CCNA Network Security Governance Questions

75 of 421 questions · Page 4/6 · Network Security Governance topic · Answers revealed

226
MCQeasy

A company needs to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile apps. Which AWS service should they use?

A.AWS Key Management Service (KMS)
B.Amazon Cognito user pools
C.AWS Security Token Service (STS)
D.IAM user with access keys
Answer: C

STS issues temporary, limited-privilege credentials.

Why this answer

AWS STS lets a caller request short-lived credentials (for example through AssumeRole or AssumeRoleWithWebIdentity) that expire on their own, which is what a mobile app should hold. Option A is wrong because KMS manages encryption keys, not credentials. Option B is wrong because a Cognito user pool is an identity store that authenticates users; the temporary AWS credentials themselves come from STS (a Cognito identity pool obtains them from STS on the app's behalf).

Option D is wrong because IAM user access keys are long-term credentials and should never be embedded in a mobile app.

227
MCQmedium

A company has an AWS Direct Connect connection and wants to ensure that all traffic from its VPC to an S3 bucket in another region stays within the AWS network. How should this be accomplished?

A.Create a VPC Gateway Endpoint for S3 in the source VPC
B.Create a VPC Interface Endpoint for S3 in the source VPC
C.Use a NAT gateway in the VPC and route traffic through the Direct Connect public VIF
D.Establish a VPN connection to the S3 bucket
Answer: C

The page's reasoning: a Direct Connect public VIF carries AWS public prefixes, so traffic to S3 in any region travels over the AWS backbone rather than the public internet.

Why this answer

Option A is wrong because a gateway endpoint for S3 is regional: it only reaches buckets in the same region as the VPC. Option B is wrong for the same reason; an interface endpoint for S3 does exist, but it is also region-local. Option D is wrong because a VPN terminates on the VPC, not on S3, and provides no cross-region path. Option C is the marked answer because, in the page's framing, the public VIF rather than an endpoint is the path that keeps cross-region S3 traffic on the AWS network.

Caveat: a public VIF is used from the on-premises side of a Direct Connect link; a VPC route table cannot send traffic into it, so treat this question as exam framing rather than a build recipe.

228
Multi-Selectmedium

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team wants to implement defense in depth. Which three layers of security should be configured?

Select 3 answers
A.Security groups
B.AWS WAF
C.AWS Identity and Access Management (IAM) policies
D.VPC Flow Logs
E.Network ACLs
Answers: A, B, E

Three layers: instance, subnet and application.

Why this answer

Security groups act as stateful virtual firewalls at the instance (ENI) level. Network ACLs provide stateless filtering at the subnet level. AWS WAF filters HTTP(S) requests at the application layer, in front of an ALB, API Gateway or CloudFront.

Option C is wrong because IAM policies govern identity and API access, not network traffic. Option D is wrong because VPC Flow Logs record traffic metadata for monitoring; they do not block anything.

229
MCQeasy

A company needs to audit all changes to security groups in a VPC. Which AWS service should be used?

A.VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch
D.AWS CloudTrail
Answer: D

CloudTrail records the API calls made in the account, including security group modifications.

Why this answer

Option D is correct because AWS CloudTrail records API calls such as AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress together with the caller identity, source IP and time, which is what an audit needs. Option A is wrong because VPC Flow Logs capture network traffic, not API changes. Option C is wrong because CloudWatch is for metrics, logs and alarms; it does not record API activity on its own.

Option B is wrong in this question's framing because AWS Config records resource configuration history and compliance rather than the API calls themselves. In practice Config is a useful complement (it shows what a rule looked like before and after a change), but the record of who made the call comes from CloudTrail.

230
MCQmedium

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

A.AWS CloudTrail
B.AWS Config
C.VPC Flow Logs
D.Amazon Inspector
Answer: A

CloudTrail records API calls, including security group modifications.

Why this answer

Option A is correct: AWS CloudTrail records the API calls that change security group rules. Option B is wrong for the purpose stated: AWS Config tracks resource configuration over time, but the direct record of who called which API, and when, is CloudTrail.

Option C is wrong because VPC Flow Logs capture network traffic, not configuration changes. Option D is wrong because Amazon Inspector assesses software vulnerabilities and network reachability; it does not audit configuration changes.

231
MCQeasy

A company is using AWS WAF to protect a web application. They want to block requests that originate from known malicious IP addresses. Which WAF rule type should be used?

A.String match condition
B.Regex match condition
C.SQL injection match condition
D.IP set match condition
Answer: D

An IP set match condition allows or blocks requests based on their source IP address.

Why this answer

IP set match conditions compare the source IP address of a request against a list of IP addresses or CIDR ranges. String match, regex match and SQL injection match conditions inspect request content and are meant for other attack types. The "condition" naming comes from AWS WAF Classic; in the current AWS WAF the same building block is an IP set match statement inside a rule.

232
MCQhard

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to use a proxy server running on an EC2 instance in the public subnet. The security group for the proxy server must allow inbound HTTP/HTTPS from the instance in the private subnet. The security group for the private instance must allow outbound HTTP/HTTPS to the proxy server. However, the private instance cannot connect to the proxy. What is the most likely cause?

A.The security group for the private instance does not allow outbound traffic to the proxy server.
B.The network ACL for the private subnet blocks inbound traffic from the proxy.
C.The route table for the private subnet has a default route pointing to a NAT gateway instead of the proxy server.
D.The security group for the proxy server does not allow inbound traffic from the private instance's security group.
Answer: C

If the default route points to a NAT gateway, internet-bound traffic goes through the NAT gateway instead of the proxy.

Why this answer

Option C is correct because the private subnet's route table most likely still has its default route (0.0.0.0/0) pointing at a NAT gateway or internet gateway, so internet-bound traffic bypasses the proxy. The question states that both security groups already permit the proxy traffic, so Option A and Option D describe configurations that are already in place. Option B is less likely because the question says nothing about network ACLs; a NACL that blocked the return traffic would be a separate problem.

Caveat: traffic addressed to the proxy's private IP uses the VPC's local route regardless of the default route, so in a real build you would also confirm that the instance is configured to use the proxy (for example through http_proxy and https_proxy settings) and that the proxy's own subnet has a working path to the internet.

233
MCQhard

A company is setting up a cross-account VPC peering connection between VPC A (account 1) and VPC B (account 2). The security team wants to ensure that only specific TCP ports are allowed between the VPCs. They have configured the route tables and the VPC peering connection is active. Which additional configuration is required to enforce the port restriction?

A.Modify the network ACLs in both VPCs to allow inbound traffic only on the required ports.
B.Use network ACLs with stateful filtering to allow only the required ports.
C.Update the security groups in both VPCs to allow inbound traffic only on the required ports from the peered VPC's CIDR or security group.
D.Configure the route tables to deny traffic on all ports except the allowed ones.
Answer: C

Security groups filter by protocol and port at the instance level and can reference the peered VPC's security group.

Why this answer

Option C is correct because security groups control traffic per instance by protocol and port, and the source can be the peered VPC's CIDR or, for peered VPCs in the same region, a security group ID from the peer account, so the rule follows the workload rather than an address range. Option A is wrong because network ACLs are stateless, subnet-level and cannot reference security groups; they can add a second layer but are not the primary port control. Option B is wrong because network ACLs do not support stateful filtering.

Option D is wrong because route tables only decide where traffic goes; they cannot filter by port.

234
MCQeasy

A company has an S3 bucket that stores sensitive documents. They need to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Additionally, they want to prevent any uploads that do not specify the required KMS key. Which combination of bucket policy and default encryption should they implement?

A.Enable default encryption on the bucket with SSE-KMS using the required KMS key, and add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header with the required key ARN.
B.Enable default encryption with SSE-S3, and add a bucket policy that denies s3:PutObject unless the request uses the required KMS key.
C.Use a bucket policy that requires the kms:Encrypt permission for the required key, but do not enable default encryption.
D.Enable default encryption with SSE-KMS using the required key, and rely on IAM policies to enforce encryption, not bucket policies.
Answer: A

Default encryption ensures objects are encrypted with the required key when no header is provided, and the bucket policy rejects uploads that name a different key or none at all. Option B is wrong because SSE-S3 default encryption would store header-less uploads under an S3-managed key, not the required KMS key. Option C is wrong because a KMS permission does not stop an upload that simply omits encryption. Option D is wrong because IAM policies only bind the principals you write them for; a bucket policy applies to every caller.

235
MCQmedium

A company uses AWS Certificate Manager (ACM) to provision SSL/TLS certificates for their Application Load Balancer (ALB). They want to ensure that the ALB only accepts connections using TLS 1.2 or higher. How should they configure this?

A.Use ACM to generate a certificate that only supports TLS 1.2.
B.Configure the ALB with an appropriate security policy that enforces TLS 1.2.
C.Configure the ALB to use a CloudFront distribution with a TLS policy.
D.Use AWS Route 53 to enforce TLS version at the DNS level.
Answer: B

ALB listener security policies set the minimum TLS protocol version and the cipher suites.

Why this answer

Option B is correct because the TLS version is a property of the ALB's HTTPS listener security policy (for example a policy whose name starts with ELBSecurityPolicy-TLS13-1-2, which requires TLS 1.2 or later). Option A is wrong because ACM provides certificates; a certificate does not control protocol versions. Option C is wrong because CloudFront is a separate service with its own security policies and does not configure the ALB.

Option D is wrong because Route 53 is DNS and cannot enforce TLS versions.

236
MCQeasy

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer needs to restrict access to only the company's public IP range (203.0.113.0/24). What is the correct way to modify the security group rule?

A.Edit the existing inbound rule and change the source CIDR to 203.0.113.0/24.
B.Add a new inbound rule allowing SSH from 203.0.113.0/24 and keep the existing rule.
C.Remove the security group rule and add a new rule to deny SSH from 0.0.0.0/0.
D.Create a network ACL that denies SSH from 0.0.0.0/0.
Answer: A

This restricts SSH access to the specified range.

Why this answer

Option A is correct because the open rule itself must change so that the only SSH source is 203.0.113.0/24. Option B is wrong because adding a second rule leaves the 0.0.0.0/0 rule in place, so nothing is restricted. Option C is wrong because security groups are allow-only; there is no deny rule to add.

Option D is wrong because a network ACL works at the subnet level and a NACL denying SSH from 0.0.0.0/0 would also block the company's own range.

237
MCQeasy

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to enforce this policy?

A.AWS Organizations SCP
B.AWS Config
C.IAM policy with a condition for aws:MultiFactorAuthPresent
D.AWS CloudTrail
Answer: C

An IAM policy can deny actions unless MFA was used.

Why this answer

Option C is correct because an IAM policy can carry a condition on aws:MultiFactorAuthPresent (typically a Deny with BoolIfExists set to false, so that it also applies when the key is absent from the request context, as it is for long-term access keys) that refuses API calls made without MFA. Option A is wrong in this question's framing because an SCP sets the maximum permissions for accounts and cannot enable MFA on a user, although an SCP can carry the same condition. Option B is wrong because AWS Config (for example the iam-user-mfa-enabled managed rule) detects users without MFA but does not enforce it.

Option D is wrong because CloudTrail only logs.

238
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have block public access enabled. Which approach should be used?

A.Use AWS CloudTrail to monitor bucket creation and alert.
B.Use AWS Config rules to detect and remediate noncompliant buckets.
C.Apply a service control policy (SCP) that denies bucket creation without block public access.
D.Create an IAM role in each account that restricts bucket permissions.
Answer: C

SCPs apply centrally to every account in the organization.

Why this answer

Option C is correct because a service control policy applies to all member accounts and can deny the calls that would weaken the setting (for example s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock), so no principal in a member account can turn block public access off. Option A is wrong because CloudTrail records and alerts but does not enforce. Option B is wrong in this question's framing because AWS Config detects noncompliance after the fact; it can trigger remediation, but the bucket is noncompliant first.

Option D is wrong because an IAM role per account has to be created and maintained in every account and does not constrain other principals in that account.

239
Multi-Selectmedium

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC contains a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to use a VPC endpoint for S3. Which TWO configurations are required?

Select 2 answers
A.Assign a public IP address to the EC2 instance.
B.Create an endpoint policy that allows access to the S3 bucket.
C.Deploy a NAT gateway in the public subnet.
D.Add a route in the private subnet's route table pointing to the gateway endpoint.
E.Attach a security group to the gateway endpoint.
Answers: B, D

A gateway endpoint is reached through a route table entry, and its endpoint policy limits what can be accessed through it.

Why this answer

Option D is correct because a gateway endpoint for S3 is a route table target: the private subnet's route table needs a route for the S3 prefix list pointing at the endpoint (the console adds it when you select the route table at creation). Option B is correct because the endpoint policy controls which buckets and actions are reachable through the endpoint; the default policy allows everything, so a scoped policy is what turns the endpoint into an access control. Option E is wrong because gateway endpoints have no ENI and cannot carry a security group.

Option A is wrong because no public IP is needed; the traffic never leaves the AWS network. Option C is wrong because a NAT gateway is unnecessary when the endpoint provides the path to S3.

240
Multi-Selecthard

A company's security team is designing a solution to restrict S3 bucket access based on the requester's network. The company has a set of on-premises IP ranges and wants to ensure that only requests originating from those IPs can access the bucket. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Configure the EC2 instances in the VPC to use Elastic IPs and allow those IPs in the bucket policy
B.Create a VPC endpoint for S3 and attach a VPC endpoint policy that restricts access to the specific bucket
C.Use AWS WAF to inspect HTTP requests to the bucket
D.Enable S3 Block Public Access on the bucket
E.Create an S3 bucket policy that uses the aws:SourceIp condition to allow access only from the on-premises IP ranges
Answers: B, E

Requests from on-premises are authorized by source IP; requests from the VPC are authorized by the endpoint they arrive through.

Why this answer

Option E is correct because a bucket policy with an aws:SourceIp condition restricts access to the on-premises ranges. Option B is correct because a VPC endpoint with an endpoint policy scoped to the bucket gives the VPC its own controlled path: requests from inside the VPC (whose public address would otherwise be a NAT gateway IP) are allowed only if they come through the endpoint and satisfy its policy.

Option A is wrong because instance Elastic IPs change and would have to be maintained in the bucket policy. Option C is wrong because AWS WAF protects web front ends (CloudFront, ALB, API Gateway), not the S3 API. Option D is wrong because block public access removes public grants but does not restrict which addresses may use authenticated access.

Practitioner caveat: requests that arrive through a VPC endpoint carry no public source address for aws:SourceIp to match, so a bucket policy that denies everything outside the on-premises ranges needs an exception keyed on aws:SourceVpce (or aws:SourceVpc) for the endpoint path, or it will lock the VPC out.

241
Multi-Selecthard

A company needs to ensure that all outbound traffic from a VPC goes through a centralized inspection appliance in a different VPC. Which TWO actions must be taken to achieve this?

Select 2 answers
A.Deploy VPC endpoints for all AWS services used.
B.Use AWS Direct Connect Gateway to route traffic between VPCs.
C.Create VPC peering connections between all VPCs.
D.Use AWS Transit Gateway with appropriate route tables to direct traffic to the inspection VPC.
E.Configure the inspection VPC to forward traffic to its destination after inspection.
Answers: D, E

Transit Gateway route tables can steer every attachment's traffic through a single inspection VPC.

Why this answer

Option D is correct: a Transit Gateway with separate route tables for the spoke VPCs and the inspection VPC can send all outbound traffic to the inspection VPC attachment. Option E is correct: after inspection the appliance must forward the traffic on towards its destination, so the inspection VPC needs its own routes back to the Transit Gateway, and on to an internet gateway or NAT gateway when the destination is the internet. Option C is wrong because VPC peering is not transitive, so a peered inspection VPC cannot forward traffic onward.

Option B is wrong because a Direct Connect gateway connects on-premises circuits to VPCs, not VPC to VPC. Option A is wrong because VPC endpoints only reach specific AWS services and bypass inspection rather than enable it.

242
Multi-Selectmedium

A company wants to inspect traffic between VPCs in the same region using a third-party security appliance. Which THREE components are needed? (Choose 3)

Select 3 answers
A.VPC Peering connections between all VPCs
B.NAT Gateways in each VPC
C.AWS Transit Gateway
D.Route tables in the inspection VPC directing traffic through the appliance
E.A dedicated inspection VPC for the security appliance
Answers: C, D, E

Transit Gateway provides the hub-and-spoke connectivity that makes central inspection possible.

Why this answer

Options C, D and E are correct. A Transit Gateway interconnects the VPCs, a dedicated inspection VPC hosts the appliance, and route tables in that VPC must direct the traffic arriving from the Transit Gateway through the appliance and back.

Option A is wrong because VPC peering is not transitive, so it cannot place an appliance in the middle of the path. Option B is wrong because NAT gateways provide outbound internet access, not inter-VPC inspection.

243
MCQmedium

A company is using AWS Client VPN to provide remote access to their VPC. They want to ensure that only authenticated users from their corporate Active Directory can access the VPN. Which authentication method should they use?

A.IAM authorization
B.SAML-based federated authentication
C.Certificate-based authentication using AWS Certificate Manager
D.Mutual authentication
Answer: B

SAML federation lets Client VPN authenticate users against Active Directory through an identity provider.

Why this answer

Option B is correct because AWS Client VPN supports SAML-based federated authentication, so an identity provider backed by the corporate Active Directory can authenticate users and supply group membership for authorization rules. Option C is wrong because certificate-based authentication identifies a client certificate, not an Active Directory user. Option D is wrong because mutual authentication is the certificate-based mode under another name.

Option A is wrong because IAM authorization applies to AWS API calls, not VPN logins. Client VPN also supports direct Active Directory authentication through AWS Directory Service; it is not among the options here, but it is the other way to meet the requirement.

244
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized security appliance running in a security VPC. Which configuration should be used?

A.Configure network ACLs in each VPC to deny traffic directly between VPCs.
B.Attach the VPCs to the Transit Gateway and configure route tables to send inter-VPC traffic to the security VPC via a blackhole route.
C.Create VPC peering connections between each VPC and the security VPC, then update route tables.
D.Use NAT gateways in each VPC to route traffic through the security VPC.
Answer: B

Transit Gateway route tables force inter-VPC traffic through the security VPC.

Why this answer

Option B is correct because attaching the VPCs to a Transit Gateway and giving the spoke attachments a route table whose default route points at the security VPC attachment sends inter-VPC traffic through the inspection appliance; blackhole routes in that table stop spokes from reaching each other directly. Option C is wrong because VPC peering is point-to-point and not transitive, so it cannot centralize inspection. Option D is wrong because NAT gateways provide outbound internet access only.

Option A is wrong because network ACLs filter by address and port; they cannot redirect traffic through an appliance.

245
MCQmedium

A company wants to restrict access to an Amazon S3 bucket so that only traffic from a specific AWS Direct Connect virtual interface (VIF) can access it. Which combination of steps should the company take?

A.Attach an S3 bucket policy that denies access unless the source IP is the public IP address of the Direct Connect VIF.
B.Create a VPC endpoint for S3 with a VPC endpoint policy that allows access only from the VPC, and configure the VPC route table to route S3 traffic through the Direct Connect VIF.
C.Create a network ACL that allows S3 traffic only from the Direct Connect CIDR block and associate it with the VPC subnet connected to the VIF.
D.Configure the Direct Connect VIF with a public IP address and use an S3 bucket policy that allows access only from that IP address.
Answer: B

This ties S3 access to the path: traffic must use the VPC endpoint, and the route table determines that the path runs over the Direct Connect VIF.

Why this answer

Option B is correct because a VPC endpoint with an endpoint policy, combined with route tables that carry the S3 traffic over the Direct Connect VIF, restricts access to that path rather than to an address. Option C is wrong because network ACLs are stateless subnet filters and S3 itself never evaluates them. Option A is wrong because a bucket policy keyed on an IP address does not prove which path the request took.

Option D is wrong for the same reason: an IP allow-list on the bucket authorizes an address, not the Direct Connect path.

246
MCQhard

A financial services company is required to encrypt all data at rest and in transit. They have an Amazon S3 bucket with server-side encryption enabled (SSE-S3) and are using HTTPS for all API calls. During an audit, the auditor points out that the bucket policy does not explicitly deny requests that do not use HTTPS. Which of the following should the company add to the bucket policy to enforce HTTPS?

A.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
B.{"Effect":"Allow","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
C.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
D.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
Answer: D

This denies requests when aws:SecureTransport is false, which is the same as requiring HTTPS.

Why this answer

Option D is correct because a Deny whose condition is aws:SecureTransport equal to false refuses every request that did not arrive over TLS, and an explicit deny overrides any allow. Options A and C (the page lists the same statement twice) are wrong because they deny when aws:SecureTransport is true, which would block the HTTPS requests and leave plain HTTP untouched. Option B is wrong because an Allow for HTTPS denies nothing; a caller with an allow from elsewhere could still use HTTP.

Practitioner note: scope the Resource to both the bucket ARN and bucketname/* so that bucket-level operations (listing, configuration calls) are covered as well as object operations.
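The policies in questions 234, 237, 240 and 246 all come down to a Deny statement whose Condition block either matches the request context or does not. What follows is an added example, not code from the page or from AWS: a small Python evaluator that implements just enough of IAM condition semantics (an explicit deny wins; the operators Bool, BoolIfExists, StringEquals, StringNotEquals, IpAddress, NotIpAddress and Null; a missing context key matches only the IfExists and negated operators) to run those four statements against constructed request contexts. The bucket name, KMS key ARN, endpoint ID, on-premises range and the sample requests are assumptions, not values from the page.

```python
"""Toy evaluator for the Deny statements in questions 234, 237, 240 and 246.

Added illustration, not AWS code. It models only what these statements need:
an explicit Deny wins; operators Bool, BoolIfExists, StringEquals,
StringNotEquals, IpAddress, NotIpAddress and Null; a missing context key
matches only the ...IfExists and negated operators. Allows are not modelled.
Every ARN, ID, range and request below is a constructed assumption.
"""
import fnmatch
import ipaddress

KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET_ARN = "arn:aws:s3:::example-docs-bucket"           # assumed bucket
OBJECT_ARN = BUCKET_ARN + "/report.pdf"
ON_PREM_RANGES = ["203.0.113.0/24"]                        # assumed office range
VPCE_ID = "vpce-0123456789abcdef0"                         # assumed S3 endpoint
KMS_HEADER_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Q246: refuse anything that did not arrive over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Q234: an upload must name a KMS key ...
            "Sid": "DenyMissingKmsKeyHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {KMS_HEADER_KEY: "true"}},
        },
        {   # ... and it must be the required key, not some other one
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {KMS_HEADER_KEY: KMS_KEY_ARN}},
        },
        {   # Q240: outside the on-prem ranges, only the VPC endpoint path is allowed
            "Sid": "DenyOffNetwork", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": ON_PREM_RANGES},
                          "StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
        },
    ],
}

IDENTITY_POLICY = {   # Q237: attached to the users/roles, not to the bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
        # BoolIfExists: a request whose context lacks the key is denied too
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
POLICIES = [BUCKET_POLICY, IDENTITY_POLICY]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(operator, actual, expected):
    values = [str(v) for v in _as_list(expected)]
    if operator == "Null":                      # "true" means: key must be absent
        return (actual is None) == (values[0].lower() == "true")
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    negated = base in ("StringNotEquals", "NotIpAddress")
    if actual is None:                          # missing key in the request context
        return if_exists or negated
    if base == "Bool":
        return str(actual).lower() == values[0].lower()
    if base in ("StringEquals", "StringNotEquals"):
        return (actual in values) != negated
    if base in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return hit != negated
    raise ValueError(f"unsupported operator {operator}")


def _statement_applies(stmt, action, resource, ctx):
    """Action and Resource use IAM-style '*' globs; all condition pairs are ANDed."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_operator_matches(op, ctx.get(key), want)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, want in pairs.items())


def explicit_deny(action, resource, ctx, policies=POLICIES):
    """Return the Sid of the first Deny that matches the request, else None."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, ctx):
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    on_prem = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10",
               "aws:MultiFactorAuthPresent": "true"}
    print(explicit_deny("s3:GetObject", OBJECT_ARN, {**on_prem, "aws:SecureTransport": "false"}))
    print(explicit_deny("s3:PutObject", OBJECT_ARN, {**on_prem, KMS_HEADER_KEY: KMS_KEY_ARN}))
```

An HTTP request is refused by DenyInsecureTransport, an upload without the key header by DenyMissingKmsKeyHeader, an upload naming another key by DenyWrongKmsKey, an internet request from outside 203.0.113.0/24 by DenyOffNetwork, and a request whose context carries no MFA claim by DenyWithoutMFA, while a TLS upload with the right key from the office range, or a request through the endpoint, passes every Deny. Passing every Deny is not the same as being allowed: an Allow from a bucket or identity policy is still required, and that side is deliberately left out.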

247
MCQmedium

A company wants to restrict access to an S3 bucket so that only traffic from a specific AWS account is allowed. Which S3 bucket policy condition key should be used to achieve this?

A.aws:PrincipalAccount
B.aws:Referer
C.aws:SourceAccount
D.aws:SourceArn
Answer: C

aws:SourceAccount checks the account that a request originates from.

Why this answer

The page's reasoning: aws:SourceAccount restricts access to requests originating from the specified AWS account. Option A is treated as wrong because aws:PrincipalAccount checks the account of the calling principal rather than the source of the request. Option D is wrong because aws:SourceArn checks the ARN of the source resource. Option B is wrong because aws:Referer checks the HTTP Referer header, which any client can set to whatever it likes.

Practitioner caveat: in current IAM semantics aws:SourceAccount is populated when an AWS service makes a request on behalf of a resource (the confused-deputy case), while requests signed by IAM users and roles carry the caller's account in aws:PrincipalAccount; for "only principals from account X", aws:PrincipalAccount is the key to use.

248
MCQeasy

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while preventing inbound traffic from the internet. Which AWS service should they use?

A.VPC Peering
B.NAT Gateway
C.Internet Gateway
D.VPN Connection
Answer: B

A NAT Gateway enables outbound internet access from private subnets.

Why this answer

A NAT gateway in the public subnet lets instances in the private subnet initiate outbound connections, while unsolicited inbound connections from the internet cannot reach them. Option A is wrong because VPC peering connects VPCs and does not provide internet access. Option C is wrong because an internet gateway gives instances with public IPs two-way internet reachability, which the requirement excludes.

Option D is wrong because a VPN connection links the VPC to another network, not to the internet.

249
MCQmedium

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have configured automatic application layer DDoS mitigation with AWS WAF. During a recent attack, the application experienced increased latency, and some legitimate users were blocked. The security team reviews the WAF logs and finds that many requests from legitimate IPs were rate-limited. The team had set a rate-based rule with a threshold of 100 requests per 5 minutes. What is the most likely reason legitimate users were blocked?

A.The rate-based rule is set to block requests for 24 hours after the threshold is exceeded, and once triggered, all requests from that IP are blocked indefinitely.
B.The WAF web ACL is associated with an Application Load Balancer that is not configured for sticky sessions, causing requests from the same user to be distributed across multiple IPs.
C.The rate-based rule uses the source IP address as the aggregation key, and legitimate users behind a NAT gateway share the same public IP, causing the aggregate rate to exceed the threshold.
D.The rate-based rule is evaluating requests before the WAF allows them, and the threshold is too low, but the rule action is set to 'count' instead of 'block', so it should not block traffic.
Answer: C

When multiple legitimate users share a single public IP (for example behind a NAT gateway or corporate proxy), their combined requests can exceed the rate limit, and the rule then blocks every user behind that IP.
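Question 249's failure is about the aggregation key, not only the threshold: a rate-based rule counts requests per key over a trailing window, and when the key is the connection source IP every user behind the same NAT shares one counter. The following is an added Python simulation, not AWS WAF code and not from the page, that applies the question's 100-requests-per-5-minutes limit to a constructed request log under two keys: the source IP, and a custom key of source IP plus a session cookie (AWS WAF rate-based rules support custom aggregation keys of this kind; the cookie name is an assumption). Real WAF evaluates the count periodically rather than on every request, so the numbers are an approximation of its behaviour.

```python
"""Simulation of a WAF rate-based rule's aggregation key (question 249).

Added illustration, not AWS WAF code. The window and limit follow the
question; the request log and the cookie name are constructed sample data.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # the question's 5-minute window
LIMIT = 100            # the question's threshold


def by_source_ip(req):
    """Default aggregation: the connection's source address."""
    return req["src_ip"]


def by_ip_and_session(req):
    """Custom aggregation key: source IP plus a session cookie, so users that
    share a NAT address are counted separately (cookie name is assumed)."""
    return (req["src_ip"], req["cookies"].get("session", ""))


def evaluate(requests, key_fn, limit=LIMIT, window=WINDOW_SECONDS):
    """Count requests per key over a trailing window; return {key: blocked}."""
    recent = defaultdict(deque)
    blocked = defaultdict(int)
    for req in sorted(requests, key=lambda r: r["t"]):
        key = key_fn(req)
        hist = recent[key]
        hist.append(req["t"])
        while hist[0] <= req["t"] - window:   # drop requests older than the window
            hist.popleft()
        if len(hist) > limit:                 # over the limit: this request is blocked
            blocked[key] += 1
    return dict(blocked)


def sample_log():
    """Constructed traffic: 60 office users behind one NAT address, each making
    3 requests, plus one attacker who rotates 50 session cookies."""
    reqs = []
    nat_ip = "198.51.100.7"
    for user in range(60):
        for k in range(3):
            reqs.append({"t": user * 3 + k, "src_ip": nat_ip,
                         "cookies": {"session": f"office-user-{user}"}})
    for j in range(500):
        reqs.append({"t": j * 299 // 499, "src_ip": "192.0.2.66",
                     "cookies": {"session": f"bot-{j % 50}"}})
    return reqs


def compare(requests=None):
    """Blocked counts for the same traffic under both aggregation keys."""
    requests = sample_log() if requests is None else requests
    return {"source_ip": evaluate(requests, by_source_ip),
            "ip_and_session": evaluate(requests, by_ip_and_session)}


if __name__ == "__main__":
    for name, blocked in compare().items():
        print(name, blocked)
```

The source-IP key blocks 80 of the office's 180 requests alongside 400 of the attacker's, which is exactly the symptom in the question. The cookie-based key stops blocking the office but also stops blocking the attacker, because any key the client controls can be rotated. That is the trade-off to design for: use a client-side key (or a scope-down statement that exempts the office ranges) to protect known shared addresses, and keep a higher-threshold source-IP rule for volumetric abuse.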

250
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to inspect all traffic between VPCs and on-premises using a centralized firewall appliance. Which architecture meets this requirement?

A.Deploy AWS Network Firewall in each VPC and route all traffic through it.
B.Connect all VPCs to on-premises via AWS Direct Connect and inspect traffic on-premises.
C.Create VPC peering connections between each VPC and the firewall VPC.
D.Use Transit Gateway with a central inspection VPC that hosts the firewall appliance.
Answer: D

Centralized inspection through Transit Gateway route tables.

Why this answer

Option D is correct because a Transit Gateway with a central inspection VPC lets the route tables send both VPC-to-VPC and VPC-to-on-premises traffic through the firewall appliance once. Option A is wrong because a firewall in every VPC is the opposite of centralized and multiplies the rule sets to maintain. Option B is wrong because hairpinning all traffic over Direct Connect for inspection on-premises adds latency and cost and is not an AWS-side architecture.

Option C is wrong because VPC peering is not transitive, so traffic cannot be forced through a peered firewall VPC.

251
Multi-Selectmedium

A company is designing a security group configuration for a three-tier application. The web servers must be accessible from the internet on ports 80 and 443. The application servers must only communicate with the web servers on port 8080. The database servers must only communicate with the application servers on port 3306. Which TWO of the following are best practices for implementing this with security groups? (Choose TWO.)

Select 2 answers
A.Use the security group ID of the web tier as the source in the app tier inbound rule.
B.Use the CIDR block of the subnet for the source security group rules.
C.Use network ACLs to enforce rules at the subnet level instead of security groups.
D.Use the security group ID of the app tier as the source in the database tier inbound rule.
E.Assign the same security group to all instances to simplify management.
Answers: A, D

Referencing a security group ID restricts inbound traffic to resources that carry that security group.

Why this answer

Options A and D are correct. Using the upstream tier's security group ID as the source means only instances that carry that group can reach the port, and the rule keeps working when instances are added, replaced or change address. Option B is wrong because a subnet CIDR admits everything in the subnet, including hosts that do not belong to the tier.

Option C is wrong because network ACLs are stateless and subnet-wide, so they cannot express tier-to-tier rules as precisely. Option E is wrong because one security group for all tiers lets every tier reach every other on every allowed port, which violates least privilege.

252
Multi-Selectmedium

A company is building a serverless application using Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The security team requires that all API requests are authenticated and authorized, and that the Lambda function has only the necessary permissions to access DynamoDB. Which THREE steps should be taken?

Select 3 answers
A.Place the Lambda function inside a VPC and use a VPC endpoint for DynamoDB.
B.Configure API Gateway to use an Amazon Cognito user pool or a Lambda authorizer for authentication.
C.Use API keys in API Gateway to authenticate requests.
D.Create an IAM role for the Lambda function with a policy that allows only the required DynamoDB actions.
E.Attach a resource-based policy to the DynamoDB table that allows access only from the Lambda function's IAM role.
Answers: B, D, E

Authentication at the API, least privilege on the function, and a resource policy on the table.

Why this answer

Options B, D and E are correct. Option B: a Cognito user pool authorizer or a Lambda authorizer makes API Gateway authenticate every request before it reaches the function. Option D: the function's execution role should allow only the DynamoDB actions it needs on the specific table.

Option E: a resource-based policy on the table restricts which principals can use it, so a compromised role elsewhere cannot read it. Option C is wrong because API keys identify clients for usage plans and throttling; they are not an authentication mechanism. Option A is wrong because a VPC and a VPC endpoint change the network path but add nothing to authentication or least privilege; Lambda reaches DynamoDB over the AWS network without them.

253
MCQhard

A security engineer is troubleshooting connectivity issues between two VPCs connected via a VPC Peering connection. The VPCs are in different accounts. The security groups in both VPCs allow traffic between the CIDRs. The route tables have the appropriate entries. However, instances in VPC A cannot communicate with instances in VPC B. What is the most likely cause?

A.The VPC Peering connection does not support transitive routing through an intermediate VPC or on-premises network.
B.The VPC Peering connection requires an IAM role to be assumed for cross-account communication.
C.The security group in VPC A does not allow inbound traffic from VPC B's CIDR.
D.The network ACL in VPC A does not allow return traffic from VPC B.
Answer: A

VPC peering is non-transitive: if the traffic has to cross a VPN, another VPC or a gateway in the middle, it is dropped.

Why this answer

Option A is correct because VPC peering does not support transitive routing; traffic that needs to pass through an intermediate VPC, VPN or on-premises network to reach the peer will not flow. Option C is incorrect because the question states that the security groups already allow the traffic, and security groups are stateful, so return traffic is permitted automatically. Option B is incorrect because a peering request is accepted once by the peer account; no role is assumed for ongoing traffic.

Option D is incorrect because, although network ACLs are stateless and must allow return traffic, the question gives no indication that the NACLs were changed from their defaults, which allow all traffic.

254
MCQeasy

A company wants to centrally manage firewall rules across multiple VPCs in different AWS accounts. Which AWS service should they use?

A.AWS Network Firewall with AWS Firewall Manager
B.Security Groups
C.AWS WAF
D.Network ACLs
Answer: A

AWS Firewall Manager centrally deploys and manages AWS Network Firewall policies across accounts.

Why this answer

Option A is correct because AWS Network Firewall policies can be rolled out and kept consistent across accounts and VPCs with AWS Firewall Manager, which is the organization-wide management layer. Option B is wrong because security groups are configured per VPC (Firewall Manager can push common security group rules as well, but only option A names it). Option D is wrong because network ACLs are configured per subnet.

Option C is wrong because AWS WAF protects the web application layer; it is not a network firewall.

255
MCQhard

A company needs to meet compliance requirements that mandate encryption of all data in transit between EC2 instances in the same VPC. The instances are in different subnets and communicate using TCP port 443. Which solution should a network engineer implement?

A.Configure the application to use TLS for communication.
B.Enable VPC Flow Logs to monitor for unencrypted traffic.
C.Use AWS Certificate Manager (ACM) to provision certificates and enable encryption automatically.
D.Deploy a VPN connection between the instances.
Answer: A

TLS in the application encrypts the data in transit end to end.

Why this answer

Option A is correct because enabling TLS in the application gives end-to-end encryption on port 443 regardless of the network path. Option C is wrong because ACM issues and renews certificates; a certificate does not encrypt anything until an application uses it for TLS. Option D is wrong because a VPN between two instances in the same VPC is unnecessary complexity for what TLS already provides.

Option B is wrong because VPC Flow Logs observe traffic metadata; they do not encrypt traffic.

256
Multi-Select · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all traffic between subnet A and subnet B. Which TWO actions are required? (Choose two.)

Select 2 answers
A. Attach a transit gateway to the VPC and route traffic through it.
B. Configure the Network Firewall rule group to allow the desired traffic between subnets.
C. Add a route in subnet A's route table that sends traffic to subnet B via the Network Firewall endpoint's elastic network interface.
D. Create a VPC peering connection between subnet A and subnet B.
E. Create a security group rule that allows traffic between subnet A and subnet B.
Answers: B, C

The firewall must have rules to allow the traffic after routing it through.

Why this answer

Options B and C are correct because Network Firewall requires route tables to direct traffic to the firewall endpoint, and firewall rules must allow the traffic. Option E is wrong because security groups are not used to route traffic. Option D is wrong because VPC peering is not needed.

Option A is wrong because the firewall endpoint is in a firewall subnet, not a transit gateway.

257
MCQ · hard

A company has a VPC with multiple subnets and uses AWS Network Firewall to inspect traffic. The security team notices that traffic to a specific IP (10.0.0.10) is being dropped unexpectedly. The firewall policy has a stateful rule group that allows all traffic. What is the MOST likely cause?

A. The stateful rule group has an implicit deny for that IP
B. AWS Shield Advanced is blocking the traffic
C. The stateless default action is set to drop
D. The subnet's route table does not have a route to the firewall endpoint
Answer: C

Stateless rules are evaluated first; if the default action is drop, traffic is dropped regardless of stateful rules.

Why this answer

Option C is correct because Network Firewall evaluates stateless rules first, and a stateless default drop action would drop traffic before stateful rules are considered. Option A is wrong because the stateful rule group allows all traffic. Option D is wrong because the route table directs traffic to the firewall.

Option B is wrong because AWS Shield is for DDoS protection.

258
MCQ · hard

A company wants to centrally manage and enforce VPC security group rules across multiple accounts in AWS Organizations. Which AWS service should be used?

A. AWS Config
B. AWS CloudFormation StackSets
C. AWS Firewall Manager
D. IAM Policies
Answer: C

Firewall Manager centrally enforces security group rules.

Why this answer

Option C is correct because AWS Firewall Manager allows central management of security group rules across accounts. Option A is wrong because AWS Config is for compliance, not enforcement. Option B is wrong because AWS CloudFormation StackSets can deploy resources but not enforce ongoing compliance.

Option D is wrong because IAM Policies don't configure security groups.

259
MCQ · medium

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is encrypted in transit. They also want to minimize changes to existing VPC route tables. Which solution should they use?

A. Use a transit VPC architecture with EC2-based VPN appliances in a security VPC that encrypt traffic between VPCs.
B. Enable Transit Gateway VPN attachments between each VPC and the Transit Gateway with IPsec VPN.
C. Use AWS Network Firewall to inspect and encrypt traffic between VPCs.
D. Implement VPC peering with encryption enabled.
Answer: A

EC2 VPN appliances (e.g., using IPsec) can be deployed in a security VPC to encrypt traffic between VPCs. Traffic is routed through the Transit Gateway to the security VPC, then encrypted and forwarded.

260
MCQ · medium

A company uses AWS Certificate Manager (ACM) to issue certificates for a fleet of Application Load Balancers. The security team requires that only specific IAM roles can request, renew, or delete ACM certificates. Which policy type should be used to enforce this?

A. AWS managed policies such as AWSCertificateManagerFullAccess
B. Service control policies (SCPs) in AWS Organizations
C. IAM identity-based policies attached to the IAM roles
D. Resource-based policies attached to the ACM certificates
Answer: C

IAM policies control access to ACM actions.

Why this answer

Option C is correct because ACM does not support resource-based policies; IAM identity-based policies are used to control access. Option D is wrong because ACM does not support resource-based policies. Option B is wrong because service control policies apply to all accounts in an organization, not to specific roles.

Option A is wrong because AWS managed policies are predefined but can be customized; the question asks for the policy type, not a specific policy.

261
MCQ · easy

A company is using AWS CloudHSM to store sensitive encryption keys. Which of the following is a security best practice for managing the HSM?

A. Disable two-factor authentication for the HSM to simplify management.
B. Use AWS KMS to automatically rotate the CloudHSM partition password.
C. Store the CloudHSM security officer (CO) password in AWS Secrets Manager.
D. Allow AWS to manage the CloudHSM cluster by granting AWS support access.
Answer: C

Best practice to protect the CO password.

Why this answer

Option C is correct because CloudHSM requires client-side authentication using certificates; best practice is to store the security officer password in a secure password manager. Option B is wrong because CloudHSM does not use KMS keys.

Option D is wrong because CloudHSM is a dedicated hardware appliance whose cluster is managed by the customer; AWS does not have root access to CloudHSM clusters.

262
MCQ · medium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no EC2 instance in any account can be launched with a public IP address unless it is in a specific VPC. Which solution will meet this requirement?

A. Create a service control policy (SCP) that denies ec2:RunInstances if the request includes an association with a public IP address, unless the VPC is the allowed one.
B. Create an IAM policy that denies ec2:RunInstances if the subnet is not in the allowed VPC, and attach it to all IAM users.
C. Enable AWS CloudTrail and create a CloudWatch Events rule to stop any instance with a public IP.
D. Use AWS Config rules to detect non-compliant instances and automatically terminate them.
Answer: A

Correct: SCPs can enforce restrictions across all accounts in the organization.

Why this answer

Option A is correct because an SCP applied at the root OU can deny the ec2:RunInstances action when the request includes a parameter to assign a public IP address, using a condition key like ec2:AssociatePublicIpAddress. Option B is wrong because IAM policies must be applied in each account individually. Option D is wrong because Config can detect but not prevent.

Option C is wrong because CloudTrail logs but does not prevent.

263
MCQ · hard

A company has a requirement to audit all network traffic leaving a VPC. The traffic includes traffic to the internet, to on-premises via VPN, and to other VPCs via Transit Gateway. Which AWS service can capture and log all outbound traffic for compliance analysis?

A. VPC Traffic Mirroring
B. VPC Flow Logs
C. AWS CloudTrail
D. Amazon GuardDuty
Answer: A

Traffic Mirroring copies network traffic for analysis and compliance.

Why this answer

Option A is correct because VPC Traffic Mirroring captures and copies traffic for analysis. Option B is wrong because Flow Logs record metadata, not full packets. Option C is wrong because CloudTrail logs API calls, not network traffic.

Option D is wrong because GuardDuty detects threats but does not log all traffic.

264
MCQ · hard

An IAM policy is created and attached to a user. The user reports they cannot stop a production EC2 instance. What is the most likely reason?

A. The EC2 instance does not have the tag Environment=production
B. The policy is missing a region condition
C. The policy is not attached to the user's group
D. The policy does not include ec2:StopInstances
Answer: A

The condition requires the tag.

Why this answer

Option A is correct because the condition key ec2:ResourceTag/Environment requires the instance to carry the tag 'Environment' with the value 'production'. The user's IAM policy allows ec2:StopInstances, but the condition is applied to that action, so if the instance lacks the tag the action is denied. Option D is wrong because the policy allows the action. Option C is wrong because the policy is attached.

Option B is wrong because the policy doesn't specify regions.

265
MCQ · hard

A company uses AWS Certificate Manager (ACM) to issue a public SSL/TLS certificate for a domain hosted on Route 53. The certificate is used by an Application Load Balancer. After renewal, the ALB continues to serve the old certificate. What is the most likely cause?

A. The certificate was not imported into ACM correctly.
B. The ALB listener is not configured to use the new certificate.
C. The certificate is a private certificate and cannot be used with an ALB.
D. DNS validation failed during renewal.
Answer: B

After ACM renewal, the listener must be updated to use the new certificate.

Why this answer

Option B is correct because ACM automatically renews certificates, but the ALB may not serve the new certificate until it is redeployed or the listener is updated. Option C is wrong because the certificate is public and can be used with an ALB. Option D is wrong because ACM performs DNS validation with Route 53 automatically.

Option A is wrong because ACM does not need to import the certificate; it issues it.

266
MCQ · medium

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The security team wants to enforce multi-factor authentication (MFA) for all VPN connections. Which configuration should be used?

A. Attach a security group to the Client VPN endpoint that only allows MFA-authenticated traffic
B. Use AWS Managed Microsoft AD for authentication
C. Use mutual authentication with client certificates
D. Use SAML-based federation with an identity provider that requires MFA
Answer: D

SAML federation allows integration with an IdP that can enforce MFA.

Why this answer

AWS Client VPN supports mutual authentication and can use SAML-based identity federation with an IdP that requires MFA. Option C is wrong because client certificates alone do not enforce MFA. Option B is wrong because Active Directory alone does not enforce MFA.

Option A is wrong because security groups do not enforce authentication.

267
MCQ · hard

Refer to the exhibit. A company has attached this bucket policy to an S3 bucket. An EC2 instance in VPC vpc-12345 is trying to access the bucket but is getting access denied. The EC2 instance has a public IP of 198.51.100.10. What is the MOST likely reason?

A. The policy does not have an explicit allow for the instance's IP
B. The EC2 instance's source IP is not in the allowed IP range
C. Both conditions must be met for access
D. The EC2 instance does not have the s3:GetObject permission
Answer: B

The instance has a different public IP; the IP condition is not met, and the VPC condition only applies if the bucket is accessed via a VPC endpoint.

Why this answer

Option B is correct. The policy has two allow statements: one for a source IP range and one for a source VPC. The EC2 instance's source IP (198.51.100.10) is not in the allowed IP range (203.0.113.0/24).

The second statement allows requests from the VPC, but the aws:SourceVpc condition key is only present when the request comes through a VPC endpoint (Gateway or Interface endpoint). If the EC2 instance accesses S3 via the internet (public IP), the aws:SourceVpc condition is not satisfied, so the second statement does not apply. The first statement does not allow the IP, resulting in an implicit deny.

Option A is wrong because the policy allows GetObject. Option C is wrong because the policy does not require both conditions. Option D is wrong because there is no explicit deny.

268
MCQ · medium

A security engineer needs to audit all API calls made in an AWS account for compliance. The engineer wants to capture the source IP address and the user agent for each call. Which AWS service should be used?

A. AWS Config
B. AWS CloudTrail
C. Amazon CloudWatch Logs
D. VPC Flow Logs
Answer: B

CloudTrail logs API calls with source IP and user agent.

Why this answer

AWS CloudTrail records API calls and includes the source IP and user agent. Option D is wrong because VPC Flow Logs capture network traffic, not API calls. Option C is wrong because CloudWatch Logs stores logs but does not capture API calls directly.

Option A is wrong because AWS Config records resource changes, not API calls.

269
MCQ · easy

A company wants to allow its employees to securely access internal web applications hosted in a VPC without using a VPN. The solution must authenticate users against the company's Active Directory and apply fine-grained access controls. Which AWS service should be used?

A. AWS Single Sign-On (SSO)
B. AWS Verified Access
C. AWS Client VPN
D. Application Load Balancer with OIDC authentication
Answer: B

Provides secure access without a VPN and integrates with AD.

Why this answer

Option B is correct because AWS Verified Access provides secure access to corporate applications without a VPN, integrating with identity providers like Active Directory. Option C is wrong because AWS Client VPN requires VPN client software. Option A is wrong because AWS SSO is for federating access to AWS accounts, not applications.

Option D is wrong because ALB with OIDC is possible but requires public exposure or a VPN; Verified Access is purpose-built.

270
MCQ · hard

A company has a VPC with multiple security groups. An EC2 instance in security group A needs to communicate with an RDS instance in security group B on port 3306. The security team wants to minimize exposure. What should the inbound rule in security group B be?

A. Allow inbound TCP 3306 from the CIDR block of the subnet where the EC2 instance resides
B. Allow inbound TCP 3306 from 0.0.0.0/0
C. Allow inbound TCP 3306 from the private IP address of the EC2 instance
D. Allow inbound TCP 3306 from security group A
Answer: D

Precise and secure.

Why this answer

Option D is correct because referencing security group A as the source allows traffic from any instance associated with security group A, which is the most specific and secure. Option B is wrong because it allows traffic from anywhere (0.0.0.0/0). Option A is wrong because it allows traffic from the entire subnet.

Option C is wrong because it allows traffic from the instance's IP, but if the instance is replaced, the IP may change.

271
Multi-Select · medium

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must not. Which TWO design choices meet these requirements? (Choose two.)

Select 2 answers
A. Use a VPC Gateway Endpoint for the web tier to access the internet.
B. Use a NAT gateway in a public subnet to provide internet access to the app and database tiers for updates.
C. Use a security group on the web tier to allow HTTP/HTTPS from 0.0.0.0/0, and security groups on the app and database tiers that only allow traffic from the web tier security group.
D. Place all tiers in a public subnet with a security group that restricts access to the app and database tiers.
E. Place the web tier in a public subnet with an internet gateway in the route table, and the app and database tiers in private subnets.
Answers: C, E

Security groups provide granular control; the web tier allows internet traffic, and the app and database tiers only accept traffic from the web tier.

Why this answer

Options C and E are correct because public subnets for the web tier with a security group that allows HTTP/HTTPS from the internet, and private subnets for the app and database tiers with no internet gateway route, ensure the required access. Option D is wrong because a single public subnet for all tiers exposes the app and database tiers. Option B is wrong because a NAT gateway is for outbound traffic, not inbound.

Option A is wrong because a VPC endpoint does not provide internet access to the web tier.

272
Multi-Select · easy

A security team needs to block outbound traffic from an EC2 instance to known malicious IP addresses while allowing all other outbound traffic. Which THREE steps should be taken? (Choose three.)

Select 3 answers
A. Configure network ACLs to deny outbound traffic to the malicious IPs.
B. Update the VPC route table to send traffic for the malicious IPs to a network firewall appliance.
C. Deploy AWS Network Firewall in the VPC to perform stateful inspection.
D. Create a firewall rule in AWS Network Firewall that denies traffic to the malicious IPs.
E. Modify the security group for the EC2 instance to deny outbound traffic to the malicious IPs.
Answers: B, C, D

Correct: route traffic to the firewall for inspection.

Why this answer

Option B is correct because the VPC route table directs traffic; traffic for the malicious IPs must be routed to a network firewall appliance. Option C is correct because a network firewall (like AWS Network Firewall) can inspect and block traffic to specific IPs. Option D is correct because the firewall rule should explicitly deny traffic to the malicious IPs.

Option E is wrong because Security Groups are stateful and can only allow/deny inbound/outbound based on source/destination, not specific IPs in a scalable way; they are not designed for blocklists. Option A is wrong because NACLs are stateless and do not support stateful inspection or application-layer filtering.

273
MCQ · medium

A company wants to restrict access to an S3 bucket so that only requests originating from a specific AWS account can read objects. Which bucket policy condition should be used?

A. aws:Referer
B. aws:PrincipalAccount
C. aws:SourceAccount
D. aws:SourceArn
Answer: C

This condition key is used to restrict access based on the account that owns the resource making the request.

Why this answer

Option C is correct because aws:SourceAccount is the condition key for specifying the source account. Option D is wrong because aws:SourceArn is for services like SNS. Option B is wrong because aws:PrincipalAccount is not a valid condition key.

Option A is wrong because aws:Referer is for the HTTP Referer header.

274
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT gateway in the public subnet. The security team wants to allow only outbound HTTPS traffic from the instance. Which configuration should be used?

A. Security group on the instance with outbound rule allowing HTTPS
B. VPC gateway endpoint for S3
C. Network ACL on the private subnet with outbound rule allowing HTTPS and inbound rule allowing return traffic
D. Security group on the NAT gateway with outbound rule allowing HTTPS
Answer: C

NACLs are stateless and require explicit inbound rules for return traffic.

Why this answer

A NACL on the private subnet can control inbound and outbound traffic. For outbound HTTPS, allow outbound ephemeral ports and inbound port 443 for return traffic. Option A is wrong because security groups are stateful and automatically allow return traffic, but they do not filter by destination port in the inbound direction for stateful traffic.

However, the question asks for a configuration that allows only outbound HTTPS; a security group with an outbound rule for HTTPS works, but NACLs are also commonly used. The best answer is the NACL because it provides stateless filtering. Option D is wrong because the NAT gateway's security group (if it had one) would not apply to traffic from the private instance.

Option B is wrong because VPC endpoints are for AWS services, not the internet.

275
MCQ · medium

A company is designing a VPC with private subnets for databases and public subnets for web servers. They need to allow the web servers to make outbound internet requests for software updates but prevent inbound traffic from the internet. Which configuration should they use?

A. Deploy a NAT Gateway in a public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway.
B. Deploy a NAT Gateway in the private subnet and route the private subnet traffic through it.
C. Attach an Internet Gateway to the VPC and route the private subnet traffic through it.
D. Deploy a proxy server in the private subnet and configure the web servers to use it.
Answer: A

This allows outbound internet traffic from the private subnet while blocking unsolicited inbound traffic.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows outbound internet traffic from private subnets while blocking unsolicited inbound traffic. Option C is wrong because an Internet Gateway alone would allow inbound traffic. Option B is wrong because a NAT Gateway in a private subnet cannot access the internet.

Option D is wrong because a proxy server could work but is more complex and not the simplest solution.

276
Multi-Select · medium

A company wants to monitor and log all network traffic within a VPC for security analysis. Which THREE services can be used to achieve this?

Select 3 answers
A. VPC Flow Logs
B. Amazon CloudWatch
C. AWS Network Firewall
D. AWS Traffic Mirroring
E. Amazon S3
Answers: A, C, D

VPC Flow Logs capture metadata about IP traffic.

Why this answer

VPC Flow Logs capture IP traffic information. AWS Network Firewall provides stateful inspection and logs. AWS Traffic Mirroring replicates network traffic for analysis.

Option B is wrong because CloudWatch is for monitoring, not capturing traffic. Option E is wrong because S3 is storage.

277
MCQ · hard

A company uses AWS Shield Advanced for DDoS protection. During an attack, the security team notices that legitimate traffic is being throttled. They want to allow certain known IP addresses to bypass Shield Advanced rate-based rules. What should they do?

A. Disable rate-based rules during the attack
B. Use Shield Advanced automatic application layer DDoS mitigation
C. Create an AWS WAF rule with an IP set that allows the known IPs, and place it before the rate-based rule
D. Create an allow list in AWS Shield Advanced to exempt the IPs from all protections
Answer: C

This allows legitimate IPs to bypass rate-based restrictions.

Why this answer

Option C is correct because AWS WAF rules can be configured with IP sets to allow traffic from specific IPs before the rate-based rules are applied. Option A is wrong because disabling rate-based rules would remove protection for all traffic.

Option D is wrong because Shield Advanced does not support custom allow lists or a bypass feature directly; it relies on WAF for custom rules.

278
MCQ · easy

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its backend targets. Which AWS service should be used to terminate TLS at the ALB and re-encrypt traffic to the targets?

A. AWS Certificate Manager (ACM)
B. AWS Shield
C. Application Load Balancer with HTTPS listeners
D. AWS WAF
Answer: C

An ALB can terminate TLS and re-encrypt to targets.

Why this answer

An ALB can terminate TLS and optionally re-encrypt traffic to targets using HTTPS. Option A is wrong because AWS Certificate Manager provides certificates, not encryption. Option D is wrong because AWS WAF is a web application firewall.

Option B is wrong because AWS Shield is for DDoS protection.

279
MCQ · medium

A security team needs to log all rejected traffic to an internet-facing Network Load Balancer (NLB) for compliance. Which configuration should they use?

A. Enable VPC Flow Logs on the NLB subnets
B. Enable AWS CloudTrail for the NLB
C. Enable access logs on an Application Load Balancer in front of the NLB
D. Enable access logs on the NLB
Answer: D

NLB access logs capture information about rejected traffic.

Why this answer

Option D is correct because NLB access logs capture information about rejected traffic when enabled. Option A is wrong because VPC Flow Logs do not capture traffic that is rejected by the NLB itself before reaching the target. Option B is wrong because CloudTrail logs API calls, not network traffic.

Option C is wrong because an ALB is a different load balancer type and does not apply to the NLB.

280
MCQ · easy

A company is deploying a web application that must be accessible over the internet from specific IP addresses only. The application runs behind an Application Load Balancer (ALB) in a VPC. Which AWS service should be used to restrict access to the ALB based on source IP addresses?

A. Security groups attached to the ALB
B. AWS WAF with IP set rules
C. Network ACLs on the ALB's subnets
D. AWS Shield Advanced
Answer: A

Security groups can be associated with an ALB to allow inbound traffic from specific CIDR blocks.

Why this answer

Option A is correct because security groups are stateful firewalls that can be attached to ALBs to allow traffic from specific IP addresses. Option C is wrong because network ACLs are stateless and operate at the subnet level, not directly on the ALB. Option B is wrong because AWS WAF is a web application firewall that inspects HTTP requests, not simply an IP filter.

Option D is wrong because AWS Shield Advanced is a DDoS protection service, not an IP-based access control.

281
Multi-Select · hard

A company is using AWS Direct Connect to connect on-premises to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which TWO options can achieve this?

Select 2 answers
A. Establish an IPsec VPN tunnel over the Direct Connect virtual interface
B. Enable MACsec on the Direct Connect dedicated connection
C. Use TLS on all applications
D. Use VPC gateway endpoints for S3
E. Rely on Direct Connect's physical security
Answers: A, B

IPsec provides encryption at the network layer.

Why this answer

Option A is correct because an IPsec VPN over Direct Connect can encrypt traffic. Option B is correct because MACsec provides encryption at Layer 2 for dedicated connections. Option C is wrong because TLS is application-level encryption, not link-level.

Option D is wrong because VPC endpoints do not encrypt the Direct Connect link. Option E is wrong because Direct Connect by itself does not provide encryption.

282
Multi-Select · hard

A company has a VPC with multiple subnets and is using Network Access Analyzer to identify unintended network access. It reports that an EC2 instance in a private subnet has a route to an internet gateway. Which two actions should be taken to remediate this?

Select 2 answers
A. Ensure the EC2 instance does not have a public IP address
B. Remove the route to the internet gateway from the subnet's route table
C. Assign a public IP address to the instance
D. Update the security group to deny outbound traffic to 0.0.0.0/0
E. Attach a NAT gateway to the private subnet
Answers: A, B

Without a public IP, internet traffic is not possible even with the route.

Why this answer

The instance should not have a route to the internet. Removing the route from the subnet's route table and ensuring the instance does not have a public IP are the correct actions, so Options A and B are correct.

Option E is wrong because a NAT gateway would still allow outbound internet access. Option D is wrong because security groups do not affect routing. Option C is wrong because the instance may not have a public IP already.

283
MCQ · medium

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The security team wants to block a list of known malicious IP addresses from accessing the application. Which service should they use to implement this protection?

A. Network ACLs on the ALB subnet with deny rules
B. AWS WAF with an IP set rule that blocks the malicious IPs
C. AWS Shield Advanced with automatic IP blocking
D. Security Groups for the ALB with deny rules
Answer: B

WAF integrates with the ALB and can block IPs.

Why this answer

Option B is correct because AWS WAF with IP set rules can block malicious IPs. Option C is wrong because Shield Advanced provides DDoS protection, not IP blocking. Option A is wrong because Network ACLs are stateless and less efficient for this use case.

Option D is wrong because Security Groups are stateful but not designed for IP blocking at the ALB level.

284
Multi-Select · medium

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to enforce that all VPCs use a specific set of security group rules for inbound SSH access. Which TWO steps should the team take? (Choose two.)

Select 2 answers
A. Use AWS Config rules to detect non-compliant security groups and trigger automatic remediation.
B. Enable AWS CloudTrail to log all security group changes and send alerts.
C. Enable Amazon GuardDuty to monitor for malicious traffic.
D. Use a service control policy (SCP) to deny the ec2:AuthorizeSecurityGroupIngress action if the rule does not comply with the standard.
E. Create an IAM role in each account that only allows creation of compliant security groups.
Answers: A, D

Config can detect and remediate.

Why this answer

SCPs can deny creation of security groups that don't meet the rules, and AWS Config can detect non-compliant groups, so Options A and D are correct. Option E is wrong because IAM roles don't enforce across accounts.

Option B is wrong because CloudTrail logs but doesn't enforce. Option C is wrong because GuardDuty is for threat detection.

285
MCQ · easy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should they use?

A. Create an IAM policy that restricts access to the VPC and attach it to all users.
B. Attach a security group to the S3 bucket that allows traffic from the VPC.
C. Add a bucket policy with a condition that requires aws:SourceVpc to be the VPC ID.
D. Create a VPC Endpoint policy that allows access only from the VPC.
Answer: C

This condition ensures requests originate from the specified VPC.

Why this answer

Option C is correct because S3 bucket policies can use the aws:SourceVpc condition key to restrict access to a specific VPC. Option B is wrong because security groups are not used for S3. Option D is wrong because VPC Endpoint policies control actions but not the source VPC.

Option A is wrong because IAM policies are attached to users/roles, not to the bucket.

286
MCQ · medium

Refer to the exhibit. A network engineer runs the above command and sees this network ACL configuration. The subnet associated with this ACL contains an EC2 instance that is failing to receive inbound HTTP traffic (TCP 80) from the internet. What is the MOST likely cause?

A. The inbound deny rule is associated with the wrong subnet
B. The inbound deny rule for TCP (port range) blocks all TCP traffic
C. The outbound rule does not allow return traffic
D. The inbound allow rule is not wide enough
Answer: B

Rule number 100 denies TCP traffic (protocol 6) from 0.0.0.0/0, which includes HTTP (TCP 80). The rule is evaluated before the allow rule.

Why this answer

Option B is correct. The inbound deny rule (Rule 100) for TCP (Protocol 6) from 0.0.0.0/0 denies all TCP traffic, including HTTP. Even though there is a later allow-all rule (Rule 200), network ACLs evaluate rules in ascending order, so the deny rule is evaluated first and blocks the traffic.

Option C is wrong because the outbound rule allows all traffic. Option D is wrong because the allow rule exists but comes after the deny. Option A is wrong because the deny rule applies to all CIDR blocks.

287
Multi-Select (medium)

A company has a security requirement to log and monitor all DNS queries made by EC2 instances in a VPC. Which TWO AWS solutions can meet this requirement?

Select 2 answers
A. Enable Amazon Route 53 Resolver Query Logging.
B. Use AWS CloudTrail to log DNS queries.
C. Enable Amazon Route 53 Resolver DNS Firewall with logging.
D. Use Amazon CloudWatch Logs with a custom agent to capture DNS logs.
E. Enable VPC Flow Logs.
Answers: A, C

This service logs all DNS queries made by resources in the VPC.

Why this answer

Option A (Amazon Route 53 Resolver DNS Firewall) provides DNS query logging. Option D (Amazon Route 53 Resolver Query Logging) specifically logs queries. VPC Flow Logs log IP traffic, not DNS.

CloudWatch Logs can store logs but does not capture DNS queries natively. AWS CloudTrail logs API calls, not DNS queries.

288
MCQ (medium)

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via a VPN. They want to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the network?

A. Create VPC Peering connections between each VPC and the inspection VPC.
B. Configure Transit Gateway with appliance mode and route traffic through a dedicated inspection VPC.
C. Use security groups in each VPC to restrict traffic and enable VPC Flow Logs for auditing.
D. Place the security appliance in each VPC and use Network Firewall to inspect traffic.
Answer: B

Appliance mode ensures that traffic from one VPC to another is always routed via the inspection VPC.

Why this answer

Option B is correct because Transit Gateway supports appliance mode that forces traffic to be routed through a specific VPC where the security appliance resides. Option A is wrong because VPC Peering does not support transitive routing. Option C is wrong because Network Firewall can inspect traffic but does not require Transit Gateway; however, the question specifically asks for a design with Transit Gateway.

Option D is wrong because Security Groups cannot inspect traffic at the network level.

289
MCQ (medium)

A company uses AWS Direct Connect to connect its on-premises network to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which solution should be used?

A. Enable encryption on the Direct Connect virtual interface
B. Use TLS on all applications that communicate across the link
C. Establish an IPsec VPN tunnel over the Direct Connect link
D. Use VPC endpoints for all AWS services accessed
Answer: C

An IPsec tunnel provides encryption for all traffic over the link.

Why this answer

Option D is correct because IPsec VPN over Direct Connect provides encryption while maintaining low latency. Option A is wrong because Direct Connect does not inherently encrypt. Option B is wrong because TLS operates at the application layer, not the link layer.

Option C is wrong because VPC endpoints are for specific services.

290
MCQ (medium)

A company hosts a multi-tier web application in a VPC. The web servers are in a public subnet, and the application servers are in a private subnet. The application servers need to access a third-party API over the internet. The company wants to ensure that the application servers' IP addresses are not exposed to the internet, and that all outbound traffic to the internet is logged. Additionally, the company wants to restrict outbound traffic to only the specific API endpoints. Which solution should be used?

A. Use a VPC endpoint for the third-party API service.
B. Attach an internet gateway directly to the private subnet and configure the route table to send default traffic to the internet gateway. Use security groups to restrict outbound traffic to the API endpoints. Enable VPC Flow Logs for logging.
C. Deploy a proxy server in the public subnet and configure the application servers to use the proxy. Restrict outbound traffic from the proxy using security groups. Log proxy access logs.
D. Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing to the NAT gateway. Use security groups on the application servers to restrict outbound traffic to the API endpoints. Enable logs on the NAT gateway using VPC Flow Logs or NAT gateway logs.
Answer: D

The NAT gateway provides outbound internet access with private IPs, and security groups control traffic. Logging can be enabled via VPC Flow Logs.

Why this answer

Option D is correct. A NAT gateway in a public subnet allows instances in private subnets to access the internet while hiding their private IPs. By controlling the outbound rules in the security group or using a network firewall, you can restrict traffic to specific API endpoints.

AWS CloudWatch Logs or VPC Flow Logs can capture the NAT gateway logs. Option A is incorrect because an internet gateway in the private subnet would expose private IPs. Option B is incorrect because a proxy server would add complexity.

Option C is incorrect because a VPC endpoint cannot be used for internet API access.

291
Multi-Select (easy)

A company needs to audit network traffic in a VPC for compliance. Which THREE AWS services can be used to capture and analyze network traffic?

Select 3 answers
A. AWS Config
B. Traffic Mirroring
C. VPC Flow Logs
D. AWS Network Firewall
E. AWS CloudTrail
Answers: B, C, D

Traffic Mirroring captures and inspects traffic.

Why this answer

Option A is correct because VPC Flow Logs capture IP traffic information. Option B is correct because Traffic Mirroring captures and inspects traffic. Option D is correct because AWS Network Firewall can log traffic.

Option C is wrong because CloudTrail logs API calls, not network traffic. Option E is wrong because AWS Config monitors resource configurations, not traffic.

292
Multi-Select (hard)

A company is designing a network architecture for a highly sensitive application that must meet strict compliance requirements. The application is deployed in a VPC with multiple subnets. The company needs to ensure that all traffic between subnets is encrypted and that no traffic can bypass the encryption. Which THREE steps should be taken?

Select 3 answers
A. Use network ACLs to block all traffic except encrypted protocols (e.g., IPSec).
B. Set up VPN connections between each subnet's route tables.
C. Deploy a VPC CNI plugin that supports encryption for pods.
D. Use security groups to allow only encrypted traffic.
E. Enable VPC Flow Logs to detect unencrypted traffic.
Answers: A, B, C

NACLs can block unencrypted traffic by blocking non-IPSec ports.

Why this answer

Option B is correct because using NACLs to block non-encrypted traffic enforces encryption at the subnet level. Option C is correct because a VPC CNI plugin can enforce encryption for Kubernetes workloads. Option E is correct because using VPNs between subnets can provide encryption.

Option A is wrong because security groups do not enforce encryption. Option D is wrong because VPC Flow Logs only monitor traffic; they do not enforce encryption.

293
MCQ (hard)

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from an S3 bucket in the same AWS region. The company wants to ensure that traffic does not traverse the internet. Which solution is MOST cost-effective?

A. Attach an Internet Gateway to the VPC and route the private subnet traffic directly to S3.
B. Create a Gateway VPC Endpoint for S3 and add a route in the private subnet's route table to the endpoint.
C. Create an Interface VPC Endpoint for S3 in the private subnet.
D. Deploy a NAT Gateway in a public subnet and route the private subnet traffic through it to access S3.
Answer: B

Gateway VPC Endpoints are free and allow private access to S3 without internet.

Why this answer

Option D is correct because a Gateway VPC Endpoint for S3 allows private connectivity to S3 without cost, and it does not require a NAT Gateway or Internet Gateway. Option A is wrong because a NAT Gateway would incur hourly charges and data processing fees. Option B is wrong because an Internet Gateway is not needed and would allow internet traffic.

Option C is wrong because an Interface VPC Endpoint for S3 incurs hourly charges.

294
MCQ (medium)

A company has a VPC with multiple subnets. They want to block all traffic from the internet to their private subnets, but allow outbound internet traffic from those subnets through a NAT Gateway. Which configuration should they use?

A. Route table with 0.0.0.0/0 -> NAT Gateway
B. Route table with 0.0.0.0/0 -> Virtual Private Gateway
C. Route table with 0.0.0.0/0 -> VPC Peering Connection
D. Route table with 0.0.0.0/0 -> Internet Gateway
Answer: A

This allows outbound traffic only, because a NAT Gateway does not accept inbound connections initiated from the internet.

Why this answer

Option B is correct because a route table associated with the private subnets should have a default route (0.0.0.0/0) pointing to the NAT Gateway. Option A is wrong because a public subnet route to an Internet Gateway would allow inbound traffic. Option C is wrong because a route to a Virtual Private Gateway is for VPN connections.

Option D is wrong because a route to a VPC peering connection is for peered VPCs.

295
Matching (medium)

Match each AWS networking feature to its purpose for high availability or fault tolerance.

Matches

Static public IP that can be remapped to another instance

DNS-based routing to healthy endpoints

Distributes traffic evenly across all registered targets in all AZs

Improves availability and performance using Anycast IPs

Captures IP traffic information for troubleshooting

Why these pairings

These features help ensure resilience and observability.

296
Multi-Select (medium)

A security engineer is designing a network security solution for a multi-tier application. The web tier must be accessible from the internet on ports 80 and 443. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier on port 3306. Which THREE network access control mechanisms should be used?

Select 3 answers
A. Security groups that allow traffic from specific security groups for the database tier.
B. AWS WAF to filter traffic to the database tier.
C. IAM policies to restrict access to the database.
D. Network ACLs to provide stateless filtering at the subnet level.
E. Security groups that reference other security groups as sources.
Answers: A, D, E

Database security groups should allow inbound traffic from the application security group.

Why this answer

Option A is correct because security groups can be used to allow traffic between tiers based on security group IDs. Option C is correct because network ACLs provide stateless filtering at the subnet level. Option E is correct because security groups for the database tier can reference the application tier security group.

Option B is wrong because IAM is for identity management, not network filtering. Option D is wrong because AWS WAF is a web application firewall operating at the application layer, not a control for network-level access between tiers.

297
Multi-Select (easy)

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose two.)

Select 2 answers
A. AWS Config
B. Amazon VPC Flow Logs
C. AWS CloudTrail
D. AWS Identity and Access Management (IAM)
E. AWS Organizations
Answers: A, E

AWS Config can evaluate resource configurations against desired policies across accounts.

Why this answer

Options B and C are correct. AWS Organizations allows you to centrally manage accounts and apply service control policies (SCPs). AWS Config can enforce rules across accounts.

Option A is wrong because IAM is per-account. Option D is wrong because CloudTrail is for logging, not policy enforcement. Option E is wrong because VPC Flow Logs are for network monitoring.

298
MCQ (hard)

A security engineer is troubleshooting an issue where Amazon Inspector is not finding any vulnerabilities in an EC2 instance. The instance has the AWS Systems Manager Agent (SSM Agent) installed and is managed by AWS Systems Manager. What is the most likely reason for Inspector not reporting findings?

A. The EC2 instance does not have an IAM role that allows Inspector to scan it.
B. The EC2 instance is in a private subnet without a NAT gateway.
C. The EC2 instance's security group blocks outbound traffic to the Inspector service.
D. The EC2 instance is not managed by AWS Systems Manager.
Answer: D

Inspector requires the SSM Agent and an instance managed by Systems Manager to perform assessments.

Why this answer

Inspector requires the SSM Agent to be installed and the instance to be properly registered with Systems Manager. If the instance is not managed by Systems Manager, Inspector cannot perform assessments. A missing IAM role, security group rule, or subnet configuration would not prevent Inspector from running; those affect other aspects.

299
MCQ (hard)

A company uses AWS Direct Connect to connect their on-premises network to AWS. They have a VPC with a virtual private gateway (VGW) and a private VIF attached to it. They recently added a second Direct Connect connection for redundancy. Both connections are active and advertised via BGP. The on-premises network uses BGP with the same AS number. After configuration, they notice that traffic is not load-balanced as expected; instead, all traffic flows through one connection. What is the most likely cause?

A. The on-premises router has a static route pointing to the primary connection, overriding BGP learned routes.
B. Both Direct Connect connections are in the same AWS region and use the same VGW, so traffic cannot be load-balanced.
C. The on-premises router is configured with a higher local preference for one of the BGP sessions, causing it to prefer that path.
D. The Direct Connect connections are using different VLANs, causing asymmetric routing.
Answer: C

BGP path selection can be influenced by local preference. If one session has a higher local preference, all traffic will use that path.

300
MCQ (hard)

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. Users in a different VPC with IP range 10.0.0.0/16 are able to access objects, but users in a different VPC with IP range 10.1.0.0/16 cannot. What is the most likely cause?

A. The bucket policy uses the wrong condition key
B. The users are accessing the bucket through a NAT Gateway, which changes the source IP
C. The bucket policy specifies the wrong resource ARN
D. The bucket policy does not specify a principal
Answer: B

NAT replaces the private source IP with a public IP, which does not match the condition.

Why this answer

The aws:SourceIp condition checks the source IP address of the request. If the users in 10.1.0.0/16 are accessing via a NAT, the source IP seen by S3 will be the NAT's public IP, not the private IP, and will not match the condition. Option A is wrong because the policy allows all principals.

Option B is wrong because the resource is correct. Option C is wrong because the action is correct.
