CCNA Network Security Governance Questions

75 of 421 questions · Page 3/6 · Network Security Governance topic · Answers revealed

151
MCQ · easy

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for logging and compliance. Which service should be used?

A. Transit Gateway
B. Internet Gateway
C. NAT Gateway
D. VPC Endpoint
Answer: C

A NAT Gateway provides outbound-only internet access for private subnets through a single Elastic IP.

Why this answer

Option C is correct because a NAT Gateway gives instances in private subnets outbound internet access while presenting one Elastic IP to the outside world, which is what a single-IP logging or allow-list requirement needs. Option A is wrong because a Transit Gateway connects VPCs and on-premises networks; it does not perform address translation. Option B is wrong because an Internet Gateway allows inbound and outbound traffic for resources that have public IPs and does not hide private subnets behind one address. Option D is wrong because a VPC Endpoint provides private access to AWS services, not general internet egress.

Note that a NAT Gateway is tied to one Availability Zone. For resilience, deploy one per AZ and route each private subnet to the NAT Gateway in its own AZ; that means a small, fixed set of egress IPs rather than exactly one, which the compliance requirement usually has to accept.

152
MCQ · easy

An IAM policy is attached to a user. What is the effect when the user attempts to launch an EC2 instance of type m5.large?

A. The action is allowed because the policy allows t2.micro instances.
B. The action is allowed because there is no explicit allow for RunInstances.
C. The action is denied because the condition is not met.
D. The action is denied because the instance type does not equal t2.micro.
Answer: D

The policy's Allow for ec2:RunInstances carries a StringEquals condition on ec2:InstanceType with the value t2.micro; for m5.large no Allow applies, so the request falls through to the implicit deny.

Why this answer

The policy itself is not shown here; as the explanation describes it, Option D is correct because the IAM policy allows the `ec2:RunInstances` action only when the condition `ec2:InstanceType` equals `t2.micro`. For an `m5.large` request the condition is not satisfied, so the Allow statement does not apply. With no applicable Allow and no explicit Deny, the default implicit deny takes effect and the launch is refused.

Exam trap

AWS often tests the point that a conditional Allow whose condition fails does not turn into a Deny; it simply does not apply, and the default implicit deny decides the outcome. Candidates may misread that as an explicit denial produced by the condition. The practical difference shows up when other policies are in play: an implicit deny can be overridden by an Allow in another attached policy, whereas an explicit Deny cannot.

How to eliminate wrong answers

Option A is wrong because the policy does not allow all instance types; it only allows `t2.micro`, so launching `m5.large` is not permitted. Option B is wrong because there is an explicit Allow for `RunInstances` in the policy; it is conditional, and when the condition fails the result is the implicit deny, not a missing statement. Option C is wrong because, although the condition is indeed not met, the denial comes from the implicit deny; the failed condition is not itself evaluated as a denial.

153
MCQ · hard

A company has a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The security team requires that all traffic between VPCs must be inspected by a centralized firewall appliance deployed in a security VPC. They have configured a Transit Gateway with a route table that has blackhole routes for all VPC CIDRs except the security VPC, and the security VPC appliance performs inspection and returns traffic to the Transit Gateway. Recently, they added a new VPC for a critical application. After configuration, some traffic from the new VPC to other VPCs is being dropped. The network engineer verifies that the Transit Gateway route table includes a blackhole route for the new VPC's CIDR and that the security VPC's firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

A. The security VPC's network ACLs are blocking return traffic from the firewall appliance back to the Transit Gateway.
B. The new VPC's route table does not have a default route pointing to the Transit Gateway attachment.
C. The Transit Gateway route table propagates the new VPC's CIDR, overriding the static blackhole route.
D. The Transit Gateway route table does not have a static route pointing to the security VPC attachment for the new VPC's CIDR.
Answer: D

The Transit Gateway route tables must carry a route that sends traffic for the new VPC's CIDR to the security VPC attachment so that it reaches the firewall for inspection. Without that route the blackhole entry matches and the traffic is silently dropped.

Why this answer

Option D is correct: in the inspection pattern each spoke attachment's route table sends inter-VPC traffic to the security VPC attachment, and the security VPC's route table holds routes back to every spoke CIDR. Adding a VPC therefore means adding routes in both directions; a blackhole entry for the new CIDR with no corresponding static route toward the inspection attachment explains traffic that is dropped rather than rejected. Option A is contradicted by the stem, which says the firewall side was verified. Option B would stop all traffic from the new VPC, not only some of it. Option C is wrong because a static route takes precedence over a propagated route for the same CIDR, so propagation cannot override the static blackhole.

A caveat on the design as described: within one Transit Gateway route table a given prefix has a single static entry, so a blackhole route and a static route to the security attachment cannot both exist for the same CIDR in the same table. The usual implementation keeps a default route (0.0.0.0/0) to the inspection attachment in the spoke route table, with per-VPC routes (and any blackholes) in the inspection VPC's route table.

154
Multi-Select · medium

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

Select 2 answers
A. Use SSE-S3 (Server-Side Encryption with S3 managed keys).
B. Use SSL/TLS to encrypt data during transfer.
C. Use client-side encryption before uploading objects.
D. Use a VPC endpoint to restrict access to the bucket.
E. Configure a network ACL to block unauthorized access.
Answers: A, C

SSE-S3 and client-side encryption both leave the stored object encrypted.

Why this answer

Options A and C are correct. Server-side encryption with S3 managed keys (SSE-S3) encrypts each object on disk with a key that S3 manages, and client-side encryption, where the customer encrypts data before uploading, protects the object at rest regardless of what S3 does with it. SSE-KMS and SSE-C are the other server-side variants, and since January 2023 new objects are SSE-S3 encrypted by default.

Option B is incorrect because SSL/TLS protects data in transit, not at rest. Option D is incorrect because a VPC endpoint controls the network path to the bucket; it does not encrypt anything. Option E is incorrect because a network ACL filters packets and has no effect on how objects are stored.

155
MCQ · hard

A security engineer is troubleshooting connectivity issues. An EC2 instance cannot access the internet. The instance is in a private subnet with a route table that has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in a public subnet with an Elastic IP. The security group allows all outbound traffic. What is the most likely cause?

A. The network ACL in the public subnet is blocking inbound traffic to the NAT gateway
B. The NAT gateway does not have a security group allowing outbound traffic
C. The internet gateway is not attached to the VPC
D. The route table in the private subnet has no route to the NAT gateway
Answer: A

Network ACLs are stateless, so the public subnet's NACL must explicitly allow the inbound return traffic (from the internet to the NAT gateway on the ephemeral port range 1024-65535) as well as the outbound requests.

Why this answer

Option A is correct because the NAT gateway lives in the public subnet, and a network ACL on that subnet is evaluated for every packet in both directions with no connection tracking. If the inbound rules do not allow responses from the internet to the NAT gateway's address on the ephemeral port range, the outbound connection never completes, even though the private subnet's security group and route table are correct. Option B is wrong because NAT gateways do not have security groups; security groups apply to instances and other ENIs you manage, and the stem already says the instance's group allows all outbound traffic. Option C is wrong because an Internet Gateway is a precondition for any NAT gateway and is assumed attached in a working public subnet. Option D is wrong because the stem states the private subnet's route table already has the 0.0.0.0/0 route to the NAT gateway.

156
MCQ · medium

A company has a VPC with public and private subnets. They have a web application running on EC2 instances in an Auto Scaling group in the public subnets. The application needs to read and write data to an S3 bucket. They want to ensure that traffic to S3 does not traverse the internet. The security team also requires that all traffic to S3 be logged. The current setup uses a NAT Gateway for outbound internet access. However, the NAT Gateway is a single point of failure and costs are high. They want to replace it with a more cost-effective and highly available solution that meets the logging requirement. What should they do?

A. Set up a VPN connection to an on-premises data center and route S3 traffic through the VPN, enabling VPC Flow Logs.
B. Create a Gateway VPC Endpoint for S3, enable VPC Flow Logs, and remove the NAT Gateway after verifying no other outbound internet traffic is needed.
C. Create an Interface VPC Endpoint for S3 in each Availability Zone, enable VPC Flow Logs, and remove the NAT Gateway.
D. Create a Gateway VPC Endpoint for S3, enable VPC Flow Logs, and keep the NAT Gateway for other outbound traffic.
Answer: B

A Gateway Endpoint for S3 has no hourly or data charge and is regional by design; VPC Flow Logs provide network-level logging; removing the NAT Gateway eliminates both its cost and its single point of failure.

Why this answer

Option B is correct. A Gateway VPC Endpoint for S3 is free, highly available within the region without any per-AZ deployment, and keeps S3 traffic on the AWS network, so no NAT Gateway is needed for that traffic. VPC Flow Logs on the instances' network interfaces record the flows to the endpoint's prefix list. Removing the NAT Gateway only after confirming that nothing else needs internet egress is what keeps the change safe.

Option A is wrong because a VPN to an on-premises data center does not give direct access to S3 and adds latency, cost and complexity. Option C is wrong because an Interface Endpoint (PrivateLink) for S3 is billed per hour per AZ plus data processing, which works against the cost goal when the Gateway Endpoint is free. Option D is wrong because keeping the NAT Gateway preserves exactly the cost and single point of failure the company wants to remove.

A practitioner caveat: VPC Flow Logs record addresses, ports, bytes and the accept/reject verdict, not S3 API operations. If "all traffic to S3 must be logged" means request-level logging, add CloudTrail data events or S3 server access logs for the bucket, and attach an endpoint policy so the endpoint can only reach the intended buckets.

157
MCQ · medium

A security engineer is troubleshooting connectivity between an EC2 instance in a private subnet and an S3 bucket. The instance has a VPC gateway endpoint for S3, and the route table has a route to the endpoint. The security group for the instance allows all outbound traffic. However, the instance cannot access the S3 bucket. What is the most likely cause?

A. The security group outbound rule does not allow traffic to the S3 prefix list.
B. The VPC endpoint is not associated with the route table.
C. The route table does not have a route to a NAT gateway.
D. The S3 bucket policy does not allow access from the VPC endpoint.
Answer: A

Gateway endpoints are reached through a prefix-list route; if the instance's security group restricts egress, it must allow outbound traffic to that prefix list.

Why this answer

Option A is the key's choice: traffic to a gateway endpoint is matched by the endpoint's prefix list ID (pl-xxxx), and a security group whose outbound rules are restricted must include a rule whose destination is that prefix list, otherwise the instance cannot reach S3 even though the route exists. Read literally, however, the stem says the security group already allows all outbound traffic, in which case Option A cannot be the cause and the remaining suspects are the endpoint policy, the bucket policy (Option D), or addressing a bucket in another region, which a gateway endpoint does not serve.

Option B is wrong because the stem says the route table already has the endpoint route, which is what association creates. Option C is wrong because S3 is reached through the gateway endpoint, not through a NAT gateway, so no NAT route is needed. Option D is marked wrong by the key, but in practice a bucket policy with an `aws:SourceVpce` or `aws:SourceVpc` condition, or a restrictive endpoint policy, is one of the first things to check when the network path looks correct.

158
MCQ · medium

A company uses AWS Organizations with SCPs to restrict access. The security team notices that users in the 'Developers' account can launch EC2 instances with public IP addresses, even though the SCP denies ec2:AssociateAddress. What is the most likely reason?

A. The SCP was applied to the wrong organizational unit.
B. The users logged in as the root user of the account.
C. The SCP only applies to the root user, not IAM users.
D. The users assumed an IAM role that bypasses the SCP.
Answer: B

The key's reasoning is that root user actions are not restricted by SCPs; see the caveat below, because that statement is not accurate for member accounts.

Why this answer

Option B is the key's answer, on the premise that the root user of the member account is exempt from the SCP. Option A is treated as wrong on the assumption that the SCP was applied to the OU containing the Developers account. Option C is wrong because SCPs apply to every IAM user and role in the member account, not only to root. Option D is wrong because assumed roles are also subject to SCPs; no role inside a member account bypasses them.

Two corrections a practitioner should keep in mind. First, SCPs do apply to the root user of a member account; the exemptions are the management account itself, service-linked roles, and a short list of root-only tasks (such as enabling enterprise support), so "root bypasses SCPs" is an exam myth rather than AWS behaviour. Second, `ec2:AssociateAddress` governs attaching an Elastic IP; an instance launched into a subnet with auto-assign public IPv4 enabled, or with the public IP option set in the launch request, receives a public address without that action ever being called. The realistic reason the users can still launch instances with public IPs is that the SCP denies the wrong action: a Deny on `ec2:RunInstances` conditioned on `ec2:AssociatePublicIpAddress` being true is the control that matches the stated goal. Of the listed options, a mis-scoped SCP (Option A) is the one that would actually produce the symptom.

159
MCQ · hard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. They want to ensure that only traffic from specific on-premises IP ranges is allowed into the production VPC. Which approach should they use?

A. Configure the Direct Connect gateway to only advertise specific prefixes to the Transit Gateway.
B. Deploy AWS Network Firewall in the production VPC and configure stateful rule groups to allow only the on-premises IP ranges.
C. Use Transit Gateway route tables to blackhole traffic from other IP ranges.
D. Create a VPC peering connection between the on-premises network and the production VPC.
Answer: B

AWS Network Firewall, deployed in the production VPC (or in a central inspection VPC behind the Transit Gateway), filters traffic by source and destination with stateful rules before it reaches the production workloads.

Why this answer

Option B is correct. Transit Gateway route tables decide where a packet goes based on its destination; they cannot admit or reject traffic based on its source. Enforcing "only these on-premises ranges may enter the production VPC" needs a filter on the path, and AWS Network Firewall (or a third-party appliance) with a stateful rule group that passes the approved source CIDRs and drops everything else provides exactly that, together with logs of what was dropped. Security groups and network ACLs inside the VPC can implement a similar allow-list per instance or subnet, but the question asks for a control at the Transit Gateway boundary.

Option A is wrong because a Direct Connect gateway's prefix advertisement controls which on-premises prefixes are routable, not which sources are permitted to send; an unadvertised source prefix can still originate packets. Option C is wrong because blackhole routes match destinations, not sources, so they cannot express "drop traffic from these ranges". Option D is wrong because VPC peering connects two VPCs; it cannot connect an on-premises network.

160
MCQ · easy

A company is using AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

A. SQL injection match condition
B. Geographic match rule
C. IP set rule
D. Rate-based rule
Answer: A

AWS WAF includes both a built-in SQL injection match statement and a managed rule group (AWSManagedRulesSQLiRuleSet) for SQL injection detection.

Why this answer

Option A is correct. "SQL injection match condition" is the WAF Classic name; in current AWS WAF the equivalent is the SQLi match statement, which inspects a chosen request component (URI path, query string, headers, body) for injection patterns, and the AWS Managed Rules SQL database rule group packages that detection for a web ACL. Option B is incorrect because geo-match rules act on the request's country of origin. Option C is incorrect because IP set rules act on the source address. Option D is incorrect because rate-based rules count requests per source over a time window and are used for floods and brute-force mitigation, not for content inspection.

161
MCQ · hard

A company runs a multi-tier application on AWS. The web tier consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application tier runs on EC2 instances in a separate Auto Scaling group, and the database tier uses an Amazon RDS MySQL instance. All resources are in the same VPC. The security team has identified that the application tier instances are receiving traffic from unknown IP addresses on port 22 (SSH). The team wants to ensure that only the web tier instances can communicate with the application tier on the application port (8080), and only from a specific security group. Additionally, the database tier should only accept traffic from the application tier on port 3306. Currently, the security groups are configured as follows: Web-SG allows inbound from 0.0.0.0/0 on ports 80 and 443; App-SG allows inbound from 0.0.0.0/0 on port 8080 and from 0.0.0.0/0 on port 22; DB-SG allows inbound from 0.0.0.0/0 on port 3306. The team has also noticed that the web tier instances can be accessed via SSH from the internet. Which course of action should the team take to remediate the security issues?

A. Update Web-SG to allow SSH from a specific management CIDR. Leave App-SG and DB-SG as is because they are not directly accessible from the internet.
B. Remove inbound SSH rules from all security groups and rely on AWS Systems Manager Session Manager for administrative access.
C. Update Web-SG to allow SSH from a specific management CIDR. Update App-SG to allow inbound on port 8080 from Web-SG only, and remove inbound SSH from App-SG (or restrict to management CIDR). Update DB-SG to allow inbound on port 3306 from App-SG only.
D. Use network ACLs on the subnets to restrict traffic between tiers instead of security groups.
Answer: C

This restricts each tier to its expected upstream source by referencing security groups, and removes the open SSH rules.

Why this answer

Option C is correct. Security group rules can name another security group as the source, which is the idiomatic way to express "only the web tier may reach 8080" and "only the application tier may reach 3306": membership follows the instances as the Auto Scaling groups change, so no CIDR needs maintaining. The remediation is therefore: Web-SG allows SSH only from the management CIDR rather than 0.0.0.0/0; App-SG allows 8080 from Web-SG only and drops the 0.0.0.0/0 SSH rule (or restricts it to the management CIDR); DB-SG allows 3306 from App-SG only.

Option A is wrong because it leaves App-SG and DB-SG open to 0.0.0.0/0; the stem's own observation that the application tier is receiving SSH from unknown addresses shows those instances are reachable, so "not directly accessible from the internet" is an assumption, not a fact. Option B is incomplete: moving administrative access to Systems Manager Session Manager and removing inbound SSH is sound practice, but it leaves 8080 and 3306 open to the world, which is the larger problem. Option D is wrong because network ACLs are stateless, cannot reference security groups, and would need ephemeral-port rules in both directions for every tier pair; security groups are the right tool here.
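
The following is an added example (not part of the quiz) that models how security groups evaluate inbound traffic, including rules whose source is another security group, and runs the "before" rule set from the stem and the "after" rule set from Option C against the same sample flows. The management CIDR, the instance IPs and the flows are constructed for illustration; only the inbound direction is modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" / "udp"
    from_port: int
    to_port: int
    source: str       # a CIDR ("0.0.0.0/0") or the name of another security group


# Assumed management CIDR for SSH; the quiz only says "a specific management CIDR".
MGMT_CIDR = "198.51.100.0/24"

# Rule sets as described in the stem ("before") and in Option C ("after").
BEFORE = {
    "Web-SG": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0"),
               Rule("tcp", 22, 22, "0.0.0.0/0")],
    "App-SG": [Rule("tcp", 8080, 8080, "0.0.0.0/0"), Rule("tcp", 22, 22, "0.0.0.0/0")],
    "DB-SG":  [Rule("tcp", 3306, 3306, "0.0.0.0/0")],
}
AFTER = {
    "Web-SG": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0"),
               Rule("tcp", 22, 22, MGMT_CIDR)],
    "App-SG": [Rule("tcp", 8080, 8080, "Web-SG"), Rule("tcp", 22, 22, MGMT_CIDR)],
    "DB-SG":  [Rule("tcp", 3306, 3306, "App-SG")],
}


def inbound_allowed(sgs, dst_sg, src_ip, src_sg, proto, port):
    """Security groups are stateful allow-lists: the flow is permitted if ANY
    inbound rule on the destination's group matches, and there are no deny
    rules.  A rule whose source is another security group matches on the
    sending ENI's group membership, not on its IP address."""
    ip = ipaddress.ip_address(src_ip)
    for r in sgs[dst_sg]:
        if r.proto != proto or not (r.from_port <= port <= r.to_port):
            continue
        if r.source in sgs:                  # SG-referenced source
            if src_sg == r.source:
                return True
        elif ip in ipaddress.ip_network(r.source):
            return True
    return False


# Constructed sample flows: (dst_sg, src_ip, src_sg, proto, port).
FLOWS = {
    "internet->app:22":   ("App-SG", "203.0.113.5",  None,     "tcp", 22),
    "internet->app:8080": ("App-SG", "203.0.113.5",  None,     "tcp", 8080),
    "internet->db:3306":  ("DB-SG",  "203.0.113.5",  None,     "tcp", 3306),
    "web->app:8080":      ("App-SG", "10.0.1.10",    "Web-SG", "tcp", 8080),
    "web->db:3306":       ("DB-SG",  "10.0.1.10",    "Web-SG", "tcp", 3306),
    "app->db:3306":       ("DB-SG",  "10.0.2.10",    "App-SG", "tcp", 3306),
    "mgmt->web:22":       ("Web-SG", "198.51.100.7", None,     "tcp", 22),
}


def evaluate(sgs):
    """Map each sample flow name to True (allowed) or False (dropped)."""
    return {name: inbound_allowed(sgs, *flow) for name, flow in FLOWS.items()}


def newly_blocked():
    """Flows that the remediation closes (allowed before, dropped after)."""
    before, after = evaluate(BEFORE), evaluate(AFTER)
    return sorted(name for name in FLOWS if before[name] and not after[name])


if __name__ == "__main__":
    for name, ok in evaluate(AFTER).items():
        print(f"{name:20} {'ALLOW' if ok else 'DROP'}")
    print("closed by remediation:", newly_blocked())
```

Every sample flow is allowed under the "before" rules; under the "after" rules the internet-to-app, internet-to-DB and web-to-DB flows are dropped while web-to-app, app-to-DB and management SSH still work. The point to notice is the web-to-DB flow: the old DB-SG accepted it because 0.0.0.0/0 matches any source, and the SG-referenced rule closes it without anyone having to know the web tier's addresses.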

162
MCQ · hard

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

A. Use VPC peering to connect all VPCs to the shared services VPC and route traffic through the firewall.
B. Create a Transit Gateway with separate route tables for each VPC and a shared route table for the inspection VPC. Use Gateway Load Balancer to distribute traffic to a fleet of firewall instances.
C. Attach all VPCs to a Transit Gateway and configure a Network Load Balancer in the shared services VPC to distribute traffic to firewall instances.
D. Attach all VPCs to a Transit Gateway and use a single firewall instance with elastic network interfaces in each VPC.
Answer: B

This design is scalable and highly available, with Gateway Load Balancer for inspection and Transit Gateway for routing.

Why this answer

Option B is correct because it combines AWS Transit Gateway with separate route tables per VPC and a shared inspection route table, enabling centralized traffic steering to a fleet of firewall instances behind a Gateway Load Balancer (GWLB). GWLB transparently distributes traffic across multiple firewall instances at the network layer (GENEVE protocol), providing both horizontal scalability and high availability without introducing a single point of failure or requiring complex VPC peering meshes.

Exam trap

The trap here is that candidates often confuse Network Load Balancer (NLB) with Gateway Load Balancer (GWLB), assuming NLB can transparently inspect traffic, but GWLB is the only AWS load balancer designed for inline traffic inspection with third-party appliances.

How to eliminate wrong answers

Option A is wrong because VPC peering creates a full mesh of point-to-point connections that does not scale beyond a few VPCs, and it lacks centralized route control, forcing all traffic through a single firewall in the shared services VPC without built-in load balancing or failover. Option C is wrong because a Network Load Balancer (NLB) operates at Layer 4 and cannot transparently intercept traffic for stateful inspection without additional configuration (e.g., proxy or NAT), whereas GWLB is designed specifically for transparent traffic inspection using GENEVE encapsulation. Option D is wrong because a single firewall instance with elastic network interfaces (ENIs) in each VPC creates a brittle, non-scalable architecture with a single point of failure and no load balancing, violating high availability and scalability requirements.

163
MCQ · easy

A company wants to audit all network traffic to and from EC2 instances for security analysis. Which AWS service should they enable?

A. VPC Flow Logs
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Config
Answer: A

VPC Flow Logs capture metadata about IP traffic to and from network interfaces.

Why this answer

Option A is correct. VPC Flow Logs record, for each flow on a network interface, the addresses, ports, protocol, packet and byte counts, time window and the accept/reject verdict; they can be enabled at VPC, subnet or ENI scope and delivered to CloudWatch Logs, S3 or Kinesis Data Firehose. AWS CloudTrail records API calls, not network traffic. AWS Config records resource configuration changes. Amazon GuardDuty consumes flow logs, DNS logs and CloudTrail to raise findings, but it does not capture the traffic itself.

Flow logs hold no packet payloads; when the analysis needs full packets, use VPC Traffic Mirroring to copy the traffic from the ENI to a collector.
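
As an added example (not from the quiz), here is a small parser for default-format (version 2) VPC flow log records with a detection over them: it flags ACCEPTed flows that leave the VPC for a restricted address range, the kind of record Q165 below describes. The log lines, the ENI ID and the account number are constructed, and the restricted range is a stand-in for a GeoIP or threat-feed lookup that a real pipeline would supply.

```python
import ipaddress
from collections import namedtuple

# Default (version 2) VPC flow log record fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
Record = namedtuple("Record", FIELDS)

# Constructed sample records (not real logs). The fourth is the kind of record
# the quiz describes: an outbound TCP/443 flow ACCEPTed at the ENI.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.3.15 10.0.3.20 45120 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.3.15 51422 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.3.15 93.184.216.34 45130 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.15 198.51.100.77 45140 443 6 15 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
# Stand-in for "a restricted country": a constructed list of CIDRs. In a real
# pipeline this comes from a GeoIP database or a threat-intelligence feed.
RESTRICTED = [ipaddress.ip_network("198.51.100.0/24")]


def parse(text):
    """Parse default-format records; skip malformed lines and the NODATA /
    SKIPDATA records, which carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = Record(*parts)
        if rec.log_status != "OK":
            continue
        records.append(rec)
    return records


def suspicious_egress(records):
    """ACCEPTed flows that originate inside the VPC and terminate in a
    restricted range. An ACCEPT here only proves the packet left the ENI
    (security group and NACL allowed it); it does not prove that a firewall
    further along the path ever saw it."""
    hits = []
    for rec in records:
        if rec.action != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec.srcaddr)
        dst = ipaddress.ip_address(rec.dstaddr)
        if src in VPC_CIDR and dst not in VPC_CIDR and any(dst in net for net in RESTRICTED):
            hits.append((rec.interface_id, rec.srcaddr, rec.dstaddr,
                         int(rec.dstport), int(rec.bytes)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_egress(parse(SAMPLE_LOG)):
        print("egress to restricted range:", hit)
```

Running it over the sample yields one hit, the 10.0.3.15 to 198.51.100.77 flow on port 443. In a real deployment the same logic would run as a CloudWatch Logs Insights query or a Lambda subscriber on the log group; the parser is the part that changes when a custom flow log format adds fields such as `pkt-srcaddr` or `flow-direction`.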

164
MCQ · hard

A company has a VPC with CIDR 10.0.0.0/16. They have public subnets (10.0.1.0/24, 10.0.2.0/24) and private subnets (10.0.3.0/24, 10.0.4.0/24) in two Availability Zones. An Internet Gateway is attached to the VPC, and a NAT Gateway is in public subnet 10.0.1.0/24. The private subnets route 0.0.0.0/0 to the NAT Gateway. The security team notices that instances in private subnet 10.0.3.0/24 can reach the internet, but instances in private subnet 10.0.4.0/24 cannot. Both private subnets have the same route table configuration. The network ACLs for both private subnets are set to allow all inbound and outbound traffic. What is the most likely cause of the issue?

A. The route table for the public subnet 10.0.1.0/24 does not have a route to the Internet Gateway.
B. The security group on the instances in private subnet 10.0.4.0/24 is blocking outbound traffic.
C. The network ACL for private subnet 10.0.4.0/24 is blocking outbound traffic.
D. The route table for private subnet 10.0.4.0/24 does not have a route to the NAT Gateway.
Answer: A

The NAT Gateway forwards using its own subnet's route table, so public subnet 10.0.1.0/24 must have a route to the Internet Gateway.

Why this answer

Option A is the key's answer: a NAT Gateway sends translated traffic according to the route table of the public subnet it is deployed in, and without a 0.0.0.0/0 route to the Internet Gateway there it cannot reach the internet, however correct the private subnets' tables are. Option C is wrong because the stem says both private NACLs allow all traffic. Option D is wrong because both private subnets share the same route table configuration, which already points to the NAT Gateway.

Read the stem carefully, though: if the NAT Gateway's subnet lacked its Internet Gateway route, instances in 10.0.3.0/24 would be unable to reach the internet as well, yet the stem says they can. With identical route tables and permissive NACLs on both private subnets, the only per-subnet difference left is the instances themselves, which makes the security group on the 10.0.4.0/24 instances (Option B) the explanation that actually fits the symptoms. Checking the NAT subnet's route table first and the instances' security groups second is the practical troubleshooting order.

165
MCQ · hard

A company's security team notices that a VPC flow log record shows an outbound connection from a private EC2 instance to an IP address in a restricted country. The security group allows outbound 0.0.0.0/0 for TCP 443. The network ACL allows outbound traffic to 0.0.0.0/0 on ephemeral ports. The company uses AWS Network Firewall with a firewall policy that has a stateful rule group that denies traffic to the restricted country. The flow log shows the traffic was accepted. What is the most likely cause?

A. VPC Flow Logs are not capturing all traffic.
B. The subnet's route table does not have a route that sends traffic to the AWS Network Firewall endpoint.
C. The network ACL inbound rule blocks the return traffic.
D. The security group outbound rule is not configured correctly.
Answer: B

If the subnet's route table does not direct the traffic to the firewall endpoint, the traffic never passes through AWS Network Firewall and the stateful rule is never evaluated.

Why this answer

Option B is correct. AWS Network Firewall is not inline by default; it only inspects packets that routing sends to its endpoint, which requires the workload subnet's route table to point the relevant destinations (typically 0.0.0.0/0) at the firewall endpoint and the firewall subnet's table to forward on to the NAT or Internet Gateway. If the private subnet still routes 0.0.0.0/0 straight to the NAT Gateway, the deny rule for the restricted country is never consulted. Option A is wrong because the flow log did capture the flow; flow logs record the security group and NACL verdict at the instance's ENI, and an ACCEPT there only means the packet left the ENI, which says nothing about whether a firewall further along the path saw it. Option C is wrong because an inbound NACL rule blocking return traffic would not produce an ACCEPT for the outbound flow and has nothing to do with the firewall. Option D is wrong because the security group is described as allowing outbound TCP 443, which is exactly the traffic observed.

To confirm the bypass, compare the instance's flow log with the Network Firewall flow and alert logs for the same time window: a flow present in the former and absent from the latter was never routed through the firewall.

166
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs. The security team wants to inspect all traffic between VPCs with a third-party firewall appliance deployed in a centralized inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

A. Create VPC peering connections between all VPCs and route traffic through the inspection VPC.
B. Use AWS PrivateLink to route traffic through the inspection VPC.
C. Configure Transit Gateway route tables with a blackhole route for the inter-VPC traffic and a route pointing to the inspection VPC.
D. Attach a Network Load Balancer in each VPC and route traffic through it.
Answer: C

Transit Gateway route tables are the mechanism that forces inter-VPC traffic through the inspection VPC before it reaches its destination.

Why this answer

Option C is correct because Transit Gateway route tables steer traffic per attachment: the spoke VPCs' route table sends inter-VPC traffic to the inspection VPC attachment (with blackhole entries to stop spokes reaching each other directly), and the inspection VPC's route table carries the routes to each spoke CIDR for the return path. Option A is wrong because VPC peering is non-transitive, so a peering mesh cannot push traffic through an intermediate inspection VPC. Option B is wrong because PrivateLink exposes a single service endpoint; it is not a routing path for arbitrary VPC-to-VPC traffic. Option D is wrong because a Network Load Balancer in every VPC neither steers inter-VPC traffic nor provides transparent inspection; the load balancer that fits an inline appliance fleet is the Gateway Load Balancer in the inspection VPC.

167
Multi-Select · medium

A company is designing a network security architecture for a multi-account environment using AWS Organizations. Which TWO services can be used to centrally manage security policies across all accounts?

Select 2 answers
A. AWS Config
B. AWS CloudTrail
C. AWS Organizations Service Control Policies (SCPs)
D. AWS Firewall Manager
E. Amazon VPC
Answers: C, D

SCPs centrally bound permissions across accounts; Firewall Manager centrally deploys and enforces WAF, Shield Advanced, security group and Network Firewall policies.

Why this answer

Options C and D are correct. AWS Organizations service control policies set the maximum permissions available in member accounts from the management account. AWS Firewall Manager, which requires Organizations, pushes AWS WAF rules, Shield Advanced protections, security group policies and Network Firewall policies to accounts and remediates drift. Option A is wrong because AWS Config evaluates and records resource state; aggregators and organization conformance packs give cross-account visibility, but Config does not enforce a security policy. Option B is wrong because CloudTrail records API activity (an organization trail can cover all accounts) and enforces nothing. Option E is wrong because Amazon VPC is a per-account networking construct, not a policy service.

168
Multi-Select · hard

Which THREE are valid methods to secure data in transit between a VPC and an on-premises network over the internet? (Choose three.)

Select 3 answers
A. VPC Endpoint (Gateway or Interface)
B. AWS Direct Connect with a VPN
C. AWS Client VPN
D. VPC Peering
E. AWS Site-to-Site VPN
Answers: B, C, E

Each of the three establishes an IPsec tunnel: Site-to-Site VPN over the internet, Client VPN for individual users, and a VPN running over Direct Connect for encryption on a dedicated link.

Why this answer

Options B, C and E are correct. An AWS Site-to-Site VPN uses IPsec to encrypt traffic between a customer gateway and a virtual private gateway or Transit Gateway. AWS Client VPN gives individual clients an encrypted tunnel into the VPC. Direct Connect on its own is a private physical circuit with no encryption, but a Site-to-Site VPN run over a Direct Connect public virtual interface does encrypt the traffic, which is why Option B is included even though Direct Connect is not, strictly, "over the internet".

Option A is wrong because VPC Endpoints give private access to AWS services from inside a VPC and have nothing to do with on-premises connectivity. Option D is wrong because VPC Peering connects two VPCs, not a VPC and an on-premises network.

169
MCQ · hard

A company uses AWS Direct Connect to connect their on-premises network to AWS. They want to encrypt all traffic between their on-premises router and the AWS Direct Connect location. Which solution should they implement?

A. Use an IPsec VPN over the internet for additional encryption.
B. Use AWS PrivateLink to create a secure connection.
C. Enable MACsec on the Direct Connect connection.
D. Use TLS to encrypt the traffic at the application layer.
Answer: C

MACsec (IEEE 802.1AE) encrypts the Direct Connect link at Layer 2, hop by hop between the customer router and the AWS device.

Why this answer

Option C is correct: MACsec encrypts every frame on the physical link between the on-premises router and the AWS Direct Connect device at the colocation, which is exactly the segment the question names. It is available only on dedicated connections (10 Gbps and faster) at MACsec-capable Direct Connect locations, and both sides must be configured with the same connectivity association key (CKN/CAK pair). Option A is wrong because an IPsec VPN over the internet does not protect the Direct Connect path at all; it uses a different path. Option B is wrong because PrivateLink provides interface endpoints for services inside AWS and does not touch the Direct Connect link. Option D is wrong because TLS protects individual application sessions, not all traffic on the link, and does nothing for protocols that do not use it.

170
Multi-Select · hard

A security engineer is designing a network security architecture for a hybrid cloud environment. The company has an AWS Direct Connect connection to its on-premises data center. They want to ensure that all traffic between on-premises and AWS is encrypted and that the encryption is enforced at the network layer. Which TWO solutions should the engineer consider?

Select 2 answers
A. Enable MACsec on the Direct Connect dedicated connection.
B. Set up an SSL VPN between on-premises and AWS.
C. Use VPC Peering to connect on-premises to AWS.
D. Configure an IPsec VPN over the Direct Connect virtual interface.
E. Use TLS encryption at the application layer.
Answers: A, D

MACsec encrypts the physical Direct Connect link at Layer 2; an IPsec VPN carried over Direct Connect encrypts at Layer 3.

Why this answer

Option A (MACsec) is correct because it encrypts frames on the dedicated Direct Connect connection itself, between the customer router and the AWS device. Option D (IPsec VPN over Direct Connect) is correct because it builds an encrypted tunnel across the Direct Connect path, classically over a public virtual interface to the Site-to-Site VPN endpoints or, more recently, as a private IP VPN over a transit virtual interface; it protects the traffic from the customer gateway into AWS, not only on the last physical hop. Both operate at or below the network layer, which is what the requirement demands. TLS (Option E) sits above the transport layer and only covers the applications that use it.

Option B is wrong because SSL VPN is not an AWS-managed site-to-site option and, being TLS-based, is not network-layer encryption. Option C is wrong because VPC Peering connects VPCs and cannot be used for an on-premises network.

171
MCQ · easy

A company wants to restrict access to an S3 bucket so that only objects with server-side encryption using AWS KMS (SSE-KMS) can be uploaded. Which bucket policy condition should be used?

A. kms:ViaService
B. s3:x-amz-server-side-encryption
C. aws:SourceVpce
D. s3:x-amz-server-side-encryption-aws-kms-key-id
Answer: D

The key's reading is that the bucket must accept only SSE-KMS uploads made with a particular KMS key, which is what the s3:x-amz-server-side-encryption-aws-kms-key-id condition enforces.

Why this answer

Option D is the key's answer: a Deny statement on s3:PutObject with StringNotEquals `s3:x-amz-server-side-encryption-aws-kms-key-id` set to the permitted key ARN rejects any upload that does not name that key. Option B, `s3:x-amz-server-side-encryption`, distinguishes AES256 (SSE-S3) from aws:kms but cannot pin a specific key. Option A is wrong because kms:ViaService is a KMS key-policy condition that restricts which service may use the key; it is not evaluated in a bucket policy. Option C is wrong because aws:SourceVpce restricts which VPC endpoint a request may arrive through and has nothing to do with encryption.

Note the mismatch between stem and key: as the stem is phrased (any SSE-KMS upload), a Deny with `"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}` is the condition that does exactly that; the key-ID condition is the stricter control for when one specific key must be used, and the two are normally combined. Because StringNotEquals evaluates to true when the header is absent, such a Deny also rejects uploads that send no encryption header at all.

172
MCQ · easy

A company wants to block outbound traffic from a VPC to the internet except through a NAT Gateway for updates to specific software repositories. Which AWS service should be used to control outbound traffic?

A. Security Groups
B. Route Tables
C. VPC Endpoints
D. Network ACLs
Answer: D

Network ACLs are stateless subnet-level filters with explicit allow and deny rules, so they can restrict where outbound traffic may go.

Why this answer

Option D is the key's answer because a network ACL is attached to a subnet and evaluates every outbound packet against an ordered list of allow and deny rules keyed on destination CIDR, protocol and port, which lets you permit HTTPS to the repository ranges and deny everything else for the whole subnet. Because NACLs are stateless, the matching inbound rules for return traffic on the ephemeral port range must be written too. Option A is wrong as the key sees it because security groups are stateful allow-lists with no explicit deny; they can restrict egress to listed destination CIDRs (for many teams the simpler control), but they cannot express a subnet-wide deny. Option B is wrong because route tables decide the next hop (the NAT Gateway), not whether a packet is permitted. Option C is wrong because VPC endpoints provide private paths to AWS services, not filtering of internet-bound traffic.

173
MCQ · hard

Refer to the exhibit. An IAM role ARN is shown. A security engineer wants to allow an EC2 instance to assume this role. What is required for the EC2 instance to successfully assume the role?

A. The trust policy must specify the EC2 instance's private IP address.
B. The role's trust policy must allow the EC2 service principal to assume the role, and the EC2 instance must be launched with an instance profile that includes this role.
C. The role's permissions policy must include an Allow for the EC2 instance's security group.
D. The EC2 instance must have a public IP address to access the IAM endpoint.
Answer: B

The trust policy grants the EC2 service permission to assume the role, and the instance profile associates the role with the instance.

Why this answer

Option B is correct. Two things are required: the role's trust policy must contain an `sts:AssumeRole` statement whose principal is the service `ec2.amazonaws.com`, and the instance must be launched with (or later associated with) an instance profile that contains the role. The instance then obtains temporary credentials from the Instance Metadata Service at 169.254.169.254; require IMDSv2, whose session token blunts SSRF-style credential theft. No inbound network access or public address is involved. Option A is incorrect because a trust policy names principals (services, accounts, roles, users), not IP addresses. Option C is incorrect because the permissions policy defines what the role can do once assumed, not who may assume it. Option D is incorrect because the credentials come from the link-local metadata endpoint, so a public IP is not needed.

174
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no VPC in any account can have an internet gateway attached. Which option meets this requirement?

A. Create an IAM policy that denies ec2:AttachInternetGateway and attach it to each account's admin role.
B. Use security groups to block traffic from internet gateways.
C. Apply a service control policy (SCP) that denies ec2:AttachInternetGateway at the root level.
D. Use network ACLs to block traffic from internet gateways.
Answer: C

SCPs are applied centrally from the management account and bound what every identity in the member accounts can do, so a Deny on ec2:AttachInternetGateway at the root covers every account and cannot be undone from inside an account.

Why this answer

Option C is correct because a service control policy attached at the organization root (or to the relevant OUs) denies `ec2:AttachInternetGateway` for every user and role in every member account, including account administrators, and only the management account can change it. A matching Deny on `ec2:CreateInternetGateway` tightens it further. Option A is wrong because IAM policies are managed inside each account, so an administrator could detach or edit them, and the control would have to be replicated by hand. Option B is wrong because security groups filter traffic to resources; they cannot prevent an Internet Gateway from being attached. Option D is wrong for the same reason: network ACLs filter packets at the subnet and have no say over VPC attachments.

Remember that SCPs do not apply to the management account, so that account needs its own guardrail if it hosts VPCs.

175
MCQ · easy

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) across multiple Availability Zones. The application uses a MySQL database on an RDS instance in a private subnet. Security compliance requires that all traffic between the ALB and EC2 instances must be encrypted. The security team finds that the ALB currently sends traffic to the EC2 instances using HTTP on port 80. The EC2 security group allows inbound HTTP traffic from the ALB security group. The team needs to implement encryption with minimal changes and without disrupting the application. Which solution meets these requirements?

A. Set up an AWS Client VPN endpoint and have the ALB send traffic through the VPN to the EC2 instances.
B. Deploy an internal ALB in front of the EC2 instances and configure it with an HTTPS listener. Route traffic from the public ALB to the internal ALB.
C. Modify the ALB listener to use HTTPS on port 443. Create a new target group with protocol HTTPS on port 443. Install a valid SSL/TLS certificate on each EC2 instance. Update the EC2 security group to allow inbound HTTPS from the ALB security group.
D. Replace the ALB with a Network Load Balancer (NLB) and use TLS listeners to the EC2 instances.
Answer: C

Switching the target group to HTTPS and terminating TLS on the instances encrypts the ALB-to-instance leg with the fewest moving parts.

Why this answer

Option C is correct. Encryption between the ALB and its targets is governed by the target group's protocol, not by the listener: the listener covers the client-to-ALB leg, the target group covers the ALB-to-instance leg. The change is therefore to create a target group with protocol HTTPS on port 443, have each instance's web server terminate TLS with an installed certificate, point the listener at the new target group, and update the EC2 security group to accept 443 from the ALB's security group (and, once traffic has moved, remove the port 80 rule). The Auto Scaling group and the application code are untouched, which is the "minimal change" the stem asks for.

Two practical details: the ALB does not validate the certificate a target presents, so an internally issued or self-signed certificate on the instances is enough for the backend leg, while the listener certificate should come from ACM; and the target group's health check should be switched to HTTPS as well so instances are not marked unhealthy once port 80 is closed.

Exam trap

The trap here is that candidates may think simply changing the ALB listener to HTTPS is enough, but that only encrypts the client-to-ALB leg. Encrypting ALB-to-instance traffic needs an HTTPS target group and certificates on the instances.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN is for remote users connecting into a VPC; an ALB cannot send its traffic through it, and it would add cost and complexity without encrypting the ALB-to-instance leg. Option B is wrong because an internal ALB in front of the instances adds a hop and does not by itself encrypt the ALB-to-instance leg; that leg would still need an HTTPS target group and certificates on the instances, so the extra load balancer buys nothing. Option D is wrong because replacing the ALB with an NLB means rebuilding the load balancing setup and giving up Layer 7 features the application may rely on (path- and host-based routing, WAF integration, header-based rules); a TLS listener on an NLB terminates TLS at the NLB and still needs certificates on the instances to encrypt the backend leg, so the change is more invasive than modifying the existing ALB.

176
MCQ · medium

A security engineer is designing a network firewall solution for a VPC with multiple subnets. The solution must inspect traffic between instances in the same VPC, including traffic within the same subnet. Which AWS service should be used?

A.Security Groups
B.VPC Flow Logs
C.AWS Network Firewall
D.AWS WAF
Answer: C

Provides stateful and stateless inspection for all VPC traffic.

Why this answer

Option C is correct because AWS Network Firewall can inspect traffic between subnets and within a subnet when deployed in a VPC. Option D is wrong because AWS WAF is for web application layer 7 inspection, not for general network traffic. Option A is wrong because Security Groups are stateless and cannot perform deep packet inspection.

Option B is wrong because VPC Flow Logs only capture metadata and do not inspect packets.

177
Multi-Select · medium

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which TWO services should they use to protect against common web exploits and DDoS attacks?

Select 2 answers
A.AWS WAF
B.AWS Shield Advanced
C.Amazon Inspector
D.AWS Network Firewall
E.Amazon GuardDuty
Answers: A, B

WAF protects against web exploits.

Why this answer

Options A and B are correct: AWS WAF protects against web exploits like SQL injection, and AWS Shield Advanced provides enhanced DDoS protection. Option D is wrong because Network Firewall is for network-level filtering, not specifically web exploits. Option E is wrong because GuardDuty is for threat detection, not inline prevention.

Option C is wrong because Inspector is for vulnerability scanning.

178
Multi-Select · medium

Which TWO measures can be taken to protect an AWS account's root user credentials? (Choose two.)

Select 2 answers
A.Create an IAM user with administrative privileges and use that instead of the root user
B.Use the root user for daily administrative tasks
C.Delete the root user account after creating IAM users
D.Enable multi-factor authentication (MFA) on the root user
E.Store the root user credentials in a shared password manager
Answers: A, D

Best practice is to use IAM users for administration.

Why this answer

Options A and D are correct. Enabling MFA and creating an IAM admin user are best practices. Option B is wrong because using the root user regularly is not recommended.

Option C is wrong because deleting the root user is not possible. Option E is wrong because sharing credentials is insecure.

179
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service should be used to provide internet access to instances in the private subnets without assigning public IP addresses?

A.NAT gateway in a public subnet.
B.Internet gateway attached to the VPC.
C.VPC Gateway Endpoint for Amazon S3.
D.Site-to-Site VPN connection.
Answer: A

NAT gateway enables outbound internet access for private instances.

Why this answer

Option A is correct because a NAT gateway allows instances in private subnets to initiate outbound traffic to the internet. Option B is wrong because an Internet Gateway alone does not provide NAT; it requires public IPs. Option D is wrong because a VPN does not provide direct internet access.

Option C is wrong because a VPC endpoint is for accessing AWS services.

180
MCQ · easy

A company wants to allow a specific IP address range to access an EC2 instance in a private subnet using a bastion host. The bastion host is in a public subnet. Which security group configuration is correct?

A.Bastion security group: inbound SSH from the private instance security group. Private instance security group: inbound SSH from the bastion security group.
B.Bastion security group: inbound SSH from the private instance security group. Private instance security group: inbound SSH from the IP range.
C.Bastion security group: inbound SSH from the IP range. Private instance security group: inbound SSH from the IP range.
D.Bastion security group: inbound SSH from the IP range. Private instance security group: inbound SSH from the bastion security group.
Answer: D

This follows the principle of least privilege.

Why this answer

Option D is correct because the bastion host should allow SSH from the IP range, and the private instance should allow SSH only from the bastion host's security group. Option B is wrong because the bastion host should not allow SSH from the private instance. Option C is wrong because the private instance should not allow SSH from the internet.

Option A is wrong because the bastion host should not allow SSH from the private instance.

181
Multi-Select · hard

A company has a VPC with multiple subnets and uses AWS Transit Gateway to connect to on-premises via AWS Direct Connect. They want to implement network segmentation so that certain VPCs can only communicate with specific on-premises networks. Which THREE components should they use? (Choose THREE.)

Select 3 answers
A.VPC peering connections
B.Direct Connect gateway
C.Transit Gateway association to Direct Connect gateway
D.Transit Gateway route tables
E.Site-to-Site VPN connection
Answers: B, C, D

Provides connectivity to on-premises networks.

Why this answer

Options B, C, and D are correct. Transit Gateway route tables allow separate routing domains, Direct Connect gateways route traffic to on-premises, and gateway associations link the gateways. Option A is wrong because VPC peering is not needed with Transit Gateway.

Option E is wrong because a VPN is not required when using Direct Connect.

182
MCQ · hard

A company is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets across the organization are encrypted with AWS KMS. Which approach should be used to enforce this policy?

A.Configure each S3 bucket with a bucket policy that denies access if encryption is not used.
B.Apply a service control policy (SCP) at the root level that denies S3 bucket creation unless encryption is configured.
C.Use AWS Config rules to detect unencrypted S3 buckets and automatically remediate them.
D.Create an IAM policy that denies creating S3 buckets without encryption and attach it to all users.
Answer: B

SCPs can be applied to organizational units to centrally enforce policies across accounts.

Why this answer

Option B is correct because a service control policy (SCP) can be applied at the root of the organization to deny creation or modification of S3 buckets without KMS encryption. Option A is incorrect because bucket policies are per-bucket and not centrally enforced; an SCP, by contrast, applies to accounts rather than to individual buckets. Option D is incorrect because IAM policies are account-specific and cannot enforce across the organization.

183
Multi-Select · medium

Which TWO features are provided by AWS Shield Advanced that are not available in AWS Shield Standard? (Choose 2)

Select 2 answers
A.Automatic web application firewall rule updates
B.DDoS cost protection
C.Access to detailed DDoS logs
D.24/7 access to the AWS DDoS Response Team
E.Network-layer DDoS protection
Answers: B, D

Shield Advanced offers protection against scaling charges due to DDoS.

Why this answer

Option B is correct because Shield Advanced provides DDoS cost protection for scaling resources. Option D is correct because Shield Advanced includes 24/7 access to the DDoS Response Team. Option E is wrong because network-layer protection is available in Standard.

Option C is wrong because basic logging is available without Shield. Option A is wrong because WAF is separate; Shield Advanced includes WAF at no extra cost but does not manage rules automatically.

184
Multi-Select · medium

Which TWO actions should be taken to secure an EC2 instance that is used as a bastion host? (Choose 2)

Select 2 answers
A.Use a security group that only allows necessary inbound ports
B.Use HTTPS instead of SSH for administration
C.Place the bastion host in a private subnet
D.Restrict inbound SSH access to a specific IP range using security group
E.Allow all inbound traffic on port 22 in the network ACL
Answers: A, D

Minimize attack surface.

Why this answer

Option A is correct because a bastion host should only expose necessary inbound ports (typically TCP 22 for SSH) to minimize the attack surface. By using a security group that restricts inbound traffic to only required ports, you enforce the principle of least privilege at the network layer, preventing unauthorized access to other services that might be running on the instance.

Exam trap

AWS often tests the misconception that a bastion host should be placed in a private subnet for security, but the correct design requires it to be in a public subnet to serve as an entry point, with security group restrictions providing the necessary protection.

185
MCQ · easy

A company has a VPC with public and private subnets. The public subnet hosts a web server that must be accessible from the internet. The private subnet hosts a database that should only be accessible from the web server. Which security group configuration should be used?

A.Database security group: inbound rule allowing traffic from the web server security group on the database port
B.Database security group: inbound rule allowing traffic from the VPC CIDR on the database port
C.Database security group: inbound rule allowing traffic from the web server's private IP on the database port
D.Database security group: inbound rule allowing traffic from 0.0.0.0/0 on the database port
Answer: A

This ensures only the web server can reach the database.

Why this answer

Security groups can reference other security groups as sources. Option A is correct because it allows traffic from the web server's security group. Option B is wrong because it allows all traffic from the VPC CIDR, which is too permissive.

Option D is wrong because it allows all inbound traffic. Option C is wrong because it allows traffic from the web server's IP address but not specifically via its security group.

186
MCQ · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team needs to block a specific IP address range that has been launching DDoS attacks. The solution must be implemented at the network edge, before traffic reaches the ALB. What should the security team do?

A.Update the security group for the ALB to deny traffic from the IP range.
B.Create an AWS WAF web ACL with an IP set rule that blocks the IP range and attach it to the ALB.
C.Add a network ACL rule on the ALB's subnet to deny inbound traffic from the IP range.
D.Deploy Amazon CloudFront in front of the ALB and use AWS WAF to block the IP range at CloudFront.
Answer: B

WAF at the ALB blocks traffic before it reaches the backend.

Why this answer

AWS WAF web ACL attached to the ALB can filter traffic based on IP addresses. Option B is correct because WAF is deployed at the edge (ALB or CloudFront) and can block IP sets. Option A is wrong because security groups are stateful but work at the instance level, not at the edge.

Option C is wrong because NACLs are applied at the subnet level, but ALB is in a subnet, so traffic reaches the ALB first; NACL is stateless and less suitable for layer 7 filtering. Option D is wrong because CloudFront with WAF is also edge, but the question says 'before traffic reaches the ALB' and ALB is already in place; adding CloudFront changes the architecture.

187
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be inspected by a third-party firewall appliance for compliance. The firewall appliance must be deployed in a separate VPC and must inspect traffic without introducing a single point of failure. Which architecture meets these requirements?

A.Configure the Application Load Balancer to send all traffic to the firewall appliance using Proxy Protocol v2.
B.Use AWS Direct Connect to route all traffic through the firewall appliance.
C.Use AWS Network Firewall to inspect traffic.
D.Deploy Gateway Load Balancer endpoints in the application VPC and attach them to the firewall appliance in the inspection VPC across multiple Availability Zones.
Answer: D

Gateway Load Balancer allows transparent inspection of traffic by third-party appliances and supports multi-AZ deployment.

Why this answer

Option D is correct because using Gateway Load Balancer endpoints across multiple Availability Zones with the firewall appliance in a separate VPC allows traffic to be routed through the firewall for inspection while maintaining high availability. Option C is wrong because AWS Network Firewall does not support routing traffic to a third-party appliance in a different VPC. Option B is wrong because Direct Connect does not provide traffic inspection.

Option A is wrong because Proxy Protocol does not enable traffic inspection.

188
MCQ · hard

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN tunnel is up, but traffic from on-premises cannot reach EC2 instances in the VPC. The EC2 instances have a security group that allows inbound ICMP from the on-premises CIDR. What is the most likely cause?

A.The security group rule is using the wrong protocol.
B.The VPN connection does not have static routes configured.
C.The subnet route table does not have a route for the on-premises CIDR pointing to the virtual private gateway.
D.The subnet is not associated with the main route table.
Answer: C

Without this route, traffic from on-premises cannot be routed to the subnet.

Why this answer

Option C is correct because the route table of the VPC subnet must have a route pointing the on-premises CIDR to the virtual private gateway (VGW). Option B is wrong because the VPN static routes are configured on the customer gateway side. Option A is wrong because the security group rule is correct.

Option D is wrong because the route table association is not the issue.

189
MCQ · medium

A company uses AWS Organizations and has multiple VPCs in different accounts. They want to centrally manage network firewall rules for all VPCs using a single firewall policy. Which AWS service should they use?

A.AWS Firewall Manager
B.AWS WAF
C.AWS Network Firewall
D.AWS Shield Advanced
Answer: A

Centrally manages firewall policies across accounts.

Why this answer

Option A is correct. AWS Firewall Manager allows you to centrally manage firewall rules across accounts and VPCs. Option C is wrong because Network Firewall is a per-VPC service.

Option D is wrong because Shield is for DDoS. Option B is wrong because WAF is for web ACLs, not network firewalls.

190
MCQ · easy

A company wants to centrally manage and enforce security policies across multiple AWS accounts and VPCs. They need to ensure that all VPCs have a specific set of rules, such as disabling public subnets. Which AWS service should be used?

A.AWS Organizations with Service Control Policies (SCPs)
B.AWS Identity and Access Management (IAM)
C.AWS Shield
D.AWS Config
Answer: A

SCPs allow central control over the maximum permissions for accounts, enabling enforcement of network policies.

Why this answer

Option A is correct because AWS Organizations with Service Control Policies (SCPs) can centrally control permissions across accounts. Option D is wrong because AWS Config evaluates resource configurations but does not enforce policies. Option B is wrong because IAM is for users and roles, not for VPC-level controls.

Option C is wrong because AWS Shield is for DDoS protection.

191
Multi-Select · hard

A company has a VPC with public and private subnets. They use a NAT Gateway in the public subnet to allow instances in the private subnet to access the internet. The security team wants to ensure that all outbound traffic from the private subnet is logged and inspected. Which THREE services should they use together to achieve this? (Choose THREE.)

Select 3 answers
A.VPC Flow Logs
B.AWS Direct Connect
C.AWS Network Firewall
D.Amazon Route 53 Resolver DNS Firewall
E.AWS Transit Gateway
Answers: A, C, D

Flow logs capture IP traffic information for logging.

192
MCQ · medium

A security engineer is designing a network ACL for a public subnet. The subnet hosts a web server on port 443. Which inbound and outbound rules should be configured to allow HTTPS traffic from the internet? (Assume default deny all rule.)

A.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 1024-65535 to 0.0.0.0/0.
B.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
C.Inbound: allow TCP 1024-65535 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
D.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0 for responses.
Answer: A

This allows incoming HTTPS and outgoing return traffic on ephemeral ports.

Why this answer

Option A is correct because NACLs are stateless; you need explicit rules for both inbound and outbound traffic. The inbound rule allows HTTPS from the internet, and the outbound rule allows return traffic (ephemeral ports) to the internet. Option B is wrong because its outbound rule is too restrictive (only port 443) and so does not allow return traffic.

Option C is wrong because its inbound rule allows only the ephemeral port range instead of port 443. Option D is wrong because, like option B, it limits outbound traffic to port 443 and does not allow return traffic on ephemeral ports.

193
MCQ · easy

A company wants to allow its developers to access Amazon RDS databases from their on-premises network without traversing the public internet. Which solution meets this requirement?

A.Use a NAT gateway in the VPC
B.Create a VPC endpoint for RDS
C.Configure VPC Peering between the on-premises network and the VPC
D.Establish an AWS Site-to-Site VPN connection
Answer: D

A VPN connection securely connects on-premises to the VPC, allowing private access to RDS.

Why this answer

Option D is correct because an AWS Site-to-Site VPN connection creates an encrypted tunnel between on-premises and the VPC, allowing private access to RDS. Option B is wrong because RDS does not have a VPC endpoint. Option A is wrong because NAT gateways are used for outbound traffic to the internet, not inbound.

Option C is wrong because VPC Peering connects VPCs, not on-premises networks.

194
MCQ · hard

Refer to the exhibit. A network engineer reviews the NACL entries for a subnet. What is the effect of this NACL on inbound traffic?

A.Only SSH from the internal network and HTTPS from any IP are allowed.
B.All inbound traffic is allowed.
C.Only HTTPS traffic is allowed from any IP.
D.All inbound traffic is denied.
Answer: A

Inbound rules allow SSH from 10.0.0.0/16 and HTTPS from 0.0.0.0/0.

Why this answer

Option A is correct. Inbound rules: Rule 100 allows SSH from 10.0.0.0/16. Rule 200 allows HTTPS from anywhere.

Rule 300 denies all other traffic. So only SSH from 10.0.0.0/16 and HTTPS from anywhere are allowed. Option B is wrong because the NACL is not fully open; SSH is not allowed from anywhere, only from 10.0.0.0/16.

Option C is wrong because SSH from 10.0.0.0/16 is also allowed, not only HTTPS. Option D is wrong because HTTPS is allowed.

195
Multi-Select · medium

A company is designing a network security architecture for a multi-tier application. Which TWO of the following are best practices for implementing defense in depth?

Select 2 answers
A.Use network ACLs as stateful firewalls at the subnet level
B.Use security groups to control traffic between instances
C.Attach internet gateways to all subnets for high availability
D.Place web servers in public subnets and application servers in private subnets
E.Use the same security group for all tiers to simplify management
Answers: B, D

Security groups act as instance-level firewalls.

Why this answer

Option D is correct because placing web servers in public subnets and app servers in private subnets adds a layer of separation. Option B is correct because using security groups as instance-level firewalls provides granular control. Option A is wrong because network ACLs are stateless, not stateful.

Option C is wrong because attaching internet gateways to every subnet gives direct internet access to tiers that do not need it. Option E is wrong because using the same security group for all tiers reduces security.

196
MCQ · medium

A company wants to use AWS Certificate Manager (ACM) to provide a TLS certificate for a website hosted on an ALB. The domain is example.com, and the certificate must be renewed automatically. Which type of certificate should be requested?

A.A private certificate issued by ACM Private CA
B.A self-signed certificate generated with OpenSSL
C.A certificate imported into ACM from a third-party CA
D.A public certificate issued by ACM with DNS validation
Answer: D

ACM handles renewal automatically.

Why this answer

Option D is correct because ACM automatically renews public certificates if DNS validation is used. Option A is wrong because private certificates are not for public websites. Option C is wrong because imported certificates must be manually renewed.

Option B is wrong because self-signed certificates are not trusted by browsers.

197
Multi-Select · hard

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which THREE services should they combine to protect against common web attacks and network threats?

Select 3 answers
A.Amazon GuardDuty
B.AWS WAF
C.AWS Shield Advanced
D.AWS Direct Connect
E.AWS Certificate Manager (ACM)
Answers: A, B, C

GuardDuty provides intelligent threat detection by analyzing logs and network traffic.

Why this answer

A defense-in-depth strategy for web applications includes AWS WAF to protect against web exploits, AWS Shield Advanced for DDoS protection, and Amazon GuardDuty for threat detection. Options A, B, and C are correct. Option E (AWS Certificate Manager) is for SSL/TLS certificates, not threat protection.

Option D (AWS Direct Connect) is for dedicated network connectivity, not threat protection.

198
MCQ · easy

Refer to the exhibit. An EC2 instance is associated with the IAM role shown. Which action can the EC2 instance perform?

A.Read objects from any S3 bucket.
B.Write objects to any S3 bucket.
C.Delete objects from any S3 bucket.
D.Upload objects to any S3 bucket.
Answer: A

s3:Get* includes GetObject.

Why this answer

Option A is correct. The policy allows s3:Get* and s3:List* actions, which include GetObject. Option B is wrong because PutObject is not allowed.

Option C is wrong because DeleteObject is not allowed. Option D is wrong because no write actions are allowed.

199
MCQ · hard

A company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates for an Application Load Balancer (ALB). The security team notices that an ACM-issued certificate is about to expire. How can they automate renewal?

A.Set a CloudWatch alarm to send a notification when the certificate is about to expire, then manually renew.
B.Manually remove the certificate from ACM and re-issue a new one.
C.Use AWS Certificate Manager's automatic renewal feature; no additional configuration is required if the certificate was issued by ACM.
D.Configure an AWS Lambda function to monitor certificate expiration and re-issue the certificate.
Answer: C

ACM automatically renews certificates it issued, provided the domain validation records are in place.

Why this answer

ACM automatically renews certificates issued by ACM if the domain is validated with DNS or email. No manual action is needed. Imported certificates must be manually renewed.

Removing and re-adding is not automatic. Lambda is unnecessary.

200
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. They have a central inspection VPC that uses AWS Network Firewall to inspect traffic. The security team wants to ensure that all traffic between VPCs and between VPCs and on-premises is routed through the inspection VPC. They have created a transit gateway route table for each VPC and the Direct Connect/VPN attachments. They have configured the route tables to propagate routes from the inspection VPC's attachment. However, traffic is still bypassing the inspection VPC. What should the security team do to ensure traffic is inspected?

A.Enable route propagation for all attachments in the transit gateway route tables.
B.Create static routes in each VPC's transit gateway route table pointing to the inspection VPC attachment for all destination CIDRs, and remove any routes that point directly to other attachments.
C.Configure network ACLs in the inspection VPC to block traffic that does not come from the transit gateway.
D.Create VPC peering connections between all VPCs and the inspection VPC.
Answer: B

Static routes can force traffic to the inspection VPC.

Why this answer

Option B is correct because to force traffic through the inspection VPC, you must use transit gateway route tables with specific routes pointing to the inspection VPC's attachment, and ensure that no other routes allow direct communication. Option A is wrong because enabling route propagation alone does not force traffic through inspection; the inspection VPC must be the next hop. Option D is wrong because VPC peering bypasses the transit gateway.

Option C is wrong because network ACLs in the inspection VPC do not affect routing in the transit gateway.

201
MCQ · easy

A company has a requirement to encrypt all data in transit between its on-premises network and AWS over a VPN connection. Which solution provides encryption in transit?

A.AWS Site-to-Site VPN
B.AWS Transit Gateway
C.VPC Peering
D.AWS Direct Connect
Answer: A

Uses IPsec to encrypt traffic between on-premises and AWS.

Why this answer

Option A is correct because AWS Site-to-Site VPN uses IPsec tunnels to encrypt data in transit. Option D is wrong because Direct Connect does not natively encrypt traffic; encryption must be added at the application layer. Option C is wrong because VPC Peering does not encrypt traffic.

Option B is wrong because Transit Gateway alone does not provide encryption.

202
MCQ · hard

A company is migrating a legacy application to AWS. The application requires that all network traffic between two VPCs be inspected by a third-party firewall appliance. The firewall must be able to inspect traffic bidirectionally and automatically fail over if the appliance becomes unhealthy. Which architecture meets these requirements?

A.Use AWS Transit Gateway with a Network Load Balancer in front of multiple firewall appliances
B.Use VPC Peering between the two VPCs and route traffic through a firewall instance in one of the VPCs
C.Deploy a single firewall instance in a shared VPC and route all inter-VPC traffic through it
D.Use AWS PrivateLink to connect the VPCs and place the firewall in the consumer VPC
Answer: A

Transit Gateway enables centralized routing, and NLB provides health checks and failover.

Why this answer

Option A is correct because Transit Gateway with a Network Load Balancer in front of the firewall appliances supports asymmetric routing and health checks for failover. Option B is wrong because VPC Peering does not support central inspection without additional routing. Option C is wrong because a single instance is a single point of failure.

Option D is wrong because an ALB at Layer 7 is not suitable for all traffic types (e.g., non-HTTP).

203
MCQ · easy

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. What is the effect of the policy?

A.All requests are denied
B.Only HTTPS requests are allowed, and HTTP requests are denied
C.Only HTTP requests are allowed
D.All requests are allowed
Answer: B

The Deny effect blocks HTTP requests; HTTPS requests are implicitly allowed.

Why this answer

This policy denies all S3 actions on the bucket if the request is not using HTTPS (aws:SecureTransport is false). Option A is wrong because HTTPS requests are still allowed, so not all requests are denied. Option C is wrong because HTTP is exactly what the policy denies.

Option D is wrong because the policy does not allow all requests.

204
MCQ · medium

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive data that should only be accessible from the corporate network (192.0.2.0/24). What is a potential security issue with this policy?

A.The condition should be applied to the Principal element
B.The Resource ARN is missing the bucket name
C.The policy does not require authentication; anonymous access is allowed from the specified IP range
D.The IP address range is not specific enough
Answer: C

The Principal is "*", which includes anonymous users.

Why this answer

Option C is correct because the policy's Principal is "*", which matches any principal, including anonymous users, so access to objects from the specified IP range does not require authentication. Unauthenticated requests from the allowed IP range will also be allowed if the bucket is public. Option D is wrong because the IP condition is correct.

Option A is wrong because the condition is on the action, not on the principal. Option B is wrong because the resource ARN is correct.

205
MCQ · hard

A company has a Direct Connect connection to AWS. They want to encrypt all traffic between their on-premises network and their VPC. Which solution meets this requirement?

A.Use MACsec on the Direct Connect connection.
B.Set up a VPN connection over the Direct Connect link using IPsec.
C.Enable encryption on the Direct Connect virtual interface.
D.Use TLS for all traffic between on-premises and AWS.
Answer: B

IPsec VPN over Direct Connect encrypts all traffic between the customer gateway and the VPC.

Why this answer

Option B is correct because Direct Connect does not provide encryption; you must use an IPsec VPN over the Direct Connect link (or MACsec at the physical layer). Option C is wrong because Direct Connect itself does not encrypt traffic; AWS Site-to-Site VPN over Direct Connect is used to encrypt it instead. Option D is wrong because TLS is for the application layer, not all traffic.

206
MCQ · hard

An IAM policy is applied to a user. The user reports that they cannot run 'aws ec2 describe-instances --region eu-west-1' but can run the same command in us-east-1. What is the most likely reason?

A.The policy only applies to resources in us-east-1, so other regions are implicitly denied.
B.The policy condition uses StringEquals, which only allows requests from us-east-1.
C.The policy denies ec2:Describe* when the region is not us-east-1.
D.The policy allows ec2:Describe* in all regions, but the user lacks permissions in eu-west-1.
Answer: C

The condition denies requests to regions other than us-east-1.

Why this answer

Option C is correct because the condition 'StringNotEquals' with 'aws:RequestedRegion' denies the action if the region is not us-east-1. Option A is wrong because the policy explicitly denies ec2:Describe* actions. Option B is wrong because the condition is StringNotEquals, not StringEquals.

Option D is wrong because the policy does not specify resource-level conditions.

207
MCQ · medium

A company has an Amazon RDS for MySQL database in a private subnet. The database should only be accessible from a specific fleet of EC2 instances in the same VPC. Which combination of security controls should be used to meet this requirement?

A.Use a network ACL on the private subnet that allows MySQL traffic from the EC2 instances' IP addresses.
B.Set up a VPN connection between the EC2 instances and the RDS instance.
C.Use a security group for the RDS instance that allows inbound MySQL traffic from the security group of the EC2 instances.
D.Enable IAM database authentication for the RDS instance and require EC2 instances to use IAM credentials.
AnswerC

Security group rules can reference other security groups, providing instance-level access control.

Why this answer

Option C is correct because a security group rule on the RDS instance that allows inbound TCP 3306 from the EC2 fleet's security group restricts access to exactly those instances, and the rule keeps working as instances are added, replaced or change IP addresses. Option A is wrong because network ACLs are stateless (return traffic on ephemeral ports must also be allowed) and are keyed on CIDR blocks, so the list goes stale whenever the fleet changes. Option D is wrong because IAM database authentication controls how a client authenticates once connected and does not restrict who can reach port 3306.

Option B is wrong because instances in the same VPC already have a private network path; a VPN adds nothing for in-VPC access.

208
Multi-Selecteasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team needs to protect the application from common web exploits like SQL injection and cross-site scripting. Which TWO AWS services should be used together?

Select 2 answers
A.AWS Shield Advanced
B.AWS WAF
C.AWS Network Firewall
D.Amazon GuardDuty
E.AWS Firewall Manager
AnswersA, B

AWS WAF filters request content at the ALB; Shield Advanced adds DDoS protection for it.

Why this answer

Options A and B are correct. Option B: AWS WAF attaches a web ACL to the ALB and inspects requests against SQL injection and cross-site scripting match statements (the AWS managed Core rule set and SQL database rule group cover both). Option A: AWS Shield Advanced adds DDoS protection for the same ALB, and its subscription includes WAF usage on protected resources.

Option C is wrong because AWS Network Firewall inspects traffic at the VPC network layer and has no understanding of HTTP request content. Option D is wrong because Amazon GuardDuty detects threats from logs and does not block requests. Option E is wrong because AWS Firewall Manager centrally deploys WAF and Shield policies across accounts but does not itself inspect traffic.

209
Multi-Selecteasy

Which TWO statements about AWS Key Management Service (KMS) are correct? (Choose two.)

Select 2 answers
A.Customer master keys (CMKs) can be automatically rotated every year.
B.KMS uses symmetric encryption only.
C.KMS can store encrypted data.
D.KMS is a regional service.
E.You cannot import your own key material into KMS.
AnswersA, D

AWS KMS can automatically rotate CMKs annually.

Why this answer

Options A and D are correct. Automatic rotation can be enabled for customer managed keys with AWS-generated material and runs yearly by default (A); the term "customer master key" has since been replaced by "KMS key". Each KMS key is created and used in one Region, with multi-Region keys as an explicit opt-in replica model (D).

Option B is wrong because KMS supports asymmetric RSA and elliptic-curve keys and HMAC keys as well as symmetric keys. Option C is wrong because KMS does not store your data; it encrypts and decrypts data keys and small payloads (envelope encryption). Option E is wrong because you can import your own key material (BYOK) into a KMS key, noting that imported material cannot be automatically rotated.

210
MCQeasy

A company needs to audit all changes to security groups in their AWS account. Which AWS service should they use?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.VPC Flow Logs
AnswerB

CloudTrail records all API calls, including security group modifications.

Why this answer

Option B is correct because AWS CloudTrail records every management API call, including AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress and similar calls, with the caller identity, source IP and time. Option A is wrong for the question as posed because AWS Config records the resulting configuration state and its history rather than the API calls themselves; in practice the two are complementary, since Config shows what a security group looked like before and after and CloudTrail shows who changed it. Option D is wrong because VPC Flow Logs capture network traffic metadata, not API calls.

Option C is wrong because CloudWatch Logs is a log store; it contains API activity only if CloudTrail is configured to deliver to it.

211
Multi-Selecteasy

A company needs to log all network traffic to and from EC2 instances for security analysis. Which TWO services can capture this data? (Choose 2)

Select 2 answers
A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.Traffic Mirroring
E.Amazon CloudWatch Logs
AnswersB, D

Flow Logs capture network traffic metadata.

Why this answer

Options B and D are correct. VPC Flow Logs capture metadata about accepted and rejected traffic (addresses, ports, protocol, byte counts, action), and Traffic Mirroring copies the actual packets from an elastic network interface to a collector for full content analysis.

Option A is wrong because AWS Config records configuration changes. Option C is wrong because CloudTrail logs API calls, not network traffic. Option E is wrong because CloudWatch Logs is a storage and query destination; Flow Logs can be delivered to it, but it captures nothing itself.

212
MCQmedium

A security engineer needs to block traffic from a specific country from reaching an Application Load Balancer. Which AWS service should be used to accomplish this?

A.Network ACLs on the VPC subnet
B.Security groups associated with the ALB
C.Route 53 Resolver DNS Firewall
D.AWS WAF web ACL associated with the ALB
AnswerD

AWS WAF supports geo-match conditions to block traffic from specific countries.

Why this answer

Option D is correct because AWS WAF provides a geographic match statement that evaluates the country of the request's source IP address, and a web ACL with a geo-match block rule can be associated with the ALB. Option B is wrong because security groups hold only allow rules keyed on IP ranges and ports, not countries. Option A is wrong because network ACLs filter by CIDR at the subnet boundary and have no notion of country.

Option C is wrong because Route 53 Resolver DNS Firewall filters outbound DNS queries from the VPC, not inbound HTTP traffic. Note that if CloudFront fronts the ALB, the geo-match statement must be configured to use the forwarded client IP (X-Forwarded-For); otherwise it evaluates CloudFront's edge addresses.

213
MCQhard

A company attaches the above bucket policy to an S3 bucket. A user from the IP range 203.0.113.0/24 makes a request over HTTPS (TLS) to download an object from the bucket. Will the request succeed?

A.Yes, but only if the request also includes a valid AWS signature.
B.No, because the Allow statement is overridden by the Deny statement.
C.No, because the Deny statement denies all requests regardless of the condition.
D.Yes, because the request uses HTTPS and comes from the allowed IP range.
AnswerD

The Deny only blocks non-HTTPS requests, and the Allow permits the IP range.

Why this answer

Option D is correct because the bucket policy includes an Allow statement that grants s3:GetObject access to requests coming from the IP range 203.0.113.0/24 over HTTPS (using the aws:SecureTransport condition). The Deny statement only denies requests that do not use HTTPS (i.e., aws:SecureTransport equals false), so a request from the allowed IP range using TLS is not affected by the Deny and is permitted by the Allow statement.

Exam trap

AWS often tests the nuance that an explicit Deny only applies when its conditions are fully satisfied, and candidates mistakenly assume any Deny statement automatically blocks all requests regardless of conditions.

How to eliminate wrong answers

Option A is wrong because the policy does not require a valid AWS signature; the Allow statement uses only IP address and HTTPS conditions, and anonymous requests from the allowed IP range over HTTPS are permitted without authentication. Option B is wrong because the Deny statement does not override the Allow statement for this request; the Deny only applies when aws:SecureTransport is false, which is not the case for an HTTPS request. Option C is wrong because the Deny statement does not deny all requests; it is conditional on the request not using HTTPS, so requests over HTTPS are not denied.
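The decision logic behind questions 206 and 213 (an explicit Deny wins, otherwise an Allow must match, otherwise the request is implicitly denied) can be exercised offline. The following is an added example, not code from this page or from AWS; the two policies are constructed to have the shapes the questions describe, and the bucket name, object key and IP addresses are made up. Principal matching is left out, so every statement is treated as applying to the caller.

```python
"""Toy evaluator for the IAM decision order: explicit Deny first, then an
Allow must match, otherwise implicit deny. The policies below are constructed
for illustration and are not the ones from the exam questions."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_pattern(pattern, value):
    # Action and Resource use * and ? wildcards; fnmatchcase has the same semantics.
    return fnmatch.fnmatchcase(value, pattern)


def condition_matches(condition, ctx):
    """Every operator/key pair must hold; several values for one key are ORed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing key never satisfies a plain condition (IfExists variants not modelled)
            actual = str(actual)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "Bool":
                ok = actual.lower() in [v.lower() for v in expected]
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in expected)
            elif operator == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in expected)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def statement_applies(stmt, action, resource, ctx):
    actions = [a for a in _as_list(stmt.get("Action", [])) if _match_pattern(a, action)]
    resources = [r for r in _as_list(stmt.get("Resource", "*")) if _match_pattern(r, resource)]
    if not actions or not resources:
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a Deny anywhere ends evaluation
            decision = "Allow"
    return decision


# Identity policy of the shape in question 206 (constructed): Describe* allowed,
# but explicitly denied whenever the requested Region is not us-east-1.
REGION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:Describe*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}

# Bucket policy of the shape in question 213 (constructed): GetObject from one
# CIDR, plus a Deny for anything not sent over TLS.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def describe_instances(region):
    return evaluate([REGION_POLICY], "ec2:DescribeInstances", "*",
                    {"aws:RequestedRegion": region})


def get_object(source_ip, https):
    return evaluate([BUCKET_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv",
                    {"aws:SourceIp": source_ip, "aws:SecureTransport": "true" if https else "false"})


if __name__ == "__main__":
    print(describe_instances("us-east-1"))         # Allow
    print(describe_instances("eu-west-1"))         # ExplicitDeny
    print(get_object("203.0.113.5", https=True))   # Allow
    print(get_object("203.0.113.5", https=False))  # ExplicitDeny
    print(get_object("198.51.100.7", https=True))  # ImplicitDeny
```

The last call is the distinction the exam keeps testing: a request from outside the CIDR over HTTPS is not hit by the Deny (TLS is in use) and is not matched by the Allow either, so it fails by implicit deny rather than by the Deny statement.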

214
Multi-Selectmedium

A company is designing a multi-account AWS environment using AWS Organizations. They need to enforce that all new S3 buckets created across accounts have encryption enabled and block public access. Which TWO approaches meet these requirements? (Choose two.)

Select 2 answers
A.Apply a service control policy (SCP) to the root organizational unit that denies s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption if the configuration does not meet requirements.
B.Use an S3 bucket policy that denies all principals unless encryption is enabled.
C.Create an AWS Config conformance pack with rules that check for encryption and public access, and auto-remediate non-compliant buckets.
D.Enable AWS CloudTrail to monitor bucket creation and send alerts to the security team.
E.Create an IAM role in each account that requires MFA for creating S3 buckets.
AnswersA, C

Correct: SCPs can deny non-compliant actions across accounts.

Why this answer

Option A is correct because an SCP attached high in the organization denies the API calls that would remove or weaken these settings in every member account, and nothing inside a member account can override it. Option C is correct because Config rules packaged as a conformance pack detect buckets without encryption or with public access and can trigger automatic remediation through Systems Manager Automation. Option D is wrong because CloudTrail only records the bucket creation; it neither prevents nor fixes anything.

Option E is wrong because requiring MFA changes who can create buckets, not how they are configured, and an IAM role in each account cannot enforce an organization-wide rule. Option B is wrong because a bucket policy applies to one existing bucket and cannot govern buckets that have not been created yet. Note that since 2023 S3 applies SSE-S3 default encryption and enables Block Public Access on all new buckets, so these controls mainly guard against someone turning the defaults off.

215
MCQmedium

A company wants to ensure that all traffic to and from its Amazon EC2 instances in a VPC is inspected by a third-party security appliance. The instances are in private subnets and must maintain their private IP addresses. Which solution should be used?

A.Deploy a Transit Gateway with a site-to-site VPN to the appliance
B.Configure a Gateway Load Balancer and Gateway Load Balancer endpoints in the VPC
C.Use VPC Peering to connect to a central inspection VPC
D.Set up a Network Load Balancer in front of the instances
AnswerB

Gateway Load Balancer with GWLBe allows transparent inline inspection of traffic.

Why this answer

Option B is correct because a Gateway Load Balancer fronts the appliance fleet and Gateway Load Balancer endpoints (GWLBe) in the VPC let route tables steer traffic through it; GENEVE encapsulation carries the original packets intact, so the instances keep their private IP addresses and the appliances see the real source and destination. Option D is wrong because a Network Load Balancer distributes connections to targets and does not place an appliance inline. Option C is wrong because VPC peering moves traffic between VPCs but provides no inspection.

Option A is wrong because a Transit Gateway with a site-to-site VPN carries traffic to a remote site and is neither inline for the VPC's traffic nor transparent.

216
MCQhard

A company has a hybrid network with an AWS Direct Connect connection to a VPC. They also have a site-to-site VPN connection as a backup. The VPC routing tables are configured with a route to the on-premises CIDR via the virtual private gateway. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect connection even when it is healthy. What is the most likely cause?

A.The VPC route table has a more specific route pointing to the VPN connection
B.The VPN connection is down
C.The VPN connection is attached to a Customer Gateway
D.The Direct Connect virtual interface is in the 'Down' state
AnswerA

Route selection uses longest prefix match first: if the VPN side advertises a more specific prefix (for example a /24 inside a /16 learned over Direct Connect), the VPN route wins regardless of the Direct Connect preference, which applies only between routes of equal length.

Why this answer

Option A is correct because the route table evaluates the longest matching prefix first. Only when prefixes are equal does AWS apply its preference order for routes propagated through the virtual private gateway (Direct Connect BGP routes before VPN static routes before VPN BGP routes). A more specific prefix advertised over the VPN therefore captures the traffic even while Direct Connect is healthy; the fix is to advertise the same prefixes over both paths so that the Direct Connect preference applies. Option B is wrong because a VPN that is down cannot attract traffic at all.

Option D is wrong because the question states the Direct Connect connection is healthy; a virtual interface in the 'Down' state would be a different failure. Option C is wrong because every Site-to-Site VPN connection is defined against a customer gateway on the on-premises side; the AWS-side termination is the virtual private gateway or transit gateway.
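Longest-prefix route selection, as an added example that is not part of the page. The route tables are constructed to reproduce the situation in this question (the real table is not shown), the gateway ID is made up, and the preference table reflects the documented AWS order for routes propagated through a virtual private gateway.

```python
"""VPC route selection for one destination: the longest prefix wins first, and
only among routes of equal length does the AWS preference for propagated
routes (Direct Connect BGP, then VPN static, then VPN BGP) decide.
Route tables below are constructed; the page does not show the real one."""
import ipaddress

# Lower value = preferred among routes of equal prefix length.
ORIGIN_PREFERENCE = {"local": 0, "dx-bgp": 1, "vpn-static": 2, "vpn-bgp": 3}


def select_route(routes, destination):
    """routes: iterable of (cidr, target, origin). Returns the winning entry or None."""
    dst = ipaddress.ip_address(destination)
    matching = [(ipaddress.ip_network(cidr), target, origin)
                for cidr, target, origin in routes
                if dst in ipaddress.ip_network(cidr)]
    if not matching:
        return None
    net, target, origin = min(matching,
                              key=lambda r: (-r[0].prefixlen, ORIGIN_PREFERENCE[r[2]]))
    return str(net), target, origin


def path_for(routes, destination):
    """Which path (origin label) carries traffic to destination, or None if unroutable."""
    chosen = select_route(routes, destination)
    return chosen[2] if chosen else None


# The situation in the question: the on-premises aggregate is learned over
# Direct Connect, but the VPN side advertises one /24 inside it.
ROUTES_MISMATCHED = [
    ("10.0.0.0/16", "local", "local"),
    ("192.168.0.0/16", "vgw-0abc12345", "dx-bgp"),
    ("192.168.10.0/24", "vgw-0abc12345", "vpn-bgp"),
]

# The fix: the same /24 is advertised over both paths, so the equal-length
# tie-break hands it to Direct Connect while the VPN route stays as fallback.
ROUTES_FIXED = ROUTES_MISMATCHED + [
    ("192.168.10.0/24", "vgw-0abc12345", "dx-bgp"),
]

if __name__ == "__main__":
    print(path_for(ROUTES_MISMATCHED, "192.168.10.5"))  # vpn-bgp: the /24 beats the /16
    print(path_for(ROUTES_MISMATCHED, "192.168.20.5"))  # dx-bgp: only the /16 matches
    print(path_for(ROUTES_FIXED, "192.168.10.5"))       # dx-bgp: equal length, DX preferred
```

When diagnosing this in a real account, compare the propagated routes shown in the VPC route table against the prefixes your router advertises on each BGP session; the prefix-length mismatch is visible there before any packet capture is needed.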

217
MCQeasy

A company wants to securely connect an on-premises data center to a VPC in AWS. The connection must be encrypted and use the public internet. The company has a moderate volume of traffic and needs a quick setup. Which solution meets these requirements?

A.AWS Client VPN
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerC

Site-to-Site VPN provides encrypted tunnels over the internet and can be set up quickly.

Why this answer

Option C is correct because AWS Site-to-Site VPN builds IPsec tunnels over the public internet to the virtual private gateway, and the AWS side is ready in minutes. Option D is wrong because Direct Connect is a dedicated private circuit that does not use the internet and takes weeks to provision. Option A is wrong because Client VPN connects individual users' devices, not a whole data center.

Option B is wrong because Transit Gateway is a routing hub that VPN or Direct Connect attachments connect to, not a connection method on its own.

218
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

A.Launch a NAT instance in a public subnet and assign an Elastic IP. Configure the private subnet route table to point to the NAT instance.
B.Create an internet gateway and attach it to the private subnet, then configure the route table.
C.Create a VPC endpoint for Amazon S3 and route software update traffic through that endpoint.
D.Create a NAT gateway in each Availability Zone and assign the same Elastic IP to both.

Why this answer

As written, no option satisfies both requirements at once. A NAT gateway is the managed choice: it is redundant within its Availability Zone and uses one Elastic IP, so a single NAT gateway gives a single allowlisted address but is tied to one AZ, while a NAT gateway per AZ survives an AZ failure but presents one Elastic IP per AZ, so the allowlist would have to contain all of them. Option D as stated is not possible: an Elastic IP can be associated with only one network interface at a time, so it cannot be assigned to two NAT gateways.

Option A is wrong because a NAT instance is a single EC2 instance and therefore not highly available (its Elastic IP can be moved to a standby, but only with failover tooling you build and operate yourself). Option B is wrong because an internet gateway is attached to the VPC, not to a subnet, and instances without public IP addresses cannot use it for outbound traffic. Option C is wrong because a gateway endpoint reaches only Amazon S3, not the general internet.

219
MCQeasy

A company needs to block traffic from a specific IP address range in their VPC. Which component should be used?

A.Route table
B.Network ACL
C.Internet gateway
D.Security group
AnswerB

NACLs can deny traffic from specific IP ranges.

Why this answer

Option B is correct because network ACLs carry numbered allow and deny rules evaluated at the subnet boundary, so a deny rule with a low number for the range blocks it before any broader allow rule is reached. They are stateless, so the matching inbound and outbound rules, including ephemeral port ranges for return traffic, must both be considered. Option D is wrong because security groups contain only allow rules; an address is blocked only by not being allowed, which cannot carve an exception out of a broader allow. Option A is wrong because route tables decide where packets go, not whether they are permitted.

Option C is wrong because an internet gateway is a routing target, not a filter.
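Network ACL rule evaluation, as an added example that is not taken from the page. The rule sets are constructed; they show a low-numbered deny carving a range out of a broad allow, and the stateless pitfall where a missing outbound ephemeral-port rule breaks a session that the inbound rules allowed.

```python
"""Network ACL semantics as a toy evaluator: rules are tried in ascending
rule-number order, the first match decides, the implicit '*' rule denies, and
inbound and outbound are evaluated independently (stateless).
The rule sets below are constructed for illustration; the page shows none."""
import ipaddress

# rule tuple: (number, protocol, port_from, port_to, cidr, action)
# protocol "all" means every protocol and ignores the port range, as in the console.


def nacl_decision(rules, peer_ip, port, proto="tcp"):
    """Return (action, rule_number) for one packet to/from peer_ip on port."""
    for number, rproto, port_from, port_to, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto != "all" and rproto != proto:
            continue
        if rproto != "all" and not (port_from <= port <= port_to):
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(cidr):
            continue
        return action, number
    return "deny", "*"  # the implicit final rule


# Inbound rules for a subnet serving HTTPS: rule 10 blocks the unwanted range
# before rule 100 would allow it; rule 120 admits replies to outbound connections.
INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (10, "all", 0, 65535, "198.51.100.0/24", "deny"),
    (120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# Outbound rules: responses to clients land on their ephemeral ports (rule 100),
# and the instances may call out to HTTPS (rule 110).
OUTBOUND = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# A common mistake: only the "forward" direction is allowed, nothing for replies.
OUTBOUND_BROKEN = [
    (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]


def inbound(peer_ip, port):
    return nacl_decision(INBOUND, peer_ip, port)[0]


def https_session_ok(client_ip, client_port, outbound_rules):
    """A TCP session to the server needs the inbound SYN to 443 *and* the
    outbound reply to the client's ephemeral port; the ACL checks each on its own."""
    syn = nacl_decision(INBOUND, client_ip, 443)[0]
    reply = nacl_decision(outbound_rules, client_ip, client_port)[0]
    return syn == "allow" and reply == "allow"


if __name__ == "__main__":
    print(nacl_decision(INBOUND, "198.51.100.9", 443))              # ('deny', 10)
    print(inbound("203.0.113.9", 443))                               # allow
    print(https_session_ok("203.0.113.9", 51515, OUTBOUND))          # True
    print(https_session_ok("203.0.113.9", 51515, OUTBOUND_BROKEN))   # False
```

The number on the deny rule is what matters: had it been 200 instead of 10, rule 100 would have matched first and the range would have been admitted on 443. A security group needs no ephemeral-port rules because it tracks connections; that is the difference between the two options in this question.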

220
MCQmedium

A company wants to securely connect an on-premises data center to a VPC using AWS Site-to-Site VPN. The security team requires that all traffic between the on-premises network and the VPC be encrypted and that the VPN tunnel be highly available. Which design BEST meets these requirements?

A.Use AWS Direct Connect with a private VIF and enable encryption on the connection.
B.Create a single VPN tunnel with a virtual private gateway and enable encryption.
C.Create two VPN tunnels to the same virtual private gateway for redundancy.
D.Create a VPN connection with two tunnels, each terminating on a different virtual private gateway in the same VPC.
AnswerD

IPsec provides the encryption; two tunnels ending on distinct AWS endpoints provide the high availability.

Why this answer

Option D is correct because a VPN connection whose two tunnels terminate on different AWS-side endpoints removes the single point of failure while IPsec encrypts both tunnels. Option B is wrong because a single tunnel is not highly available. Option A is wrong because Direct Connect does not encrypt traffic by itself; a private VIF carries cleartext unless you add MACsec or IPsec on top.

Option C is wrong because two tunnels to the same endpoint still share one point of failure. Note that an AWS Site-to-Site VPN connection always comes with two tunnels, each terminating on a different AWS public endpoint, and a VPC can have only one virtual private gateway attached at a time; the question's wording 'different virtual private gateways' should be read as those two distinct tunnel endpoints. For resilience on the on-premises side as well, terminate the tunnels on two customer gateway devices.

221
Multi-Selecteasy

A company wants to encrypt all data in transit between an Application Load Balancer (ALB) and its target EC2 instances. Which TWO actions should be taken?

Select 2 answers
A.Enable Client Certificate Authentication on the ALB
B.Configure the target group to use HTTPS as the protocol
C.Add a listener rule to forward traffic based on path
D.Configure the ALB listener to use HTTPS
E.Configure security groups to allow only HTTPS traffic
AnswersB, D

HTTPS target group ensures traffic from ALB to targets is encrypted.

Why this answer

Options B and D are correct. The ALB listener must use HTTPS so that it terminates TLS from the client; the target group must use the HTTPS protocol so that the load balancer re-encrypts the connection to each target. Note that the ALB does not validate the target's certificate, so a self-signed certificate on the instances works, but that hop gives confidentiality without authenticating the target.

Option C is wrong because listener rules choose where a request is forwarded and do not affect encryption. Option E is wrong because a security group restricts which ports are reachable but encrypts nothing (it is still sensible to allow only 443 to the targets). Option A is wrong because client certificate authentication (mutual TLS) covers the client-to-ALB leg, not the ALB-to-target leg.

222
MCQmedium

A company is using AWS WAF to protect its web application. The security team notices that the WAF logs show a high number of requests from a specific IP address range that are being blocked by the SQL injection rule. However, the application team reports that legitimate users from that IP range are unable to access the application. Which action should the security team take to resolve this issue while maintaining security?

A.Disable the SQL injection rule for the specific IP range.
B.Increase the rate limit for the entire WAF.
C.Add the IP range to the allow list in the WAF.
D.Create a rate-based rule to limit requests from the IP range.
AnswerD

A rate-based rule allows legitimate traffic while blocking excessive requests that may be malicious.

Why this answer

Option D is correct because a rate-based rule scoped to the IP range limits the request rate from those addresses while the SQL injection rule continues to inspect content, so legitimate low-volume users get through. Option A is wrong because disabling the SQL injection rule for the range removes the protection precisely where the suspicious traffic originates. Option C is wrong because allowlisting the whole range bypasses every WAF rule for it.

Option B is wrong because a WAF-wide rate limit is not granular and does not address the specific range. In practice, inspect the logged requests first: the terminatingRuleMatchDetails field in the WAF log shows which part of the request (header, query string, body) triggered the SQLi match, so if this is a false positive you can narrow the SQLi rule with a scope-down statement for that specific URI or parameter rather than touching the IP range at all.

223
Multi-Selecthard

A company needs to ensure that all outbound internet traffic from a VPC goes through a centralized inspection appliance. The VPC has multiple subnets. Which THREE steps are required to implement this?

Select 3 answers
A.Configure security groups to allow outbound traffic from the instances
B.Launch a NAT gateway in a public subnet and associate it with an Elastic IP
C.Attach an Internet Gateway to the VPC and route all traffic to it
D.Create VPC endpoints for all required AWS services
E.Configure route tables in each private subnet to send 0.0.0.0/0 traffic to a NAT gateway in a public subnet
AnswersA, B, E

Security groups must allow the outbound traffic, the NAT gateway is the egress point, and every private subnet's route table must send default traffic to it.

Why this answer

Options A, B, and E are correct. Option E (a 0.0.0.0/0 route in each private subnet's route table pointing at the egress point) is what actually forces all subnets through one exit. Option B (a NAT gateway in a public subnet with an Elastic IP) provides that exit for IPv4; for IPv6 the equivalent would be an egress-only internet gateway. Option A (security groups permitting outbound traffic) is required or the instances never send anything; the default security group allows all outbound, but a hardened group may not.

Option C is wrong because an Internet Gateway with everything routed to it gives the private subnets no inspection point, and instances without public IPs could not use it anyway. Option D is wrong because VPC endpoints reach AWS services, not the internet. Note that the question treats the NAT gateway as the choke point; with a real third-party appliance the 0.0.0.0/0 route in each private subnet points at the appliance's network interface or at a Gateway Load Balancer endpoint instead.

224
Multi-Selecthard

A company is designing a multi-VPC architecture with AWS Transit Gateway. The security requirements include: (1) all inter-VPC traffic must be inspected by a central firewall, (2) traffic to the internet must egress through a centralized egress VPC, and (3) traffic to on-premises via Direct Connect must go through the same inspection firewall. Which THREE components are required to meet these requirements?

Select 3 answers
A.VPC peering connections between all VPCs
B.AWS Network Firewall in an inspection VPC
C.Virtual Private Gateway (VGW) attachment to the inspection VPC
D.NAT gateways in each VPC
E.AWS Transit Gateway with multiple route tables
AnswersB, C, E

Provides centralized traffic inspection.

Why this answer

Option E (Transit Gateway with multiple route tables) is needed so that the spoke VPC attachments send traffic to the inspection VPC while the inspection VPC's own route table forwards it on to the destination; a single route table cannot force that hairpin. Option B (AWS Network Firewall in an inspection VPC) performs the inspection. Option C (a virtual private gateway attached to the inspection VPC) is the question's mechanism for bringing Direct Connect traffic through the firewall; in many Transit Gateway designs Direct Connect is instead associated with the Transit Gateway through a Direct Connect gateway and a transit virtual interface, with the inspection route table steering it.

Option D is wrong because a NAT gateway in every VPC lets each VPC egress on its own, defeating the centralized egress requirement. Option A is wrong because VPC peering creates direct paths between VPCs that bypass the Transit Gateway and therefore the firewall.

225
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution meets this requirement?

A.Create a VPC gateway endpoint for S3 and attach an endpoint policy that restricts access to the specific bucket
B.Establish a VPN connection to the on-premises network and route through it
C.Set up a NAT gateway in the public subnet and route private subnet traffic to it
D.Deploy a proxy server in the public subnet and configure the instance to use it
AnswerA

Traffic stays within AWS network.

Why this answer

Option A is correct because a gateway endpoint for S3 adds a route for the S3 prefix list to the private subnet's route table, so requests reach S3 over the AWS network without an internet gateway or NAT, and the endpoint policy can pin access to the one bucket. Option C is wrong because a NAT gateway forwards the traffic through the internet gateway to S3's public endpoints. Option D is wrong because a proxy in the public subnet also reaches S3 over the internet.

Option B is wrong because a VPN connects to the on-premises network; sending S3 traffic through it would still need an internet path on the far side.
