSE-S3, which blocks cross-account access.
B. The bucket policy must use the user's ARN instead of the account ID.
C. The bucket policy cannot grant access to users in another account.
D. The IAM user in the other account does not have an IAM policy that allows the S3 action.
Answer: D

Both bucket policy and user policy must allow the action.

Why this answer

Option D is correct because for cross-account access, the user's IAM role must also allow the S3 action; both the bucket policy and the user policy must grant permission. Option C is wrong because bucket policies can grant access to other accounts. Option A is wrong because encryption does not block access if permissions are correct.

Option B is wrong because bucket policies support granting access to specific IAM users in other accounts.

79
MCQ · hard

A company has a legacy application running on an EC2 instance that stores database credentials in a plain text configuration file. The security team requires that credentials be stored securely and rotated every 90 days. The developer must minimize changes to the application code. The application currently reads the configuration file from the file system. Which solution meets these requirements?

A. Encrypt the configuration file using AWS KMS and store the encrypted file on S3.
B. Use AWS Secrets Manager to store the credentials and configure automatic rotation with a Lambda function. Modify the application to retrieve the secret from Secrets Manager.
C. Store the credentials in environment variables on the EC2 instance.
D. Store the credentials in AWS Systems Manager Parameter Store as a SecureString and retrieve them at application startup.
Answer: B

Supports rotation; minimal code change required.

Why this answer

Option B is correct because AWS Secrets Manager provides built-in support for automatic credential rotation using a Lambda function, meeting the 90-day rotation requirement without manual intervention. By modifying the application to retrieve the secret via the Secrets Manager API, the credentials are no longer stored in plain text, satisfying the security team's mandate. This approach minimizes code changes because the application only needs to replace the file read with an API call, preserving the existing logic structure.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with Systems Manager Parameter Store, assuming both support automatic rotation, but Parameter Store does not provide built-in rotation capabilities, making Secrets Manager the only correct choice for automated rotation requirements.

How to eliminate wrong answers

Option A is wrong because encrypting the configuration file and storing it on S3 does not address rotation; the encrypted file would still need to be manually updated every 90 days, and the application would require code changes to decrypt the file. Option C is wrong because environment variables on the EC2 instance are not encrypted at rest by default and do not support automatic rotation; they also expose credentials in process listings or logs. Option D is wrong because AWS Systems Manager Parameter Store as a SecureString does not support automatic rotation natively; while it can store encrypted parameters, rotation would require custom automation, and the application would still need code changes to retrieve the parameter via the AWS SDK.

80
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with SSE-S3. What is the MOST effective way to enforce this?

A. Create an IAM policy that denies non-SSE-S3 encryption and attach it to all users.
B. Use AWS Config rules to detect buckets without SSE-S3 and send alerts.
C. Use an SCP in AWS Organizations to deny s3:PutBucketEncryption unless the encryption algorithm is AES256.
D. Use S3 bucket policies to deny PutObject if encryption is not SSE-S3.
Answer: C

SCPs enforce across all accounts in the organization.

Why this answer

Option C is correct because service control policies (SCPs) can be applied at the organization level to deny actions that do not meet conditions. An SCP can deny s3:PutBucketEncryption if the encryption is not SSE-S3. Option A is not possible because you cannot directly apply IAM policies to all accounts.

Option B is per account and not centralized. Option D is per bucket and not enforced across accounts.

81
MCQ · medium

A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?

A. Add a bucket policy that denies s3:GetObject unless the request uses a specific IAM role.
B. Add a key policy that allows the IAM role to perform kms:Decrypt and denies all other principals.
C. Configure the S3 bucket with default encryption using the KMS key.
D. Create an IAM policy that grants kms:Decrypt only to the specific role.
Answer: B

KMS access is controlled via key policies; this grants decryption only to the specified role.

Why this answer

Option B is correct because KMS key policies directly control who can use the key for cryptographic operations like kms:Decrypt. By explicitly allowing only the specific IAM role and denying all other principals (including the root account), the key policy ensures that only that role can decrypt the S3 objects, regardless of any other IAM or bucket policies. This is the most secure and direct way to restrict decryption at the key level.

Exam trap

The trap here is that candidates often assume IAM policies alone can grant decryption access, but KMS key policies are the authoritative gatekeeper for key usage, and without an explicit Allow in the key policy, even an IAM policy with kms:Decrypt will fail.

How to eliminate wrong answers

Option A is wrong because a bucket policy denying s3:GetObject based on the IAM role does not control decryption; it controls read access to the object metadata and data, but if the object is encrypted with KMS, the request must also have kms:Decrypt permission, which the bucket policy cannot grant or deny. Option C is wrong because configuring default encryption with the KMS key only ensures new objects are encrypted at rest, but does not restrict which principals can decrypt them; any principal with kms:Decrypt on the key can still decrypt. Option D is wrong because an IAM policy granting kms:Decrypt to the role is insufficient if the key policy does not also allow the role; KMS key policies are the primary access control mechanism, and if the key policy denies all principals except the role, an IAM policy alone cannot override that denial.

82
MCQ · hard

A developer is building a serverless application using AWS Lambda and API Gateway. The API should be accessible only from a specific VPC. What is the MOST secure way to achieve this?

A. Attach a security group to the API Gateway that only allows traffic from the VPC.
B. Create a private API Gateway endpoint and associate it with the VPC.
C. Set up VPC Peering between the VPC and the API Gateway's VPC.
D. Create a VPC endpoint for API Gateway and attach a resource policy to the API that allows access only from the VPC endpoint.
Answer: D

This restricts access to the VPC using the aws:SourceVpce condition.

Why this answer

Option D is correct because using a resource policy on API Gateway with the aws:SourceVpce condition restricts access to requests originating from the VPC endpoint. Option B is wrong because private API Gateway endpoints are accessible from within a VPC without a resource policy. Option C is wrong because VPC Peering does not restrict access to API Gateway.

Option A is wrong because security groups are for network interfaces, not API Gateway.

83
Multi-Select · hard

A developer needs to securely expose an API running on an EC2 instance behind an Application Load Balancer. The API should only be accessible to authenticated users via a custom authorization header. Which steps should be taken? (Choose TWO.)

Select 2 answers
A. Create a Lambda authorizer that validates the custom header
B. Enable AWS WAF on the ALB to inspect the header
C. Use Amazon Cognito User Pools to validate the header
D. Use Amazon API Gateway instead of ALB
E. Configure the ALB to use the Lambda authorizer
Answers: A, E

A Lambda authorizer can verify the token and return an IAM policy.

Why this answer

Option A is correct because a Lambda authorizer can validate a custom authorization header by inspecting the header value and returning an IAM policy that either allows or denies access to the API. This approach is commonly used with API Gateway, but the question specifies an ALB, so the Lambda authorizer must be integrated with the ALB via a Lambda function that acts as an authenticator. The ALB can invoke a Lambda function as a target group, and the function can validate the custom header and return a response that the ALB uses to determine whether to forward the request.

Exam trap

The trap here is that candidates often assume API Gateway is required for Lambda authorizers, but the ALB can also invoke a Lambda function for authentication, and the question specifically asks for steps to secure the ALB, not to replace it.

84
MCQ · medium

A developer ran the AWS CLI command shown in the exhibit. What is the most likely cause of the error?

A. The --origin parameter is misspelled.
B. The --key-spec parameter is invalid for custom key stores.
C. The IAM user does not have permission to create KMS keys.
D. The AWS Region does not support CloudHSM custom key stores.
Answer: D

Custom key stores are not available in all regions; the error confirms this.

Why this answer

Creating a KMS key in a custom key store (CloudHSM) requires a CloudHSM cluster and a custom key store to be set up first. The error indicates that custom key stores are not supported in the region, meaning the developer is in a region that does not support CloudHSM-based custom key stores. Option A is wrong because the CLI syntax is correct.

Option C is wrong because the error specifically says custom key stores are not supported in this region. Option B is wrong because the key spec is valid.

85
Multi-Select · medium

A company wants to encrypt data at rest in Amazon RDS for MySQL. Which TWO actions should be taken?

Select 2 answers
A. Enable encryption at rest when creating the DB instance.
B. Encrypt individual tables using MySQL native encryption.
C. Enable encryption at rest after the DB instance is created.
D. Use AWS KMS to manage the encryption keys.
E. Use client-side encryption to encrypt data before sending to RDS.
Answers: A, D

RDS encryption at rest must be enabled at creation time.

Why this answer

Option A is correct because Amazon RDS for MySQL supports encryption at rest only at the time of DB instance creation. You must enable the encryption option in the console or specify the --storage-encrypted flag in the AWS CLI when launching the instance. Once enabled, RDS automatically encrypts the underlying storage, automated backups, read replicas, and snapshots using AES-256 encryption, with keys managed through AWS KMS.

Exam trap

The trap here is that candidates often assume encryption at rest can be enabled after instance creation (like modifying a DB parameter group) or that MySQL native encryption is available in RDS, but AWS restricts encryption to instance creation time and does not support MySQL's native table encryption within the managed service.

86
MCQ · hard

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that all KMS keys are rotated every year. Which action should be taken?

A. Manually rotate the KMS key every year
B. Create a new KMS key and update all applications to use it
C. Enable automatic key rotation
D. Use AWS CloudWatch Events to trigger a Lambda function that rotates the key
Answer: C

KMS supports automatic annual rotation for symmetric keys.

Why this answer

AWS KMS supports automatic key rotation for customer-managed KMS keys. When enabled, KMS rotates the key material annually without requiring any manual intervention or application changes. This satisfies the security team's requirement for yearly rotation while maintaining the same key ID and existing encrypted data accessibility.

Exam trap

The trap here is that candidates may think manual rotation or creating a new key is required because they confuse KMS key rotation with S3 bucket key rotation or assume that automatic rotation changes the key ID, which would break references to the key.

How to eliminate wrong answers

Option A is wrong because manual rotation requires creating a new key and updating applications, which is error-prone and does not automatically re-encrypt existing data. Option B is wrong because creating a new KMS key and updating applications introduces operational overhead and does not rotate the existing key; it replaces it, potentially breaking access to previously encrypted data. Option D is wrong because AWS CloudWatch Events triggering a Lambda function is unnecessary and overly complex; KMS already provides a built-in, fully managed automatic rotation feature that does not require custom scripting or event-driven orchestration.

87
MCQ · easy

A developer needs to generate temporary credentials for a user to access an S3 bucket for 30 minutes. Which AWS service should be used?

A. IAM role
B. Amazon Cognito
C. AWS Key Management Service (KMS)
D. AWS Security Token Service (STS)
Answer: D

STS issues temporary credentials that can be configured to expire in 30 minutes.

Why this answer

AWS Security Token Service (STS) is the correct service for generating temporary, limited-privilege credentials to access AWS resources. It can issue credentials with a configurable expiration period, such as 30 minutes, via the AssumeRole API call. This directly meets the requirement for time-bound access to an S3 bucket.

Exam trap

The trap here is that candidates confuse IAM roles (a permission container) with the service that actually issues temporary credentials (STS), leading them to select Option A instead of D.

How to eliminate wrong answers

Option A is wrong because an IAM role is a set of permissions, not a mechanism to generate temporary credentials; you must use STS (e.g., AssumeRole) to obtain temporary credentials for a role. Option B is wrong because Amazon Cognito is designed for user identity and authentication in web/mobile apps, not for directly generating temporary AWS credentials for a single S3 bucket access scenario; it uses identity pools which rely on STS under the hood but adds unnecessary complexity. Option C is wrong because AWS Key Management Service (KMS) manages encryption keys and cannot generate any type of credentials, temporary or otherwise.

88
MCQ · easy

A developer needs to securely store database credentials for a Lambda function. The credentials should be automatically rotated every 30 days. Which AWS service should the developer use?

A. AWS Key Management Service (KMS) to encrypt the credentials.
B. Store the credentials in an IAM role's trust policy.
C. AWS Secrets Manager.
D. AWS Systems Manager Parameter Store with a SecureString parameter.
Answer: C

Supports automatic rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate database credentials and other secrets. It supports native rotation of credentials for Amazon RDS, Redshift, and DocumentDB with built-in Lambda rotation functions, and can be configured to rotate on a schedule (e.g., every 30 days) without custom code. The service also integrates directly with Lambda via the AWS SDK to retrieve secrets at runtime, ensuring credentials are never hardcoded.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets with SecureString) with AWS Secrets Manager, but the key differentiator is that Secrets Manager provides built-in automatic rotation, which is explicitly required by the question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encrypting data at rest, but it does not store credentials or provide automatic rotation; it only provides the encryption key, not the secret management lifecycle. Option B is wrong because IAM role trust policies define which principals can assume the role, not where to store credentials; storing credentials in a trust policy is not supported and would be a security risk. Option D is wrong because while Systems Manager Parameter Store with SecureString can store encrypted parameters, it does not natively support automatic rotation of credentials; you would need to build a custom rotation solution, whereas Secrets Manager provides built-in rotation capabilities.

89
MCQ · hard

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses a PostgreSQL database on RDS. The security team requires that database credentials never be stored in application code or configuration files. Which solution meets this requirement?

A. Store the credentials in a Systems Manager Parameter Store parameter and retrieve them at application startup.
B. Store the credentials in an encrypted S3 bucket and have the application read the config file at startup.
C. Hardcode the credentials in a Lambda function that is called to get the credentials.
D. Use AWS Secrets Manager to store the credentials and retrieve them at runtime with automatic rotation.
Answer: D

Secrets Manager provides secure storage and automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed specifically for securely storing and automatically rotating database credentials. It integrates natively with RDS for PostgreSQL, enabling automatic rotation without code changes. The application retrieves credentials at runtime via the AWS SDK, ensuring they are never stored in code or configuration files.

Exam trap

The trap here is that candidates confuse Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with Secrets Manager, leading them to choose Option A despite the rotation requirement.

How to eliminate wrong answers

Option A is wrong because Systems Manager Parameter Store does not natively support automatic rotation of RDS credentials; it is a parameter store, not a secrets manager with built-in rotation. Option B is wrong because storing credentials in an S3 bucket, even encrypted, still requires the application to read a configuration file at startup, which violates the requirement that credentials never be stored in configuration files. Option C is wrong because hardcoding credentials in a Lambda function still stores them in code, which is explicitly prohibited by the security requirement.

90
MCQ · hard

A developer is using IAM roles for Amazon EC2 to grant permissions to an application. The application makes API calls to DynamoDB and S3. After deploying, the application fails to access DynamoDB. The developer verifies the IAM role has the correct DynamoDB permissions. What is the most likely cause?

A. The IAM role does not have a trust policy for EC2.
B. The IAM role is not attached to the EC2 instance profile.
C. The DynamoDB table is in a different region than the EC2 instance.
D. The application is using the wrong AWS SDK.
Answer: B

The instance profile must be associated with the EC2 instance for the application to use the role.

Why this answer

For an EC2 instance to use an IAM role, the role must be attached to an EC2 instance profile, which is the container that passes the role's credentials to the instance via the instance metadata service. Even if the IAM role has the correct DynamoDB permissions, if it is not associated with the instance profile, the application will not receive temporary credentials and will fail to access DynamoDB.

Exam trap

The trap here is that candidates assume simply having the correct IAM role with proper permissions is sufficient, overlooking the mandatory step of attaching the role to an EC2 instance profile for credential delivery.

How to eliminate wrong answers

Option A is wrong because the IAM role does have a trust policy for EC2 (it must, otherwise the role could not be assumed by EC2 at all); the issue is the lack of attachment to the instance profile. Option C is wrong because DynamoDB is a global service that can be accessed across regions via its global endpoints, and region mismatch does not cause access failures when permissions are correct. Option D is wrong because the AWS SDK automatically handles credential retrieval from the instance metadata service; using a different SDK version or language does not prevent credential resolution if the role is properly attached.

91
MCQ · hard

A developer is configuring cross-account access for an S3 bucket. The source account (111111111111) wants to allow the target account (222222222222) to write objects to the bucket. The developer attaches the following bucket policy. However, the write operation fails with AccessDenied. What is the most likely cause?

A. The target account has not attached an IAM policy granting the user or role s3:PutObject
B. The bucket has an S3 ACL that denies the target account
C. The bucket policy does not allow s3:PutObject for the target account
D. The bucket is encrypted with SSE-KMS and the target account lacks KMS permissions
Answer: A

Cross-account access requires both the resource-based policy (bucket policy) and an IAM policy in the target account.

Why this answer

Option A is correct because cross-account S3 access requires both a bucket policy that grants the target account principal (or a resource-based policy) AND an IAM policy in the target account that explicitly allows the user or role to perform the s3:PutObject action. Without the target account's IAM policy, the request is denied even if the bucket policy permits it, as the target account's principal lacks the necessary permissions to make the call.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, overlooking the requirement for an IAM policy in the target account to authorize the principal making the request.

How to eliminate wrong answers

Option B is wrong because S3 ACLs are legacy and, while they can grant cross-account permissions, the bucket policy is the primary mechanism here; an ACL denying the target account would cause a different error (e.g., AccessDenied with a different message) but is not the most likely cause given the bucket policy is already in place. Option C is wrong because the question states the developer attaches the bucket policy to allow the target account to write objects, so the bucket policy presumably includes s3:PutObject; if it didn't, the error would be expected, but the most likely cause is the missing IAM policy in the target account. Option D is wrong because SSE-KMS requires additional KMS key permissions (kms:GenerateDataKey, kms:Decrypt) for the target account, but the error would be a KMS-related AccessDenied, not a generic s3:PutObject failure; the question does not mention KMS, so this is less likely than the missing IAM policy.

92
MCQ · medium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated every 90 days. Which key type should the company use to meet this requirement with minimal operational overhead?

A. Customer managed KMS key with manual rotation
B. Customer managed KMS key with automatic rotation enabled
C. AWS managed KMS key
D. AWS owned KMS key
Answer: B

Customer managed keys allow you to set a custom rotation period (e.g., 90 days) and enable automatic rotation.

Why this answer

Customer managed KMS keys support automatic rotation, which can be enabled to rotate the key material every 365 days (or every 90 days if using a custom key store with imported key material). However, the requirement is for 90-day rotation with minimal operational overhead. Automatic rotation for customer managed KMS keys meets this by handling rotation without manual intervention, though note that the default automatic rotation period is 365 days; to achieve exactly 90 days, you would need to use a custom key store and import key material with a 90-day rotation schedule, or manually rotate more frequently.

Given the options, B is the best choice because it provides automatic rotation with less overhead than manual rotation.

Exam trap

The trap here is that candidates assume automatic rotation can be configured to any custom period (like 90 days) for standard customer managed keys, but KMS automatic rotation is fixed at 365 days for AWS KMS keys, and only imported key material in a custom key store allows custom rotation intervals.

How to eliminate wrong answers

Option A is wrong because manual rotation requires the company to create new keys, update applications, and delete old keys every 90 days, which introduces significant operational overhead and risk of errors. Option C is wrong because AWS managed KMS keys cannot be rotated by the customer; AWS rotates them automatically on a schedule that is not configurable (typically every 3 years for AWS managed keys), and the rotation policy is not under customer control. Option D is wrong because AWS owned KMS keys are used by AWS services on behalf of the customer, are not visible or manageable by the customer, and cannot be rotated on a custom schedule.

93
Multi-Select · medium

A company is using AWS KMS to encrypt data in S3. Which TWO actions are required to allow an IAM user to decrypt objects in a specific S3 bucket?

Select 2 answers
A. Attach a policy to the user allowing s3:GetObject on the bucket.
B. Attach a policy to the user allowing kms:Encrypt.
C. Attach a policy to the user allowing s3:PutObject.
D. Attach a policy to the user allowing kms:GenerateDataKey.
E. Attach a policy to the user allowing kms:Decrypt on the KMS key.
Answers: A, E

Required to retrieve the object.

Why this answer

Option A is correct because to decrypt an object stored in S3 using server-side encryption with AWS KMS (SSE-KMS), the IAM user must have the s3:GetObject permission to retrieve the encrypted object from the bucket. Without this permission, the user cannot even initiate the GetObject request, regardless of KMS permissions.

Exam trap

The trap here is that candidates often forget that decrypting an SSE-KMS encrypted object requires both S3 read permissions and KMS decrypt permissions, leading them to select only one of the two required actions.

94
MCQ · hard

A company runs a containerized application on Amazon ECS using Fargate. The application needs to access an S3 bucket to read configuration files and a DynamoDB table to store session state. The ECS task role is configured with the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "dynamodb:PutItem",
        "dynamodb:GetItem"
      ],
      "Resource": "*"
    }
  ]
}

The application fails to read from the S3 bucket and write to DynamoDB. The error messages indicate AccessDenied. The S3 bucket has a bucket policy that denies all access unless the request includes a specific aws:SourceIp condition. The DynamoDB table has a resource-based policy that allows access only from the VPC endpoint. The ECS tasks are running in a private subnet with a VPC endpoint for DynamoDB but no VPC endpoint for S3. Which action should be taken to resolve the errors?

A. Add s3:ListBucket to the task role policy and ensure the S3 bucket policy allows the task role ARN
B. Attach a NAT gateway to the private subnet and update the S3 bucket policy to allow the NAT gateway's public IP
C. Modify the task role policy to restrict resource ARNs to the specific S3 bucket and DynamoDB table
D. Create a VPC endpoint for S3 and modify the S3 bucket policy to allow access from the VPC endpoint
Answer: D

A VPC endpoint for S3 removes the need for a public IP; the bucket policy can then use the aws:SourceVpce condition.

Why this answer

The application fails because the S3 bucket policy denies access unless the request includes a specific `aws:SourceIp` condition, but the ECS tasks in a private subnet have no public IP and no VPC endpoint for S3. Without a VPC endpoint, traffic to S3 traverses the internet via a NAT gateway, but the bucket policy explicitly requires a specific source IP, which the NAT gateway's public IP does not match (or is not allowed). Option D resolves this by creating a VPC endpoint for S3 and modifying the bucket policy to allow access from the VPC endpoint, bypassing the IP condition and enabling private connectivity.

Exam trap

The trap here is that candidates may focus on the task role policy (Option C) or NAT gateway (Option B) without recognizing that the S3 bucket policy's `aws:SourceIp` condition explicitly blocks traffic from private subnets without a VPC endpoint, and that the DynamoDB table policy already requires a VPC endpoint, which is present for DynamoDB but missing for S3.

How to eliminate wrong answers

Option A is wrong because adding `s3:ListBucket` to the task role policy does not address the S3 bucket policy's `aws:SourceIp` condition that denies access; the bucket policy overrides the task role's permissions. Option B is wrong because attaching a NAT gateway gives the tasks a public IP, but the bucket policy requires a specific source IP that the NAT gateway's IP may not match, and updating the bucket policy to allow the NAT gateway's IP is not a scalable or secure solution; also, the DynamoDB access issue remains unresolved as the DynamoDB table policy requires VPC endpoint access. Option C is wrong because restricting resource ARNs in the task role policy does not resolve the S3 bucket policy's IP condition or the DynamoDB table policy's VPC endpoint requirement; the task role already allows the necessary actions on all resources, so the issue is with the resource-based policies, not the task role's scope.
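Several of the questions above (77, 78, 81, 91 and 94) turn on the same three evaluation rules: an explicit Deny in any applicable policy wins; cross-account access needs an Allow in both the resource policy and the caller's IAM policy; and for KMS the key policy must either name the caller or delegate to IAM through the account root principal. The following Python model is an added example, not part of the question bank and not AWS code, that implements those rules in a simplified form (only StringEquals/StringNotEquals conditions, no NotAction/NotResource, no session policies or permission boundaries) and replays the scenarios from those questions. All account ids, ARNs, bucket names, key ids and the VPC endpoint id are constructed placeholders.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _arn_account(arn):
    return arn.split(":")[4]          # arn:partition:service:region:account-id:...

def _principal_match(principal, caller_arn):
    """'direct' for * or the caller's own ARN; 'delegated' for the caller's account
    root (or bare account id), which hands the decision to IAM; None otherwise."""
    if principal == "*":
        return "direct"
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    acct = _arn_account(caller_arn)
    for p in _as_list(values):
        if p == "*" or p == caller_arn:
            return "direct"
        if p == acct or (p.endswith(":root") and _arn_account(p) == acct):
            return "delegated"
    return None

def _condition_ok(condition, context):
    # Only StringEquals / StringNotEquals are modelled; every listed key must pass.
    for op, pairs in (condition or {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {op} not modelled")
        for key, want in pairs.items():
            hit = context.get(key) in _as_list(want)
            if hit != (op == "StringEquals"):
                return False
    return True

def _effects(policy, action, resource, caller_arn, context, is_resource_policy):
    """Set of (Effect, match-kind) for the statements that apply to the request."""
    found = set()
    for st in (policy or {}).get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        kind = _principal_match(st.get("Principal", {}), caller_arn) if is_resource_policy else "direct"
        if kind:
            found.add((st["Effect"], kind))
    return found

def evaluate(action, resource, caller_arn, resource_account, identity_policy=None,
             resource_policy=None, context=None, resource_policy_required=False):
    """'Allow' or 'Deny'. resource_policy_required=True models KMS: an IAM policy alone
    never suffices, the key policy must name the caller or delegate to IAM via root."""
    ident = _effects(identity_policy, action, resource, caller_arn, context or {}, False)
    res = _effects(resource_policy, action, resource, caller_arn, context or {}, True)
    if any(effect == "Deny" for effect, _ in ident | res):
        return "Deny"                                   # an explicit Deny always wins
    ident_allow = ("Allow", "direct") in ident
    res_direct, res_delegated = ("Allow", "direct") in res, ("Allow", "delegated") in res
    if _arn_account(caller_arn) == resource_account:   # same account
        ok = res_direct or (res_delegated and ident_allow) or (ident_allow and not resource_policy_required)
    else:                                               # cross-account: both sides must allow
        ok = ident_allow and (res_direct or res_delegated)
    return "Allow" if ok else "Deny"

# ---- Constructed placeholder accounts, identities, policies and request contexts ----
ACCT = "111111111111"
ROLE_A = f"arn:aws:iam::{ACCT}:role/app-role"
USER_B = "arn:aws:iam::222222222222:user/partner"       # principal in another account
OBJECTS = "arn:aws:s3:::example-bucket/*"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCT}:key/00000000-0000-0000-0000-000000000000"

def allow(*actions):                                    # minimal identity policy
    return {"Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Q91: the bucket policy grants the other account's root; the target account must also allow.
CROSS_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": OBJECTS}]}

def cross_account_put(target_has_iam_policy):
    ident = allow("s3:PutObject") if target_has_iam_policy else None
    return evaluate("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv", USER_B, ACCT,
                    ident, CROSS_BUCKET_POLICY)

# Q81: a key policy naming only app-role vs. the default key policy that delegates to IAM.
KEY_POLICY_ROLE_ONLY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt",
    "Principal": {"AWS": ROLE_A}, "Resource": "*"}]}
KEY_POLICY_DEFAULT = {"Statement": [{"Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCT}:root"}, "Resource": "*"}]}

def kms_decrypt(caller, key_policy, iam_policy=None):
    return evaluate("kms:Decrypt", KEY_ARN, caller, ACCT, iam_policy, key_policy,
                    resource_policy_required=True)

# Q82/Q94: admit reads only when the request arrives through one specific VPC endpoint.
VPCE_ONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

def get_via_vpce(vpce_id):
    ctx = {"aws:SourceVpce": vpce_id} if vpce_id else {}
    return evaluate("s3:GetObject", "arn:aws:s3:::example-bucket/config.json", ROLE_A, ACCT,
                    allow("s3:GetObject"), VPCE_ONLY_POLICY, ctx)
```

Calling `cross_account_put(False)` returns "Deny" and `cross_account_put(True)` returns "Allow", which is the point of question 91; `kms_decrypt` with a role that is not named in `KEY_POLICY_ROLE_ONLY` returns "Deny" even when that role carries an IAM policy with kms:Decrypt (question 81, option D), while the same role is allowed once the key policy delegates to IAM through the root principal and the IAM policy is present. `get_via_vpce` returns "Allow" only for the endpoint id in the Deny condition, which is the aws:SourceVpce pattern from questions 82 and 94. The model deliberately omits the aws:SourceIp operator, so the IP-based bucket policy from question 94 would raise NotImplementedError rather than silently evaluate.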

95
Multi-Selectmedium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets are encrypted with AES-256 (SSE-S3) and that no public access is allowed. Which TWO methods can be used to enforce these requirements across all accounts? (Choose TWO.)

Select 2 answers
A.Use AWS Config rules with automatic remediation to detect and fix non-compliant buckets.
B.Attach an IAM policy to all IAM users in each account that denies unencrypted operations.
C.Use an SCP in the root organizational unit to deny 's3:PutBucketPublicAccessBlock' and enforce encryption settings.
D.Enable AWS CloudTrail to log all S3 API calls and send alerts.
E.Use AWS Trusted Advisor to check for unencrypted buckets.
AnswersA, C

Config rules can evaluate and remediate.

Why this answer

Option A is correct because AWS Config rules can evaluate S3 bucket configurations against desired settings (e.g., encryption enabled, public access blocked) and trigger automatic remediation via AWS Systems Manager Automation documents to fix non-compliant buckets. This provides continuous enforcement across all accounts in the organization without manual intervention.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can grant permissions (they only deny), or they assume CloudTrail or Trusted Advisor can enforce security requirements when they are only detective or advisory tools.

96
Multi-Selecthard

A company is deploying a web application on EC2 instances behind an ALB. The application needs to authenticate users using a corporate identity provider that supports SAML 2.0. Which of the following are required to configure this? (Choose THREE.)

Select 3 answers
A.Obtain the IdP's metadata document to configure the trust.
B.Register the corporate IdP as a SAML identity provider in IAM.
C.Configure Amazon Cognito as an intermediary.
D.Register the corporate IdP in Amazon Route 53.
E.Create an ALB rule that uses the SAML provider for authentication.
AnswersA, B, E

Metadata contains endpoints and certificates.

Why this answer

Options A, B, and E are correct. The ALB can authenticate users via SAML by creating a rule that uses an IdP. The IdP must be registered in IAM as a SAML provider, using the IdP's metadata document to establish the trust.

The ALB must be configured with a listener rule that uses that provider. Option C is incorrect because Cognito is not required. Option D is incorrect because the IdP is not registered in Route 53.

97
Multi-Selectmedium

A developer is designing a system that must meet PCI DSS compliance. Which THREE AWS services can help with logging and monitoring security events?

Select 3 answers
A.Amazon CloudWatch Logs
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.AWS Key Management Service (KMS)
E.AWS Config
AnswersA, C, E

CloudWatch Logs collects and stores log files from various sources.

Why this answer

Amazon CloudWatch Logs is correct because it provides a centralized service for collecting, monitoring, and storing log data from various AWS resources and applications. For PCI DSS compliance, CloudWatch Logs can ingest security-related logs (e.g., from EC2, Lambda, or on-premises servers) and enable real-time monitoring, metric filters, and alarms to detect and respond to security events. It also supports log retention policies and encryption at rest using AWS KMS, which are required for audit trails under PCI DSS Requirement 10.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (network metadata) with security event logging, or mistakenly think KMS is a logging service because it is used for encryption, but neither generates or monitors security events as required by PCI DSS.

98
MCQmedium

A company wants to encrypt data in transit between an on-premises application and an Amazon RDS instance. Which of the following should be implemented?

A.Use an AWS Site-to-Site VPN connection
B.Use SSL/TLS for the database connection
C.Place the RDS instance in a private subnet and use a bastion host
D.Enable encryption at rest on the RDS instance
AnswerB

SSL/TLS encrypts data in transit between client and RDS.

Why this answer

Encryption in transit is achieved by using SSL/TLS for the connection. RDS supports SSL/TLS connections to encrypt data moving between the client and the database.

99
Multi-Selecteasy

A developer is storing secrets such as database passwords. Which TWO AWS services can be used to securely store and retrieve secrets?

Select 2 answers
A.AWS CloudHSM
B.AWS Systems Manager Parameter Store
C.AWS Identity and Access Management (IAM)
D.AWS Secrets Manager
E.Amazon S3
AnswersB, D

Can store encrypted parameters.

Why this answer

Options B and D are correct. AWS Secrets Manager is designed for secrets with automatic rotation. AWS Systems Manager Parameter Store can store secrets in the Advanced tier with encryption.

IAM is for identities. S3 is object storage. CloudHSM is a hardware security module.

100
MCQmedium

A developer is managing an application that uses Amazon S3 to store user-uploaded images. The application generates thumbnails using AWS Lambda and stores them in a separate S3 bucket. The security team requires that all objects in both buckets be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The developer has configured the Lambda function to use an IAM role with permissions to call KMS Encrypt and Decrypt. However, when a user uploads an image, the Lambda function fails to write the thumbnail with an 'Access Denied' error. The upload bucket has default encryption set to SSE-KMS. What is the MOST likely cause of the failure?

A.The Lambda function is not in a VPC that has access to the KMS key.
B.The output bucket does not have a bucket policy allowing the Lambda function to write.
C.The upload bucket's default encryption is not applied to objects uploaded by Lambda.
D.The Lambda execution role lacks kms:GenerateDataKey permission for the KMS key.
AnswerD

SSE-KMS requires GenerateDataKey to encrypt objects.

Why this answer

Option D is correct because the Lambda function's IAM role needs kms:GenerateDataKey permission to encrypt the thumbnail with SSE-KMS. Option B is wrong because the error is Access Denied from the encryption step, not a missing bucket policy. Option C is wrong because the upload bucket's default encryption does not affect the output bucket.

Option A is wrong because VPC endpoints are not required for S3 access.

101
MCQmedium

A developer needs to encrypt secrets (database passwords) that are used by an application running on EC2. The application retrieves the secrets at startup. Which combination of services provides the MOST secure and manageable solution?

A.Store the secrets in AWS Secrets Manager and use an IAM role to access them.
B.Encrypt the secrets with AWS KMS and store them in an S3 bucket with a bucket policy.
C.Store the secrets in AWS Systems Manager Parameter Store with a SecureString parameter.
D.Hardcode the secrets in the application code and encrypt the code.
AnswerA

Secrets Manager provides automatic rotation and fine-grained access control.

Why this answer

Option A is correct because AWS Secrets Manager is designed for rotating secrets and integrates with IAM. Option C is wrong because SSM Parameter Store does not have native rotation. Option B is wrong because S3 with KMS lacks automatic rotation.

Option D is wrong because hardcoded secrets are not secure, even if the code is encrypted.

102
MCQeasy

A developer is creating a new IAM policy to allow users to list objects in a specific S3 bucket. The policy must follow the principle of least privilege. Which policy statement should the developer use?

A.{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}
B.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}
C.{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::example-bucket/*"}
D.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}
AnswerB

Correctly grants list on the specific bucket.

Why this answer

Option B is correct because it grants s3:ListBucket on the specific bucket. Option A is wrong because it grants s3:ListAllMyBuckets, which lists all buckets, not just the specific one. Option D is wrong because s3:GetObject is for reading objects, not listing.

Option C is wrong because s3:PutObject is for writing.

103
MCQeasy

A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?

A.The user's IAM user policy does not explicitly allow the required S3 action
B.The bucket policy does not have a principal of '*' to allow external accounts
C.The bucket is in a different region than the user's account
D.The user is using the wrong S3 endpoint (e.g., path-style vs virtual-hosted)
AnswerA

In cross-account access, both the bucket policy and the user's IAM policy must grant permission. The user's policy must include an Allow for the action (e.g., s3:GetObject).

Why this answer

When granting cross-account access to an S3 bucket, both the bucket policy (resource-based policy) and the user's IAM policy (identity-based policy) must explicitly allow the action. The bucket policy alone is insufficient if the user's IAM policy does not include an explicit Allow for the S3 action, because IAM denies by default. Even though the bucket policy grants access, the user's own IAM policy must also permit the operation for the request to succeed.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, forgetting that the external user's IAM policy must also explicitly allow the action, as IAM denies all actions by default.

How to eliminate wrong answers

Option B is wrong because a bucket policy does not require a principal of '*' to allow external accounts; you can specify the exact IAM user ARN as the principal, which is more secure and correct. Option C is wrong because S3 is a global service and bucket policies work across regions; the region of the bucket and the user's account does not affect access control. Option D is wrong because the S3 endpoint type (path-style vs virtual-hosted) affects URL format but does not impact authorization; access is denied due to IAM permissions, not endpoint choice.

104
MCQhard

A developer is building a serverless application using API Gateway and Lambda. The API must be accessed only by authenticated users from a specific AWS Cognito User Pool. Which method should be used?

A.Create a Lambda authorizer that checks the token against Cognito.
B.Use an IAM authorizer with a policy that allows only Cognito roles.
C.Use a resource policy on API Gateway to restrict by source IP.
D.Configure a Cognito Authorizer on the API Gateway method.
AnswerD

Directly integrates with Cognito User Pools.

Why this answer

API Gateway can use a Cognito Authorizer to validate tokens from a specific user pool.

105
MCQhard

An EC2 instance is running with an IAM instance profile. The application on the instance is trying to access an S3 bucket, but receives 'Access Denied'. The instance profile has a role with a policy that allows s3:GetObject on the bucket. What is a likely cause?

A.The instance profile is not attached to the instance.
B.The IAM role does not have the correct permissions.
C.The trust policy of the IAM role does not allow the EC2 service.
D.The instance is in a private subnet without a VPC endpoint for S3.
AnswerD

Without a VPC endpoint or NAT gateway, the instance cannot reach S3.

Why this answer

Option D is correct because when an EC2 instance is in a private subnet, it cannot reach the S3 public endpoint over the internet. Without a VPC endpoint (gateway or interface type) for S3, traffic to S3 is routed through a NAT device or internet gateway, which may be blocked by network ACLs or route tables. The 'Access Denied' error here is not due to IAM permissions but due to the network path being unavailable, causing the SDK to fail with a connectivity-related denial.

Exam trap

The trap here is that candidates often assume all 'Access Denied' errors are due to IAM permissions, but network-level restrictions (like missing VPC endpoints or incorrect route tables) can produce the same error message from the AWS SDK.

How to eliminate wrong answers

Option A is wrong because if the instance profile were not attached, the instance would have no IAM credentials at all, resulting in an 'Access Denied' error for any AWS API call, but the question states the instance profile is present. Option B is wrong because the policy explicitly allows s3:GetObject on the bucket, so the permissions are correct. Option C is wrong because the trust policy of an IAM role for EC2 must allow the ec2.amazonaws.com service principal to assume the role; if it were missing, the instance would fail to obtain temporary credentials entirely, not just for S3 access.

106
Multi-Selectmedium

A company wants to securely store database credentials for a Lambda function. The credentials must be automatically rotated. Which TWO services should be used together?

Select 2 answers
A.AWS KMS
B.AWS Secrets Manager
C.AWS CloudHSM
D.AWS Lambda
E.AWS Systems Manager Parameter Store
AnswersB, D

Stores and rotates secrets.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials and other secrets. It integrates natively with AWS Lambda and supports automatic rotation via a built-in rotation function or a custom Lambda function, meeting the requirement for automated credential rotation without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks automatic rotation, which is explicitly required in the question.

107
MCQhard

A company wants to allow cross-account access to a DynamoDB table. They set up an IAM role in Account A (table owner) and allow Account B's users to assume the role. Which additional step is required?

A.Add a policy to the DynamoDB table allowing Account B
B.Create a bucket policy in Account A
C.Attach a policy to the IAM role that allows DynamoDB actions
D.Configure the trust policy of the IAM role in Account A to allow Account B to assume it
AnswerD

The trust policy defines which principals can assume the role.

Why this answer

Option D is correct because the IAM role's trust policy must explicitly allow the Account B user or account to assume the role. Option A is wrong because DynamoDB tables do not have resource-based policies. Option B is wrong because bucket policies apply to S3, not to a role or a DynamoDB table.

Option C is wrong because the role is in Account A and its permissions policy controls what the role can do, not who can assume it; that is defined by the trust policy set on the role.

108
MCQeasy

A developer needs to grant a Lambda function permission to write logs to CloudWatch Logs. Which IAM entity should be used?

A.Attach an inline policy to the Lambda function.
B.Create an IAM execution role with the necessary permissions and associate it with the function.
C.Use a service control policy (SCP) to allow logging.
D.Add a resource-based policy to the Lambda function.
AnswerB

Execution roles are the standard way to grant permissions.

Why this answer

Lambda functions require an IAM execution role to obtain temporary credentials for accessing other AWS services. This role must include a trust policy allowing Lambda to assume it and a permissions policy granting the specific actions (e.g., logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) on CloudWatch Logs. Associating this role with the function is the standard and secure way to grant permissions.

Exam trap

The trap here is confusing the entity that receives permissions (the Lambda function) with the mechanism that grants them (an execution role), leading candidates to incorrectly select attaching a policy directly to the function or using a resource-based policy.

How to eliminate wrong answers

Option A is wrong because an inline policy is attached to an IAM user, group, or role, not directly to a Lambda function; Lambda functions do not have IAM policies attached to them. Option C is wrong because Service Control Policies (SCPs) are used to set permission boundaries across an entire AWS organization or organizational unit, not to grant permissions to individual Lambda functions. Option D is wrong because resource-based policies are used to grant other AWS services or accounts access to the Lambda function itself (e.g., allowing an S3 bucket to invoke the function), not to grant the function permissions to other services like CloudWatch Logs.

109
Multi-Selectmedium

A developer is building a web application that uses Amazon Cognito for user authentication. Which TWO actions should be taken to secure the application?

Select 2 answers
A.Enable multi-factor authentication (MFA) for users.
B.Disable token expiration to avoid frequent re-authentication.
C.Use HTTPS for all communication between the client and the application.
D.Use IAM users for authentication instead of Cognito.
E.Store user tokens in local storage for persistence.
AnswersA, C

MFA provides additional security.

Why this answer

Option A is correct because enabling multi-factor authentication (MFA) adds an extra layer of security beyond just a password, requiring users to provide a second factor (e.g., a one-time code from an authenticator app or SMS). This significantly reduces the risk of unauthorized access due to compromised credentials. Amazon Cognito supports MFA natively, allowing developers to enforce it for user pools.

Exam trap

The trap here is that candidates often think disabling token expiration improves user experience, but they overlook the critical security risk of token theft and the need for short-lived tokens (e.g., 1 hour for access tokens) combined with refresh tokens to balance security and usability.

110
MCQmedium

A developer is using AWS Secrets Manager to store database credentials. The application runs on EC2 and needs to retrieve the secret. Which approach is the most secure?

A.Store the secret in an environment variable in the user data script.
B.Use an IAM role attached to the EC2 instance with permissions to access the secret, and call the AWS SDK to retrieve it at runtime.
C.Retrieve the secret at application startup and store it in a configuration file.
D.Download the secret from an S3 bucket using pre-signed URLs.
AnswerB

This follows best practices: no hardcoded secrets, automatic credential rotation.

Why this answer

Option B is correct because it follows the principle of least privilege and avoids hardcoding or storing secrets in insecure locations. By attaching an IAM role to the EC2 instance, the application can securely retrieve the secret from AWS Secrets Manager at runtime using the AWS SDK, without ever exposing the secret in code, configuration files, or environment variables. This approach leverages IAM's temporary credentials from the instance metadata service (IMDS) to authenticate the SDK call, ensuring the secret is never persisted locally.

Exam trap

The trap here is that candidates often think storing secrets in environment variables or configuration files is acceptable because it's 'runtime only,' but the exam emphasizes that any persistent or accessible storage of secrets violates security best practices, and only IAM roles with SDK retrieval provide the necessary isolation and rotation support.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment variable via user data script exposes it in the EC2 instance's metadata and process list, making it accessible to any user or process on the instance and violating security best practices. Option C is wrong because storing the secret in a configuration file after retrieval persists it on disk, increasing the risk of exposure through file system access, backups, or logs, and defeats the purpose of using Secrets Manager for dynamic rotation. Option D is wrong because downloading the secret from an S3 bucket using pre-signed URLs requires storing the secret in S3 first, which introduces additional management overhead and potential exposure, and pre-signed URLs can be intercepted or leaked, whereas Secrets Manager provides native encryption and access control.

111
Multi-Selectmedium

A developer is using AWS KMS to encrypt data. Which of the following are true about customer master keys (CMKs)? (Choose TWO.)

Select 2 answers
A.You can disable and re-enable AWS managed keys.
B.You cannot create customer managed keys; only AWS can create them.
C.AWS managed keys are free with no usage charges.
D.Customer managed keys can be rotated automatically every year.
E.You can create and manage customer managed keys.
AnswersD, E

You can enable automatic rotation for customer managed keys.

Why this answer

Options D and E are correct. Customer managed keys are created and managed by you and can be rotated automatically (if enabled). AWS managed keys cannot be rotated by the customer.

Option B is incorrect because you can create customer managed keys. Option C is incorrect because AWS managed keys are free to store but have a per-request cost. Option A is incorrect because it is customer managed keys, not AWS managed keys, that you can disable and re-enable.

112
MCQhard

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet. What is the most secure way to grant access without using long-lived credentials?

A.Create a VPC endpoint for DynamoDB and attach a security group to allow access.
B.Store IAM user access keys in the application configuration file.
C.Create an IAM role with DynamoDB access and attach it to the EC2 instance profile.
D.Use a security group to allow the EC2 instance to communicate with DynamoDB.
AnswerC

Instance profiles provide temporary credentials via the instance metadata service. This is the best practice.

Why this answer

Option C is correct because it uses an IAM role attached to the EC2 instance profile, which allows the instance to obtain temporary security credentials from the AWS Security Token Service (STS). This eliminates the need for long-lived credentials and follows the principle of least privilege. The instance can securely access DynamoDB without storing any secrets on the instance.

Exam trap

The trap here is that candidates often confuse network-level controls (VPC endpoints or security groups) with identity-based access control, mistakenly thinking that enabling private connectivity alone grants API access to DynamoDB.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for DynamoDB enables private network connectivity but does not grant IAM permissions; without an IAM role or credentials, the EC2 instance cannot authenticate to DynamoDB. Option B is wrong because storing IAM user access keys in the application configuration file introduces long-lived credentials that can be compromised, violating the security best practice of using temporary credentials. Option D is wrong because security groups control network traffic at the instance level and cannot authenticate or authorize API calls to DynamoDB; DynamoDB access requires IAM permissions, not network rules.

113
MCQmedium

A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?

A.A bucket policy that allows s3:GetObject for the user.
B.An IAM policy that allows s3:GetObject for the specific object ARN.
C.An S3 access point policy.
D.An IAM policy that allows s3:ListBucket for the bucket.
AnswerB

Correct. An IAM policy attached to the user can grant access to the specific object. The bucket policy does not deny, so this will work.

Why this answer

Option B is correct because an IAM policy attached directly to the user can grant s3:GetObject permission for a specific object ARN (e.g., arn:aws:s3:::bucket-name/object-key). This identity-based policy overrides the bucket policy's default deny for the root-only access, as long as there is no explicit deny in the bucket policy. The bucket policy restricts access to the root account, but an explicit allow in an IAM policy can still grant access to the user since IAM policies and bucket policies are evaluated together, and an explicit allow in either can permit the action unless an explicit deny exists.

Exam trap

The trap here is that candidates confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and assume that a bucket policy is the only way to grant S3 access, overlooking that IAM policies can grant access to specific objects even when the bucket policy restricts access to the root account.

How to eliminate wrong answers

Option A is wrong because a bucket policy is a resource-based policy, not an identity-based policy; the question specifically asks for an identity-based policy statement to add to the IAM user's permissions. Option C is wrong because an S3 access point policy is a separate resource-based policy attached to an access point, not an identity-based policy attached to the IAM user; it does not directly grant permissions to the user's identity. Option D is wrong because s3:ListBucket is a bucket-level action that lists objects in the bucket, not a specific object-level action; it does not grant access to a specific object and is irrelevant for granting GetObject on a particular object ARN.

114
MCQeasy

A company wants to store sensitive data in S3. The data must be encrypted at rest using server-side encryption with a key that is automatically rotated annually. Which S3 encryption option should be used?

A.Client-side encryption
B.SSE-S3
C.SSE-KMS with a customer managed key
D.SSE-C
AnswerB

SSE-S3 uses AWS managed keys that rotate automatically.

Why this answer

Option B is correct because SSE-S3 uses AWS managed keys that are automatically rotated. Option C (SSE-KMS with a customer managed key) requires managing key rotation. Option D (SSE-C) does not manage rotation.

Option A (client-side) is not server-side encryption.

115
MCQhard

A developer applied the above bucket policy to an S3 bucket. What is the outcome?

A.Anonymous users are allowed to read objects.
B.Only write requests are denied if not using HTTPS.
C.All requests to the bucket must use HTTPS; otherwise, they are denied.
D.The policy has no effect because it uses Deny.
AnswerC

The condition denies access when SecureTransport is false.

Why this answer

Option C is correct because the policy denies all S3 actions when the request is not using HTTPS (SecureTransport is false). All other requests are allowed by default. Option B is wrong because the policy denies all actions, not just writes.

Option D is wrong because the Deny does take effect: it denies every request that does not use HTTPS. Option A is wrong because the policy does not allow anonymous access.

116
MCQmedium

Refer to the exhibit. A developer ran the above commands to inspect a KMS key. What can be determined about this key?

A.The key is disabled.
B.The key can be used in multiple AWS regions.
C.The key is an AWS managed key.
D.The key is a customer managed key.
AnswerD

KeyManager: CUSTOMER indicates customer managed.

Why this answer

Option D is correct because the KeyManager is 'CUSTOMER', meaning it is a customer managed key. Option C is incorrect because it is not an AWS managed key. Option B is incorrect because it is not a multi-region key (MultiRegion: false).

Option A is incorrect because the key is enabled, not disabled.

117
MCQmedium

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout. Which action should be taken to resolve this issue?

A.Reduce the rotation schedule interval.
B.Increase the Lambda function timeout.
C.Place the Lambda function in a VPC with a NAT gateway.
D.Store the rotation schedule in EC2 user data.
AnswerB

Increasing timeout allows the rotation to complete.

Why this answer

The Lambda function is timing out during the rotation process, which indicates that the default 3-second timeout is insufficient for the rotation logic. Increasing the Lambda function timeout (Option B) directly addresses this by allowing the function more time to complete the rotation, such as calling the Secrets Manager API, updating the database, and verifying the new credentials.

Exam trap

The trap here is that candidates may confuse a timeout with a network issue and incorrectly choose to place the Lambda in a VPC with a NAT gateway, when the real problem is simply that the default execution duration is too short for the rotation logic.

How to eliminate wrong answers

Option A is wrong because reducing the rotation schedule interval does not fix a timeout during execution; it only makes the rotation happen more frequently, potentially exacerbating the issue. Option C is wrong because placing the Lambda function in a VPC with a NAT gateway is unrelated to a timeout; it is used to enable internet access for Lambda functions in a VPC, but rotation timeouts are typically due to insufficient execution time, not network connectivity. Option D is wrong because storing the rotation schedule in EC2 user data is irrelevant; Secrets Manager rotation is managed by Lambda, not EC2, and user data is used for instance bootstrapping, not for scheduling rotation.

118
MCQeasy

A developer is creating an IAM policy for an Amazon S3 bucket that must allow read access to a specific object only. Which policy element should be used to restrict access to the object?

A.Action
B.Condition
C.Principal
D.Resource
AnswerD

Resource specifies the S3 object ARN to restrict access to that object only.

Why this answer

The Resource element in an IAM policy specifies the ARN of the resource. For S3, the ARN format is arn:aws:s3:::bucket-name/key. Using a specific object ARN restricts access to that object only.

119
MCQeasy

A developer needs to securely store database credentials for a serverless application. Which service should be used?

A.Amazon S3 with server-side encryption.
B.AWS Identity and Access Management (IAM).
C.AWS Systems Manager Parameter Store.
D.AWS Secrets Manager.
AnswerD

Designed for secret storage and rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to securely store and manage secrets like database credentials. Option A is wrong because S3 is object storage and is not designed for secret storage. Option B is wrong because IAM is for identities, not secrets.

Option C is wrong because Systems Manager Parameter Store can store parameters, but Secrets Manager additionally provides automatic rotation.

120
Multi-Selectmedium

A developer is using IAM roles to grant permissions to an EC2 instance. Which TWO statements are true about IAM roles for EC2?

Select 2 answers
A.An EC2 instance can have multiple IAM roles attached simultaneously.
B.Temporary security credentials are obtained from the instance metadata service.
C.The temporary credentials expire after 6 hours and must be manually refreshed.
D.An IAM role can only be attached to one EC2 instance at a time.
E.An IAM role can be attached to a running EC2 instance without stopping it.
AnswersB, E

EC2 instances use Instance Metadata Service to get role credentials.

Why this answer

Options B and E are correct because IAM roles provide temporary credentials via the instance metadata service, and a role can be attached to a running instance. Option D is wrong because the same role (via its instance profile) can be attached to many instances at once. Option C is wrong because the credentials are automatically rotated by AWS and do not need manual refreshing.

Option A is wrong because an instance has a single instance profile attached at a time, and an instance profile holds one role; you can create multiple instance profiles, but only one is attached to a given instance.

121
MCQeasy

A developer is creating an IAM policy to allow an EC2 instance to read objects from a specific S3 bucket named 'my-app-data'. The policy should be attached to an IAM role that will be assumed by the EC2 instance. Which policy statement meets this requirement?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-app-data/*" } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*" } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::my-app-data/*" } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-app-data/*" } ] }
AnswerD

This allows only GetObject on the specific bucket.

Why this answer

Option D is correct because it grants only the s3:GetObject permission on the specific S3 bucket 'my-app-data' and its objects, which is the minimum required to allow an EC2 instance to read objects from that bucket. The policy is designed to be attached to an IAM role that the EC2 instance assumes, following the principle of least privilege.

Exam trap

The trap here is that candidates often choose overly permissive policies (like s3:* or including s3:PutObject) or forget to scope the resource to the specific bucket, leading to security misconfigurations that fail the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because it allows all S3 actions (s3:*) on the bucket objects, which is overly permissive and violates the requirement to only allow read access. Option B is wrong because it allows s3:GetObject on all S3 resources (*), which grants read access to any S3 bucket, not just 'my-app-data', and is a security risk. Option C is wrong because it includes s3:PutObject in addition to s3:GetObject, which allows write access to the bucket, exceeding the requirement of read-only access.

122
Multi-Selecteasy

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which THREE actions are required?

Select 3 answers
A.Instruct users to use their MFA device when logging in
B.Configure a password policy that requires MFA
C.Create a service control policy (SCP) to enforce MFA
D.Enable MFA for each IAM user
E.Create an IAM policy that denies access unless MFA is present
AnswersA, D, E

Users must present MFA code during authentication.

Why this answer

Option A is correct because instructing users to use their MFA device when logging in is a necessary step to ensure that users know how to properly authenticate with their assigned MFA device (e.g., virtual TOTP token or hardware key fob) during the AWS Management Console login process. Without this instruction, users may not complete the MFA challenge, leaving the policy enforcement ineffective. This action complements the technical enforcement by providing user guidance.

Exam trap

The trap here is that candidates often think a password policy or SCP can enforce MFA, but password policies only control password rules and SCPs operate at the organizational level, not on individual IAM user login sessions.

123
MCQeasy

A company wants to encrypt data at rest in Amazon S3. Which AWS service can be used to manage the encryption keys?

A.AWS Certificate Manager (ACM)
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM)
D.AWS Key Management Service (KMS)
AnswerD

KMS is used for creating and managing encryption keys.

Why this answer

Option D is correct because AWS KMS creates and manages the encryption keys used for S3 SSE-KMS. Option B is wrong because CloudHSM provides hardware-based key management but is not directly integrated with S3 server-side encryption. Option C is wrong because IAM is for access control, not key management.

Option A is wrong because ACM manages SSL/TLS certificates, not data encryption keys.

124
MCQeasy

A developer needs to allow an EC2 instance to read items from a DynamoDB table. Which is the best practice for granting permissions?

A.Store IAM user access keys on the instance
B.Use root user credentials
C.Attach an IAM role with the required permissions to the EC2 instance
D.Apply a service control policy (SCP) to the instance
AnswerC

IAM roles are the secure way to grant permissions to AWS services.

Why this answer

Option C is correct because attaching an IAM role to the EC2 instance avoids embedding long-lived credentials on the instance. Option A (IAM user access keys stored on the instance) is less secure because the keys can be exposed. Option B (root user credentials) is insecure and should never be used by an application.

Option D (service control policy) is for organizational permission boundaries, not for granting permissions to an EC2 instance.

125
Multi-Selectmedium

A company wants to audit access to their S3 buckets. Which TWO services can be used to log and monitor S3 API calls?

Select 2 answers
A.AWS Config
B.S3 server access logs
C.AWS CloudTrail
D.AWS KMS
E.Amazon CloudWatch Logs
AnswersB, C

These logs record object-level requests.

Why this answer

Option C is correct because CloudTrail logs S3 management events. Option B is correct because S3 server access logs record object-level requests made to the bucket. Option E is wrong because CloudWatch Logs does not directly capture S3 API calls; it only receives them when CloudTrail is configured to deliver its logs there.

Option D is wrong because KMS is for encryption keys. Option A is wrong because AWS Config records resource configuration changes, not API calls.

126
Multi-Selecteasy

Which TWO AWS services can be used to protect an application running on EC2 from common web exploits like SQL injection and cross-site scripting?

Select 2 answers
A.Amazon CloudWatch
B.Security Groups
C.AWS WAF
D.AWS Shield Advanced
E.AWS Identity and Access Management (IAM)
AnswersC, D

WAF can block SQL injection and XSS attacks.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It allows you to create rules that filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, URI strings, and SQL injection or cross-site scripting patterns, making it the correct choice for protecting against these specific threats.

Exam trap

The trap here is that candidates often confuse Security Groups (Layer 3/4 network filtering) with application-layer protection, mistakenly believing they can block web exploits, when in fact they only control traffic based on IP/port rules and have no awareness of HTTP payload content.

127
Multi-Selecthard

A developer is deploying an application on EC2 that must access an S3 bucket and an SQS queue. The developer wants to follow the principle of least privilege. Which THREE steps should be taken?

Select 3 answers
A.Attach the IAM role directly to the EC2 instance as a security group.
B.Configure an SQS queue policy that grants access to the IAM role.
C.Create an IAM role with permissions to access S3 and SQS.
D.Configure an S3 bucket policy that grants access to the IAM role.
E.Attach an IAM policy directly to the EC2 instance.
AnswersB, C, D

Queue policy allows the role to send/receive messages.

Why this answer

Option C is correct because an IAM role grants temporary credentials to the EC2 instance. Option D is correct because a bucket policy can allow access from the role. Option B is correct because an SQS queue policy can allow access from the role.

Option E is wrong because IAM policies cannot be attached to an EC2 instance directly; they are attached to the role. Option A is wrong because an IAM role is not a security group; the role is associated with the instance through an instance profile.

128
MCQeasy

A developer needs to grant an IAM user the ability to create and manage CloudFormation stacks. Which IAM policy action should be allowed?

A.cloudformation:CreateStack
B.lambda:CreateFunction
C.ec2:RunInstances
D.s3:CreateBucket
AnswerA

This is the action to create CloudFormation stacks.

Why this answer

Option A is correct because cloudformation:CreateStack is the action that creates CloudFormation stacks. Option B is a Lambda action, Option C is an EC2 action, and Option D is an S3 action.

129
MCQeasy

A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?

A.The user must have an IAM policy allowing the required S3 actions on that bucket
B.The bucket must be made public
C.The user must use a different AWS CLI profile
D.The resource-based policy must explicitly allow the user's ARN
AnswerA

Without an identity-based policy, the user is not allowed to perform the action even if the resource policy permits it.

Why this answer

A is correct because cross-account access to an S3 bucket requires both a resource-based policy (the bucket policy) that grants access to the user's ARN and an identity-based policy (an IAM policy attached to the user) that explicitly allows the required S3 actions on that bucket. Without the IAM policy, the user's account denies the request by default, even if the bucket policy permits it. This is the principle of 'permission delegation' in AWS: the resource owner can grant access, but the user's own account must also authorize the action.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, forgetting that the requesting account must also explicitly authorize the action via an IAM policy, which is a common oversight in AWS cross-account scenarios.

How to eliminate wrong answers

Option B is wrong because making the bucket public would grant access to all anonymous users, which is overly permissive and not a secure or necessary step for cross-account access; the bucket policy already specifies the user's ARN. Option C is wrong because using a different AWS CLI profile does not resolve the underlying permission issue; the user's IAM policy must allow the S3 actions regardless of the profile used. Option D is wrong because the developer has already added a bucket policy that explicitly allows the user's ARN, so this step is already done; the missing piece is the user's own IAM policy.

130
MCQeasy

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerA

ACM provisions, manages, and deploys SSL/TLS certificates for AWS services including ALB, allowing automatic renewal and easy attachment to load balancers.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it provisions, manages, and deploys public and private SSL/TLS certificates that can be associated with an Application Load Balancer (ALB) to encrypt data in transit between clients and the ALB. ACM handles certificate renewal automatically and integrates natively with ALB, removing the need for manual certificate management. This ensures HTTPS termination at the load balancer, securing the client-to-ALB communication.

Exam trap

The trap here is that candidates may confuse AWS KMS (used for encryption at rest) with ACM (used for encryption in transit), or incorrectly assume IAM can manage SSL/TLS certificates for ALBs when it only supports legacy certificate uploads for CloudFront and Elastic Load Balancers in specific cases.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because KMS is a key management service for creating and controlling encryption keys used for data at rest, not for managing SSL/TLS certificates for data in transit. Option C (AWS Secrets Manager) is wrong because Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates for load balancers. Option D (AWS IAM) is wrong because IAM is an identity and access management service for controlling user and resource permissions, and while IAM can support SSL certificates for legacy CloudFront distributions, it does not manage or automate SSL/TLS certificates for ALBs and is not the recommended service for this purpose.

131
MCQhard

Refer to the exhibit. An IAM role has the attached policy. A developer is writing an application that will upload objects to the S3 bucket using server-side encryption with AWS KMS (SSE-KMS). The application is failing with an Access Denied error when trying to upload. What is the missing permission?

A.kms:Decrypt on the KMS key
B.kms:ListKeys on the KMS key
C.kms:Encrypt on the KMS key
D.s3:PutObjectAcl on the bucket
AnswerC

Upload with SSE-KMS requires kms:Encrypt.

Why this answer

Option C is correct because s3:PutObject with SSE-KMS requires kms:Encrypt on the KMS key. The policy allows kms:Decrypt and GenerateDataKey, but not Encrypt. Option A is wrong because kms:Decrypt is not needed for upload.

Option B is wrong because kms:ListKeys is not required. Option D is wrong because the bucket name is correct.

132
MCQeasy

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to restrict access to the API so that only authenticated users can invoke it. Which API Gateway feature should be used?

A.API Gateway Lambda authorizer
B.AWS WAF
C.API Gateway usage plan
D.API Gateway resource policy
AnswerA

A Lambda authorizer can validate tokens and return an IAM policy to allow or deny access.

Why this answer

API Gateway supports AWS Lambda authorizers (formerly custom authorizers) that use a Lambda function to validate a bearer token, such as a JWT, from the client. This allows authentication before invoking the backend.

133
MCQeasy

A developer wants to grant an IAM user permissions to list all S3 buckets in the account, but deny access to a specific bucket named 'confidential-data'. Which IAM policy should be attached?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"confidential-data"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"arn:aws:s3:::confidential-data"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::confidential-data"}]}
AnswerC

Explicitly denies ListBucket on the confidential-data bucket, overriding the allow.

Why this answer

Option C is correct because the policy grants s3:ListAllMyBuckets and explicitly denies s3:ListBucket on the confidential-data bucket, referenced by its ARN. The explicit deny overrides the allow. Option A denies ListBucket on every bucket, so the user cannot list the contents of any bucket.

Option B is invalid because its Resource value is a bare bucket name rather than an ARN. Option D allows ListBucket on the confidential-data bucket instead of denying it.

134
MCQeasy

A developer wants to encrypt data in transit between an API Gateway REST API and its clients. Which configuration should be used?

A.Use a custom domain name with a certificate from ACM.
B.Implement client-side encryption using a JavaScript library.
C.Use the default HTTPS endpoint provided by API Gateway.
D.Attach an AWS WAF web ACL to the API Gateway.
AnswerC

API Gateway automatically provides HTTPS for REST APIs, encrypting data in transit.

Why this answer

Option C is correct because API Gateway REST APIs automatically provide an HTTPS endpoint using TLS for data in transit encryption. This default endpoint uses an Amazon-issued certificate, ensuring encryption between clients and API Gateway without any additional configuration. The developer only needs to use the default HTTPS URL provided by API Gateway to satisfy the requirement.

Exam trap

The trap here is that candidates often overcomplicate the solution by assuming a custom domain or additional services like WAF are needed for encryption, when the default HTTPS endpoint already provides TLS encryption for data in transit.

How to eliminate wrong answers

Option A is wrong because using a custom domain name with a certificate from ACM is an optional feature for branding or custom DNS, not a requirement for encrypting data in transit; the default HTTPS endpoint already provides encryption. Option B is wrong because client-side encryption using a JavaScript library encrypts data before sending it over the network, but it does not address the requirement of encrypting data in transit between the client and API Gateway; the transport layer (TLS) is already encrypted by the default HTTPS endpoint, and client-side encryption adds unnecessary complexity and is not a standard approach for transport encryption. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a mechanism for encrypting data in transit; it operates at the application layer and does not provide TLS/SSL encryption.

135
MCQhard

A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?

A.Condition with sts:ExternalId
B.Condition with aws:SourceArn
C.Condition with aws:SourceAccount
D.Principal element with the vendor's AWS account ID
AnswerA

Correct. The sts:ExternalId condition key in the bucket policy ensures that the request includes a specific external ID, which the vendor must supply when assuming the role.

Why this answer

The `sts:ExternalId` condition key is specifically designed for scenarios where a third party (the vendor) needs to access AWS resources in your account, and you want to ensure that the vendor includes a unique identifier in each request. This prevents the confused deputy problem by requiring the vendor to pass the external ID in the `AssumeRole` call or directly in the request to S3 when using role-based access. By including this condition in the bucket policy, the company can verify that the request originates from the intended vendor and not from another entity trying to misuse the permissions.

Exam trap

The trap here is that candidates often confuse `aws:SourceArn` or `aws:SourceAccount` with identity verification, but these are used for resource-based policies to restrict based on the source of the request, not for enforcing a unique per-request identifier from a third-party vendor.

How to eliminate wrong answers

Option B is wrong because `aws:SourceArn` is used to restrict requests based on the ARN of the resource that originated the request, typically for services like SNS or S3 events, not for verifying a third-party vendor's identity with a unique identifier. Option C is wrong because `aws:SourceAccount` is used to restrict requests based on the AWS account ID of the resource that originated the request, but it does not enforce a unique, per-request identifier that the vendor must include. Option D is wrong because the `Principal` element only specifies which AWS account or IAM entity is allowed to access the bucket, but it does not enforce a unique identifier in each request; it merely grants access based on the account ID, which does not prevent confused deputy attacks or verify the vendor's specific identity per request.

136
MCQhard

A developer is using AWS Lambda to process sensitive data. The Lambda function needs to access a DynamoDB table that is encrypted with a customer-managed CMK. The developer is using the default Lambda execution role. What must be done to allow Lambda to decrypt the DynamoDB table?

A.Add a policy to the Lambda execution role allowing dynamodb:GetItem.
B.Add a policy to the KMS key that allows the Lambda execution role to perform kms:Decrypt.
C.Configure a VPC endpoint for DynamoDB.
D.Modify the Lambda function to call KMS Decrypt API.
AnswerB

DynamoDB uses KMS to decrypt on behalf of the caller.

Why this answer

Option B is correct because Lambda needs permission to use the KMS key that protects the DynamoDB table. The KMS key policy must allow the Lambda execution role to perform kms:Decrypt. Option A is wrong because granting DynamoDB access does not include permission to use the KMS key.

Option C is wrong because a VPC endpoint is not required for this. Option D is wrong because Lambda does not need to call KMS directly; DynamoDB decrypts on the caller's behalf once the key policy allows it.

137
MCQeasy

A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?

A.Modify the bucket policy to allow the IAM role explicitly, or remove the Deny statement
B.Attach an IAM policy to the role that allows s3:GetObject on the bucket
C.Use an S3 access point instead of the bucket directly
D.Make the bucket public to allow all access
AnswerA

Correct. The bucket policy's explicit Deny must be adjusted to permit access to the IAM role.

Why this answer

The bucket policy contains an explicit Deny that overrides any allow permissions, including those granted by an IAM policy attached to the role. To grant the IAM role read-only access, the developer must either remove the Deny statement or add an explicit Allow for the role in the bucket policy, because an explicit Deny in a resource-based policy cannot be overridden by an identity-based policy.

Exam trap

The trap here is that candidates assume an IAM policy attached to the role is sufficient to override a bucket policy's explicit Deny, but they forget that explicit Deny always wins regardless of the source of the allow.

How to eliminate wrong answers

Option B is wrong because attaching an IAM policy that allows s3:GetObject to the role is insufficient; the explicit Deny in the bucket policy will still block access, as explicit Deny statements take precedence over any allow. Option C is wrong because an S3 access point uses the same underlying bucket policy; the explicit Deny in the bucket policy would still apply to requests made through the access point unless the bucket policy is modified. Option D is wrong because making the bucket public would grant access to everyone, which violates the principle of least privilege and does not specifically grant read-only access to the IAM role.

138
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from my-bucket that was uploaded without server-side encryption. What happens?

A.The request succeeds because the condition only applies to PutObject.
B.The request is denied because the object is not encrypted with SSE-KMS.
C.The request is denied because the bucket policy requires encryption.
D.The request succeeds because the policy allows s3:GetObject.
AnswerB

Condition requires SSE-KMS.

Why this answer

Option B is correct because the policy condition requires the object to be encrypted with SSE-KMS. Since the object was uploaded without encryption, the condition is not met and the request is denied. Option A is wrong because the condition is not limited to PutObject; it applies to GetObject as well.

Option C is wrong because the denial comes from the condition in the IAM policy attached to the user, not from a bucket policy. Option D is wrong because the s3:GetObject allow is conditional, and AWS did not automatically encrypt the object at rest by default.

139
MCQmedium

A company uses AWS Secrets Manager to store database credentials. The application runs on Amazon EC2 instances with an IAM role attached. How should the application retrieve the secret securely?

A.Use AWS Systems Manager Parameter Store with a secure string parameter
B.Store the secret ID in an environment variable and use the AWS SDK to retrieve it
C.Store the secret in an S3 bucket with server-side encryption
D.Hardcode the secret in the application code
AnswerB

Using the IAM role, the application can call Secrets Manager with the secret ID stored in an environment variable.

Why this answer

The best practice is to use the IAM role to call Secrets Manager APIs. The role must have a policy allowing secretsmanager:GetSecretValue. The application can then retrieve the secret at runtime using the AWS SDK.

140
MCQhard

A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?

A."Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
B."Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
C."Condition": {"Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}
D."Condition": {"ArnNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
AnswerA

This condition key allows you to specify the exact KMS key ARN that must be used. A StringNotEquals condition will deny requests that do not use the correct key.

Why this answer

Option A is correct because the condition `s3:x-amz-server-side-encryption-aws-kms-key-id` with `StringNotEquals` explicitly denies any PutObject request that does not specify the exact customer-managed KMS key ARN. This enforces SSE-KMS with a specific key, meeting the security team's requirement that all objects must be encrypted at rest using that key.

Exam trap

The trap here is that candidates often confuse the condition key for the encryption type (`s3:x-amz-server-side-encryption`) with the condition key for the specific KMS key ID (`s3:x-amz-server-side-encryption-aws-kms-key-id`), leading them to pick Option B which only enforces SSE-KMS but not a specific customer-managed key.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption` with `aws:kms` only checks that SSE-KMS is used, but does not enforce a specific customer-managed KMS key; it would allow any KMS key, including the default AWS-managed key. Option C is wrong because the `Null` condition on `s3:x-amz-server-side-encryption-aws-kms-key-id` would deny requests where the key ID is not present, but it would not enforce that the key is the specific customer-managed key; it could be any KMS key ID. Option D is wrong because `ArnNotEquals` is not a valid condition operator for S3 bucket policies; the correct operator for string comparison is `StringNotEquals`.

141
MCQeasy

A developer needs to encrypt data in an S3 bucket. The company requires that the encryption key be managed by AWS but with the ability to audit key usage. Which S3 encryption option should the developer use?

A.Server-Side Encryption with AWS KMS (SSE-KMS).
B.Client-side encryption.
C.Server-Side Encryption with S3-Managed Keys (SSE-S3).
D.Server-Side Encryption with Customer-Provided Keys (SSE-C).
AnswerA

SSE-KMS allows you to audit key usage via CloudTrail and manage keys centrally.

Why this answer

SSE-KMS uses AWS KMS to manage the key and provides CloudTrail logs for key usage. SSE-S3 does not provide separate audit logs for key usage. SSE-C requires the customer to manage keys.

Client-side encryption does not use S3 server-side encryption.

142
MCQeasy

A developer needs to share an S3 bucket with a third-party AWS account. The third-party will upload files to the bucket using their own IAM users. The developer creates a bucket policy that grants s3:PutObject to the third-party account's root user. However, the third-party reports that their IAM users cannot upload files. What is the MOST likely reason?

A.The third-party's IAM users do not have an IAM policy allowing s3:PutObject.
B.The bucket policy must include a condition requiring encryption.
C.The bucket policy should grant access to the IAM user ARN instead of the root user.
D.The developer must create IAM users in their own account for the third-party.
AnswerA

Cross-account access requires permissions from both sides.

Why this answer

Option A is correct because the bucket policy grants access to the root user, but the IAM users also need explicit permissions from their own account via an IAM policy. Option B is wrong because the bucket policy is not missing a condition; it's a permissions issue. Option C is wrong because the bucket policy grants PutObject to the root, but not to the users.

Option D is wrong because S3 does not require user creation in the owning account for cross-account access.

143
MCQmedium

A developer is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy to EC2 instances. The application stores sensitive data in an S3 bucket. The developer needs to ensure that the S3 bucket is only accessible from the EC2 instances and not from any other AWS service or account. The EC2 instances have an IAM role that allows s3:GetObject. What additional configuration is required?

A.Use SSE-KMS encryption on the bucket.
B.Enable S3 Block Public Access on the bucket.
C.Add a bucket policy that allows access only from the VPC endpoint or specific IP addresses of the EC2 instances.
D.Move the sensitive data to a different S3 bucket and update the application.
AnswerC

Restricts access to the instances.

Why this answer

Option C is correct because a bucket policy that restricts access to the S3 bucket from a specific VPC endpoint or the EC2 instances' IP addresses ensures that only requests originating from those sources are allowed. This complements the IAM role's s3:GetObject permission by adding a network-level condition, preventing other AWS services or accounts from accessing the bucket even if they have valid IAM credentials. The condition key `aws:SourceVpce` or `aws:SourceIp` in the bucket policy enforces this restriction.

Exam trap

The trap here is that candidates often confuse encryption (SSE-KMS) or public access controls (Block Public Access) with network-level access restrictions, failing to realize that IAM permissions alone are insufficient to prevent access from other AWS services or accounts that have their own valid credentials.

How to eliminate wrong answers

Option A is wrong because SSE-KMS encryption protects data at rest but does not control access to the bucket; it only ensures data is encrypted, not who can read it. Option B is wrong because S3 Block Public Access prevents public access from the internet but does not restrict access from other AWS services or accounts that have valid IAM credentials. Option D is wrong because moving the data to a different bucket does not solve the access control issue; the same problem would persist unless additional restrictions are applied.

144
Multi-Selecthard

A company has an IAM policy that allows s3:GetObject for all users in the account. However, a specific user is receiving access denied errors. Which TWO possible causes should the developer investigate?

Select 2 answers
A.An SCP at the organization level denies s3:GetObject.
B.The user is using an incorrect region endpoint.
C.The user's IAM role has an attached policy that denies s3:GetObject.
D.The S3 bucket is in a different AWS account.
E.A bucket policy explicitly denies the user.
AnswersA, E

SCPs can deny even if IAM allows.

Why this answer

A bucket policy with an explicit Deny overrides the IAM policy. Also, a service control policy (SCP) at the organizational level can deny access.

145
Multi-Select · hard

A developer is designing a system to store sensitive user data in Amazon S3. The data must be encrypted at rest and the encryption keys must be rotated annually. Which services can be used to meet these requirements? (Choose THREE.)

Select 3 answers
A. Amazon S3 SSE-KMS
B. AWS Secrets Manager
C. AWS Certificate Manager (ACM)
D. AWS KMS
E. AWS CloudHSM
Answers: A, B, D

SSE-KMS uses KMS keys that can be rotated.

Why this answer

Amazon S3 SSE-KMS (Server-Side Encryption with AWS KMS managed keys) allows you to encrypt data at rest in S3 using customer master keys (CMKs) stored in AWS KMS. With SSE-KMS, you can enable automatic annual rotation of the CMK by configuring key rotation in AWS KMS, which meets the requirement for rotating encryption keys annually.

Exam trap

The trap here is that candidates often confuse AWS KMS with AWS CloudHSM, thinking both support automatic key rotation, but CloudHSM requires manual rotation and lacks native S3 integration for SSE.

146
MCQ · hard

An application uses a custom KMS key to encrypt data. The application runs on an EC2 instance. To decrypt data, the application must call KMS. What is the BEST practice to securely provide the KMS key ID to the application?

A. Hardcode the key ID in the application code
B. Store the key ID in a configuration file on the instance
C. Retrieve the key ID using the instance's IAM role
D. Use an environment variable to pass the key ID to the application
Answer: D

Environment variables are a secure way to pass configuration to applications.

Why this answer

Option D is correct because the key ID can be stored in an environment variable on the instance, which the application reads at startup. Option A is wrong because hardcoding the key ID in the application code is insecure. Option B is wrong because storing the key ID in a configuration file on the instance is less secure.

Option C is wrong because an IAM role grants the instance permission to call KMS but does not itself provide the key ID.

147
MCQ · hard

A developer is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users via a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The developer wants to offload authentication to the ALB. Which configuration is required?

A. Install and configure an OIDC client on the EC2 instances.
B. Configure Amazon Cognito as an identity provider and integrate with the ALB.
C. Register the third-party IdP as an OIDC identity provider in IAM, then configure the ALB listener rule to authenticate users using that provider.
D. Create an IAM role for the EC2 instances that allows them to assume the identity of the user.
Answer: C

ALB can authenticate against any OIDC-compliant IdP registered in IAM.

Why this answer

Option C is correct because ALB can authenticate users via OIDC by configuring a listener rule that uses an OIDC IdP. The developer must register the IdP in IAM as an OIDC identity provider, then configure the ALB listener rule to use that provider. Option A is incorrect because the ALB handles authentication, not the EC2 instances.

Option B is incorrect because Cognito is not required if the IdP supports OIDC directly. Option D is incorrect because IAM roles grant permissions to AWS services and resources; they do not authenticate end users.

148
Drag & Drop · medium

Drag and drop the steps to deploy a containerized application using AWS ECS with Fargate in the correct order.

Why this order

First define the task, then create the cluster, register the task definition, create the service, and optionally attach a load balancer.

149
MCQ · medium

A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?

A. Grant the production account's root user access to the KMS key and the S3 bucket.
B. Add a bucket policy allowing the production account's IAM role and a KMS key policy granting the same role.
C. Create an IAM role in the production account with permissions to access the S3 bucket and KMS key.
D. Enable S3 bucket logging to allow cross-account access.
Answer: B

The bucket policy grants access to the bucket, and the KMS key policy allows decryption of encrypted objects.

Why this answer

Option B is correct because cross-account access to an S3 bucket encrypted with a KMS customer managed key requires both a bucket policy that grants the production account's IAM role s3:GetObject permission and a KMS key policy that grants the same role kms:Decrypt permission. The bucket policy authorizes the S3 operation, while the key policy authorizes decryption of the object; both policies must explicitly allow the cross-account principal.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, forgetting that KMS-encrypted objects require a separate key policy grant for the decrypt permission.

How to eliminate wrong answers

Option A is wrong because granting the production account's root user access is overly broad and unnecessary; the principle of least privilege requires granting only the specific IAM role, not the entire root account. Option C is wrong because creating an IAM role in the production account with permissions to access the S3 bucket and KMS key does not solve the cross-account authorization; the development account's bucket policy and KMS key policy must explicitly allow the production account's role, not just the role having permissions in its own account. Option D is wrong because enabling S3 bucket logging only records access events and does not grant any cross-account permissions; it is irrelevant to authorization.

150
MCQ · easy

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. What is the MOST secure way to grant the necessary permissions?

A. Attach a resource-based policy to the S3 bucket and DynamoDB table allowing access from the Lambda function.
B. Create an IAM execution role for Lambda with permissions to read from S3 and write to DynamoDB.
C. Configure the S3 bucket policy to allow the Lambda function's ARN.
D. Store AWS access keys in the Lambda environment variables.
Answer: B

Execution roles are the best practice for Lambda permissions.

Why this answer

Option B is correct because Lambda execution roles are the recommended way to grant permissions to Lambda functions. Option A is wrong because resource-based policies on S3 and DynamoDB are used for cross-account access, not for granting a Lambda function its own permissions. Option D is wrong because storing static access keys in environment variables is a form of hardcoded credentials, which is insecure.

Option C is wrong because an S3 bucket policy does not grant the Lambda function its permissions; it only grants access to the bucket, and says nothing about DynamoDB.
