CCNA Security and Compliance Questions

75 of 288 questions · Page 3/4 · Security and Compliance · Answers revealed

151
Multi-Select · easy

Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)

Select 2 answers
A. Enable S3 Server-Side Encryption (SSE-S3 or SSE-KMS)
B. Enable cross-region replication
C. Enable MFA Delete on the bucket
D. Create a bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header
E. Use S3 Transfer Acceleration
Answers: A, D

SSE encrypts data at rest.

Why this answer

S3 Server-Side Encryption (SSE) and S3 Bucket Policies to deny unencrypted PUT requests are measures to protect data at rest. MFA Delete protects against accidental deletion, not encryption. Cross-region replication is for disaster recovery.

S3 Transfer Acceleration speeds up uploads.

152
MCQ · easy

A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?

A. Use SSE-C with a customer-provided key when uploading logs to S3.
B. Enable client-side encryption before delivering logs to S3.
C. Enable default encryption on the S3 bucket using SSE-S3.
D. Specify a KMS key ID in the CloudTrail trail configuration and grant CloudTrail permissions to use the key.
Answer: D

Correct: CloudTrail can use a customer-managed KMS key for encryption.

Why this answer

Option D is correct because CloudTrail supports SSE-KMS with a customer-managed key: the key is specified in the trail configuration and CloudTrail is granted permission to use it. Option C is wrong because SSE-S3 uses S3-managed keys, not a customer-managed KMS key. Option A is wrong because SSE-C requires customer-provided keys, which CloudTrail does not support.

Option B is wrong because CloudTrail does not support client-side encryption.

153
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?

A. The bucket 'example-bucket' does not exist in the account.
B. The policy uses 'aws:SourceIp' which is not supported for S3.
C. The IP address 10.0.0.5 is not in the allowed range.
D. The policy does not grant s3:ListBucket permission, which is required to access objects.
Answer: D

GetObject alone may not be sufficient if the user needs to list first.

Why this answer

Option D is correct: the policy grants s3:GetObject but not s3:ListBucket, and listing the bucket is required before the object can be found and downloaded. Option B is a distractor: 'aws:SourceIp' is evaluated for requests authenticated via IAM and simply does not apply to anonymous requests, so it is not the cause here.

Option C is wrong because the IP address is within the allowed range. Option A is wrong because the bucket exists.

154
MCQ · medium

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateVpc","Resource":"*"}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:*","Resource":"*"}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:DeleteVpc"],"Resource":"*"}]}
Answer: B

Denies only VPC creation and modification, allowing use of existing VPCs.

Why this answer

Option B is correct because an SCP that denies ec2:CreateVpc and ec2:ModifyVpc, while leaving all other actions allowed, meets the requirement. Option C would block all EC2 actions. Option A denies only CreateVpc but not ModifyVpc.

Option D does not deny ec2:ModifyVpc, so it is too permissive.

155
MCQ · hard

A company uses a centralized AWS KMS customer master key (CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the CMK can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?

A. Attach an IAM policy to the IAM roles in the member accounts that allows kms:Decrypt on the CMK.
B. Add a statement to the KMS key policy that grants the IAM roles in the member accounts permission to use the key.
C. Create a service control policy (SCP) that allows kms:Decrypt for the CMK.
D. Use a VPC endpoint policy for KMS to allow access from the member accounts' VPCs.
Answer: B

The key policy must explicitly allow the external accounts (or their IAM roles) to use the key. Then, the member accounts can delegate that permission to their roles via IAM policies.

Why this answer

To allow cross-account use of a KMS CMK, you must add a key policy that grants the necessary permissions to the IAM roles in the member accounts. The key policy should include a statement that allows the root user of the member accounts to delegate permissions, and then the member accounts must create IAM policies that grant their roles access. Option A is wrong because the key policy must explicitly allow the member accounts.

IAM policies in the member account alone are not sufficient without a key policy allowing the account. Option C is wrong because SCPs cannot grant permissions; they only deny.

156
MCQ · medium

Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?

A. Encrypted data with a KMS key.
B. Rotated a KMS key.
C. Created a new KMS key.
D. Deleted a KMS key.
Answer: C

The event name is CreateKey and the resource is a KMS key.

Why this answer

Option C is correct because the event name is CreateKey and the resource is a KMS key. Option A is wrong because the event is not an encryption operation. Option B is wrong because the event is not a key rotation.

Option D is wrong because the event is not a key deletion.

157
MCQ · hard

A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?

A. The CloudTrail trail is not configured to deliver to the central bucket from all regions
B. The S3 bucket policy contains a deny condition that requires aws:SecureTransport to be true, but CloudTrail uses HTTP
C. The IAM role used by CloudTrail does not have s3:PutObject permission
D. The S3 bucket policy denies access unless the PutObject request includes the x-amz-server-side-encryption header with value AES256
Answer: D

If the bucket policy requires the encryption header, and CloudTrail does not send it (since bucket has default encryption), the request is denied.

Why this answer

If the bucket's default encryption is SSE-S3, CloudTrail can write without issue. However, if the bucket policy denies writes that do not include encryption headers, but CloudTrail does not include them by default, then logs will be denied. The missing logs suggest a policy conflict.

Option D is the most direct cause: CloudTrail does not include the required encryption header by default, so a bucket policy that demands it denies the delivery requests.

158
Multi-Select · medium

A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)

Select 2 answers
A. Enable AWS CloudTrail to log all S3 API calls and send alerts when noncompliant buckets are created.
B. Use AWS Config managed rules to detect noncompliant buckets and automatically remediate by applying encryption and blocking public access.
C. Attach an IAM permissions boundary to all users that prevents them from creating or modifying S3 buckets.
D. Apply an S3 bucket policy to each existing bucket that denies all access unless encryption is enabled.
E. Create an SCP that denies the s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption actions when the required settings are not specified.
Answers: B, E

AWS Config can detect and auto-remediate.

Why this answer

AWS Config managed rules (e.g., s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited) can automatically detect noncompliant S3 buckets. Combined with AWS Config auto-remediation using Systems Manager Automation documents, the team can enforce encryption and block public access without manual intervention, ensuring all current and future buckets remain compliant.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive or corrective controls (like AWS Config auto-remediation or SCPs), leading them to select Option A instead of the automated enforcement mechanisms that actually fix noncompliant buckets.

159
MCQ · medium

A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?

A. Disable default encryption on the S3 bucket and configure the Lambda to use SSE-S3.
B. Add an inline policy to the Lambda role that allows kms:GenerateDataKey and kms:Encrypt actions for the KMS key.
C. Grant the Lambda role s3:PutObject permission on the bucket.
D. Modify the KMS key policy to allow the Lambda role to use the key without any conditions.
Answer: B

The role needs permissions to use the KMS key for encrypting S3 objects.

Why this answer

Even if the S3 bucket has default encryption, the Lambda function needs kms:GenerateDataKey permission (or kms:Encrypt) in its IAM role to encrypt objects when writing. The key policy allows the role, but the role's permissions policy must also include the necessary KMS actions. The error indicates that the role lacks the appropriate KMS action.
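The two-sided authorization that questions 155 and 159 turn on (a key policy in the key-owning account plus an identity policy in the caller's account) can be modelled in a few lines. The following is an added example written for this page, not AWS code or the AWS policy engine; the account IDs, key ARN, role name and policies are constructed, and the model ignores conditions, grants and Deny statements. It treats the key policy as reaching a caller either by naming the caller directly or by naming the caller's account root, and requires the caller's own identity policy to allow the action whenever the key policy only delegates through the root or the caller is in another account.

```python
"""
Model of KMS key policy + identity policy evaluation for questions 155 and 159.
Simplified: no conditions, no KMS grants, no explicit Deny statements.
"""
import fnmatch

KEY_ACCOUNT = "111122223333"     # constructed: security account that owns the key
MEMBER_ACCOUNT = "444455556666"  # constructed: member account running the workload
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_ACCOUNT}:key/KEY-ID-PLACEHOLDER"
MEMBER_ROLE = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/app-role"  # constructed role ARN
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _account_of(arn):
    return arn.split(":")[4]


def key_policy(use_principals):
    """Key policy: the owner's root keeps administration; use_principals may use the key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
         "Principal": {"AWS": use_principals},
         "Action": USE_ACTIONS, "Resource": "*"},
    ]}


def identity_policy(actions):
    """Identity policy attached to the caller's role in its own account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": KEY_ARN}]}


def _key_policy_reaches(policy, principal_arn, action):
    """'direct' if the principal is named, 'account' if only its root is, else None."""
    root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    reach = None
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action):
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if principal_arn in principals:
            return "direct"
        if root in principals:
            reach = "account"
    return reach


def _identity_policy_allows(policy, action, resource):
    return any(stmt["Effect"] == "Allow" and _matches(stmt["Action"], action)
               and resource in _as_list(stmt["Resource"])
               for stmt in policy["Statement"])


def kms_request_allowed(kpolicy, principal_arn, ipolicy, action):
    """Return (allowed, reason) for one KMS API call made by principal_arn."""
    reach = _key_policy_reaches(kpolicy, principal_arn, action)
    if reach is None:
        return (False, "key policy grants neither the principal nor its account root")
    if reach == "direct" and _account_of(principal_arn) == KEY_ACCOUNT:
        return (True, "key policy names the principal directly in the key's own account")
    # Delegated through the account root, or a cross-account caller:
    # the caller's identity policy must allow the action as well.
    if not _identity_policy_allows(ipolicy, action, KEY_ARN):
        return (False, f"identity policy in the caller's account does not allow {action}")
    return (True, "key policy reaches the caller's account and its identity policy allows the action")


def s3_put_with_sse_kms(kpolicy, ipolicy):
    """Writing an SSE-KMS object makes S3 call kms:GenerateDataKey on the caller's behalf."""
    return kms_request_allowed(kpolicy, MEMBER_ROLE, ipolicy, "kms:GenerateDataKey")


if __name__ == "__main__":
    kp = key_policy(f"arn:aws:iam::{MEMBER_ACCOUNT}:root")
    print(s3_put_with_sse_kms(kp, identity_policy(["kms:Decrypt"])))
    print(s3_put_with_sse_kms(kp, identity_policy(["kms:Decrypt", "kms:GenerateDataKey"])))
```

The first call reproduces the failure in question 159: the key policy reaches the member account, but a role that holds only kms:Decrypt cannot have S3 generate a data key for it. Granting the member account's root in the key policy, as in question 155, still does nothing for a role whose identity policy lacks the action.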

160
MCQ · hard

A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?

A. Modify the custom resource to use the EC2 instance profile instead of a Lambda function.
B. Add an inline policy to the Lambda execution role that allows s3:PutBucketPolicy and ensure the bucket policy allows the EC2 instance role.
C. Attach a policy to the EC2 instance role that allows s3:GetObject on the bucket.
D. Update the Lambda execution role to include s3:PutBucketPolicy and add a bucket policy that grants s3:GetObject to the EC2 instance role.
Answer: D

Fixes both Lambda permission and bucket access.

Why this answer

Option D is correct because the Lambda function needs an IAM role with permission to call s3:PutBucketPolicy, and the bucket policy must allow the EC2 instance role to read. Option B is wrong because adding an inline policy to the Lambda role is correct but does not by itself address the bucket policy. Option A is wrong because using the instance profile directly for a custom resource is not typical.

Option C is wrong because the Lambda function itself needs permissions, not the EC2 instance.

161
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?

A. Use an S3 bucket policy to enforce encryption for backup files.
B. Enable encryption for the RDS instance using AWS KMS.
C. Enable encryption on automated backups only after creating a snapshot.
D. Enable encryption on the underlying EBS volumes using KMS.
Answer: B

Encrypts data at rest, automated backups, and snapshots.

Why this answer

Option B is correct because enabling encryption on the RDS instance encrypts the data, automated backups, and snapshots. Option D is wrong because encrypting the storage separately is not sufficient; RDS encryption is needed. Option C is wrong because snapshot encryption does not encrypt the live database.

Option A is wrong because RDS does not use S3 bucket policies for backup encryption.

162
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?

A. Use an AWS Config managed rule to detect non-compliant buckets and trigger a remediation Lambda function.
B. Enable AWS CloudTrail and create a metric filter to alert on bucket creation, then manually review.
C. Apply an S3 bucket policy in each account that denies s3:PutBucketPublicAccessBlock with a condition.
D. Attach an SCP to the organization root that denies s3:CreateBucket unless the request includes 's3:PutBucketPublicAccessBlock'.
Answer: D

Preventive and scalable.

Why this answer

Option D is correct because a service control policy (SCP) can deny the creation of S3 buckets without the block public access settings, and it applies to all accounts in the organization. Option A is wrong because AWS Config is reactive, not preventive.

Option C is wrong because it requires configuring each account individually. Option B is wrong because CloudTrail is for auditing, not prevention.

163
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?

A. Use an SCP to deny s3:PutBucketEncryption with encryption disabled, and AWS Config rules to detect non-compliant buckets.
B. Attach an IAM policy to all users denying s3:PutObject without KMS.
C. Use an SCP to deny s3:CreateBucket without encryption, and rely on CloudTrail to alert.
D. Use AWS Config rules only, with automatic remediation via Lambda.
Answer: A

SCP prevents non-compliant creation, Config detects existing violations.

Why this answer

Option A is correct because it combines preventive and detective controls. An SCP can deny the s3:PutBucketEncryption action unless the bucket is configured with KMS encryption, which prevents non-compliant buckets from being created or modified. AWS Config rules then detect any existing non-compliant buckets or changes that bypass the SCP, providing continuous compliance monitoring.

Exam trap

The trap here is that candidates often confuse object-level encryption (s3:PutObject) with bucket-level default encryption (s3:PutBucketEncryption), and fail to realize that an SCP is needed for preventive enforcement, not just detective or reactive controls.

How to eliminate wrong answers

Option B is wrong because it only controls s3:PutObject, which enforces encryption at the object level but does not prevent creation of unencrypted buckets or enforce bucket-level default encryption settings. Option C is wrong because relying solely on CloudTrail alerts provides only detective control after the fact, with no preventive enforcement to block non-compliant bucket creation. Option D is wrong because AWS Config rules with automatic remediation are reactive and may have a delay, whereas a preventive SCP is needed to block non-compliant actions in real time.

164
MCQ · hard

A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a KMS CMK. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?

A. The KMS key policy does not grant the Lambda execution role permission to use the key.
B. The Lambda function code is trying to decrypt the wrong ciphertext.
C. The KMS key has been disabled or scheduled for deletion.
D. The Lambda function is not in a VPC, and the KMS key is restricted to VPC endpoints.
Answer: A

Even if IAM policy allows, key policy must also allow.

Why this answer

To decrypt environment variables, Lambda calls kms:Decrypt on the key; kms:GenerateDataKey is not needed for this. One possibility is that the execution role's kms:Decrypt permission does not cover the specific key alias or ARN.

The key policy grants full access to the account root user. That does not automatically extend to IAM roles: a role can use the key only if the key policy grants it (or delegates to it), and that statement is missing here. Option A is correct.

Option D is about VPC and is not relevant. Option C is about the key being disabled, but that would produce a different error. Option B is about the function code, but the error is an access denial.

165
MCQ · hard

A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?

A. The SCP requires an explicit allow statement in the IAM policy to override the deny.
B. The IAM role does not have permission to tag resources.
C. The CreateTable API does not accept tags in the request; tags must be added after creation using the TagResource API.
D. The SCP is not applied to the development account because it is in a different OU.
Answer: C

The CreateTable API does not support tagging at creation. The SCP condition fails because the tag is not present in the request.

Why this answer

Option C is correct because the `CreateTable` API in DynamoDB does not accept tags as part of the request parameters when creating a table. Tags can only be added after the table is created using the `TagResource` API or the `aws dynamodb tag-resource` CLI command. Since the SCP uses `aws:RequestTag` to require the tag on the initial request, and the `CreateTable` call cannot include tags, the request is denied regardless of whether the developer intended to include the tag.

Exam trap

The trap here is that candidates assume all AWS resource creation APIs support inline tagging, but DynamoDB's `CreateTable` does not, leading to a false belief that including the tag in the CLI command would satisfy the SCP condition.

How to eliminate wrong answers

Option A is wrong because SCPs do not require an explicit allow statement in IAM policies to override a deny; SCPs act as a boundary that cannot be overridden by any IAM policy within the account. Option B is wrong because the issue is not about the IAM role lacking permission to tag resources; the SCP denies the CreateTable action itself because the request cannot include the required tag, not because the role lacks tagging permissions. Option D is wrong because the SCP is applied to the development account via AWS Organizations, and the error occurs, confirming the SCP is in effect; being in a different OU does not prevent SCP application if the SCP is attached to the root or the OU containing the account.

166
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?

A. AWS Security Hub
B. Amazon Inspector
C. Amazon ECR image scanning
D. AWS Config
Answer: C

ECR can automatically scan images on push.

Why this answer

Amazon ECR image scanning is the correct service because it is a native feature of Amazon ECR that automatically scans Docker images for software vulnerabilities (CVEs) when they are pushed to the repository. This scanning uses the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project and can be configured to trigger on push, making it the ideal choice for integrating vulnerability scanning directly into a CI/CD pipeline before deployment.

Exam trap

The trap here is that candidates confuse Amazon Inspector (which scans running containers for runtime vulnerabilities) with ECR image scanning (which scans the image at rest in the registry), leading them to select Inspector instead of the correct ECR-native feature.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like GuardDuty, Inspector, and Macie) but does not perform its own image vulnerability scanning. Option B is wrong because Amazon Inspector is designed for host-level vulnerability scanning of EC2 instances and container workloads running on ECS/EKS, not for scanning container images stored in ECR. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against compliance rules (e.g., ensuring ECR repositories are private), not for scanning images for software vulnerabilities.

167
MCQ · medium

A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?

A. The S3 bucket is accessed through a VPC endpoint that does not support TLS.
B. The application's IAM role does not have s3:GetObject permission.
C. The bucket policy requires a specific TLS version that the application does not support.
D. The application is using HTTP instead of HTTPS to connect to S3.
Answer: D

If the application makes requests over HTTP, they will not satisfy the aws:SecureTransport condition and will be denied by the bucket policy.

Why this answer

The bucket policy requires TLS, meaning all requests must be made over HTTPS. If the application is using HTTP instead of HTTPS, the request will be denied. The AWS SDK by default uses HTTPS for S3 endpoints, but if the endpoint URL is explicitly set to HTTP or if the SDK configuration is changed, it could cause the issue.

Option C is wrong because the bucket policy does not require a specific TLS version or cipher suite. Option B is wrong because the IAM role can access S3 if it has the right permissions. Option A is wrong because VPC endpoints do not affect the TLS requirement.

Option D is correct: if the application is using HTTP, it violates the bucket policy condition.
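Questions 151, 153, 157 and 167 all hinge on how a bucket policy Deny statement with a condition is matched against the request context: a missing encryption header, an aws:SecureTransport value of false, or a source IP outside a range. The following mini evaluator is an added example written for this page, not AWS code; the bucket policy, ARNs, IP ranges and request contexts are constructed, and only the three condition operators these scenarios need are implemented. It follows the AWS rule that a negated operator (StringNotEquals, NotIpAddress) matches when the key is absent from the request, while a positive operator (Bool) does not, which is exactly why an SSE header the caller never sends trips the deny.

```python
"""
Mini evaluator for S3 bucket-policy Deny statements with conditions.
Not the AWS policy engine: no Allow evaluation, no identity policies,
only StringNotEquals, Bool and NotIpAddress, and deny-overrides.
"""
import fnmatch
import ipaddress

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed

# Constructed policy combining the guardrails from the questions above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, candidate):
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def _in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_matches(condition, ctx):
    """True when every operator/key pair in the condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", i.e. it matches.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "NotIpAddress":
                if actual is not None and _in_cidrs(actual, expected):
                    return False
            elif operator == "Bool":
                # Positive operator: a missing key never matches.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate_bucket_policy(policy, action, resource, ctx):
    """Return ('Deny', sid) for the first matching Deny statement, else ('NoDeny', None)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return ("Deny", stmt["Sid"])
    return ("NoDeny", None)


LOG_OBJECT = f"{BUCKET_ARN}/AWSLogs/111122223333/CloudTrail/log.json.gz"  # constructed
DATA_OBJECT = f"{BUCKET_ARN}/reports/q1.csv"                               # constructed


def cloudtrail_delivery(with_header):
    """CloudTrail PutObject over TLS, with or without the SSE header (question 157)."""
    ctx = {"aws:SecureTransport": "true"}
    if with_header:
        ctx["s3:x-amz-server-side-encryption"] = "AES256"
    return evaluate_bucket_policy(BUCKET_POLICY, "s3:PutObject", LOG_OBJECT, ctx)


def app_download(source_ip, https):
    """Application GetObject from a given IP over HTTP or HTTPS (questions 153 and 167)."""
    ctx = {"aws:SecureTransport": "true" if https else "false", "aws:SourceIp": source_ip}
    return evaluate_bucket_policy(BUCKET_POLICY, "s3:GetObject", DATA_OBJECT, ctx)


if __name__ == "__main__":
    print(cloudtrail_delivery(with_header=False))
    print(app_download("10.0.0.5", https=False))
    print(app_download("192.0.2.7", https=True))
```

A "NoDeny" result only means this bucket policy does not block the request; the caller's identity policy must still grant the action for it to succeed.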

168
MCQ · hard

Given the above AWS CLI command output, which actions are allowed for the specified policy?

A. Only s3:GetObject is allowed
B. ec2:DescribeInstances and s3:GetObject are allowed; s3:ListBucket is denied
C. Only ec2:DescribeInstances is allowed
D. All three actions are allowed
Answer: B

The policy allows ec2:Describe* and s3:GetObject, so only those are allowed.

Why this answer

The simulate-custom-policy command tests the specified policy against the given actions and resources. For ec2:DescribeInstances, the action is allowed (ec2:Describe* covers it). For s3:GetObject, the action is allowed.

For s3:ListBucket, the action is not allowed because the policy only allows s3:GetObject, not s3:ListBucket. So two of the three actions are allowed and one is denied: option B is correct.

169
MCQ · medium

A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?

A. Enable VPC Flow Logs for the ECS cluster's VPC.
B. Enable Amazon S3 server access logs for the artifact bucket used by CodePipeline.
C. Enable AWS CloudTrail to record all API calls made by CodePipeline.
D. Enable Amazon CloudWatch Logs for the CodePipeline.
Answer: C

CloudTrail records API calls for auditing.

Why this answer

Option C is correct because CloudTrail logs all API calls, including those made by CodePipeline. Option A is wrong because VPC Flow Logs record network traffic, not deployment actions. Option D is wrong because CloudWatch Logs captures application logs, not API calls.

Option B is wrong because S3 server access logs record requests to the bucket, not pipeline actions.

170
MCQ · hard

A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?

A. Enable S3 server access logging on each bucket and aggregate logs into a central bucket
B. Enable AWS CloudTrail with data events for S3 and send logs to CloudWatch Logs
C. Use VPC Flow Logs to capture traffic to S3
D. Use AWS Config rules to track bucket access and publish to SNS
Answer: B

CloudTrail data events log all S3 object-level operations centrally.

Why this answer

Using AWS CloudTrail with data events for S3 provides detailed, centralized logging of object-level operations. Option A is wrong because S3 server access logging must be enabled per bucket and stored in another bucket, which is less scalable across thousands of buckets. Option D is wrong because Config rules detect configuration changes but do not log access.

Option C is wrong because VPC Flow Logs only capture network traffic, not S3 API calls.

171
MCQ · hard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?

A. Use AWS WAF with an IP set rule to block the malicious IP addresses.
B. Configure network ACLs on the ALB's subnet to block the malicious IPs.
C. Use AWS Network Firewall to inspect and block traffic at the VPC level.
D. Configure security groups to deny inbound traffic from the malicious IP addresses.
Answer: A

AWS WAF integrates with ALB and can block IPs via IP sets.

Why this answer

Option A is correct because AWS WAF integrated with the ALB can block malicious IPs at the application layer. Option D is wrong because security groups are stateful and filter only by IP/CIDR, and managing large lists in them is cumbersome. Option B is wrong because NACLs are stateless and not suited to fine-grained IP blocking at the application layer.

Option C is wrong because Network Firewall is for VPC-level inspection, not specifically for ALB.

172
MCQ · medium

A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?

A. Store credentials in AWS Systems Manager Parameter Store as SecureString.
B. Encrypt credentials with AWS KMS and store them in a versioned S3 bucket.
C. Embed credentials as environment variables in the ECS task definition.
D. Store credentials in AWS Secrets Manager and configure automatic rotation.
Answer: D

Secrets Manager supports automatic rotation and encryption with KMS.

Why this answer

AWS Secrets Manager provides built-in automatic rotation and encryption using AWS KMS, so option D is correct. Option A is wrong because Parameter Store does not natively support automatic rotation.

Option B is wrong because manually rotating KMS-encrypted files in S3 increases operational overhead. Option C is wrong because storing credentials in environment variables is insecure and does not rotate them.

173
MCQ · easy

An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?

A. Store AWS access keys in the application configuration
B. Create an IAM role with a policy allowing only necessary S3 actions and attach it to the EC2 instance
C. Use an S3 bucket policy to allow access from the EC2 instance's public IP
D. Configure the EC2 security group to allow outbound access to S3
Answer: B

IAM roles provide temporary credentials and follow least privilege.

Why this answer

The best practice is to create an IAM role with a policy that grants only the required S3 actions and attach the role to the EC2 instance. This avoids using long-term credentials. Access keys are long-term and insecure.

A bucket policy can be used but is not the most secure choice for instance access. A security group controls network access, not API authorization.

174
Multi-Select · medium

A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Store logs in Amazon CloudWatch Logs.
B. Enable server-side encryption with S3-managed keys (SSE-S3).
C. Enable CloudTrail log file validation.
D. Enable S3 Object Lock on the S3 bucket storing the logs.
E. Use AWS KMS to encrypt the logs.
Answers: C, D

Creates digest files to verify log integrity.

Why this answer

Options C and D are correct. Enabling log file validation makes CloudTrail create digest files for integrity verification. Enabling S3 Object Lock prevents the logs from being deleted or overwritten.

Option B: SSE-S3 provides encryption but not tamper-proofing. Option A: CloudWatch Logs does not provide file integrity verification. Option E: KMS encryption provides confidentiality, not integrity.
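The digest mechanism behind log file validation (question 174) is easier to reason about with a working model: each hourly digest lists the SHA-256 of every log file delivered in that hour plus the signature of the previous digest, and is itself signed, so a verifier can re-hash the files, check every signature and walk the chain. The code below is an added example written for this page, not CloudTrail's own format or tooling; the log contents, object names and account ID are constructed, and an HMAC-SHA256 with a constructed key stands in for the RSA key pair CloudTrail actually uses to sign digests.

```python
"""
Simplified model of a CloudTrail-style digest chain and its verification.
Detects a modified log file, a missing log file, and a removed digest.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for CloudTrail's private key
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"  # constructed


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _sign(body):
    serialized = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, serialized, hashlib.sha256).hexdigest()


def build_digest(log_files, previous_digest=None):
    """One digest covering log_files (name -> bytes), chained to the previous digest."""
    body = {
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(content)}
                     for name, content in sorted(log_files.items())],
        "previousDigestSignature": previous_digest["signature"] if previous_digest else None,
    }
    return {"body": body, "signature": _sign(body)}


def verify_chain(digests, stored_files):
    """Return (ok, problems): checks signatures, chain linkage and every referenced log file."""
    problems = []
    expected_prev = None
    for i, digest in enumerate(digests):
        if not hmac.compare_digest(_sign(digest["body"]), digest["signature"]):
            problems.append(f"digest {i}: signature does not verify")
        if digest["body"]["previousDigestSignature"] != expected_prev:
            problems.append(f"digest {i}: chain broken (previous digest missing or altered)")
        for entry in digest["body"]["logFiles"]:
            content = stored_files.get(entry["s3Object"])
            if content is None:
                problems.append(f"digest {i}: {entry['s3Object']} missing")
            elif sha256_hex(content) != entry["hashValue"]:
                problems.append(f"digest {i}: {entry['s3Object']} modified")
        expected_prev = digest["signature"]
    return (not problems, problems)


def build_demo_chain():
    """Three hourly digests, one constructed log file each."""
    files = {
        PREFIX + "log-0100.json.gz": b'{"Records":[{"eventName":"CreateKey","userIdentity":{"userName":"admin"}}]}',
        PREFIX + "log-0200.json.gz": b'{"Records":[{"eventName":"PutBucketPolicy"}]}',
        PREFIX + "log-0300.json.gz": b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    digests, prev = [], None
    for name in sorted(files):
        prev = build_digest({name: files[name]}, prev)
        digests.append(prev)
    return digests, files


if __name__ == "__main__":
    digests, files = build_demo_chain()
    print(verify_chain(digests, files))
    tampered = dict(files)
    tampered[PREFIX + "log-0100.json.gz"] = b'{"Records":[]}'
    print(verify_chain(digests, tampered))
    print(verify_chain(digests[:1] + digests[2:], files))
```

Integrity checking and immutability are complementary: the chain tells an investigator that something was altered or removed, while Object Lock on the bucket is what stops the alteration in the first place.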

175
MCQ · hard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?

A. Use AWS Config rules to automatically revert changes to CloudWatch Logs
B. Create an SCP that denies cloudwatch:Put* and cloudwatch:Delete* actions and attach it to the root OU
C. Create an IAM policy that denies changes to CloudWatch Logs and apply it to all IAM users
D. Use AWS CloudTrail to monitor and alert on changes to CloudWatch Logs
Answer: B

SCPs can deny actions across all accounts in an organization.

Why this answer

Option B is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts within an organizational unit (OU). By attaching an SCP that denies cloudwatch:Put* and cloudwatch:Delete* actions to the root OU, you ensure that no IAM user or role in any account can modify or delete CloudWatch Logs configurations, regardless of any IAM policies attached directly to users or roles. This approach provides a guardrail that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail or Config rules) with preventive controls (like SCPs), or mistakenly believe that an IAM policy applied to all users is sufficient, ignoring that IAM roles and account-level administrators can bypass such policies.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can detect and alert on non-compliant changes but cannot automatically revert changes to CloudWatch Logs; they only evaluate configuration against desired policies and can trigger remediation actions via Systems Manager Automation, but this is not a preventive control. Option C is wrong because an IAM policy applied to all IAM users does not prevent changes made by IAM roles or by users in other accounts, and it can be overridden by an account administrator who has full control over IAM policies within their own account. Option D is wrong because AWS CloudTrail only provides logging and monitoring of API calls; it does not prevent changes from occurring, only alerts after the fact.

176
MCQeasy

A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?

A.Attach the policy directly to the Lambda function's configuration.
B.Create an IAM role with a policy that allows DynamoDB read actions, and attach the role to the Lambda function.
C.Store the AWS access keys in environment variables of the Lambda function.
D.Use a DynamoDB resource-based policy that grants access to the Lambda function's ARN.
AnswerB

This follows the principle of least privilege and uses temporary credentials.

Why this answer

Creating an IAM role with the required policy and attaching it to the Lambda function is the best practice. Option B is correct. Option A is wrong because attaching a policy directly to a Lambda function's configuration is not supported.

Option C is wrong because hardcoding credentials is insecure. Option D is wrong because using the Lambda function's ARN as a principal in a resource-based policy is for cross-account access, not for the same account.

177
MCQmedium

A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?

A.Use an S3 bucket policy that grants access to the EC2 instance's public IP.
B.Store access keys in the EC2 user data script.
C.Create an IAM user and embed credentials in the application code.
D.Attach an IAM role to the EC2 instance with an S3 access policy.
AnswerD

The IAM role provides temporary credentials via the instance metadata service.

Why this answer

Option D is correct because attaching an IAM role to an EC2 instance allows the instance to obtain temporary security credentials from the AWS STS service via the instance metadata service (IMDS). The EC2 instance can then use these credentials to access the S3 bucket without any long-term AWS credentials being stored on the instance. This is the AWS-recommended best practice for granting permissions to AWS services running on EC2.

Exam trap

The trap here is that candidates may think storing credentials in user data or application code is acceptable, but the DOP-C02 exam specifically tests the principle of using IAM roles to avoid long-term credential storage on EC2 instances.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy that grants access based on an EC2 instance's public IP is not a secure or reliable method; public IPs can change (unless using an Elastic IP) and do not authenticate the identity of the requester, making it vulnerable to spoofing and not a substitute for AWS credentials. Option B is wrong because storing access keys in the EC2 user data script exposes long-term credentials in plaintext within the instance's metadata and logs, violating the requirement to avoid storing credentials on the instance. Option C is wrong because embedding IAM user credentials in application code stores long-term access keys directly on the instance, which is insecure and contradicts the principle of using temporary credentials via IAM roles.

178
Multi-Selecthard

Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)

Select 3 answers
A.Enable server access logging for the bucket.
B.Enable cross-region replication.
C.Enable default encryption on the bucket (SSE-S3 or SSE-KMS).
D.Block all public access to the bucket.
E.Configure a bucket policy that denies all access.
F.Enable versioning on the bucket.
AnswersC, D

Default encryption ensures that all objects stored in the bucket are encrypted at rest.

Why this answer

Enabling default encryption, blocking public access, and enabling versioning are key security measures. Option E is wrong because bucket policies are used for access control, not for encryption, and a policy that denies all access makes the bucket unusable. Option A is wrong because server access logs are for auditing, not protection.

Option B is wrong because cross-region replication is for disaster recovery, not security.

179
MCQmedium

A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?

A.Delete the file from the repository and commit the deletion.
B.Use the AWS CLI command 'aws codecommit delete-file' with the --keep-history flag.
C.Use git filter-branch to remove the file from all commits and force push the changes.
D.Revert the commit that added the keys.
AnswerC

This rewrites history to completely remove the file from every commit, effectively purging the keys.

Why this answer

Git filter-branch can rewrite history to remove the file from all commits. However, AWS recommends using the AWS CLI's git-secrets or the AWS CodeCommit console's 'delete repository' option. But the most secure and straightforward approach is to use git filter-branch to purge the file and then force push.

Option A is wrong because deleting the file and committing the deletion does not remove it from history. Option B is wrong because AWS does not provide a built-in command to remove a file from history. Option D is wrong because simply reverting the commit leaves the keys in history.

180
MCQhard

A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using AWS KMS with Customer Master Keys (CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?

A.The IAM role is missing kms:GenerateDataKey permission.
B.The IAM role is missing kms:Encrypt permission.
C.The IAM role is missing kms:CreateGrant permission.
D.The KMS key policy does not grant the IAM role permission to decrypt using the key.
AnswerD

KMS key policies must explicitly grant access to IAM roles.

Why this answer

To download an object encrypted with SSE-KMS, the caller needs kms:Decrypt on the key; kms:GenerateDataKey is only required when uploading (encrypting) objects. The role's IAM policy already includes kms:Decrypt and kms:DescribeKey, so the IAM side is sufficient for a GetObject call.

The most likely cause is therefore that the KMS key policy does not grant the IAM role permission to use the key. The key policy must explicitly allow the IAM role to use the key; an IAM policy granting kms:Decrypt is not enough on its own if the key policy does not permit it.

Option D is correct. Option A is wrong because kms:GenerateDataKey is needed for writing, not reading. Option B is wrong because kms:Encrypt is also a write-side permission. Option C is wrong because kms:CreateGrant is not needed for a direct decrypt call.

181
Multi-Selectmedium

A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?

Select 3 answers
A.Disable automatic rotation for the old secret version.
B.Set up CloudWatch alarms to monitor rotation failures.
C.Use a separate database user for rotation that has permissions to change passwords.
D.Configure the Lambda rotation function to use a VPC endpoint for Secrets Manager.
E.Grant the Lambda rotation function IAM permissions to read and update the secret.
AnswersB, C, E

Alerts on rotation failures help maintain security.

Why this answer

Option E is correct because the Lambda rotation function needs permissions to read and update the secret. Option C is correct because using a separate user for rotation allows the old credentials to remain valid during rotation. Option B is correct because CloudWatch alarms can detect rotation failures.

Option D is wrong because the rotation function should have network access to the database, but using a VPC endpoint is not required; the function can be in a VPC. Option A is wrong because disabling rotation for old secret versions would break the rotation process.

182
MCQhard

A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?

A.Use a network ACL to allow only encrypted traffic on the Redis port.
B.Modify the application to use TLS when connecting to Redis.
C.Place the application and Redis cluster in the same VPC and use VPC peering.
D.Enable encryption in transit on the ElastiCache Redis cluster and configure the application to use TLS.
AnswerD

This ensures both sides support encryption in transit.

Why this answer

Option D is correct because ElastiCache Redis supports encryption in transit using TLS, which must be enabled at cluster creation. Option C is wrong because VPC peering does not encrypt traffic. Option A is wrong because NACLs do not encrypt.

Option B is wrong because the application must use TLS, but the cluster must also be configured to support it.

183
MCQeasy

An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?

A.A bucket policy in Account A and an IAM user policy in Account B
B.An S3 bucket ACL granting access to the user in Account B
C.An IAM user policy in Account B allowing access to the bucket
D.A bucket policy in Account A granting access to the user in Account B
AnswerA

Both policies are needed for cross-account access.

Why this answer

Cross-account access requires both a bucket policy in Account A granting access to the user in Account B and an IAM user policy in Account B allowing the user to access the bucket. Option D is wrong because a bucket policy alone is insufficient. Option C is wrong because an IAM policy alone is insufficient.

Option B is wrong because ACLs are legacy and not recommended.

184
MCQmedium

A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?

A.Configure the target group to use HTTP protocol
B.Configure the target group to use HTTPS protocol and install a certificate on each EC2 instance
C.Use security group rules to enforce encryption
D.Terminate TLS at the ALB and use HTTP to instances
AnswerB

HTTPS ensures encryption between ALB and instances.

Why this answer

To enforce encryption in transit, the ALB target group should use the HTTPS protocol, which requires the instances to present a certificate. Option A is wrong because HTTP does not encrypt traffic. Option D is wrong because terminating TLS at the ALB and using HTTP to the instances leaves the ALB-to-instance traffic unencrypted.

Option C is wrong because security groups do not enforce encryption.

185
MCQeasy

A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?

A.The Lambda function is not configured with a sufficient timeout and is being throttled.
B.The application caches the secret at startup and does not refresh it after rotation.
C.The Lambda function does not have permission to update the secret in Secrets Manager.
D.The RDS instance has automatic password rotation enabled, which conflicts with Secrets Manager rotation.
AnswerB

Caching the secret prevents the application from using the new password.

Why this answer

Option B is correct because if the application caches the secret, it will not pick up the new password after rotation, leading to connection errors. Option D is incorrect because RDS automatic password rotation is not a feature; Secrets Manager handles rotation. Option C is incorrect because KMS permissions are needed to decrypt the secret, but if the application could access the secret initially, it likely has permissions.

Option A is incorrect because a Lambda timeout or throttling is unlikely to cause application connection errors; it would affect the rotation process itself.

186
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?

A.Add an Amazon Inspector scan action as a test stage in the pipeline
B.Enable AWS GuardDuty in the account
C.Activate AWS Trusted Advisor for security checks
D.Use AWS Config rules to check for vulnerabilities
AnswerA

Amazon Inspector can scan for software vulnerabilities and is integrated with CodePipeline.

Why this answer

Amazon Inspector can be integrated as a test action in CodePipeline to scan for vulnerabilities. GuardDuty is a threat detection service, not a scanning tool for code or containers. Config evaluates resource configurations.

Trusted Advisor provides best practice checks, not vulnerability scanning.

187
MCQmedium

A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?

A.Create an S3 bucket policy that denies kms:Decrypt unless the request includes a specific tag.
B.Modify the KMS key policy to include a condition that allows kms:Decrypt only if the SAML assertion contains the specific attribute.
C.Attach a resource-based policy to the S3 bucket that allows decryption only for users with the specific attribute.
D.Use an IAM policy that grants kms:Decrypt only if the user has the specific attribute.
AnswerB

KMS key policies can use conditions based on SAML attributes to control decryption.

Why this answer

Option B is correct because KMS key policies can use the `kms:ViaService` or `kms:CallerPrincipal` conditions, but more importantly, they can reference SAML-based attributes using the `aws:PrincipalTag` or `saml:sub` conditions. By adding a condition in the KMS key policy that checks for a specific SAML assertion attribute (e.g., `saml:sub` or a custom SAML attribute mapped to an IAM role session tag), only users whose SAML assertion includes that attribute will be allowed to call `kms:Decrypt`. This directly enforces the security team's requirement at the key level, independent of S3 bucket policies or IAM policies.

Exam trap

The trap here is that candidates often confuse S3 bucket policies with KMS key policies, thinking they can control KMS decryption via S3 policies, when in reality KMS key policies are the only way to enforce conditions on the `kms:Decrypt` action at the key level.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies cannot deny `kms:Decrypt`; KMS API calls are governed by KMS key policies and IAM policies, not S3 resource policies. Option C is wrong because S3 bucket policies control access to S3 operations (e.g., `s3:GetObject`), not KMS decryption permissions; they cannot enforce conditions on the KMS `Decrypt` action itself. Option D is wrong because IAM policies alone cannot enforce conditions based on SAML assertion attributes unless those attributes are first mapped to IAM session tags or roles; the requirement is to control decryption at the KMS key level, and a KMS key policy with a SAML condition is the direct and correct mechanism.

188
MCQmedium

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?

A.Remove the rate-based rule that is causing false positives.
B.Replace AWS WAF with AWS Shield Advanced.
C.Adjust the rate-based rule threshold to a higher value.
D.Change the rule action from 'Block' to 'Count'.
AnswerC

Higher threshold reduces false positives while still blocking abuse.

Why this answer

Option C is correct because adjusting the rate-based rule threshold to a higher value will allow more legitimate traffic while still blocking excessive requests. Option A: Removing the rule would weaken security. Option B: Swapping to AWS Shield Advanced does not fine-tune rules.

Option D: Count mode logs but does not block; not maintaining security.

189
MCQhard

A key policy for a KMS customer managed key includes the above statement. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?

A.The action should be 'kms:Decrypt*'.
B.The resource should be the key ARN, not '*'.
C.The condition 'kms:GrantIsForAWSResource' is preventing direct API calls.
D.The principal ARN is incorrect.
AnswerC

This condition only allows decryption when the request comes from an AWS service, not from the IAM role directly.

Why this answer

The condition 'kms:GrantIsForAWSResource' restricts the permission to requests that come from AWS services that integrate with KMS, not from direct API calls by the role. Option C is correct. Option D is wrong because the principal is correctly specified.

Option A is wrong because the action is correct. Option B is wrong because the wildcard resource is fine for KMS key policies.

190
Multi-Selecteasy

A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.Amazon S3 with Object Lock enabled
D.Amazon CloudWatch Logs
E.AWS KMS
AnswersB, C

CloudTrail records API calls.

Why this answer

Option B is correct because CloudTrail logs API calls and can be configured to deliver to S3. Option C is correct because S3 with Object Lock prevents log tampering. Option D is wrong because CloudWatch Logs is for application logs, not API calls.

Option A is wrong because Config records resource changes, not API calls. Option E is wrong because KMS encrypts but does not provide tamper-proof storage; Object Lock does.

191
Multi-Selecthard

A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)

Select 3 answers
A.Use a customer-managed KMS key with a cross-account key policy to encrypt artifacts.
B.Store database credentials in AWS Secrets Manager and retrieve them in CodeBuild using the secrets manager action.
C.Store database credentials in AWS Systems Manager Parameter Store and retrieve them in CodeBuild.
D.Use AWS CodeCommit as the source repository with pull request approval rules.
E.Configure CodePipeline to assume an IAM role in the target account using a trust policy.
AnswersA, B, E

KMS cross-account key policies allow encryption across accounts.

Why this answer

Option E uses cross-account roles (correct). Option A uses a KMS cross-account key (correct). Option B integrates CodeBuild with Secrets Manager (correct).

Option C (SSM Parameter Store) is possible, but Secrets Manager is more appropriate for credentials. Option D (CodeCommit) is not required.

192
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?

A.Denied, because the user does not have s3:GetObject permission on the confidential folder.
B.Allowed, because the Deny statement only applies to HTTPS.
C.Allowed, because the source IP is within the allowed range.
D.Denied, because the request uses HTTP and the Deny statement blocks it.
AnswerD

The Deny applies when SecureTransport is false (HTTP).

Why this answer

The Deny statement with SecureTransport false applies to all s3 actions on the confidential folder. Even though the source IP is allowed, the Deny for HTTP access will override the Allow. The request will be denied.

193
MCQmedium

A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?

A.CodeBuild does not support VPC connectivity.
B.The VPC subnet has a NAT gateway that routes traffic to the internet instead of the internal network.
C.The security group for the PyPI repository does not allow inbound traffic from the CodeBuild security group.
D.The VPC subnet does not have a route to the internal network.
AnswerC

The repository's security group must have an inbound rule allowing HTTPS traffic from the security group associated with the CodeBuild project's ENI.

Why this answer

The private PyPI repository is in the internal network, which is likely accessible via a VPC. However, if the repository's security group does not allow inbound traffic from the CodeBuild security group, the connection will be blocked. The CodeBuild project's outbound rules are correct, but the repository side needs to allow inbound.

Option A is wrong because CodeBuild does support VPC connectivity; the project is already configured with a VPC. Option B is wrong because if the subnet has a NAT gateway, the traffic would go to the internet, not to the internal network. Option D is wrong because the subnet is expected to have a route to the internal network, usually via VPC peering or a VPN; a VPC endpoint would not help either, since endpoints are for AWS services, not for on-premises resources.

194
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?

A.Configure CodePipeline to use an encrypted artifact bucket.
B.Enable AWS WAF on the ALB to enforce HTTPS.
C.Create an HTTPS listener on the ALB with a certificate from AWS Certificate Manager and redirect HTTP to HTTPS.
D.Place a CloudFront distribution in front of the ALB and configure it to require HTTPS.
AnswerC

HTTPS listener with ACM certificate provides encryption in transit.

Why this answer

Option C is correct because the Application Load Balancer supports SSL/TLS termination using certificates from AWS Certificate Manager, enabling HTTPS encryption. Option A is wrong because CodePipeline does not encrypt traffic at the ALB level. Option B is wrong because AWS WAF is a web application firewall, not for encryption.

Option D is wrong because CloudFront can handle HTTPS, but adding it changes the architecture unnecessarily and may break the pipeline if not properly configured.

195
MCQeasy

Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?

A.The role to decrypt any KMS key.
B.The role to decrypt via any AWS service.
C.The role to decrypt data encrypted by S3 in us-east-1.
D.Any IAM role to decrypt using this key.
AnswerC

The condition kms:ViaService limits decrypt to requests from S3 in us-east-1.

Why this answer

The policy allows the CrossAccountRole to call kms:Decrypt only when the request comes through S3 in us-east-1. Option C is correct.

196
MCQhard

Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?

A.The request is allowed because the Allow statement matches
B.The request is allowed because there is no explicit Deny for GetObject
C.The request is denied because the policy is malformed
D.The request is denied because the Deny statement applies
AnswerD

Explicit Deny blocks the request.

Why this answer

The Deny statement explicitly denies all S3 actions if the IP is not in the allowed range. Since the user is outside, the Deny applies, overriding the Allow. Option A is wrong because the Deny blocks access.

Option B is wrong because the Deny is explicit. Option C is wrong because the policy is not malformed.

197
MCQhard

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?

A.Set up a VPN connection to the company's on-premises network and route traffic through it.
B.Deploy a NAT gateway in a public subnet and route the private subnet's traffic through it.
C.Deploy a bastion host in the public subnet and configure the instance to use it.
D.Attach an internet gateway to the VPC and add a route to the private subnet route table.
AnswerB

NAT gateway enables outbound internet traffic while blocking inbound.

Why this answer

A NAT gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound connections. Option B is correct. Option D is wrong because an internet gateway alone does not provide outbound-only access for private instances.

Option C is wrong because a bastion host only provides SSH/RDP access, not general internet access. Option A is wrong because a VPN connection does not provide direct internet access.

198
MCQeasy

Given the above IAM policy, which action is permitted?

A.Invoke the Lambda function MyFunction in us-east-1 account 123456789012
B.Read objects from an S3 bucket
C.Create a Lambda function
D.Start an EC2 instance
AnswerA

The policy allows lambda:InvokeFunction on that specific ARN.

Why this answer

The policy explicitly allows the lambda:InvokeFunction action on the specified function ARN. Option A is correct. It does not allow S3 actions (B), other Lambda actions (C), or EC2 actions (D).

199
MCQeasy

A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.IAM roles for EC2
AnswerB

Secrets Manager offers automatic rotation for RDS databases and provides fine-grained access control via IAM.

Why this answer

AWS Secrets Manager provides the ability to store secrets and automatically rotate them for RDS databases. It also integrates with Lambda via the Secrets Manager API to retrieve secrets at runtime. Option A is wrong because Parameter Store can store secrets but does not support automatic rotation for RDS.

Option C is wrong because KMS is for encryption keys, not secret storage. Option D is wrong because IAM roles cannot store credentials; they provide permissions.

200
Multi-Selecthard

Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)

Select 3 answers
A.Enable EBS encryption by default in the account.
B.Use the AWS CLI to encrypt an existing volume in place.
C.Encrypt the volume when creating it through the AWS Management Console.
D.Attach the volume to an EC2 instance and use OS-level encryption.
E.Create an unencrypted snapshot of the volume, copy it with encryption, and create a new volume from the encrypted snapshot.
AnswersA, C, E

This automatically encrypts all new EBS volumes.

Why this answer

Enabling EBS encryption by default at the account level ensures all new volumes are encrypted. You can also encrypt volumes when creating them via the console or CLI. You cannot encrypt an existing volume directly; you must create a snapshot, copy it with encryption, and create a new volume.

Attaching a volume does not encrypt it.

201
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?

A.Install a valid certificate from AWS Certificate Manager (ACM) on each EC2 instance and configure the ALB target group to use HTTPS with that certificate.
B.Change the health check to use HTTP on port 80 and allow HTTP traffic from the ALB to the instances.
C.Configure the ALB to ignore certificate verification for health checks by setting the health check protocol to HTTPS and enabling 'ignore certificate' option.
D.Disable health checks on the ALB and rely on CloudWatch alarms to detect instance failures.
AnswerA

A valid certificate trusted by the ALB will allow the TLS handshake to succeed.

Why this answer

The ALB health check expects a valid certificate from the target, and a self-signed certificate causes the TLS handshake to fail unless the ALB is configured to skip certificate verification; the ALB can be configured to verify or skip verification.

There are two ways to fix this: use HTTP for health checks while keeping HTTPS for data traffic, or configure the target group to use HTTPS with a certificate that the ALB trusts (e.g., from ACM). HTTP health checks are the simpler option, but they are not encrypted, and the requirement is to maintain encryption.

Installing a trusted certificate (e.g., from ACM) on the instances is more complex, but it is the only option that keeps the health check encrypted while allowing the handshake to succeed. Option A is the best answer.

202
MCQhard

A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?

A.S3 Intelligent-Tiering
B.S3 Standard
C.S3 Glacier Deep Archive
D.S3 One Zone-Infrequent Access
AnswerC

Lowest cost for long-term archival.

Why this answer

S3 Glacier Deep Archive is the lowest-cost storage class for data retained for years and retrieved rarely; a 7-year audit-log archive with infrequent, non-urgent access is its design case (restores take hours, so it is unsuitable if the logs must be readable on demand). Option B (S3 Standard) is the most expensive class for data that is seldom read. Option A (S3 Intelligent-Tiering) moves data between tiers automatically but carries a per-object monitoring charge and, unless its archive tiers are opted into, never gets as cheap as Deep Archive.

Option D (S3 One Zone-IA) keeps data in a single Availability Zone, trading resilience to AZ loss for price, which is a poor fit for records that must survive 7 years. For an audit archive also consider S3 Object Lock in compliance mode so the logs cannot be deleted before the retention period ends.

203
MCQmedium

A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?

A.Use Amazon Cognito user pools with SAML federation and integrate with ALB
B.Use AWS CloudFront with Lambda@Edge to validate SAML tokens
C.Install a SAML service provider library on each EC2 instance
D.Configure the ALB to use an SAML identity provider for authentication
AnswerA

ALB listener rules authenticate users through OIDC or Amazon Cognito; a SAML IdP is reached through a Cognito user pool.

Why this answer

An ALB's authentication actions are authenticate-oidc and authenticate-cognito; there is no SAML action on the load balancer, so Option D cannot be configured as written. The simplest way to front an ALB with a SAML 2.0 IdP is Option A: register the IdP as a SAML identity provider in a Cognito user pool and point the listener rule's authenticate-cognito action at that pool. The ALB then manages the session cookie and forwards the verified identity to the targets in the x-amzn-oidc-* headers; the application should validate the signed x-amzn-oidc-data token and the target security group should accept traffic only from the ALB, otherwise those headers can be spoofed by anyone who reaches the instances directly. Option B adds an edge function and custom assertion handling for something the load balancer already does. Option C makes every instance a SAML service provider, duplicating assertion validation, metadata and key management inside the application.

204
Multi-Selectmedium

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. What should be done? (Choose TWO.)

Select 2 answers
A.Attach a security group to the KMS key.
B.Modify the KMS key policy to include a condition that requires the kms:ViaService to be from the VPC endpoint.
C.Configure the S3 bucket policy to allow only requests from the VPC.
D.Create a service control policy (SCP) that denies KMS operations from outside the VPC.
E.Create a VPC endpoint for AWS KMS.
AnswersB, E

The key-policy condition restricts use of the key to requests that arrive through the VPC endpoint.

Why this answer

Options B and E are correct: an interface VPC endpoint for KMS gives the VPC private connectivity to the service, and a condition in the key policy ties the key to that endpoint. The condition key for this is aws:sourceVpce (or aws:sourceVpc for the whole VPC); kms:ViaService, named in the option text, is the key that restricts which AWS service (for example s3.us-east-1.amazonaws.com) may call KMS on a principal's behalf, and the two are commonly combined. A Deny on aws:sourceVpce also rejects the calls S3 makes to KMS when it encrypts objects with SSE-KMS, because those requests do not pass through your endpoint; exempt them with the aws:ViaAWSService condition key or scope the statement with kms:ViaService.

Option D is wrong because an SCP is an organization-wide permission boundary: it does not apply to the management account or to requests AWS services make on your behalf, and it is not where a single key's access control lives. Option C is wrong because a bucket policy governs access to the bucket, not to the KMS key; a principal with key access could still use the key from anywhere else. Option A is wrong because security groups attach to network interfaces (including the endpoint's interface, where they control who can reach the endpoint) but do not authorize use of a key.

205
Multi-Selecthard

A DevOps team is designing a solution to encrypt data at rest for an Amazon RDS for MySQL database. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Enable encryption after creating the RDS instance by modifying the instance
B.Enable SSL/TLS for the RDS instance
C.Use AWS KMS to create a customer managed key and assign it to the RDS instance
D.Enable encryption at rest when creating the RDS DB instance
E.Store the database files in an encrypted S3 bucket
AnswersC, D

Encryption at rest for RDS is chosen at creation and is backed by a KMS key.

Why this answer

Option D is correct: encryption at rest is selected when the DB instance is created and applies to the underlying storage, automated backups, read replicas and snapshots. Option C is correct: the instance is encrypted with a KMS key, and a customer managed key gives the team control of the key policy, rotation and usage auditing (the AWS managed aws/rds key is used if none is supplied). Option A is wrong: encryption cannot be switched on for an existing unencrypted instance by modifying it; the supported path is to take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.

Option E is wrong: RDS manages its own storage; database files are not kept in a customer S3 bucket. Option B is wrong: SSL/TLS protects data in transit between client and database, not data at rest.

206
MCQmedium

A security audit reveals that an S3 bucket contains objects that are not encrypted. The bucket is configured with default encryption using SSE-S3. What is the most likely reason that objects are unencrypted?

A.The objects were uploaded with server-side encryption using AWS KMS
B.The bucket policy denies SSE-S3 encryption
C.The objects were uploaded before default encryption was enabled
D.The objects were uploaded with SSE-C
AnswerC

Default encryption applies at write time and does not touch objects that already exist.

Why this answer

Default bucket encryption is applied to each object as it is written; it is not retroactive. Objects uploaded before default encryption was enabled (and before January 2023, when S3 began encrypting every new object with SSE-S3 by default) stay unencrypted until they are rewritten, for example with a CopyObject onto the same key or an S3 Batch Operations copy job. Option A is wrong because objects uploaded with SSE-KMS are encrypted; they simply use a different method than the bucket default.

Option B is wrong because a bucket policy can reject an upload but cannot cause an object to be stored unencrypted. Option D is wrong because SSE-C objects are encrypted too, with a key the client supplies on every request.

207
MCQeasy

A company has an Amazon RDS for MySQL database that stores sensitive data. The security team requires encryption at rest and in transit. Which combination of options meets these requirements?

A.Use AWS Certificate Manager to issue a certificate for the RDS instance
B.Place the RDS instance in a private subnet and use VPC peering
C.Enable encryption at rest on the RDS instance and enforce SSL connections
D.Use AWS KMS to encrypt the database before inserting data and decrypt on read
AnswerC

RDS encryption provides at-rest encryption; SSL provides in-transit encryption.

Why this answer

Option C is correct. Encryption at rest is enabled on the RDS instance (at creation, backed by a KMS key), and encryption in transit comes from TLS connections to the database. The RDS endpoint presents a certificate from an AWS-managed RDS certificate authority; clients should verify it against the RDS CA bundle, and the server side can refuse plaintext connections by setting the require_secure_transport parameter to ON in the instance's parameter group (per-user REQUIRE SSL grants are the alternative).

Option D (client-side encryption with KMS) encrypts field values before they reach the database, which protects those values at rest but leaves the connection itself unencrypted and replaces none of the RDS controls. Option B (private subnet and VPC peering) limits reachability but encrypts nothing. Option A (ACM) is wrong because RDS certificates are issued by the RDS CA, not by ACM, and a certificate alone provides no encryption at rest.

208
Multi-Selectmedium

Which TWO actions can be taken to secure an Amazon S3 bucket that contains confidential data? (Choose TWO.)

Select 2 answers
A.Enable S3 Default Encryption.
B.Enable S3 Transfer Acceleration.
C.Enable S3 Cross-Region Replication.
D.Enable S3 Versioning.
E.Enable S3 Block Public Access.
AnswersA, E

Encrypts data at rest.

Why this answer

Correct options: A and E. Option A: default encryption ensures every object written to the bucket is encrypted at rest (with SSE-S3 or, better for confidential data, SSE-KMS under a customer managed key so that key access can be audited and revoked). Option E: Block Public Access overrides any ACL or bucket policy that would expose objects publicly; enable it at the account level as well as on the bucket.

Option D is wrong because versioning protects against overwrite and deletion, which is a recovery control rather than a confidentiality one. Option C is wrong because cross-region replication is for disaster recovery and creates a second copy that also needs protecting. Option B is wrong because S3 Transfer Acceleration only speeds up transfers over the CloudFront edge network.

209
MCQmedium

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most likely security concern?

A.The bucket is now publicly accessible
B.The bucket policy grants the root user full access
C.The root user performed an action that should have been done by an IAM user
D.The bucket policy allows only authenticated users to read objects
AnswerA

Public access granted to all objects.

Why this answer

The log entry in the exhibit records a bucket policy being applied to my-bucket that grants read access to every object. Option A is correct: a policy whose Principal is '*' with s3:GetObject on the bucket's objects makes them readable by anyone on the internet, unless S3 Block Public Access is enabled for the bucket or account. Option B is wrong because the principal is everyone, not the root user. Option C is wrong because, although the call being made by the root user is itself poor practice (root should be reserved for the few tasks that require it), it is a secondary concern next to the exposure the policy creates.

Option D is wrong because '*' means anonymous as well as authenticated callers, and the policy is attached to the bucket, not to a user.

210
MCQmedium

A company is using AWS CodeBuild as part of its CI/CD pipeline. The build projects need to access a private Amazon ECR repository to pull Docker images. What is the MOST secure way to grant CodeBuild access to ECR?

A.Configure a VPC endpoint for ECR and allow CodeBuild to connect through it.
B.Store ECR credentials in AWS Systems Manager Parameter Store and retrieve them in the buildspec.
C.Create a service role for CodeBuild with an IAM policy that grants ECR pull access.
D.Use the AWS CLI to retrieve an ECR authorization token and pass it to Docker.
AnswerC

CodeBuild obtains temporary credentials by assuming the project's service role.

Why this answer

Option C is correct: the build project is configured with a service role, CodeBuild assumes it at build time, and the role's policy grants the ECR actions needed to pull (ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer and ecr:BatchGetImage, scoped to the repository ARN where the action supports resource-level permissions). No long-lived secret exists anywhere. Option B is wrong because it turns a short-lived, automatically managed credential into a stored secret that must be protected and rotated. Option D is wrong because an ECR authorization token is valid for 12 hours and still requires IAM permission to obtain; the docker login in the buildspec is the mechanism, not the authorization.

Option A is wrong because a VPC endpoint changes the network path to ECR; it grants nothing, and the role's IAM permissions are still required.

211
MCQmedium

A DevOps engineer needs to allow an EC2 instance to write logs to CloudWatch Logs. The instance is configured with an instance profile that has the following IAM role attached. Which additional policy is required?

A.AmazonSQSFullAccess
B.AmazonDynamoDBFullAccess
C.CloudWatchLogsFullAccess
D.AmazonS3FullAccess
AnswerC

Provides necessary permissions for writing logs.

Why this answer

The instance profile's IAM role must include permissions to create log groups, log streams, and put log events. The `CloudWatchLogsFullAccess` managed policy grants all necessary actions (e.g., `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`) for writing logs from an EC2 instance to CloudWatch Logs. Without this policy, the instance will receive an access denied error when the CloudWatch agent or SDK attempts to send log data. In production, prefer a custom policy that grants only `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents` and `logs:DescribeLogStreams` on the specific log group ARN; the FullAccess policy also permits reading and deleting every log group in the account.

Exam trap

The trap here is that candidates may assume any 'FullAccess' policy (like S3 or SQS) would work because they think logs are just files, but CloudWatch Logs is a distinct service with its own API and IAM actions, so only CloudWatch Logs-specific policies grant the required permissions.

How to eliminate wrong answers

Option A is wrong because AmazonSQSFullAccess grants permissions to send/receive messages from Amazon SQS queues, which is unrelated to writing logs to CloudWatch Logs. Option B is wrong because AmazonDynamoDBFullAccess provides full access to DynamoDB tables and indexes, not to CloudWatch Logs APIs. Option D is wrong because AmazonS3FullAccess allows read/write to S3 buckets, but CloudWatch Logs uses its own PutLogEvents API, not S3 operations.

212
MCQmedium

A company's security team requires that all API calls to AWS are logged for audit purposes. Which service should be enabled to capture and store these logs?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.Amazon VPC Flow Logs
AnswerA

CloudTrail logs all AWS API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to log all API calls made to the AWS environment, including calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. CloudTrail captures the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements, storing this information in a log file that can be delivered to an Amazon S3 bucket for long-term audit storage. This directly meets the security team's requirement to capture and store all API calls for audit purposes.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs with CloudTrail because both involve 'logging', but CloudWatch Logs is for application and system logs (e.g., from EC2 or Lambda), while CloudTrail is exclusively for AWS API call logs, and the question explicitly asks for 'API calls to AWS'.

How to eliminate wrong answers

Option B (Amazon CloudWatch Logs) is wrong because CloudWatch Logs is a service for monitoring, storing, and accessing log files from AWS resources (like EC2 instances, Lambda functions, or custom applications), not for capturing AWS API calls themselves; it can ingest CloudTrail logs as a data source but is not the primary service for API call logging. Option C (AWS Config) is wrong because AWS Config is a service that evaluates and records resource configuration changes and compliance over time, not the API calls that triggered those changes; it provides a configuration history but does not log the API requests. Option D (Amazon VPC Flow Logs) is wrong because VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC (e.g., source/destination IP, ports, protocol), not AWS API calls; it is a network-level logging feature, not an API-level audit trail.

213
MCQhard

An organization uses AWS Key Management Service (KMS) with customer-managed keys. The security policy requires automatic key rotation every year. A DevOps engineer notices that the key material is not rotating as expected. What is the most likely cause?

A.The key was created by importing key material; automatic rotation is not supported for imported keys.
B.The key must be re-imported annually to enable rotation.
C.The key is not enabled for rotation due to a billing limit.
D.The key is in a 'Pending Deletion' state and cannot be rotated.
AnswerA

Imported key material cannot be rotated automatically.

Why this answer

Option A is correct: automatic rotation is available only for symmetric encryption keys whose material KMS generated. Keys with imported material (Origin EXTERNAL), asymmetric keys, HMAC keys and keys in custom key stores are excluded; an imported key is rotated manually by creating a new key and re-pointing the alias. Rotation also runs only while the key state is Enabled, and the rotation period is configurable (the default remains one year), so confirm with get-key-rotation-status and describe-key that rotation is enabled and the key is Enabled. Option C is wrong because automatic rotation has no billing prerequisite; it is enabled per key. Option B is wrong because re-importing only accepts the same key material (to extend its expiry) and cannot change it, so it never produces rotation.

Option D is wrong as the most likely cause: a key pending deletion is indeed not rotated, but it cannot be used for cryptographic operations either, which would have been noticed long before the rotation schedule was.

214
MCQmedium

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using customer-managed KMS keys. Additionally, any attempt to upload an unencrypted object must be denied. Which S3 bucket policy should be used?

A.Deny s3:PutObject unless the request includes s3:x-amz-server-side-encryption: true
B.Allow s3:PutObject with condition s3:x-amz-server-side-encryption: AES256
C.Allow s3:PutObject with condition kms:EncryptionContext: department:finance
D.Deny s3:PutObject unless the request includes s3:x-amz-server-side-encryption: aws:kms
AnswerD

Denies uploads that are not SSE-KMS encrypted.

Why this answer

Option D is correct: a Deny on s3:PutObject whose condition is StringNotEquals s3:x-amz-server-side-encryption: aws:kms rejects any upload that asks for a different encryption method, and the conventional companion statement with Null s3:x-amz-server-side-encryption: true rejects uploads that omit the header altogether. To enforce the customer managed key specifically, add a third Deny conditioned on s3:x-amz-server-side-encryption-aws-kms-key-id not equalling the key's ARN; otherwise a request using the AWS managed aws/s3 key also passes. Option B is wrong because AES256 is SSE-S3, not KMS, and an Allow cannot by itself deny anything. Option C is wrong because kms:EncryptionContext is a KMS condition key, not an S3 request header, and the statement denies nothing.

Option A is wrong because 'true' is not a value the header takes (the valid values are AES256, aws:kms and aws:kms:dsse), so the condition would never match a real request as intended.

Practical note: if the bucket's default encryption is set to SSE-KMS with the same key, a client that sends no header still gets a KMS-encrypted object; the Null statement then rejects such clients, so decide whether you want to force clients to be explicit or rely on the bucket default and deny only explicit requests for another method.
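Both the VPC-endpoint key policy from question 204 and the SSE-KMS bucket policy above depend on how IAM condition operators behave when a request key is absent. The following is an added example, not code from the page: it builds both policies as Python dicts (ready for json.dumps into put_key_policy or put_bucket_policy) and runs a small evaluator, following the IAM documentation's rule that a negated operator such as StringNotEquals matches when the key is absent (the reason a bare aws:sourceVpce Deny also locks out console users), over constructed request contexts. The endpoint ID, bucket name and key ARN are hypothetical placeholders.

```python
"""Added example (not from the page): the two Deny policies discussed in
questions 204 and 214, plus a small evaluator showing how IAM condition
operators treat a request key that is absent.  VPCE_ID, BUCKET and KEY_ARN
are hypothetical placeholders."""
import json

VPCE_ID = "vpce-0123456789abcdef0"   # hypothetical KMS interface endpoint
BUCKET = "example-bucket"            # hypothetical
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")  # hypothetical


def kms_vpce_only_statement(vpce_id):
    """Key-policy Deny: refuse use of the key unless the call arrived through
    the VPC endpoint.  aws:ViaAWSService is "true" when an AWS service (S3
    performing SSE-KMS, for example) calls KMS on the caller's behalf; such
    calls carry no aws:sourceVpce, so the Bool condition keeps them out."""
    return {
        "Sid": "DenyOutsideVpce",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:sourceVpce": vpce_id},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }


def s3_require_kms_statements(bucket, key_arn):
    """Bucket-policy Denies: wrong encryption header, no header, wrong key."""
    base = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    return [
        {**base, "Sid": "DenyNonKmsHeader", "Condition": {
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {**base, "Sid": "DenyMissingHeader", "Condition": {
            "Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {**base, "Sid": "DenyWrongKmsKey", "Condition": {
            "StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]


def _condition_matches(operator, key, values, ctx):
    """One operator/key pair (single-valued keys only).  Positive operators
    fail when the key is absent, negated ones match, Null tests presence."""
    values = [values] if isinstance(values, str) else values
    present = key in ctx
    if operator == "Null":
        return present != (values[0].lower() == "true")
    if not present:
        return operator.startswith(("StringNot", "ArnNot"))
    if operator in ("StringEquals", "Bool"):
        return ctx[key] in values
    if operator == "StringNotEquals":
        return ctx[key] not in values
    raise ValueError(f"operator {operator} not modelled")


def statement_matches(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(action == a or (a.endswith("*") and action.startswith(a[:-1]))
               for a in actions):
        return False
    # all operator/key pairs must hold (AND); values inside one key are OR
    return all(_condition_matches(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())


def explicit_denies(statements, action, ctx):
    """Sids of the Deny statements that fire for this request context."""
    return [s["Sid"] for s in statements
            if s["Effect"] == "Deny" and statement_matches(s, action, ctx)]


if __name__ == "__main__":
    kms_policy = [kms_vpce_only_statement(VPCE_ID)]
    s3_policy = s3_require_kms_statements(BUCKET, KEY_ARN)
    print(json.dumps({"Version": "2012-10-17", "Statement": s3_policy}, indent=2))
    # Constructed request contexts; aws:ViaAWSService is always present for real.
    print(explicit_denies(kms_policy, "kms:Decrypt",
                          {"aws:sourceVpce": VPCE_ID, "aws:ViaAWSService": "false"}))
    print(explicit_denies(kms_policy, "kms:Decrypt", {"aws:ViaAWSService": "false"}))
    print(explicit_denies(kms_policy, "kms:GenerateDataKey",
                          {"aws:ViaAWSService": "true",
                           "kms:ViaService": "s3.us-east-1.amazonaws.com"}))
    print(explicit_denies(s3_policy, "s3:PutObject",
                          {"s3:x-amz-server-side-encryption": "AES256"}))
```

The three contexts for the key policy show the intended behaviour: a call through the endpoint is not denied, a call with no endpoint (for example from the internet with leaked credentials) is denied, and S3's on-behalf call for SSE-KMS is left alone by the ViaAWSService exemption. For the bucket policy, an AES256 upload trips the header statement and the key-ID statement, while an aws:kms upload naming the right key passes all three.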

215
Multi-Selecthard

A company is migrating to AWS and needs to comply with PCI DSS. They must encrypt all data at rest and in transit. Which THREE services or features should they use?

Select 3 answers
A.Elastic Load Balancing (ELB) with TLS termination.
B.AWS CloudTrail to log all API calls.
C.Amazon S3 server-side encryption (SSE-S3) for S3 objects.
D.AWS Key Management Service (KMS) to manage encryption keys.
E.AWS WAF to protect web applications.
AnswersA, C, D

ELB can terminate TLS, ensuring encryption in transit between clients and load balancer.

Why this answer

Option A is correct because TLS termination on the load balancer encrypts data in transit between clients and the load balancer, which PCI DSS requires for cardholder data crossing open networks; for an in-scope environment, re-encrypt from the load balancer to the targets as well so the internal hop is not plaintext. Option C is correct because server-side encryption protects stored objects at rest; SSE-KMS with a customer managed key is the usual choice in scope because it adds key-usage auditing. Option D is correct because KMS is where the keys for S3, EBS, RDS and the other services are generated, rotated and access-controlled, which is what the standard's key-management requirements ask for.

Options B and E are legitimate PCI controls (logging and monitoring, protection of public-facing web applications), but neither encrypts anything at rest or in transit, which is what the question asks for.

Exam trap

The trap here is that candidates often confuse compliance-related services (like CloudTrail for logging or WAF for security) with encryption-specific services, leading them to select options that are valid for security but do not directly satisfy the encryption-at-rest and encryption-in-transit mandates of PCI DSS.

216
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline must scan container images for vulnerabilities before deploying to Amazon ECS. Which service should the engineer use to perform the vulnerability scan?

A.AWS WAF
B.Amazon ECR image scanning
C.AWS Config
D.Amazon GuardDuty
AnswerB

ECR supports vulnerability scanning for container images.

Why this answer

Option B is correct because Amazon ECR can scan images for vulnerabilities. Option A is wrong because AWS WAF is a web application firewall. Option C is wrong because AWS Config is for compliance and resource inventory.

Option D is wrong because Amazon GuardDuty is a threat detection service for workloads.

217
Multi-Selecthard

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which TWO steps should be taken?

Select 2 answers
A.Create a CloudWatch Events rule to notify the security team before the rotation date.
B.Configure an S3 bucket policy to enforce key rotation.
C.Enable automatic key rotation on the KMS key.
D.Ensure the key policy allows the kms:RotateKeyOnDemand action.
E.Create a new KMS key every year and update the application to use the new key.
AnswersA, C

EventBridge (formerly CloudWatch Events) emits a KMS CMK Rotation event when the key material rotates.

Why this answer

Option C is correct: automatic rotation is a per-key setting on symmetric KMS keys; once enabled, KMS generates new backing material on the configured schedule (the default period is one year) and keeps the key ID, ARN, alias and policy unchanged, so S3 and applications need no update and older objects remain decryptable under the retained material. Option A is correct in the sense the exam intends: an EventBridge rule can forward the KMS CMK Rotation event to the security team; note that the event is emitted when rotation happens, not ahead of it, so this is a confirmation rather than an advance notice.

Option E is wrong because creating a new key each year is manual rotation, which changes the key ARN and forces application and policy updates; the ask is automatic rotation. Option D is wrong because kms:RotateKeyOnDemand only authorizes an immediate, one-off rotation request and is not needed for the scheduled rotation. Option B is wrong because a bucket policy governs requests to S3 and has no control over KMS key rotation.
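Questions 213 and 217 both come down to the same checklist for a key that is not rotating: who manages it, where its material came from, its key spec, its state, and whether rotation is switched on. The following is an added example, not code from the page: rotation_finding() applies that checklist to describe-key metadata and audit_rotation() walks an account with a boto3 KMS client. The FakeKms class and its key IDs are constructed so the script runs offline; pass boto3.client("kms") instead to audit a real account.

```python
"""Added example (not from the page): work out why a KMS key is not rotating,
the situation in questions 213 and 217.  rotation_finding() applies the KMS
rules; audit_rotation() walks an account with a boto3 KMS client.  The FakeKms
class and its key IDs are constructed so the script runs offline; pass
boto3.client("kms") instead for a real account."""


def rotation_finding(meta, rotation_enabled):
    """Classify one key from describe-key metadata plus its rotation flag.
    Checks are ordered so each reason explains why later ones are moot."""
    if meta["KeyManager"] == "AWS":
        return "aws-managed: AWS rotates it yearly; the setting is not configurable"
    if meta["Origin"] != "AWS_KMS":
        # EXTERNAL (imported), AWS_CLOUDHSM and EXTERNAL_KEY_STORE never rotate
        return (f"origin {meta['Origin']}: automatic rotation unsupported; "
                "rotate manually by creating a new key and moving the alias")
    if meta["KeySpec"] != "SYMMETRIC_DEFAULT":
        return f"{meta['KeySpec']}: asymmetric and HMAC keys do not rotate automatically"
    if meta["KeyState"] != "Enabled":
        hint = ("cancel the scheduled deletion first" if meta["KeyState"] == "PendingDeletion"
                else "enable the key")
        return f"state {meta['KeyState']}: rotation only runs while Enabled; {hint}"
    if not rotation_enabled:
        return "rotation disabled: call enable_key_rotation (period 90-2560 days, default 365)"
    return "ok"


def audit_rotation(kms):
    """Return {key_id: finding} for every key list_keys reports."""
    findings, marker = {}, None
    while True:
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            enabled = False
            # only ask for rotation status where rotation is possible at all
            if (meta["KeyManager"] == "CUSTOMER" and meta["Origin"] == "AWS_KMS"
                    and meta["KeySpec"] == "SYMMETRIC_DEFAULT"):
                enabled = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            findings[meta["KeyId"]] = rotation_finding(meta, enabled)
        if not page.get("Truncated"):
            return findings
        marker = page["NextMarker"]


class FakeKms:
    """Offline stand-in for the three boto3 calls used above (constructed data)."""
    _SYM = {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
            "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}
    KEYS = {
        "key-imported": {**_SYM, "Origin": "EXTERNAL"},
        "key-rotation-off": dict(_SYM),
        "key-healthy": dict(_SYM),
        "key-pending-delete": {**_SYM, "KeyState": "PendingDeletion"},
        "key-aws-managed": {**_SYM, "KeyManager": "AWS"},
    }
    ROTATION = {"key-rotation-off": False, "key-healthy": True, "key-pending-delete": True}

    def list_keys(self, Marker=None):          # paginated like the real API
        ids = list(self.KEYS)
        if Marker is None:
            return {"Keys": [{"KeyId": k} for k in ids[:2]], "Truncated": True, "NextMarker": ids[2]}
        return {"Keys": [{"KeyId": k} for k in ids[ids.index(Marker):]], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, **self.KEYS[KeyId]}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.ROTATION[KeyId]}


if __name__ == "__main__":
    for key_id, finding in audit_rotation(FakeKms()).items():
        print(f"{key_id}: {finding}")
```

The order of the checks is the point: get_key_rotation_status is not consulted for an imported, asymmetric or AWS-managed key because the answer there is already settled by describe_key, and a key in PendingDeletion is reported on its state rather than on its rotation flag, since the flag is irrelevant until the deletion is cancelled.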

218
MCQhard

A company is deploying a multi-tier application on AWS. The web tier must be publicly accessible, but the application tier must only be accessible from the web tier. The database tier should not be accessible from the internet at all. Which combination of security groups and network ACLs should be used?

A.Use security groups: allow 0.0.0.0/0 on all ports to web tier, allow all traffic between all instances.
B.Place all instances in the same security group with inbound rules allowing only ports 80/443 from 0.0.0.0/0.
C.Use security groups: allow 0.0.0.0/0 on port 80/443 to web tier, allow web tier security group to app tier, allow app tier security group to database tier.
D.Use network ACLs: allow 0.0.0.0/0 on port 80/443 to web subnet, allow web subnet to app subnet, allow app subnet to database subnet.
AnswerC

Referencing security groups, tier by tier, gives the required isolation.

Why this answer

Security groups default to deny all inbound traffic and are stateful, so return traffic needs no rule. Allowing 80/443 from 0.0.0.0/0 into the web tier, allowing the application port into the app tier only from the web tier's security group, and allowing the database port into the database tier only from the app tier's security group gives the required isolation; referencing security groups rather than CIDR ranges means the rules follow instances as they scale. Network ACLs are stateless subnet-level filters; they are not required when the security groups are correct, but can be layered on as a coarse second control. Option A allows everything between instances, Option B puts the database in the same internet-exposed group, and Option D relies on NACLs alone, which need explicit return-traffic rules and cannot reference groups.

219
Multi-Selectmedium

A DevOps engineer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. Which TWO methods can achieve this?

Select 2 answers
A.Enable encryption when creating the DB instance using a customer-managed KMS key.
B.Enable encryption when creating the DB instance using the AWS managed KMS key.
C.Use the default RDS encryption with a customer-managed key without KMS.
D.Enable encryption on an existing unencrypted DB instance by modifying the instance.
E.Use client-side encryption with the RDS SDK.
AnswersA, B

Either the AWS managed aws/rds key or a customer managed key can back the encryption.

Why this answer

Options A and B are correct because encryption at rest is selected when the DB instance is created and is backed by a KMS key; the difference is only who controls the key policy (a customer managed key can be audited, restricted and shared across accounts for snapshot copies). Option D is wrong because encryption cannot be turned on for an existing unencrypted instance by modifying it; snapshot, encrypted snapshot copy and restore is the route. Option C is wrong because RDS encryption always uses KMS, so a 'customer-managed key without KMS' does not exist.

Option E is wrong because there is no RDS SDK for client-side encryption; encrypting values in the application is possible but is an application change, not an RDS feature.

220
Multi-Selecthard

A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which solution is MOST efficient and scalable? (Choose THREE.)

Select 3 answers
A.Use AWS Trusted Advisor to check for open S3 buckets and send alerts.
B.Apply a service control policy (SCP) to deny s3:PutBucketAcl that makes buckets public.
C.Manually review each account's S3 bucket permissions weekly.
D.Use AWS Config with a managed rule to detect publicly accessible S3 buckets.
E.Use Amazon CloudWatch Events to trigger a Lambda function that remediates non-compliant buckets.
AnswersB, D, E

Preventive, detective and corrective controls together, applied organization-wide.

Why this answer

Options B, D and E are correct. AWS Config's managed rules (s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, s3-bucket-level-public-access-prohibited) detect exposure, and with an aggregator or a conformance pack deployed through AWS Organizations they cover every account. An EventBridge (formerly CloudWatch Events) rule on the Config compliance-change event invokes a Lambda function that applies the fix, for example by setting the bucket's public access block; AWS Config remediation actions backed by SSM Automation documents (such as AWS-DisableS3BucketPublicReadWrite) are the managed alternative. An SCP prevents the change in the first place; in practice, denying s3:PutBucketAcl alone is incomplete because bucket policies and object ACLs can also grant public access, so the stronger guardrail is to enable account-level S3 Block Public Access everywhere and use the SCP to deny s3:PutAccountPublicAccessBlock and s3:DeleteAccountPublicAccessBlock so nobody can switch it off.

Option C is wrong because weekly manual review neither scales nor detects exposure promptly. Option A is wrong because Trusted Advisor checks run per account, are informational, and remediate nothing.
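The corrective half of the solution above is the function EventBridge invokes when Config reports a bucket NON_COMPLIANT. The following is an added example, not code from the page: a Lambda handler that consumes the 'Config Rules Compliance Change' event for one of the S3 public-access managed rules and applies a full public access block to the offending bucket. The sample event, account ID and bucket name are constructed, and FakeS3 stands in for boto3 so the logic runs offline.

```python
"""Added example (not from the page): the Lambda remediation step of the
solution above.  It consumes the EventBridge 'Config Rules Compliance Change'
event for one of the S3 public-access managed rules and applies a full public
access block to the offending bucket.  The sample event, account ID and bucket
name are constructed; FakeS3 replaces boto3 so the logic runs offline."""
import json

PUBLIC_ACCESS_RULES = {
    "s3-bucket-public-read-prohibited",
    "s3-bucket-public-write-prohibited",
    "s3-bucket-level-public-access-prohibited",
}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def bucket_to_remediate(event):
    """Bucket name if this is a NON_COMPLIANT S3 result from one of the
    public-access rules; None for anything else (other rules, COMPLIANT
    transitions, non-bucket resources, unrelated events)."""
    if (event.get("source") != "aws.config"
            or event.get("detail-type") != "Config Rules Compliance Change"):
        return None
    detail = event["detail"]
    result = detail["newEvaluationResult"]
    rule = result["evaluationResultIdentifier"]["evaluationResultQualifier"]["configRuleName"]
    if detail["resourceType"] != "AWS::S3::Bucket" or rule not in PUBLIC_ACCESS_RULES:
        return None
    if result["complianceType"] != "NON_COMPLIANT":
        return None
    return detail["resourceId"]   # Config's resourceId for a bucket is its name


def remediate(event, s3):
    """Apply the block and return a record for the function log."""
    bucket = bucket_to_remediate(event)
    if bucket is None:
        return {"action": "ignored"}
    # execution role needs s3:PutBucketPublicAccessBlock on arn:aws:s3:::*
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    return {"action": "blocked", "bucket": bucket, "account": event["detail"].get("awsAccountId")}


def lambda_handler(event, context):
    import boto3
    # For other accounts in the organization, assume a remediation role in
    # event["detail"]["awsAccountId"] with STS and build the client from it.
    result = remediate(event, boto3.client("s3"))
    print(json.dumps(result))
    return result


# constructed sample event in the shape EventBridge delivers from AWS Config
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "awsAccountId": "111122223333",
        "awsRegion": "us-east-1",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-public-bucket",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "evaluationResultIdentifier": {
                "evaluationResultQualifier": {
                    "configRuleName": "s3-bucket-public-read-prohibited"}},
        },
    },
}


class FakeS3:
    """Records put_public_access_block calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    fake = FakeS3()
    print(remediate(SAMPLE_EVENT, fake), fake.calls)
```

The parsing is deliberately strict: a COMPLIANT transition, a different rule, or a non-bucket resource returns early without touching anything, so a rule pattern that is broader than intended cannot turn this function into one that blocks buckets it was never meant to. Blocking public access is idempotent and reversible, which is what makes it a safe automatic action; deleting a bucket policy outright would not be.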

221
MCQmedium

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifyVpc","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateVpc","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
AnswerC

Correctly denies both CreateVpc and ModifyVpc.

Why this answer

Option C is correct because it denies both the ec2:CreateVpc and ec2:ModifyVpc actions, which covers the operations the question names. A service control policy (SCP) with a Deny effect overrides any Allow permissions, ensuring that no IAM user or role in any account under the root OU can perform these actions, even if attached IAM policies grant them. In practice the list should be wider: ec2:CreateDefaultVpc, ec2:ModifyVpcAttribute, ec2:ModifyVpcTenancy and ec2:DeleteVpc also create or change VPCs, and SCPs never apply to the management account or to service-linked roles, so those remain outside the guardrail.

Exam trap

The trap here is that candidates often focus on only one action (Create or Modify) and forget that both are needed to fully prevent VPC creation and modification, or they mistakenly think an Allow SCP can restrict access when SCPs are primarily used for Deny boundaries.

How to eliminate wrong answers

Option A is wrong because it only denies ec2:ModifyVpc, leaving the ec2:CreateVpc action unblocked, so users could still create new VPCs. Option B is wrong because it only denies ec2:CreateVpc, leaving ec2:ModifyVpc unblocked, so existing VPCs could still be modified. Option D is wrong because an Allow statement in an SCP does not restrict access; SCPs are used to deny or allow permissions, but an Allow SCP does not override other Deny policies and, more importantly, does not prevent the actions—it would actually permit them, which is the opposite of the security team's requirement.

222
MCQmedium

A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?

A.Use AWS Trusted Advisor to check CloudTrail configuration and email the security team.
B.Enable Amazon GuardDuty and configure a custom threat list to monitor CloudTrail API calls.
C.Create an AWS Config rule to detect changes to CloudTrail configuration and send an SNS notification.
D.Create an Amazon CloudWatch Events rule that matches the UpdateTrail API call and triggers an SNS notification.
AnswerD

An EventBridge rule matches the API call as it is recorded and can alert within seconds.

Why this answer

Option D is correct: EventBridge (formerly CloudWatch Events) receives management API calls recorded by CloudTrail as 'AWS API Call via CloudTrail' events, so a rule on the aws.cloudtrail source can match the call and publish to SNS as soon as it happens. The call that actually disables logging is StopLogging, and DeleteTrail removes the trail entirely, so the rule should match those alongside UpdateTrail and PutEventSelectors, which are used to narrow what a trail records. Option C is wrong because an AWS Config rule (cloudtrail-enabled) evaluates the trail's configuration on a change or on a schedule and reports compliance; it is useful as a second check but is not the immediate event path the question asks for. Option B is wrong because GuardDuty threat lists are lists of IP addresses, not API names; GuardDuty does raise a Stealth:IAMUser/CloudTrailLoggingDisabled finding, but that is a managed detection rather than something configured from a threat list.

Option A is wrong because Trusted Advisor performs periodic best-practice checks and provides no real-time alerting. Pair the alert with a preventive control: an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail on the organization's trail.
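The rule described above is an event pattern; what it matches decides whether StopLogging slips past an alert written only for UpdateTrail. The following is an added example, not code from the page: the pattern for CloudTrail tampering together with a matcher that runs constructed CloudTrail events through it. The matcher implements only the exact-value subset of EventBridge pattern syntax this rule needs; the events, trail name and principal are made up.

```python
"""Added example (not from the page): the EventBridge rule pattern for
CloudTrail tampering and a matcher that runs constructed CloudTrail events
through it.  The matcher implements only the exact-value subset of EventBridge
pattern syntax this rule needs; the events, trail name and principal are made up."""
import json

# StopLogging is the call that actually disables a trail; DeleteTrail removes it;
# UpdateTrail and PutEventSelectors can quietly narrow what it records.
CLOUDTRAIL_TAMPER_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"],
    },
}


def matches(pattern, event):
    """EventBridge exact-value semantics: every pattern key must exist in the
    event, a list of candidates is OR, nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def alert_message(event):
    """Text for the SNS notification: who did what to which trail, from where."""
    d = event["detail"]
    who = d["userIdentity"].get("arn", d["userIdentity"]["type"])
    trail = d.get("requestParameters", {}).get("name", "?")
    return f"{d['eventName']} on trail {trail} by {who} from {d['sourceIPAddress']} at {d['eventTime']}"


def _api_event(name, params, service="cloudtrail"):
    """Constructed 'AWS API Call via CloudTrail' envelope as EventBridge delivers it."""
    return {
        "source": f"aws.{service}",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": f"{service}.amazonaws.com",
            "eventName": name,
            "eventTime": "2024-05-01T10:15:00Z",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": params,
        },
    }


SAMPLES = {
    "stop": _api_event("StopLogging", {"name": "org-trail"}),
    "delete": _api_event("DeleteTrail", {"name": "org-trail"}),
    "describe": _api_event("DescribeTrails", {"trailNameList": ["org-trail"]}),
    "bucket": _api_event("PutBucketPolicy", {"bucketName": "example-bucket"}, service="s3"),
}


def triggered(samples=SAMPLES):
    """Which samples the rule would forward to the SNS target."""
    return {name: matches(CLOUDTRAIL_TAMPER_PATTERN, ev) for name, ev in samples.items()}


if __name__ == "__main__":
    print(json.dumps(CLOUDTRAIL_TAMPER_PATTERN))   # paste into put_rule(EventPattern=...)
    for name, ev in SAMPLES.items():
        if matches(CLOUDTRAIL_TAMPER_PATTERN, ev):
            print(alert_message(ev))
```

EventBridge rules are regional and CloudTrail API calls are delivered in the region where they were made, so deploy the rule (and its SNS target) in every region where a trail could be stopped, not only where the security team's tooling lives.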

223
MCQhard

A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?

A.Use an IAM policy to restrict s3:GetObject to objects encrypted with the vendor's KMS key.
B.Use CodePipeline's built-in artifact signing feature.
C.Use S3 pre-signed URLs to download artifacts.
D.Configure S3 server-side encryption with AWS KMS using the vendor's KMS key and allow only that key.
AnswerD

Restricting which key the pipeline can decrypt with verifies that objects were encrypted under the expected key.

Why this answer

Option D is correct within the choices offered: the vendor encrypts artifacts with SSE-KMS under its key, and the pipeline's role is granted kms:Decrypt on that key only, so an object encrypted under any other key (or unencrypted, if the bucket policy denies such uploads) cannot be read by the pipeline. This is a control over who could produce readable artifacts, not a cryptographic signature: anyone with kms:GenerateDataKey or kms:Encrypt on the vendor's key can produce an acceptable object, and integrity is not checked independently of decryption. Where provenance matters, have the vendor sign artifacts (for example with AWS Signer or Sigstore cosign for images) and verify the signature in a pipeline stage before the deploy action. Option C is wrong because a pre-signed URL authorizes a download; it says nothing about who produced the content. Option A is wrong because the key an object was encrypted with is not a condition key on s3:GetObject; the enforcement point is which keys the reader is allowed to decrypt with.

Option B is wrong because CodePipeline has no built-in artifact signing or signature verification feature.

224
MCQmedium

A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?

A.Use AWS Secrets Manager to store the credentials and configure automatic rotation with the RDS rotation Lambda blueprint.
B.Store credentials in AWS Systems Manager Parameter Store and use a Lambda function to rotate them.
C.Store credentials in an S3 bucket encrypted with KMS and use S3 Lifecycle policies to rotate the objects.
D.Use IAM roles to grant the EC2 instance access to the database, eliminating the need for credentials.
AnswerA

Secrets Manager supports automatic rotation via Lambda, including a built-in RDS rotation template.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, managing, and automatically rotating database credentials. It provides a built-in RDS rotation Lambda blueprint that can be configured to rotate credentials every 30 days without custom code. This fully managed rotation capability meets the requirement for automatic, scheduled rotation with minimal operational overhead.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store's ability to store secrets (with SecureString) with the automatic rotation capability, but Parameter Store lacks built-in rotation scheduling and requires custom Lambda code, making Secrets Manager the only fully managed solution for automatic credential rotation.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not natively support automatic rotation of credentials; while you can use a Lambda function to rotate them, this requires custom development and lacks the built-in rotation scheduling and integration with RDS that Secrets Manager provides. Option C is wrong because S3 Lifecycle policies are designed for object expiration and transition, not for rotating credential values; they cannot update the content of an object or trigger a credential change. Option D is wrong because IAM roles grant permissions to AWS services, not to databases; while IAM database authentication is supported for RDS (using an auth token), it eliminates the need for static credentials but does not involve rotating stored credentials every 30 days, and the question explicitly requires storing and rotating credentials.

225
MCQhard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?

A.Embed the IAM user credentials in the container image
B.Store AWS access keys in AWS Secrets Manager and retrieve them at runtime
C.Use an IAM role for the EC2 instance if using EC2 launch type
D.Create an IAM role for the ECS task and reference it in the task definition
AnswerD

The task IAM role provides temporary credentials automatically, scoped to the task.

Why this answer

Option D is correct because ECS tasks using the Fargate launch type can assume an IAM role that is specified in the task definition. This IAM role provides temporary credentials via the ECS task metadata endpoint, ensuring that the application never uses long-term credentials and that permissions are scoped precisely to that task. The Security team's requirements are fully met by this approach.

Exam trap

The trap here is that candidates may confuse the IAM role for the EC2 instance (Option C) with the ECS task role, or assume that Secrets Manager (Option B) is acceptable despite it still using long-term credentials, failing to recognize that Fargate tasks require a task-level IAM role for scoped, temporary access.

How to eliminate wrong answers

Option A is wrong because embedding IAM user credentials in the container image violates the requirement to never use long-term credentials and creates a security risk if the image is compromised. Option B is wrong because while Secrets Manager can securely store AWS access keys, those keys are still long-term credentials, which the Security team explicitly prohibits. Option C is wrong because the question specifies Fargate launch type, not EC2; an IAM role for the EC2 instance would not apply to Fargate tasks, and even with EC2 launch type, it would not scope access to the specific ECS task.
