CCNA Dva Security Questions

54 of 429 questions · Page 6/6 · Dva Security topic

376 · MCQ · medium

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The developer creates a certificate in AWS Certificate Manager (ACM) and associates it with the ALB listener on port 443. However, when users access the application, they receive a browser warning that the connection is not secure. The ALB is configured with a default SSL/TLS policy. What is the most likely cause of the issue?

A. The certificate is in a different region than the ALB.
B. The certificate was not imported correctly into ACM.
C. The ALB is using an outdated SSL/TLS policy.
D. The ALB cannot terminate HTTPS; the developer must configure HTTPS on the EC2 instances.
Answer: A

ACM certificates must be in the same region as the ALB.

Why this answer

ACM certificates are regional resources. An ALB listener can only reference a certificate that was issued or imported in the same region as the load balancer, so a certificate created elsewhere cannot be attached to it, and the listener ends up without a certificate that browsers trust for the site's hostname. Note that an ALB has no default or self-signed fallback certificate: an HTTPS listener must have one attached. In practice the same warning also appears when a certificate is attached but its subject alternative names do not cover the hostname users type, or when an imported certificate is missing its intermediate chain, so the first check is to inspect the certificate the listener actually presents and compare its names and chain with the URL in the browser.

Exam trap

The trap here is that candidates assume ACM certificates are globally available, but they are region-specific, and the ALB must reference a certificate in the same region. The one exception worth remembering is CloudFront, which only accepts ACM certificates issued in us-east-1.

How to eliminate wrong answers

Option B is wrong because a certificate that failed to import would not appear as a usable ACM certificate and could not have been associated with the listener; the question states that it was created in ACM and associated. Option C is wrong because an outdated SSL/TLS policy affects which protocol versions and cipher suites the listener negotiates, which can cause handshake failures with modern clients or weaker encryption, but not a certificate-trust warning; that warning means the certificate presented is not trusted for the hostname. Option D is wrong because an ALB terminates HTTPS at the listener as soon as a certificate is associated; configuring HTTPS on the EC2 instances is only relevant if you want encryption between the ALB and the targets as well.

377 · MCQ · medium

A company wants to securely store database credentials for a Lambda function. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS CloudHSM
C. AWS Systems Manager Parameter Store (Standard tier)
D. Amazon S3 with server-side encryption
Answer: A

Secrets Manager provides automatic rotation and encryption.

Why this answer

AWS Secrets Manager is designed for storing secrets such as database credentials: values are encrypted with KMS, access is controlled per secret with IAM and resource policies, every read is logged in CloudTrail, and rotation can be scheduled. Parameter Store SecureString parameters are also KMS-encrypted, but Parameter Store has no built-in rotation, and the question names the Standard tier specifically. CloudHSM is a dedicated hardware key-management appliance, not a secrets store, and S3 with server-side encryption is object storage with none of the secret-specific access controls, versioning stages or rotation.

378 · MCQ · easy

A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?

A. Store the AWS access key and secret key in a configuration file.
B. Use an IAM role and attach it to the EC2 instance profile.
C. Use an IAM user and store credentials in AWS Secrets Manager.
D. Use the DynamoDB table's resource-based policy to allow the EC2 instance.
Answer: B

This provides temporary credentials that are automatically rotated, following the principle of least privilege and security best practices.

Why this answer

Option B is correct because attaching an IAM role to the instance through an instance profile lets the instance obtain temporary security credentials (issued by AWS STS) from the instance metadata service; the SDKs pick them up automatically and refresh them before they expire. Require IMDSv2 (session token required, hop limit 1) so that an SSRF bug in the application cannot be turned into a credential read. This eliminates the need to store long-term credentials on the instance and keeps the instance's permissions scoped to what the role's policy allows.

Exam trap

The trap here is that candidates may think a resource-based policy (Option D) can grant access to the instance itself. DynamoDB does support resource-based policies on tables (added in 2024), but the principals such a policy names are IAM identities such as accounts, roles and users; an EC2 instance is not a principal. The instance still has to act as a role, so the mechanism for EC2 is an IAM role attached through an instance profile, with the permissions in the role's policy (or, for cross-account cases, in a table policy naming that role).

How to eliminate wrong answers

Option A is wrong because storing an access key and secret key in a configuration file on the instance introduces long-term static credentials, which violates the requirement and increases the risk of credential leakage: anyone who can read the file, or any snapshot or AMI built from the instance, gets the keys. Option C is wrong because an IAM user's access keys are still long-term credentials, and the instance would need some credential to call Secrets Manager in the first place, which is a circular dependency; if the instance has a role, it should use that role for DynamoDB directly. Option D is wrong because a DynamoDB table policy cannot name an EC2 instance as a principal; table policies are useful for cross-account access or for granting a specific role access from the resource side, but the instance still needs a role to present, which brings you back to Option B.

379 · MCQ · medium

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The bucket policy allows s3:GetObject for the instance's IAM role, but the application is still getting access denied errors. What is the MOST likely cause?

A. The EC2 instance's security group does not allow outbound traffic to S3.
B. The S3 bucket is encrypted with SSE-KMS and the instance does not have kms:Decrypt permissions.
C. The S3 bucket has a block public access setting enabled.
D. The EC2 instance does not have an instance profile associated with the IAM role.
Answer: D

The IAM role must be attached to the EC2 instance via an instance profile.

Why this answer

The most likely cause, given the options, is that the instance has no instance profile carrying the IAM role. Without one, no role credentials are delivered through the instance metadata service, so the SDK has nothing from that role with which to sign requests, and the bucket policy's grant to the role never comes into play. One practitioner caveat: an SDK that finds no credentials at all normally fails with a "no credentials" error rather than AccessDenied, so a literal AccessDenied means some principal did sign the request. Check which one with the STS caller-identity call from the instance; stale access keys in environment variables or a config file are a common way to end up signing as the wrong identity.

Exam trap

The trap here is that candidates often overlook the requirement to attach an instance profile to the EC2 instance, assuming that creating an IAM role and applying a bucket policy is sufficient, but the instance must be explicitly associated with the role via an instance profile to inherit its permissions.

How to eliminate wrong answers

Option A is wrong because security groups are stateful and the default rule allows all outbound traffic; a blocked network path to S3 would surface as a connection timeout, not as an AccessDenied response returned by S3. Option B is plausible in real life, since a missing kms:Decrypt on the bucket's key also produces AccessDenied on GetObject, but nothing in the scenario mentions KMS, so it is not the most likely cause among the options. Option C is wrong because Block Public Access only restricts anonymous access (and cross-account access granted through a public policy), not access from a role the bucket policy explicitly names.
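A check for this scenario, added here as an example (not AWS-provided code): it asks IMDSv2 on the instance which role, if any, is attached, and parses the temporary credential document the way the SDKs do. The URLs and headers are IMDSv2's; the role name, key values and timestamps in the sample responses are constructed.

```python
"""IMDSv2 check: which role (if any) is attached to this instance, and are its
credentials temporary? Added example; the sample responses at the bottom are
constructed, not captured from a real instance."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def imds_token(ttl_seconds=60, timeout=2.0):
    """IMDSv2 requires a session token, obtained with a PUT, before any metadata GET."""
    req = urllib.request.Request(
        IMDS + TOKEN_PATH, method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_get(path, token, timeout=2.0):
    """GET a metadata path with the session token; returns (status, body) even on 4xx."""
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def utc(timestamp):
    """Parse the UTC timestamps IMDS uses (e.g. 2024-01-01T16:00:00Z)."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def role_from_listing(status, body):
    """Interpret GET .../iam/security-credentials/: a 404 (or empty body) means no
    instance profile is attached, which is the failure in this question; otherwise
    the body is the attached role's name."""
    if status == 404 or not body.strip():
        return None
    return body.strip().splitlines()[0]


def parse_credentials(body, now=None):
    """Parse the credential document IMDS serves for the role. Raises if IMDS reports
    anything but Success (e.g. AssumeRoleUnauthorizedAccess when the role's trust
    policy no longer allows ec2.amazonaws.com)."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise RuntimeError("IMDS reported %s" % doc.get("Code"))
    expires_at = utc(doc["Expiration"])
    now = now or datetime.now(timezone.utc)
    return {
        "access_key_id": doc["AccessKeyId"],
        "expires_at": expires_at,
        "seconds_left": int((expires_at - now).total_seconds()),
        # STS-issued temporary keys start with ASIA; long-term IAM user keys start with AKIA
        "temporary": doc["AccessKeyId"].startswith("ASIA"),
    }


def diagnose():
    """Run the full check on a live instance and return a one-line verdict."""
    token = imds_token()
    status, listing = imds_get(CREDS_PATH, token)
    role = role_from_listing(status, listing)
    if role is None:
        return "no instance profile attached: attach the IAM role to the instance"
    status, body = imds_get(CREDS_PATH + role, token)
    creds = parse_credentials(body)
    return "role %s, key %s, temporary=%s, expires in %ds" % (
        role, creds["access_key_id"], creds["temporary"], creds["seconds_left"])


# Constructed sample responses for offline use (not real keys or a real instance).
SAMPLE_NO_PROFILE = (404, "")
SAMPLE_LISTING = (200, "app-dynamodb-reader\n")
SAMPLE_CREDS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY000000",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T16:00:00Z",
})

if __name__ == "__main__":
    print(diagnose())
```

Run diagnose() on the instance. A 404 from the security-credentials listing is the "no instance profile" condition of this question; a role name whose credential document has an ASIA key and an Expiration confirms the instance is using STS-issued temporary credentials rather than long-term AKIA keys, which is the point of questions 378 and 379.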

380 · Multi-Select · medium

A developer is configuring a Lambda function to access a DynamoDB table in a VPC. Which TWO steps are required to ensure the Lambda function can securely access DynamoDB? (Select TWO.)

A. Configure a NAT gateway in the VPC.
B. Attach the Lambda function to a VPC.
C. Create a VPC endpoint for DynamoDB in the VPC.
D. Add a route to the DynamoDB service in the subnet's route table.
E. Assign a security group to the Lambda function that allows outbound traffic to DynamoDB.
Answers: B, C

Lambda must be in the VPC to use VPC endpoint.

Why this answer

Option B is correct because a Lambda function only gets VPC networking (elastic network interfaces in your subnets, subject to your route tables and security groups) when it is attached to the VPC; a function that is not attached reaches DynamoDB over the AWS network directly and cannot use a VPC endpoint at all. Option C is correct because DynamoDB is reached privately through a gateway VPC endpoint, which installs a route for the DynamoDB prefix list in the route tables you associate with it, so traffic never leaves the AWS network and needs no NAT gateway. (DynamoDB later also gained interface endpoints through AWS PrivateLink, but the gateway endpoint is the standard option and carries no charge.) Two things the question does not mention but a practitioner must do: give the execution role the ENI permissions in AWSLambdaVPCAccessExecutionRole, and remember that a VPC-attached function loses internet access unless its subnet routes through a NAT gateway.

Exam trap

The trap here is that candidates often think a NAT gateway is required for any outbound traffic from a VPC, but for DynamoDB (and S3) a gateway endpoint gives a direct private path with no internet exposure. Option D is what associating the subnet's route table with the endpoint does for you; Option E is already satisfied by the default allow-all egress rule, although if you restrict egress you must allow HTTPS to the endpoint's prefix list.

381 · MCQ · medium

A developer is creating an IAM policy to allow a Lambda function to write logs to CloudWatch. Which policy should be attached to the Lambda execution role?

A. AWSLambdaBasicExecutionRole
B. AdministratorAccess
C. AmazonDynamoDBFullAccess
D. AmazonS3FullAccess
Answer: A

This managed policy grants the necessary CloudWatch Logs permissions.

Why this answer

The AWSLambdaBasicExecutionRole managed policy grants permissions for Lambda to write logs to CloudWatch Logs, specifically allowing the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents actions. This is the minimal set of permissions required for a Lambda function to send execution logs to CloudWatch, making it the correct choice for this use case.

Exam trap

The trap here is that candidates may mistakenly choose a broad policy like AdministratorAccess or a service-specific policy like AmazonDynamoDBFullAccess, thinking they need to grant 'full' permissions or that the Lambda function might need access to other services, when the question specifically asks only for CloudWatch logging permissions.

How to eliminate wrong answers

Option B (AdministratorAccess) is wrong because it grants full administrative permissions to all AWS services, which violates the principle of least privilege and is overly permissive for a Lambda function that only needs to write logs. Option C (AmazonDynamoDBFullAccess) is wrong because it provides full access to DynamoDB operations but does not include any CloudWatch Logs permissions, so the Lambda function would fail to write logs. Option D (AmazonS3FullAccess) is wrong because it grants full access to S3 buckets and objects but lacks the necessary CloudWatch Logs actions, making it irrelevant for logging purposes.

382 · MCQ · medium

A company is using AWS CodeCommit and wants to ensure that all commits are signed with a GPG key. What must the developer configure?

A. Ask developers to sign commits using git commit -S.
B. Configure an SSH key in the IAM user.
C. Use HTTPS with a password.
D. Create a repository policy that requires commits to be signed.
Answer: D

The point being tested is server-side enforcement versus client-side convention: signing has to be required by the repository, not left to each developer's git configuration.

Why this answer

Option D is the intended answer because it is the only option that places the control on the repository side, where it applies to every push, rather than relying on each developer to remember a flag. A practitioner caveat is needed here: CodeCommit does not validate GPG signatures on pushed commits and has no pre-receive hooks (its triggers and notifications fire after a push has been accepted). What IAM can do is restrict who may push to protected branches using the codecommit:References condition key; actually verifying signatures has to happen in a pipeline gate, for example running git verify-commit over the commits of a pull request in CodeBuild with the approved signers' public keys in its keyring, backed by approval rules before a merge. Read the option as "enforce on the server side", not as a named CodeCommit feature.

Exam trap

The trap here is that candidates confuse client-side signing (git commit -S) with server-side enforcement, assuming that asking developers to sign commits is sufficient, when only a control enforced on the repository side guarantees that the requirement is met for every commit.

How to eliminate wrong answers

Option A is wrong because git commit -S signs a single commit locally; it does not enforce signing across the repository, developers can omit the flag, and an unsigned push would still succeed. Option B is wrong because an SSH public key uploaded to an IAM user authenticates Git-over-SSH connections to CodeCommit; it has nothing to do with commit signing, and IAM has no store for GPG signing keys. Option C is wrong because HTTPS with Git credentials (or the credential helper) likewise only handles authentication, not signature enforcement or verification.
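A pipeline gate that does what the repository itself cannot, added here as an example and not part of CodeCommit or of the original page: it reads git's per-commit signature status (%G?) for the commits about to be merged and fails the build on anything unsigned, badly signed or signed by an untrusted key. It assumes the approved signers' public keys have been imported into the build container's GPG keyring; the sample log output and key IDs are constructed.

```python
"""CI gate for commit signatures. Added example; it is not a CodeCommit feature
(CodeCommit does not verify GPG signatures), it is a step you run in the pipeline
before merging. Assumes the approved signers' public keys are in the build
container's GPG keyring. The sample git output below is constructed."""
import subprocess

# Meaning of git's %G? placeholder (git-log(1), "pretty formats").
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity (key not trusted)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}
STRICT = {"G"}            # only signatures from keys the keyring marks as trusted
LENIENT = {"G", "U"}      # also accept keys imported but not yet trust-signed


def git_log_command(base, head):
    """argv that lists base..head as: <sha> TAB <%G? status> TAB <signing key id>."""
    return ["git", "log", "--format=%H%x09%G?%x09%GK", "%s..%s" % (base, head)]


def audit_signatures(log_output, accepted=STRICT):
    """Return the commits that fail the policy as (sha, status, key_id, reason) tuples."""
    failures = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        sha, status, key_id = (line.split("\t") + ["", ""])[:3]
        if status not in accepted:
            reason = SIGNATURE_STATUS.get(status, "unknown status")
            failures.append((sha, status, key_id, reason))
    return failures


def enforce(base, head, accepted=STRICT):
    """Run git and abort the build if any commit about to be merged is not acceptably
    signed; returns the number of commits checked."""
    proc = subprocess.run(git_log_command(base, head), check=True,
                          capture_output=True, text=True)
    failures = audit_signatures(proc.stdout, accepted)
    if failures:
        detail = "\n".join("%s %s key=%s: %s" % (sha[:12], status, key or "-", why)
                           for sha, status, key, why in failures)
        raise SystemExit("refusing merge, unsigned or untrusted commits:\n" + detail)
    return len(proc.stdout.splitlines())


# Constructed sample of the git output (tab-separated sha, %G?, %GK).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tABCDEF0123456789\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tU\t0123456789ABCDEF\n"
    "4444444444444444444444444444444444444444\tB\tABCDEF0123456789\n"
)

if __name__ == "__main__":
    for sha, status, key, why in audit_signatures(SAMPLE_LOG):
        print(sha[:12], status, why)
```

In a CodeBuild stage, call enforce("origin/main", "HEAD") after fetching the target branch; the STRICT set rejects "U" because a good signature from a key nobody has trust-signed proves only that someone holds a key, not that they are an approved signer.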

383 · MCQ · easy

A company wants to give a third-party auditor read-only access to their AWS account for compliance purposes. What is the most appropriate way to grant this access?

A. Attach the AdministratorAccess managed policy to an IAM user.
B. Create an IAM role with the SecurityAudit managed policy and allow the auditor to assume it.
C. Create an IAM user with a custom policy that allows all actions.
D. Share the root account credentials with the auditor.
Answer: B

Least privilege and secure.

Why this answer

Option B is correct because an IAM role with the SecurityAudit managed policy gives read-only access to security-relevant configuration and metadata across services, which is the least privilege that still lets the auditor do the job, and a role hands out temporary credentials that expire instead of long-lived keys. When the trust policy names the auditor's account, add an external ID condition so the auditor's tooling cannot be tricked into using the role on someone else's behalf (the confused-deputy problem), and trust the auditor's specific role rather than their whole account where possible.

Option A is wrong because AdministratorAccess is not read-only, and attaching it to an IAM user also creates long-lived credentials. Option C is wrong because a custom policy that allows all actions is AdministratorAccess by another name. Option D is wrong because root credentials must never be shared; root is not subject to IAM policies and cannot be scoped to read-only.

384 · MCQ · hard

A developer is deploying a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party OIDC provider. The developer wants to minimize latency and avoid managing sessions. What is the BEST approach to achieve this?

A. Use Amazon Cognito User Pools with the OIDC identity provider and integrate with API Gateway.
B. Use Lambda@Edge to validate tokens at CloudFront edge locations.
C. Use Amazon Cognito Identity Pools with the OIDC provider.
D. Implement a custom Lambda authorizer in API Gateway to validate tokens.
Answer: A

User Pools can validate tokens and integrate with API Gateway.

Why this answer

Option A is correct because a Cognito user pool can federate to a third-party OIDC provider and issue its own JWTs, and API Gateway's Cognito user pool authorizer validates those tokens on every request with no custom code and no server-side session state. Option B is wrong because Lambda@Edge runs at CloudFront, not in API Gateway; it adds a distribution and custom code to the request path. Option C is wrong because Cognito identity pools exchange an identity token for temporary AWS credentials (IAM authorization); they do not authenticate API callers themselves.

Option D is wrong because a Lambda authorizer works, but it is code you write, run and maintain, and its invocation adds latency compared with the built-in user pool authorizer.

385 · MCQ · easy

A company has a DynamoDB table that stores personally identifiable information (PII). A developer needs to allow a Lambda function to read and write to this table. What is the MOST secure way to grant the Lambda function access?

A. Create an IAM role with a policy that allows DynamoDB read/write access and attach it to the Lambda function.
B. Use a resource-based policy on the DynamoDB table to allow the Lambda function's IAM role.
C. Create an IAM user with programmatic access and embed the credentials in the Lambda environment variables.
D. Have the Lambda function assume a role using AWS STS each time it runs.
Answer: A

IAM roles are the correct way to grant permissions to Lambda.

Why this answer

Option A is correct because the execution role is how Lambda obtains credentials: Lambda assumes the role at invocation time and the function receives temporary credentials, so a policy on that role scoped to the specific table ARN and to the actions the function needs (GetItem, PutItem, UpdateItem rather than dynamodb:*) is both the standard and the most secure pattern; for a PII table, pair it with a customer managed KMS key on the table. Option B is wrong as the primary mechanism: DynamoDB tables do support resource-based policies (since 2024), but the function still has to run with an execution role, and within one account the role's own policy is where the grant belongs; table policies matter mainly for cross-account access. Option C is wrong because an IAM user's access keys are long-term credentials, and anything placed in Lambda environment variables can be read by anyone allowed to view the function's configuration.

Option D is wrong because Lambda already assumes the execution role through STS on the function's behalf; calling AssumeRole again inside the handler adds latency and a second role to manage without adding security.

386 · Matching · medium

Match each AWS CLI command to its function.

Descriptions to match:

Copy objects to/from S3

Invoke a Lambda function

Insert an item into DynamoDB

Deploy a CloudFormation stack

List EC2 instances

Why these pairings

CLI commands are frequently used in development and deployment.

387 · MCQ · medium

A company has an S3 bucket that stores sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. Additionally, they want to enforce that objects are not uploaded without encryption. Which bucket policy should be used?

A. Deny s3:PutObject if the request includes x-amz-server-side-encryption
B. Deny s3:PutObject unless the request includes x-amz-server-side-encryption with value aws:kms
C. Allow s3:PutObject only if the request uses a specific KMS key
D. Deny s3:PutObject unless the request includes x-amz-server-side-encryption with value AES256
Answer: B

This enforces SSE-KMS for all uploads.

Why this answer

Option B is correct because it denies s3:PutObject whenever the request does not carry the x-amz-server-side-encryption header with the value aws:kms. In the policy this is a Deny statement on the condition key s3:x-amz-server-side-encryption with the StringNotEquals operator; IAM treats a missing key as satisfying a negated operator, so requests with no header at all are denied too, and many published policies add a second Deny with a Null condition on the same key to make that intent explicit. Two practitioner notes: since January 2023 S3 encrypts every new object with SSE-S3 by default, and a bucket default-encryption setting of SSE-KMS will encrypt headerless uploads with your key, but the bucket policy is still what stops clients choosing a weaker option or a different key (extend the condition with s3:x-amz-server-side-encryption-aws-kms-key-id to pin one key). Test any new Deny against a throwaway bucket first, because an over-broad Deny also blocks legitimate uploads.

Exam trap

The trap here is that candidates often confuse the encryption header values (`aws:kms` vs `AES256`) or mistakenly think that an Allow statement alone can enforce encryption, when in fact a Deny statement with a condition is required to block non-compliant requests.

How to eliminate wrong answers

Option A is wrong because it denies `s3:PutObject` if the request includes the `x-amz-server-side-encryption` header, which would block all encrypted uploads, not enforce them. Option C is wrong because it only allows `s3:PutObject` if a specific KMS key is used, but it does not enforce that encryption is present at all; a request without encryption could still be allowed if no explicit Deny is present. Option D is wrong because it enforces SSE-S3 (AES256) rather than SSE-KMS (aws:kms), which does not meet the requirement for server-side encryption with AWS KMS.

388 · MCQ · hard

A company uses AWS CloudFormation to deploy resources. The templates are stored in an S3 bucket. A developer wants to ensure that only authorized users can create stacks from these templates. What should be implemented?

A. Use IAM policies to control who can call CreateStack and add S3 bucket policies to restrict template access.
B. Use a stack policy to restrict updates.
C. Enable CloudTrail to log template access.
D. Set the S3 bucket to private and rely on bucket policies.
Answer: A

Combines IAM and S3 policies for defense in depth.

Why this answer

Option A is correct because it combines two layers of control: IAM policies decide who may call cloudformation:CreateStack (and the iam:PassRole needed for any service role the stack uses), and the S3 bucket policy decides who may read the template objects. CloudFormation fetches a template URL with the caller's permissions, so a user without S3 access to the template cannot launch from it, and a user without CreateStack cannot launch at all. Each control alone leaves a gap: a template readable by everyone can be downloaded and deployed in another account where the user holds broader rights, and a locked bucket says nothing about who may create stacks from templates obtained some other way.

Exam trap

The trap here is that candidates often assume S3 bucket policies alone are sufficient for access control, forgetting that IAM policies are required to authorize the CreateStack API call itself.

How to eliminate wrong answers

Option B is wrong because stack policies control updates to stack resources after creation, not who can create stacks from templates. Option C is wrong because CloudTrail logs API calls for auditing but does not enforce any access control or authorization. Option D is wrong because setting the S3 bucket to private and relying solely on bucket policies does not prevent an authorized S3 user from creating a stack with the template; it also fails to control the CreateStack API call itself, which is governed by IAM.

389 · MCQ · hard

A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?

A. Enable automatic rotation and choose a rotation interval of 30 days. Secrets Manager will automatically rotate the secret using a built-in Lambda function.
B. Create a Lambda function with rotation logic, attach an IAM role with permissions to read and update the secret, and configure Secrets Manager to invoke the function every 30 days.
C. Use AWS Certificate Manager (ACM) to rotate the secret automatically every 30 days.
D. Store the secret in AWS Systems Manager Parameter Store and set a schedule to rotate it using a CloudWatch Events rule.
Answer: B

This is the correct approach. The rotation Lambda function does the work, and its execution role needs secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue and UpdateSecretVersionStage on that specific secret, secretsmanager:GetRandomPassword, and whatever it takes to reach the database (VPC access and the database's security group); if the secret is encrypted with a customer managed KMS key, the key policy must let the role use it, and if the secret has a resource policy it must not deny the role. No human principal needs GetSecretValue.

Why this answer

Option B is correct because Lambda-based rotation is a function that lives in your account: Secrets Manager invokes it on the schedule with the secret ID, a client request token and a step name, and the function runs the four steps (createSecret, setSecret, testSecret, finishSecret) that generate a new password, set it in the database, verify a login with it and promote the new version to AWSCURRENT. AWS publishes rotation function templates for RDS, Redshift and DocumentDB credentials that you deploy into your account; for other secret types you write the function yourself. Either way only the function's execution role reads and writes the secret value, so the credential is never exposed to an IAM user.

Exam trap

The trap here is that candidates assume Secrets Manager rotates database secrets with no function at all. The rotation templates AWS provides for supported databases are still Lambda functions deployed into your account with their own execution role, and for anything else you write the function; only a few AWS-managed secrets (such as an RDS master user password managed by Secrets Manager) rotate without a Lambda function.

How to eliminate wrong answers

Option A is wrong because there is no hands-off, service-side rotation for arbitrary database credentials; Lambda-based rotation requires a function in your account, whether you start from an AWS template or write it yourself. Option C is wrong because AWS Certificate Manager manages SSL/TLS certificates, not database credentials. Option D is wrong because Parameter Store has no built-in rotation; an EventBridge (formerly CloudWatch Events) schedule would only trigger custom code you still have to write, with none of Secrets Manager's version staging or rotation tracking.

390 · MCQ · medium

A developer attached the IAM policy above to an IAM user. What is the effect when the user tries to download an object from the 'confidential' folder in 'example-bucket'?

A. The policy is invalid because Deny cannot be used with s3:*
B. The user can download only if the object is encrypted
C. The user is denied access because of the explicit Deny statement
D. The user can download the object because of the Allow statement
Answer: C

The Deny statement covers s3:* on the confidential folder, blocking the GetObject request.

Why this answer

The policy has an explicit Deny for all s3 actions on the confidential folder. Explicit Deny overrides any Allow. Therefore, the user will be denied access even though the first statement allows GetObject on all objects.

391 · MCQ · medium

A developer is creating a Lambda function that requires access to a DynamoDB table. The function will be invoked by an Amazon API Gateway REST API. What is the BEST way to secure this architecture?

A. Create an IAM role for the Lambda function with a policy granting access to the DynamoDB table.
B. Attach a resource-based policy to the DynamoDB table allowing Lambda access.
C. Use API Gateway to pass a shared secret to Lambda for DynamoDB access.
D. Store the DynamoDB access keys in the Lambda environment variables.
Answer: A

This is the secure and recommended approach.

Why this answer

Option A is correct because the Lambda function needs an execution role—an IAM role that Lambda assumes at runtime—with a policy that grants the specific DynamoDB actions (e.g., GetItem, PutItem) on the target table. This follows the principle of least privilege and is the standard AWS pattern for granting Lambda access to AWS resources. API Gateway invokes the Lambda function via a resource-based policy on the function itself, but that does not affect DynamoDB access; the Lambda execution role handles all downstream permissions.

Exam trap

The trap here is that candidates confuse resource-based policies (used for granting invocation permissions to other AWS accounts or services) with execution roles (used for granting the Lambda function permissions to access other AWS resources), leading them to incorrectly choose Option B or think Option C is a valid authentication method.

How to eliminate wrong answers

Option B is wrong because, although DynamoDB tables support resource-based policies (since 2024), such a policy names IAM principals; the Lambda function is not a principal, its execution role is, and within one account the grant belongs on that role's policy, with table policies reserved mainly for cross-account access. Option C is wrong because a shared secret passed through API Gateway is a static credential in the request path (visible in logs and traces) and is not something DynamoDB can authenticate; AWS service-to-service calls are authorized by IAM. Option D is wrong because access keys in environment variables are long-term credentials readable by anyone who can view the function configuration and liable to leak into logs or version history; a role with temporary credentials removes that risk.

392 · MCQ · medium

A developer is configuring an S3 bucket to host a static website. The bucket policy allows public read access. However, users receive a 403 Forbidden error when accessing the website. What is the most likely cause?

A. The bucket is located in a different AWS region than the website endpoint.
B. The bucket name does not match the domain name.
C. The bucket has 'Block all public access' settings enabled.
D. The bucket is not configured with CloudFront as a content delivery network.
Answer: C

Block public access settings override bucket policies and deny public access.

Why this answer

Option C is correct because S3 Block Public Access sits above bucket policies and ACLs. Even with a bucket policy that allows s3:GetObject to Principal "*", the RestrictPublicBuckets setting makes S3 reject anonymous and cross-account requests to a bucket whose policy is public, and BlockPublicPolicy prevents such a policy from being attached in the first place; the two ACL settings (BlockPublicAcls and IgnorePublicAcls) do the same for public ACLs. The settings can also be turned on at the account level, where they override whatever is set on the bucket. The website endpoint only serves anonymous requests, so the result is 403 Forbidden for every visitor.

Exam trap

The trap here is that candidates assume a bucket policy granting public read access is sufficient for static website hosting, overlooking that S3's Block Public Access settings act as a separate, overriding permission layer that can silently deny all public access even when the bucket policy is correctly configured.

How to eliminate wrong answers

Option A is wrong because S3 static website hosting endpoints are region-specific (e.g., http://bucket-name.s3-website-us-east-1.amazonaws.com), but the bucket's region does not affect access permissions; a 403 Forbidden error is an authorization issue, not a routing issue. Option B is wrong because while a bucket name must match the domain name for custom domain mapping (e.g., via Route 53), the 403 Forbidden error occurs regardless of domain name mismatch; a mismatch would cause a DNS resolution failure or a different error (e.g., 404 NoSuchBucket), not a 403. Option D is wrong because CloudFront is not required for S3 static website hosting; S3 can serve content directly via its website endpoint, and the absence of CloudFront does not cause a 403 Forbidden error—it would only affect performance, caching, or HTTPS support if not configured.

393 · MCQ · hard

A developer is deploying a Lambda function that needs to write logs to CloudWatch Logs. The function's execution role has the AWSLambdaBasicExecutionRole managed policy attached. However, logs are not being written. What is the MOST likely reason?

A. The Lambda function is using a customer-managed KMS key for log encryption.
B. The CloudWatch Logs agent is not installed on the Lambda execution environment.
C. The log group does not exist and the Lambda function cannot create it due to a resource-based policy.
D. The Lambda function's execution role does not have sufficient permissions.
Answer: C

The basic policy does allow creating the log group, so a failure to create it points at a control outside the execution role.

Why this answer

The AWSLambdaBasicExecutionRole managed policy grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on all resources, so the role itself has what it needs, which is why Option D is not the answer. Lambda creates the group /aws/lambda/<function-name> on the first invocation; if that creation is blocked by something outside the role, which the option describes as a resource-based policy, the first write fails and nothing appears. In practice, look in CloudTrail for a denied CreateLogGroup event, check for an explicit Deny in a service control policy or permissions boundary, and confirm that the function was invoked at all and that you are watching the log group its logging configuration actually targets.

Exam trap

The trap here is assuming that because the role carries the basic execution policy, logging cannot fail for permission reasons. It can when the role's grant is overridden by a control outside it, so when logs are missing, look beyond the policies attached to the execution role.

How to eliminate wrong answers

Option A is not the most likely cause here, but the mechanics are worth knowing: a log group encrypted with a customer managed KMS key requires the key policy to allow the CloudWatch Logs service principal for that region to use the key; the Lambda execution role itself does not need kms:Encrypt or kms:Decrypt, because Logs, not the function, performs the encryption. If that key policy is wrong, writes are rejected, which is a different condition from the one the question describes. Option B is wrong because there is no CloudWatch agent in Lambda; the runtime captures stdout and stderr and the Lambda service delivers them to CloudWatch Logs with PutLogEvents. Option D is wrong because the managed policy includes all three actions (CreateLogGroup, CreateLogStream, PutLogEvents), so the role's own permissions are sufficient.

394 · Multi-Select · medium

Which TWO actions are recommended to secure an S3 bucket? (Choose 2)

A. Block public access at the bucket level
B. Disable versioning to reduce complexity
C. Use HTTP instead of HTTPS for faster access
D. Enable default encryption
E. Grant public read access via ACLs
Answers: A, D

Prevents unintended public access.

Why this answer

Options A and D are correct. A: Block Public Access is the bucket-level (or account-level) guard that stops accidental exposure through public policies or ACLs. D: default encryption ensures every object is encrypted at rest (SSE-S3 is now the baseline; choose SSE-KMS with a customer managed key when you need key-level access control and audit).

B is wrong because versioning protects against accidental deletion and overwrite, so disabling it reduces data protection. C is wrong because HTTP exposes data in transit; enforce HTTPS with a Deny on requests where aws:SecureTransport is false. E is wrong because granting public read through ACLs is exactly the exposure Block Public Access exists to prevent.

395 · MCQ · easy

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket. Users from the 192.0.2.0/24 network can access objects, but users from a different network (203.0.113.0/24) get access denied. What change should be made to allow both networks?

A. Add a new statement with a different Principal.
B. Change the Condition to aws:SourceIp: "203.0.113.0/24".
C. Remove the Condition block entirely.
D. Change the Condition to use a list of IP ranges: ["192.0.2.0/24", "203.0.113.0/24"].
Answer: D

A list allows multiple IP ranges.

Why this answer

Option D is correct because the IpAddress condition operator accepts a list of CIDR ranges for `aws:SourceIp`; the condition is satisfied when the request's source address falls within any of them, so listing both `192.0.2.0/24` and `203.0.113.0/24` admits both networks and resolves the access denied error for the second one. Two caveats: `aws:SourceIp` is the public address as AWS sees it, so clients behind NAT share one address, and requests that arrive through a VPC endpoint carry `aws:VpcSourceIp` instead of `aws:SourceIp`, so an IpAddress condition on `aws:SourceIp` alone will not match them.

Exam trap

The trap here is that candidates mistakenly think the `aws:SourceIp` condition key can only hold a single value, leading them to choose Option B, when in fact it accepts a list of IP ranges to allow multiple networks.

How to eliminate wrong answers

Option A is wrong because the `Principal` element in an S3 bucket policy specifies the AWS account or IAM entity allowed to access the bucket, not the network IP range; adding a different Principal would not fix the IP-based restriction. Option B is wrong because changing the condition to only `203.0.113.0/24` would deny access to the original `192.0.2.0/24` network, simply swapping which network is blocked. Option C is wrong because removing the `Condition` block entirely would allow all IP addresses to access the bucket, which is overly permissive and violates the principle of least privilege.
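A small offline evaluator, added as an example (not AWS's policy engine), that runs the three policy patterns from questions 387 (Deny unless SSE-KMS), 390 (an explicit Deny on a confidential prefix overriding a broad Allow) and 395 (aws:SourceIp with a list of ranges) against constructed requests. It models only what those questions need: explicit Deny beats Allow, wildcards in Action and Resource, and the StringEquals, StringNotEquals, Null and IpAddress operators; principals are not evaluated, and the policies, ARNs and addresses are constructed.

```python
"""Offline evaluator for the policy patterns in questions 387, 390 and 395.
Added example, not AWS's policy engine: it models explicit Deny beating Allow,
wildcards in Action/Resource, and the StringEquals, StringNotEquals, Null and
IpAddress operators only; Principal is not evaluated. Policies, ARNs and
addresses below are constructed."""
import fnmatch
import ipaddress

SSE_KEY = "s3:x-amz-server-side-encryption"   # present only when the header is sent


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _aslist(pattern))


def _condition_ok(cond, ctx):
    """True when every operator/key pair in a Condition block holds for the request context."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _aslist(expected)
            if op == "Null":
                if (actual is None) != (str(expected[0]).lower() == "true"):
                    return False
            elif op == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif op == "StringNotEquals":
                # IAM treats a missing key as satisfying a negated operator, so this
                # also catches an upload that sends no SSE header at all
                if actual is not None and actual in expected:
                    return False
            elif op == "IpAddress":
                if actual is None or not any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                                             for c in expected):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request; no matching Allow is an implicit Deny."""
    allowed = denied = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return "Deny" if denied or not allowed else "Allow"


BUCKET = "arn:aws:s3:::example-bucket"

# Q387: reject any PutObject that does not ask for SSE-KMS. The Null statement makes the
# "no header" case explicit even though StringNotEquals already covers it.
SSE_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWrongHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*", "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*", "Condition": {"Null": {SSE_KEY: "true"}}},
    {"Sid": "AllowUploader", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
]}

# Q390: identity policy with a broad Allow and an explicit Deny on the confidential/ prefix.
CONFIDENTIAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/confidential/*"},
]}

# Q395: one Allow whose IpAddress condition lists both office networks.
SOURCE_IP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
]}

SECRET_OBJ = BUCKET + "/confidential/report.csv"
PUBLIC_OBJ = BUCKET + "/public/index.html"


def demo():
    """Run the constructed requests and return the verdict for each."""
    return {
        "put_kms": evaluate(SSE_KMS_POLICY, "s3:PutObject", PUBLIC_OBJ, {SSE_KEY: "aws:kms"}),
        "put_aes256": evaluate(SSE_KMS_POLICY, "s3:PutObject", PUBLIC_OBJ, {SSE_KEY: "AES256"}),
        "put_no_header": evaluate(SSE_KMS_POLICY, "s3:PutObject", PUBLIC_OBJ, {}),
        "get_confidential": evaluate(CONFIDENTIAL_POLICY, "s3:GetObject", SECRET_OBJ, {}),
        "get_public": evaluate(CONFIDENTIAL_POLICY, "s3:GetObject", PUBLIC_OBJ, {}),
        "get_from_office_b": evaluate(SOURCE_IP_POLICY, "s3:GetObject", PUBLIC_OBJ, {"aws:SourceIp": "203.0.113.77"}),
        "get_from_elsewhere": evaluate(SOURCE_IP_POLICY, "s3:GetObject", PUBLIC_OBJ, {"aws:SourceIp": "198.51.100.9"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

The three request sets show the point each question makes: an upload with AES256 or with no header is denied by the SSE-KMS policy while aws:kms is allowed (387), the broad GetObject Allow is overridden by the explicit Deny on confidential/ but still applies elsewhere (390), and a client in 203.0.113.0/24 is admitted once that range is in the IpAddress list while 198.51.100.9 is not (395).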

396
MCQmedium

A company is using an Application Load Balancer (ALB) to route traffic to a set of EC2 instances. The security team wants to ensure that only traffic from the ALB can reach the instances. Which security group configuration should be used?

A.Configure the EC2 instance security group to allow traffic from the ALB's private IP address range.
B.Configure the network ACL for the EC2 instance subnet to allow traffic from the ALB security group.
C.Configure the EC2 instance security group to allow traffic from the ALB security group.
D.Configure the EC2 instance security group to allow HTTP traffic from 0.0.0.0/0.
AnswerC

Referencing the ALB security group as source ensures only ALB traffic reaches instances.

Why this answer

Option C is correct because referencing the ALB security group as the source in the EC2 instance security group ensures that only traffic originating from the ALB is allowed. Option A is wrong because the ALB's private IP addresses can change if the ALB scales. Option B is wrong because a network ACL does not support security group IDs as sources. Option D is wrong because allowing all HTTP traffic from 0.0.0.0/0 would defeat the purpose of restricting traffic to the ALB only.

397
MCQhard

A company has an S3 bucket with versioning enabled. A developer accidentally deleted an object. What must be done to recover it?

A.Copy the object from another bucket
B.Restore the object from Glacier Deep Archive
C.Delete the delete marker
D.Enable versioning on the bucket
AnswerC

Removing the delete marker restores the object.

Why this answer

With versioning enabled, deleting an object adds a delete marker instead of removing the object. To recover the object, the delete marker must be removed. Option B (restore from Glacier Deep Archive) is not relevant. Option D (enable versioning) is unnecessary because versioning is already enabled. Option A (copy from another bucket) is unnecessary.

398
MCQmedium

An application running on EC2 needs to access an S3 bucket. The security team wants to avoid using long-term access keys. What is the most secure approach?

A.Generate an access key and secret key for an IAM user and store them on the instance.
B.Create a new IAM user and store the credentials in S3 with bucket policies.
C.Use AWS Systems Manager Parameter Store to store the credentials and retrieve them at runtime.
D.Launch the EC2 instance with an IAM role that grants S3 access.
AnswerD

Temporary credentials are automatically rotated.

Why this answer

Option D is correct because assigning an IAM role to an EC2 instance allows the instance to obtain temporary security credentials from the AWS Security Token Service (STS) automatically via the instance metadata service. This eliminates the need to store, rotate, or manage long-term access keys, adhering to the security team's requirement for a credential-less approach. The IAM role's permissions policy grants the EC2 instance access to the S3 bucket, and the credentials are automatically rotated by AWS before they expire.

Exam trap

The trap here is that candidates often confuse 'secure storage' (like Parameter Store or Secrets Manager) with 'no long-term credentials at all,' failing to recognize that an IAM role provides temporary credentials that are inherently more secure and require no key management on the instance.

How to eliminate wrong answers

Option A is wrong because storing an access key and secret key on the EC2 instance introduces long-term static credentials that can be compromised if the instance is breached, violating the security team's requirement to avoid long-term access keys. Option B is wrong because storing IAM user credentials in S3 with bucket policies still relies on long-term access keys and adds unnecessary complexity; bucket policies cannot securely protect the credentials themselves from unauthorized access. Option C is wrong because while Systems Manager Parameter Store can securely store secrets, the EC2 instance still needs a mechanism (such as an IAM role) to retrieve them at runtime, and using Parameter Store with long-term credentials stored as parameters does not eliminate the underlying risk of managing static keys.

399
Multi-Selecthard

A developer is designing a system that stores sensitive user data in DynamoDB. The data must be encrypted at rest and in transit. Which THREE actions should the developer take?

Select 3 answers
A.Enable DynamoDB encryption at rest using an AWS KMS managed key (SSE-KMS).
B.Enable DynamoDB encryption at rest using an AWS KMS customer managed key.
C.Use HTTPS for all API calls to DynamoDB.
D.Use TLS 1.2 for all connections.
E.Implement client-side encryption before writing items to DynamoDB.
AnswersA, B, C

Another valid option for encryption at rest.

Why this answer

Options A, B, and C are correct because DynamoDB automatically encrypts data at rest with AWS owned keys by default, but using a KMS key (AWS managed or customer managed) gives more control, and HTTPS covers encryption in transit. Option E is wrong because client-side encryption is not necessary if using HTTPS and server-side encryption. Option D is wrong because TLS is already used by default.

400
MCQmedium

A developer is building a serverless application using AWS Lambda. The application needs to access a DynamoDB table and an S3 bucket. What is the MOST secure way to provide the necessary permissions?

A.Create an IAM role with appropriate policies and attach it to the Lambda function.
B.Use a resource-based policy on the DynamoDB table and S3 bucket to grant access to the Lambda function.
C.Attach an inline policy directly to the Lambda function resource.
D.Store AWS access keys in environment variables of the Lambda function.
AnswerA

Lambda assumes the role to get temporary credentials.

Why this answer

Option A is correct because IAM roles for Lambda functions are the secure way to grant permissions without hardcoding credentials. Option D is wrong because storing access keys in environment variables is insecure. Option C is wrong because Lambda does not support inline policies directly on the function resource. Option B is wrong because resource-based policies are for cross-account access, not for granting a Lambda function its own permissions.

401
MCQhard

A developer is configuring cross-account access to an S3 bucket. The bucket in Account A has a bucket policy granting access to an IAM role in Account B. The IAM role's trust policy allows the developer's IAM user in Account B to assume the role. When the developer tries to access the bucket from Account B using the assumed role, they receive an Access Denied error. Which additional step is required to resolve this?

A.Add the developer's IAM user ARN to the bucket policy in Account A.
B.Configure a VPC endpoint for S3 in Account A and attach it to the bucket policy.
C.Ensure the bucket policy grants the necessary permissions to the IAM role ARN from Account B.
D.Create an IAM user in Account A and grant it S3 access, then share the credentials with the developer.
AnswerC

Cross-account access requires the bucket policy to specify the principal as the IAM role ARN.

Why this answer

Option C is correct because the S3 bucket policy must grant access to the role ARN in Account B, and the role's trust policy must allow the developer's user to assume it. Option D is wrong because resource-based policies (the bucket policy) can grant cross-account access without needing an IAM user in Account A. Option A is wrong because the bucket policy already grants access to the role, so the developer's user ARN does not need to be added. Option B is wrong because S3 does not require VPC endpoints for cross-account access.

402
MCQhard

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with an attached policy that allows s3:GetObject on the bucket. However, the application is receiving Access Denied errors. What is a likely cause?

A.The IAM role does not have s3:ListBucket permission.
B.The EC2 instance is not associated with an instance profile.
C.The bucket policy has an explicit deny that overrides the IAM allow.
D.The bucket has S3 Block Public Access enabled.
AnswerC

Explicit deny in bucket policy takes precedence.

Why this answer

Option C is correct because if the bucket policy explicitly denies access, the deny overrides any allow from IAM. Option D is wrong because S3 Block Public Access only restricts public access; it does not deny access from an IAM role. Option B is wrong because the question states the instance already has an IAM role attached, and an instance profile wraps an IAM role, not an IAM user. Option A is wrong because S3 does not require the s3:ListBucket permission to get an object if you know the key.

403
MCQmedium

Given the IAM policy above, what is the effective permission for an IAM user?

A.No access to the bucket.
B.Full access to the bucket including delete.
C.Read-only access to the bucket.
D.Full access to the bucket except delete.
AnswerD

Explicit Deny overrides Allow.

Why this answer

The IAM policy grants the user s3:GetObject and s3:ListBucket permissions, which allow reading objects and listing the bucket, but explicitly denies s3:DeleteObject. Since an explicit deny overrides any allow, the effective permission is full access except delete. Option D is correct because the user can perform all actions except deleting objects.

Exam trap

The trap here is that candidates often overlook the explicit deny statement and assume that because the policy grants read and list permissions, the user has full read access, missing that the deny on delete restricts the effective permissions to full access except delete.

How to eliminate wrong answers

Option A is wrong because the policy grants read access (s3:GetObject and s3:ListBucket), so the user does have access to the bucket. Option B is wrong because the policy includes an explicit deny for s3:DeleteObject, which prevents full access including delete. Option C is wrong because, although the policy does not grant write permissions (e.g., s3:PutObject) and read plus list access is close to read-only, the explicit deny on delete does not by itself make the effective permission read-only; it still allows the read and list actions, and the intended answer is D, not C.

404
MCQmedium

A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store (SecureString)
C.AWS Key Management Service (KMS)
D.AWS Identity and Access Management (IAM) roles
AnswerA

Secrets Manager stores secrets securely and can automatically rotate them on a schedule, meeting the requirement.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, retrieve, and automatically rotate database credentials on a schedule (e.g., every 30 days) without requiring custom code. The application can retrieve credentials at startup via the Secrets Manager API using IAM permissions, eliminating the need to store secrets in code or configuration files. Secrets Manager natively supports automatic rotation for Amazon RDS, Redshift, and DocumentDB, and can be extended to other services via custom Lambda functions.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (SecureString) with Secrets Manager, overlooking that Parameter Store lacks native automatic rotation, which is a key requirement in the question.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store (SecureString) can store encrypted secrets but does not natively support automatic rotation of credentials; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because AWS Key Management Service (KMS) is a key management and encryption service that does not store or rotate secrets; it only provides encryption keys for protecting data. Option D is wrong because AWS Identity and Access Management (IAM) roles provide temporary credentials for AWS service access, not for storing or rotating database credentials; they cannot be used to retrieve static secrets like database passwords.

405
MCQhard

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

A.Deny effect with a Condition: StringNotEquals on s3:x-amz-server-side-encryption-aws-kms-key-id
B.Deny effect with a Condition: StringEquals on s3:x-amz-server-side-encryption
C.Allow effect with a Condition: StringEquals on kms:RequestTag/key-id
D.Deny effect with a Condition: IpAddress on aws:SourceIp
AnswerA

This SCP will deny any PutObject request that specifies a KMS key that is not the required key. The StringNotEquals condition ensures that if the request does not use the specific key ID, the request is denied. This is the standard way to enforce encryption with a specific KMS key using SCPs.

Why this answer

Option A is correct because SCPs use a Deny effect to block non-compliant requests. The condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` with `StringNotEquals` ensures that any PutObject request that does not specify the exact KMS key alias/logs-key is denied. This enforces encryption with the required key for all S3 buckets containing 'logs' in their name.

Exam trap

The trap here is that candidates confuse `s3:x-amz-server-side-encryption` (which only checks encryption type) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which checks the specific KMS key), leading them to choose Option B instead of A.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption` only checks whether server-side encryption is enabled (e.g., AES256 or aws:kms), but does not verify the specific KMS key ID, so it cannot enforce the required key. Option C is wrong because Allow effects in SCPs are permissive and cannot deny non-compliant requests; also `kms:RequestTag/key-id` is not a valid condition key for S3 PutObject operations. Option D is wrong because `aws:SourceIp` restricts requests based on IP address, which is unrelated to encryption key enforcement.

406
MCQhard

A developer is building a serverless application with AWS Lambda that needs to read from an Amazon DynamoDB table. The Lambda function is in a VPC. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Attach an IAM role to the Lambda function that allows the necessary DynamoDB actions.
B.Create a VPC endpoint for DynamoDB and associate a security group.
C.Store DynamoDB credentials in AWS Secrets Manager and retrieve them in the Lambda code.
D.Use an EC2 instance profile attached to the Lambda function's execution environment.
AnswerA

IAM roles provide temporary credentials and follow least privilege; this is the secure standard.

Why this answer

The best practice is to attach an IAM role to the Lambda function with a policy that grants only the required DynamoDB actions (e.g., GetItem, Query). Lambda does not require a VPC endpoint for DynamoDB if it has internet access via a NAT gateway, but the IAM role is essential. Option B is wrong because VPC endpoints provide private connectivity, not authorization. Option C is wrong because hard-coding keys is insecure. Option D is wrong because Lambda does not use instance profiles.

407
MCQeasy

A developer wants to ensure that an S3 bucket only allows HTTPS requests. What S3 bucket policy condition should be used?

A.aws:CurrentTime
B.aws:MultiFactorAuthPresent
C.aws:SourceIp
D.aws:SecureTransport
AnswerD

This condition evaluates to true if the request uses HTTPS.

Why this answer

Option D is correct because the aws:SecureTransport condition checks whether the request was sent using SSL/TLS. Option C is wrong because aws:SourceIp checks for a specific source IP. Option A is wrong because aws:CurrentTime checks the current time. Option B is wrong because aws:MultiFactorAuthPresent checks for multi-factor authentication.

408
MCQmedium

Refer to the exhibit. A developer deploys this CloudFormation template. The Lambda function needs to write objects to an S3 bucket named 'my-app-bucket'. What must the developer add to the template?

A.Add an S3 bucket policy allowing the Lambda function's ARN to write objects.
B.Add a policy statement to LambdaExecutionRole allowing 's3:*' on 'arn:aws:s3:::my-app-bucket'.
C.Add a KMS key policy to allow the Lambda function to use a customer managed key.
D.Add a new policy statement to LambdaExecutionRole allowing 's3:PutObject' on 'arn:aws:s3:::my-app-bucket/*'.
AnswerD

This grants the necessary S3 write permission to the Lambda function.

Why this answer

Option D is correct because the Lambda function requires an IAM policy attached to its execution role to grant permissions for specific S3 actions. The `s3:PutObject` action on the `arn:aws:s3:::my-app-bucket/*` resource ARN precisely allows writing objects to the bucket, following the principle of least privilege. Without this policy statement, the Lambda function will receive an access denied error when trying to write to S3.

Exam trap

The trap here is that candidates often confuse bucket-level ARNs with object-level ARNs, selecting overly permissive options like `s3:*` on the bucket ARN instead of scoping the exact action and resource, or incorrectly assuming an S3 bucket policy is needed for same-account Lambda access.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy is used to grant cross-account access or public access, not to grant permissions to a Lambda function within the same account; the Lambda function's execution role is the correct mechanism. Option B is wrong because it uses a wildcard `s3:*` action and the bucket-level ARN `arn:aws:s3:::my-app-bucket` instead of the object-level ARN `arn:aws:s3:::my-app-bucket/*`, which is overly permissive and does not correctly scope the `s3:PutObject` permission to objects within the bucket. Option C is wrong because there is no indication that the S3 bucket uses a customer managed KMS key; the question only states the Lambda function needs to write objects, and KMS key policy is only relevant if server-side encryption with KMS is enabled, which is not mentioned.

409
MCQmedium

A developer is using CloudFront to serve content from an S3 bucket. The bucket contains sensitive data and should only be accessible through CloudFront. How can the developer enforce this?

A.Set the bucket policy to allow access only from CloudFront IP addresses.
B.Set the bucket policy to allow access only from AWS services.
C.Set the bucket policy to allow public read access and use CloudFront signed URLs.
D.Create an origin access identity (OAI) and grant it read access in the bucket policy.
AnswerD

Best practice for private content.

Why this answer

Option D is correct because an Origin Access Identity (OAI) is a special CloudFront user that you can associate with your distribution. By configuring the S3 bucket policy to grant read access only to that OAI, you ensure that content can only be retrieved via CloudFront, not directly from the S3 endpoint. This enforces the requirement that the bucket is accessible exclusively through CloudFront.

Exam trap

The trap here is that candidates often assume restricting by CloudFront IP addresses (Option A) is a valid approach, but AWS explicitly warns that CloudFront IP ranges are not static and should not be used for access control in bucket policies.

How to eliminate wrong answers

Option A is wrong because CloudFront IP addresses are not static and can change over time; using them in a bucket policy would require constant updates and is not a supported or reliable method for restricting access. Option B is wrong because there is no generic 'AWS services' principal in S3 bucket policies; you must specify a specific service principal or user, and this approach would not restrict access to CloudFront only. Option C is wrong because allowing public read access defeats the purpose of restricting access to CloudFront; signed URLs can control who accesses content via CloudFront, but the bucket itself would remain publicly accessible, violating the requirement.

410
MCQhard

A Lambda function needs to write logs to CloudWatch Logs. The developer attaches an IAM role with a policy that allows logs:CreateLogGroup and logs:PutLogEvents. However, logs are not appearing. What is the most likely cause?

A.The Lambda function is not configured to use a VPC.
B.The IAM role does not have a trust policy that allows Lambda to assume it.
C.The IAM policy does not include logs:CreateLogStream.
D.The CloudWatch Logs log group does not exist.
AnswerC

Lambda needs CreateLogStream to create a log stream before writing log events.

Why this answer

Lambda requires the `logs:CreateLogStream` permission to create a log stream within a log group before it can write log events. Without this permission, the function can create the log group but cannot create the individual log stream needed to store log entries, causing logs to silently fail to appear.

Exam trap

The trap here is that candidates assume `logs:CreateLogGroup` and `logs:PutLogEvents` are sufficient, overlooking the mandatory `logs:CreateLogStream` permission required for the log stream creation step between group creation and event writing.

How to eliminate wrong answers

Option A is wrong because Lambda functions can write logs to CloudWatch Logs without being in a VPC; VPC configuration affects network access but not log delivery. Option B is wrong because the Lambda function already has an IAM role attached, meaning the trust policy (which allows Lambda to assume the role) was already validated when the role was assigned to the function. Option D is wrong because CloudWatch Logs automatically creates the log group if it does not exist when the Lambda function first invokes, provided the IAM policy includes `logs:CreateLogGroup`.

411
MCQeasy

A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?

A.aws:RequestedRegion
B.aws:MultiFactorAuthPresent
C.aws:SourceIp
D.aws:SecureTransport
AnswerB

This condition key checks whether the user authenticated with MFA. It can be used to deny access if MFA is not present.

Why this answer

The correct condition key is `aws:MultiFactorAuthPresent`, which is a boolean value that is `true` when the user has authenticated using a valid MFA device. By using this key in a `Deny` effect policy (typically with a `Bool` condition), you can block any API call or console access that does not include MFA authentication. This is the standard AWS approach to enforce MFA for console access.

Exam trap

The trap here is that candidates often confuse `aws:MultiFactorAuthPresent` with `aws:MultiFactorAuthAge` (which checks how long ago MFA was used) or assume that `aws:SecureTransport` (HTTPS) is equivalent to MFA enforcement.

How to eliminate wrong answers

Option A is wrong because `aws:RequestedRegion` restricts access based on the AWS region the request is made to, not authentication factors. Option C is wrong because `aws:SourceIp` restricts access based on the IP address of the requester, not MFA status. Option D is wrong because `aws:SecureTransport` checks whether the request uses SSL/TLS (HTTPS), not whether MFA was used.

412
MCQeasy

A developer needs to grant an IAM user access to an S3 bucket owned by another AWS account. Which method should be used?

A.Create an IAM role in the bucket owner account and allow the user to assume it.
B.Create a new IAM user in the bucket owner account for the developer.
C.Attach a bucket policy to the bucket that allows the user's IAM user ARN.
D.Add the user to a bucket ACL granting access.
AnswerC

Bucket policy can grant cross-account access.

Why this answer

Cross-account access requires a bucket policy in the account owning the bucket, granting access to the IAM user ARN from the other account.

413
Multi-Selecteasy

Which of the following are valid ways to secure access to an Amazon S3 bucket? (Choose TWO.)

Select 2 answers
A.Bucket policies
B.CloudFront distribution
C.IAM policies
D.Network ACLs
E.Security groups
AnswersA, C

Bucket policies define access permissions for the bucket.

Why this answer

Bucket policies are a form of resource-based policy that you attach directly to an S3 bucket. They allow you to grant or deny access to the bucket and its objects for principals (users, roles, or AWS accounts) using the AWS JSON policy language. This is a primary and native way to control access to S3 resources, making option A correct.

Exam trap

The trap here is that candidates confuse network-level security controls (like NACLs and Security Groups) with resource-level access controls, mistakenly thinking they can be applied to S3 buckets, which are global services not bound to a VPC subnet.

414
MCQmedium

A company wants to securely store secrets for a Lambda function. Which AWS service should they use?

A.AWS Secrets Manager
B.Amazon S3 with server-side encryption
C.AWS Key Management Service (KMS)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager is designed for secure secret storage and automatic rotation.

Why this answer

AWS Secrets Manager is designed to securely store and rotate secrets, making it the best choice for this use case. Option D (SSM Parameter Store) can store secrets but lacks automatic rotation. Option C (KMS) is a key management service, not a secret store. Option B (S3 with encryption) is not a dedicated secrets service.

415
MCQhard

A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an IAM role to access an S3 bucket that stores user uploads. Recently, the security team discovered that some uploaded files contain malicious content. The team wants to implement a solution that automatically scans new objects for malware and blocks access if threats are detected. The solution must be cost-effective and minimize latency for legitimate uploads. The developer is tasked with designing this solution. Which approach should the developer take?

A.Use S3 Batch Operations to run a scanning script on all existing objects and then schedule periodic scans.
B.Use S3 Object Lambda to transform objects upon retrieval and check for malware.
C.Enable Amazon Macie on the S3 bucket to automatically detect malicious content.
D.Enable Amazon GuardDuty with S3 protection, configure an S3 event notification to trigger a Lambda function that scans new objects using a third-party malware engine, and update the bucket policy to deny access to objects that fail the scan.
AnswerD

Provides real-time scanning and access control.

Why this answer

Option D is correct because using Amazon GuardDuty with S3 protection and an S3 event notification to trigger a Lambda function for scanning provides automated threat detection and response. Option B is wrong because S3 Object Lambda is for transforming objects on retrieval, not scanning. Option C is wrong because Macie is for sensitive data discovery, not malware. Option A is wrong because S3 Batch Operations is for large-scale batch jobs, not real-time scanning.

416
MCQmedium

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that the encryption keys be rotated every 90 days and that access to the keys be auditable. Which solution meets these requirements with the LEAST operational overhead?

A.Use SSE-S3 with default encryption enabled.
B.Use client-side encryption with the AWS Encryption SDK.
C.Use SSE-C with keys stored in AWS Secrets Manager.
D.Use SSE-KMS with a customer managed key and enable automatic key rotation.
AnswerD

KMS automatic rotation meets the 90-day requirement and provides auditing.

Why this answer

Option D is correct because SSE-KMS with a customer managed key and automatic key rotation meets the requirements with minimal overhead. Option A is wrong because SSE-S3 uses S3-managed keys that cannot be rotated on a schedule. Option C is wrong because SSE-C requires managing keys yourself. Option B is wrong because client-side encryption adds complexity.

417
MCQmedium

A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?

A."s3:x-amz-server-side-encryption": "aws:kms"
B."s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc"
C."s3:x-amz-server-side-encryption": "AES256"
D."kms:EncryptionContext": "service:s3"
AnswerB

This condition enforces that the exact KMS key with the specified ARN is used for server-side encryption. Denying requests that do not match this condition ensures all objects use the required key.

Why this answer

Option B is correct because the condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` allows you to enforce that a specific KMS key ARN is used for server-side encryption. By setting this condition to the exact KMS key ARN, any PutObject request that does not include the required `x-amz-server-side-encryption-aws-kms-key-id` header with the matching key ID will be denied, ensuring all objects are encrypted with the mandated KMS key.

Exam trap

The trap here is that candidates often confuse `s3:x-amz-server-side-encryption` (which only checks the encryption type, not the specific key) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which enforces the exact KMS key ARN), leading them to pick Option A instead of B.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` with value `aws:kms` only enforces that KMS encryption is used, but does not restrict which KMS key is used, so a different KMS key could be employed, failing the security requirement. Option C is wrong because `AES256` specifies SSE-S3 encryption, not SSE-KMS, which does not meet the requirement to use an AWS KMS key. Option D is wrong because `kms:EncryptionContext` is a condition key for KMS actions (like Decrypt), not for S3 PutObject, and it does not enforce encryption on the S3 side.

418
MCQmedium

A company is using Amazon Cognito for user authentication. The developers need to add multi-factor authentication (MFA) for security. Which Cognito feature should be enabled?

A.Cognito Sync
B.Cognito User Pools with MFA configuration
C.Cognito Developer Authenticated Identities
D.Cognito Identity Pools
AnswerB

User pools support MFA directly.

Why this answer

Option B is correct because Cognito user pools support MFA, including SMS and TOTP. Option D is wrong because Cognito identity pools are for federated identities, not user pools. Option A is wrong because Cognito Sync is for synchronizing user data. Option C is wrong because Cognito developer authenticated identities are for custom authentication flows.

419
MCQhard

A developer is deploying an application on EC2 instances behind an Application Load Balancer. The application must support mutual TLS (mTLS) authentication between clients and the load balancer. Which configuration is required?

A. Use a Network Load Balancer (NLB) with TLS listeners.
B. Configure listener rules on the ALB to require client certificates.
C. Create a trust store in AWS Certificate Manager Private CA and associate it with the ALB.
D. Use Amazon CloudFront with a custom origin and require client certificates.
Answer: C

Trust store enables mTLS on ALB.

Why this answer

Option C is correct because mutual TLS (mTLS) on an Application Load Balancer requires a trust store that contains the trusted Certificate Authority (CA) certificates used to validate client certificates. This trust store must be created in AWS Certificate Manager Private CA and then associated with the ALB's listener rules. The ALB then performs client certificate verification during the TLS handshake, ensuring both the server and client present valid certificates.

Exam trap

The trap here is that candidates often confuse 'requiring client certificates' with simply configuring a listener rule, not realizing that mTLS on ALB specifically requires a trust store in ACM Private CA to perform certificate validation.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) with TLS listeners does not support mTLS; NLB only supports server-side TLS termination and does not have the capability to validate client certificates. Option B is wrong because configuring listener rules on the ALB to 'require client certificates' is not a valid configuration; ALB listener rules control routing based on request attributes (like path or host header), not TLS-level client certificate validation. Option D is wrong because Amazon CloudFront with a custom origin can forward client certificates to the origin, but it does not natively perform mTLS validation at the edge; the validation would need to be handled by the origin server, not by CloudFront itself.

420
Multi-Select · medium

A developer is troubleshooting an issue where an IAM user cannot perform 's3:ListBucket' on a bucket. Which TWO factors could cause this denial?

Select 2 answers
A. The bucket is in a different region than the user's default region.
B. An explicit deny statement in the bucket policy.
C. The bucket is encrypted with AWS KMS.
D. The user has a permissions boundary that does not include s3:ListBucket.
E. The user's IAM policy does not include s3:ListBucket.
Answers: B, E

Explicit denies override any allows.

Why this answer

Option B is correct because an explicit deny statement in a bucket policy overrides any allow that might exist from an IAM policy or other sources. AWS IAM evaluates all policies (identity-based and resource-based) and an explicit deny always takes precedence, effectively blocking the s3:ListBucket action regardless of other permissions.

Exam trap

The trap here is that candidates confuse a permissions boundary with an explicit deny, thinking that a missing allow in the boundary blocks access, when in fact only an explicit deny or the absence of any allow (from all applicable policies) causes denial.

421
MCQ · medium

A developer is troubleshooting an issue where an AWS Lambda function cannot write logs to Amazon CloudWatch Logs. The Lambda function has an execution role with a policy that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Which additional configuration is likely missing?

A. The CloudWatch Logs log group is encrypted with a customer-managed KMS key.
B. The log group name must start with '/aws/lambda/'.
C. The Lambda function is in a VPC without a VPC endpoint for CloudWatch Logs.
D. The Lambda function is not configured with a log group name.
Answer: C

If the function is in a VPC, it needs either a NAT gateway or a VPC endpoint to reach CloudWatch Logs.

Why this answer

Option C is correct because when a Lambda function is attached to a VPC, it loses default internet connectivity, including the ability to reach the CloudWatch Logs API endpoints. Even if the execution role grants the necessary permissions, the function cannot send logs unless a VPC endpoint for CloudWatch Logs (com.amazonaws.region.logs) is created in the VPC, or the function has a NAT gateway to route traffic to the public endpoint.

Exam trap

The trap here is that candidates often assume IAM permissions are the only requirement for CloudWatch Logs integration, overlooking the network connectivity constraints introduced by VPC attachment.

How to eliminate wrong answers

Option A is wrong because if the log group is encrypted with a customer-managed KMS key, the Lambda execution role would need additional kms:Decrypt and kms:GenerateDataKey permissions, but the question states the role already has the necessary CloudWatch Logs actions, and the issue is about missing configuration, not missing permissions. Option B is wrong because log group names do not have to start with '/aws/lambda/'; Lambda can write to any log group it has permissions for, though the default log group name pattern is '/aws/lambda/<function-name>'. Option D is wrong because Lambda automatically creates a log group named '/aws/lambda/<function-name>' if it does not exist, and the function does not require explicit configuration of a log group name.

422
MCQ · medium

An IAM policy is attached to a user. The user tries to delete an object in 'example-bucket' from IP address 198.51.100.5. What happens?

A. The user is denied from deleting the object.
B. The user can delete the object because the Allow statement grants all actions on the bucket.
C. The user can delete the object because there is no explicit Deny for their IP.
D. The user can delete the object because the Deny condition is met.
Answer: A

The Deny statement blocks DeleteObject from IPs outside 203.0.113.0/24.

Why this answer

The IAM policy includes an explicit Deny statement on s3:DeleteObject whose condition matches requests that originate outside 203.0.113.0/24; 198.51.100.5 falls outside that range, so the condition is met. In AWS IAM, an explicit Deny overrides any Allow statement, so the user is denied from deleting the object regardless of the Allow permissions.

Exam trap

The trap here is that candidates often assume an Allow statement alone grants access, forgetting that an explicit Deny with a matching condition takes precedence and blocks the action.

How to eliminate wrong answers

Option B is wrong because the Allow statement is overridden by the explicit Deny that matches the request's source IP; in AWS IAM an explicit Deny always takes precedence over an Allow. Option C is wrong because there is an explicit Deny that applies to this IP: the Deny's condition is satisfied by 198.51.100.5, so the Deny is in effect. Option D is wrong because a Deny whose condition is met blocks the action rather than permitting it; the user cannot delete the object.

423
MCQ · easy

A developer needs to allow an IAM user to stop and start EC2 instances but not terminate them. Which IAM policy effect and action combination should be used?

A. Allow ec2:StopInstances and ec2:StartInstances
B. Allow ec2:StopInstances, ec2:StartInstances, and ec2:TerminateInstances
C. Deny ec2:TerminateInstances
D. Allow ec2:StartInstances and ec2:TerminateInstances
Answer: A

Allows stop and start without termination.

Why this answer

Option A is correct because the policy should allow only ec2:StopInstances and ec2:StartInstances, leaving ec2:TerminateInstances unpermitted. Option B is wrong because it also allows ec2:TerminateInstances. Option C is wrong because a Deny on ec2:TerminateInstances by itself grants no permissions, so the user still could not stop or start instances. Option D is wrong because it includes termination and omits ec2:StopInstances.

424
MCQ · hard

An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?

A. The caller must be allowed to use the KMS key for decrypt operations
B. The caller must own the destination VPC
C. The bucket must enable static website hosting
D. The object key must end with .kms
Answer: A

Correct for the stated requirement.

Why this answer

When an S3 object is encrypted with SSE-KMS, the S3 bucket policy granting GetObject access is not sufficient because S3 must also decrypt the object before returning it. The AWS KMS key policy must grant the caller kms:Decrypt permission, and the caller's IAM policy must also allow kms:Decrypt on the specific KMS key. Without this additional KMS authorization, S3 returns AccessDenied even if the bucket policy allows GetObject.

Exam trap

The trap here is that candidates assume a bucket policy granting s3:GetObject is sufficient for all objects, forgetting that SSE-KMS adds a separate authorization layer via KMS key policies that must explicitly allow the decrypt operation.

How to eliminate wrong answers

Option B is wrong because VPC ownership is irrelevant to S3 object access; S3 bucket policies and KMS permissions control cross-account access, not network ownership. Option C is wrong because static website hosting is a feature for serving public content and has no bearing on KMS-encrypted object access or cross-account authorization. Option D is wrong because the object key suffix has no effect on KMS authorization; SSE-KMS encryption is determined by the object's encryption settings, not its filename.

425
Multi-Select · easy

Which TWO are features of AWS Identity and Access Management (IAM)? (Choose 2)

Select 2 answers
A. Encrypt S3 objects automatically
B. Monitor network traffic
C. Define fine-grained permissions with policies
D. Manage EC2 instance lifecycle
E. Create and manage IAM users and groups
Answers: C, E

Policies are central to IAM.

Why this answer

Options C and E are correct. C: IAM policies define fine-grained permissions. E: IAM allows creating and managing users and groups.

A: Encrypting S3 objects is not an IAM function. B: Monitoring network traffic is not an IAM function. D: Managing the EC2 instance lifecycle is not an IAM function.

426
Multi-Select · medium

Which THREE components are required to enable encryption in transit for an Application Load Balancer? (Choose THREE.)

Select 3 answers
A. A security group rule allowing inbound traffic on port 443
B. An SSL/TLS certificate from ACM or uploaded to IAM
C. A listener configured on port 443 with the certificate
D. Server Name Indication (SNI) support
E. An HTTP to HTTPS redirect rule
Answers: A, B, C

The security group must allow HTTPS traffic.

Why this answer

A security group rule allowing inbound traffic on port 443 is required because the Application Load Balancer (ALB) must accept HTTPS traffic from clients. Without this rule, the ALB's network interface will drop encrypted connections, preventing any TLS handshake from completing. This ensures that traffic between clients and the ALB is encrypted in transit.

Exam trap

The trap here is that candidates often confuse optional features like SNI or redirect rules as mandatory requirements, when in fact only the security group rule, the certificate, and the listener on port 443 are strictly necessary for encryption in transit.

427
MCQ · easy

A developer needs to grant an IAM user access to an S3 bucket for read-only operations. Which IAM policy action should be used?

A. s3:PutObject
B. s3:DeleteObject
C. s3:ListBucket
D. s3:GetObject
Answer: D

Allows reading objects, which is read-only.

Why this answer

Option D is correct because s3:GetObject allows reading objects from S3. Option A is wrong because s3:PutObject allows writing. Option B is wrong because s3:DeleteObject allows deletion. Option C is wrong because s3:ListBucket allows listing the bucket's keys but not reading object content.

428
MCQ · easy

A developer is using the AWS CLI to upload a file to an S3 bucket with server-side encryption. The bucket is configured with default encryption (SSE-S3). The developer wants to ensure the object is encrypted with SSE-KMS instead. What should the developer do?

A. Use the --kms-key-id parameter with a KMS key ARN
B. Use the --sse aws:kms parameter when uploading
C. No action needed; the bucket default encryption will apply
D. Change the bucket policy to require SSE-KMS
Answer: B

Explicitly requesting SSE-KMS overrides the bucket default.

Why this answer

Option B is correct because the developer must explicitly specify the server-side encryption method at the time of upload using the `--sse aws:kms` parameter in the AWS CLI. This overrides the bucket's default SSE-S3 encryption, ensuring the object is encrypted with SSE-KMS. Without this parameter, the object inherits the bucket's default encryption (SSE-S3), regardless of any other settings.

Exam trap

The trap here is that candidates assume bucket default encryption always applies to all objects, but in reality, request-level encryption parameters take precedence over bucket defaults, and the developer must explicitly specify SSE-KMS to override SSE-S3.

How to eliminate wrong answers

Option A is wrong because the `--kms-key-id` parameter is used to specify a specific KMS key ARN when SSE-KMS is already selected, but it does not enable SSE-KMS by itself; the `--sse aws:kms` parameter must also be provided. Option C is wrong because the bucket's default encryption (SSE-S3) will apply automatically, which does not meet the developer's requirement for SSE-KMS; the default is not overridden without explicit request-level parameters. Option D is wrong because changing the bucket policy to require SSE-KMS only enforces that objects must be encrypted with SSE-KMS at the bucket level, but the developer still needs to specify `--sse aws:kms` in the upload command to comply with that policy and achieve the desired encryption.

429
MCQ · easy

An application running on EC2 instances needs to access an S3 bucket securely. Which of the following is the BEST practice for managing credentials?

A. Store the AWS access key and secret key in a configuration file on the EC2 instance.
B. Use an IAM user with programmatic access and attach a policy allowing S3 access.
C. Launch the EC2 instance with an IAM role that grants S3 access.
D. Use a shared secret key stored in AWS Secrets Manager and retrieve it at runtime.
Answer: C

Best practice, temporary credentials.

Why this answer

Option C is correct because assigning an IAM role to an EC2 instance is the AWS-recommended best practice for securely granting permissions to AWS services. The instance automatically obtains temporary security credentials from the instance metadata service (IMDS), eliminating the need to hardcode or manage long-term access keys. This approach follows the principle of least privilege and avoids the security risks of storing credentials on disk.

Exam trap

The trap here is that candidates often confuse IAM users with IAM roles, mistakenly thinking that creating a dedicated IAM user with programmatic access is a secure practice, when in fact IAM roles are the correct and secure method for EC2-to-S3 access because they eliminate the need to manage long-term credentials.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys and secret keys in a configuration file on the EC2 instance is a security risk; if the instance is compromised, the credentials are exposed and can be used indefinitely. Option B is wrong because using an IAM user with programmatic access requires distributing and managing long-term access keys, which violates the AWS security best practice of using IAM roles for EC2 workloads. Option D is wrong because while AWS Secrets Manager securely stores secrets, retrieving a shared secret key at runtime still introduces a long-term credential that must be managed and rotated, whereas an IAM role provides temporary, automatically rotated credentials without any secret management overhead.
