CCNA Security Compliance Questions

75 of 288 questions · Page 1/4 · Security Compliance topic

Question 1 (MCQ, hard)

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?

A. Share the encrypted snapshot without modifying the KMS key policy.
B. Create an unencrypted copy of the snapshot and share it.
C. Share the encrypted snapshot and also share the KMS key with the target account.
D. Share the encrypted snapshot and update the KMS key policy to allow the target account to use the key.
Answer: D

Target account can then create encrypted volumes from the snapshot.

Why this answer

Option D is correct because sharing an encrypted EBS snapshot requires the KMS key policy to grant the target account permission to use the key (via kms:Decrypt and kms:CreateGrant). Without this, the target account cannot decrypt the snapshot to create volumes or copies. AWS KMS enforces that the key policy explicitly allows cross-account access, and the target account must have the corresponding IAM permissions.

Exam trap

The trap here is that candidates often confuse sharing the KMS key itself (which is impossible) with updating the key policy to grant cross-account usage, leading them to select Option C.

How to eliminate wrong answers

Option A is wrong because sharing an encrypted snapshot without modifying the KMS key policy denies the target account the ability to decrypt the snapshot, making it unusable. Option B is wrong because creating an unencrypted copy of an encrypted snapshot would expose the underlying data in plaintext, violating the security requirement. Option C is wrong because sharing the KMS key with the target account is not a supported operation; KMS keys cannot be shared or transferred; instead, you must update the key policy to grant cross-account usage permissions.

Question 2 (MCQ, easy)

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation function is failing with a permission error. Which IAM policy should be attached to the Lambda execution role to allow Secrets Manager to invoke the rotation function?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"lambda:*","Resource":"*"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"lambda:InvokeFunction","Resource":"*"}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:*","Resource":"*"}]}
Answer: C

Allows Secrets Manager to invoke the Lambda function.

Why this answer

Option C is correct because Secrets Manager needs permission to invoke the Lambda function, and lambda:InvokeFunction grants exactly that. Option A is wrong because it grants S3 access, which is unrelated to invoking the rotation function. Option B is wrong because it grants full Lambda access (lambda:*), which is excessive. Option D is wrong because it grants Secrets Manager access, not function invocation.

Question 3 (MCQ, medium)

A company runs a production application on EC2 instances behind an Application Load Balancer (ALB). The application handles sensitive data. The Security team wants to encrypt all traffic between the ALB and the EC2 instances using TLS. They have created a self-signed certificate on each instance. However, the ALB health checks are failing with a 502 error. The instances are healthy when accessed directly via SSH. What is the MOST likely cause?

A. The target group health check is configured to use HTTPS, but the self-signed certificate is not trusted by the ALB
B. The EC2 instances are not configured with a certificate that matches the ALB's domain name
C. The ALB is configured to use a different TLS protocol version than the instances
D. The security groups on the EC2 instances do not allow inbound traffic from the ALB
Answer: A

ALB does not trust self-signed certificates by default, causing health checks to fail.

Why this answer

ALB health checks use HTTPS with a certificate that must be trusted by the target group. Self-signed certificates are not trusted by default. Option A directly addresses this.

Option C would cause connection issues but not specifically health-check failures. Option B could cause failures if the name mismatched, but self-signed certificates generally don't cause that. Option D is about instance security groups, not TLS.

Question 4 (Multi-Select, medium)

A company uses AWS CodeBuild to build and test code. The build jobs need to access a private S3 bucket to download dependencies. Which THREE steps are required to securely grant access?

Select 3 answers
A. Configure the S3 bucket policy to allow access from the CodeBuild service principal
B. Set up a VPC endpoint for S3
C. Create an IAM role with a policy that allows s3:GetObject on the bucket
D. Create a KMS key and grant CodeBuild access to it
E. Attach the IAM role to the CodeBuild project in the service role field
Answers: A, C, E

The bucket policy must explicitly allow the role to access the bucket, unless the role has cross-account permissions.

Why this answer

To grant CodeBuild access to an S3 bucket, you need an IAM role that allows the required actions, you must attach it to the CodeBuild project as its service role, and you must ensure the bucket policy allows the role. A KMS key is not required if SSE-S3 is used. A VPC endpoint is optional.

Question 5 (MCQ, easy)

A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?

A. VPC Flow Logs
B. AWS Config
C. Amazon CloudWatch Logs
D. AWS CloudTrail
Answer: D

CloudTrail records all AWS API calls and can deliver logs to S3 for long-term retention.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS, including the identity, source IP, and timestamp, and can deliver log files to an S3 bucket for long-term retention. The requirement to store logs for at least 7 years aligns with CloudTrail's ability to integrate with S3 lifecycle policies for archival or deletion after a specified period.

Exam trap

The trap here is that candidates often confuse CloudTrail with CloudWatch Logs or AWS Config, thinking that any logging service can capture API calls, but only CloudTrail is designed specifically for auditing AWS API activity.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) for VPCs, not API calls to AWS services. Option B is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not log API calls. Option C is wrong because Amazon CloudWatch Logs is designed for real-time monitoring and log storage from applications and AWS services, but it is not the primary service for auditing AWS API calls; CloudTrail is the dedicated service for that purpose.

Question 6 (MCQ, hard)

A company wants to enforce that S3 buckets are not publicly accessible. Which AWS service can continuously monitor and automatically remediate non-compliant buckets?

A. AWS Config
B. Amazon Macie
C. AWS Security Hub
D. AWS Trusted Advisor
Answer: A

Config can evaluate rules and trigger remediation actions.

Why this answer

AWS Config with managed rules can evaluate bucket policies and use automatic remediation via Systems Manager Automation. Option A is correct.

Question 7 (MCQ, easy)

A company uses AWS Secrets Manager to store database credentials for a legacy application running on an on-premises server. The application retrieves the secret via the AWS SDK. Recently, the database password was rotated in Secrets Manager, but the application continued to use the old password and failed to connect. The application code is correct and uses the latest SDK. The IAM role attached to the server has the secretsmanager:GetSecretValue permission. What is the MOST likely cause?

A. The IAM role does not have permission to list secrets
B. The application is using the wrong secret ID
C. The secret rotation Lambda function is failing
D. The application is caching the secret and not refreshing it after rotation
Answer: D

Secrets Manager SDK caches credentials by default; the application may need to force refresh or wait for cache expiry.

Why this answer

If the secret is rotated, the application may still have the old version cached. By default, Secrets Manager caches credentials for a certain period. Option D is the most likely cause.

Option A is unrelated to rotation. Option B would cause immediate failure. Option C is wrong because the question states the password was successfully rotated.

Question 8 (Multi-Select, medium)

Which TWO actions can be taken to protect an S3 bucket from being publicly accessible? (Select TWO.)

Select 2 answers
A. Use an SCP to deny s3:PutBucketPolicy.
B. Enable default encryption on the bucket.
C. Enable S3 Block Public Access settings on the bucket.
D. Enable MFA Delete on the bucket.
E. Use CloudFront to serve the bucket content.
Answers: A, C

Prevents users from setting a public bucket policy.

Why this answer

Option A is correct because an SCP (Service Control Policy) can explicitly deny the s3:PutBucketPolicy action at the AWS Organizations level, which prevents any IAM principal in affected accounts from attaching a public bucket policy. This is a preventive guardrail that overrides any permissive IAM permissions, ensuring the bucket cannot be made publicly accessible via policy statements.

Exam trap

The trap here is that candidates often confuse security features like encryption or MFA Delete with access control mechanisms, failing to recognize that only explicit policy restrictions (SCP or Block Public Access) can prevent public accessibility.

Question 9 (MCQ, hard)

Refer to the exhibit. The S3 bucket policy is applied to a bucket. An application attempts to upload an object to the bucket using HTTP (not HTTPS). What will happen?

A. The upload fails because the condition matches HTTP requests
B. The upload succeeds if the bucket also has an allow policy for the user
C. The upload succeeds because there is no explicit allow statement
D. The upload fails because the bucket policy does not allow any access
Answer: A

Deny applies when SecureTransport is false.

Why this answer

The policy denies all S3 actions when aws:SecureTransport is false (i.e., the request uses HTTP). Option B is wrong because an explicit deny overrides any allow. Option C is wrong because the condition matches HTTP requests, so the deny applies whether or not an allow statement exists.

Option D is wrong because the policy denies only HTTP requests, not all access.

Question 10 (Matching, medium)

Match each AWS security and identity service to its function.


Descriptions

Manages users, groups, roles, and permissions

Creates and manages encryption keys

Rotates and manages secrets like database credentials

DDoS protection service

Web application firewall

Why these pairings

These are key services for security and access control.

Question 11 (MCQ, hard)

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance with the tag 'Environment=production' in us-east-1. What will happen?

A. The action is denied because the Deny statement explicitly denies the action for production instances.
B. The action is allowed because there is no explicit Deny for the user.
C. The action is denied only if the instance is in the us-east-1 region.
D. The action is allowed because the Allow statement grants ec2:TerminateInstances.
Answer: A

Explicit Deny wins.

Why this answer

Option A is correct because the Deny statement explicitly denies ec2:TerminateInstances for instances tagged Environment=production, regardless of any Allow. Option B is wrong because the Deny is explicit. Option C is wrong because the Deny applies to all instances with that tag, not only those in us-east-1.

Option D is wrong because an explicit Deny overrides the Allow.

Question 12 (MCQ, medium)

A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?

A. Configure the Lambda function to use HTTPS when calling S3, and add a bucket policy that requires the x-amz-server-side-encryption-aws-kms-key-id header to match the specific KMS key.
B. Configure the Lambda function to use a VPC endpoint for S3, and update the bucket policy to deny requests that do not use TLS 1.2.
C. Enable default encryption on the S3 bucket using the specific KMS key, and update the Lambda function to use the AWS SDK's default client, which uses HTTPS.
D. Place a CloudFront distribution in front of the S3 bucket, and configure the Lambda function to access S3 through CloudFront using HTTPS.
Answer: A

HTTPS ensures encryption in transit; bucket policy with condition on KMS key ensures objects are encrypted with the specified key.

Why this answer

Option A is correct because configuring the S3 client to use HTTPS with TLS 1.2 ensures encryption in transit, and a bucket policy with a condition requiring the specific KMS key restricts access to objects encrypted with that key. Option B is incorrect because S3 VPC endpoints do not enforce a TLS version; they use AWS PrivateLink for private connectivity only.

Option C is incorrect because enabling default encryption does not enforce TLS 1.2 for connections. Option D is incorrect because CloudFront does not enforce TLS 1.2 by default and adds complexity.

Question 13 (MCQ, medium)

A DevOps engineer needs to securely store and automatically rotate database credentials for a web application running on Amazon ECS. Which solution should be used?

A. Use AWS KMS to generate and rotate a data key for encrypting the credentials in a file on ECS.
B. Store the credentials in AWS Systems Manager Parameter Store as a SecureString. Use a Lambda function to rotate them.
C. Store the credentials in AWS Secrets Manager and configure rotation. Grant the ECS task IAM role permission to retrieve the secret.
D. Use AWS Certificate Manager to store the credentials as a certificate.
Answer: C

Secrets Manager supports automatic rotation and ECS can retrieve secrets.

Why this answer

AWS Secrets Manager can store database credentials and automatically rotate them on a schedule. The ECS task retrieves the credentials through its task IAM role. Option C is correct.

Option B (SSM Parameter Store) can store secrets but does not support automatic rotation. Option A (AWS KMS) is for encryption keys, not credential rotation. Option D (AWS Certificate Manager) is for SSL/TLS certificates.

Question 14 (Multi-Select, hard)

Which THREE are features of AWS Key Management Service (KMS) that help with compliance requirements? (Choose 3)

Select 3 answers
A. Automatic password generation for databases.
B. Automatic key rotation every year (optional).
C. Key policies to control access to keys.
D. Integration with AWS CloudTrail for auditing key usage.
E. Automatic deletion of keys after a specified period.
Answers: B, C, D

Automated rotation helps meet compliance requirements for cryptographic key lifecycle.

Why this answer

Option B is correct because AWS KMS supports optional automatic annual key rotation for customer managed keys. This helps meet compliance frameworks (e.g., PCI DSS, SOC, HIPAA) that require periodic cryptographic key rotation to limit the amount of data encrypted under a single key. When enabled, KMS automatically rotates the key material once per year, creating a new backing key while retaining the old one for decryption of previously encrypted data.

Exam trap

The trap here is that candidates confuse KMS key rotation with the automatic deletion or expiry of keys, or they mistakenly associate KMS with password generation features that belong to other AWS services like Secrets Manager.

Question 15 (MCQ, medium)

A DevOps engineer needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption key be managed by AWS and rotated automatically. Which encryption option should be used?

A. Server-side encryption with customer-provided keys (SSE-C)
B. Server-side encryption with AWS KMS managed keys (SSE-KMS) using a customer-managed key
C. Client-side encryption with an AWS KMS managed key
D. Server-side encryption with Amazon S3 managed keys (SSE-S3)
Answer: D

SSE-S3 uses AWS-managed keys with automatic rotation.

Why this answer

SSE-S3 uses AWS-managed keys and automatically rotates them, meeting the requirement. Option A (SSE-C) requires customer-managed keys and no automatic rotation. Option B (SSE-KMS with customer-managed key) does not automatically rotate unless configured.

Option C (client-side encryption) does not use AWS-managed keys.

Question 16 (MCQ, medium)

A company wants to centralize IAM user management across multiple AWS accounts. The company currently uses individual IAM users in each account. What is the BEST practice for centralized access control?

A. Use AWS Organizations and AWS IAM Identity Center (AWS SSO) to manage users centrally.
B. Create the same IAM users in each account with identical permissions.
C. Create IAM roles in each account and allow cross-account access from a central account.
D. Use IAM federation with an external identity provider and assign permissions based on SAML attributes.
Answer: A

IAM Identity Center provides centralized user management and SSO.

Why this answer

Option A is correct because AWS Organizations with IAM Identity Center allows centralized user management and single sign-on. Option B is wrong because IAM users cannot be shared across accounts, and duplicating them in every account is not centralized management. Option C is wrong because cross-account roles still require individual user management in the central account.

Option D is wrong because federation alone does not centralize user management.

Question 17 (Multi-Select, medium)

A company is designing a secure CI/CD pipeline. Which TWO actions should be taken to protect secrets (e.g., API keys) used in the pipeline? (Choose TWO.)

Select 2 answers
A. Encrypt secrets with AWS KMS and store the encrypted value in the source code
B. Store secrets in AWS Secrets Manager
C. Use IAM roles to grant the CI/CD service access to secrets
D. Store secrets in plaintext in the buildspec file
E. Pass secrets as environment variables in the build
Answers: B, C

Secrets Manager provides secure storage and rotation.

Why this answer

AWS Secrets Manager stores and rotates secrets securely. IAM roles should be used to grant access to secrets without hardcoding. Storing secrets in buildspec or environment variables is insecure.

Using KMS to encrypt secrets is good, but the question asks for TWO best practices: using Secrets Manager and IAM roles.

Question 18 (Multi-Select, hard)

A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)

Select 3 answers
A. Enable AWS CloudTrail and Amazon ECS logs to capture all API calls and container logs.
B. Store database credentials in AWS Systems Manager Parameter Store.
C. Use VPC endpoints to access ECS and ECR APIs.
D. Enable ECS task definition encryption using AWS KMS for environment variables and sensitive data.
E. Configure an Application Load Balancer (ALB) with an HTTPS listener using an SSL/TLS certificate.
Answers: A, D, E

Logging is required for auditing access.

Why this answer

Option A is correct because AWS CloudTrail captures all API calls to the AWS environment, providing an audit trail of who accessed what and when, which is required for PCI DSS logging. Amazon ECS logs (via CloudWatch Logs or FireLens) capture container-level access and application logs, ensuring comprehensive logging of all access to the application and underlying infrastructure.

Exam trap

The trap here is that candidates often confuse security best practices (like storing secrets in Parameter Store or using VPC endpoints) with mandatory compliance actions for encryption and logging, leading them to select options that are helpful but not directly required by PCI DSS for the specific three actions.

Question 19 (MCQ, hard)

A company's security team notices that an IAM user has permissions to terminate EC2 instances but should only be allowed to stop them. The current policy allows ec2:TerminateInstances. What is the most secure way to prevent termination while allowing stop?

A. Use an SCP to deny ec2:TerminateInstances for the entire account.
B. Modify the existing policy to include ec2:StopInstances and remove ec2:TerminateInstances.
C. Add a Deny statement for ec2:TerminateInstances with a condition for the user's ARN.
D. Attach a separate managed policy that denies ec2:TerminateInstances to the user.
Answer: C

Explicitly denies termination for that user while allowing stop via other policies.

Why this answer

Option C is correct because adding a Deny for ec2:TerminateInstances with a condition for the specific user explicitly blocks the action. Option B is wrong because changing the policy to allow ec2:StopInstances without an explicit Deny on ec2:TerminateInstances still leaves termination reachable through other allows. Option A is wrong because a service control policy (SCP) can also deny, but it is less targeted.

Option D is wrong because attaching a separate Deny policy to the user is effective, but a Deny in the same policy is simpler.

Question 20 (MCQ, medium)

A DevOps engineer is designing a CI/CD pipeline that deploys to production. The security team mandates that all code changes must be reviewed and signed off by two senior developers before deployment. How can this be enforced?

A. Use CloudWatch Events to trigger a manual approval step in CodePipeline.
B. Restrict push access to the production branch to only the two senior developers.
C. Use AWS Lambda to send a notification when a change is pushed.
D. Set up a pull request approval rule in CodeCommit requiring two approvals.
Answer: D

Enforces code review and approval before merging.

Why this answer

Option D is correct because CodeCommit's pull request approval rules allow you to require a specific number of approvals before a pull request can be merged. By configuring an approval rule template that requires two approvals from senior developers, you enforce the mandatory code review and sign-off before any change is merged into the production branch, which then triggers the CI/CD pipeline.

Exam trap

The trap here is that candidates often confuse deployment-stage approvals (like CodePipeline manual approval) with pre-merge code review approvals, failing to recognize that the security requirement must be enforced at the source code repository level before the pipeline even starts.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events can trigger a manual approval step in CodePipeline, but this only enforces approval at the deployment stage, not the code review and sign-off requirement before the change is even merged into the production branch. Option B is wrong because restricting push access to only two senior developers does not enforce a mandatory two-person review process; a single developer could still push directly without any review. Option C is wrong because using Lambda to send a notification when a change is pushed does not enforce any approval or review requirement; it merely informs stakeholders without blocking the change.

Question 21 (Multi-Select, medium)

Which TWO actions should a DevOps engineer take to secure an AWS account root user? (Choose 2.)

Select 2 answers
A. Share the root user password with the team.
B. Create an IAM role for the root user.
C. Delete or disable the root user access keys.
D. Use the root user for daily administrative tasks.
E. Enable multi-factor authentication (MFA) for the root user.
Answers: C, E

Root user access keys should be avoided.

Why this answer

Enabling MFA and deleting or disabling access keys for the root user are best practices. Options C and E are correct.

Question 22 (MCQ, easy)

A company wants to centrally manage and audit access to AWS KMS keys across multiple accounts. Which AWS feature should be used?

A. AWS Config aggregated rules
B. Cross-account IAM roles
C. AWS CloudTrail with organization trail
D. AWS Organizations tag policies
Answer: C

Organization trails aggregate logs from all accounts.

Why this answer

AWS CloudTrail can log KMS key usage across accounts, and an organization trail aggregates those logs in a central account. Option C is correct. Option B (cross-account IAM roles) is per-account and does not audit usage.

Option A (AWS Config) does not audit key usage. Option D (AWS Organizations tag policies) does not audit.

Question 23 (MCQ, hard)

A DevOps engineer needs to ensure that an S3 bucket policy enforces encryption in transit for all access. Which policy statement should be added?

A. {"Effect":"Deny","Condition":{"StringEquals":{"aws:SecureTransport":"true"}}}
B. {"Effect":"Allow","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
C. {"Effect":"Allow","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
D. {"Effect":"Deny","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
Answer: D

Denies access when SecureTransport is false, effectively requiring HTTPS.

Why this answer

To enforce encryption in transit, deny access whenever the request does not use TLS, i.e., when the Bool condition key aws:SecureTransport is false. This requires a Deny effect combined with that condition; an Allow with the same condition would not block plain HTTP requests that are permitted elsewhere.

Question 24 (MCQ, medium)

A company is using AWS Secrets Manager to store database credentials for a multi-tier application. The application runs on EC2 instances in an Auto Scaling group. The DevOps engineer has configured the instances to retrieve the secret at boot time using a script that calls the AWS CLI. Recently, the security team discovered that the secret was exposed in the instance's user data logs. The engineer needs to implement a more secure method to access the secret without storing it in user data. The application code can be modified. The environment uses IAM roles for EC2. Which solution best meets the security requirements?

A. Store the secret in a configuration file on the EC2 instance and encrypt the file system.
B. Store the secret in AWS Systems Manager Parameter Store and retrieve it via the AWS CLI at boot time.
C. Modify the application code to use the AWS SDK to retrieve the secret from Secrets Manager using the instance's IAM role.
D. Use a KMS key to encrypt the secret and store the encrypted value in user data.
Answer: C

This retrieves the secret at runtime without storing it in user data or on disk.

Why this answer

Option C is correct because using the AWS SDK with the IAM role attached to the EC2 instance retrieves the secret programmatically at runtime without storing it in user data. The IAM role must have permission to read the secret. Option A is wrong because a configuration file still stores the secret on the instance.

Option B is wrong because Systems Manager Parameter Store is an alternative store, but the question is about Secrets Manager, and retrieving the value with the CLI at boot time repeats the same pattern that exposed it; using the SDK with the IAM role is the standard secure method. Option D is wrong because a KMS key is used for encryption, not for retrieving the secret; the secret is already encrypted at rest in Secrets Manager.

Question 25 (Multi-Select, hard)

A company has an IAM policy that allows users to manage their own passwords and MFA devices. The policy includes a condition that requires MFA for all API operations except for changing passwords and MFA. Which THREE statements are true about this policy? (Choose THREE.)

Select 3 answers
A. The policy creates an IAM role for MFA enforcement.
B. The policy applies to the AWS account root user.
C. The policy uses NotAction to exclude password and MFA actions.
D. The policy uses the aws:MultiFactorAuthPresent condition key.
E. The policy must be attached to IAM users or groups.
Answers: C, D, E

NotAction allows those actions without MFA.

Why this answer

Options C, D, and E are correct. The condition Bool: aws:MultiFactorAuthPresent ensures that if MFA is not present, access is denied except for the allowed actions. The policy uses NotAction to allow password and MFA changes without MFA.

The policy must be attached to users or groups to take effect. Option B is wrong because the policy does not apply to the root user. Option A is wrong because the policy does not create an IAM role; it is an identity-based policy.

Question 26 (MCQ, easy)

A DevOps engineer is configuring AWS Config rules to detect non-compliant security groups. The rule should trigger if any security group allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS managed Config rule should be used?

A. vpc-sg-open-only-to-authorized-ports
B. ec2-security-group-attached-to-eni
C. restricted-ssh
D. incoming-ssh-disabled
Answer: C

Checks for SSH from 0.0.0.0/0.

Why this answer

Option C is correct because 'restricted-ssh' is the managed rule that checks for SSH access from 0.0.0.0/0. Option D is wrong because 'incoming-ssh-disabled' is not a managed rule. Option A is wrong because 'vpc-sg-open-only-to-authorized-ports' is not specific to SSH.

Option B is wrong because 'ec2-security-group-attached-to-eni' checks attachment, not rules.

Question 27 (MCQ, medium)

The IAM policy above is attached to a user. The user tries to stop an EC2 instance. What will happen?

A. The user is denied due to an implicit deny.
B. The user cannot stop the instance because there is no explicit allow for all instances.
C. The user cannot stop the instance because the Deny statement overrides the Allow.
D. The user can stop the instance.
Answer: D

Explicit allow for StopInstances.

Why this answer

Option D is correct because the policy explicitly allows ec2:StopInstances and does not deny it. Options A and B are wrong because the policy does contain an explicit allow for StopInstances, so there is no implicit deny. Option C is wrong because there is no explicit deny for StopInstances; the Deny applies only to TerminateInstances.

Question 28 (Multi-Select, easy)

A DevOps engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which TWO methods can achieve this?

Select 2 answers
A. Create an IAM role in the source account with read access to the bucket, and allow users in that account to assume the role.
B. Enable S3 Block Public Access on the bucket.
C. Generate pre-signed URLs for each object and distribute them only to users in the target account.
D. Write a bucket policy that uses the aws:SourceAccount condition to allow access only from the specific account.
E. Set a bucket ACL that grants read access to the target account's canonical ID.
Answers: A, D

Assuming a role in the source account grants cross-account access.

Why this answer

Options A and D are correct. Bucket policy with condition can restrict to specific source account. IAM roles in the source account can grant cross-account access.

Option C (pre-signed URLs) works for individual objects but not as a general restriction. Option B (Block Public Access) does not restrict access to a specific account. Option E (ACL) is legacy and less secure.

Question 29 (MCQ, medium)

A DevOps engineer needs to encrypt data in transit between an Application Load Balancer (ALB) and backend EC2 instances. The application uses HTTPS. What is the simplest way to achieve this encryption?

A. Use an AWS Private Certificate Authority to issue certificates for the instances.
B. Use a Network Load Balancer instead with TLS listeners.
C. Place both ALB and instances in a VPC with default security groups.
D. Configure the ALB listener to use HTTPS, and configure the target group to use HTTPS with a self-signed certificate on the instances.
Answer: D

This encrypts traffic between ALB and instances.

Why this answer

An ALB terminates HTTPS at the listener and can then communicate with backend instances over HTTP if desired. To encrypt in transit, configure the target group to use HTTPS as well. The simplest approach is to install a certificate on the instances and point the target group at HTTPS; that certificate can be self-signed. Option D is correct.

Using an internal CA or ACM Private CA is more complex. Using a TCP listener does not provide encryption, and default security groups do not encrypt anything.

30
MCQeasy

A company uses AWS Secrets Manager to store database credentials. The security team needs to automatically rotate the secrets every 30 days. Which action should be taken?

A.Enable automatic rotation on the secret and configure the rotation interval to 30 days
B.Manually rotate the secret every 30 days using the AWS Management Console
C.Store the secret in AWS Systems Manager Parameter Store and use a scheduled Lambda to update it
D.Use AWS KMS to rotate the secret by re-encrypting with a new key
AnswerA

Secrets Manager supports automatic rotation with a Lambda function.

Why this answer

Secrets Manager rotates a secret on a schedule by invoking a rotation Lambda function; enabling rotation on the secret and setting the interval (every 30 days, or a schedule expression) is all that is required for the supported database engines, which have AWS-provided rotation functions. Option B is wrong because manual rotation is not automatic. Option C is wrong because Systems Manager Parameter Store does not natively rotate secrets; you would be rebuilding the scheduler and the credential-change logic yourself.

Option D is wrong because KMS key rotation changes the key material that protects the secret, not the database password itself; the old credential would remain valid.
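The rotation Lambda that Secrets Manager invokes follows a fixed four-step protocol driven by staging labels, and most "rotation is failing" tickets come from a step that is not safe to retry. The following is an added example, not AWS sample code: it implements the four steps (createSecret, setSecret, testSecret, finishSecret) against small in-memory stand-ins for Secrets Manager and the database so it runs offline. The secret id, the fake clients and the credential values are constructed for the example.

```python
"""Added illustration, not AWS sample code: the four-step protocol that a
Secrets Manager rotation Lambda implements (createSecret, setSecret, testSecret,
finishSecret), driven by the AWSCURRENT / AWSPENDING staging labels.  The
service and the database are replaced by in-memory stand-ins so the protocol
runs offline; the secret id, the fake clients and the credential values are
all constructed for this example."""
import secrets
import string


class FakeSecretsManager:
    """Just enough of Secrets Manager's version model: every version has an id
    (the ClientRequestToken of the rotation that created it), a value and a set
    of staging labels.  Exactly one version carries AWSCURRENT."""

    def __init__(self, current_value):
        self.versions = {"v0": {"value": dict(current_value), "stages": {"AWSCURRENT"}}}

    def get_secret_value(self, stage=None, version_id=None):
        for vid, v in self.versions.items():
            if (version_id is None or vid == version_id) and (stage is None or stage in v["stages"]):
                return dict(v["value"])
        raise KeyError(f"no version with stage={stage} id={version_id}")

    def put_secret_value(self, version_id, value, stages):
        self.versions[version_id] = {"value": dict(value), "stages": set(stages)}

    def current_version_id(self):
        return next(vid for vid, v in self.versions.items() if "AWSCURRENT" in v["stages"])

    def promote(self, version_id):
        """Move AWSCURRENT to version_id: the old current becomes AWSPREVIOUS
        and the promoted version drops AWSPENDING, as the real service does."""
        old = self.current_version_id()
        self.versions[old]["stages"] -= {"AWSCURRENT"}
        self.versions[old]["stages"].add("AWSPREVIOUS")
        self.versions[version_id]["stages"] -= {"AWSPENDING"}
        self.versions[version_id]["stages"].add("AWSCURRENT")


class FakeDatabase:
    """Stand-in for the database whose password is being rotated."""

    def __init__(self, user, password):
        self.passwords = {user: password}

    def set_password(self, user, password):
        self.passwords[user] = password

    def login(self, user, password):
        return self.passwords.get(user) == password


def random_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#%+,-.:=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_handler(event, sm, db):
    """One invocation.  Secrets Manager calls the function once per step with
    the same ClientRequestToken and retries a failed step, so every step must
    be safe to repeat."""
    token, step = event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        try:
            sm.get_secret_value(stage="AWSPENDING", version_id=token)  # retry: keep it
        except KeyError:
            pending = sm.get_secret_value(stage="AWSCURRENT")
            pending["password"] = random_password()
            sm.put_secret_value(token, pending, ["AWSPENDING"])
    elif step == "setSecret":
        pending = sm.get_secret_value(stage="AWSPENDING", version_id=token)
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":
        pending = sm.get_secret_value(stage="AWSPENDING", version_id=token)
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected by database; not promoting it")
    elif step == "finishSecret":
        if sm.current_version_id() != token:  # already promoted on a retry
            sm.promote(token)
    else:
        raise ValueError(f"unknown step {step}")


def run_rotation(sm, db, token):
    """Drive the four steps the way the service would; return the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"SecretId": "prod/app/db", "ClientRequestToken": token, "Step": step}, sm, db)
    return sm.get_secret_value(stage="AWSCURRENT")


if __name__ == "__main__":
    sm = FakeSecretsManager({"username": "app", "password": "initial-pw"})
    db = FakeDatabase("app", "initial-pw")
    new = run_rotation(sm, db, "6f0a1c2e-rotation-1")
    print("rotated; database accepts new password:", db.login("app", new["password"]))
```

Two points carry over to a real function: createSecret must check for an existing AWSPENDING version before generating a password (otherwise a retry mints a second password and setSecret/testSecret disagree about which one the database holds), and the execution role needs secretsmanager:GetSecretValue, PutSecretValue and UpdateSecretVersionStage on the secret plus network reachability to the database, which is where the permission error in question 2 usually comes from.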

31
MCQeasy

A company has an S3 bucket with sensitive data. The security team requires that all data uploaded to the bucket be automatically encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). How can this be enforced?

A.Enable default encryption on the S3 bucket with SSE-KMS.
B.Use an S3 bucket policy that denies PutObject requests without the x-amz-server-side-encryption header.
C.Enable AWS CloudTrail to monitor uploads and alert on unencrypted objects.
D.Create an IAM policy that requires all S3 operations to use SSE-KMS.
AnswerB

Bucket policy can enforce encryption headers.

Why this answer

Option B is correct because a bucket policy can deny any PutObject whose x-amz-server-side-encryption header is not aws:kms, which rejects both unencrypted uploads and uploads that request SSE-S3 (AES256); a denied request fails at upload time, so a non-compliant object is never written. Option A is wrong for this requirement because default encryption only applies to objects uploaded without an encryption header: it guarantees every object is encrypted (and since January 2023 S3 applies SSE-S3 to all new objects regardless), but it does not reject an upload that explicitly asks for a different method. Option D is wrong because an IAM policy only constrains the principals it is attached to, whereas the bucket policy applies to every uploader.

Option C is wrong because CloudTrail records the upload after the fact; it can alert but not enforce.

32
MCQhard

A company uses AWS Organizations with multiple accounts. The security team requires that all newly created S3 buckets in any account automatically have default encryption enabled and block public access. Which solution is MOST operationally efficient?

A.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to apply settings
B.Apply a service control policy (SCP) that denies creation of buckets without encryption and public access block
C.Create a bucket policy on each existing bucket and rely on developers to apply it to new buckets
D.Use AWS Config rules to detect non-compliant buckets and send notifications
AnswerB

SCPs are preventive and apply organization-wide automatically.

Why this answer

An SCP attached to the organization root (or an OU) is a preventive guardrail that applies to every current and future account without per-account work. Option A (CloudTrail plus Lambda) is reactive: the bucket exists in a non-compliant state until the function runs, and the automation must be maintained in each account. Option C relies on developers remembering to apply a policy, and a bucket policy cannot configure default encryption or Block Public Access anyway.

Option D is wrong because Config detects non-compliance; it can trigger remediation only with additional automation and never prevents the action. In practice the SCP denies the calls that would weaken the settings (s3:PutBucketPublicAccessBlock, s3:DeleteBucketPublicAccessBlock, s3:DeleteBucketEncryption, and s3:PutBucketEncryption outside approved roles), since CreateBucket exposes no condition key for these properties; note also that new buckets have had Block Public Access and SSE-S3 default encryption enabled by default since 2023.

33
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that any changes to IAM roles must be reviewed and approved by a security engineer before deployment. The DevOps engineer needs to implement a gating mechanism. Which approach should the engineer use?

A.Use AWS Config to detect changes to IAM roles and trigger a Lambda function that reverts the change.
B.Apply a service control policy that denies iam:CreateRole and iam:UpdateAssumeRolePolicy across the organization.
C.Add a condition to the IAM policy that requires MFA for any CloudFormation action.
D.Create a CodePipeline that deploys CloudFormation stacks and include a manual approval step for changes that modify IAM resources.
AnswerD

Manual approval step enforces review before deployment.

Why this answer

Option D is correct: a CodePipeline with a manual approval action in front of the deploy stage blocks the pipeline until a named reviewer approves, and the pipeline can be built so that a change set touching IAM resources (CloudFormation reports the affected resource types, and such templates require CAPABILITY_IAM or CAPABILITY_NAMED_IAM) is routed through that gate. Option A is wrong because AWS Config detects changes after they happen, and reverting is not review. Option C is wrong because an MFA condition proves the deployer's identity but does not involve a second person.

Option B is wrong because an organization-wide SCP denying iam:CreateRole and iam:UpdateAssumeRolePolicy blocks the pipeline's own deployments as well as everyone else's; it is a blanket prohibition, not a review gate.

34
Multi-Selectmedium

Which THREE are components of the AWS Shared Responsibility Model? (Choose THREE.)

Select 3 answers
A.AWS is responsible for patching customer applications on EC2
B.Customers are responsible for managing IAM users and permissions
C.AWS is responsible for managing customer IAM roles
D.Customers are responsible for securing their data in the cloud
E.AWS is responsible for the security of the cloud infrastructure
AnswersB, D, E

IAM is customer-managed.

Why this answer

Option E is correct: AWS is responsible for security "of" the cloud, meaning the facilities, hardware, network and managed-service software. Option D is correct: customers are responsible for security "in" the cloud, including their data, its classification and its encryption. Option B is correct: customers create and manage IAM users, roles and permissions.

Option A is wrong because patching the guest operating system and applications on EC2 is the customer's job. Option C is wrong because AWS does not manage customer IAM roles.

35
MCQmedium

An S3 bucket has the above bucket policy. What is the net effect on GetObject requests?

A.All anonymous users can read objects
B.All requests are denied
C.Only requests from IP range 192.0.2.0/24 are allowed
D.Only authenticated users can read objects
AnswerC

Deny with condition allows only that IP range.

Why this answer

The Allow statement grants public read access. The Deny statement denies all S3 actions when the source IP is outside 192.0.2.0/24 (typically written as a NotIpAddress condition on aws:SourceIp). An explicit Deny always overrides an Allow in policy evaluation, so only requests arriving from that range succeed; every other caller, including the bucket owner's own principals unless they come from that range, is denied.

Option C is correct.

36
MCQmedium

A DevOps engineer created the IAM policy shown in the exhibit and attached it to a user. The user tries to upload an object to my-bucket without specifying the ACL. Why does the upload fail?

A.The Effect should be Deny for this policy to work
B.The resource ARN is incorrect; it should be arn:aws:s3:::my-bucket
C.The user does not have permission to list the bucket
D.The policy condition requires the ACL to be bucket-owner-full-control, but the user did not specify it
AnswerD

The condition is not met, so the request is implicitly denied.

Why this answer

The Allow statement carries a StringEquals condition on s3:x-amz-acl requiring 'bucket-owner-full-control'. When the user omits the ACL, the request context contains no s3:x-amz-acl key, so the condition does not match, the Allow does not apply, and the request is implicitly denied. (The object would have received the default private ACL, but that is never evaluated; the absence of the header is what fails the condition.)

The resource ARN is correct and the action is allowed; StringEquals is the right operator for an exact comparison. The fix is for the uploader to set x-amz-acl: bucket-owner-full-control, or for the bucket owner to switch the bucket to the bucket-owner-enforced object ownership setting, which disables ACLs and makes the condition unnecessary.

37
MCQeasy

A company uses AWS CodeBuild for CI/CD. The build project needs to access a private S3 bucket to download artifacts. What is the MOST secure way to grant access?

A.Embed the access keys in the buildspec.yml file.
B.Create an IAM role with read access to the bucket and attach it to the CodeBuild project.
C.Use an S3 bucket policy that grants public read access.
D.Store AWS access keys in CodeBuild environment variables.
AnswerB

IAM roles provide temporary credentials and are more secure.

Why this answer

Option B is correct: CodeBuild assumes the project's service role and receives short-lived credentials, so there are no long-term keys to leak or rotate, and the role's policy can be scoped to s3:GetObject on the artifact bucket. Option D is wrong because access keys in environment variables are long-term credentials visible to anyone who can read the project configuration or build logs (values that truly must be secrets belong in Secrets Manager or Parameter Store references).

Option A is wrong because keys embedded in buildspec.yml end up in source control. Option C is wrong because public read access exposes the artifacts to everyone; a bucket policy can complement the role by restricting the bucket to that role's principal, but the build still needs the role.

38
Multi-Selecteasy

Which TWO are best practices for securing an Amazon RDS database? (Choose 2)

Select 2 answers
A.Enable public accessibility for easy management.
B.Use a single Availability Zone to reduce complexity.
C.Launch the RDS instance in a private subnet.
D.Enable encryption at rest using AWS KMS.
E.Grant direct IAM user access to the database.
AnswersC, D

Placing the database in a private subnet restricts direct internet access.

Why this answer

Option C (private subnet) and Option D (encryption at rest with KMS) are correct. Option A is wrong because public accessibility exposes the endpoint to the internet and should be disabled. Option B is wrong because a single Availability Zone reduces availability, not the attack surface.

Option E is wrong because database users should not be granted standing direct access; RDS does support IAM database authentication with short-lived tokens, but the option as worded describes granting IAM users direct access, which is not the recommended pattern.

39
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail logs. What is the most effective way to enforce this control?

A.Require all accounts to use the same CloudTrail trail.
B.Apply a Service Control Policy that denies cloudtrail:DeleteTrail and cloudtrail:StopLogging.
C.Create an IAM policy in each account that denies cloudtrail:DeleteTrail.
D.Configure CloudTrail to log to an S3 bucket in a centralized logging account and deny access to the bucket from member accounts.
AnswerB

SCPs are applied at the organization level and cannot be overridden by account admins.

Why this answer

Option B is correct because an SCP that denies cloudtrail:DeleteTrail and cloudtrail:StopLogging applies to every principal in every member account, including account administrators, who cannot remove or override it. In practice the same statement should also deny cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, since a trail can be silently degraded without being stopped; remember that SCPs do not apply to the management account. Option D protects the stored log files but does nothing to stop a member account from stopping or deleting its own trail. Option C is wrong because IAM policies live inside each account, and an account administrator can change them.

Option A is wrong because sharing one trail is not a control by itself; whoever owns that trail can still modify it.

40
Multi-Selecthard

A company is using AWS Lambda to process sensitive data. The security team requires that the Lambda function only be invoked from within a specific VPC and that the function's environment variables be encrypted at rest. Which TWO actions should the DevOps engineer take to meet these requirements?

Select 2 answers
A.Enable AWS KMS encryption for the Lambda function's environment variables using a customer-managed key.
B.Enable encryption for CloudWatch Logs using a KMS key.
C.Configure the Lambda function to be VPC-enabled and set up a VPC endpoint for Lambda.
D.Assign an IAM execution role with permissions to access a KMS key.
E.Attach a resource-based policy to the Lambda function that denies invoke unless the request comes from the VPC.
AnswersA, C

KMS encryption protects environment variables at rest.

Why this answer

Option A is correct because encrypting the environment variables with a customer managed KMS key meets the at-rest requirement and gives the team control of the key policy (the execution role then needs kms:Decrypt on that key to read them at runtime). Option C is correct for the invocation requirement as the exam frames it: an interface VPC endpoint for Lambda, with an endpoint policy, lets callers inside the VPC reach the Lambda API privately, and attaching the function to the VPC places its own network traffic inside the VPC. Note that VPC attachment by itself controls where the function's outbound traffic goes, not who may invoke it. Option E is wrong because a resource-based policy controls which principals can invoke the function and cannot by itself confine invocation to the VPC.

Option B is wrong because CloudWatch Logs encryption protects log data, not environment variables. Option D is wrong because granting the execution role access to a KMS key does not encrypt anything by itself; encryption is configured on the function.

41
Multi-Selecthard

A company wants to monitor and detect anomalous API calls in their AWS account. Which THREE AWS services should they use together to achieve this?

Select 3 answers
A.AWS CloudTrail
B.Amazon Inspector
C.Amazon CloudWatch Logs
D.AWS Config
E.Amazon GuardDuty
AnswersA, C, E

Logs API calls.

Why this answer

AWS CloudTrail is correct because it records the API calls made in the account, providing the raw data for detecting anomalous activity. By enabling a trail in all regions and logging to a centralized S3 bucket, you capture the identity, source IP, and request parameters for every call. Amazon CloudWatch Logs is correct because a trail can deliver events to a log group, where metric filters and alarms flag specific patterns (root usage, IAM changes, CloudTrail being stopped, repeated AccessDenied errors). Amazon GuardDuty is correct because it consumes CloudTrail management events, VPC Flow Logs and DNS logs and applies threat intelligence and anomaly detection to surface unusual API behavior without you writing the rules.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which tracks API calls), or they think Amazon Inspector (a vulnerability scanner) can detect anomalous API behavior when it is designed for a completely different purpose.
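The detection side of this question is easier to see in code than in prose. The following is an added example, not from the page: rule-based detection over CloudTrail records of the kind normally expressed as CloudWatch Logs metric filters (root activity, trail tampering, a burst of AccessDenied errors, a principal seen from a new source IP), run over a handful of constructed events so it executes offline. The account id, principal ARNs, addresses and the event records are all constructed.

```python
"""Added example, not from the page: rule-based detection over CloudTrail
records of the kind expressed as CloudWatch Logs metric filters, run here over
a handful of constructed events so it executes offline.  The rules (root
activity, trail tampering, a burst of AccessDenied errors, a principal seen from
a new source IP) are the usual CIS-benchmark style checks; GuardDuty layers
managed anomaly detection on the same CloudTrail feed."""
import json
from collections import Counter, defaultdict

ALICE = "arn:aws:iam::111122223333:user/alice"
ROOT = "arn:aws:iam::111122223333:root"

# Constructed records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:01Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": ROOT}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "arn": ALICE}},
] + [
    {"eventTime": f"2024-05-01T10:05:{s:02d}Z", "eventName": "GetSecretValue", "sourceIPAddress": "192.0.2.77",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "arn": ALICE}}
    for s in range(6)
]]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_THRESHOLD = 5


def detect(records, known_ips=None):
    """Apply the rules to an iterable of JSON CloudTrail records and return
    (rule, principal, detail) findings in order.  known_ips is an optional
    baseline {principal_arn: set(ip)}; unseen addresses are flagged once and
    then learned."""
    known_ips = defaultdict(set, known_ips or {})
    denied = Counter()
    findings = []
    for raw in records:
        ev = json.loads(raw)
        who = ev["userIdentity"].get("arn", "unknown")
        ip = ev.get("sourceIPAddress")
        if ev["userIdentity"].get("type") == "Root":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            findings.append(("root_activity", who, f"{ev['eventName']} MFAUsed={mfa}"))
        if ev["eventName"] in TRAIL_TAMPERING:
            findings.append(("cloudtrail_tampering", who, ev["eventName"]))
        if ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[who] += 1
            if denied[who] == DENIED_THRESHOLD:  # fire once per principal
                findings.append(("access_denied_burst", who, f"{DENIED_THRESHOLD} denials"))
        if ip and who in known_ips and ip not in known_ips[who]:
            findings.append(("new_source_ip", who, ip))
        if ip:
            known_ips[who].add(ip)
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} {who:45s} {detail}")
```

The trail-tampering rule is the one you would ship first as a CloudWatch Logs metric filter; the CIS Foundations pattern for it is { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }, with an alarm on a count of 1 or more.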

42
MCQeasy

A DevOps engineer is designing an AWS Lambda function that needs to read secrets from AWS Secrets Manager. What is the most secure way to provide the Lambda function access to the secret?

A.Assign an IAM execution role to the Lambda function with a policy that allows secretsmanager:GetSecretValue on the specific secret.
B.Store the secret in AWS Systems Manager Parameter Store and grant the Lambda function access to the parameter.
C.Encrypt the secret using AWS KMS and pass the encrypted value as an environment variable.
D.Store the secret in an environment variable in the Lambda function.
AnswerA

This follows least privilege and uses IAM permissions.

Why this answer

Option A is correct because the Lambda execution role carries an IAM policy scoped to secretsmanager:GetSecretValue on that one secret's ARN; the function retrieves the value at runtime with temporary credentials, and nothing secret is stored in its configuration. Option D is wrong because a plaintext environment variable is readable by anyone with lambda:GetFunctionConfiguration and shows in the console. Option C is wrong because a KMS-encrypted environment variable still places the secret in the function configuration and bypasses Secrets Manager's rotation; the function would have to decrypt it itself.

Option B is wrong because Parameter Store is a different service; the question states the secret lives in Secrets Manager, so the permission must target that secret.

43
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies the creation of IAM users and roles with full admin access. The SCP is attached to all accounts. However, a DevOps engineer in a member account reports that they are able to create an IAM role with an administrator access policy attached. The engineer uses the AWS Management Console to create the role. The SCP is confirmed to be in place. What is the most likely reason the SCP is not preventing the role creation?

A.SCPs are not inherited by member accounts from the root.
B.The SCP is not attached to the member account's root organizational unit.
C.The engineer's IAM policy allows iam:CreateRole and overrides the SCP.
D.The SCP only denies iam:CreateUser, but the engineer is creating a role (iam:CreateRole).
AnswerD

If the SCP statement only specifies iam:CreateUser, it would not prevent creating IAM roles. The engineer could create a role with admin privileges.

Why this answer

SCPs are evaluated before any IAM policy, and nothing inside a member account can override an explicit SCP deny, so Option C is impossible. SCPs attached to the root are inherited by every OU and account below it, so Option A is false, and the question states the SCP is confirmed to be attached to all accounts, which rules out Option B. (The one place an SCP never applies is the management account, but the question specifies a member account.)

The remaining explanation is that the SCP's statement does not cover the action being performed: it denies iam:CreateUser but not iam:CreateRole, so a role with an administrator policy attached goes through. Option D is correct. The fix is to deny iam:CreateRole together with iam:AttachRolePolicy and iam:AttachUserPolicy when iam:PolicyARN is the AdministratorAccess policy, and to test the SCP in a sandbox account before relying on it.

44
MCQmedium

An organization uses AWS Organizations with multiple accounts. The Security team needs to enforce a policy that prohibits the creation of S3 buckets with public access in any account. Which policy type should be used?

A.Service control policy (SCP)
B.IAM permissions boundary
C.AWS CloudTrail trail
D.AWS Config rule
AnswerA

SCPs can be applied to organizational units or the entire organization to deny the actions that would open a bucket to the public, such as turning off Block Public Access (s3:PutBucketPublicAccessBlock, s3:DeleteBucketPublicAccessBlock, s3:PutAccountPublicAccessBlock) or granting public ACLs (s3:PutBucketAcl, s3:PutObjectAcl).

Why this answer

Service control policies (SCPs) let you centrally set the maximum permissions for every account in an organization, so a single deny applies to all accounts, present and future. A permissions boundary (Option B) caps what one IAM principal in one account can do and must be attached to each principal; it cannot cover an organization. CloudTrail (Option C) logs the call after it happens.

AWS Config rules (Option D) can detect a public bucket and trigger remediation, but they do not prevent its creation.

45
MCQmedium

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A Security Engineer needs to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. Which solution meets these requirements?

A.Attach a bucket policy to the S3 bucket that allows access only from the ALB's security group.
B.Create an IAM role with a policy that grants s3:PutObject and s3:GetObject access to the specific bucket, and attach the role to the EC2 instances as an instance profile.
C.Configure a VPC endpoint for S3 and modify the route table to route S3 traffic through the endpoint.
D.Create a security group that allows outbound HTTPS traffic only to the S3 bucket's IP address range.
AnswerB

This grants the EC2 instances only the permissions needed for that bucket, and they cannot access other AWS services unless additional policies are attached.

Why this answer

Using an instance profile with an IAM role whose policy grants s3:PutObject and s3:GetObject only on the specific bucket ensures the EC2 instances' credentials can reach that bucket and nothing else (add s3:ListBucket on the bucket ARN if the application must list objects). Option A is wrong because there is no bucket policy condition keyed to a security group, and a bucket policy constrains who may reach the bucket rather than what the instances' own credentials may do. Option D is wrong because security groups filter by network endpoint, not by AWS API or bucket, and S3's public IP ranges are shared by every bucket in the region.

Option C is wrong because a gateway endpoint alone only gives private connectivity; its endpoint policy can complement the role by limiting which buckets are reachable through the VPC, but it does not restrict the instances' permissions to other services.

46
Multi-Selecteasy

Which AWS services can be used to protect a web application from common web exploits like SQL injection and cross-site scripting? (Select TWO.)

Select 2 answers
A.AWS WAF
B.AWS Shield Advanced
C.Amazon CloudFront with AWS WAF
D.Amazon Inspector
E.Amazon Cognito
AnswersA, C

WAF can inspect HTTP requests and block SQL injection and XSS.

Why this answer

AWS WAF is a web application firewall that inspects HTTP(S) requests and blocks those matching rules such as the AWS Managed Rules SQL database and Core rule sets, which cover SQL injection and XSS. CloudFront integrates with WAF so the same inspection happens at the edge before requests reach the origin. Shield Advanced provides DDoS protection and response support, not inspection for application-layer exploits.

Cognito is for authentication and user management. Inspector scans EC2, ECR and Lambda workloads for software vulnerabilities and network exposure; it does not filter traffic.

47
MCQmedium

Refer to the exhibit. An EC2 instance with the IAM role MyAppRole is running. An application on the instance tries to delete an object from the S3 bucket 'example-bucket'. What will happen?

A.The request is allowed because the instance has full access to the bucket.
B.The request is denied because the bucket policy overrides the IAM role.
C.The request is denied because the IAM role does not have the s3:DeleteObject permission.
D.The request is allowed because the role has s3:GetObject permission, which includes delete.
AnswerC

The policy only allows s3:ListBucket and s3:GetObject.

Why this answer

Option C is correct because the role's policy grants only s3:ListBucket and s3:GetObject; s3:DeleteObject is not granted, so the request is implicitly denied. Option B is wrong because no bucket policy is involved, and a bucket policy could only add permissions or add an explicit deny; here the deny is implicit. Option A is wrong because nothing in the policy grants full access.

Option D is wrong because IAM actions are distinct: s3:GetObject does not include delete, and the request fails with AccessDenied rather than succeeding.

48
MCQmedium

An IAM policy is attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' even though they are connecting from within the 10.0.0.0/16 IP range. What is the MOST likely reason?

A.The policy needs an additional condition for VPC endpoint.
B.The policy does not allow the s3:ListBucket action.
C.The user is accessing S3 through a VPC endpoint, but the condition only works for public IP addresses.
D.The resource ARN is missing the bucket-level permission.
AnswerC

The aws:SourceIp condition does not work for VPC endpoint traffic; use aws:VpcSourceIp instead.

Why this answer

The aws:SourceIp condition key carries the caller's public address and is evaluated for requests that reach S3 over the public internet. When the user's traffic goes through a VPC endpoint, aws:SourceIp is not available in the request context, so an IpAddress condition on 10.0.0.0/16 never matches, the Allow does not apply, and the request is implicitly denied. Option C is correct; the policy should use aws:VpcSourceIp for the private range, usually together with aws:SourceVpce or aws:SourceVpc to pin the endpoint.

Option A is wrong because adding a VPC endpoint condition next to an aws:SourceIp test that can never match still leaves the Allow unsatisfied; the aws:SourceIp condition has to be replaced. Option B is wrong because s3:ListBucket is not required to download an object whose key is known. Option D is wrong because s3:GetObject is authorized on the object ARN, not a bucket-level one.
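Questions 31, 35, 36 and 48 all turn on the same two evaluation rules: an explicit Deny beats any Allow, and a condition whose key is missing from the request context behaves differently for positive and negated operators. The block below is an added illustration, not AWS code: a small model of IAM/S3 policy evaluation that reproduces the decisions those four questions describe, including the VPC-endpoint case where aws:SourceIp is absent. It implements only what those policies need (Effect, Action, Resource and the StringEquals, StringNotEquals, IpAddress, NotIpAddress and Null operators), leaves out Principal matching and cross-account rules, and every policy, bucket name and request context in it is constructed.

```python
"""Added illustration, not AWS code: a small model of IAM/S3 policy evaluation
that reproduces the decisions discussed in questions 31, 35, 36 and 48.  It
implements only what those policies need (Effect, Action, Resource and the
StringEquals, StringNotEquals, IpAddress, NotIpAddress and Null operators);
Principal matching and cross-account rules are left out.  Every policy and
request context below is constructed for the example."""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition against the request context.  IAM semantics for a
    key absent from the context: positive operators never match, negated
    operators (StringNotEquals, NotIpAddress) always match, and Null tests
    presence explicitly.  Absent keys are what bites in Q31 (no encryption
    header) and Q48 (no aws:SourceIp when coming through a VPC endpoint)."""
    actual, expected = ctx.get(key), _as_list(expected)
    if operator == "Null":
        return (actual is None) == (expected[0] == "true")
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual is not None and actual in expected
        return hit if operator == "StringEquals" else not hit
    if operator in ("IpAddress", "NotIpAddress"):
        hit = actual is not None and any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
        return hit if operator == "IpAddress" else not hit
    raise ValueError(f"operator {operator} not modelled")


def evaluate(policies, action, resource, ctx):
    """Decide one request over identity and resource policies together (the
    same-account case): any matching explicit Deny wins, otherwise some
    statement must Allow, otherwise the request is implicitly denied."""
    decision = "deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            conds = stmt.get("Condition", {})
            if not all(condition_matches(op, k, v, ctx)
                       for op, kv in conds.items() for k, v in kv.items()):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


BUCKET, OBJECTS = "arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"
OBJ = "arn:aws:s3:::example-bucket/report.csv"
# Caller's identity policy: a plain read/write allow.
IDENTITY_RW = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                              "Resource": OBJECTS}]}
# Q31: bucket policy rejecting any upload that is not SSE-KMS; StringNotEquals
# also matches when the header is absent, so unencrypted uploads are denied too.
REQUIRE_SSE_KMS = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
# Q35: public read plus an explicit Deny for every source outside 192.0.2.0/24.
IP_FENCED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}
# Q36: upload allowed only when the request sets the bucket-owner-full-control ACL.
ACL_GATED = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECTS,
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
# Q48: the identity policy keyed on aws:SourceIp, and the fix using aws:VpcSourceIp.
PRIVATE_IP_BROKEN = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS,
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}
PRIVATE_IP_FIXED = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS,
    "Condition": {"IpAddress": {"aws:VpcSourceIp": "10.0.0.0/16"}}}]}


def scenarios():
    """Decision for each situation the questions describe."""
    sse = [IDENTITY_RW, REQUIRE_SSE_KMS]
    return {
        "q31_sse_kms_upload": evaluate(sse, "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "aws:kms"}),
        "q31_sse_s3_upload": evaluate(sse, "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "AES256"}),
        "q31_no_header": evaluate(sse, "s3:PutObject", OBJ, {}),
        "q35_inside_range": evaluate([IP_FENCED], "s3:GetObject", OBJ, {"aws:SourceIp": "192.0.2.10"}),
        "q35_outside_range": evaluate([IP_FENCED], "s3:GetObject", OBJ, {"aws:SourceIp": "198.51.100.7"}),
        # Through a VPC endpoint there is no aws:SourceIp, so NotIpAddress matches
        # and the fence locks out the VPC as well.
        "q35_via_vpc_endpoint": evaluate([IP_FENCED], "s3:GetObject", OBJ, {"aws:SourceVpce": "vpce-0abc"}),
        "q36_with_acl": evaluate([ACL_GATED], "s3:PutObject", OBJ, {"s3:x-amz-acl": "bucket-owner-full-control"}),
        "q36_without_acl": evaluate([ACL_GATED], "s3:PutObject", OBJ, {}),
        "q48_broken_via_vpce": evaluate([PRIVATE_IP_BROKEN], "s3:GetObject", OBJ, {"aws:VpcSourceIp": "10.0.3.7"}),
        "q48_fixed_via_vpce": evaluate([PRIVATE_IP_FIXED], "s3:GetObject", OBJ, {"aws:VpcSourceIp": "10.0.3.7"}),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:22s} {decision}")
```

The q35_via_vpc_endpoint case is the one worth remembering: a NotIpAddress deny on aws:SourceIp also denies every request that carries no aws:SourceIp, so an IP fence written this way silently locks out instances that reach S3 through a gateway endpoint. Before trusting a real policy, check it with the IAM policy simulator or by issuing the request from each network path.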

49
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?

A.Use a service control policy (SCP) in the Organizations root to deny PutBucketEncryption actions when encryption settings do not include AES256 or aws:kms.
B.Use AWS Config rules to detect unencrypted buckets and automatically apply encryption using a remediation action.
C.Enable AWS CloudTrail to log all S3 API calls and send alerts when non-compliant buckets are created.
D.Create an IAM policy in each account that denies PutBucketEncryption unless encryption is enabled.
AnswerA

SCPs are preventive controls that apply organization-wide, including future accounts.

Why this answer

A service control policy (SCP) applied at the Organizations root is the preventive control that applies to all current and future accounts, because SCPs are inherited by every account in the organization and cannot be overridden by IAM policies within those accounts. The option as worded describes denying encryption configurations other than AES256 or aws:kms; in practice the enforceable form is to deny s3:DeleteBucketEncryption everywhere and s3:PutBucketEncryption for everyone except a trusted role, paired with a bucket policy that rejects PutObject without SSE-KMS where a specific key is required (since January 2023 every new object is SSE-S3 encrypted by default, so the remaining risk is use of the wrong method, not a lack of encryption).

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config or CloudTrail) with preventive controls (like SCPs), or assume that IAM policies applied per account are sufficient for organization-wide enforcement, failing to recognize that SCPs are the only mechanism that applies uniformly to all accounts, including future ones.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are detective, not preventive; they can detect non-compliant buckets and trigger remediation, but they do not prevent the non-compliant action from occurring in the first place. Option C is wrong because CloudTrail is a logging service that records API calls after they happen; it cannot prevent the creation of unencrypted buckets, only alert on them. Option D is wrong because IAM policies are account-specific and must be manually applied to each account; they do not scale to future accounts automatically and can be overridden by account administrators with sufficient permissions.

50
MCQeasy

A company uses AWS CloudTrail to log all API calls across multiple accounts. The logs are stored in an S3 bucket in the management account. The security team wants to ensure that the logs are not tampered with and that any unauthorized modification is detected. The DevOps engineer has enabled CloudTrail log file integrity validation. The engineer also sets up an S3 lifecycle policy to transition logs to Glacier after 90 days. Additionally, the engineer enables S3 server access logging and sends the logs to a different bucket. A few months later, the security team suspects that some logs have been deleted. The engineer checks the CloudTrail digest files and finds that the latest digest file is missing. What is the most likely cause?

A.The S3 lifecycle policy is set to expire objects after 90 days, which deleted the digest file.
B.The S3 bucket has default encryption enabled, causing the digest files to be unreadable.
C.The server access logging is writing access logs to the same bucket, causing overwrites.
D.The S3 bucket has Object Lock enabled, which prevents deletion of any objects.
AnswerA

Lifecycle expiration deletes objects after the specified days.

Why this answer

CloudTrail log file integrity validation delivers an hourly digest file, signed by CloudTrail, that lists the hash of every log file delivered in that hour and the hash of the previous digest; aws cloudtrail validate-logs walks this chain and reports any log or digest that is missing or altered. A transition to Glacier only changes the storage class, so the object still exists. An expiration action in the same lifecycle rule deletes objects once they reach the configured age, and a rule scoped to the whole bucket also catches the digest files under the CloudTrail-Digest/ prefix, which is how the expected digest disappears from the chain. Option A is correct.

Option B is wrong because default encryption does not make objects unreadable to authorized readers, let alone delete them. Option C is wrong because the server access logs were sent to a different bucket and would not overwrite digests in any case. Option D is wrong because Object Lock would prevent deletion, the opposite of what was observed; enabling it on a log archive bucket in a separate account is the usual remedy.
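What validate-logs actually checks is a hash chain over the digest files, and a missing digest or log file shows up as a specific break in that chain. The block below is an added illustration, not AWS tooling: a simplified model of the chain and of the three situations the question contrasts (intact, the newest digest removed by a lifecycle rule, a single log file deleted). Real digest files also carry an RSA signature over each digest that the CLI verifies with CloudTrail's public key; that step is omitted here. The bucket name, account id, object keys and log contents are constructed.

```python
"""Added illustration, not AWS tooling: a simplified model of CloudTrail log
file integrity validation and of what a deleted log or digest looks like to it.
Real digest files also carry an RSA signature over each digest that
`aws cloudtrail validate-logs` checks with CloudTrail's public key; that step is
omitted and only the SHA-256 hash chain is modelled.  Bucket name, object keys
and log contents below are constructed."""
import hashlib
import json

BUCKET = "org-cloudtrail-logs"  # assumed name
LOG_PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
DIGEST_PREFIX = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/05/01/"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(hour, log_objects, previous):
    """One hourly digest as CloudTrail delivers it: a hash for every log file
    covered plus the hash of the previous digest, which links the chain.
    `previous` is (object_key, raw_bytes) or None for the first digest."""
    record = {
        "awsAccountId": "111122223333",
        "digestEndTime": f"2024-05-01T{hour:02d}:59:59Z",
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(body)} for key, body in sorted(log_objects.items())],
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(previous[1]) if previous else None,
    }
    return json.dumps(record, sort_keys=True).encode()


def validate_chain(store, digest_keys):
    """Walk the digests newest-first, as validate-logs does, and return the
    findings: a missing or altered log file, a missing or altered previous
    digest, or a digest that is gone altogether (that hour cannot be verified)."""
    findings = []
    for key in digest_keys:
        raw = store.get(key)
        if raw is None:
            findings.append(f"digest {key} missing: chain broken, hour cannot be verified")
            continue
        digest = json.loads(raw)
        for entry in digest["logFiles"]:
            body = store.get(entry["s3Object"])
            if body is None:
                findings.append(f"log file {entry['s3Object']} missing (listed in {key})")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"log file {entry['s3Object']} modified (hash mismatch)")
        prev_key = digest["previousDigestS3Object"]
        if prev_key is not None:
            prev = store.get(prev_key)
            if prev is None:
                findings.append(f"previous digest {prev_key} missing (referenced by {key})")
            elif sha256_hex(prev) != digest["previousDigestHashValue"]:
                findings.append(f"previous digest {prev_key} modified")
    return findings


def make_bucket():
    """Constructed bucket with three hours of logs, two files per hour, and a
    digest per hour.  Returns (object store, digest keys newest-first)."""
    store, digests, previous = {}, [], None
    for hour in range(10, 13):
        logs = {f"{LOG_PREFIX}{hour:02d}-{n}.json":
                json.dumps({"Records": [{"eventName": "ConsoleLogin", "hour": hour, "n": n}]}).encode()
                for n in range(2)}
        store.update(logs)
        dkey = f"{DIGEST_PREFIX}{hour:02d}.json"
        store[dkey] = build_digest(hour, logs, previous)
        previous = (dkey, store[dkey])
        digests.append(dkey)
    return store, digests[::-1]


def scenario_intact():
    store, order = make_bucket()
    return validate_chain(store, order)


def scenario_expired_digest():
    """A lifecycle expiration removed the newest digest (the case in question 50)."""
    store, order = make_bucket()
    del store[order[0]]
    return validate_chain(store, order)


def scenario_deleted_log():
    """Someone deleted one log file but left the digests in place."""
    store, order = make_bucket()
    del store[f"{LOG_PREFIX}11-0.json"]
    return validate_chain(store, order)


if __name__ == "__main__":
    for name, fn in (("intact", scenario_intact), ("expired digest", scenario_expired_digest),
                     ("deleted log", scenario_deleted_log)):
        print(name, "->", fn() or "OK")
```

Note the asymmetry the two failure scenarios show: a deleted log file is pinpointed by the digest that lists it, while a deleted digest leaves a gap that can only be reported, not verified, which is why the digests need the same retention and deletion protection as the logs themselves.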

51
MCQmedium

A DevOps engineer needs to grant cross-account access to an S3 bucket in Account A for users in Account B. The users in Account B must be able to list objects and read them. What is the most secure way to configure this access?

A.Create a bucket policy in Account A that grants access to the IAM user ARNs from Account B.
B.Create a KMS key in Account A and share it with Account B to decrypt objects.
C.Create a bucket policy in Account A granting access to the root user of Account B, and create an IAM policy in Account B allowing the users to access the bucket.
D.Create an IAM role in Account A with trust policy allowing Account B to assume it, and attach a policy granting S3 access.
AnswerC

This is the standard cross-account S3 access pattern.

Why this answer

Option C is correct because cross-account access needs two grants: a bucket policy in Account A that trusts Account B (its root principal, or specific role ARNs) for s3:ListBucket and s3:GetObject, and an IAM policy in Account B that permits its users to call those actions on the bucket. Neither half alone is enough. Option A is wrong because a bucket policy naming individual user ARNs in Account B still requires matching IAM permissions in Account B, and it ties the policy to user identities that break if a user is deleted and recreated. Option D is wrong only in the sense the question intends: a role in Account A that Account B may assume is a valid and common pattern, but the users must switch roles to use it, whereas the question asks for Account B users to reach the bucket with their own identities.

Option B is wrong because a KMS key grant is needed only if the objects are SSE-KMS encrypted; it is part of decryption, not of access control to the bucket.

52
MCQeasy

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which AWS service can automatically manage the encryption keys with minimal configuration?

A.SSE-C
B.SSE-KMS
C.SSE-S3
D.Client-side encryption
AnswerC

SSE-S3 automatically manages encryption keys with no additional configuration.

Why this answer

SSE-S3 (Server-Side Encryption with S3-Managed Keys) is the correct answer because it requires minimal configuration: you simply enable it on the bucket or object, and AWS fully manages the encryption keys, including rotation and protection, without any additional setup or key management overhead.

Exam trap

The trap here is that candidates often confuse SSE-S3 with SSE-KMS, assuming that any key management service (KMS) is required for automated encryption, but SSE-S3 provides fully automated key management with even less configuration than SSE-KMS.

How to eliminate wrong answers

Option A (SSE-C) is wrong because it requires you to provide and manage your own encryption keys, which adds configuration complexity and does not automate key management. Option B (SSE-KMS) is wrong because while it automates key management, it requires you to create and configure a KMS key, set IAM policies, and optionally manage key rotation, which is more configuration than SSE-S3. Option D (Client-side encryption) is wrong because it requires you to encrypt data before uploading to S3, meaning you must manage keys and encryption logic entirely on the client side, which is the opposite of minimal configuration.

53
Multi-Selecteasy

A company wants to protect its AWS account credentials. Which TWO practices are recommended by AWS? (Choose TWO.)

Select 2 answers
A.Generate and share access keys for all users.
B.Store IAM user passwords in a shared document.
C.Enable multi-factor authentication (MFA) for privileged users.
D.Use the root user for daily administrative tasks.
E.Use IAM roles for applications that require AWS access.
AnswersC, E

Adds security.

Why this answer

Option C is correct because MFA adds a second factor for privileged users. Option E is correct because applications should obtain temporary credentials through IAM roles rather than stored keys. Option D is wrong because the root user should be used only for the few tasks that require it and otherwise locked away with MFA.

Option A is wrong because access keys should be issued only where a principal genuinely needs programmatic access, never shared, and rotated regularly. Option B is wrong because sharing passwords in a document is insecure.

54
MCQeasy

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to achieve this?

A.Store the access keys in AWS Secrets Manager and enable automatic rotation.
B.Use AWS CloudTrail to detect old keys and send notifications to administrators.
C.Use IAM's built-in access key rotation feature.
D.Use AWS Config with a custom Lambda function to rotate keys when they are older than 90 days.
AnswerD

AWS Config can evaluate IAM user access keys against an age threshold (the managed rule access-keys-rotated takes a maxAccessKeyAge parameter) and trigger remediation, typically a Lambda function or a Systems Manager Automation runbook, for keys older than 90 days. This is a common pattern for key rotation.

Why this answer

IAM has no built-in automatic rotation for access keys; the console only reports key age. AWS Config can evaluate keys with the managed rule access-keys-rotated (maxAccessKeyAge set to 90) and trigger a custom Lambda function or an automation runbook that creates a new key, distributes it, then deactivates and finally deletes the old one. Secrets Manager can hold IAM access keys and run a custom rotation Lambda, but it has no native rotation for them, and the durable fix is usually to replace the keys with IAM roles.

Option C is wrong because IAM has no automatic rotation feature. Option A is wrong because Secrets Manager does not natively rotate IAM access keys. Option B is wrong because CloudTrail logs API activity; it does not track key age or rotate anything, and a notification still leaves a person to do the rotation.

55
Multi-Selecteasy

Which TWO AWS services can be used to manage secrets and database credentials securely? (Choose TWO.)

Select 2 answers
A.AWS CloudFormation
B.AWS Secrets Manager
C.Amazon S3
D.AWS Identity and Access Management (IAM)
E.AWS Systems Manager Parameter Store
AnswersB, E

Manages secrets with rotation.

Why this answer

AWS Secrets Manager is purpose-built for securely storing, rotating, and managing secrets such as database credentials, API keys, and other sensitive data. It provides built-in integration with Amazon RDS, Redshift, and DocumentDB to automatically rotate credentials on a schedule, eliminating the need for manual updates. AWS Systems Manager Parameter Store is the second correct choice: its SecureString parameters are encrypted with KMS and access-controlled with IAM, which is sufficient for credentials that are rotated by another process.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secure strings) with a full secrets management solution, but Parameter Store lacks native automatic rotation and is better suited for configuration data rather than database credentials that require scheduled rotation.

56
MCQmedium

A DevOps team is deploying a web application on EC2 behind an Application Load Balancer. They need to encrypt traffic between the ALB and the EC2 instances. Which action should they take?

A.Configure the ALB to use HTTPS with a certificate and the target group to use HTTPS.
B.Configure security group to allow only HTTPS.
C.Install a certificate on the ALB and use HTTP.
D.Enable encryption in transit on the ALB.
AnswerA

Encrypts traffic from ALB to instances.

Why this answer

Option A is correct because the ALB terminates the client's HTTPS session at the listener and opens a new TLS connection to each target when the target group protocol is HTTPS; the instances must present a certificate (a self-signed one is accepted, since the ALB does not validate it). Option D is wrong because there is no single "encryption in transit" switch on an ALB; it is the combination of listener and target group protocol. Option C is wrong because a certificate on the ALB with an HTTP target group only encrypts the client side and leaves the backend hop in plaintext.

Option B is wrong because a security group allowing only port 443 controls which ports are reachable; it does not encrypt anything, and the instance must still be listening with TLS.

57
MCQeasy

A company is using AWS KMS to encrypt data at rest for S3 objects. The security team wants to rotate the KMS key annually. Which action should the team take to implement automatic key rotation?

A.Enable automatic key rotation when creating the KMS key
B.Create a new key manually each year and update the S3 bucket policy
C.Use AWS Certificate Manager (ACM) to rotate the KMS key
D.Use an AWS managed key, which rotates automatically every year
AnswerA

Automatic rotation can be enabled at creation and will rotate yearly.

Why this answer

Option A is correct because automatic rotation is a property of a customer managed key: it can be switched on at creation or later with EnableKeyRotation, after which KMS generates new backing key material on the configured schedule (yearly by default) while retaining every earlier version, so existing ciphertexts remain decryptable without re-encryption and the key ID, ARN and aliases never change. Automatic rotation applies only to symmetric keys whose material KMS generated; asymmetric keys and keys with imported material must be rotated manually by creating a new key and repointing the alias.

Option B is wrong because creating a new key by hand every year is manual rotation, and because the new key has a different ARN, every reference to the old one (the bucket's default-encryption setting, any bucket policy that pins a key ID, application code) has to be updated. Option C is wrong because ACM issues and renews TLS certificates; it has no role in KMS key management. Option D is wrong because an AWS managed key such as aws/s3 does rotate on AWS's schedule, but the customer cannot configure its rotation, edit its key policy or use it across accounts, so it does not give the team control over rotation of their own key.

58
Multi-Selecteasy

Which TWO AWS services can be used to manage and rotate database credentials automatically? (Select TWO.)

Select 2 answers
A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.AWS CloudFormation
D.AWS KMS
E.AWS IAM
AnswersA, B

Can store secrets and with custom Lambda can rotate.

Why this answer

Option B is correct because Secrets Manager provides built-in rotation for Amazon RDS, Redshift and DocumentDB credentials and accepts a custom rotation Lambda function for anything else. Option A is correct because Parameter Store SecureString parameters can hold database credentials and a custom Lambda on an EventBridge schedule can rotate them, although nothing is built in. Secrets Manager is the primary service for automatic rotation.

Option D is wrong because KMS rotates encryption key material, not the secrets that material protects. Option E is wrong because IAM manages identities and permissions, not database credentials. Option C is wrong because CloudFormation provisions resources; it can reference a secret through a dynamic reference but does not rotate it.

59
MCQmedium

A DevOps engineer receives an alert that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What is the first step the engineer should take to isolate the instance?

A.Create a snapshot of the instance's root volume
B.Detach the instance from the Auto Scaling group and remove it from the load balancer
C.Create an AMI of the instance for analysis
D.Terminate the instance immediately
AnswerB

Isolates the instance by stopping traffic and decoupling from ASG.

Why this answer

Option B is correct because detaching the instance from the Auto Scaling group and deregistering it from the load balancer stops new traffic and, just as important, stops the group from terminating the instance when it fails a health check, which would destroy the evidence. In practice, detach without decrementing the desired capacity so the group launches a clean replacement, enable termination protection on the suspect instance, and swap its security groups for an isolation group that allows no inbound traffic and only the outbound access the forensic tooling needs. Snapshotting the volumes and capturing memory come once the instance can no longer reach anything.

Option D is wrong because terminating the instance destroys volatile evidence and, with the default delete-on-termination setting, the root volume as well. Option A is wrong because a snapshot preserves disk state but leaves the instance serving traffic and talking to the attacker. Option C is wrong because creating an AMI is likewise a preservation step, not isolation, and by default it reboots the instance, losing memory contents.

60
MCQeasy

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with AWS Key Management Service (SSE-KMS) and enforce that all new objects are encrypted. Which bucket policy statement should be added?

A.{"Effect":"Deny","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:ServerSideEncryption":"awskms"}}}
B.{"Effect":"Deny","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/1234-5678-9012"}}}
C.{"Effect":"Deny","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/1234-5678-9012"}}}
D.{"Effect":"Deny","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}}
AnswerC

Correctly denies PutObject if the KMS key ID does not match.

Why this answer

Option C is correct because s3:x-amz-server-side-encryption-aws-kms-key-id is the condition key S3 populates from the request's key-id header, so the Deny fires whenever an upload names any key other than the required one. To enforce SSE-KMS itself, pair it with a second Deny on the s3:x-amz-server-side-encryption key with the value aws:kms; because StringNotEquals also matches when the context key is absent, that statement refuses uploads that send no encryption header at all. The condition only ever sees request headers, so clients that rely on the bucket's default encryption and send nothing are denied too; either make every client send the headers or enforce through default encryption instead.

Option A is wrong because s3:ServerSideEncryption is not a condition key and awskms is not the value S3 uses. Option D is wrong because requiring AES256 enforces SSE-S3, the opposite of the requirement. Option B is printed identically to option C on this page and cannot be distinguished from it; the answer key marks C.

61
Multi-Selectmedium

A security engineer is designing a secure VPC architecture for a web application. The application must be isolated from the internet and only accessible through a load balancer. Which TWO actions should the engineer take?

Select 2 answers
A.Place the EC2 instances in a private subnet with no internet gateway attachment.
B.Attach an Internet Gateway to the VPC and route the private subnet to it.
C.Configure a network ACL on the private subnet to allow inbound traffic on all ephemeral ports.
D.Configure the security group for the EC2 instances to allow traffic only from the ALB's security group.
E.Set up an AWS Direct Connect connection for the instances to access the internet.
AnswersA, D

Private subnets prevent direct internet access to instances.

Why this answer

Option A is correct because placing the EC2 instances in a private subnet, one whose route table has no route to an Internet Gateway, leaves them with no direct path to or from the internet, so the load balancer in the public subnets is the only entry point. The VPC as a whole still needs an Internet Gateway for the ALB's subnets; a NAT gateway can be added later for outbound-only access such as patching without changing the isolation. Option D is correct because naming the ALB's security group as the source in the instance security group means only the load balancer can reach the instances, even from elsewhere inside the VPC, and the rule keeps working as the ALB's addresses change.

Exam trap

The trap here is that candidates take Option C, opening all ephemeral ports inbound on the network ACL, for a step required by traffic from the ALB. Security groups are stateful, so a single rule allowing the ALB's security group as the source covers both the request and the response; network ACLs are stateless and would need explicit inbound and outbound rules, and opening every ephemeral port inbound widens exposure without contributing anything to isolation.

62
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic to the ALB must be encrypted (HTTPS) and that the ALB must only accept traffic from CloudFront. The DevOps engineer has configured CloudFront with an origin pointing to the ALB, and the ALB has a listener on port 443 with a valid SSL certificate. The engineer also added a security group rule to the ALB that allows HTTPS traffic only from CloudFront's IP ranges. However, users are reporting intermittent 503 errors. The engineer checks CloudFront logs and sees that some requests are failing with 'Origin Connect Error'. What is the most likely cause?

A.The ALB has a Web Application Firewall (WAF) that is blocking requests from CloudFront.
B.The security group rule is using an outdated list of CloudFront IP ranges, and CloudFront has added new IP ranges that are being blocked.
C.The SSL certificate on the ALB is not trusted by CloudFront, causing handshake failures.
D.The ALB idle timeout is set too low, causing CloudFront to close connections prematurely.
AnswerB

CloudFront IP ranges change; using a static list is unreliable.

Why this answer

CloudFront connects to origins from a large and changing set of addresses, so a security group built from a snapshot of ip-ranges.json drifts out of date. Requests that CloudFront sends from an address published after the snapshot are dropped at the security group, CloudFront logs an origin connect error for them and returns a 503, while requests from older addresses succeed; that is exactly the intermittent pattern described, so Option B is correct.

The supported fix is to reference the AWS-managed prefix list for CloudFront origin-facing servers (com.amazonaws.global.cloudfront.origin-facing) in the ALB security group, which AWS keeps current, and to have CloudFront add a custom origin header whose value is checked by an ALB listener rule or an AWS WAF rule, so that a client that discovers the ALB's DNS name cannot bypass CloudFront. The prefix list counts as dozens of rules against the default quota of 60 inbound rules per security group, so give it a dedicated security group. Option C is wrong because a certificate CloudFront does not trust fails the TLS handshake on every request, not intermittently. Option D is wrong because an idle-timeout mismatch surfaces as timeouts on slow responses rather than failed connections. Option A is wrong because AWS WAF blocks with a 403, not a 503.
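To make the drift concrete, the following Python is an added example written for this page, not AWS code. It extracts the CLOUDFRONT_ORIGIN_FACING prefixes (the subset CloudFront connects to origins from) out of a constructed document in the shape of ip-ranges.json, using RFC 5737 documentation ranges rather than real CloudFront addresses, compares them with a security group's existing CIDR rules, and shows why a connection from a newly published prefix is refused. The security group contents are made up for the example.

```python
import ipaddress
import json

# Constructed document in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are RFC 5737 documentation ranges, not real CloudFront addresses;
# CLOUDFRONT_ORIGIN_FACING is the service name AWS uses for the subset that
# connects to origins.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1717243200",
    "createDate": "2024-06-01-12-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING",
         "network_border_group": "GLOBAL"},
        # Published after the security group below was built.
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING",
         "network_border_group": "GLOBAL"},
        # Edge-facing only: never a source address for origin traffic.
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
    ],
})

# Inbound HTTPS sources currently on the ALB security group (constructed):
# one prefix that is still current and one that AWS has since withdrawn.
STALE_SECURITY_GROUP = ["203.0.113.0/25", "192.0.2.0/24"]


def origin_facing_prefixes(ip_ranges_json):
    """Prefixes CloudFront connects to origins from, de-duplicated and sorted."""
    doc = json.loads(ip_ranges_json)
    prefixes = {p["ip_prefix"] for p in doc["prefixes"]
                if p["service"] == "CLOUDFRONT_ORIGIN_FACING"}
    return sorted(prefixes, key=lambda p: (ipaddress.ip_network(p).version,
                                           ipaddress.ip_network(p)))


def _covers(cidr, prefix):
    """True when the security group rule `cidr` contains the published `prefix`."""
    rule, published = ipaddress.ip_network(cidr), ipaddress.ip_network(prefix)
    return rule.version == published.version and published.subnet_of(rule)


def security_group_drift(sg_cidrs, published_prefixes):
    """Return (missing, stale): published prefixes no rule covers, and rules covering nothing current."""
    missing = [p for p in published_prefixes if not any(_covers(c, p) for c in sg_cidrs)]
    stale = [c for c in sg_cidrs if not any(_covers(c, p) for p in published_prefixes)]
    return missing, stale


def connection_allowed(source_ip, sg_cidrs):
    """Would the security group admit a connection from this source address?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in sg_cidrs
               if ipaddress.ip_network(c).version == ip.version)


if __name__ == "__main__":
    current = origin_facing_prefixes(SAMPLE_IP_RANGES)
    missing, stale = security_group_drift(STALE_SECURITY_GROUP, current)
    print("missing:", missing, "stale:", stale)
    # CloudFront picks a source address from the new prefix: refused at the
    # security group, logged by CloudFront as an origin connect error, 503 to the user.
    print(connection_allowed("203.0.113.200", STALE_SECURITY_GROUP))
```

A drift check like this is only a diagnostic; the fix is to stop maintaining the list at all by referencing the managed prefix list, and to add the custom-header check so the security group is not the only thing standing between the internet and the ALB.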

63
MCQeasy

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally enforce that S3 buckets in all accounts block public access. Which policy should be attached to the root organizational unit to achieve this?

A.Configure a bucket policy on each S3 bucket to deny public access.
B.Create an AWS Config rule to mark noncompliant buckets.
C.Attach an IAM policy to the root user of each account.
D.Attach a service control policy (SCP) to the root organizational unit.
AnswerD

SCPs can deny actions that make S3 buckets public across all accounts in the organization.

Why this answer

Option D is correct because an SCP attached to the organization root applies to every member account, including their root users, and sets the ceiling on what any principal in those accounts can do. The usual pattern is to turn on S3 Block Public Access at the account level in each account and then attach an SCP that denies s3:PutAccountPublicAccessBlock (and s3:PutBucketPublicAccessBlock) so that nobody can switch it back off. SCPs never apply to the management account, so its buckets need separate controls.

Option C is wrong because IAM policies are scoped to one account and cannot be attached to the root user at all. Option B is wrong because a Config rule detects a noncompliant bucket after the change and can trigger remediation, but does not prevent it. Option A is wrong because a bucket policy is per bucket and per account and cannot be enforced centrally.

64
Multi-Selectmedium

Which TWO actions are effective ways to protect an AWS account root user? (Choose 2)

Select 2 answers
A.Use a strong, complex password and change it every 90 days.
B.Use the root user for everyday administrative tasks.
C.Enable multi-factor authentication (MFA) on the root user.
D.Rotate the root user password every 30 days.
E.Delete or disable the root user access keys.
AnswersC, E

MFA adds an extra layer of security.

Why this answer

Options C and E are correct. MFA means a stolen or guessed password alone cannot sign in as root, and removing the root user's access keys removes the one credential that could be used programmatically without ever touching the console; the root user almost never needs access keys. Option A is wrong because a strong password is good hygiene but on its own is still a single factor, and a fixed 90-day change schedule is not what protects the account. Option B is wrong because everyday use of root multiplies the chances of exposing it; daily work belongs to IAM roles or Identity Center users with the permissions they need.

Option D is wrong for the same reason as A: rotating the password on a schedule does not close the gap that MFA and the absence of access keys close.

65
MCQhard

A company has an AWS Lambda function that processes sensitive data. The function needs to access an RDS database with credentials stored in Secrets Manager. What is the MOST secure way to grant the Lambda function access to the secret?

A.Use AWS KMS to encrypt the credentials and pass them as parameters.
B.Attach an IAM role to the Lambda function with permissions to read the secret and retrieve it at runtime.
C.Store the credentials directly in the Lambda function's environment variables.
D.Use Lambda environment variables with encryption enabled.
AnswerB

Securely grants access without embedding secrets.

Why this answer

Option B is correct because the function receives short-lived credentials for its execution role automatically, so no secret is embedded anywhere. The role should allow secretsmanager:GetSecretValue on that one secret's ARN (plus kms:Decrypt on the key if the secret is encrypted with a customer managed key), and the function fetches and caches the value at runtime, for example through the Secrets Manager Lambda extension, so that rotation takes effect without a redeploy. Option C is wrong because plaintext environment variables are returned to anyone who can call GetFunctionConfiguration and tend to end up in deployment templates and logs. Option A is wrong because passing KMS-encrypted credentials as parameters still routes the secret through every caller and gives the function kms:Decrypt rights; it is more complex and no more secure than reading from Secrets Manager.

Option D is wrong because Lambda encrypts environment variables at rest only: with the default key they are returned in plaintext by GetFunctionConfiguration, and even with client-side encryption helpers the secret still lives in the function configuration and must be updated by hand every time it is rotated.

66
MCQeasy

The AWS Config rule 's3-bucket-ssl-requests-only' returns NON_COMPLIANT for the bucket 'my-bucket'. What does this mean?

A.The bucket's policy does not deny requests that are not using SSL.
B.The bucket is publicly accessible.
C.The bucket does not have server access logging enabled.
D.The bucket does not have default encryption enabled.
AnswerA

Correct interpretation of the rule.

Why this answer

Option A is correct because the rule inspects the bucket policy for a Deny statement conditioned on aws:SecureTransport being false; NON_COMPLIANT means no such statement exists, so requests over plain HTTP are not refused. The fix is a bucket-policy statement that denies s3:* on the bucket and its objects when aws:SecureTransport is false. Option D is wrong because default encryption is checked by a different rule (s3-bucket-server-side-encryption-enabled). Option C is wrong because the rule concerns transport security, not logging.

Option B is wrong because public access is covered by the s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited rules, not this one.

67
MCQeasy

A company wants to centralize audit logs from multiple AWS accounts into a single S3 bucket. The logs must be encrypted at rest using a KMS key. Which solution is the MOST secure and scalable?

A.Create an IAM role in each account and manually copy logs to a central bucket
B.Configure each account's CloudTrail to send logs to a central S3 bucket with a bucket policy that grants cross-account permissions
C.Use Amazon Kinesis Data Firehose to stream logs to S3
D.Use AWS Config rules to aggregate logs into a central bucket
AnswerB

This is the standard approach; CloudTrail can deliver to a central bucket, and KMS encryption can be applied.

Why this answer

Option B is correct because CloudTrail delivers directly to S3, so each account's trail (or a single organization trail created in the management account, which covers every member account automatically) can write to one bucket whose policy lets the cloudtrail.amazonaws.com service principal put objects. The bucket uses SSE-KMS, and the key policy must let the same service principal generate data keys, ideally restricted with aws:SourceArn to the trails concerned. Option A is wrong because manual copying does not scale and depends on people remembering to do it. Option C is wrong because Kinesis Data Firehose is a streaming transport, not an audit log source; it adds a component without collecting the trail. Option D is wrong because AWS Config records configuration changes and compliance, not API audit logs, and its aggregator collects Config data rather than CloudTrail events.

68
MCQeasy

A DevOps engineer needs to store secrets such as database passwords for a serverless application. Which AWS service is most appropriate?

A.Amazon DynamoDB with encryption
B.Amazon S3 with server-side encryption
C.AWS Systems Manager Parameter Store (SecureString)
D.AWS Secrets Manager
AnswerD

Designed for secrets with rotation and fine-grained access.

Why this answer

Option D is correct because Secrets Manager is purpose-built for secrets: values are encrypted with KMS, access is controlled per secret through IAM and resource policies, every retrieval is recorded in CloudTrail, and rotation is automatic. Option C is wrong because a SecureString parameter is encrypted and access-controlled too, but rotation has to be built yourself; it suits configuration that is not a credential. Option B is wrong because S3 is object storage; server-side encryption does not give it secret-specific retrieval controls or rotation.

Option A is wrong because DynamoDB is a database; encryption at rest does not make it a secrets store.

69
MCQmedium

Refer to the exhibit. A CloudTrail trail named ManagementTrail is configured as shown. Which events will be logged?

A.Only read management events.
B.Only write management events.
C.Only S3 data events.
D.All management events for the account.
AnswerD

ReadWriteType: All and IncludeManagementEvents: true logs all management events.

Why this answer

The exhibit's event selector sets IncludeManagementEvents to true and ReadWriteType to All, which is also what the console applies by default when a trail is created, so both read and write management events for the account are logged. Only an event selector with ReadWriteType set to ReadOnly or WriteOnly would narrow that, and none is shown.

Exam trap

AWS often tests the misconception that a trail named 'ManagementTrail' only logs management events of a specific type (read or write), but the default behavior is to log all management events unless an explicit event selector is configured to filter them.

How to eliminate wrong answers

Option A is wrong because logging only read management events would require an event selector with ReadWriteType set to ReadOnly, which is not shown in the exhibit. Option B is wrong because logging only write management events would require ReadWriteType set to WriteOnly, which is not shown either. Option C is wrong because S3 data events are a separate category from management events; they are off by default and must be enabled explicitly through data event selectors, and the exhibit shows no such configuration.

70
MCQhard

A company uses Amazon Inspector to scan EC2 instances for vulnerabilities. The security team discovers that a critical vulnerability is present on an instance, but the instance is part of an Auto Scaling group. What is the MOST efficient way to remediate this vulnerability while ensuring the Auto Scaling group remains operational?

A.Patch the instance manually via SSH, then create a new AMI from it and update the launch configuration.
B.Detach the instance from the Auto Scaling group, patch it, and reattach it.
C.Use AWS Systems Manager Patch Manager to patch the instance and then set the instance to not receive future updates.
D.Create a new AMI with the patch, update the Auto Scaling group's launch template, and terminate instances one by one to trigger replacement.
AnswerD

This ensures all new instances are patched with minimal disruption.

Why this answer

Option D is correct because the Auto Scaling group launches every new instance from the AMI in its launch template, so the fix has to land in the image: build a patched AMI, create a new launch template version that uses it, and replace the running fleet. Rather than terminating instances by hand, start an instance refresh on the group, which performs the rolling replacement while honouring the minimum healthy percentage. Option A is wrong because it combines the slow manual path with launch configurations, which are the legacy mechanism; a new launch template version is the current one. Option C is wrong because Patch Manager fixes the running instance but not the AMI, so every scale-out event brings the vulnerability back, and suppressing future updates makes that worse.

Option B is wrong because detaching and patching one instance leaves the rest of the group, and every future instance, vulnerable.

71
Multi-Selectmedium

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Select 2 answers
A.Use the root user for daily administrative tasks
B.Create access keys for the root user to use with CLI
C.Create an IAM user with administrator access and use that instead
D.Enable multi-factor authentication (MFA) for the root user
E.Delete the root user after creating an IAM admin user
AnswersC, D

Avoid using root user for daily tasks.

Why this answer

Options C and D are correct: daily work should be done by an IAM user (or, better, an Identity Center user or role) with only the permissions it needs, and the root user should be protected with MFA and used solely for the few tasks that require it. Option A is wrong because routine use of root exposes the most powerful credential in the account. Option B is wrong because root access keys are long-lived credentials with unrestricted power and should not exist. Option E is wrong because the root user cannot be deleted; it can only be locked down.

72
MCQhard

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from the S3 bucket 'example-bucket' from an IP address of 10.1.2.3. What will happen?

A.The request is denied because the policy does not include a Deny statement.
B.The request is denied because the policy does not explicitly allow the action.
C.The result depends on the bucket policy.
D.The request is allowed because the condition matches the IP address.
AnswerD

The IP 10.1.2.3 is within the 10.0.0.0/8 CIDR range.

Why this answer

Option D is correct because the policy allows s3:GetObject only when the aws:SourceIp condition matches, and 10.1.2.3 falls inside 10.0.0.0/8, so the Allow applies. Option A is wrong because a Deny statement is never needed for a request to succeed; IAM denies by default and a matching Allow is what grants access. Option B is wrong because the policy does explicitly allow the action once the condition is met.

Option C is wrong for this question, which shows no bucket policy: for a principal in the same account an identity-policy Allow is sufficient on its own, although an explicit Deny in a bucket policy would override it if one existed. In real deployments aws:SourceIp is the public address AWS sees (for traffic through a NAT gateway, the NAT's address) and it is absent for requests that arrive through a VPC endpoint, where aws:VpcSourceIp must be used instead; a private 10.x.x.x match like this one is an exam simplification.
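The policy mechanics behind questions 60, 66 and 72 can be checked offline with a small model of IAM evaluation. The following Python is an added example written for this page, not AWS code or an official simulator: it implements only the decision order (an explicit Deny in any applicable policy wins, otherwise an Allow, otherwise implicit deny) and the handful of condition operators these questions use, including the AWS rule that negated operators such as StringNotEquals match when the context key is absent. The bucket policy is the SSE-KMS policy of question 60 and the aws:SecureTransport policy of question 66 written out in full, with the placeholder key ARN from question 60; the uploader's identity policy is constructed; the IP-restricted identity policy is an assumed reconstruction of question 72's exhibit, which the page does not print. Principals are ignored.

```python
import fnmatch
import ipaddress

# Placeholder key ARN copied from question 60's options.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234-5678-9012"

# Bucket policy combining question 60 (SSE-KMS with one specific key) and
# question 66 (refuse plain HTTP). Principal is "*" because a bucket policy is
# resource-based; this model does not evaluate principals.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnlessSseKms", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed identity policy for the principal doing the uploads in question 60.
UPLOADER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Assumed reconstruction of question 72's exhibit (not printed on the page).
IP_RESTRICTED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    """Evaluate one operator/key pair against the request context."""
    actual = ctx.get(key)
    values = _as_list(expected)
    negated = operator in ("StringNotEquals", "NotIpAddress")
    if actual is None:
        # IAM rule: a missing context key fails positive operators and satisfies
        # negated ones, which is why StringNotEquals also catches uploads that
        # send no encryption header at all.
        return negated
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    if operator == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v) for v in values
                  if ipaddress.ip_network(v).version == ip.version)
        return hit != negated
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    """True when action, resource and every condition in the statement match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policies, action, resource, ctx):
    """Decide one request across all applicable policies.

    Returns "ExplicitDeny" if any matching statement denies, "Allow" if none
    denies and at least one allows, otherwise "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # any matching Deny ends evaluation
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket/report.csv"
    compliant = {"aws:SecureTransport": "true",
                 "s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}
    print(evaluate([UPLOADER_IDENTITY_POLICY, BUCKET_POLICY], "s3:PutObject", obj, compliant))
    print(evaluate([UPLOADER_IDENTITY_POLICY, BUCKET_POLICY], "s3:PutObject", obj,
                   {"aws:SecureTransport": "true"}))  # no header: StringNotEquals matches
    print(evaluate([IP_RESTRICTED_IDENTITY_POLICY], "s3:GetObject",
                   "arn:aws:s3:::example-bucket/data.bin", {"aws:SourceIp": "10.1.2.3"}))
```

Two things the model makes visible that the questions only state: an upload with no encryption header is denied by the first statement because the missing key satisfies StringNotEquals, and a request from outside 10.0.0.0/8 in question 72 ends in implicit deny without any Deny statement being present, which is why option A of that question is backwards. In this model a condition key that S3 never populates (such as option A's s3:ServerSideEncryption in question 60) is absent from every request, so a StringNotEquals on it would deny every upload, compliant or not. For real policies, test with the IAM policy simulator or a PutObject against a scratch bucket rather than relying on a reimplementation.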

73
MCQeasy

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the destination account is 222222222222. Which policy should be attached to the S3 bucket?

A.Attach an IAM policy to the user in account 111111111111 allowing s3:GetObject.
B.Set the bucket ACL to grant full control to account 222222222222.
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
AnswerC

Bucket policy grants cross-account access to objects.

Why this answer

Option C is correct because a bucket policy is a resource-based policy that can name principals in another account; this one grants s3:GetObject on the bucket's objects to account 222222222222. Cross-account access needs both halves: the bucket policy grants the destination account, and an identity policy in account 222222222222 grants the same action to the role or user that will actually read. Naming the account root delegates to the whole account; in practice narrow the Principal to the specific role ARN. With S3 Object Ownership set to bucket owner enforced (the default for new buckets since April 2023), the bucket owner owns every object, so the grant covers objects written by any principal.

Exam trap

The trap here is that candidates often confuse which account's ARN to use in the Principal field, mistakenly using the source account (111111111111) instead of the destination account (222222222222), or they incorrectly assume an IAM policy in the source account can grant cross-account access.

How to eliminate wrong answers

Option A is wrong because an IAM policy attached to a user in the source account (111111111111) only grants permissions to that user within the source account; it cannot grant anything to principals in the destination account. Option B is wrong because ACLs are a legacy mechanism: with the bucket owner enforced setting for S3 Object Ownership (the default for new buckets since April 2023) ACLs are disabled altogether, and even where they are still enabled, FULL_CONTROL for an entire account is far broader than the read access required. Option D is wrong because it names the source account (111111111111) as the principal, which only grants access to the source account itself, not to the destination account (222222222222).

74
MCQhard

A company is using AWS CodePipeline to deploy a web application across multiple AWS accounts using CloudFormation stack sets. The pipeline is in the tools account, and it deploys to production account. The security team requires that all CloudFormation changes to production account be reviewed and approved by a senior engineer. Which approach meets this requirement?

A.Use AWS CloudTrail to monitor deployments and send notifications for review.
B.Configure an IAM policy that denies CloudFormation actions in the production account except for a specific role used by the senior engineer.
C.Add a manual approval step in the CodePipeline before the CloudFormation deployment stage.
D.Use a service control policy (SCP) to prevent CloudFormation changes from the tools account.
AnswerC

This allows a designated approver to review the deployment and approve or reject it before the stack set update is executed.

Why this answer

Option C is correct because a manual approval action placed before the deployment stage halts the pipeline until a principal with permission to approve that action does so; the approval can notify an SNS topic, carry a review URL, and is recorded in CloudTrail with the approver's identity. Option A is wrong because CloudTrail records actions after they happen; it cannot hold a deployment for review. Option B is wrong because denying CloudFormation actions to everything except the senior engineer's role would also block the pipeline's own deployment role and turn every deployment into manual work.

Option D is wrong because an SCP is a preventive guardrail that would stop the tools account deploying at all; it has no notion of an approval workflow.

75
MCQmedium

A security audit reveals that an IAM user has long-term access keys that have not been rotated in over 90 days. What is the most secure way to enforce key rotation?

A.Use an AWS Lambda function to automatically rotate keys.
B.Manually rotate keys every 90 days.
C.Use IAM roles instead of long-term access keys.
D.Delete the user and create a new one.
AnswerC

IAM roles provide temporary credentials that do not require rotation.

Why this answer

Option C is correct because the most secure way to remove the risk of long-term access key compromise is to stop using them. IAM roles provide temporary credentials through AWS Security Token Service (STS) that expire (one hour by default, up to the role's maximum session duration of twelve hours) and are refreshed transparently by the AWS SDKs and CLI, so there is nothing to rotate. Workloads on EC2, Lambda and ECS assume roles natively; people should sign in through IAM Identity Center, and workloads outside AWS can use IAM Roles Anywhere. For detection, the IAM credential report and the AWS Config managed rule access-keys-rotated flag keys that have aged past the limit. This aligns with the AWS Well-Architected Framework's guidance to rely on temporary credentials.

Exam trap

The trap here is that candidates focus on 'rotation' as a process (automated or manual) rather than recognizing that the most secure solution is to eliminate the need for rotation entirely by using IAM roles with temporary credentials.

How to eliminate wrong answers

Option A is wrong because while a Lambda function can automate key rotation, it still relies on long-term access keys (the user still exists with keys that must be rotated), and implementing such a solution introduces complexity, potential security gaps (e.g., Lambda execution role permissions), and does not eliminate the fundamental risk of long-term credentials. Option B is wrong because manual rotation every 90 days is error-prone, relies on human compliance, and does not address the underlying security issue that long-term keys can be exfiltrated and used for extended periods before detection. Option D is wrong because deleting and recreating the user does not solve the problem—the new user would still have long-term access keys that require rotation, and this approach disrupts workflows without addressing the root cause.
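The audit finding in this question is normally produced from the IAM credential report. The following Python is an added example written for this page, not an AWS tool: it runs the 90-day check over a constructed report in the same column layout (real reports contain more columns, which the code ignores because it reads by column name), and also flags keys that have never been used and any access key on the root user, since in those cases the remedy is deletion rather than rotation. The account ID, user names, timestamps and the report time are made up.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the real report has more columns; only the ones read below are kept).
SAMPLE_REPORT = """\
user,arn,user_creation_time,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-03-02T09:30:00+00:00,false,true,2021-03-02T09:30:00+00:00,2024-05-30T11:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-11-01T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,N/A,true,2024-05-20T10:00:00+00:00,2024-05-29T08:00:00+00:00
"""

# Time the report was generated (assumed); a real run uses the report's GeneratedTime.
REPORT_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _when(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_access_keys(report_csv, now, max_age_days=90):
    """Return one finding per active access key that violates the policy.

    A key is reported if it is older than max_age_days, if it has never been
    used (a dead credential that should simply be deleted), or if it belongs to
    the root user (which should not have access keys at all).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{slot}_last_rotated"])
            last_used = _when(row[f"access_key_{slot}_last_used_date"])
            age_days = (now - rotated).days if rotated else None
            reasons = []
            if row["user"] == "<root_account>":
                reasons.append("root user access key")
            if age_days is not None and age_days > max_age_days:
                reasons.append(f"older than {max_age_days} days")
            if last_used is None:
                reasons.append("never used")
            if reasons:
                findings.append({
                    "user": row["user"],
                    "key": slot,
                    "age_days": age_days,
                    "last_used_days": (now - last_used).days if last_used else None,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in stale_access_keys(SAMPLE_REPORT, REPORT_TIME):
        print(finding)
```

The deploy-bot finding is the typical case the question describes: a key created years ago and still used daily by automation. Rotating it on a schedule keeps the finding coming back; moving the job onto a role (an instance profile, a Lambda execution role, or an OIDC-federated role for an external CI system) makes it disappear. The alice finding is the other common outcome of a report review, a key that was issued and never used and can be deleted outright.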
