CCNA Security and Compliance Questions

75 of 288 questions · Page 2/4 · Security and Compliance

76 · MCQ · easy

A DevOps engineer needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. What is the simplest way to achieve this?

A. Enable automatic rotation in Secrets Manager with a rotation interval of 30 days.
B. Store the credentials in Systems Manager Parameter Store and use a scheduled automation to update them.
C. Create a CloudWatch Events rule that triggers a Lambda function to rotate the secret.
D. Write a custom Lambda function that rotates the secret and schedule it with CloudWatch Events.
Answer: A

Secrets Manager supports automatic rotation for supported services.

Why this answer

Option A is correct because Secrets Manager has built-in automatic rotation with a configurable rotation interval. Option B is wrong because Parameter Store does not support automatic rotation. Option C is wrong because a CloudWatch Events rule can trigger rotation, but the simplest way is to use Secrets Manager's built-in feature. Option D is wrong because a custom Lambda function is for custom rotation logic, not built-in automatic rotation.

77 · MCQ · easy

A DevOps engineer needs to securely store database credentials for an application running on Amazon ECS. Which AWS service should be used to manage the credentials and provide them to the ECS tasks?

A. AWS Secrets Manager
B. Amazon S3 with server-side encryption
C. AWS Systems Manager
D. AWS Systems Manager Parameter Store
Answer: A

Secrets Manager provides secure storage, automatic rotation, and fine-grained access control for secrets.

Why this answer

Option A is correct because AWS Secrets Manager is designed to securely store and rotate secrets, and can be integrated with ECS via task roles. Option B is wrong because S3 is not secure for storing secrets without encryption and access control. Option C is wrong because Systems Manager is broader and not specifically for secrets. Option D is wrong because Parameter Store can store parameters but is not as focused on secrets management.

78 · MCQ · hard

Refer to the exhibit. An S3 bucket policy is configured as shown. A user from IP 192.0.2.10 is unable to download an object from the bucket. What is the most likely cause?

A. The bucket policy requires HTTPS, but the user is using HTTP.
B. The policy does not allow s3:ListBucket, so the user cannot list objects.
C. The bucket policy does not allow s3:GetObjectVersion.
D. The IP address is not in the allowed range.
Answer: B

Without ListBucket, the user cannot see the objects to download them via the console.

Why this answer

The bucket policy does not grant the s3:ListBucket action, so the user cannot list objects. The GetObject action allows reading a specific object if the key is known, but the user is most likely trying to list the bucket first (as the console does), which requires s3:ListBucket. Option B is correct.

79 · MCQ · medium

A company needs to store audit logs for 7 years to meet compliance requirements. Which S3 storage class is the most cost-effective for long-term archival?

A. S3 Glacier Deep Archive
B. S3 Intelligent-Tiering
C. S3 Standard
D. S3 Glacier Flexible Retrieval
Answer: A

Deep Archive is the lowest-cost storage class for long-term retention.

Why this answer

S3 Glacier Deep Archive is the lowest-cost storage class for long-term archival. Option A is correct.

80 · MCQ · easy

A company wants to centralize logging of all API calls made within their AWS account for auditing. Which service should they use?

A. Amazon S3 access logs
B. AWS CloudTrail
C. VPC Flow Logs
D. Amazon CloudWatch Logs
Answer: B

Records all API calls for auditing and compliance.

Why this answer

Option B is correct because AWS CloudTrail records API calls for auditing. Option A is wrong because S3 access logs only record requests to S3 buckets, not account-wide API calls. Option C is wrong because VPC Flow Logs capture network traffic, not API calls. Option D is wrong because CloudWatch Logs is for log storage, not API call recording.

81 · MCQ · medium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The Security team requires that all encryption keys be automatically rotated annually. Which key type should be used to meet this requirement?

A. Asymmetric KMS key
B. AWS managed symmetric key
C. Customer managed symmetric key
D. Custom key store backed by AWS CloudHSM
Answer: B

AWS managed keys are automatically rotated every year, meeting the requirement without additional configuration.

Why this answer

AWS managed KMS keys are automatically rotated every year. Customer managed keys require manual rotation or explicit key rotation configuration. AWS managed keys are used by services such as S3, EBS, and RDS.

82 · MCQ · medium

An organization has a compliance requirement to automatically detect and alert on any IAM user creation in all AWS accounts. Which combination of services should be used to meet this requirement?

A. Amazon GuardDuty and Amazon SNS
B. Amazon S3 server access logs and Amazon Athena
C. AWS Config and AWS Lambda
D. AWS CloudTrail and Amazon CloudWatch Events
Answer: D

CloudTrail logs API calls; CloudWatch Events can trigger alerts on specific events.

Why this answer

AWS CloudTrail captures all IAM user creation events as `CreateUser` API calls. Amazon CloudWatch Events (now Amazon EventBridge) can be configured with a rule that matches this specific event pattern and triggers an alert via Amazon SNS. This combination provides real-time detection and notification without custom code.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates resource configurations) with CloudTrail (which records API activity), leading them to select Option C, but AWS Config cannot trigger alerts on API call events like `CreateUser`; it only reacts to configuration changes after they have occurred.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail management events for malicious activity, but it does not provide a native mechanism to trigger custom alerts on specific IAM user creation events; it focuses on anomalies and threats, not compliance-driven event monitoring. Option B is wrong because Amazon S3 server access logs record requests made to an S3 bucket, not IAM user creation events, and using Athena to query them would require a separate mechanism to capture CloudTrail logs into S3, adding latency and complexity; this approach is not designed for real-time alerting on IAM actions. Option C is wrong because AWS Config evaluates resource configurations against rules and can detect changes, but it is not designed for real-time event-driven alerting on API calls; it operates on configuration snapshots and compliance evaluations, not on streaming API events like `CreateUser`.

83 · MCQ · easy

A company uses AWS KMS to encrypt data in S3. They want to audit who used which KMS key and when. Which AWS service should they use?

A. Amazon CloudWatch
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Config
Answer: C

CloudTrail records KMS API calls like Decrypt, Encrypt, GenerateDataKey for auditing.

Why this answer

AWS CloudTrail is the correct service because it records all AWS KMS API calls, including the key ID, the principal who made the request, the time of the request, and the source IP address. These logs are delivered to an S3 bucket and can be queried using CloudTrail Insights or Athena to audit KMS key usage for S3 decryption events.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs (which can store logs) with CloudTrail (which captures the API audit trail), leading them to pick CloudWatch because they think 'audit logs' are just logs, but only CloudTrail records the specific KMS API calls needed for key usage auditing.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, alarms, and logs, but it does not natively capture the detailed API-level audit trail of KMS key usage; it can only visualize CloudTrail events if they are streamed to it. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail events for malicious activity, but it is not designed to provide a direct audit log of who used which KMS key and when. Option D is wrong because AWS Config is a resource inventory and compliance service that tracks configuration changes to AWS resources, not the API calls that use KMS keys for encryption or decryption operations.

84 · MCQ · medium

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service should be used to implement this rotation?

A. AWS Lambda with custom rotation logic
B. AWS Config
C. AWS Secrets Manager
D. AWS Systems Manager Parameter Store
Answer: C

Secrets Manager supports automatic rotation of secrets, including IAM access keys.

Why this answer

AWS Secrets Manager allows automatic rotation of secrets, including IAM user access keys, with a customizable rotation period. Option C is correct because AWS Secrets Manager directly supports this use case. Option D (AWS Systems Manager Parameter Store) cannot rotate credentials. Option A (AWS Lambda) could be used but is not the primary service. Option B (AWS Config) is for compliance checking, not rotation.

85 · MCQ · hard

A company is using AWS CodePipeline with an S3 source action. The pipeline must be triggered only when a new object is uploaded to a specific prefix, and the pipeline should not have access to objects outside that prefix. Which configuration meets these requirements?

A. Use an S3 event notification to trigger a Lambda function that starts the pipeline.
B. Configure the S3 source action with a specific object key and use a bucket policy to allow only that key.
C. Configure the S3 source action with a CloudWatch event that has a prefix filter, and attach an IAM policy to the pipeline role that allows only the specific prefix.
D. Use a separate S3 bucket for the pipeline's source artifacts.
Answer: C

The CloudWatch event with prefix filter ensures only objects in that prefix trigger the pipeline, and the IAM policy restricts access to that prefix.

Why this answer

Using an S3 CloudWatch event with a prefix filter, together with an IAM policy on the pipeline role that restricts access to the prefix, satisfies both conditions. Option C is correct. Option A is wrong because a single S3 event without a prefix filter would trigger on all objects. Option B is wrong because a bucket policy allowing only the prefix does not restrict the pipeline's IAM role. Option D is wrong because the S3 source action by default has access to the entire bucket.

86 · MCQ · easy

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for a user in Account B. Which combination of policies is required?

A. An S3 bucket policy in Account A and an IAM policy in Account B.
B. An IAM role in Account A and an IAM policy in Account B.
C. Only an IAM policy in Account B.
D. Only an S3 bucket policy in Account A.
Answer: A

Both policies are required for cross-account access.

Why this answer

Cross-account access requires both an S3 bucket policy in Account A that grants access to Account B's user and an IAM user policy in Account B that allows access to the bucket. Option A is correct.

87 · MCQ · medium

A company has an S3 bucket containing sensitive data. They need to ensure that all access to the bucket is logged and that any unauthorized access attempts are immediately notified. Which combination of services should be used?

A. Amazon CloudWatch Logs and Amazon SNS
B. VPC Flow Logs and Amazon GuardDuty
C. AWS CloudTrail and Amazon CloudWatch Alarms
D. Amazon S3 server access logs and Amazon Macie
Answer: D

Server access logs record requests; Macie can alert on sensitive data.

Why this answer

Option D is correct because S3 server access logs provide logging, and Amazon Macie can alert on sensitive data exposure. Option A is wrong because CloudWatch Logs alone does not provide notifications. Option B is wrong because VPC Flow Logs are for network traffic, not S3 access. Option C is wrong because CloudTrail logs API calls but not data-level access to S3.

88 · MCQ · easy

A company is using Amazon S3 to store sensitive data. The security team mandates that all data must be encrypted at rest using server-side encryption with AWS Key Management Service (SSE-KMS). The DevOps engineer must ensure that any new objects uploaded to the bucket are automatically encrypted. What should the engineer do?

A. Enable CORS on the bucket to allow encrypted uploads.
B. Apply a bucket policy that denies PutObject unless the request includes the x-amz-server-side-encryption header with aws:kms.
C. Enable default encryption on the S3 bucket and select AWS-KMS as the encryption method.
D. Enable S3 Versioning to protect encrypted objects.
Answer: C

Default encryption applies SSE-KMS to all objects.

Why this answer

Option C is correct because enabling default encryption on the S3 bucket with SSE-KMS ensures all objects are encrypted with KMS. Option A is wrong because CORS is for cross-origin requests. Option B is wrong because bucket policies only enforce encryption headers, not default encryption, and can be bypassed. Option D is wrong because versioning does not encrypt data.

89 · MCQ · hard

A DevOps engineer is configuring AWS Config to detect changes to security group rules. The engineer wants to receive near-real-time notifications when a security group rule that allows inbound SSH traffic is created. Which combination of services and configurations should the engineer use? (Choose the best answer.)

A. Enable Amazon GuardDuty and create a custom threat list for SSH access.
B. Create an AWS Config rule to evaluate security groups, and configure an Amazon EventBridge rule to match 'Config Rules Compliance Change' events and trigger an SNS topic.
C. Use AWS CloudTrail to monitor CreateSecurityGroup API calls and send events to CloudWatch Logs.
D. Set up AWS Config to send configuration change notifications directly to an SNS topic.
Answer: B

EventBridge can capture Config compliance changes and send to SNS.

Why this answer

Option B is correct because AWS Config uses managed rules (such as restricted-ssh) and can stream compliance changes to CloudWatch Events (now Amazon EventBridge), which triggers a Lambda function to send SNS notifications. Option A is wrong because GuardDuty focuses on threats, not configuration changes. Option C is wrong because CloudTrail logs API calls but not configuration state changes directly; using Config is more appropriate. Option D is wrong because AWS Config does not send directly to SNS without an intermediary.

90 · MCQ · hard

A company is running a critical application on an Amazon EC2 instance that needs to access an S3 bucket. The application must use temporary credentials that automatically rotate. The DevOps engineer must ensure that the credentials are never stored on disk. Which approach meets these requirements?

A. Store the credentials in AWS Secrets Manager and retrieve them at application startup.
B. Attach an IAM role to the EC2 instance and use the instance profile to obtain temporary credentials from the instance metadata service.
C. Use AWS Systems Manager Parameter Store to store the credentials and retrieve them using the EC2 instance's IAM role.
D. Generate an access key and secret key for an IAM user and store them in a configuration file on the EC2 instance.
Answer: B

Instance profiles provide temporary credentials that are automatically rotated and never stored on disk.

Why this answer

Option B is correct because attaching an IAM role to the EC2 instance and using the instance profile allows the application to obtain temporary credentials from the EC2 instance metadata service (IMDS). These credentials are automatically rotated by AWS before they expire, and they are never stored on disk—they are fetched on-demand from the metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/). This satisfies both the requirement for automatic rotation and the prohibition against disk storage.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager or Parameter Store with a solution for automatic credential rotation, not realizing that those services store static secrets unless explicitly configured with rotation via Lambda, whereas an IAM instance profile inherently provides automatically rotating temporary credentials without any disk storage.

How to eliminate wrong answers

Option A is wrong because while AWS Secrets Manager can store and rotate credentials, the application would still need to retrieve and hold them in memory, and the credentials stored there are long-term IAM user keys or secrets, not automatically rotating temporary credentials from an instance profile. Option C is wrong because AWS Systems Manager Parameter Store can store credentials, but it does not inherently rotate them; the stored credentials would be static unless manually updated, and the application would still need to handle them in memory, not leveraging the automatic rotation of instance metadata service credentials. Option D is wrong because storing access keys and secret keys in a configuration file on disk directly violates the requirement that credentials never be stored on disk, and these static credentials do not automatically rotate.

91 · Multi-Select · medium

Which TWO of the following are benefits of using AWS Certificate Manager (ACM) to manage SSL/TLS certificates? (Choose two.)

Select 2 answers
A. Ability to use the same certificate on multiple EC2 instances.
B. Support for wildcard certificates only.
C. Automatic renewal of certificates.
D. Integration with Elastic Load Balancing and Amazon CloudFront.
E. Free certificates for use on any AWS service.
Answers: C, D

ACM automatically renews certificates, reducing administrative burden.

Why this answer

ACM automatically renews certificates before expiry, reducing manual overhead. It integrates with AWS services like ALB and CloudFront for easy deployment. ACM can export certificates for use on EC2 instances, but that is not a primary benefit; the main benefits are automatic renewal and integration.

92 · MCQ · medium

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are tamper-proof and can be used to verify integrity. Which feature should be enabled?

A. Server-side encryption (SSE-S3)
B. CloudTrail log file integrity validation
C. S3 Object Lock
D. MFA delete on the S3 bucket
Answer: B

This feature provides a digest file that can be used to verify log integrity.

Why this answer

CloudTrail log file integrity validation uses SHA-256 hashing and digital signing to ensure logs have not been tampered with. S3 object lock prevents deletion but not modification. MFA delete protects deletion but not modification.

SSE encrypts data at rest but does not protect integrity.

93 · Multi-Select · medium

A company uses AWS Organizations with SCPs to enforce security policies. The security team needs to ensure that no IAM user or role can disable AWS CloudTrail or delete CloudTrail logs. Which TWO approaches should be combined to achieve this? (Choose TWO.)

Select 2 answers
A. Use a service control policy to deny s3:DeleteObject on the CloudTrail S3 bucket.
B. Enable MFA Delete on the CloudTrail S3 bucket.
C. Apply an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail for all accounts.
D. Enable CloudTrail log file validation.
E. Attach an IAM policy to all users denying cloudtrail:StopLogging.
Answers: C, D

SCPs can enforce restrictions across all accounts in the organization.

Why this answer

Option C (an SCP denying cloudtrail:StopLogging and cloudtrail:DeleteTrail) prevents the root user and all accounts in the organization from performing those actions. Option D (CloudTrail log file validation) ensures integrity but does not prevent deletion. Option A is also a service control policy, but Option C is the one that directly denies the CloudTrail actions. Option E (IAM policy) is less effective because it can be overridden by account admins. Option B (S3 MFA Delete) adds extra protection but is not the primary method.

94 · MCQ · easy

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all new member accounts automatically receive a specific AWS Config rule to require encryption on Amazon EBS volumes. Which solution meets this requirement with the least operational overhead?

A. Use an SCP to deny the creation of unencrypted EBS volumes and use AWS Config to detect noncompliant volumes.
B. Use a service control policy (SCP) to deny the ability to disable the AWS Config rule and use a custom AWS Config rule that evaluates EBS encryption.
C. Use an AWS Config aggregator in the management account to monitor compliance across accounts.
D. Use AWS CloudFormation StackSets to deploy a stack with the Config rule to all existing and new accounts.
Answer: B

SCPs can enforce that Config rules are enabled, and a custom Config rule can enforce EBS encryption.

Why this answer

Option B is correct because using an SCP to deny the ability to disable the AWS Config rule ensures the rule remains active across all accounts, while the custom AWS Config rule evaluates EBS encryption compliance. This combination enforces the requirement automatically for new member accounts with minimal operational overhead, as SCPs are applied at the organization level and AWS Config rules can be deployed via AWS Config conformance packs or organization-level rules without manual intervention.

Exam trap

The trap here is that candidates often confuse SCPs with direct enforcement mechanisms, thinking an SCP alone can deploy or enforce a Config rule, when in fact SCPs only deny API actions and must be paired with a separate deployment method like organization-level AWS Config rules.

How to eliminate wrong answers

Option A is wrong because an SCP that denies the creation of unencrypted EBS volumes does not enforce an AWS Config rule; it only prevents creation but does not detect or remediate existing noncompliant volumes, and it does not automatically deploy the Config rule to new accounts. Option C is wrong because an AWS Config aggregator only provides a centralized view of compliance across accounts but does not enforce or deploy the Config rule to new accounts. Option D is wrong because CloudFormation StackSets require manual setup and ongoing management to deploy to new accounts as they are added, which introduces higher operational overhead compared to using organization-level AWS Config rules or SCPs.

95 · MCQ · easy

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the target account is 222222222222. Which combination of a bucket policy and an IAM policy correctly grants the target account access?

A. Bucket policy: { "Effect": "Allow", "Principal": "222222222222", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } and IAM policy: same as A
B. Bucket policy: { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::222222222222:root" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } and IAM policy: { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" }
C. Only bucket policy as in A
D. Only IAM policy as in A
Answer: B

Both policies are needed and correctly specified.

Why this answer

Cross-account S3 access requires a bucket policy in the source account that grants permissions to the target account's root or a specific role, and an IAM policy in the target account that allows the user to access the bucket. Option B is correct. Option A uses an incorrect Principal syntax. Option C is missing the IAM policy. Option D is missing the bucket policy.

96 · MCQ · medium

A security engineer runs the above CLI command to investigate IAM user 'Bob'. The output shows Bob logged in and then created a new IAM user. Which additional information should the engineer look for to determine if this was a security incident?

A. The event name for the user creation.
B. The time the new user was last modified.
C. The source IP address from the CloudTrail event details.
D. The IAM group memberships of the new user.
Answer: C

The source IP can help identify if the login came from an unusual location.

Why this answer

To determine whether the activity is malicious, the engineer should check the source IP address from the CloudTrail event details. Option C is correct. Option A is wrong because the event name is already known. Option B is wrong because CloudTrail does not log the timestamp of the resource's last modification. Option D is wrong because the IAM user's group membership is not directly relevant to the login event.

97 · MCQ · medium

A company has a multi-account AWS environment using AWS Organizations. They want to centrally manage user access to all accounts using single sign-on (SSO) and enforce multi-factor authentication (MFA). Which service should they use?

A. Use AWS Secrets Manager to store and rotate IAM user credentials.
B. Create IAM users in each account and share the credentials securely.
C. Use Amazon Cognito user pools with an identity broker.
D. Use AWS IAM Identity Center (AWS SSO) to manage access and enforce MFA.
Answer: D

IAM Identity Center provides centralized SSO and MFA enforcement across multiple AWS accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized place to manage user access and permissions across all AWS accounts in an AWS Organization. It natively supports enforcing multi-factor authentication (MFA) through an identity source (e.g., the built-in identity store or an external IdP) and integrates directly with AWS Organizations to grant single sign-on access without needing to create IAM users in each account.

Exam trap

The trap here is that candidates often confuse Amazon Cognito (a customer identity service) with workforce identity management, or assume that storing credentials in Secrets Manager or creating per-account IAM users is a viable centralized solution, when in fact AWS IAM Identity Center is the only service designed for multi-account SSO with MFA enforcement in an AWS Organizations context.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed to securely store and rotate secrets (like database credentials or API keys), not to manage user identities or enforce MFA for SSO access. Option B is wrong because creating IAM users in each account and sharing credentials manually violates the principle of least privilege, creates a massive administrative overhead, and does not provide centralized SSO or consistent MFA enforcement across accounts. Option C is wrong because Amazon Cognito user pools are intended for customer-facing identity and access management for web and mobile applications, not for managing workforce access to AWS accounts via SSO with MFA enforcement across an AWS Organization.

98 · MCQ · hard

A DevOps team is deploying a multi-tier application on AWS. The application must comply with PCI DSS. Which combination of services should be used to encrypt data in transit between the web tier and the application tier?

A. AWS Certificate Manager (ACM) and Application Load Balancer (ALB)
B. AWS CloudHSM and Classic Load Balancer
C. AWS KMS and VPC Peering
D. AWS WAF and Amazon CloudFront
Answer: A

ACM provides TLS certificates that can be used with ALB to encrypt traffic in transit between layers.

Why this answer

For encryption in transit, using TLS certificates managed by ACM and enforced by an Application Load Balancer is the standard approach. CloudHSM or KMS are for key storage but not directly for in-transit encryption. VPC Peering does not provide encryption.

99 · MCQ · hard

A DevOps engineer executed the CLI command shown in the exhibit. After creation, the security team requires that the log files be encrypted with a KMS key that is rotated every 90 days. The current key is a customer managed key with automatic rotation enabled set to 365 days. What should the engineer do to meet the requirement?

A. Use the existing key and change the rotation period in KMS
B. Disable automatic rotation and manually rotate the key every 90 days
C. Modify the KMS key to set the rotation period to 90 days
D. Create a new KMS key with automatic rotation set to 90 days and update the trail with the new key
Answer: D

Create a new key with the desired rotation and update the trail's KMS key.

Why this answer

To change the KMS key used by a trail, you must update the trail; a new key can be specified with the --kms-key-id parameter. Changing a key's rotation period is done through KMS, not CloudTrail. Option D is correct because the engineer can update the trail to use a new key that has a 90-day rotation period. Option A is wrong because you cannot change the rotation period of an existing key; you must create a new one. Option C is wrong for the same reason: the key is already in use and its rotation period cannot be modified. Option B is wrong because disabling automatic rotation is the opposite of the requirement.

100 · MCQ · easy

A company wants to securely store database credentials used by an application running on Amazon EC2. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

A. AWS IAM
B. AWS KMS
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager provides automatic rotation of secrets, including database credentials.

Why this answer

AWS Secrets Manager is designed for securely storing secrets and provides automatic rotation. Systems Manager Parameter Store can store secrets but does not natively support rotation without custom automation. KMS is for encryption keys, not secret rotation.

101 · MCQ · medium

A company is migrating a legacy application to AWS. The application requires cross-account access to an S3 bucket in a different AWS account. The security team wants to follow the principle of least privilege. How should the DevOps engineer configure the access?

A. Generate an access key for the root user of the source account and use it in the application.
B. Create an IAM role in the source account with necessary permissions and attach a bucket policy in the target account granting access to that role.
C. Create an IAM user in the target account with access keys and store them in AWS Secrets Manager.
D. Create an IAM user in the source account with programmatic access and a bucket policy allowing that user.
Answer: B

Least privilege and secure cross-account access.

Why this answer

Option B is correct because using an IAM role in the source account with a bucket policy in the target account that allows the role is the recommended cross-account access pattern. Option A is wrong because using root user credentials is insecure. Option C is wrong because it relies on long-term access keys, which should not be used when a role can be assumed instead. Option D is wrong because IAM users in the source account should not be used directly; a role is preferred.

102 · MCQ · hard

Refer to the exhibit. An IAM policy is attached to an IAM user. Which of the following actions will be allowed by this policy?

A. DescribeInstances on an instance in us-east-1
B. StartInstances on an instance in us-east-1
C. DescribeInstances on an instance in us-west-2
D. StopInstances on an instance in us-east-1
Answer: A

Allowed by the first statement and not denied because condition is false.

Why this answer

Option A is correct. The Allow statement permits ec2:DescribeInstances, and the Deny statement denies all ec2 actions (ec2:*) on instances only when the requested region is not us-east-1. For a request in us-east-1 the condition is false, so the Deny does not apply and DescribeInstances is allowed.

Option B is wrong because, although the Deny does not apply in us-east-1, there is no explicit Allow for StartInstances, so it is implicitly denied. Option C is wrong because in us-west-2 the condition is true, so the Deny applies to all ec2 actions on instances, including DescribeInstances. Option D is wrong for the same reason as B: the Deny does not apply in us-east-1, but the Allow statement only covers DescribeInstances, not StopInstances, so it is implicitly denied.

103
MCQhard

A company requires that all secrets (e.g., database passwords) used by Lambda functions be rotated automatically every 30 days. Which combination of services should be used?

A.AWS CloudHSM and AWS Lambda
B.AWS Secrets Manager and AWS Lambda
C.AWS Systems Manager Parameter Store and AWS Lambda
D.AWS KMS and AWS Lambda
AnswerB

Secrets Manager provides automatic rotation and Lambda can retrieve secrets.

Why this answer

AWS Secrets Manager is the correct choice because it natively supports automatic secret rotation on a configurable schedule (e.g., every 30 days) using a Lambda function as the rotation handler. Secrets Manager directly integrates with Lambda to invoke the rotation logic, updating the secret value and propagating the change to the target database or service without custom infrastructure. CloudHSM, Parameter Store, and KMS do not provide built-in, scheduled rotation of secrets with automatic Lambda invocation.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager (which is purpose-built for rotation), or they assume KMS or CloudHSM can manage secrets directly when they only handle encryption keys.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM is a hardware security module for key generation and cryptographic operations, not a service for storing or rotating secrets like database passwords; it lacks any built-in rotation scheduling or Lambda integration for secret rotation. Option C is wrong because AWS Systems Manager Parameter Store can store secrets but does not natively support automatic rotation; any rotation would require custom orchestration and polling, whereas Secrets Manager provides managed rotation with a single API call. Option D is wrong because AWS KMS is a key management service for encryption keys, not a secret store; it cannot store or rotate secrets like database passwords, and while it can encrypt secrets stored elsewhere, it does not provide rotation logic.

104
Multi-Selecteasy

A company wants to enable AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team requires that logs be encrypted at rest and that any unauthorized deletion of log files be prevented. Which TWO actions should the security team take? (Choose TWO.)

Select 2 answers
A.Create a trail in the management account that applies to all accounts in the organization.
B.Enable default encryption with SSE-S3 on the S3 bucket where CloudTrail delivers logs.
C.Configure CloudTrail to send logs to Amazon CloudWatch Logs and enable encryption using an AWS KMS key.
D.Enable S3 Object Lock on the destination S3 bucket to prevent log file deletion.
E.Enable CloudTrail Insights to detect unusual API activity.
AnswersA, D

A trail applied to the organization logs all accounts.

Why this answer

Option A is correct because an organization trail created in the management account logs API activity for every account, giving centralized logging. Option D is correct because S3 Object Lock prevents log files from being deleted. Option B is incorrect because SSE-S3 default encryption on the bucket does nothing to prevent deletion, and if a KMS customer managed key is used for encryption, that key must be created beforehand, not just enabled.

Option C is incorrect because CloudWatch Logs encryption uses KMS, not S3 SSE, and it does not prevent deletion of the S3 log files. Option E is incorrect because CloudTrail Insights detects unusual API activity; it does not encrypt logs or prevent their deletion.

105
Multi-Selectmedium

A company wants to monitor and detect suspicious API activity across all AWS accounts in an organization. Which TWO services should be used together?

Select 2 answers
A.Amazon Inspector
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersC, D

CloudWatch Logs can receive CloudTrail logs and create metric filters for suspicious activity.

Why this answer

Amazon CloudWatch Logs is correct because it can centrally aggregate and store API activity logs from all AWS accounts in an organization. When combined with AWS CloudTrail, which records API calls, CloudWatch Logs enables real-time monitoring and alerting on suspicious API patterns using metric filters and alarms.

Exam trap

The trap here is that candidates often pick GuardDuty (Option E) because it is a security service, but the question specifically asks for services to monitor and detect suspicious API activity, which requires the log capture and analysis capabilities of CloudTrail and CloudWatch Logs, not GuardDuty's threat detection, which consumes those logs as a downstream source.

106
MCQmedium

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS). When uploading an object via the AWS CLI, which parameter must be included to enforce this?

A.--kms-key-id <key-id>
B.--sse AES256
C.--encryption aws:kms
D.--server-side-encryption aws:kms
AnswerD

This parameter enables SSE-KMS.

Why this answer

The --server-side-encryption parameter with the value 'aws:kms' specifies SSE-KMS, so Option D is correct. Option B is wrong because --sse with the value 'AES256' selects SSE-S3.

Option A is wrong because --kms-key-id only specifies which key to use; SSE-KMS must still be enabled. Option C is wrong because --encryption is not a valid parameter.

107
MCQeasy

A company wants to centrally manage and apply policies across multiple AWS accounts in an AWS Organization. Which service should be used to define and enforce compliance rules?

A.AWS Organizations Service Control Policies (SCPs)
B.AWS Config rules
C.AWS CloudTrail
D.IAM policies
AnswerA

SCPs centrally control permissions across accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) are the correct choice because they centrally manage permissions across all accounts in an AWS Organization by defining maximum allowable permissions. SCPs act as a guardrail, restricting what member accounts can do, even if IAM policies within those accounts grant broader access. This makes SCPs the ideal service for enforcing compliance rules at the organization level.

Exam trap

The trap here is that candidates often confuse AWS Config rules (which detect non-compliance) with SCPs (which enforce compliance), leading them to choose Config instead of SCPs for policy enforcement.

How to eliminate wrong answers

Option B is wrong because AWS Config rules evaluate resource configurations for compliance against desired states, but they do not enforce or prevent actions; they only detect and report non-compliance. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot define or enforce policies—it is a logging service. Option D is wrong because IAM policies are attached to users, groups, or roles within a single account and cannot centrally manage permissions across multiple accounts in an AWS Organization.

108
MCQmedium

A DevOps engineer is troubleshooting a failed CodeBuild project. The build fails with an error: 'Access Denied: Unable to put object to S3.' The build project has an S3 bucket as the artifact store. What should the engineer do to resolve this issue?

A.Add s3:PutObject permission to the CodeBuild service role for the artifact bucket.
B.Enable server-side encryption on the artifact bucket.
C.Enable CloudWatch Logs for the build project.
D.Add s3:GetObject permission to the CodeBuild service role for the source bucket.
AnswerA

The service role lacks write permission.

Why this answer

Option A is correct because the CodeBuild service role needs s3:PutObject permission on the artifact bucket to write build output. Option D is wrong because the issue is about writing artifacts, not reading the source. Option C is wrong because CloudWatch Logs is for build logs, not artifacts.

Option B is wrong because server-side encryption is about encrypting data at rest, not granting write permission.

109
MCQeasy

A DevOps engineer needs to allow an AWS Lambda function to write logs to Amazon CloudWatch Logs. What should the engineer do?

A.Attach an IAM role to the Lambda function's instance profile.
B.Attach an IAM policy to the Lambda execution role that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.
C.Generate an access key for the Lambda function and configure the function to use it.
D.Create a resource-based policy on the CloudWatch Logs log group that allows the Lambda function to write.
AnswerB

The execution role is the standard way to grant permissions to a Lambda function.

Why this answer

Option B is correct because Lambda functions assume an IAM role (the execution role) that grants their permissions, and the listed logs actions are what writing to CloudWatch Logs requires. Option C is wrong because Lambda functions do not use access keys. Option A is wrong because Lambda functions do not have instance profiles.

Option D is wrong because resource-based policies on log groups are for cross-account access, not for granting a Lambda function access to CloudWatch Logs.

110
MCQeasy

An organization needs to audit all AWS API calls made in their account for compliance purposes. Which AWS service should they enable?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerC

Records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API activity. Option A is wrong because CloudWatch Logs stores logs but does not itself record API calls. Option B is wrong because AWS Config tracks resource configuration changes, not API calls.

Option D is wrong because Amazon GuardDuty is a threat detection service, not an audit log of API calls.

111
Multi-Selectmedium

A company uses AWS CodePipeline for CI/CD. The security team requires that all code changes be scanned for secrets before deployment. The pipeline consists of a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team wants to automatically scan for secrets and block the pipeline if any secrets are found. Which THREE actions should the team take? (Choose THREE.)

Select 3 answers
A.Add a scanning action in the deploy stage to scan after deployment.
B.Configure the build project to fail the build if the scanning tool returns a non-zero exit code.
C.Add a scanning action in the build stage using a custom action or a third-party action from AWS Marketplace.
D.Configure an S3 bucket policy to deny access if secrets are detected.
E.Grant the CodeBuild service role permissions to retrieve the scanning tool from an S3 bucket.
AnswersB, C, E

A failed build stops the pipeline.

Why this answer

Option C is correct because a scanning action in the build stage can catch secrets before deployment. Option B is correct because CodeBuild can fail the build when the scanning tool returns a non-zero exit code, which stops the pipeline and prevents deployment. Option E is correct because the CodeBuild service role needs IAM permissions to retrieve the scanning tool from S3.

Option D is incorrect because S3 bucket policies are not relevant to scanning code for secrets. Option A is incorrect because post-deployment scanning would not block the pipeline before deployment.

112
MCQhard

A company's security policy requires that all EC2 instances must be launched with an IAM role that provides least privilege access. A DevOps engineer needs to enforce this across the organization. Which approach is MOST effective?

A.Create an SCP that denies ec2:RunInstances if the specified IAM role is not the approved role
B.Create a service control policy (SCP) that denies the ec2:RunInstances action unless an instance profile is attached
C.Use AWS Config to detect instances without the required role and terminate them via Lambda
D.Create an IAM policy that denies ec2:RunInstances unless the instance is launched with the required IAM role, and attach it to all users
AnswerD

IAM policies can use condition keys like iam:PassedToService to enforce specific roles.

Why this answer

Option D is correct because an IAM policy can deny ec2:RunInstances with a condition that requires the approved IAM role, so the launch itself fails unless that role is used. Option A is wrong because SCPs cannot enforce a specific role attachment. Option B is wrong because it only requires that some instance profile be attached, not the approved one, so it restricts instance profiles rather than the launch as required.

Option C is wrong because AWS Config only detects non-compliant instances after they have launched; terminating them afterwards is remediation, not enforcement at launch.

113
MCQeasy

A DevOps engineer is designing a CI/CD pipeline that deploys code to an EC2 instance. The engineer needs to securely store and retrieve database credentials used by the application. Which AWS service should be used?

A.Amazon S3 with server-side encryption
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.AWS Key Management Service (KMS)
AnswerC

Secrets Manager provides secure storage and automatic rotation of secrets.

Why this answer

Option C is correct because AWS Secrets Manager is designed to securely store and rotate secrets such as database credentials. Option B is wrong because Systems Manager Parameter Store can store secrets but lacks automatic rotation. Option D is wrong because KMS is for encryption keys, not secret storage.

Option A is wrong because S3 is not designed for secret management.

114
MCQmedium

A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?

A.Create an IAM role in each member account with a trust policy that allows the Security account, and use AWS CloudFormation StackSets to deploy the roles.
B.Use AWS Single Sign-On (SSO) to assign permissions to users across accounts.
C.Create an IAM role in the Security account with a trust policy that references a service control policy (SCP) in AWS Organizations.
D.Create a resource-based policy on each IAM role in the member accounts that allows the Security account to assume the role.
AnswerC

SCPs can restrict IAM actions across accounts, and the trust policy can reference the SCP to enforce central control.

Why this answer

Option C is correct because it leverages AWS Organizations and Service Control Policies (SCPs) to centrally enforce which IAM roles can be assumed across member accounts. An SCP applied to an OU or account can explicitly deny the `sts:AssumeRole` action for any role that does not match a specific ARN pattern, ensuring that only the Security account's designated roles are assumable. Since SCPs are automatically inherited by all accounts in the organization, policy updates are applied without manual intervention.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can grant permissions (SCPs never grant permissions; they only set the maximum permissions an account's IAM policies can allow), or they assume that resource-based policies (Option D) are sufficient for centralized enforcement without realizing they lack automatic propagation across accounts.

How to eliminate wrong answers

Option A is wrong because while CloudFormation StackSets can deploy IAM roles across accounts, they do not enforce that only specific roles are assumable—any role created with a permissive trust policy could be used, and updates require redeployment. Option B is wrong because AWS SSO manages user permissions and access to AWS accounts via permission sets, but it does not centrally control which IAM roles can be assumed by users in member accounts; it is a separate identity federation service. Option D is wrong because resource-based policies on IAM roles in member accounts would require manual updates in each account and do not provide automatic, organization-wide enforcement of which roles are assumable.

115
Multi-Selectmedium

A company wants to audit all changes to IAM policies in their AWS account. Which THREE services can be used to capture and alert on IAM policy changes? (Choose THREE.)

Select 3 answers
A.AWS Config
B.AWS CloudTrail
C.AWS Trusted Advisor
D.Amazon EventBridge
E.Amazon Inspector
AnswersA, B, D

Can track changes to IAM resources and evaluate rules.

Why this answer

Options A, B, and D are correct. AWS CloudTrail logs all IAM API calls. AWS Config can track resource changes and trigger rules.

Amazon EventBridge can create rules to detect specific CloudTrail events and trigger notifications. Option C: AWS Trusted Advisor provides best practice checks, not change auditing. Option E: Amazon Inspector is for security vulnerabilities.

116
MCQhard

A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?

A.Configure security groups to allow only HTTP/HTTPS traffic.
B.Configure network ACLs to block common attack patterns based on IP ranges.
C.Deploy AWS WAF in front of the ALB and create rules to block SQL injection and XSS.
D.Enable AWS Shield Advanced to protect the ALB.
AnswerC

AWS WAF provides managed rules for SQL injection and XSS at the application layer.

Why this answer

AWS WAF is a web application firewall that integrates directly with Application Load Balancers to inspect HTTP/HTTPS requests for common attack patterns. It provides managed rule sets specifically designed to block SQL injection and cross-site scripting (XSS) attacks at the application layer, which is exactly what this scenario requires.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups, NACLs) or DDoS protection (Shield) with application-layer filtering, failing to recognize that only a web application firewall like AWS WAF can inspect HTTP payloads for injection attacks.

How to eliminate wrong answers

Option A is wrong because security groups operate at the network layer (Layer 3/4) and only filter traffic based on IP addresses, ports, and protocols; they cannot inspect application-layer payloads for SQL injection or XSS patterns. Option B is wrong because network ACLs are stateless packet filters that also operate at the network layer and cannot parse HTTP request bodies or query strings for malicious content; blocking IP ranges does not prevent application-layer attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks at the network and transport layers, but it does not include the application-layer inspection capabilities needed to detect and block SQL injection or XSS.

117
Multi-Selecthard

Which THREE components are necessary to implement a secure VPC with a public subnet and a private subnet that hosts a database? (Choose THREE.)

Select 3 answers
A.AWS Site-to-Site VPN connection.
B.Internet Gateway attached to the VPC.
C.NAT Gateway in the public subnet.
D.VPC Peering connection to a central VPC.
E.Security group for the database allowing traffic only from the application tier.
AnswersB, C, E

Provides internet access to public subnet.

Why this answer

Correct options: B, C, and E. Option C: a NAT Gateway in the public subnet allows instances in the private subnet to reach the internet without being reachable from it. Option B: an Internet Gateway allows instances in the public subnet to access the internet.

Option E: a security group that allows traffic only from the application tier acts as the firewall for the database. Option A is wrong because a VPN is not necessary. Option D is wrong because VPC Peering is for connecting VPCs.

118
MCQmedium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in all accounts are encrypted with SSE-S3. They plan to use an SCP to deny the creation of unencrypted buckets. The DevOps engineer writes an SCP with a Deny effect for s3:PutBucketEncryption without a condition. However, when testing, an administrator in a member account is able to create a bucket without encryption. The engineer checks CloudTrail and sees that the bucket was created with a PutBucket call that did not include the x-amz-server-side-encryption header. What is the most likely reason the SCP did not prevent this?

A.The SCP should also deny s3:PutBucketDefaultEncryption, which is the correct action for default encryption.
B.The SCP denies s3:PutBucketEncryption, but the bucket creation does not call that action; it calls s3:CreateBucket. The SCP should deny s3:CreateBucket with a condition on the encryption parameter.
C.The SCP is not attached to the organizational unit that contains the member account.
D.The member account is the management account of the organization, so SCPs do not apply.
AnswerB

s3:PutBucketEncryption is for modifying encryption after creation.

Why this answer

SCPs can deny the s3:PutBucketEncryption action, but that action is only called when modifying the encryption settings of an existing bucket; bucket creation calls a different action (s3:CreateBucket). To enforce encryption at creation, the SCP should deny s3:CreateBucket with a condition that the encryption is not set, so Option B is correct.

Option A is wrong because it concerns default encryption, which is a separate setting from bucket creation. Option C (SCP not attached to the right OU) and Option D (management account) are less likely: the scenario states that the test was performed in a member account, and the CloudTrail record points to the action mismatch rather than a missing attachment.

119
MCQeasy

A company wants to ensure that all S3 buckets are encrypted at rest by default. Which S3 feature should be enabled at the bucket level to automatically encrypt new objects?

A.S3 Object Lock
B.Bucket policy with a Deny for unencrypted uploads
C.S3 Versioning
D.Default encryption
AnswerD

Default encryption automatically encrypts new objects.

Why this answer

S3 default encryption allows you to set a default encryption behavior for a bucket, so that all new objects are encrypted at rest automatically. Bucket policies can enforce encryption but do not automatically encrypt. Object lock is for retention.

Versioning is for object versions.

120
MCQmedium

A company uses AWS Secrets Manager to store database credentials. The security team requires that secrets be automatically rotated every 30 days. Which rotation strategy should the engineer configure to meet this requirement with minimal operational overhead?

A.Manually rotate the secret every 30 days using the AWS CLI.
B.Store the secret in AWS Systems Manager Parameter Store with a SecureString parameter.
C.Enable automatic rotation using the pre-built Lambda rotation function for the database type.
D.Enable automatic rotation with a custom Lambda function.
AnswerC

Secrets Manager provides pre-built rotation templates for common databases.

Why this answer

Secrets Manager can automatically rotate secrets using a Lambda function. The easiest way is to use the pre-built Lambda rotation function for the specific database type (e.g., Amazon RDS). Creating a custom Lambda function is more overhead.

Manually rotating via CLI defeats automation. Using Systems Manager Parameter Store with SecureString does not provide built-in rotation.

121
Multi-Selecthard

A DevOps team needs to enforce that all S3 buckets in an AWS account are encrypted at rest. Which THREE steps should be taken to achieve this? (Choose THREE.)

Select 3 answers
A.Configure AWS Config rules to detect buckets without encryption
B.Use an S3 bucket policy to deny PutObject requests that do not include encryption headers
C.Enable S3 server access logging
D.Enable default encryption on each S3 bucket
E.Enable S3 Transfer Acceleration
AnswersA, B, D

Detects and can trigger remediation.

Why this answer

Using a bucket policy to deny PUT requests without encryption ensures objects are encrypted on upload. AWS Config rules can detect non-compliant buckets. S3 default encryption ensures new objects are encrypted.

Option E (Transfer Acceleration) is irrelevant to encryption; Option C (server access logging) is about logging, not encryption.

122
Multi-Selectmedium

A company needs to audit all changes to IAM policies in their AWS account. Which services can be used to track and log these changes? (Select TWO.)

Select 2 answers
A.Amazon S3
B.Amazon CloudWatch Logs
C.AWS Config
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersC, D

Config can track changes to IAM policies and provide a history of configuration changes.

Why this answer

AWS CloudTrail logs API calls, including IAM policy changes. AWS Config can track configuration changes to IAM resources. CloudWatch Logs stores logs but does not track changes itself.

GuardDuty is for threat detection. S3 is storage.

123
Multi-Selecthard

Which THREE of the following are best practices for managing IAM roles in AWS Organizations? (Choose three.)

Select 3 answers
A.Use service control policies (SCPs) to set permission boundaries.
B.Share the root user credentials of the master account with administrators.
C.Use a single IAM user with full permissions across all accounts.
D.Use IAM roles to delegate access to users and services across accounts.
E.Create IAM roles with the principle of least privilege.
AnswersA, D, E

SCPs help centrally control permissions for all accounts.

Why this answer

Using IAM roles to delegate access across accounts is a best practice. Creating roles with least privilege and using service control policies (SCPs) to enforce permission boundaries are also best practices. Sharing root user credentials is never a best practice.

Using a single IAM user across accounts is not recommended.

124
MCQhard

A company needs to enforce that all EC2 instances launched in an AWS account use a specific Amazon Machine Image (AMI) that is approved by the security team. Which combination of services should be used?

A.AWS Organizations SCP and AWS CloudTrail
B.AWS Config rule to check AMI ID and AWS Systems Manager Automation to remediate non-compliant instances
C.AWS Lambda and Amazon SNS
D.AWS CloudTrail and Amazon CloudWatch Events
AnswerB

Config detects, Systems Manager automates remediation.

Why this answer

AWS Config can detect non-compliant instances, and AWS Systems Manager Automation can automatically remediate by stopping or terminating them, so Option B is correct. Option A (SCP and CloudTrail) cannot enforce AMI IDs.

Option D (CloudTrail and CloudWatch Events) only logs and reacts to events. Option C (Lambda and SNS) could be used for custom remediation but is not the primary service for this.

125
MCQeasy

A company needs to ensure that all API calls made to AWS are encrypted in transit. Which of the following is the correct way to enforce this?

A.Use an IAM policy with a condition that denies access unless the request uses HTTPS.
B.Configure security groups to allow only HTTPS traffic.
C.Use AWS Key Management Service (KMS) to create a key and require encryption.
D.Enable AWS CloudTrail to log all API calls.
AnswerA

You can attach an IAM policy containing a Deny statement with the condition that the 'aws:SecureTransport' key is 'false', which rejects any request not made over HTTPS and thus enforces encryption for all API calls.

Why this answer

All AWS API endpoints support HTTPS (TLS). Encryption in transit to the AWS APIs is therefore available by default, but the question asks how to ensure that every call actually uses it. The way to do that is to deny any request for which the aws:SecureTransport condition key is false: in a resource-based policy such as an S3 bucket policy, or, for other services, in IAM policies with the same condition, which is Option A. (AWS Certificate Manager provides TLS certificates for your own services, not for calls to the AWS APIs.)

Option B is wrong because security groups do not enforce encryption. Option D is wrong because CloudTrail logs API calls but does not enforce encryption. Option C is wrong because KMS manages encryption keys; it does not enforce HTTPS.

126
MCQmedium

Refer to the exhibit. A security team wants to enforce that passwords expire after 60 days. Which action should be taken?

A.Use the AWS Management Console to change the password policy for each IAM user
B.Create a new IAM user and set the password policy on that user
C.Delete the current password policy and create a new one
D.Use the update-account-password-policy CLI command with --max-password-age 60
AnswerD

This command updates the password policy.

Why this answer

The current MaxPasswordAge is 90 days. To change it to 60, use the update-account-password-policy command with --max-password-age 60. Option A is wrong because the password policy is set at the account level, not per IAM user.

Option B is wrong for the same reason: the policy is account-level and is not attached to a user. Option C is wrong because the existing policy can be modified in place with the CLI; it does not need to be deleted and recreated.

127
MCQeasy

A company has a security policy requiring that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. The DevOps engineer needs to enforce this policy. What is the simplest way to achieve this?

A.Use Amazon Cognito to require MFA for console access.
B.Create an IAM policy that denies all actions unless MFA is present, and attach it to all IAM users or groups.
C.Enable MFA delete on the root account.
D.Enable MFA on the S3 bucket policy.
AnswerB

This policy enforces MFA for all API calls.

Why this answer

Option B is correct because an IAM policy with a condition on aws:MultiFactorAuthPresent being true can be attached to a group or user to deny access when MFA was not used. Option D is wrong because MFA cannot be enforced for console access at the resource level in S3. Option C is wrong because MFA delete only applies to the root user, not to IAM users.

Option A is wrong because Cognito is for application users, not AWS console access.

128
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which KMS key type should the company use to meet this requirement without manual intervention?

A.Customer managed key
B.Imported key material
C.Custom key store (CloudHSM)
D.AWS managed key
AnswerA

Customer managed keys can be configured for automatic annual rotation.

Why this answer

AWS managed keys are automatically rotated every three years, not every year. Customer managed keys can be configured for automatic annual rotation. Imported key material cannot be automatically rotated.

A Custom key store does not support automatic rotation.

129
Multi-Selectmedium

A DevOps engineer is designing a secure CI/CD pipeline. Which TWO of the following are best practices for securing secrets in the pipeline?

Select 2 answers
A.Use encrypted environment variables in CodeBuild.
B.Store secrets in a parameter file in the source repository.
C.Hardcode secrets in CloudFormation template parameters.
D.Use S3 bucket policies to restrict access to secret files.
E.Store secrets in AWS Secrets Manager and retrieve them during the build.
AnswersA, E

CodeBuild supports encrypted environment variables.

Why this answer

Options A and E are correct because AWS Secrets Manager is a secure service for storing secrets, and environment variables in CodeBuild can be encrypted. Option B is wrong because storing secrets in the source repository is insecure. Option D is wrong because S3 bucket policies restrict access but do not encrypt secrets.

Option C is wrong because hardcoding secrets in CloudFormation template parameters is insecure.

130
MCQeasy

A startup wants to provide temporary, limited-privilege AWS access to external contractors who will assist with a project. The contractors do not have AWS accounts. The company wants to avoid creating IAM users for each contractor. They need a solution that allows contractors to log in to the AWS Management Console for a limited time. Which AWS service should the engineer use?

A.Use AWS SSO with an external identity provider, and grant access to an AWS account with a permission set.
B.Create IAM users for each contractor and attach a policy with a condition to expire access after the project.
C.Use Amazon Cognito user pools to create temporary user accounts.
D.Provide the contractors with the root user credentials of a separate AWS account.
AnswerA

AWS SSO allows granting temporary console access to external users.

Why this answer

AWS SSO can be used to grant external users access to AWS accounts via a portal, with temporary credentials. You can invite users as external members in AWS SSO, and they can log in with their own email and receive temporary credentials. IAM roles cannot be directly assumed without AWS credentials.

Cognito is for app users. IAM users would require creating permanent users.

131
Multi-Selecteasy

A company is using AWS KMS to encrypt data. Which TWO statements about AWS KMS key rotation are correct? (Choose TWO.)

Select 2 answers
A.Customer managed keys can be configured for automatic rotation
B.Keys imported into KMS support automatic rotation
C.Automatic rotation is enabled by default for customer managed keys
D.Automatic rotation can be disabled for AWS managed keys
E.AWS managed keys are automatically rotated every year
AnswersA, E

You can enable automatic rotation for customer managed keys.

Why this answer

AWS managed keys are rotated automatically every year. Customer managed keys can have automatic rotation enabled, but it is not enabled by default, so option C is wrong. Option D is wrong because AWS managed keys cannot have automatic rotation disabled.

Option B is wrong because imported key material does not support automatic rotation.

132
Multi-Selecthard

Which THREE services can be used to protect a VPC from malicious traffic? (Choose 3.)

Select 3 answers
A.Network ACLs
B.Security Groups
C.AWS Shield
D.Amazon Route 53 Resolver
E.AWS Network Firewall
AnswersA, B, E

NACLs provide stateless firewall rules at the subnet level.

Why this answer

Network ACLs (NACLs) are stateless, subnet-level firewalls that filter traffic based on rules evaluating source/destination IP, protocol, and port. They provide an additional layer of defense by explicitly allowing or denying inbound and outbound traffic at the subnet boundary, making them a correct choice for protecting a VPC from malicious traffic.

Exam trap

The trap here is that candidates often confuse AWS Shield (a DDoS protection service) with a VPC-level firewall, not realizing it operates at the edge/global layer and does not filter traffic within the VPC itself.

133
MCQhard

An organization wants to enforce that all Amazon S3 buckets are encrypted with SSE-S3. Which AWS service can be used to automatically remediate non-compliant buckets?

A.AWS CloudTrail
B.AWS Config rules with auto-remediation
C.IAM policies
D.AWS Service Catalog
AnswerB

Config can detect non-compliant buckets and trigger remediation.

Why this answer

Option B is correct because AWS Config with managed rules and auto-remediation can enforce encryption. Option C is wrong because IAM can deny unencrypted PUT requests but cannot remediate existing buckets. Option A is wrong because CloudTrail is for logging.

Option D is wrong because Service Catalog is for provisioning approved resources.

134
MCQhard

A company uses AWS Organizations with multiple accounts. The Security team needs to enforce that all newly created S3 buckets in any account are configured with server-side encryption (SSE-S3 or SSE-KMS) and block public access. Which approach should be used?

A.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to remediate noncompliant buckets.
B.Create an IAM policy in each account that denies s3:CreateBucket unless encryption is specified and public access is blocked.
C.Apply a service control policy (SCP) to the root organizational unit that denies s3:CreateBucket unless the request includes the x-amz-server-side-encryption header and the PublicAccessBlockConfiguration.
D.Use AWS Config rules with automatic remediation to delete or remediate noncompliant buckets after creation.
AnswerC

SCPs can be applied at the organization root or to specific OUs to enforce preventive controls across all accounts. This SCP condition ensures that any CreateBucket request must include the required parameters.

Why this answer

Service control policies (SCPs) in AWS Organizations can be used to deny actions that do not include encryption settings or that allow public access. Option B is wrong because IAM policies are account-specific and cannot be applied globally across all accounts from a central location. Option A is wrong because CloudTrail cannot enforce configurations.

Option D is wrong because Config rules can detect noncompliant buckets but not prevent creation.

135
MCQhard

A company's security policy requires that all data in transit between on-premises and AWS is encrypted. Which AWS service provides a dedicated network connection with encryption?

A.AWS Transit Gateway
B.AWS Direct Connect + VPN
C.Amazon VPC peering
D.AWS Site-to-Site VPN over the internet
AnswerB

Combining Direct Connect with an IPSec VPN provides a dedicated encrypted link.

Why this answer

AWS Direct Connect with an IPSec VPN provides a dedicated encrypted connection: Direct Connect on its own is a private link but does not encrypt traffic, and the VPN running over it supplies the encryption. Option B is correct.

136
Multi-Selectmedium

A company wants to implement a least-privilege security model for its IAM users. Which TWO practices should be applied?

Select 2 answers
A.Use IAM policy conditions to restrict access based on IP address or time of day.
B.Use only resource-based policies to manage permissions.
C.Attach the AdministratorAccess managed policy to all IAM users.
D.Use the AWS account root user for daily administrative tasks.
E.Grant permissions based on the specific actions and resources needed.
AnswersA, E

Conditions add granularity to permissions.

Why this answer

Option E is correct because granting only the required permissions is the principle of least privilege. Option A is correct because using conditions can further restrict permissions. Option D is wrong because using the root user for daily tasks is not secure.

Option B is wrong because resource-based policies are not always applicable. Option C is wrong because AdministratorAccess violates least privilege.

137
MCQmedium

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team requires that all artifacts be encrypted at rest and in transit. Which configuration ensures encryption for all stages?

A.Enable AWS KMS encryption on the CodePipeline artifact bucket and use SSH for CodeCommit.
B.Use an AWS Certificate Manager (ACM) certificate for CodeBuild and CodeDeploy endpoints.
C.Enable default encryption on the S3 artifact bucket and ensure all connections use HTTPS.
D.Encrypt the CodePipeline artifact using the pipeline's built-in encryption feature.
AnswerC

Ensures encryption at rest and in transit.

Why this answer

Option C is correct because enabling default encryption on the S3 artifact bucket ensures encryption at rest, and using HTTPS for all endpoints ensures encryption in transit. Option A is wrong because KMS encryption for CodePipeline is not automatic, and CodeCommit already uses HTTPS, so switching to SSH adds nothing. Option B is wrong because an ACM certificate only covers TLS on endpoints and does nothing for artifacts at rest.

Option D is wrong because encryption at rest is not automatically enabled.

138
Multi-Selecthard

A company is using AWS CloudTrail to log API calls across all accounts in AWS Organizations. The security team wants to ensure that CloudTrail logs are not tampered with and are available for forensic analysis. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Disable public access to the S3 bucket using block public access settings.
B.Enable MFA delete on the S3 bucket.
C.Enable CloudTrail log file validation.
D.Use AWS Backup to create backups of the CloudTrail S3 bucket.
E.Enable server-side encryption with AWS KMS (SSE-KMS) on the S3 bucket storing CloudTrail logs.
AnswersC, E

Log file validation allows you to verify that log files have not been modified.

Why this answer

Options C and E are correct. Option C enables log file validation, which provides integrity verification. Option E enables S3 server-side encryption to protect data at rest.

Option D is wrong because CloudTrail does not support AWS Backup. Option A is wrong because blocking S3 public access is good but not sufficient. Option B is wrong because MFA delete adds protection but is not a CloudTrail feature.

139
MCQeasy

A DevOps engineer needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?

A.AWS CloudTrail
B.AWS Config
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerA

Records API calls for auditing.

Why this answer

Option A is correct because AWS CloudTrail records API calls for auditing. Option D is wrong because CloudWatch Logs is for log storage, not recording API calls. Option B is wrong because AWS Config records resource configuration changes.

Option C is wrong because VPC Flow Logs capture network traffic.

140
MCQeasy

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS Network Firewall
D.AWS WAF
AnswerD

Web application firewall for SQL injection, XSS, etc.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It allows you to create rules that filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, URI strings, and SQL injection or cross-site scripting patterns. By integrating with an Application Load Balancer, AWS WAF can inspect incoming traffic and block malicious requests before they reach the EC2 instances.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield or GuardDuty, mistakenly thinking that DDoS protection or general threat detection covers application-layer attacks like SQL injection and XSS, when in fact only a web application firewall (WAF) can inspect and filter HTTP request payloads at Layer 7.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer exploits like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not inspect or filter HTTP request payloads for web exploits. Option C is wrong because AWS Network Firewall is a managed firewall service that filters traffic at the network and transport layers (Layer 3/4) using stateful inspection and intrusion prevention, but it does not provide application-layer (Layer 7) inspection for SQL injection or XSS patterns.

141
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. They need to ensure that all resources created by CloudFormation are tagged with a 'CostCenter' tag. The tag must be applied automatically to all resources in the stack. What should they do?

A.Use AWS Service Catalog to enforce tagging on all products.
B.Create an AWS Config rule to detect untagged resources and trigger auto-remediation.
C.Specify the tag in the CloudFormation stack's Tags parameter, which applies the tag to all resources in the stack.
D.Use a custom Lambda function as a CloudFormation hook to tag resources after creation.
AnswerC

Stack-level tags are automatically applied to all resources that support tagging during creation.

Why this answer

Option C is correct because CloudFormation allows you to specify stack-level tags in the Tags parameter when creating or updating a stack. These tags are automatically propagated to all resources that support tagging within the stack, ensuring consistent cost allocation without additional custom logic or post-creation remediation.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing a reactive or custom approach (like AWS Config rules or Lambda hooks) when CloudFormation provides a built-in, declarative mechanism to apply tags automatically at stack creation time.

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog is a service for creating and managing a catalog of approved products, not for enforcing tags on CloudFormation stacks directly; it can apply tags to provisioned products but does not automatically tag all resources within a stack. Option B is wrong because AWS Config rules are reactive—they detect non-compliant resources after creation and can trigger auto-remediation, but they do not prevent the initial creation of untagged resources and add latency and complexity. Option D is wrong because using a custom Lambda function as a CloudFormation hook to tag resources after creation is an unnecessary workaround; CloudFormation natively supports stack-level tags that are applied at creation time, making a custom hook redundant and less efficient.

142
Multi-Selectmedium

A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)

Select 2 answers
A.Create an SCP to deny cloudtrail:UpdateTrail.
B.Create an IAM policy in each member account to deny cloudtrail:StopLogging.
C.Create an SCP to deny s3:DeleteObject on the CloudTrail log bucket.
D.Enable AWS CloudTrail from the management account with organization trail.
E.Create an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail.
AnswersC, E

This prevents deletion of log files.

Why this answer

Option C is correct because an SCP that denies s3:DeleteObject on the CloudTrail log bucket prevents member accounts from deleting log files stored in S3, even if they have full administrative permissions. This is a critical control to ensure log integrity and compliance with security policies. Option E is correct because denying cloudtrail:StopLogging and cloudtrail:DeleteTrail blocks the API calls that would turn logging off or remove the trail; denying only cloudtrail:UpdateTrail (option A) leaves those paths open.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies in member accounts can enforce controls, or they overlook that denying UpdateTrail is insufficient because StopLogging and DeleteTrail are separate actions that must also be blocked.

143
MCQhard

A DevOps engineer runs the command above and gets the output shown. The engineer then tries to delete a versioned object from the bucket without using MFA. What will happen?

A.The delete request will fail with an AccessDenied error.
B.The object will be permanently deleted.
C.The object will be deleted but can be recovered from the 'Delete Markers' list.
D.The object will be deleted and a new version will be created.
AnswerA

MFA Delete requires MFA to delete object versions.

Why this answer

Option A is correct because MFA Delete is enabled, so deleting a versioned object requires MFA and the request fails with AccessDenied. Option B is wrong because versioning is enabled, so objects are not permanently deleted without MFA. Option C is wrong because the delete is rejected outright, so no delete marker is created to recover from.

Option D is wrong because the delete fails without MFA, so no new version is created.

144
MCQmedium

A company uses Amazon Inspector to assess the security of EC2 instances. The security team receives an alert that a high-severity vulnerability (CVE-2023-XXXX) was found on an EC2 instance running a critical application. The application is behind an Application Load Balancer (ALB) and uses an Auto Scaling group. The vulnerability has a known patch, but patching requires a reboot. The security team needs to remediate the vulnerability with minimal downtime. Which approach should the team take?

A.Create a new launch template with an updated AMI that includes the patch. Update the Auto Scaling group to use the new launch template and perform a rolling update.
B.Remove the instance from the Auto Scaling group, disable health checks on the ALB, and apply the patch manually.
C.Use AWS Systems Manager Patch Manager to apply the patch on the instance without rebooting, then verify the vulnerability is resolved.
D.Stop the vulnerable instance, apply the patch, and start it again. Re-register it with the ALB.
AnswerA

This replaces instances with patched ones without downtime.

Why this answer

Option A is correct because creating a new launch template with the patched AMI, updating the Auto Scaling group, and performing a rolling update ensures that instances are replaced with minimal downtime. Option D is incorrect because stopping and patching the instance would cause downtime for that specific instance, and it may not be in the Auto Scaling group. Option C is incorrect because the patch requires a reboot, so applying it without rebooting does not reliably remediate the vulnerability or ensure a clean state.

Option B is incorrect because disabling the ALB health check would cause traffic to be sent to the vulnerable instance, increasing risk.

145
MCQmedium

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a critical application. Which security practice should the engineer implement to prevent unauthorized changes to the pipeline?

A.Encrypt the pipeline artifacts using AWS KMS
B.Use SNS to send notifications when the pipeline is updated
C.Attach an IAM policy that uses a condition to allow only specific users or roles to modify the pipeline
D.Enable AWS CloudTrail and create a CloudWatch Events rule to notify on pipeline changes
AnswerC

IAM policies can restrict pipeline updates to authorized principals.

Why this answer

Option C is correct because IAM conditions restrict pipeline modifications to authorized users or roles. Option D is wrong because CloudTrail and CloudWatch Events detect changes but don't prevent them. Option B is wrong because pipeline notifications inform but don't prevent.

Option A is wrong because encrypting artifacts doesn't prevent pipeline changes.

146
MCQeasy

A company uses AWS Organizations with multiple accounts. The security team has implemented an SCP that denies the creation of IAM users. However, a developer in the 'development' account was able to create an IAM user. The DevOps engineer is asked to investigate. The SCP is attached to the root organizational unit (OU) and also to the 'development' OU. The 'development' account is a member of the 'development' OU. The SCP effect is 'Deny' on the 'iam:CreateUser' action. The developer's IAM permissions are managed by an IAM policy that allows 'iam:*'. The engineer checks CloudTrail and sees that the CreateUser API call succeeded. What is the most likely reason?

A.The 'development' account is the management account of the organization, so SCPs do not apply to it.
B.The SCP is attached at the root OU but not inherited by the 'development' OU due to an explicit deny on inheritance.
C.The SCP is not effective because the developer's IAM policy explicitly allows iam:CreateUser and SCPs cannot override explicit allows.
D.The SCP is not applied because the account has a resource-based policy that overrides the SCP.
AnswerA

SCPs do not affect the management account.

Why this answer

SCPs do not affect the management account of AWS Organizations. The 'development' account might be the management account. If it is, SCPs do not apply.

Option C is incorrect because an explicit allow in an IAM policy cannot override an SCP deny. Option D is incorrect because SCPs are not resource-based policies and cannot be overridden by one. Option B is incorrect because SCPs attached to the root are inherited by every OU beneath it; there is no mechanism to deny inheritance, so the management account remains the most likely explanation.

147
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose 2.)

Select 2 answers
A.Amazon S3
B.Amazon CloudWatch
C.AWS Organizations
D.AWS Control Tower
E.AWS Lambda
AnswersC, D

Organizations allows central management of service control policies (SCPs).

Why this answer

AWS Organizations allows you to centrally manage and enforce security policies across multiple accounts by using Service Control Policies (SCPs). SCPs define the maximum permissions for accounts in an organization, enabling you to restrict access to services or actions without requiring per-account configuration. AWS Control Tower provides a managed service that automates the setup of a multi-account environment with pre-built guardrails, which are implemented using SCPs and AWS Config rules to enforce security and compliance policies consistently.

Exam trap

The trap here is that candidates often confuse AWS Organizations with AWS Control Tower, thinking they are mutually exclusive, but Control Tower actually builds on Organizations to provide a higher-level managed governance solution, making both correct for central policy enforcement.

148
MCQmedium

A security audit reveals that EC2 instances have security groups with overly permissive inbound rules allowing all traffic (0.0.0.0/0) on SSH port 22. What is the BEST way to remediate this at scale?

A.Use AWS Config with a managed rule to detect and auto-remediate.
B.Apply a service control policy (SCP) to deny opening port 22.
C.Manually update each security group to restrict SSH to known IPs.
D.Use CloudWatch Events to trigger a Lambda function that modifies security groups.
AnswerA

Automated detection and remediation at scale.

Why this answer

Option A is correct because AWS Config with a managed rule like 'restricted-ssh' can detect and remediate non-compliant security groups. Option C is wrong because manually updating is not scalable. Option B is wrong because SCPs do not control security group rules directly.

Option D is wrong because a Lambda function triggered by CloudWatch Events could work, but AWS Config provides built-in remediation.

149
Multi-Selecthard

A company needs to enforce that all IAM users must use multi-factor authentication (MFA) to perform any AWS Console actions. Which TWO steps should be taken to enforce this?

Select 2 answers
A.Attach the policy to all IAM users or a group containing all users
B.Create an SCP in AWS Organizations
C.Create an IAM policy that uses the aws:MultiFactorAuthPresent condition key to deny access if false
D.Set an account alias for the root user
E.Enable CloudTrail to log MFA usage
AnswersA, C

The policy must be applied to users to take effect.

Why this answer

To enforce MFA, you need an IAM policy that denies actions if MFA is not present, and you must attach that policy to all users or to a group containing them. Creating an SCP can enforce this across accounts but is not needed for a single account. CloudTrail does not enforce.

Account alias is unrelated.

150
Multi-Selecthard

Which THREE AWS services can be used to centrally manage and enforce security policies across multiple accounts in AWS Organizations? (Select THREE.)

Select 3 answers
A.AWS Config Conformance Packs
B.AWS Organizations Service Control Policies (SCPs)
C.AWS Systems Manager
D.AWS CloudTrail
E.AWS Firewall Manager
AnswersA, B, E

Conformance packs can enforce compliance rules across accounts.

Why this answer

AWS Config Conformance Packs enable you to deploy and enforce a collection of AWS Config rules and remediation actions across multiple accounts and Regions in an AWS Organization. They provide a centralized way to ensure that resources comply with internal policies by using a YAML template that defines the rules and parameters, which are then applied to all member accounts via AWS Config aggregators and StackSets.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (audit logging) with a policy enforcement tool, or assume AWS Systems Manager can centrally enforce security policies across accounts, when it is actually designed for operational tasks like patch management and automation, not policy governance.
