Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)
SSE encrypts data at rest.
A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?
Correct: CloudTrail can use a customer-managed KMS key for encryption.
Why this answer
Option B is correct because CloudTrail supports SSE-KMS with a customer-managed key. Option A is wrong because SSE-S3 uses S3-managed keys. Option C is wrong because SSE-C requires customer-provided keys, which is not supported by CloudTrail.
Option D is wrong because CloudTrail does not support client-side encryption.
Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?
GetObject alone may not be sufficient if the user needs to list first.
Why this answer
Option B is correct. The policy's 'aws:SourceIp' condition does not behave as expected for every S3 request: S3 evaluates 'aws:SourceIp' only when the request is authenticated via IAM, so it does not apply to anonymous requests. The more common issue, however, is that the policy grants only s3:GetObject and not s3:ListBucket, which is required to list the bucket before the download. Option A is wrong because the IP 10.0.0.5 is within the allowed range.
Option C is wrong because the bucket exists. Option D is wrong because the policy allows GetObject.
A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?
Denies only VPC creation and modification, allowing use of existing VPCs.
Why this answer
Option B is correct because an SCP with a Deny effect on ec2:CreateVpc and the VPC modification action (ec2:ModifyVpcAttribute), while leaving all other actions allowed, meets the requirement. Option A would block all EC2 actions. Option C denies only CreateVpc but not the modification action.
Option D is too permissive.
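An SCP of the kind Option B describes, written out as an added example that is not part of the original question bank; the action names are the real EC2 API actions, everything else follows the question:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVpcCreateAndModify",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpcTenancy"
      ],
      "Resource": "*"
    }
  ]
}
```

This is a deny-list SCP: it assumes the default FullAWSAccess SCP stays attached to the root so that every other action, including launching instances into existing VPCs, remains allowed.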
A company uses a centralized AWS KMS customer master key (CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the CMK can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?
The key policy must explicitly allow the external accounts (or their IAM roles) to use the key. Then, the member accounts can delegate that permission to their roles via IAM policies.
Why this answer
To allow cross-account use of a KMS CMK, you must add a key policy that grants the necessary permissions to the IAM roles in the member accounts. The key policy should include a statement that allows the root user of the member accounts to delegate permissions, and then the member accounts must create IAM policies that grant their roles access. Option A is wrong because the key policy must explicitly allow the member accounts.
Option B is wrong because IAM policies in the member account alone are not sufficient without a key policy allowing the account. Option C is wrong because SCPs cannot grant permissions; they only deny.
Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?
The event name is CreateKey and the resource is a KMS key.
Why this answer
Option B is correct because the event is CreateKey, and the resource is a KMS key. Option A is wrong because the event is not a key deletion. Option C is wrong because the event is not an encryption operation.
Option D is wrong because the event is not a key rotation.
A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?
If the bucket policy requires the encryption header, and CloudTrail does not send it (since bucket has default encryption), the request is denied.
Why this answer
If the bucket's default encryption is SSE-S3, CloudTrail can write without issue. However, if the bucket policy denies writes that do not include encryption headers, but CloudTrail does not include them by default, then logs will be denied. The missing logs suggest a policy conflict.
Option A is the most direct cause; CloudTrail may not include the required encryption headers if the bucket policy requires them.
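A central-bucket policy of the kind the answer calls for, as an added example that is not from the original question. It grants CloudTrail the two calls it needs, scopes them with AWS:SourceArn to the expected trails, and deliberately omits the usual `"Null": {"s3:x-amz-server-side-encryption": "true"}` deny statement, which is the one that rejects CloudTrail's writes when the header is absent; with default encryption on the bucket that statement is unnecessary. The last statement also illustrates the aws:SecureTransport condition discussed in a later question. Account IDs 111111111111 and 222222222222, the region and the trail name are placeholders; the real policy lists one Resource path and one trail ARN per member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-bucket",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": [
            "arn:aws:cloudtrail:us-east-1:111111111111:trail/account-trail",
            "arn:aws:cloudtrail:us-east-1:222222222222:trail/account-trail"
          ]
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::central-bucket/AWSLogs/111111111111/*",
        "arn:aws:s3:::central-bucket/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "AWS:SourceArn": [
            "arn:aws:cloudtrail:us-east-1:111111111111:trail/account-trail",
            "arn:aws:cloudtrail:us-east-1:222222222222:trail/account-trail"
          ]
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::central-bucket",
        "arn:aws:s3:::central-bucket/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
```

CloudTrail delivers over HTTPS, so the transport deny does not affect log delivery, whereas a deny keyed on a missing encryption header would.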
A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)
AWS Config can detect and auto-remediate.
Why this answer
AWS Config managed rules (e.g., s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited) can automatically detect noncompliant S3 buckets. Combined with AWS Config auto-remediation using Systems Manager Automation documents, the team can enforce encryption and block public access without manual intervention, ensuring all current and future buckets remain compliant.
Exam trap
The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive or corrective controls (like AWS Config auto-remediation or SCPs), leading them to select Option A instead of the automated enforcement mechanisms that actually fix noncompliant buckets.
A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?
The role needs permissions to use the KMS key for encrypting S3 objects.
Why this answer
Even if the S3 bucket has default encryption, the Lambda function needs kms:GenerateDataKey permission (or kms:Encrypt) in its IAM role to encrypt objects when writing. The key policy allows the role, but the role's permissions policy must also include the necessary KMS actions. The error indicates that the role lacks the appropriate KMS action.
A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?
Fixes both Lambda permission and bucket access.
Why this answer
Option D is correct because the Lambda function needs an IAM role with permission to call s3:PutBucketPolicy, and the bucket policy should allow the EC2 instance role to read. Option A is wrong because adding an inline policy to the Lambda role is necessary but does not by itself address the bucket policy. Option B is wrong because using the instance profile directly for a custom resource is not typical.
Option C is wrong because the Lambda function itself needs permissions, not the EC2 instance.
A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?
Encrypts data at rest, automated backups, and snapshots.
Why this answer
Option D is correct because enabling encryption on the RDS instance encrypts the data, automated backups, and snapshots. Option A is wrong because encrypting the storage separately is not sufficient; RDS encryption is needed. Option B is wrong because snapshot encryption does not encrypt the live database.
Option C is wrong because RDS does not support S3 bucket policy for encryption.
A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?
Preventive and scalable.
Why this answer
Option C is correct because a service control policy (SCP) can deny the creation of S3 buckets without the 'BlockPublicAccess' settings. This applies to all accounts in the organization. Option A is wrong because AWS Config is reactive, not preventive.
Option B is wrong because it requires configuring each account individually. Option D is wrong because CloudTrail is for auditing, not prevention.
A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?
SCP prevents non-compliant creation, Config detects existing violations.
Why this answer
Option A is correct because it combines preventive and detective controls. An SCP can deny the s3:PutBucketEncryption action unless the bucket is configured with KMS encryption, which prevents non-compliant buckets from being created or modified. AWS Config rules then detect any existing non-compliant buckets or changes that bypass the SCP, providing continuous compliance monitoring.
Exam trap
The trap here is that candidates often confuse object-level encryption (s3:PutObject) with bucket-level default encryption (s3:PutBucketEncryption), and fail to realize that an SCP is needed for preventive enforcement, not just detective or reactive controls.
How to eliminate wrong answers
Option B is wrong because it only controls s3:PutObject, which enforces encryption at the object level but does not prevent creation of unencrypted buckets or enforce bucket-level default encryption settings. Option C is wrong because relying solely on CloudTrail alerts provides only detective control after the fact, with no preventive enforcement to block non-compliant bucket creation. Option D is wrong because AWS Config rules with automatic remediation are reactive and may have a delay, whereas a preventive SCP is needed to block non-compliant actions in real time.
A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a KMS CMK. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?
Even if IAM policy allows, key policy must also allow.
Why this answer
To decrypt environment variables, Lambda calls kms:Decrypt on the key; kms:GenerateDataKey is not needed for decryption. The execution role must hold kms:Decrypt on the specific key ARN or alias.
The key policy grants the account root user full access, but that does not automatically extend to IAM roles: a role can use the key only if the key policy grants it, so the statement or condition for the role is most likely missing. Option A is correct.
Option B is about VPC configuration and is not relevant. Option C describes a disabled key, which would produce a different error. Option D concerns the function code, but the error is an access denial.
A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?
The CreateTable API does not support tagging at creation. The SCP condition fails because the tag is not present in the request.
Why this answer
Option C is correct because the `CreateTable` API in DynamoDB does not accept tags as part of the request parameters when creating a table. Tags can only be added after the table is created using the `TagResource` API or the `aws dynamodb tag-resource` CLI command. Since the SCP uses `aws:RequestTag` to require the tag on the initial request, and the `CreateTable` call cannot include tags, the request is denied regardless of whether the developer intended to include the tag.
Exam trap
The trap here is that candidates assume all AWS resource creation APIs support inline tagging, but DynamoDB's `CreateTable` does not, leading to a false belief that including the tag in the CLI command would satisfy the SCP condition.
How to eliminate wrong answers
Option A is wrong because SCPs do not require an explicit allow statement in IAM policies to override a deny; SCPs act as a boundary that cannot be overridden by any IAM policy within the account. Option B is wrong because the issue is not about the IAM role lacking permission to tag resources; the SCP denies the CreateTable action itself because the request cannot include the required tag, not because the role lacks tagging permissions. Option D is wrong because the SCP is applied to the development account via AWS Organizations, and the error occurs, confirming the SCP is in effect; being in a different OU does not prevent SCP application if the SCP is attached to the root or the OU containing the account.
A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?
ECR can automatically scan images on push.
Why this answer
Amazon ECR image scanning is the correct service because it is a native feature of Amazon ECR that automatically scans Docker images for software vulnerabilities (CVEs) when they are pushed to the repository. This scanning uses the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project and can be configured to trigger on push, making it the ideal choice for integrating vulnerability scanning directly into a CI/CD pipeline before deployment.
Exam trap
The trap here is that candidates confuse Amazon Inspector (which scans running containers for runtime vulnerabilities) with ECR image scanning (which scans the image at rest in the registry), leading them to select Inspector instead of the correct ECR-native feature.
How to eliminate wrong answers
Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like GuardDuty, Inspector, and Macie) but does not perform its own image vulnerability scanning. Option B is wrong because Amazon Inspector is designed for host-level vulnerability scanning of EC2 instances and container workloads running on ECS/EKS, not for scanning container images stored in ECR. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against compliance rules (e.g., ensuring ECR repositories are private), not for scanning images for software vulnerabilities.
A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?
If the application makes requests over HTTP, they will not satisfy the aws:SecureTransport condition and will be denied by the bucket policy.
Why this answer
The bucket policy requires TLS, meaning all requests must be made over HTTPS. If the application is using HTTP instead of HTTPS, the request will be denied. The AWS SDK by default uses HTTPS for S3 endpoints, but if the endpoint URL is explicitly set to HTTP or if the SDK configuration is changed, it could cause the issue.
Option A is wrong because the bucket policy does not require specific cipher suites. Option B is wrong because IAM roles can access S3 if they have the right permissions. Option C is wrong because VPC endpoints do not affect the TLS requirement.
Option D is correct: if the application is using HTTP, it violates the bucket policy condition.
Given the above AWS CLI command output, which actions are allowed for the specified policy?
The policy allows ec2:Describe* and s3:GetObject, so only those are allowed.
Why this answer
The simulate-custom-policy command tests the specified policy against the given actions and resources. For ec2:DescribeInstances, the action is allowed (ec2:Describe* covers it). For s3:GetObject, the action is allowed.
For s3:ListBucket, the action is not allowed because the policy only allows s3:GetObject, not s3:ListBucket. So two actions are allowed. Option A is correct.
A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?
CloudTrail records API calls for auditing.
Why this answer
Option B is correct because CloudTrail logs all API calls, including those from CodePipeline. Option A is wrong because VPC Flow Logs log network traffic, not deployment actions. Option C is wrong because CloudWatch Logs logs application logs, not API calls.
Option D is wrong because S3 access logs log requests to S3, not pipeline actions.
A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?
CloudTrail data events log all S3 object-level operations centrally.
Why this answer
Using AWS CloudTrail with data events for S3 provides detailed logging. Option B is wrong because S3 server access logs require enabling per bucket and storing in another bucket, which is less scalable. Option C is wrong because Config rules detect but don't log access.
Option D is wrong because VPC Flow Logs only capture network traffic, not S3 API calls.
A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?
AWS WAF integrates with ALB and can block IPs via IP sets.
Why this answer
Option D is correct because AWS WAF integrated with ALB can block malicious IPs at the application layer. Option A is wrong because security groups are stateful and can only allow/deny by IP/CIDR, but managing large lists is cumbersome. Option B is wrong because NACLs are stateless and not suitable for fine-grained IP blocking at the application layer.
Option C is wrong because Network Firewall is for VPC-level inspection, not specifically for ALB.
A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?
Secrets Manager supports automatic rotation and encryption with KMS.
Why this answer
AWS Secrets Manager provides built-in automatic rotation and encryption using AWS KMS. Option A is correct. Option B is wrong because Parameter Store does not support automatic rotation natively.
Option C is wrong because manual rotation increases overhead. Option D is wrong because storing in environment variables is insecure and does not rotate.
An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?
IAM roles provide temporary credentials and follow least privilege.
Why this answer
The best practice is to create an IAM role with a policy that grants only the required S3 actions and attach the role to the EC2 instance. This avoids using long-term credentials. Access keys are long-term and insecure.
A bucket policy can be used but is not the most secure option for instance access. A security group controls network access, not API access.
A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)
Creates digest files to verify log integrity.
Why this answer
Options A and D are correct. Enabling log file validation allows CloudTrail to create a digest file for integrity verification. Enabling S3 Object Lock prevents logs from being deleted or overwritten.
Option B: SSE-S3 provides encryption but not tamper-proofing. Option C: CloudWatch Logs does not provide file integrity. Option E: KMS encryption is for encryption, not integrity.
A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?
SCPs can deny actions across all accounts in an organization.
Why this answer
Option B is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts within an organizational unit (OU). By attaching an SCP that denies cloudwatch:Put* and cloudwatch:Delete* actions to the root OU, you ensure that no IAM user or role in any account can modify or delete CloudWatch Logs configurations, regardless of any IAM policies attached directly to users or roles. This approach provides a guardrail that cannot be overridden by account administrators.
Exam trap
The trap here is that candidates often confuse detective controls (like CloudTrail or Config rules) with preventive controls (like SCPs), or mistakenly believe that an IAM policy applied to all users is sufficient, ignoring that IAM roles and account-level administrators can bypass such policies.
How to eliminate wrong answers
Option A is wrong because AWS Config rules can detect and alert on non-compliant changes but cannot automatically revert changes to CloudWatch Logs; they only evaluate configuration against desired policies and can trigger remediation actions via Systems Manager Automation, but this is not a preventive control. Option C is wrong because an IAM policy applied to all IAM users does not prevent changes made by IAM roles or by users in other accounts, and it can be overridden by an account administrator who has full control over IAM policies within their own account. Option D is wrong because AWS CloudTrail only provides logging and monitoring of API calls; it does not prevent changes from occurring, only alerts after the fact.
A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?
This follows the principle of least privilege and uses temporary credentials.
Why this answer
Creating an IAM role with the required policy and attaching it to the Lambda function is the best practice. Option A is correct. Option B is wrong because attaching policies to Lambda functions directly is not supported.
Option C is wrong because hardcoding credentials is insecure. Option D is wrong because using the Lambda function's ARN as a principal in a resource-based policy is for cross-account access, not for the same account.
A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?
The IAM role provides temporary credentials via the instance metadata service.
Why this answer
Option D is correct because attaching an IAM role to an EC2 instance allows the instance to obtain temporary security credentials from the AWS STS service via the instance metadata service (IMDS). The EC2 instance can then use these credentials to access the S3 bucket without any long-term AWS credentials being stored on the instance. This is the AWS-recommended best practice for granting permissions to AWS services running on EC2.
Exam trap
The trap here is that candidates may think storing credentials in user data or application code is acceptable, but the DOP-C02 exam specifically tests the principle of using IAM roles to avoid long-term credential storage on EC2 instances.
How to eliminate wrong answers
Option A is wrong because an S3 bucket policy that grants access based on an EC2 instance's public IP is not a secure or reliable method; public IPs can change (unless using an Elastic IP) and do not authenticate the identity of the requester, making it vulnerable to spoofing and not a substitute for AWS credentials. Option B is wrong because storing access keys in the EC2 user data script exposes long-term credentials in plaintext within the instance's metadata and logs, violating the requirement to avoid storing credentials on the instance. Option C is wrong because embedding IAM user credentials in application code stores long-term access keys directly on the instance, which is insecure and contradicts the principle of using temporary credentials via IAM roles.
Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)
Default encryption ensures that all objects stored in the bucket are encrypted at rest.
Why this answer
Enabling default encryption, blocking public access, and enabling versioning are key security measures. Option A is wrong because bucket policies are used for access control, not for encryption. Option D is wrong because server access logs are for auditing, not protection.
Option E is wrong because cross-region replication is for disaster recovery, not security.
A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?
This rewrites history to completely remove the file from every commit, effectively purging the keys.
Why this answer
git filter-branch can rewrite history to remove the file from every commit. AWS also recommends the AWS CLI's git-secrets or the CodeCommit console's 'delete repository' option, but the most secure and straightforward approach here is to purge the file with git filter-branch and then force-push. Because the keys were already committed and pushed, they should also be treated as exposed and rotated; rewriting history does not revoke them.
Option A is wrong because simply reverting the commit leaves the keys in history. Option B is wrong because deleting the file and committing does not remove history. Option D is wrong because AWS does not provide a built-in command to remove a file from history.
A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using AWS KMS with Customer Master Keys (CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?
KMS key policies must explicitly grant access to IAM roles.
Why this answer
Downloading an object encrypted with SSE-KMS requires kms:Decrypt on the key. kms:GenerateDataKey is needed only when uploading, kms:Encrypt and kms:ReEncrypt* are not used by a GetObject, and kms:DescribeKey is not required either.
The role already has kms:Decrypt in its IAM policy and still receives AccessDenied, so the most likely cause is that the KMS key policy does not grant the role permission to use the key: the key policy must allow the IAM role (or its account) before the role's IAM permissions take effect.
Option A is correct. Option B is for writing. Option C is not needed.
Option D is for management.
A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?
Alerts on rotation failures help maintain security.
Why this answer
Option A is correct because the Lambda rotation function needs permissions to read and update the secret. Option C is correct because using a separate user for rotation allows the old credentials to remain valid during rotation. Option E is correct because CloudWatch alarms can detect rotation failures.
Option B is wrong because the rotation function should have network access to the database, but using a VPC endpoint is not required; the function can be in a VPC. Option D is wrong because disabling rotation for old secrets would break the rotation process.
A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?
This ensures both sides support encryption in transit.
Why this answer
Option D is correct because ElastiCache Redis supports encryption in transit using TLS, which must be enabled at cluster creation. Option A is wrong because VPC peering does not encrypt traffic. Option B is wrong because NACLs do not encrypt.
Option C is wrong because the application must use TLS, but the cluster must also be configured to support it.
An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?
Both policies are needed for cross-account access.
Why this answer
Cross-account access requires both a bucket policy in Account A granting access to the user in Account B and an IAM user policy in Account B allowing the user to access the bucket. Option A is wrong because a bucket policy alone is insufficient. Option C is wrong because an IAM policy alone is insufficient.
Option D is wrong because ACLs are legacy and not recommended.
A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?
HTTPS ensures encryption between ALB and instances.
Why this answer
To enforce encryption in transit, the ALB target group should use the HTTPS protocol, which requires the instances to present a certificate. Option A is wrong because HTTP does not encrypt traffic. Option B is wrong because TLS termination should be at the ALB, not re-encrypted.
Option D is wrong because security groups do not enforce encryption.
A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?
Caching the secret prevents the application from using the new password.
Why this answer
Option B is correct because if the application caches the secret, it will not pick up the new password after rotation, leading to connection errors. Option A is incorrect because RDS automatic password rotation is not a feature; Secrets Manager handles rotation. Option C is incorrect because KMS permissions are needed to decrypt the secret, but if the application could access the secret initially, it likely has permissions.
Option D is incorrect because Lambda function concurrency is unlikely to cause connection errors; it would affect the rotation process itself.
A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?
Amazon Inspector can scan for software vulnerabilities and is integrated with CodePipeline.
Why this answer
Amazon Inspector can be integrated as a test action in CodePipeline to scan for vulnerabilities. GuardDuty is a threat detection service, not a scanning tool for code or containers. Config evaluates resource configurations.
Trusted Advisor provides best practice checks, not vulnerability scanning.
A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?
KMS key policies can use conditions based on SAML attributes to control decryption.
Why this answer
Option B is correct because KMS key policies can use the `kms:ViaService` or `kms:CallerPrincipal` conditions, but more importantly, they can reference SAML-based attributes using the `aws:PrincipalTag` or `saml:sub` conditions. By adding a condition in the KMS key policy that checks for a specific SAML assertion attribute (e.g., `saml:sub` or a custom SAML attribute mapped to an IAM role session tag), only users whose SAML assertion includes that attribute will be allowed to call `kms:Decrypt`. This directly enforces the security team's requirement at the key level, independent of S3 bucket policies or IAM policies.
Exam trap
The trap here is that candidates often confuse S3 bucket policies with KMS key policies, thinking they can control KMS decryption via S3 policies, when in reality KMS key policies are the only way to enforce conditions on the `kms:Decrypt` action at the key level.
How to eliminate wrong answers
Option A is wrong because S3 bucket policies cannot deny `kms:Decrypt`; KMS API calls are governed by KMS key policies and IAM policies, not S3 resource policies. Option C is wrong because S3 bucket policies control access to S3 operations (e.g., `s3:GetObject`), not KMS decryption permissions; they cannot enforce conditions on the KMS `Decrypt` action itself. Option D is wrong because IAM policies alone cannot enforce conditions based on SAML assertion attributes unless those attributes are first mapped to IAM session tags or roles; the requirement is to control decryption at the KMS key level, and a KMS key policy with a SAML condition is the direct and correct mechanism.
A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?
Higher threshold reduces false positives while still blocking abuse.
Why this answer
Option B is correct because adjusting the rate-based rule threshold to a higher value will allow more legitimate traffic while still blocking excessive requests. Option A: Removing the rule would weaken security. Option C: Swapping to AWS Shield Advanced does not fine-tune rules.
Option D: Count mode only logs matching requests and does not block them, so it does not maintain security.
A key policy for a KMS customer managed key includes the above statement. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?
This condition only allows decryption when the request comes from an AWS service, not from the IAM role directly.
Why this answer
The condition 'kms:GrantIsForAWSResource' restricts the permission to requests that come from AWS services that integrate with KMS, not from direct API calls by the role. Option B is correct. Option A is wrong because the principal is correctly specified.
Option C is wrong because the action is correct. Option D is wrong because the wildcard resource is fine for KMS key policies.
A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?
CloudTrail records API calls.
Why this answer
Option B is correct because CloudTrail logs API calls and can be configured to deliver to S3. Option D is correct because S3 with object lock prevents log tampering. Option A is wrong because CloudWatch Logs is for application logs, not API calls.
Option C is wrong because Config records resource changes, not API calls. Option E is wrong because KMS encrypts but does not provide tamper-proof storage; object lock does.
A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)
KMS cross-account key policies allow encryption across accounts.
Why this answer
Option A uses cross-account roles (correct). Option B uses KMS cross-account key (correct). Option D integrates CodeBuild with Secrets Manager (correct).
Option C (SSM parameter) is possible but Secrets Manager is more appropriate for credentials. Option E (CodeCommit) is not required.
Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?
The Deny applies when SecureTransport is false (HTTP).
Why this answer
The Deny statement with SecureTransport false applies to all s3 actions on the confidential folder. Even though the source IP is allowed, the Deny for HTTP access will override the Allow. The request will be denied.
A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?
The repository's security group must have an inbound rule allowing HTTPS traffic from the security group associated with the CodeBuild project's ENI.
Why this answer
The private PyPI repository is in the internal network, which is likely accessible via a VPC. However, if the repository's security group does not allow inbound traffic from the CodeBuild security group, the connection will be blocked. The CodeBuild project's outbound rules are correct, but the repository side needs to allow inbound.
Option A is wrong because the subnet must have a route to the internal network, which is usually via a VPC peering or VPN. Option C is wrong because if the subnet has a NAT gateway, the traffic would go to the internet, not to the internal network. Option D is wrong because a VPC endpoint is for AWS services, not for on-premises resources.
A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?
HTTPS listener with ACM certificate provides encryption in transit.
Why this answer
Option C is correct because the Application Load Balancer supports SSL/TLS termination using certificates from AWS Certificate Manager, enabling HTTPS encryption. Option A is wrong because CodePipeline does not encrypt traffic at the ALB level. Option B is wrong because AWS WAF is a web application firewall, not for encryption.
Option D is wrong because CloudFront can handle HTTPS, but adding it changes the architecture unnecessarily and may break the pipeline if not properly configured.
Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?
The condition kms:ViaService limits decrypt to requests from S3 in us-east-1.
Why this answer
The policy allows the CrossAccountRole to call kms:Decrypt only when the request comes through S3 in us-east-1. Option D is correct.
Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?
Explicit Deny blocks the request.
Why this answer
The Deny statement explicitly denies all S3 actions if the IP is not in the allowed range. Since the user is outside, the Deny applies, overriding the Allow. Option A is wrong because the Deny blocks access.
Option B is wrong because the Deny is explicit. Option C is wrong because the policy is not malformed.
A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?
Why this answer
A NAT gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound connections. Option C is correct. Option A is wrong because an internet gateway alone does not provide outbound-only access for private instances.
Option B is wrong because a bastion host only provides SSH/RDP access, not general internet access. Option D is wrong because a VPN connection does not provide direct internet access.
Given the above IAM policy, which action is permitted?
The policy allows lambda:InvokeFunction on that specific ARN.
Why this answer
The policy explicitly allows the lambda:InvokeFunction action on the specified function ARN. Option A is correct. It does not allow other Lambda actions (B), S3 actions (C), or EC2 actions (D).
A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?
Secrets Manager offers automatic rotation for RDS databases and provides fine-grained access control via IAM.
Why this answer
AWS Secrets Manager provides the ability to store secrets and automatically rotate them for RDS databases. It also integrates with Lambda via the Secrets Manager API to retrieve secrets at runtime. Option A is wrong because Parameter Store can store secrets but does not support automatic rotation for RDS.
Option B is wrong because KMS is for encryption keys, not secret storage. Option D is wrong because IAM roles cannot store credentials; they provide permissions.
Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)
This automatically encrypts all new EBS volumes.
Why this answer
Enabling EBS encryption by default at the account level ensures all new volumes are encrypted. You can also encrypt volumes when creating them via the console or CLI. You cannot encrypt an existing volume directly; you must create a snapshot, copy it with encryption, and create a new volume.
Attaching a volume does not encrypt it.
A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?
A valid certificate trusted by the ALB will allow the TLS handshake to succeed.
Why this answer
The ALB health check expects a valid certificate from the target. Self-signed certificates cause health checks to fail unless the ALB is configured to ignore certificate verification. The ALB can be configured to verify or skip verification.
To fix this, the engineer can either configure the target group to use HTTP for health checks (while keeping HTTPS for data traffic) or configure the target group to use HTTPS with a certificate that the ALB trusts (e.g., from ACM). HTTP health checks are the simplest option, and health checks can be over HTTP even when the data traffic uses HTTPS, but the requirement is to maintain encryption.
Alternatively, the engineer can install a certificate from ACM on the instances, which is more complex. Because HTTP health checks are not encrypted and the question requires encryption to be maintained, the best answer is to install a trusted certificate (e.g., from ACM) on the instances.
A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?
Lowest cost for long-term archival.
Why this answer
S3 Glacier Deep Archive is the lowest-cost storage class for long-term retention of data that is accessed rarely. Option A (S3 Standard) is expensive for long-term. Option B (S3 Intelligent-Tiering) may move data but has monitoring costs.
Option D (S3 One Zone-IA) is not for long-term durability.
A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?
ALB natively supports SAML IdP for user authentication.
Why this answer
ALB can authenticate users using SAML IdP. Option B is wrong because Cognito is for user pools, not direct SAML integration with ALB. Option C is wrong because CloudFront with Lambda@Edge adds complexity.
Option D is wrong because the application itself would need to handle SAML, adding overhead.
A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. What should be done? (Choose TWO.)
This condition restricts use of the key to requests coming through the VPC endpoint.
Why this answer
Options B and C are correct. A VPC endpoint for KMS allows private connectivity. A key policy with a condition for the VPC endpoint restricts usage.
Option A is wrong because SCPs cannot restrict KMS key usage. Option D is wrong because bucket policies cannot restrict KMS key usage. Option E is wrong because security groups do not apply to KMS.
A DevOps team is designing a solution to encrypt data at rest for an Amazon RDS for MySQL database. Which TWO actions should the team take? (Choose TWO.)
KMS keys are used for RDS encryption.
Why this answer
Option A is correct: enable encryption at rest when creating the RDS instance. Option C is correct: use AWS KMS to manage the encryption key. Option B is wrong: encryption cannot be enabled on an unencrypted RDS instance after creation.
Option D is wrong: S3 is not used for RDS encryption. Option E is wrong: SSL/TLS is for encryption in transit, not at rest.
A security audit reveals that an S3 bucket contains objects that are not encrypted. The bucket is configured with default encryption using SSE-S3. What is the most likely reason that objects are unencrypted?
Default encryption does not encrypt existing objects.
Why this answer
Default encryption applies only to newly uploaded objects that do not have encryption settings. If objects were uploaded before default encryption was enabled, or if the PUT request explicitly specified no encryption, they may remain unencrypted. Option A is wrong because SSE-S3 does not require KMS.
Option B is wrong because default encryption applies to new objects. Option D is wrong because SSE-C is not relevant.
A company has an Amazon RDS for MySQL database that stores sensitive data. The security team requires encryption at rest and in transit. Which combination of options meets these requirements?
Why this answer
Encryption at rest is enabled by enabling RDS encryption. Encryption in transit is achieved by using SSL/TLS connections. Option A is correct.
Option B (AWS KMS with client-side encryption) would encrypt data before sending but does not use RDS encryption. Option C (VPC peering) does not encrypt. Option D (AWS Certificate Manager) is for certificates but not directly for RDS encryption.
Which TWO actions can be taken to secure an Amazon S3 bucket that contains confidential data? (Choose TWO.)
Encrypts data at rest.
Why this answer
Correct options: A and D. Option A: Block public access prevents public exposure. Option D: Enable default encryption ensures data is encrypted at rest.
Option B is wrong because versioning helps with recovery, not security. Option C is wrong because cross-region replication is for disaster recovery. Option E is wrong because S3 Transfer Acceleration is for speed, not security.
Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most likely security concern?
Public access granted to all objects.
Why this answer
The bucket policy grants public read access to all objects in my-bucket, which is a security risk. Option A is wrong because the principal is '*', making it public. Option B is wrong because root user is not necessarily malicious but the policy is risky.
Option D is wrong because the policy is applied to the bucket, not the user.
A company is using AWS CodeBuild as part of its CI/CD pipeline. The build projects need to access a private Amazon ECR repository to pull Docker images. What is the MOST secure way to grant CodeBuild access to ECR?
CodeBuild assumes the service role to access ECR.
Why this answer
Option A is correct because CodeBuild can assume an IAM role with ECR permissions, and the role is passed in the build project configuration. Option B is wrong because storing credentials is insecure. Option C is wrong because ECR authorization tokens can be used but require handling credentials.
Option D is wrong because VPC endpoints do not grant access; IAM permissions are still needed.
A DevOps engineer needs to allow an EC2 instance to write logs to CloudWatch Logs. The instance is configured with an instance profile that has the following IAM role attached. Which additional policy is required?
Provides necessary permissions for writing logs.
Why this answer
The instance profile's IAM role must include permissions to create log groups, log streams, and put log events. The `CloudWatchLogsFullAccess` managed policy grants all necessary actions (e.g., `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`) for writing logs from an EC2 instance to CloudWatch Logs. Without this policy, the instance will receive an access denied error when the CloudWatch agent or SDK attempts to send log data.
Exam trap
The trap here is that candidates may assume any 'FullAccess' policy (like S3 or SQS) would work because they think logs are just files, but CloudWatch Logs is a distinct service with its own API and IAM actions, so only CloudWatch Logs-specific policies grant the required permissions.
How to eliminate wrong answers
Option A is wrong because AmazonSQSFullAccess grants permissions to send/receive messages from Amazon SQS queues, which is unrelated to writing logs to CloudWatch Logs. Option B is wrong because AmazonDynamoDBFullAccess provides full access to DynamoDB tables and indexes, not to CloudWatch Logs APIs. Option D is wrong because AmazonS3FullAccess allows read/write to S3 buckets, but CloudWatch Logs uses its own PutLogEvents API, not S3 operations.
A company's security team requires that all API calls to AWS are logged for audit purposes. Which service should be enabled to capture and store these logs?
CloudTrail logs all AWS API calls for auditing.
Why this answer
AWS CloudTrail is the correct service because it is specifically designed to log all API calls made to the AWS environment, including calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. CloudTrail captures the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements, storing this information in a log file that can be delivered to an Amazon S3 bucket for long-term audit storage. This directly meets the security team's requirement to capture and store all API calls for audit purposes.
Exam trap
The trap here is that candidates often confuse CloudWatch Logs with CloudTrail because both involve 'logging', but CloudWatch Logs is for application and system logs (e.g., from EC2 or Lambda), while CloudTrail is exclusively for AWS API call logs, and the question explicitly asks for 'API calls to AWS'.
How to eliminate wrong answers
Option B (Amazon CloudWatch Logs) is wrong because CloudWatch Logs is a service for monitoring, storing, and accessing log files from AWS resources (like EC2 instances, Lambda functions, or custom applications), not for capturing AWS API calls themselves; it can ingest CloudTrail logs as a data source but is not the primary service for API call logging. Option C (AWS Config) is wrong because AWS Config is a service that evaluates and records resource configuration changes and compliance over time, not the API calls that triggered those changes; it provides a configuration history but does not log the API requests. Option D (Amazon VPC Flow Logs) is wrong because VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC (e.g., source/destination IP, ports, protocol), not AWS API calls; it is a network-level logging feature, not an API-level audit trail.
An organization uses AWS Key Management Service (KMS) with customer-managed keys. The security policy requires automatic key rotation every year. A DevOps engineer notices that the key material is not rotating as expected. What is the most likely cause?
Imported keys cannot be rotated automatically.
Why this answer
Option A is correct because automatic key rotation is not supported for imported key material. Option B is wrong because KMS does not charge extra for automatic rotation. Option C is wrong because KMS does not require re-importing for rotation; rotation is simply not available for imported key material.
Option D is wrong because the key state does not prevent rotation.
A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using customer-managed KMS keys. Additionally, any attempt to upload an unencrypted object must be denied. Which S3 bucket policy should be used?
Ensures KMS encryption and denies unencrypted uploads.
Why this answer
Option B is correct because the condition `s3:x-amz-server-side-encryption` = `aws:kms` ensures objects are encrypted with KMS, and the Deny statement with a `Null` condition on `s3:x-amz-server-side-encryption` = `true` blocks unencrypted uploads. Option A is wrong because it allows SSE-S3, not KMS. Option C is wrong because it does not deny unencrypted uploads.
Option D is wrong because it allows any encryption.
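As an added illustration (this is not the exhibit from either exam question), the bucket policy below combines the statements described in this answer and in the earlier `aws:SecureTransport` question: a Deny for uploads that carry no `s3:x-amz-server-side-encryption` header (the `Null` condition), a Deny for uploads whose header is anything other than `aws:kms`, and a Deny for any S3 action over plain HTTP. The bucket name `example-bucket` is a placeholder, and the policy applies to the whole bucket rather than only a `confidential` prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

Two points a practitioner should check before applying a policy like this. First, the `Null` condition inspects the request header, so an upload that omits the header is denied even when the bucket has default SSE-KMS encryption that would have encrypted it anyway; clients must send the header explicitly. Second, every statement is an explicit Deny with `"Principal": "*"`, so it applies to all identities in the account, including the one that attaches the policy, which is what makes it override any Allow in an IAM policy as the SecureTransport question describes.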
A company is migrating to AWS and needs to comply with PCI DSS. They must encrypt all data at rest and in transit. Which THREE services or features should they use?
ELB can terminate TLS, ensuring encryption in transit between clients and load balancer.
Why this answer
Option A is correct because Elastic Load Balancing (ELB) with TLS termination ensures encryption of data in transit between clients and the load balancer, which is a PCI DSS requirement for protecting cardholder data over public networks. By terminating TLS at the ELB, you can offload the cryptographic overhead while maintaining compliance with the encryption-in-transit mandate.
Exam trap
The trap here is that candidates often confuse compliance-related services (like CloudTrail for logging or WAF for security) with encryption-specific services, leading them to select options that are valid for security but do not directly satisfy the encryption-at-rest and encryption-in-transit mandates of PCI DSS.
A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline must scan container images for vulnerabilities before deploying to Amazon ECS. Which service should the engineer use to perform the vulnerability scan?
ECR supports vulnerability scanning for container images.
Why this answer
Option B is correct because Amazon ECR can scan images for vulnerabilities. Option A is wrong because AWS WAF is a web application firewall. Option C is wrong because AWS Config is for compliance and resource inventory.
Option D is wrong because Amazon GuardDuty is a threat detection service for workloads.
A company uses AWS KMS to encrypt data at rest in S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which THREE steps should be taken?
CloudWatch Events can trigger notifications based on KMS key rotation events.
Why this answer
Option A is correct because automatic key rotation is enabled in KMS for symmetric keys. Option B is correct because key rotation rotates the backing key while keeping the same key ID. Option C is correct because a CloudWatch Events rule can notify before rotation.
Option D is wrong because manual rotation creates a new key, which is not automatic. Option E is wrong because S3 bucket policy does not manage key rotation.
A company is deploying a multi-tier application on AWS. The web tier must be publicly accessible, but the application tier must only be accessible from the web tier. The database tier should not be accessible from the internet at all. Which combination of security groups and network ACLs should be used?
This correctly restricts access between tiers.
Why this answer
Security groups are stateful and default to deny all inbound. By allowing inbound on port 80/443 from 0.0.0.0/0 to the web tier, and allowing inbound from the web tier's security group to the app tier, and only allowing inbound from the app tier to the database tier, you achieve the required isolation. Network ACLs are stateless and not needed if security groups are properly configured.
A DevOps engineer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. Which TWO methods can achieve this?
Customer-managed key also works.
Why this answer
Options A and B are correct because enabling encryption at launch is the standard method, and using KMS with a custom key provides customer-managed encryption. Option C is wrong because you cannot enable encryption on an unencrypted DB instance after launch. Option D is wrong because the default RDS encryption uses KMS even with the AWS managed key.
Option E is wrong because client-side encryption is not a feature of RDS; it would need application-level changes.
A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which solution is MOST efficient and scalable? (Choose THREE.)
SCPs can prevent actions that make buckets public.
Why this answer
Options A, C, and E are correct. AWS Config can evaluate rules across accounts. SCPs can prevent public access.
Centralized logging via CloudWatch Events enables automation. Option B is wrong because manual review is not scalable. Option D is wrong because Trusted Advisor is per-account and manual.
A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?
Correctly denies both CreateVpc and ModifyVpc.
Why this answer
Option C is correct because it denies both the ec2:CreateVpc and ec2:ModifyVpc actions, which covers all operations that could create or modify VPCs. A service control policy (SCP) with a Deny effect overrides any Allow permissions, ensuring that no IAM user or role in any account under the root OU can perform these actions, even if attached IAM policies grant them.
Exam trap
The trap here is that candidates often focus on only one action (Create or Modify) and forget that both are needed to fully prevent VPC creation and modification, or they mistakenly think an Allow SCP can restrict access when SCPs are primarily used for Deny boundaries.
How to eliminate wrong answers
Option A is wrong because it only denies ec2:ModifyVpc, leaving the ec2:CreateVpc action unblocked, so users could still create new VPCs. Option B is wrong because it only denies ec2:CreateVpc, leaving ec2:ModifyVpc unblocked, so existing VPCs could still be modified. Option D is wrong because an Allow statement in an SCP does not restrict access; SCPs are used to deny or allow permissions, but an Allow SCP does not override other Deny policies and, more importantly, does not prevent the actions—it would actually permit them, which is the opposite of the security team's requirement.
A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?
CloudWatch Events can match API calls in real time and trigger actions.
Why this answer
Option C is correct because a CloudWatch Events rule can capture the UpdateTrail API call and trigger an SNS notification for immediate alerting. Option A is wrong because Config rules evaluate resource configurations but do not provide real-time notifications. Option B is wrong because GuardDuty focuses on threat detection, not configuration changes.
Option D is wrong because Trusted Advisor provides best-practice checks but not real-time alerts.
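The rule described above, as an added example that is not part of the original page: the event pattern is written in the shape an EventBridge (formerly CloudWatch Events) rule takes, and the matcher is a simplified local re-implementation of the service's exact-value matching so it can be run offline against constructed CloudTrail events. The page names UpdateTrail; StopLogging and DeleteTrail are added here as the other CloudTrail API calls that switch a trail's logging off, and the alert text stands in for what an SNS target would receive.

```python
"""Matching CloudTrail API-call events against an EventBridge-style rule pattern.
Added example (not from the original page); events below are constructed samples.
StopLogging and DeleteTrail are added beside the page's UpdateTrail."""

LOGGING_CHANGE_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["UpdateTrail", "StopLogging", "DeleteTrail"],
    },
}


def event_matches(pattern, event):
    """True when every pattern key is present and its value is one of the listed ones (nested dicts recurse)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def build_alert(event):
    """Subject line the SNS target would carry: which call, on which trail, by whom."""
    detail = event["detail"]
    who = detail.get("userIdentity", {}).get("arn", "unknown principal")
    trail = detail.get("requestParameters", {}).get("name", "unknown trail")
    return f"CloudTrail logging change: {detail['eventName']} on {trail} by {who}"


def triage(events):
    """One alert per event that matches the rule pattern; everything else is ignored."""
    return [build_alert(e) for e in events if event_matches(LOGGING_CHANGE_PATTERN, e)]


def _api_call(source, event_source, event_name, **params):
    """Constructed EventBridge-shaped CloudTrail event (sample principal and account id)."""
    return {"source": source, "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": event_source, "eventName": event_name,
                       "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                       "requestParameters": params}}


SAMPLE_EVENTS = [
    _api_call("aws.cloudtrail", "cloudtrail.amazonaws.com", "StopLogging", name="org-trail"),
    _api_call("aws.cloudtrail", "cloudtrail.amazonaws.com", "DescribeTrails"),
    _api_call("aws.ec2", "ec2.amazonaws.com", "RunInstances"),
    _api_call("aws.cloudtrail", "cloudtrail.amazonaws.com", "UpdateTrail", name="org-trail"),
]
```

Running triage over the samples yields alerts only for StopLogging and UpdateTrail; the read-only DescribeTrails call and the unrelated EC2 event fall through.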
A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?
Enables verification that objects are encrypted with the expected key.
Why this answer
Option C is correct because S3 supports envelope encryption with KMS, and the pipeline can verify the KMS key. Option A is wrong because S3 signed URLs do not verify the origin of the content. Option B is wrong because IAM policies can't enforce encryption on specific keys.
Option D is wrong because CodePipeline does not natively support artifact signing verification.
A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?
Secrets Manager supports automatic rotation via Lambda, including a built-in RDS rotation template.
Why this answer
AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, managing, and automatically rotating database credentials. It provides a built-in RDS rotation Lambda blueprint that can be configured to rotate credentials every 30 days without custom code. This fully managed rotation capability meets the requirement for automatic, scheduled rotation with minimal operational overhead.
Exam trap
The trap here is that candidates often confuse AWS Systems Manager Parameter Store's ability to store secrets (with SecureString) with the automatic rotation capability, but Parameter Store lacks built-in rotation scheduling and requires custom Lambda code, making Secrets Manager the only fully managed solution for automatic credential rotation.
How to eliminate wrong answers
Option B is wrong because AWS Systems Manager Parameter Store does not natively support automatic rotation of credentials; while you can use a Lambda function to rotate them, this requires custom development and lacks the built-in rotation scheduling and integration with RDS that Secrets Manager provides. Option C is wrong because S3 Lifecycle policies are designed for object expiration and transition, not for rotating credential values; they cannot update the content of an object or trigger a credential change. Option D is wrong because IAM roles grant permissions to AWS services, not to databases; while IAM database authentication is supported for RDS (using an auth token), it eliminates the need for static credentials but does not involve rotating stored credentials every 30 days, and the question explicitly requires storing and rotating credentials.
A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?
The task IAM role provides temporary credentials automatically, scoped to the task.
Why this answer
Option D is correct because ECS tasks using the Fargate launch type can assume an IAM role that is specified in the task definition. This IAM role provides temporary credentials via the ECS task metadata endpoint, ensuring that the application never uses long-term credentials and that permissions are scoped precisely to that task. The Security team's requirements are fully met by this approach.
Exam trap
The trap here is that candidates may confuse the IAM role for the EC2 instance (Option C) with the ECS task role, or assume that Secrets Manager (Option B) is acceptable despite it still using long-term credentials, failing to recognize that Fargate tasks require a task-level IAM role for scoped, temporary access.
How to eliminate wrong answers
Option A is wrong because embedding IAM user credentials in the container image violates the requirement to never use long-term credentials and creates a security risk if the image is compromised. Option B is wrong because while Secrets Manager can securely store AWS access keys, those keys are still long-term credentials, which the Security team explicitly prohibits. Option C is wrong because the question specifies Fargate launch type, not EC2; an IAM role for the EC2 instance would not apply to Fargate tasks, and even with EC2 launch type, it would not scope access to the specific ECS task.