CCNA Security and Compliance Questions

63 of 288 questions · Page 4/4 · Security and Compliance · Answers revealed

226
MCQmedium

A company uses AWS CodeBuild to build and test code. The build process needs to access a private Amazon RDS database to run integration tests. What is the most secure way to provide database credentials to the build project?

A.Store the credentials as environment variables in the build project configuration.
B.Store the credentials in AWS Systems Manager Parameter Store as a SecureString parameter.
C.Store the credentials in AWS Secrets Manager and grant the CodeBuild service role permission to retrieve them.
D.Store the credentials in an encrypted S3 bucket and download them during the build phase.
AnswerC

Secrets Manager provides secure, auditable access to secrets.

Why this answer

Option B is correct because AWS Secrets Manager provides secure storage and retrieval of secrets, and CodeBuild can access them using a service role. Option A is wrong because environment variables are visible in plain text. Option C is wrong because storing credentials in S3 is less secure and requires additional access.

Option D is wrong because parameter store does not support automatic rotation.

227
MCQmedium

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. What is the most likely cause?

A.The Lambda function's execution role lacks the required IAM permissions.
B.The Lambda function is not configured to access the VPC where the RDS instance resides.
C.The secret rotation schedule is set to less than 24 hours.
D.The Lambda function does not have permission to access the S3 bucket.
AnswerB

Without VPC access, Lambda cannot reach the database, causing timeout.

Why this answer

The most likely cause of the timeout error is that the Lambda function is not configured to access the VPC where the RDS instance resides. When Secrets Manager rotates a secret for an RDS database, the rotation Lambda function must connect to the database to update the credentials. If the Lambda function is not attached to the same VPC (or a VPC with proper routing and security group rules), it cannot reach the RDS instance, causing network connection attempts to hang until the function times out.

Exam trap

The trap here is that candidates often confuse IAM permission errors (which produce immediate failures) with network connectivity issues (which cause timeouts), leading them to incorrectly select the IAM role option when the symptom is a timeout rather than an access denied error.

How to eliminate wrong answers

Option A is wrong because IAM permission issues typically result in an access denied error, not a timeout; the Lambda function would fail immediately with a 403 or similar, not hang until the timeout limit. Option C is wrong because the rotation schedule (e.g., every 24 hours or less) does not cause individual rotation executions to timeout; the schedule only controls how often rotation is triggered, not the duration of the Lambda invocation. Option D is wrong because Secrets Manager rotation for RDS does not require S3 bucket access; the Lambda function only needs network connectivity to the database and permissions to call Secrets Manager APIs, not S3.

228
MCQmedium

A DevOps engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role attached with a policy that allows s3:GetObject. The S3 bucket policy explicitly denies access to the instance's role. What is the result?

A.Access is denied only if the bucket is encrypted
B.Access is allowed only if the instance is in the same region
C.Access is allowed because the IAM role allows it
D.Access is denied because the bucket policy explicitly denies
AnswerD

The explicit deny in the bucket policy takes precedence over the allow.

Why this answer

An explicit deny in any policy overrides any allow. The bucket policy deny takes precedence over the IAM role allow, so access is denied. Evaluation logic is that an explicit deny prevents access.

229
MCQhard

A company has a multi-account AWS environment managed by AWS Organizations. The DevOps team uses AWS CloudFormation StackSets to deploy a standard VPC across all member accounts. The security team has noticed that in some accounts, the VPC is being modified after deployment, allowing inbound SSH access from the internet. The team wants to automatically detect and remediate these changes. The current setup includes: AWS Config enabled in all accounts with a rule that checks for unrestricted SSH access; an SNS topic in the management account that receives compliance change notifications; and a Lambda function in the management account that can remediate by updating the security group rules. However, the remediation is not working consistently. What is the most likely reason, and what is the best solution?

A.The AWS Config rule is not evaluating correctly in member accounts.
B.The Lambda function's IAM role does not have permissions to modify security groups in member accounts.
C.The SNS topic is not delivering messages to the Lambda function due to cross-account access issues.
D.CloudFormation StackSets is overriding the changes, causing a race condition.
AnswerB

Remediation requires appropriate IAM permissions in each account.

Why this answer

Option C is correct because AWS Config rules in member accounts cannot directly trigger cross-account remediation via SNS unless the Lambda function has permission to modify resources in those accounts. The most likely issue is that the Lambda function's IAM role does not have permissions to modify security groups in member accounts. The best solution is to use AWS Config conformance packs with remediation actions that are deployed to each member account, which can then execute remediation locally.

Option A is wrong because the Config rule itself is working (it detects changes). Option B is wrong because the SNS topic is receiving notifications, but the Lambda function's role lacks cross-account permissions. Option D is wrong because StackSets are for initial deployment, not for ongoing compliance.

230
MCQmedium

An S3 bucket has the above bucket policy. What is the effect of this policy?

A.It allows anonymous access to the bucket over HTTPS
B.It denies all access to the bucket regardless of protocol
C.It denies access to the bucket if the request is not sent over HTTPS
D.It allows access only from specific IP addresses
AnswerC

The Deny effect with condition aws:SecureTransport false blocks non-HTTPS requests.

Why this answer

The policy denies all S3 actions when aws:SecureTransport is false, i.e., when the request is not using HTTPS. This effectively enforces HTTPS for all access to the bucket. Option A is correct.

It does not allow anonymous access (B). It does not deny all access (C). It does not allow only specific IPs (D).

231
MCQmedium

Refer to the exhibit. A DevOps engineer created an IAM role 'MyLambdaRole' for a Lambda function. The Lambda function needs to write logs to CloudWatch Logs. However, the function is not able to create log streams. What is the most likely missing configuration?

A.The role name is not prefixed with 'AWSLambda'.
B.The role does not have an inline or managed policy that grants permissions for CloudWatch Logs.
C.The role ARN is incorrectly formatted.
D.The trust policy does not allow Lambda to assume the role.
AnswerB

Missing permissions for logging.

Why this answer

Option A is correct because the role lacks an attached policy for CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents). Option B is wrong because the trust policy is correct. Option C is wrong because the role name is fine.

Option D is wrong because the ARN is correct.

232
MCQhard

A company uses AWS CodePipeline to deploy a web application to an Auto Scaling group. The security team requires that all artifacts in the pipeline be encrypted at rest. The pipeline uses an S3 bucket as the artifact store. Which combination of actions should the DevOps engineer take to meet this requirement with minimal operational overhead?

A.Use AWS Certificate Manager to encrypt the artifacts.
B.Enable S3 default encryption with SSE-S3 on the artifact bucket.
C.Use an AWS Lambda function to encrypt artifacts after each pipeline stage.
D.Create a customer-managed KMS key and configure the pipeline to use it for artifact encryption.
AnswerB

Simplest method with minimal overhead.

Why this answer

Option D is correct because enabling default encryption on the S3 bucket with SSE-S3 is the simplest way to encrypt all objects at rest. Option A is wrong because SSE-KMS requires managing a KMS key and additional permissions. Option B is wrong because client-side encryption is not natively supported by CodePipeline.

Option C is wrong because it only encrypts new objects, not existing; but default encryption applies to all new objects, and existing ones can be copied.

233
Multi-Selecthard

A security team wants to enforce that all Amazon S3 buckets in the organization are encrypted at rest. Which actions can achieve this? (Select THREE.)

Select 3 answers
A.Enable S3 Block Public Access at the account level
B.Set up Cross-Region Replication for all buckets
C.Configure an AWS Config rule to detect unencrypted buckets and trigger remediation
D.Apply a bucket policy that denies PutObject requests without the x-amz-server-side-encryption header
E.Use an SCP to require encryption on all S3 buckets
AnswersC, D, E

Config can automatically remediate by applying encryption.

Why this answer

You can create an SCP to deny creation of buckets without encryption, use a Config rule to detect noncompliant buckets, and use a bucket policy to deny PutObject without encryption headers. S3 Block Public Access is for preventing public access, not encryption. Cross-Region Replication does not enforce encryption.

234
MCQmedium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all unused IAM users are automatically identified and removed after 90 days of inactivity. What is the MOST effective solution?

A.Use the IAM credential report to review last activity dates and manually delete users.
B.Enable CloudTrail Insights to detect inactive users and send alerts.
C.Use an AWS Config rule to detect IAM users and trigger a Lambda function to delete them after 90 days.
D.Use IAM Access Analyzer to generate findings for unused access and automate user removal with a Lambda function.
AnswerD

Access Analyzer tracks unused access and can trigger automation.

Why this answer

Option C is correct because IAM Access Analyzer can track unused access and generate findings, which can be used to automate user removal. Option A is wrong because IAM credential report is manual. Option B is wrong because Config can detect user creation but not inactivity.

Option D is wrong because CloudTrail logs API calls but requires custom analysis.

235
MCQeasy

A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?

A.Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables in the AMI.
B.Create an IAM role with the required permissions and attach it to the EC2 instance as an instance profile.
C.Store AWS access keys in the EC2 user data script.
D.Retrieve the credentials from AWS Systems Manager Parameter Store using a custom script.
AnswerB

Instance profiles provide automatic rotation of temporary credentials and are the recommended best practice.

Why this answer

Option B is correct because IAM roles with instance profiles provide temporary, automatically rotated credentials to EC2 instances via the AWS STS service. This eliminates the need to hardcode or store long-term access keys on the instance, adhering to the principle of least privilege and improving security posture.

Exam trap

The trap here is that candidates may think storing credentials in user data or an AMI is acceptable for automation, but the exam emphasizes that any static, long-term credentials on an instance are insecure and violate AWS best practices, whereas IAM roles provide secure, temporary, and automatically rotated credentials.

How to eliminate wrong answers

Option A is wrong because embedding AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in an AMI creates static, long-term credentials that are difficult to rotate, can be exposed if the AMI is shared or copied, and violate security best practices. Option C is wrong because storing access keys in EC2 user data is insecure—user data is visible to anyone with access to the instance metadata (e.g., via http://169.254.169.254/latest/user-data) and keys are not automatically rotated. Option D is wrong because while Systems Manager Parameter Store can store credentials, it requires the instance to have an IAM role or static keys to retrieve them, and it does not natively provide automatic credential rotation or direct integration with EC2's credential provider chain; a custom script adds complexity and potential security gaps.

236
MCQeasy

A company wants to automatically detect and respond to suspicious activity in their AWS account. Which service should be used to generate alerts based on threat intelligence?

A.Amazon GuardDuty
B.AWS Config
C.Amazon Inspector
D.Amazon CloudWatch
AnswerA

GuardDuty uses threat intelligence to detect suspicious activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using threat intelligence. Inspector is for vulnerability scanning. Config is for resource configuration.

CloudWatch is for monitoring metrics and logs but does not have built-in threat intelligence.

237
Multi-Selectmedium

Which TWO AWS services can be used to monitor and detect unauthorized access to AWS resources? (Choose two.)

Select 2 answers
A.AWS Shield
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS CloudTrail
E.AWS Config
AnswersB, D

GuardDuty is a threat detection service that uses machine learning and anomaly detection to identify unauthorized behavior.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior by analyzing VPC Flow Logs, DNS logs, and AWS CloudTrail management and data events. It uses machine learning and integrated threat intelligence to detect anomalies such as unusual API calls, crypto-mining activity, or compromised credentials, making it a correct choice for detecting unauthorized access.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with a security monitoring service, but Config does not analyze logs or detect unauthorized access; it only records resource state changes and evaluates compliance rules.

238
MCQeasy

A company wants to centrally manage user access to multiple AWS accounts using federated identity. Which AWS service should be used to create a single sign-on (SSO) solution?

A.AWS IAM Identity Center (AWS SSO)
B.AWS Organizations
C.AWS Directory Service for Microsoft Active Directory
D.Amazon Cognito
AnswerA

IAM Identity Center provides SSO across multiple AWS accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it is purpose-built to centrally manage user access and permissions across multiple AWS accounts and applications from a single place. It allows you to create or connect your existing identity source (e.g., Active Directory, Okta, Azure AD) and then define fine-grained permission sets that map users or groups to specific roles in each account, enabling a true single sign-on (SSO) experience without needing to create IAM users in every account.

Exam trap

The trap here is that candidates often confuse AWS Organizations (which manages accounts and policies) with IAM Identity Center (which manages user identities and SSO), or they think that Directory Service alone provides SSO across accounts, when in fact it only provides the directory backend and requires an additional federation service like IAM Identity Center to bridge authentication to multiple AWS accounts.

How to eliminate wrong answers

Option B (AWS Organizations) is wrong because it provides centralized governance and policy management for multiple AWS accounts (e.g., via Service Control Policies), but it does not handle user authentication or SSO; it is a prerequisite for using IAM Identity Center but not the SSO solution itself. Option C (AWS Directory Service for Microsoft Active Directory) is wrong because it is a managed Microsoft AD directory service that can serve as an identity source, but it does not natively provide the multi-account permission management or SSO portal; you would still need IAM Identity Center to federate access across accounts. Option D (Amazon Cognito) is wrong because it is designed for customer-facing identity and access management for web and mobile applications, not for managing workforce access to AWS accounts or providing SSO across multiple AWS accounts.

239
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

A.AWS owned key
B.Custom key store backed by CloudHSM
C.Customer managed key (CMK)
D.AWS managed key (aws/s3)
AnswerC

Customer managed keys allow you to enable automatic rotation with a customizable period (default 365 days).

Why this answer

AWS managed keys (aws/s3) are automatically rotated every year (365 days). Customer managed keys allow you to set a custom rotation period (any length between 90 days and 10 years) but require enabling rotation. The key is that aws/s3 keys rotate automatically without any configuration.

However, the question says 'all encryption keys' and 'every 365 days' - both options can achieve that, but aws/s3 keys are automatically rotated, while customer managed keys need rotation enabled. The best practice is to use the most appropriate. But note: customer managed keys can be rotated automatically if you enable it.

The question might be ambiguous, but typical exam scenario: use customer managed keys for more control. However, the security team requires automatic rotation; both can do it. The nuance: customer managed keys have a rotation period that you can set, but the default is 365 days when you enable rotation.

So both work. But the question says 'which type' - likely they want customer managed because it allows you to control the policy. However, aws/s3 keys are automatically rotated and cannot be customized.

Since the requirement is 'every 365 days', which is the default for both, but aws/s3 keys are already rotated on that schedule. I think the answer is 'Customer managed key' because it's a key you own and have control over the rotation policy. Actually, aws/s3 keys are rotated annually, but you cannot view or manage them.

For compliance, you might need to control the key. So I'll go with customer managed key.

240
Multi-Selectmedium

A company is designing a secure CI/CD pipeline using AWS CodePipeline. The pipeline must comply with the principle of least privilege for IAM permissions. Which TWO actions should the DevOps engineer take? (Choose TWO.)

Select 2 answers
A.Use the same IAM role for all pipeline stages to simplify management.
B.Use an SCP to deny all pipeline actions except those explicitly allowed.
C.Attach an IAM policy to the pipeline itself that grants full access to all services.
D.Scope IAM policies to specific resources, such as specific S3 buckets and CodeBuild projects.
E.Create separate IAM roles for CodeBuild and CodeDeploy with only the permissions they require.
AnswersD, E

Resource-level scope limits permissions.

Why this answer

Option A is correct because using separate roles for each action limits permissions. Option D is correct because scoping permissions to specific resources follows least privilege. Option B is wrong because a single role with all permissions is not least privilege.

Option C is wrong because using the same role is not secure. Option E is wrong because SCPs are for organization-level, not pipeline.

241
Multi-Selecthard

A company's Security team wants to detect and alert on the creation of IAM users with console access. Which THREE services should be used?

Select 3 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.Amazon GuardDuty
E.Amazon CloudWatch Alarms
AnswersA, B, E

CloudTrail records all IAM user creation events.

Why this answer

CloudTrail logs the CreateUser and CreateLoginProfile API calls. CloudWatch Logs can receive CloudTrail logs and create metric filters. CloudWatch Alarms can trigger on the metric.

Config can track resource changes but not as efficient for alerting on API calls. GuardDuty does not specifically focus on IAM user creation.

242
MCQeasy

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation is configured to occur every 30 days. The DevOps engineer notices that the latest secret version is not being used by the application after rotation. The application is an EC2 instance that retrieves the secret using the AWS SDK. The engineer checks the secret and sees that the rotation succeeded and the new version is marked as 'AWSCURRENT'. The EC2 instance role has permissions to retrieve the secret. What is the most likely reason the application is still using the old secret?

A.The application caches the secret value and does not refresh it until the cache expires or the application is restarted.
B.The secret is in a different AWS Region than the application.
C.The EC2 instance does not have permission to call secretsmanager:GetSecretValue.
D.The rotation Lambda function is not updating the secret version label to AWSCURRENT.
AnswerA

Caching is a common cause of stale secrets.

Why this answer

The application might be caching the secret and not refreshing it after rotation. Option A is correct. Option B is about rotation function, but rotation succeeded.

Option C is about the secret being in different region, but the application uses same region. Option D is about the application's IAM role missing permission, but it has permissions.

243
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS. Which approach should be used to ensure compliance?

A.Attach a service control policy (SCP) to all accounts that denies s3:PutBucketEncryption or s3:PutObject without encryption.
B.Apply an S3 bucket policy on each account's buckets to deny unencrypted object uploads.
C.Create an IAM policy in the master account that denies S3:PutObject without encryption.
D.Use AWS Config rules to evaluate S3 bucket encryption and trigger a remediation action via AWS Systems Manager Automation.
AnswerA

SCPs can centrally prevent actions across all accounts in the organization.

Why this answer

Option D is correct because a service control policy (SCP) can deny actions that create or modify S3 buckets without encryption. Option A is wrong because Config rules only detect non-compliance, they don't enforce. Option B is wrong because bucket policies are per-bucket and cannot be applied globally.

Option C is wrong because an IAM policy in the master account does not affect member accounts.

244
Multi-Selecteasy

Which TWO AWS services can be used to monitor for unauthorized API calls in an AWS account? (Choose two.)

Select 2 answers
A.AWS Config
B.Amazon S3
C.Amazon CloudWatch Logs
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersD, E

CloudTrail records API calls and can be used to detect unauthorized calls.

Why this answer

AWS CloudTrail records API calls and can be used to monitor for unauthorized activity. AWS Config evaluates resource configurations against rules. GuardDuty provides intelligent threat detection using CloudTrail logs, VPC Flow Logs, and DNS logs.

CloudWatch Logs can store logs but does not directly monitor for unauthorized calls. S3 is for storage.

245
MCQeasy

Refer to the exhibit. This S3 bucket policy allows the root user of account 111122223333 to perform which actions?

A.Change the bucket policy
B.Delete objects from the bucket
C.Read and write objects in the bucket
D.List objects in the bucket
AnswerC

GetObject and PutObject allow reading and writing objects.

Why this answer

The policy grants s3:GetObject and s3:PutObject to the root user of the specified account. It does not grant other actions. The resource is objects under my-bucket.

The principal is the root user of the other account.

246
MCQhard

A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?

A.Create a scheduled job that runs every 30 days to update the secret in Secrets Manager with a new password.
B.Store the credentials in AWS Systems Manager Parameter Store and configure automatic rotation using a Lambda function.
C.Use the AWS RDS automatic password rotation feature, which automatically updates the password every 30 days.
D.Configure Secrets Manager to automatically rotate the secret every 30 days using a Lambda rotation function, and have the application retrieve the secret using the Secrets Manager API.
AnswerD

Secrets Manager provides built-in rotation for RDS with a Lambda function, and the application can retrieve credentials on-the-fly.

Why this answer

Option D is correct because AWS Secrets Manager natively supports automatic rotation of secrets using a Lambda function that updates both the secret in Secrets Manager and the password in the RDS MySQL instance. This solution meets the 30-day rotation requirement without modifying application code, as the application retrieves the current secret via the Secrets Manager API, which automatically handles versioning and caching.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager's automatic rotation with a simple scheduled update of the secret value, or mistakenly believe that RDS or Parameter Store have built-in rotation capabilities, when in fact only Secrets Manager with a Lambda rotation function provides a fully automated, code-free solution.

How to eliminate wrong answers

Option A is wrong because creating a scheduled job to update the secret in Secrets Manager does not change the password in the RDS instance, leaving the database credential out of sync. Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of database credentials; it lacks the built-in rotation mechanism and Lambda integration that Secrets Manager provides. Option C is wrong because Amazon RDS does not have an automatic password rotation feature; password rotation must be implemented manually or via Secrets Manager with a Lambda function.

247
MCQeasy

A DevOps engineer needs to temporarily grant an external auditor read-only access to a specific S3 bucket for 24 hours. What is the most secure way to grant this access?

A.Generate a pre-signed URL for the objects and share the URL with the auditor.
B.Create an IAM user with a policy granting read-only access to the bucket.
C.Add a bucket policy that grants read-only access to the auditor's AWS account.
D.Share the access keys of an existing IAM user with the auditor.
AnswerA

Time-limited and does not require IAM user.

Why this answer

Option B is correct because a pre-signed URL grants time-limited access without sharing credentials. Option A is wrong because attaching a policy directly to the user grants permanent access. Option C is wrong because bucket policies are permanent.

Option D is wrong because sharing access keys violates security best practices.

248
MCQmedium

Refer to the exhibit. The command is run to investigate a potential security incident. The output shows no events. Which of the following is the MOST likely reason?

A.CloudTrail is not enabled to log management events in us-east-1
B.The CloudTrail trail is configured to log only data events
C.The event name is misspelled; it should be "Console Login"
D.The IAM user running the command does not have cloudtrail:LookupEvents permission
AnswerB

If the trail logs only data events, management events like ConsoleLogin are not recorded.

Why this answer

CloudTrail trails are region-specific unless configured to log all regions. Option A is wrong because CloudTrail logs management events by default. Option B is wrong because the command is correct.

Option D is wrong because the user may not have permission, but that would typically result in an access denied error, not empty output.

249
MCQeasy

A DevOps engineer needs to ensure that all API calls made to AWS are recorded for auditing purposes. Which AWS service should be used?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon VPC Flow Logs
AnswerA

CloudTrail records all AWS API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS, including the identity of the caller, the time of the call, the source IP address, and the request parameters. This provides a complete audit trail of user activity and API usage, which is essential for auditing, security analysis, and compliance requirements.

Exam trap

The trap here is confusing AWS Config (which tracks resource configuration changes) with CloudTrail (which records API calls), as both are used for auditing but serve fundamentally different purposes.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it evaluates and records resource configuration changes over time, not API calls; it tracks resource state and compliance rules, not the API actions that caused changes. Option C (Amazon CloudWatch Logs) is wrong because it aggregates and stores log data from applications and AWS services, but it does not natively capture API call records; it requires CloudTrail to deliver logs to it. Option D (Amazon VPC Flow Logs) is wrong because it captures IP traffic metadata (source/destination IP, ports, protocol) for network interfaces in a VPC, not the API calls made to AWS services.

250
MCQmedium

A company uses AWS KMS to encrypt data in S3. The security team requires that the key material be rotated every 90 days. What should be done to meet this requirement?

A.Create a customer managed key and enable automatic yearly rotation.
B.Use an AWS managed key (SSE-S3) and enable rotation.
C.Use a custom key store with imported key material and enable automatic rotation.
D.Create a customer managed key and manually rotate it every 90 days.
AnswerD

Customer managed keys support manual rotation.

Why this answer

Option D is correct because AWS KMS customer managed keys support manual rotation, which allows you to rotate the key material every 90 days as required. Automatic key rotation for customer managed keys is only available with a minimum rotation period of 365 days (yearly), so it cannot meet a 90-day requirement. Manual rotation creates a new backing key while retaining the old one for decryption of previously encrypted data, ensuring compliance with the 90-day rotation policy.

Exam trap

The trap here is that candidates assume automatic rotation can be configured to any interval, but AWS KMS only supports automatic rotation with a fixed 365-day period for customer managed keys, so a 90-day requirement forces manual rotation.

How to eliminate wrong answers

Option A is wrong because automatic yearly rotation for customer managed keys has a fixed period of 365 days, which cannot be changed to 90 days. Option B is wrong because AWS managed keys (SSE-S3) do not support user-controlled rotation; they are rotated automatically by AWS but the rotation schedule is not configurable and does not meet a specific 90-day requirement. Option C is wrong because a custom key store with imported key material does not support automatic rotation; you must manually re-import new key material to rotate, and automatic rotation is not available for imported keys.

251
MCQeasy

A company wants to automate patching of EC2 instances running Amazon Linux 2 while ensuring compliance with security policies. Which AWS service should be used?

A.AWS Trusted Advisor
B.Amazon Inspector
C.AWS Config
D.AWS Systems Manager Patch Manager
AnswerD

Patch Manager automates the patching process for EC2 instances.

Why this answer

AWS Systems Manager Patch Manager is the service designed to automate patching across EC2 instances and on-premises servers. Option A is wrong because AWS Config is for compliance auditing, not patching. Option B is wrong because Amazon Inspector is for vulnerability assessment.

Option D is wrong because AWS Trusted Advisor is for best practice checks.

252
MCQeasy

A security engineer needs to audit who accessed a specific S3 object and from which IP address over the past 30 days. Which AWS service should be used?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.Amazon S3 server access logs
D.AWS Config
AnswerC

Server access logs provide detailed records of requests.

Why this answer

Option D is correct because S3 server access logs provide detailed records of requests, including requester identity and IP address. Option A is wrong because CloudTrail records management events but not data events by default. Option B is wrong because CloudWatch Logs can store logs but not generate them.

Option C is wrong because Config records resource configuration, not access.

253
Multi-Selecthard

Which THREE measures can be taken to ensure that EC2 instances are compliant with a security policy that requires all instances to be in a VPC with specific tags? (Select THREE.)

Select 3 answers
A.Use AWS Config rules to detect non-compliant instances.
B.Use EC2 Auto Scaling to launch instances only in the correct VPC.
C.Apply an SCP that denies ec2:RunInstances unless the instance is in the correct VPC.
D.Use a custom AWS Lambda function triggered by CloudTrail to tag instances.
E.Use CloudWatch alarms to monitor instance launches.
AnswersA, C, D

Detects missing tags or non-VPC instances.

Why this answer

AWS Config rules can evaluate EC2 instances against a desired configuration, such as being in a VPC with specific tags. By using a custom or managed rule (e.g., 'required-tags' or 'ec2-instance-in-vpc'), you can detect non-compliant instances and trigger remediation actions. This provides continuous monitoring and reporting of compliance status without blocking the launch itself.

Exam trap

The trap here is that candidates confuse detective controls (AWS Config) with preventive controls (SCPs) or assume that monitoring tools like CloudWatch can enforce compliance, when in fact they only alert on operational metrics.

254
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to restrict the use of specific instance types across all accounts to reduce costs and enforce compliance. Which approach should be used?

A.Use AWS Config rules to detect non-compliant instance types
B.Apply a service control policy (SCP) to the root organizational unit to deny the instance types
C.Create IAM policies in each account to deny the use of the instance types
D.Use AWS CloudFormation templates to enforce instance type selection
AnswerB

SCPs can deny actions across all accounts.

Why this answer

SCPs in AWS Organizations allow central control over permissions across all accounts, including restricting instance types. Option A is wrong because IAM policies within accounts can be overridden by administrators. Option B is wrong because Config rules only detect non-compliance, not prevent.

Option D is wrong because CloudFormation is not an enforcement mechanism across all accounts.

255
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting attacks. Which AWS service should be integrated with the ALB?

A.AWS Network Firewall
B.AWS WAF
C.AWS Shield Advanced
D.Amazon GuardDuty
AnswerB

AWS WAF can be associated with an ALB to filter SQL injection and XSS attacks.

Why this answer

AWS WAF is a web application firewall that integrates directly with Application Load Balancers to inspect HTTP/HTTPS traffic. It uses managed rule groups to block common attack patterns like SQL injection (e.g., detecting malicious SQL keywords in query strings) and cross-site scripting (e.g., identifying script tags in user input). This makes it the correct choice for protecting web applications at Layer 7.

Exam trap

The trap here is that candidates confuse AWS WAF (Layer 7 application firewall) with AWS Network Firewall (Layer 3/4 stateful firewall) or AWS Shield (DDoS protection), not realizing that only WAF provides the specific rule sets needed for SQL injection and XSS mitigation.

How to eliminate wrong answers

Option A is wrong because AWS Network Firewall operates at Layers 3 and 4 (network and transport) and cannot inspect HTTP payloads for SQL injection or XSS patterns. Option C is wrong because AWS Shield Advanced provides DDoS protection at Layers 3/4 and 7 but does not include web application firewall rules for SQLi/XSS; it focuses on volumetric attack mitigation. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not inline HTTP request inspection.

256
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to prevent an S3 bucket from being publicly accessible? (Choose two.)

Select 2 answers
A.Enable S3 Versioning on the bucket.
B.Enable S3 Block Public Access at the bucket level.
C.Enable S3 Server Access Logging.
D.Configure a bucket policy that explicitly denies anonymous access.
E.Configure a lifecycle policy to delete objects.
AnswersB, D

This blocks all public access to the bucket.

Why this answer

Option B is correct because enabling S3 Block Public Access at the bucket level provides a centralized, override-proof mechanism to prevent any public access to the bucket, regardless of other policies or ACLs. This setting blocks all public access by default, including access granted via bucket policies, access control lists (ACLs), or object-level permissions, and cannot be overridden by any other S3 configuration.

Exam trap

The trap here is that candidates may think enabling S3 Versioning or Server Access Logging can prevent public access, but these features are designed for data protection and auditing, not for access control enforcement.

257
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to secure a web application running on EC2 instances behind an Application Load Balancer? (Choose two.)

Select 2 answers
A.Configure the EC2 instance security group to allow inbound traffic from 0.0.0.0/0 on port 443.
B.Use a network ACL to allow inbound HTTP/S traffic only from the ALB's subnet.
C.Place the EC2 instances behind an Amazon CloudFront distribution.
D.Enable AWS WAF on the ALB to filter malicious requests.
E.Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group.
AnswersD, E

AWS WAF provides a web application firewall that can block common attacks like SQL injection and cross-site scripting.

Why this answer

Using AWS WAF on the ALB protects against common web exploits. Ensuring the EC2 security groups only allow traffic from the ALB security group prevents direct access to EC2. Option A is wrong because allowing all traffic to EC2 is insecure.

Option C is wrong because a network ACL is stateless and less granular; security groups are better for this. Option E is wrong because CloudFront is a CDN, not a security feature for the ALB.

258
MCQeasy

A company needs to store sensitive data in Amazon S3 with encryption at rest. Which option provides the MOST control over the encryption keys?

A.Client-Side Encryption
B.Server-Side Encryption with Customer-Provided Keys (SSE-C)
C.Server-Side Encryption with S3-Managed Keys (SSE-S3)
D.Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
AnswerB

Customer provides and manages their own keys.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) gives you full control over the encryption keys because you provide and manage the key material yourself. Amazon S3 performs the encryption and decryption operations, but it never stores your keys; you must supply the key with each request. This is the only option where the customer retains complete ownership and lifecycle management of the encryption keys, including rotation and deletion.

Exam trap

The trap here is that candidates often confuse SSE-KMS with full key control because KMS allows you to create and manage customer-managed keys, but SSE-C is the only option where you physically own and supply the key material yourself, and AWS never stores it.

How to eliminate wrong answers

Option A is wrong because Client-Side Encryption means you encrypt the data before sending it to S3, which gives you control over keys but does not use S3's server-side encryption at rest as specified in the question. Option C is wrong because SSE-S3 uses Amazon-managed keys where AWS handles all key management, rotation, and storage, giving you no control over the keys. Option D is wrong because SSE-KMS uses AWS KMS-managed keys; while you can create and manage customer-managed KMS keys, the key material is still stored and managed by AWS, and you cannot directly control the underlying key material or its lifecycle as you can with SSE-C.

259
MCQhard

A DevOps engineer is troubleshooting a failed AWS CodeBuild project. The build fails with an error indicating that the IAM role does not have permission to describe Amazon ECR repositories. The role used by CodeBuild has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:BatchGetImage"],"Resource":"*"}]}. What is the missing permission?

A.ecr:InitiateLayerUpload
B.ecr:GetRepositoryPolicy
C.ecr:ListImages
D.ecr:DescribeRepositories
AnswerD

The policy lacks the DescribeRepositories permission, which is required to list and describe repositories.

Why this answer

The policy allows several ECR actions but does not include 'ecr:DescribeRepositories'. The error specifically mentions 'describe' which is that action. The other actions are present.

260
MCQhard

A company uses AWS CloudFormation to manage infrastructure as code. The security team requires that all changes to CloudFormation stacks be reviewed and approved before execution. The team has enabled StackSets to deploy stacks across multiple accounts. A junior developer accidentally runs a stack update that modifies a production security group, opening SSH access to 0.0.0.0/0. The security team wants to prevent this type of incident in the future. They need a solution that enforces a mandatory approval workflow for all stack updates, while still allowing automated deployments from approved CI/CD pipelines. Which solution meets these requirements?

A.Use CloudFormation change sets and require that they be manually executed by a senior engineer.
B.Create an IAM policy that denies cloudformation:UpdateStack unless the request is made using a specific service role with a path /ci-cp/, and configure the CI/CD pipeline to assume that role.
C.Attach a resource-based policy to the stack that denies updates from any principal that does not have a specific tag.
D.Enable termination protection on all production stacks and require MFA for stack updates.
AnswerB

This enforces that only the CI/CD pipeline can perform updates, and the service role can be tightly controlled.

Why this answer

Option C is correct because using a service role with a specific path and condition in the IAM policy ensures that only approved CI/CD roles can assume the service role to perform stack operations. Additionally, using StackSets with approval workflows via Service Catalog or custom approval steps can enforce review. Option A is incorrect because enabling termination protection does not prevent updates.

Option B is incorrect because using a change set with manual approval is not automated and does not prevent the developer from using the same role to execute the change set without approval. Option D is incorrect because IAM policies cannot prevent a user from making changes directly; they can only allow or deny actions. A blanket deny would block all updates.

261
MCQmedium

A company is using AWS CodeBuild to build and test a Java application. The build process requires access to a private Maven repository hosted on an internal HTTPS server. The DevOps engineer has configured CodeBuild to use a VPC and placed the build environment in a private subnet. The security group for the build environment allows outbound HTTPS to the Maven repository's security group. The Maven repository server is in the same VPC but in a different private subnet. The build fails with a 'Connection refused' error when trying to download dependencies. The engineer checks the security group rules and confirms they are correct. What is the most likely cause?

A.The private DNS resolution is failing because the VPC does not have Route53 Resolver enabled.
B.The CodeBuild buildspec is using the wrong URL for the Maven repository.
C.The security group on the Maven repository server does not allow inbound HTTPS from the CodeBuild security group.
D.The network ACL on the private subnets is blocking outbound ephemeral ports.
AnswerC

Inbound rules are needed for the server to accept connections.

Why this answer

The Maven repository server likely has a security group that does not allow inbound HTTPS from the CodeBuild security group. The engineer only checked outbound rule on CodeBuild side, but need inbound rule on the server side. Option A is correct.

Option B is about Route53, not relevant. Option C is about NACL, which is stateless, but security group is stateful, so outbound rule alone is not enough. Option D is about the buildspec being incorrect, but the error is connection refused, which suggests network issue.

262
MCQmedium

A company is deploying a web application on AWS and needs to ensure that all traffic to the application is encrypted in transit. The application runs behind an Application Load Balancer (ALB). Which configuration should be used to enforce HTTPS-only access?

A.Configure the web server on the EC2 instances to only respond to HTTPS requests.
B.Create an HTTPS listener on the ALB and configure a redirect rule from HTTP to HTTPS.
C.Configure the security group of the ALB to only allow inbound HTTPS traffic.
D.Use AWS CloudFront with a custom SSL certificate and set the viewer protocol policy to Redirect HTTP to HTTPS.
AnswerB

This enforces HTTPS by redirecting all HTTP requests to HTTPS at the ALB level.

Why this answer

Option B is correct because the ALB can be configured with an HTTPS listener that redirects HTTP traffic to HTTPS, ensuring encrypted transit. Option A is wrong because security groups only control traffic at the instance level, not the ALB listener. Option C is wrong because CloudFront can enforce HTTPS but adds complexity and cost.

Option D is wrong because modifying the application code is not a scalable or secure approach compared to ALB-level enforcement.

263
MCQmedium

A company is using AWS KMS to encrypt sensitive data stored in Amazon S3. The security team wants to ensure that the KMS keys cannot be deleted accidentally. What should be done?

A.Enable deletion protection on the KMS key.
B.Set the key state to disabled.
C.Enable automatic key rotation.
D.Create a backup of the key material in AWS Secrets Manager.
AnswerA

Deletion protection prevents accidental deletion of the KMS key.

Why this answer

Option B is correct because enabling key rotation does not prevent deletion. Option C is correct because a backup of the key material does not prevent deletion. Option D is correct because disabling keys does not prevent deletion.

The correct approach is to enable deletion protection on the KMS key.

264
MCQmedium

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest and access should be limited to the security team. Which solution is MOST secure and scalable?

A.Use an IAM role in each account that grants write access to the central bucket, and use S3 default encryption.
B.Configure each account to write logs to its own S3 bucket, then replicate to a central bucket using S3 Cross-Region Replication.
C.Create a central S3 bucket with a bucket policy that requires encryption (aws:SecureTransport and SSE-KMS) and restricts access to a security team IAM role.
D.Use Amazon CloudWatch Logs in each account and export logs to a central S3 bucket using a Lambda function.
AnswerC

Bucket policies can enforce encryption and limit access, and KMS provides encryption at rest.

Why this answer

Using a centralized S3 bucket with KMS encryption and bucket policies that enforce encryption and limit access is the best approach. Option B is correct because it combines encryption with access control. Option A (separate buckets) is less scalable.

Option C (CloudWatch Logs) is not encrypted at rest by default and not centralized to S3. Option D (IAM with S3) can be complex and less secure than bucket policies.

265
MCQhard

A company uses AWS CodePipeline to deploy a web application. The pipeline uses artifacts stored in an S3 bucket. The Security team requires that all artifacts be encrypted in transit and at rest, and that the pipeline only access the bucket using a specific VPC endpoint. Which configuration meets these requirements?

A.Configure an IAM role for CodePipeline with a policy that allows s3:GetObject and s3:PutObject, and attach a bucket policy that allows only that role
B.Create a VPC endpoint for S3 and attach a bucket policy that denies access unless aws:SourceVpce matches the endpoint and aws:SecureTransport is true, and use S3 default encryption
C.Use an S3 bucket with a lifecycle policy to expire old artifacts
D.Enable S3 block public access and use SSE-S3 encryption on the bucket
AnswerB

The bucket policy enforces HTTPS and VPC endpoint, and default encryption ensures at-rest encryption.

Why this answer

To enforce encryption in transit and at rest and restrict to a VPC endpoint, you must configure a bucket policy that denies access unless the request uses HTTPS (for transit) and server-side encryption (for at rest), and aws:SourceVpce condition. IAM roles alone cannot enforce VPC endpoint restriction.

266
MCQeasy

A company wants to ensure that all API calls made within its AWS account are logged for auditing purposes. Which AWS service should be enabled to meet this requirement?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.VPC Flow Logs
AnswerB

CloudTrail records API calls for auditing.

Why this answer

AWS CloudTrail is the service that records API activity in an AWS account, making it the correct choice. Option B is incorrect because CloudWatch Logs is for log storage and monitoring, not for recording API calls. Option C is incorrect because AWS Config tracks resource configuration changes, not API calls.

Option D is incorrect because VPC Flow Logs capture network traffic, not API calls.

267
MCQmedium

A company requires that all access to their S3 buckets be encrypted in transit. Which configuration achieves this?

A.Use CloudFront with the bucket as origin and enforce HTTPS only between viewer and CloudFront.
B.Enable default encryption on the bucket.
C.Use a bucket policy that denies requests when aws:SecureTransport is false.
D.Set the bucket policy to require SSE-KMS.
AnswerC

Correctly enforces HTTPS by denying non-secure transport.

Why this answer

Option C is correct because using a bucket policy with a condition that denies requests when `aws:SecureTransport` is `false` explicitly enforces encryption in transit for all access to the S3 bucket. This policy ensures that any HTTP (non-TLS) request is denied, while HTTPS requests are allowed, meeting the requirement that all access be encrypted in transit.

Exam trap

The trap here is confusing encryption in transit with encryption at rest; candidates often pick options like default encryption or SSE-KMS, which only address data at rest, not the requirement for HTTPS enforcement.

How to eliminate wrong answers

Option A is wrong because it only enforces HTTPS between the viewer and CloudFront, but the connection between CloudFront and the S3 origin can still be HTTP unless an additional policy or setting enforces HTTPS there, leaving a gap in transit encryption. Option B is wrong because default encryption on the bucket only encrypts data at rest (server-side encryption), not in transit; it does not enforce HTTPS for client connections. Option D is wrong because requiring SSE-KMS enforces encryption at rest using AWS KMS keys, but it does not control whether the data is transmitted over HTTPS or HTTP; transit encryption is a separate concern.

268
MCQhard

A DevOps engineer applies the S3 bucket policy shown in the exhibit to enforce encryption and secure transport. After applying the policy, users report that they can still upload objects without encryption. What is the most likely cause?

A.The Null condition incorrectly allows uploads without encryption.
B.The bucket policy does not apply to cross-account uploads.
C.The first Deny statement only denies encryption types other than aws:kms, but allows encryption with AES256.
D.The bucket policy lacks an explicit Allow statement for s3:PutObject.
AnswerC

The condition StringNotEquals aws:kms does not deny AES256 because AES256 is not equal to aws:kms, so the Deny does not apply.

Why this answer

Option C is correct because the first Deny statement in the bucket policy uses a condition that checks if the `s3:x-amz-server-side-encryption` header is not equal to `aws:kms`. This means it only denies uploads that use encryption types other than `aws:kms`, such as `AES256` (SSE-S3) or no encryption. Since `AES256` is not `aws:kms`, the Deny does not trigger for SSE-S3 uploads, allowing them to proceed without the required KMS encryption.

Exam trap

AWS often tests the nuance that a `StringNotEquals` condition in a Deny statement only blocks the specified value, not all other values, leading candidates to mistakenly think the Deny covers all encryption types when it only covers the one explicitly listed.

How to eliminate wrong answers

Option A is wrong because the Null condition in the policy checks if the `s3:x-amz-server-side-encryption` header is absent (i.e., null), which correctly denies unencrypted uploads; it does not incorrectly allow them. Option B is wrong because S3 bucket policies apply to all principals, including cross-account uploads, unless explicitly scoped otherwise; the policy does not restrict the principal, so cross-account uploads are also subject to the same conditions. Option D is wrong because S3 bucket policies do not require an explicit Allow statement for `s3:PutObject`; the default effect of a Deny is to block, and the policy's Deny statements are sufficient to enforce encryption, but the logic flaw is in the condition, not the absence of an Allow.

269
MCQmedium

A company uses AWS CodeBuild to build and test code. The security team requires that all build artifacts be encrypted at rest. Which action should the DevOps engineer take to meet this requirement?

A.Create a customer-managed KMS key and specify it in the CodeBuild project's artifacts encryption settings.
B.Use an S3 bucket policy to deny write operations unless the request includes the x-amz-server-side-encryption header.
C.Enable default encryption on the S3 bucket used for CodeBuild artifacts.
D.Configure the CodeBuild project to use an encrypted EBS volume for the build environment.
AnswerC

Default encryption enforces SSE-S3 or SSE-KMS on all objects.

Why this answer

Option A is correct because CodeBuild stores artifacts in an S3 bucket; enabling default encryption on that bucket ensures all objects are encrypted. Option B is wrong because CodeBuild artifacts are stored in S3, not EBS. Option C is wrong because the artifact bucket is managed by the customer.

Option D is wrong although it could work, but enabling default encryption on the bucket is simpler and more direct.

270
MCQhard

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. Which configuration change is MOST likely to resolve the issue?

A.Increase the Lambda function timeout.
B.Increase the Lambda function memory.
C.Place the Lambda function in the same VPC as the RDS instance.
D.Configure the Lambda function to retry on failure.
AnswerA

A longer timeout can prevent timeout errors.

Why this answer

The Lambda function is timing out during the secret rotation process, which involves connecting to the RDS database, generating a new password, and updating the secret. Increasing the Lambda function timeout directly addresses the symptom by allowing more time for the rotation to complete, especially if the database response is slow or the network latency is high. This is the most direct fix for a timeout error, as the default Lambda timeout (3 seconds) is often insufficient for database operations.

Exam trap

The trap here is that candidates may confuse a timeout error with a connectivity error and incorrectly choose to place the Lambda in the same VPC, overlooking that the function must already be in the VPC to even attempt the rotation.

How to eliminate wrong answers

Option B is wrong because increasing memory can improve CPU performance but does not extend the maximum execution duration; timeout errors are resolved by increasing the timeout value, not memory. Option C is wrong because the Lambda function must already be in the same VPC as the RDS instance to connect to it; if it were not, the error would be a connection timeout or access denied, not a generic timeout. Option D is wrong because retrying on failure would only re-execute the same failing code, which would still timeout again; it does not address the root cause of insufficient execution time.

271
MCQmedium

A company is migrating a legacy application to AWS. The application requires a shared file system accessible from multiple EC2 instances. The compliance team mandates encryption at rest and in transit, with automatic key rotation. Which storage solution meets these requirements?

A.Amazon EFS with encryption at rest and in transit
B.Amazon S3 with server-side encryption
C.Amazon EBS with encryption enabled
D.Amazon FSx for Windows File Server with encryption
AnswerA

EFS provides a shared file system with encryption at rest (KMS) and in transit, and supports automatic key rotation via KMS.

Why this answer

EFS supports encryption at rest with AWS KMS and encryption in transit via TLS, and can enable automatic key rotation by using a KMS key with automatic rotation. S3 is object storage, not a shared file system. FSx for Windows File Server requires manual key rotation.

EBS is block storage, not shared.

272
MCQhard

A company has a Lambda function that processes sensitive data and needs to access an RDS database. The security team requires that the database credentials are automatically rotated every 30 days. Which service should be used to store and rotate the credentials?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon DynamoDB
D.AWS IAM roles
AnswerA

Secrets Manager provides automatic rotation of credentials.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate database credentials for services like RDS. It supports native, built-in rotation for Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB) without requiring custom Lambda functions. The automatic rotation can be scheduled at a desired interval (e.g., every 30 days) using a rotation schedule defined in the secret's configuration, and it integrates directly with RDS to update the credentials on both the secret and the database.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation and RDS integration, making it unsuitable for the 30-day rotation requirement.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of credentials; it is a hierarchical store for configuration data and secrets but requires custom automation (e.g., a Lambda function) to rotate values, and it lacks native integration with RDS for credential rotation. Option C is wrong because Amazon DynamoDB is a NoSQL database service, not a secrets management service; it cannot natively store or rotate credentials, and using it would require building custom encryption and rotation logic, violating the security team's requirement for automated rotation. Option D is wrong because AWS IAM roles are used to grant permissions to AWS resources (e.g., Lambda to access RDS) but cannot store or rotate database credentials; IAM roles provide temporary credentials for AWS API calls, not for database user passwords, and RDS database authentication via IAM is possible but does not involve storing or rotating static credentials.

273
Drag & Dropmedium

Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First upload the nested stack template, then create the parent template, then validate, then create stack, then monitor.

274
MCQhard

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts are encrypted with AES-256 (SSE-S3) and that public access is blocked. The team wants to use a preventive control that automatically remediates non-compliant buckets. Which solution should the security team implement?

A.Create a Service Control Policy (SCP) that denies s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption if the bucket is not configured correctly.
B.Enable CloudTrail to log all S3 API calls and set up a CloudWatch Events rule to notify the security team.
C.Use AWS Identity and Access Management (IAM) policies to deny access to S3 buckets that do not have encryption enabled.
D.Use AWS Config rules to detect non-compliant buckets and trigger a Lambda function to remediate.
AnswerA

SCPs are preventive controls that block non-compliant actions before they happen.

Why this answer

Option C is correct because an SCP can deny actions that create or modify buckets without encryption or with public access enabled. This is a preventive control that applies to all accounts in the organization. Option A is incorrect because AWS Config rules are detective, not preventive; they can trigger auto-remediation but after the fact.

Option B is incorrect because CloudTrail is for logging, not enforcement. Option D is incorrect because Service Control Policies can only be applied to accounts or OUs, not to resources directly; but they can deny the bucket creation/modification actions.

275
MCQeasy

Refer to the exhibit. A DevOps engineer attaches the IAM policy to an IAM user. The user reports being unable to download objects from the S3 bucket. What is the likely cause?

A.The bucket policy denies access to the user
B.The policy is malformed because the Resource element is incorrect
C.The policy does not allow s3:ListBucket, which is required for the AWS CLI to list objects
D.The user's access key is expired
AnswerC

Many CLI commands like 'aws s3 cp' require ListBucket to list objects first.

Why this answer

The policy only allows s3:GetObject, but the user may be trying to list objects or access a bucket that requires additional permissions. Option A is wrong because the policy allows GetObject. Option B is wrong because the policy is not malformed.

Option D is wrong because the user is allowed to access the bucket.

276
MCQhard

A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer (ALB). The application uses an RDS MySQL database. The security team performed a penetration test and discovered that the application is vulnerable to SQL injection. The development team has deployed a WAF web ACL to the ALB that includes rules to block SQL injection attacks. However, after the deployment, the application started returning 403 errors for legitimate requests, and the security team needs to investigate. The team also wants to ensure that only approved AWS services can access the RDS database. The current security groups are configured with a rule that allows inbound traffic from the ALB security group to the RDS database on port 3306. Which combination of actions should the security team take to resolve the issue and improve the security posture?

A.Disable the WAF rules that are causing false positives and add network ACLs to block all traffic to the database except from the ALB.
B.Remove the WAF web ACL and rely on security group ingress rules that allow all traffic from the VPC CIDR to the database.
C.Switch the WAF web ACL to count mode and add a second ALB in front of the database to filter traffic.
D.Switch the WAF web ACL to count mode while tuning the rules, and implement an IAM policy to restrict database access to specific AWS services using the aws:SourceArn condition key.
AnswerD

Count mode allows safe tuning; IAM policies can restrict access to the database from approved services.

Why this answer

Option C is correct because counting mode allows the team to see which requests would be blocked without actually blocking them, allowing fine-tuning of the WAF rules. Also, using an IAM policy with condition keys to restrict access to the database from only approved services (like Lambda or specific EC2 instances) adds a layer of defense. Option A is incorrect because disabling the WAF rule is not a security best practice; it would leave the application vulnerable.

Option B is incorrect because adding a second ALB does not solve the problem and increases complexity. Option D is incorrect because allowing all traffic to the database from the VPC defeats the purpose of security groups and increases the attack surface.

277
MCQhard

A company runs a production application on Amazon ECS with Fargate launch type. The application uses an RDS MySQL database. The security team requires that all traffic between the application and the database be encrypted in transit. Currently, the database security group allows inbound traffic from the ECS tasks' security group on port 3306 (MySQL). The application uses the standard MySQL client connection without SSL. After enabling SSL on the RDS instance, the application starts failing to connect. The error logs show 'SSL connection error: protocol version mismatch'. The application runs on a custom Docker image based on Amazon Linux 2. The DevOps engineer needs to fix the connection issue. Which course of action should the engineer take?

A.Update the Docker image to include the latest MySQL client libraries that support TLS 1.2.
B.Update the application code to connect using SSL with the --ssl-mode=REQUIRED flag.
C.Modify the RDS parameter group to allow TLS 1.0 and 1.1.
D.Create a VPC peering connection and route traffic through a VPN.
AnswerA

Fixes the protocol version mismatch by using a client that supports required TLS version.

Why this answer

The error indicates that the MySQL client in the container does not support the TLS version required by RDS. The simplest solution is to modify the application connection string to use the '--ssl-mode=REQUIRED' flag or equivalent, but the error persists even after that. The actual fix is to update the MySQL client libraries in the container image to a version that supports TLS 1.2, as RDS requires TLS 1.2 or higher.

Alternatively, the engineer can configure RDS to accept TLS 1.0, but that is not secure. Changing the security group or using SSH tunneling does not address the TLS version mismatch.

278
Multi-Selectmedium

A company needs to ensure that an EC2 instance can only be launched using a specific Amazon Machine Image (AMI) that has been approved by the security team. Which TWO actions should be taken?

Select 2 answers
A.Tag the approved AMI and use resource-based policies to allow only tagged AMIs.
B.Create an IAM policy that denies ec2:RunInstances unless the AMI ID matches the approved AMI.
C.Use an AWS Organizations service control policy (SCP) to restrict AMI usage across accounts.
D.Create an AWS Config rule to check that EC2 instances are launched from the approved AMI.
E.Enable CloudTrail to log all EC2 RunInstances calls and alert on unapproved AMIs.
AnswersB, C

IAM policy can conditionally allow or deny actions based on AMI ID.

Why this answer

Option B is correct because an IAM policy with a condition for ec2:Owner or ec2:ImageId can restrict which AMIs can be used. Option C is correct because an SCP in AWS Organizations can enforce this across accounts. Option A is wrong because Config rules only detect non-compliance, not prevent.

Option D is wrong because tagging does not enforce AMI usage. Option E is wrong because CloudTrail is for logging.

279
MCQhard

A company's security team suspects that an attacker has compromised an IAM user's access keys. The keys were used to launch instances in an unauthorized region. What is the FASTEST way to mitigate the threat?

A.Delete the IAM user.
B.Change the IAM user's password.
C.Rotate the access keys immediately.
D.Attach an AWS WAF to block the attacker's IP address.
AnswerC

Rotating keys invalidates the old keys and stops unauthorized use.

Why this answer

Rotating the access keys immediately invalidates the compromised keys, preventing further unauthorized use without disrupting the IAM user's other permissions or requiring a full user recreation. This is the fastest mitigation because it directly revokes the attacker's access while allowing the legitimate user to continue using new keys after rotation.

Exam trap

The trap here is that candidates confuse password changes (console access) with access key rotation (programmatic access), or they overcorrect by deleting the entire user instead of simply rotating the compromised keys.

How to eliminate wrong answers

Option A is wrong because deleting the IAM user is an overly drastic measure that removes all permissions and associated resources, causing unnecessary downtime and operational overhead; it is not the fastest way to stop key-based access. Option B is wrong because changing the IAM user's password only affects console login credentials, not access keys, so it does nothing to mitigate the threat from compromised programmatic keys. Option D is wrong because AWS WAF is a web application firewall that operates at the application layer (HTTP/HTTPS) and cannot block IAM access key usage, which occurs at the AWS API level via Signature Version 4 signing.

280
MCQeasy

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed AWS KMS key. The team has enabled encryption on the CloudWatch Logs log group using a KMS key. However, after enabling encryption, the application fails to write logs to the log group. The application uses an IAM role that has the following permissions: logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Which additional permission does the application need?

A.kms:Encrypt
B.kms:GenerateDataKey
C.kms:CreateGrant
D.kms:Decrypt
AnswerA

The role needs encrypt permission to write to the encrypted log group.

Why this answer

Option A is correct because to write to an encrypted log group, the IAM role needs kms:Encrypt permission for the KMS key. Option B is incorrect because kms:Decrypt is for reading, not writing. Option C is incorrect because kms:GenerateDataKey is used for envelope encryption, but CloudWatch Logs encryption uses direct encryption.

Option D is incorrect because kms:CreateGrant is used to grant access to a key, not to write logs.

281
MCQeasy

A DevOps engineer must ensure that all API calls in an AWS account are logged for compliance. The logs should be stored in an S3 bucket with server-side encryption enabled. Which two services should be used together to meet these requirements?

A.AWS CloudTrail and Amazon CloudWatch Logs
B.AWS CloudTrail and Amazon S3
C.Amazon VPC Flow Logs and Amazon S3
D.AWS Config and AWS CloudTrail
AnswerB

CloudTrail logs API calls and delivers to S3, which supports server-side encryption.

Why this answer

Option C is correct because AWS CloudTrail logs API calls and can deliver logs to an S3 bucket. S3 server-side encryption can be enabled on the bucket. Option A: Config records resource changes, not API calls.

Option B: CloudWatch Logs can store logs but not automatically encrypt; also not the primary service for API logging. Option D: VPC Flow Logs capture network traffic, not API calls.

282
MCQhard

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet that needs to download patches from the internet. Which solution is MOST secure and scalable?

A.Create a NAT Gateway in a public subnet and update the private route table.
B.Launch a proxy server in a public subnet and route traffic through it.
C.Assign an Elastic IP to the instance in the private subnet.
D.Use a VPC endpoint to the Amazon Linux repository.
AnswerA

Secure and scalable outbound internet access.

Why this answer

Option C is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet and receive responses, without allowing inbound traffic. Option A is wrong because a public subnet exposes the instance to inbound traffic. Option B is wrong because a proxy server is less scalable and requires management.

Option D is wrong because a VPC endpoint is for AWS services, not general internet.

283
MCQeasy

A developer needs to allow an EC2 instance to read from an S3 bucket. Which is the most secure way to grant this access?

A.Use the root user credentials of the AWS account.
B.Store AWS access keys in the instance's user data and use them in the application.
C.Create an S3 bucket policy that allows the EC2 instance's public IP address.
D.Create an IAM role with an S3 read policy and attach it to the EC2 instance profile.
AnswerD

This is the best practice for granting permissions to AWS services.

Why this answer

Option A is correct because an IAM role attached to the EC2 instance allows temporary credentials without hardcoding keys. Option B is wrong because storing keys in the instance is insecure. Option C is wrong because root credentials are highly privileged and should never be used.

Option D is wrong because resource-based policies on S3 can grant access to IAM roles, but the role must still be attached to the instance.

284
Multi-Selecthard

A security audit reveals that an S3 bucket contains objects that are publicly accessible. The DevOps engineer must prevent any future public access to the bucket and all objects within it. Which THREE actions should the engineer take? (Choose THREE.)

Select 3 answers
A.Enable Block Public Access settings on the bucket.
B.Disable object ACLs on the bucket.
C.Remove any bucket policy that grants public read access.
D.Apply an SCP that denies s3:PutBucketPolicy that would make objects public.
E.Enable S3 server access logging.
AnswersA, C, D

Prevents any future public access at bucket level.

Why this answer

Option A is correct because blocking public access at the bucket level prevents future public access. Option B is correct because using an SCP can enforce no public access for all accounts. Option C is correct because removing the bucket policy that grants public access is necessary.

Option D is wrong because ACLs are not the only method; bucket policy can also grant public access. Option E is wrong because enabling server access logging does not affect public access.

285
MCQhard

A company needs to audit all changes to security groups in a multi-account environment. The logs must be centrally stored and immutable. Which solution meets these requirements with minimal operational overhead?

A.Enable VPC Flow Logs in each VPC and aggregate them in Amazon CloudWatch Logs
B.Enable AWS CloudTrail in all accounts, deliver logs to a central S3 bucket with S3 Object Lock enabled
C.Enable Amazon GuardDuty and send findings to a central S3 bucket
D.Enable AWS Config rules to detect security group changes and store results in a central S3 bucket
AnswerB

CloudTrail captures API calls and S3 Object Lock provides immutability.

Why this answer

AWS CloudTrail logs all API calls, including security group changes. Sending CloudTrail logs from all accounts to a central S3 bucket with Object Lock enabled ensures immutability. Option A is correct.

Option B (AWS Config) records state changes but not API calls. Option C (VPC Flow Logs) logs network traffic, not security group changes. Option D (Amazon GuardDuty) is for threat detection.

286
Multi-Selecteasy

Which TWO actions can help protect an AWS account's root user? (Choose TWO.)

Select 2 answers
A.Do not create access keys for the root user; use IAM users instead
B.Delete the root user after creating administrative IAM users
C.Enable multi-factor authentication (MFA) on the root user
D.Rotate the root user password every 30 days
E.Change the root user's email address to a group email
AnswersA, C

Avoid using root user for programmatic access.

Why this answer

Option A is correct: enable MFA on the root user. Option B is correct: avoid using root user for daily tasks. Option C is wrong: root user credentials cannot be rotated automatically.

Option D is wrong: root user cannot be deleted. Option E is wrong: root user email can't be changed easily and is not a security best practice.

287
MCQeasy

A DevOps engineer needs to grant an IAM user temporary access to an S3 bucket for exactly one hour. Which AWS service should be used to generate temporary credentials?

A.Amazon Cognito
B.AWS SSO
C.AWS STS
D.AWS IAM
AnswerC

STS generates temporary credentials with a specified duration.

Why this answer

AWS STS (Security Token Service) is used to generate temporary, limited-privilege credentials for IAM users or federated users. IAM roles provide temporary credentials but are assumed, not generated for a specific user. Cognito is for identity federation with mobile/web apps.

SSO provides single sign-on access.

288
MCQeasy

A company is using Amazon RDS for MySQL and needs to encrypt the database at rest. Which action should be taken to enable encryption?

A.Create a read replica with encryption enabled
B.Use AWS Secrets Manager to encrypt the data
C.Enable encryption when creating the DB instance
D.Modify the existing DB instance and enable encryption
AnswerC

Encryption at rest must be enabled during creation.

Why this answer

Encryption at rest for RDS can only be enabled at creation time. Option B is wrong because encryption cannot be added later. Option C is wrong because enabling encryption on an existing instance is not supported.

Option D is wrong because client-side encryption is not native and requires application changes.

← PreviousPage 4 of 4 · 288 questions total

Ready to test yourself?

Try a timed practice session using only Security and Compliance questions.