CCNA Design Secure Architectures Questions

75 of 336 questions · Page 2/5 · Design Secure Architectures · Answers revealed

76
MCQ · medium

Account 3000 owns a customer-managed KMS key (key-K). A data processing team in account 4000 needs to decrypt data encrypted with key-K. The role in account 4000 already has an identity policy allowing kms:Decrypt on key-K. Despite this, decrypt requests fail with an AccessDenied error referencing KMS. What is the most likely missing authorization step?

A. Update key-K’s key policy in account 3000 to allow kms:Decrypt for the specific role principal in account 4000.
B. Update the S3 bucket policy to allow kms:Decrypt for account 4000 principals on key-K.
C. Enable AWS managed key rotation on key-K and remove the existing key policy.
D. Switch the access from a role to an IAM user because KMS only supports user principals.
Answer: A

For customer-managed KMS keys, key policy is a required authorization layer. Even with an IAM identity policy granting kms:Decrypt, KMS will deny the request unless the key policy also authorizes the calling principal to use the key for Decrypt.

Why this answer

The correct answer is A because KMS key policies are resource-based policies that must explicitly grant cross-account access. Even though the role in account 4000 has an identity-based policy allowing kms:Decrypt, the key policy in account 3000 (the key owner) must also include a statement that permits the specific role principal from account 4000 to perform kms:Decrypt on key-K. Without this, the KMS service will deny the request due to the lack of a valid authorization path.

Exam trap

The trap here is that candidates assume identity-based policies alone are sufficient for cross-account KMS operations, forgetting that KMS requires an explicit resource-based policy (key policy) grant for the external principal.

How to eliminate wrong answers

Option B is wrong because the S3 bucket policy controls access to S3 objects, not KMS key permissions; the error is specifically from KMS, not S3. Option C is wrong because enabling AWS managed key rotation is not applicable to customer-managed keys (CMKs) and removing the key policy would break all existing permissions, not fix the cross-account issue. Option D is wrong because KMS supports both IAM roles and IAM users as principals; the problem is the missing key policy, not the principal type.

77
MCQ · hard

Based on the exhibit, an application role in Account B can reach an S3 bucket in Account A, but reads fail with AccessDenied on KMS. The bucket objects use SSE-KMS with a customer managed key in Account A. What change is required so the application can decrypt the objects while keeping the access restricted?

A. Add the Account B role ARN to the KMS key policy with kms:Decrypt and kms:DescribeKey permissions, scoped to S3 usage in us-east-1.
B. Add s3:GetEncryptionConfiguration to the Account B IAM policy so S3 can use the customer managed key on reads.
C. Change the bucket to SSE-S3 because SSE-S3 always allows cross-account reads without any KMS policy changes.
D. Add the Account B role to the bucket ACL with FULL_CONTROL so S3 can bypass KMS on behalf of the reader.
Answer: A

S3 object retrieval with SSE-KMS requires that KMS authorize decryption, and that authorization must exist in the key policy for a CMK in another account. Scoping the statement to the specific role and S3 usage keeps the access narrow while allowing the object read to succeed.

Why this answer

Option A is correct because when using SSE-KMS with a customer managed key, cross-account access requires the KMS key policy to explicitly grant the external IAM role (from Account B) the kms:Decrypt and kms:DescribeKey permissions. Without these, S3 can retrieve the encrypted object, but KMS will deny the decryption request, resulting in an AccessDenied error. Scoping the policy to S3 usage in us-east-1 follows the principle of least privilege while enabling the necessary decryption.

Exam trap

The trap here is that candidates often focus only on the S3 bucket policy or IAM permissions, forgetting that SSE-KMS with a customer managed key requires explicit cross-account grants in the KMS key policy, not just in S3 or IAM policies.

How to eliminate wrong answers

Option B is wrong because s3:GetEncryptionConfiguration is a read-only permission that retrieves the bucket's encryption configuration, not a permission that allows S3 to use the KMS key for decryption; it does not grant any KMS decrypt rights. Option C is wrong because changing the bucket to SSE-S3 would remove the KMS requirement, but it violates the requirement to keep access restricted and does not address the existing SSE-KMS setup; moreover, SSE-S3 does not inherently allow cross-account reads without proper bucket policies. Option D is wrong because bucket ACLs do not interact with KMS; granting FULL_CONTROL via ACL cannot bypass KMS decryption permissions, as S3 still needs to call KMS on behalf of the reader, which requires explicit KMS key policy grants.

78
MCQ · medium

Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?

A. Create IAM user access keys in account A and attach the UploadRole policy directly to those keys.
B. Update the trust policy on UploadRole (account B) to allow sts:AssumeRole from the app’s IAM role or principal in account A.
C. Add s3:PutObject permissions to the bucket policy in account B for all principals in account A.
D. Attach an SCP (service control policy) in AWS Organizations to deny sts:AssumeRole unless the caller uses an MFA device.
Answer: B

A cross-account role requires both an IAM permissions policy and a trust policy. The trust policy must allow the specific principal in account A to call sts:AssumeRole into account B’s role. With that trust in place, the app can obtain temporary credentials and then use the UploadRole permissions for s3:PutObject.

Why this answer

The app in account A needs to assume the UploadRole in account B to gain s3:PutObject permissions. Without a trust policy on UploadRole that allows sts:AssumeRole from the app's IAM principal in account A, the role cannot be assumed, and the S3 PutObject call fails with AccessDenied. Updating the trust policy is the most direct fix and follows least privilege by granting only the necessary cross-account role assumption.

Exam trap

The trap here is that candidates often think bucket policies alone can grant cross-account access without considering the need for role assumption and trust policies, leading them to choose Option C as a simpler but overly permissive solution.

How to eliminate wrong answers

Option A is wrong because attaching the UploadRole policy directly to IAM user access keys in account A would create long-term credentials and violate least privilege, and the policy is defined in account B and cannot be attached to account A users; cross-account access requires role assumption, not direct policy attachment. Option C is wrong because adding s3:PutObject to the bucket policy for all principals in account A is overly permissive and does not leverage the existing UploadRole, violating least privilege by granting blanket access to the entire account A. Option D is wrong because an SCP denying sts:AssumeRole unless MFA is used would block the legitimate cross-account role assumption needed to fix the access problem, making the issue worse.

79
MCQ · hard

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control? The design must avoid adding custom operational scripts.

A. Tag encrypted volumes after creation
B. Enable VPC Flow Logs
C. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
D. Run a daily Lambda function to encrypt unencrypted volumes
Answer: C

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option C is correct because an SCP (Service Control Policy) at the AWS Organizations level can deny the ec2:CreateVolume API call when the encryption condition (aws:RequestTag/Encrypted or ec2:Encrypted) is false. This is a preventive control that blocks the creation of unencrypted volumes before they exist, and it requires no custom operational scripts, aligning with the design constraint.

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like tagging or Lambda remediation) with preventive controls, or they mistakenly think VPC Flow Logs can enforce encryption policies.

How to eliminate wrong answers

Option A is wrong because tagging encrypted volumes after creation is a detective or corrective control, not preventive; it does not stop unencrypted volumes from being created. Option B is wrong because VPC Flow Logs capture network traffic metadata and have no ability to enforce encryption policies on EBS volumes. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a reactive corrective control that relies on custom operational scripts, violating the 'avoid adding custom operational scripts' requirement.

80
MCQ · medium

A company stores RDS database credentials in AWS Systems Manager Parameter Store as SecureString parameters. The security team requires that database passwords rotate automatically every 30 days. Which change should a solutions architect recommend?

A. Create a scheduled EventBridge rule to invoke a Lambda function that updates the Parameter Store SecureString value every 30 days
B. Migrate the credentials to AWS Secrets Manager and enable automatic rotation with a 30-day schedule
C. Enable Parameter Store SecureString automatic rotation in the AWS console
D. Configure AWS Config to detect password age and trigger an SNS notification after 30 days
Answer: B

Secrets Manager provides native automatic rotation for RDS with a managed Lambda function. This meets the requirement with minimal operational overhead.

Why this answer

AWS Secrets Manager provides native automatic rotation for RDS credentials using a managed Lambda function that rotates the secret on a defined schedule and updates the database password atomically.

Parameter Store SecureString does not support built-in automatic rotation — rotation must be implemented manually with custom automation. Secrets Manager is specifically designed for secrets requiring lifecycle management including rotation, auditing, and fine-grained access control.

Exam trap

Both services encrypt values using KMS, which causes candidates to treat them as equivalent. Only Secrets Manager provides automatic rotation with managed Lambda integration and rotation history. Parameter Store is appropriate for configuration values and static secrets.

Whenever automatic rotation is a security policy requirement, Secrets Manager is the answer.

Why the other options are wrong

A

Creating a custom EventBridge rule + Lambda for rotation works but requires development and maintenance effort. It lacks native rotation history and is more complex than the purpose-built Secrets Manager solution.

C

There is no built-in automatic rotation toggle in Parameter Store. This feature does not exist in the Parameter Store console — automatic rotation is a Secrets Manager capability.

D

AWS Config detects and alerts on compliance drift but cannot automatically rotate a database password. SNS notification is a detection mechanism, not a remediation mechanism.

81
MCQ · hard

Based on the exhibit, an application in the same AWS account can upload and read objects in an S3 bucket encrypted with a customer managed KMS key, but GetObject fails with an AccessDenied error from AWS KMS. The IAM role already has s3:GetObject, s3:PutObject, kms:Decrypt, and kms:GenerateDataKey permissions. What change most directly fixes the issue while preserving least privilege?

A. Add an S3 bucket ACL that grants the application role full control over objects.
B. Update the KMS key policy to allow the application role to use the key, ideally with a kms:ViaService condition for S3.
C. Replace the customer managed key with the AWS managed S3 key so IAM permissions become sufficient.
D. Add an S3 bucket policy that grants s3:GetObject and s3:PutObject to the role for all objects.
Answer: B

KMS key policy must explicitly trust the principal. Adding a role-scoped statement with kms:ViaService keeps access limited to S3 use only.

Why this answer

The error is an AccessDenied from AWS KMS, not from S3, which means the IAM role has the required S3 permissions (s3:GetObject) and KMS API permissions (kms:Decrypt), but the KMS key policy does not explicitly grant the role access to the key. Since customer managed KMS keys require a key policy to grant IAM principals permission to use the key (IAM policies alone are insufficient unless the key policy delegates such authority), updating the key policy to allow the role with a kms:ViaService condition for S3 directly resolves the KMS-side denial while preserving least privilege.

Exam trap

The trap here is that candidates see 'AccessDenied' and assume the S3 bucket policy or ACL is missing, when the error message explicitly states it is from AWS KMS, meaning the fix must be at the KMS key policy level, not the S3 resource policy.

How to eliminate wrong answers

Option A is wrong because S3 bucket ACLs control access to S3 objects themselves, not KMS key permissions; the error is from KMS, not S3, so an ACL cannot fix a KMS AccessDenied. Option C is wrong because switching to the AWS managed S3 key (SSE-S3) would remove the need for KMS permissions entirely, but it changes the encryption type and does not preserve the use of a customer managed key as required by the scenario; it also violates least privilege by removing control over the key. Option D is wrong because the IAM role already has s3:GetObject and s3:PutObject permissions, and the error is from KMS, not S3; adding a bucket policy for the same S3 actions does not address the missing KMS key policy grant.
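An added example, not from the question bank, of the key policy change that questions 76, 77 and 81 call for: the first statement is the default key-owner statement that lets IAM policies inside the owning account take effect, and the second is the explicit grant to one external role, scoped to S3 use in us-east-1 with kms:ViaService. The account IDs and role name are placeholders for the key-owning account and the calling account's role; the caller still needs its own identity policy allowing kms:Decrypt, and a writer would additionally need kms:GenerateDataKey.

```json
{
  "Version": "2012-10-17",
  "Id": "key-K-policy",
  "Statement": [
    {
      "Sid": "EnableKeyOwnerAccountAdministrationAndIamDelegation",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowOneExternalRoleToDecryptOnlyThroughS3InUsEast1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:role/DataProcessingRole" },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The Resource of "*" in a key policy means the key the policy is attached to, and the kms:ViaService condition causes a direct kms:Decrypt API call from the same role (not made on its behalf by S3) to be denied.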

82
MCQ · medium

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

A. Disable CloudTrail during troubleshooting
B. Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
C. Attach AdministratorAccess permanently to every developer role
D. Create shared administrator access keys for the team
Answer: B

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center permission sets allow you to define fine-grained permissions and assign them to users or groups with time-bound access (e.g., using a session duration or approval workflow). Combined with CloudTrail, every API call made during the elevated session is logged for audit, meeting the security team's requirements for approvals, expiry, and audit logging.

Exam trap

The trap here is that candidates may think IAM roles with a trust policy and temporary credentials are sufficient, but they overlook that IAM Identity Center provides centralized, time-bound permission sets with built-in approval workflows and audit integration, which is the best fit for the given requirements.

How to eliminate wrong answers

Option A is wrong because disabling CloudTrail during troubleshooting would eliminate audit logging, directly violating the security team's requirement for audit logging. Option C is wrong because permanently attaching AdministratorAccess to every developer role grants unrestricted, persistent elevated access with no expiry or approval process, violating the principle of least privilege and the need for time-bound access. Option D is wrong because creating shared administrator access keys for the team removes individual accountability, prevents proper audit trails (as actions cannot be attributed to a specific user), and provides no expiry or approval mechanism.

83
Multi-Select · hard

A third-party payroll vendor in another AWS account must assume a role in your account to write a daily settlement file to Amazon S3. You want to prevent confused-deputy attacks and make every assumed session traceable in CloudTrail back to an individual vendor user. Which three trust-policy or session controls should be used? Select three.

Select 3 answers
A. Specify the exact vendor role ARN as the trusted principal in the role trust policy.
B. Require an external ID in the trust policy conditions.
C. Require sts:SourceIdentity when the vendor assumes the role.
D. Use a wildcard principal and rely on the S3 bucket policy to narrow access later.
E. Give the vendor long-term IAM user credentials in your account for easier auditing.
Answers: A, B, C

The trust policy should name only the specific vendor role that is allowed to assume the role in your account. Restricting the principal minimizes the trust boundary and prevents unrelated identities from attempting the assumption path.

Why this answer

Option A is correct because specifying the exact vendor role ARN as the trusted principal in the trust policy ensures that only that specific role in the vendor's account can assume the role, preventing any other entity from impersonating the vendor. This is a key control to limit the trust boundary and avoid confused-deputy attacks.

Exam trap

The trap here is that candidates often think a bucket policy alone can control role assumption, but it cannot—the trust policy is the only mechanism to restrict which external principals can assume a role, and confused-deputy protections require explicit conditions like external ID and source identity.

84
MCQ · easy

Several EC2 instances in different Availability Zones need to read and write the same shared file system. The file storage should stay available if one AZ has a problem. Which service should the team choose?

A. Amazon EBS
B. Amazon EFS
C. Amazon S3 only
D. Instance store
Answer: B

Amazon EFS is a managed shared file system that can be mounted by multiple EC2 instances across multiple Availability Zones. It is a strong fit when applications need the same files at the same time and must remain available even if one AZ experiences issues. The service is highly available by design and reduces operational work compared with self-managed file servers.

Why this answer

Amazon EFS provides a fully managed, scalable, and elastic NFS file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones. It is designed for high availability and durability by storing data redundantly across multiple AZs within a region, ensuring continued access even if one AZ fails.

Exam trap

The trap here is that candidates often confuse EBS Multi-Attach (which only supports a limited number of instances in the same AZ and requires a cluster-aware file system) with the true multi-AZ shared file system capability of EFS.

How to eliminate wrong answers

Option A is wrong because Amazon EBS volumes are tied to a single Availability Zone and cannot be attached to EC2 instances in different AZs simultaneously; they also lack native multi-AZ file sharing. Option C is wrong because Amazon S3 is an object storage service, not a shared file system; it does not support POSIX file locking or concurrent read/write operations typical of a file system. Option D is wrong because instance store provides ephemeral block storage that is physically attached to the host EC2 instance, cannot be shared across instances, and data is lost if the instance stops or terminates.

85
MCQ · medium

A SaaS vendor will access your AWS resources by assuming an IAM role in your account. You want to prevent confused-deputy attacks and ensure the vendor can only assume the role using an agreed external identifier. Your role trust policy currently allows sts:AssumeRole from the vendor’s principal, but it does not include any external ID protection. Which change is the best next step?

A. Add a condition to the trust policy: Condition = {"StringEquals": {"sts:ExternalId": "vendor-agreed-id"}}.
B. Add a condition to the trust policy: Condition = {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}.
C. Remove sts:AssumeRole and replace it with sts:AssumeRoleWithWebIdentity to use the vendor’s browser-based tokens.
D. Add a condition to the role permissions policy (not the trust policy) requiring aws:PrincipalTag/ExternalId to equal the external identifier.
Answer: A

Using sts:ExternalId in the trust policy ensures only assume-role requests presenting the correct external identifier are allowed. This directly mitigates confused-deputy attacks by binding authorization to a value the vendor must know. It also keeps the permissions model clean, because the check is enforced during the STS AssumeRole request.

Why this answer

Option A is correct because the `sts:ExternalId` condition key is specifically designed to prevent confused-deputy problems. By adding `{"StringEquals": {"sts:ExternalId": "vendor-agreed-id"}}` to the trust policy, you ensure that the vendor must provide the agreed external ID in the `AssumeRole` API call, which only the legitimate vendor knows. This prevents a malicious third party from tricking the vendor into assuming a role in your account on their behalf.

Exam trap

The trap here is that candidates often confuse where to place the condition (trust policy vs. permissions policy) or mistakenly think IP-based restrictions or changing the API action are appropriate solutions for confused-deputy prevention.

How to eliminate wrong answers

Option B is wrong because restricting by source IP (`aws:SourceIp`) does not prevent confused-deputy attacks; the vendor's IP address could be spoofed or the vendor might use multiple IPs, and it does not enforce a shared secret between you and the vendor. Option C is wrong because `sts:AssumeRoleWithWebIdentity` is used for federated users with web identity tokens (e.g., from Cognito, Google, Facebook), not for a vendor's AWS principal assuming a role; the vendor needs `sts:AssumeRole` to use their IAM role or user. Option D is wrong because the condition must be in the trust policy (the resource-based policy that controls who can assume the role), not in the role's permissions policy (which controls what the role can do after assumption); the `aws:PrincipalTag/ExternalId` condition does not exist as a standard condition key for this purpose.
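An added example, not from the question bank, of the trust policy that questions 78, 83 and 85 describe for the role in your account: it names one exact vendor role ARN as the principal, requires the agreed external ID, and requires a source identity so every assumed session carries an individual vendor user name into CloudTrail. The vendor account ID and role name are placeholders, the StringLike "*" test is an assumed pattern that works because the sts:SourceIdentity key is only present in the request when the caller sets one, and the role still needs a separate permissions policy for the S3 write.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyTheNamedVendorRoleWithExternalIdAndSourceIdentity",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::999999999999:role/PayrollVendorRole" },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringEquals": { "sts:ExternalId": "vendor-agreed-id" },
        "StringLike": { "sts:SourceIdentity": "*" }
      }
    }
  ]
}
```

A request from the named vendor role that omits either the external ID or a source identity fails the condition block and is refused at the STS AssumeRole step, before any S3 permission is evaluated.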

86
MCQ · easy

A single EC2 instance hosts a database that needs low-latency block storage and a persistent volume that remains attached to the instance. Which AWS storage service is the best fit?

A. Amazon S3
B. Amazon EBS
C. Amazon EFS
D. AWS Storage Gateway
Answer: B

EBS provides persistent block storage that can be attached to an EC2 instance with low latency.

Why this answer

Amazon EBS provides persistent block-level storage volumes that can be attached to a single EC2 instance, offering low-latency performance suitable for database workloads. Unlike ephemeral instance store volumes, EBS volumes persist independently of the instance's lifecycle, ensuring data durability even when the instance is stopped or terminated.

Exam trap

The trap here is confusing Amazon EBS with instance store volumes, where candidates might think instance store is persistent, but EBS is the correct choice for persistent block storage that survives instance stops and terminations.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service accessed via HTTP/HTTPS APIs, not a block storage device, and cannot be attached as a local volume to an EC2 instance for low-latency database operations. Option C is wrong because Amazon EFS is a file-level storage service using NFSv4.1, designed for shared access across multiple instances, not for low-latency block storage attached to a single instance. Option D is wrong because AWS Storage Gateway is a hybrid storage service that bridges on-premises environments with AWS cloud storage (e.g., via iSCSI or NFS), not a native block storage volume directly attachable to an EC2 instance.

87
MCQ · hard

An order processing API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A. Run a daily Lambda function to encrypt unencrypted volumes
B. Enable VPC Flow Logs
C. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
D. Tag encrypted volumes after creation
Answer: C

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option C is correct because Service Control Policies (SCPs) are a preventive control that can deny the ec2:CreateVolume API call when the encryption condition (ec2:Encrypted) is false. This ensures that no unencrypted EBS volumes can be created at the account level, regardless of IAM permissions. SCPs operate at the AWS Organizations root, OU, or account level and are evaluated before any IAM policies, making them the strongest preventive mechanism.

Exam trap

The trap here is confusing detective/reactive controls (like Lambda remediation) with preventive controls (like SCPs), leading candidates to choose a solution that fixes the problem after it occurs rather than blocking it entirely.

How to eliminate wrong answers

Option A is wrong because running a daily Lambda function to encrypt unencrypted volumes is a detective/reactive control, not a preventive one; it does not block the creation of unencrypted volumes and leaves a window of exposure. Option B is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) and have no ability to enforce encryption policies on EBS volumes; they are a monitoring tool, not a preventive control. Option D is wrong because tagging encrypted volumes after creation is a labeling action that does not prevent unencrypted volumes from being created; it is a detective or organizational control, not a preventive one.
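An added example, not from the question bank, of the SCP that questions 79 and 87 point to: a Deny on ec2:CreateVolume whenever the ec2:Encrypted request condition is false, attached at the organization root or an OU so that no IAM policy in a member account can override it. The Sid is a placeholder name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreationOfUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    }
  ]
}
```

This statement covers explicit CreateVolume calls only; volumes created as part of an ec2:RunInstances launch arrive through that other API call, so an organization-wide guardrail also turns on EBS encryption by default in each account and region.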

88
Multi-Select · medium

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must meet strict security and compliance requirements. The company needs to ensure that all data stored in DynamoDB is encrypted at rest using a customer-managed key, that the Lambda function can only access the specific DynamoDB table it needs, and that API requests are authenticated and authorized. Which of the following actions should the company take? (Choose four.)

Select 4 answers
A. Create an AWS KMS customer managed key and configure DynamoDB to use it for encryption at rest.
B. Attach an IAM role to the Lambda function with a policy that grants dynamodb:GetItem and dynamodb:PutItem actions on the specific DynamoDB table ARN.
C. Configure API Gateway to use an IAM authorizer to allow only authenticated AWS users or roles to invoke the API.
D. Store the customer managed key directly in the Lambda function's environment variables for easy access.
E. Enable DynamoDB Streams and configure the Lambda function to process stream records without any additional security configuration.
F. Use AWS KMS grants in the Lambda function's IAM policy to allow it to use the customer managed key for encryption operations.

Why this answer

Creating an AWS KMS customer managed key and configuring DynamoDB to use it for encryption at rest ensures that the data is encrypted using a key that the company controls, meeting strict compliance requirements. Attaching an IAM role to the Lambda function with a policy that grants only the necessary DynamoDB actions on the specific table ARN follows the principle of least privilege. Configuring API Gateway to use an IAM authorizer ensures that only authenticated AWS users or roles can invoke the API, providing authentication and authorization.

Using AWS KMS grants in the Lambda function's IAM policy allows the function to use the customer managed key for encryption operations, which is necessary for encrypting and decrypting data in DynamoDB when using client-side encryption or when the key is used for other cryptographic operations.

Exam trap

The trap here is that candidates may think storing the KMS key directly in environment variables is acceptable for 'easy access,' but AWS explicitly prohibits this due to security risks, and the exam tests understanding of proper key management via IAM policies and KMS grants.

89
Multi-Select · medium

A data lake stores raw files in a single Amazon S3 bucket that is shared by three internal analytics teams. Each team should access only its own prefix, and the company wants to eliminate ACL management because objects come from multiple producers. Which three changes should the architect make? Select three.

Select 3 answers
A. Create a separate S3 access point for each team and scope it to that team’s prefix.
B. Leave ACLs enabled so each producer can grant permissions directly on uploaded objects.
C. Set Object Ownership to Bucket owner enforced so ACLs are disabled.
D. Use bucket or access point policies to restrict access to the allowed principals and prefixes.
E. Make the bucket public and rely on application-layer authorization for data protection.
Answers: A, C, D

Access points let you expose different policy boundaries on the same bucket. They are a good fit when multiple teams need controlled access to different prefixes without creating separate buckets.

Why this answer

Option A is correct because S3 Access Points allow you to create separate access points scoped to specific prefixes within a shared bucket, enabling each analytics team to access only its own prefix without managing ACLs. This simplifies access control by using access point policies that restrict access to the allowed principals and prefixes, aligning with the requirement to eliminate ACL management.

Exam trap

The trap here is that candidates may think ACLs are necessary for multi-producer environments, but AWS recommends disabling ACLs and using bucket policies or access point policies with Object Ownership set to 'Bucket owner enforced' to simplify access control.

90
MCQ · medium

You use Amazon CloudFront in front of a private content S3 origin. To mitigate an OWASP Top 10 issue, you created a WAF web ACL and associated it to the CloudFront distribution, but attacks are still reaching the origin. CloudWatch logs show the web ACL rules never match for the CloudFront requests. What is the most likely configuration mistake?

A. The WAF web ACL intended for CloudFront must be created in the us-east-1 (N. Virginia) region (CloudFront scope), even if the rest of the stack is in another region.
B. WAF rules only evaluate requests after they reach the origin, so the absence of matches means the origin is blocking traffic first.
C. For CloudFront, you must use a regional WAF endpoint and cannot use a global web ACL.
D. WAF web ACL rules never apply to signed URLs or signed cookies, so the web ACL is bypassed by design.
Answer: A

CloudFront-scoped WAF web ACLs use a global scope that is provisioned/managed in us-east-1. Creating the web ACL in the wrong region (or with the wrong scope) prevents CloudFront from evaluating the expected web ACL rules, which would lead to no rule matches in logs.

Why this answer

When using AWS WAF with CloudFront, the web ACL must be created in the US East (N. Virginia) region (us-east-1) because CloudFront is a global service that only supports WAF web ACLs with a global scope, which are always defined in us-east-1. If the web ACL is created in any other region, it will be a regional web ACL and cannot be associated with a CloudFront distribution, causing the rules to never be evaluated against incoming requests.

This explains why CloudWatch logs show no rule matches—the web ACL is effectively not attached to the CloudFront distribution.

Exam trap

The trap here is that candidates assume WAF web ACLs can be created in any region for CloudFront, not realizing that CloudFront requires a global-scope web ACL that must be created in us-east-1, regardless of where the origin or other resources reside.

How to eliminate wrong answers

Option B is wrong because WAF rules evaluate requests at the edge before they reach the origin; the absence of matches indicates the web ACL is not being applied, not that the origin is blocking traffic. Option C is wrong because for CloudFront, you must use a global web ACL (created in us-east-1), not a regional WAF endpoint—regional endpoints are for Application Load Balancers, API Gateway, or other regional services. Option D is wrong because WAF web ACL rules do apply to requests using signed URLs or signed cookies; signed URLs/cookies control access to the content but do not bypass WAF inspection.

91
MCQmedium

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

A.Enable KMS automatic key rotation for the customer-managed key in account B.
B.Update the KMS key policy in account B to allow the instance role’s principal from account A to call kms:Decrypt and kms:CreateGrant.
C.Attach the key policy as an IAM permissions policy to the instance role in account A only; key policies are not evaluated cross-account.
D.Disable encryption on the EBS volume until authorization is fixed, then re-enable encryption after mount.
AnswerB

Customer-managed KMS keys use resource-based key policies to control cross-account usage. Even if the IAM role in account A has kms:Decrypt permissions, the account B key policy must also allow that principal to use the key. Including kms:Decrypt (and often kms:CreateGrant) resolves cross-account mount authorization.

Why this answer

The instance role in account A has an IAM policy allowing kms:Decrypt on the key ARN, but cross-account KMS access requires the key policy in account B to explicitly grant the external principal (the instance role's ARN) the necessary permissions. Without a key policy statement allowing kms:Decrypt and kms:CreateGrant for the account A role, KMS will deny the decryption request, causing the mount to fail. Option B correctly identifies that the key policy in account B must be updated to authorize the cross-account principal.

Exam trap

The trap here is that candidates assume an IAM policy on the instance role is sufficient for cross-account KMS access, but KMS requires the key policy in the owning account to explicitly authorize the external principal, as IAM policies alone cannot grant cross-account permissions.

How to eliminate wrong answers

Option A is wrong because enabling automatic key rotation does not grant cross-account permissions; it only rotates the key material periodically. Option C is wrong because IAM policies alone cannot authorize cross-account access to a KMS key; the key policy in the owning account must explicitly allow the external principal. Option D is wrong because disabling encryption on an encrypted EBS volume is not supported; you cannot toggle encryption on an existing volume, and the underlying authorization issue must be resolved via key policy updates.

92
Multi-Selecthard

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Select 3 answers
A.Create an S3 gateway VPC endpoint and associate it with the private subnets' route tables.
B.Add a bucket policy that denies requests when aws:SecureTransport is false.
C.Add a bucket policy condition that requires SSE-KMS using the approved CMK for uploads.
D.Deploy a NAT Gateway in each Availability Zone and route artifact traffic through it.
E.Use the S3 static website endpoint because it automatically enforces HTTPS.
AnswersA, B, C

A gateway endpoint lets private instances reach S3 without traversing a NAT Gateway. This reduces cost while keeping the traffic on the AWS network path.

Why this answer

Option A is correct because creating an S3 gateway VPC endpoint allows EC2 instances in private subnets to access S3 without traversing the internet, eliminating the need for a NAT Gateway and its associated costs. The endpoint uses AWS’s internal network, and associating it with the private subnets' route tables ensures traffic to S3 is routed through the endpoint.

Exam trap

The trap here is that candidates often assume a NAT Gateway is required for private subnet internet access, but an S3 gateway VPC endpoint provides direct, cost-free connectivity to S3 without internet routing.
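As an added example (not code from the question bank), here is one way to express changes B and C as a bucket policy, together with a simplified checker that applies the Deny statements to constructed sample upload requests. The bucket and key ARNs are placeholders, and the checker models only the Bool and StringNotEquals operators, not the full IAM evaluation logic.

```python
"""S3 bucket policy that denies non-TLS requests and uploads that do not use
SSE-KMS with the approved customer managed key. Constructed example: the
bucket and key ARNs below are placeholders, not values from a real account."""

BUCKET_ARN = "arn:aws:s3:::build-artifacts-example"  # placeholder bucket
APPROVED_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Change B: refuse any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Change C, part 1: uploads must request SSE-KMS. With a negated
            # operator a missing header also matches, so unencrypted and
            # SSE-S3 (AES256) uploads are both denied.
            "Sid": "DenyUploadsWithoutSseKms", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Change C, part 2: the SSE-KMS key must be the approved CMK.
            "Sid": "DenyUploadsWithUnapprovedKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_CMK_ARN}},
        },
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action match with a trailing wildcard (case-insensitive)."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against request context keys.

    Simplified model: only Bool and StringNotEquals are supported. A key that
    is absent from the context matches StringNotEquals (AWS semantics for
    negated operators) but never matches Bool.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def denied_by(policy: dict, action: str, context: dict) -> list[str]:
    """Sids of Deny statements that block the request. An empty list means
    this policy does not deny it; an Allow must still come from elsewhere,
    for example the CI instance role's identity policy."""
    return [
        s["Sid"] for s in policy["Statement"]
        if s["Effect"] == "Deny"
        and _action_matches(s["Action"], action)
        and _condition_matches(s["Condition"], context)
    ]


# Constructed sample request contexts as a CI runner might produce them.
SAMPLE_REQUESTS = {
    "plain_http_upload": {"aws:SecureTransport": "false",
                          "s3:x-amz-server-side-encryption": "aws:kms",
                          "s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_CMK_ARN},
    "tls_sse_s3_upload": {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "AES256"},
    "tls_wrong_key_upload": {"aws:SecureTransport": "true",
                             "s3:x-amz-server-side-encryption": "aws:kms",
                             "s3:x-amz-server-side-encryption-aws-kms-key-id":
                                 "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
    "compliant_upload": {"aws:SecureTransport": "true",
                         "s3:x-amz-server-side-encryption": "aws:kms",
                         "s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_CMK_ARN},
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        print(name, "->", denied_by(BUCKET_POLICY, "s3:PutObject", ctx) or "not denied")
```

The gateway endpoint from change A is a routing change and needs no policy statement; if you also want to pin uploads to the endpoint, that is a separate aws:SourceVpce condition not shown here.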

93
MCQeasy

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

A.Use an IAM permission boundary on roles/users that developers create, so the developers’ effective permissions are capped by the boundary policy.
B.Rely only on their IAM managed policies and instruct developers to self-check against internal guidelines.
C.Use a service control policy (SCP) that applies only to the developers’ IAM users in the account.
D.Use a KMS key policy to restrict IAM actions, because IAM actions can be controlled with KMS.
AnswerA

Permission boundaries constrain the maximum permissions that an identity can receive. Even if developers attach an identity policy that allows broader actions, the effective permissions are limited to the intersection of the identity policy and the boundary.

Why this answer

IAM permission boundaries are the correct mechanism because they allow a developer to create IAM roles or users, but explicitly cap the maximum permissions those entities can have. The boundary policy acts as a ceiling, so even if a developer attaches a permissive managed policy, the effective permissions are the intersection of the boundary and the attached policy. This directly enforces the requirement that developers cannot grant themselves permissions beyond a specific limit.

Exam trap

The trap here is confusing service control policies (SCPs) with permission boundaries, as both can limit permissions, but SCPs apply account-wide and cannot be selectively applied to only developers' IAM users, while permission boundaries are attached directly to the IAM entity.

How to eliminate wrong answers

Option B is wrong because relying on self-checking against internal guidelines is a manual process with no technical enforcement, so developers could easily grant themselves excessive permissions. Option C is wrong because service control policies (SCPs) apply to all IAM users and roles in an AWS account (or OU) and cannot be scoped to only a subset of IAM users; they also do not prevent a developer from creating a new user or role without a boundary. Option D is wrong because KMS key policies control access to cryptographic operations on KMS keys, not IAM actions; IAM actions are governed by IAM policies, not KMS.

94
MCQmedium

A mobile app reads the same product catalog items repeatedly throughout the day. The DynamoDB table is already properly keyed, but read latency is still a problem during sales events. The team can tolerate eventually consistent reads and wants the least disruptive change. What should they add?

A.Add a global secondary index for every frequently viewed product attribute.
B.Enable DynamoDB Accelerator to cache frequently accessed items in memory.
C.Switch the table to on-demand capacity mode to reduce latency.
D.Move the catalog to Aurora and use a read replica for every region.
AnswerB

DynamoDB Accelerator, or DAX, is the best fit for repeated reads of the same items when eventual consistency is acceptable. It provides an in-memory cache in front of DynamoDB and can dramatically reduce read latency for hot catalog items during traffic spikes. Because the table schema is already sound, DAX adds performance without forcing a redesign of keys or access patterns.

Why this answer

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache that reduces read latency for frequently accessed items by orders of magnitude, from single-digit milliseconds to microseconds. Since the team can tolerate eventually consistent reads, DAX is ideal because it caches read results and serves them without additional DynamoDB read capacity consumption, making it the least disruptive change — no schema changes or application rewrites are required.

Exam trap

The trap here is that candidates often confuse throughput scaling (on-demand capacity) with latency reduction, or they over-engineer the solution by migrating to a different database when a simple caching layer (DAX) is the least disruptive and most cost-effective fix.

How to eliminate wrong answers

Option A is wrong because adding a global secondary index for every frequently viewed attribute does not reduce read latency for existing queries; it only provides alternative access patterns and increases write costs and storage. Option C is wrong because switching to on-demand capacity mode handles traffic spikes but does not reduce per-request latency; it only eliminates capacity planning, not the inherent read latency of DynamoDB. Option D is wrong because moving the catalog to Aurora with read replicas is a massive architectural change that introduces relational overhead, increases complexity, and is far more disruptive than adding a caching layer; it also does not leverage the existing DynamoDB investment.

95
MCQmedium

A claims portal stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

A.S3 server access logging
B.S3 versioning only
C.S3 Object Lock in compliance mode with an appropriate retention period
D.S3 lifecycle expiration after seven years
AnswerC

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

C is correct because S3 Object Lock in compliance mode enforces a write-once-read-many (WORM) model that prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance team's requirement that logs cannot be altered or removed for seven years, as compliance mode provides the highest level of protection and cannot be bypassed or shortened.

Exam trap

The trap here is that candidates often confuse versioning (which only preserves history but allows deletion via delete markers) with Object Lock's ability to enforce immutability, or they mistakenly think server access logging or lifecycle policies can prevent data modification.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket (audit trail), but does not prevent overwrites or deletions of existing objects. Option B is wrong because S3 versioning alone preserves previous versions of objects but does not prevent deletion of the current version or overwriting of object data; a delete marker can still be placed, and objects can be permanently deleted if versioning is suspended. Option D is wrong because S3 lifecycle expiration after seven years would automatically delete objects after that period, but it does not prevent premature deletion or overwriting before the seven-year mark.

96
Multi-Selectmedium

A data lake stores raw files in a single Amazon S3 bucket that is shared by three internal analytics teams. Each team should access only its own prefix, and the company wants to eliminate ACL management because objects come from multiple producers. Which three changes should the architect make? Select three.

Select 3 answers
A.Create a separate S3 access point for each team and scope it to that team’s prefix.
B.Leave ACLs enabled so each producer can grant permissions directly on uploaded objects.
C.Set Object Ownership to Bucket owner enforced so ACLs are disabled.
D.Use bucket or access point policies to restrict access to the allowed principals and prefixes.
E.Make the bucket public and rely on application-layer authorization for data protection.
AnswersA, C, D

Access points let you expose different policy boundaries on the same bucket. They are a good fit when multiple teams need controlled access to different prefixes without creating separate buckets.

Why this answer

Option A is correct because S3 Access Points allow you to create network endpoints with dedicated access policies scoped to specific prefixes. By creating one access point per team and restricting each to its own prefix, you enforce team-level isolation without managing ACLs on individual objects.

Exam trap

The trap here is that candidates may think ACLs are necessary for multi-producer scenarios, but AWS recommends disabling ACLs and using bucket policies or access point policies with 'Bucket owner enforced' to centralize access control.

97
MCQmedium

A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A.Enable S3 Transfer Acceleration
B.Create an IAM policy that denies s3:GetObject to anonymous users
C.Enable S3 Block Public Access at the account or bucket level
D.Enable server access logging on the bucket
AnswerC

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option C is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects regardless of other policies. When enabled at the account or bucket level, it blocks all public access settings, including those from bucket policies, access control lists (ACLs), or object ACLs, ensuring that even if a developer later adds an overly broad bucket policy, the objects remain private. This is the only mechanism that cannot be overridden by a bucket policy, making it the appropriate choice for a strict no-public-access requirement.

Exam trap

The trap here is that candidates often choose an IAM policy (Option B) thinking it can block public access, but they miss that bucket policies can grant permissions to anonymous users independently of IAM, making S3 Block Public Access the only guaranteed safeguard.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations and has no effect on access control or public accessibility. Option B is wrong because an IAM policy that denies s3:GetObject to anonymous users only applies to IAM principals; it does not block access granted by a bucket policy that explicitly allows public access, as bucket policies can grant permissions to anonymous principals (e.g., `"Principal": "*"`) independently of IAM. Option D is wrong because server access logging records requests made to the bucket for auditing purposes but does not enforce any access restrictions or prevent public access.

98
Multi-Selectmedium

An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.

Select 2 answers
A.Attach the approved permissions boundary to every role created by the teams.
B.Use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified.
C.Use an S3 bucket policy to prevent the roles from gaining extra privileges.
D.Rely on a role trust policy to limit the permissions the role can have.
E.Use a session policy attached to one assumed-role session to enforce the ceiling permanently.
AnswersA, B

A permissions boundary caps the maximum permissions a role can ever receive, even if the role's inline or managed policies are broader. It is the right mechanism for defining a permission ceiling.

Why this answer

Option A is correct because a permissions boundary is an IAM feature that sets the maximum permissions a role can have. By attaching an approved permissions boundary to every newly created role, the organization enforces a permission ceiling that cannot be exceeded, even if the role has additional policies attached. This directly meets the requirement of keeping roles within an approved ceiling.

Exam trap

The trap here is that candidates may think a session policy or trust policy can permanently restrict permissions, but session policies are temporary and trust policies only control who can assume the role, not the role's maximum permissions.
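As an added example serving both this question and question 93 (not code from the question bank), here is an approved permissions boundary, a deliberately broad policy a developer attached to a new role, and an SCP that enforces the boundary, with a simplified Python evaluator showing the resulting intersection. The account id and ARNs are placeholders; the iam:DeleteRolePermissionsBoundary deny goes beyond option B's wording to cover the "must not remove it later" requirement; Resource matching and explicit identity-policy denies are not modelled.

```python
"""Permission boundary plus SCP guardrails, with a simplified evaluator.
Constructed example: the account id and policy ARNs are placeholders."""
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"  # placeholder member account
APPROVED_BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/ApprovedDeveloperBoundary"

# The ceiling: the most any team-created role may ever do.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "logs:*",
                   "dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "*",
    }],
}

# What a developer actually attached to the new role (far broader).
DEVELOPER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*", "logs:*"],
                   "Resource": "*"}],
}

# SCP on the OU: creating a role or changing its boundary must name the
# approved boundary, and the boundary can never be removed.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireApprovedBoundary", "Effect": "Deny",
            "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "iam:PermissionsBoundary": APPROVED_BOUNDARY_ARN}},
        },
        {   # Added beyond option B's wording: keeps teams from lifting the ceiling.
            "Sid": "PreventBoundaryRemoval", "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy: dict, action: str) -> bool:
    """True if any Allow statement's action pattern matches the action
    (IAM wildcards only; Resource and explicit Deny are not modelled)."""
    return any(
        fnmatchcase(action.lower(), pattern.lower())
        for s in policy["Statement"] if s["Effect"] == "Allow"
        for pattern in _as_list(s["Action"])
    )


def effective_allow(identity_policy: dict, boundary: dict, action: str) -> bool:
    """A boundary grants nothing by itself; the effective permission is the
    intersection of the identity policy and the boundary."""
    return policy_allows(identity_policy, action) and policy_allows(boundary, action)


def scp_denies(scp: dict, action: str, request_context: dict) -> list[str]:
    """Sids of SCP Deny statements that match the request. StringNotEquals
    with an absent context key matches, so a CreateRole call that names no
    boundary at all is denied just like one naming the wrong boundary."""
    hits = []
    for s in scp["Statement"]:
        if s["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(s["Action"])):
            continue
        conditions = s.get("Condition", {}).get("StringNotEquals", {})
        if all(request_context.get(key) != value for key, value in conditions.items()):
            hits.append(s["Sid"])
    return hits


if __name__ == "__main__":
    for action in ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"]:
        print(action, "effective:", effective_allow(DEVELOPER_ROLE_POLICY, BOUNDARY_POLICY, action))
    print("CreateRole without boundary denied by:", scp_denies(SCP, "iam:CreateRole", {}))
```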

99
Multi-Selectmedium

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Select 2 answers
A.Create an S3 gateway VPC endpoint and update the route tables for the private subnets.
B.Place a NAT gateway in the public subnet so the private instances can reach AWS services.
C.Create an interface VPC endpoint for AWS Secrets Manager and allow the workload security group to reach it.
D.Assign public IPv4 addresses to the instances and restrict them with security groups.
E.Use VPC peering to the AWS service endpoints instead of VPC endpoints.
AnswersA, C

An S3 gateway endpoint provides private access to S3 without sending traffic over the internet. It is the correct endpoint type for S3 and integrates through route tables.

Why this answer

Option A is correct because an S3 gateway VPC endpoint allows private subnet instances to access S3 via AWS's private network without needing internet access or a NAT gateway. The endpoint uses route table entries to direct S3 traffic through the gateway, which is a horizontally scaled, redundant component that does not require public IPs.

Exam trap

The trap here is that candidates often confuse gateway VPC endpoints (which work only for S3 and DynamoDB) with interface VPC endpoints (which work for most other AWS services), and may incorrectly assume a NAT gateway is required for all private subnet outbound traffic.

100
Multi-Selecthard

A company runs a steady inventory API on AWS Fargate and AWS Lambda during the day, plus a nightly batch render farm on EC2 that can be interrupted and retried. The finance team wants the lowest predictable discount for the always-on compute and the lowest possible cost for the batch jobs. Which two purchasing choices should the architect recommend? Select two.

Select 2 answers
A.Purchase a Compute Savings Plan for the steady Fargate and Lambda usage.
B.Purchase Standard Reserved Instances for the steady Fargate and Lambda usage.
C.Run the batch render farm on Spot Instances.
D.Use On-Demand Instances for the batch render farm to avoid interruptions.
E.Move the render farm to Dedicated Hosts to improve price predictability.
AnswersA, C

Compute Savings Plans apply across EC2, Fargate, Lambda, and other supported compute services, so they fit steady mixed compute well.

Why this answer

Option A is correct because a Compute Savings Plan offers the lowest predictable discount (up to 66% compared to On-Demand) and automatically applies to Fargate and Lambda usage, covering the always-on inventory API without requiring instance family or region commitments. This provides flexibility while still delivering significant savings over On-Demand pricing.

Exam trap

The trap here is that candidates often confuse Reserved Instances (which apply only to EC2) with Savings Plans (which cover Fargate and Lambda), leading them to select Standard Reserved Instances for serverless workloads, which is incorrect.

101
Multi-Selecthard

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A.A larger KMS key rotation period
B.A key policy that limits key administrators and key users
C.IAM policies that grant kms:Decrypt only to required application roles
D.S3 Transfer Acceleration
AnswersB, C

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a KMS key policy explicitly defines which principals (IAM users, roles, or AWS accounts) are allowed to administer or use the key. By limiting key administrators and key users in the key policy, you prevent unauthorized principals from accidentally invoking KMS operations on the key, even if they have broad IAM permissions. This is a fundamental resource-based control that overrides any IAM policy that would otherwise grant access.

Exam trap

The trap here is that candidates often confuse key rotation (a cryptographic hygiene control) with access control, or they think S3 Transfer Acceleration somehow affects KMS authorization, when in reality it only optimizes network transfer performance.
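As an added example serving both this question and question 91 (not code from the question bank), here is a key policy that names separate administrator and user principals in the owning account and grants a cross-account instance role kms:Decrypt plus service-scoped kms:CreateGrant, with a simplified Python evaluator showing that the consumer account's identity policy alone does not authorize the call. Account ids, role names and the key id are placeholders; explicit denies and KMS grants are not modelled.

```python
"""KMS key policy separating key administrators from key users and granting a
cross-account instance role decrypt access, with a simplified evaluator.
Constructed example: account ids, role names and the key id are placeholders."""
from fnmatch import fnmatchcase

KEY_OWNER_ACCOUNT = "222233334444"   # placeholder: account B, owns the key
CONSUMER_ACCOUNT = "111122223333"    # placeholder: account A, runs the instance
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_OWNER_ACCOUNT}:key/EXAMPLE-KEY-ID"
KEY_ADMIN_ROLE = f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:role/KeyAdministrators"
KEY_USER_ROLE = f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:role/OrderProcessingApi"
INSTANCE_ROLE = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/AppInstanceRole"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Administrators manage the key but get no Encrypt/Decrypt.
            "Sid": "KeyAdministrators", "Effect": "Allow",
            "Principal": {"AWS": KEY_ADMIN_ROLE},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {   # Key users in the owning account: cryptographic operations only.
            "Sid": "KeyUsers", "Effect": "Allow",
            "Principal": {"AWS": KEY_USER_ROLE},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {   # Cross-account: the specific instance role in account A may decrypt.
            "Sid": "CrossAccountDecrypt", "Effect": "Allow",
            "Principal": {"AWS": INSTANCE_ROLE},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
        {   # EBS creates a grant when the volume is attached; allow CreateGrant
            # only when an AWS service is the grantee.
            "Sid": "CrossAccountGrantsForAwsResources", "Effect": "Allow",
            "Principal": {"AWS": INSTANCE_ROLE},
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ],
}

# Identity policy attached to the instance role in the consumer account.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"],
                   "Resource": KEY_ARN}],
}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _match(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def key_policy_allows(policy, principal_arn, action, context=None):
    """Simplified: the principal must be named exactly (or via its account
    root), the action must match, and any Bool condition must be satisfied."""
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    context = context or {}
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or not _match(action, s["Action"]):
            continue
        principals = _as_list(s["Principal"]["AWS"])
        if principal_arn not in principals and account_root not in principals:
            continue
        bools = s.get("Condition", {}).get("Bool", {})
        if all(context.get(k, "").lower() == v for k, v in bools.items()):
            return True
    return False


def identity_policy_allows(policy, action, resource_arn):
    return any(s["Effect"] == "Allow" and _match(action, s["Action"])
               and (resource_arn in _as_list(s["Resource"]) or "*" in _as_list(s["Resource"]))
               for s in policy["Statement"])


def request_allowed(key_policy, identity_policy, principal_arn, action, context=None):
    """Both layers must allow the call, which is why an identity policy alone
    produces AccessDenied for a cross-account principal."""
    return (key_policy_allows(key_policy, principal_arn, action, context)
            and identity_policy_allows(identity_policy, action, KEY_ARN))
```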

102
MCQeasy

You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?

A.Use AWS WAF regional scope (associate the web ACL with the ALB resource)
B.Use AWS WAF CloudFront (global) scope and associate the web ACL with the ALB
C.Use AWS Shield Advanced and rely on it to inspect payloads for SQL injection and XSS
D.Use security groups only, because they can detect SQL injection patterns in HTTP requests
AnswerA

ALBs are regional resources. When you protect an ALB without CloudFront, you should use the regional WAF scope and associate the web ACL directly with the ALB, so WAF can inspect incoming requests destined for that ALB.

Why this answer

AWS WAF offers two deployment scopes: regional and CloudFront (global). Since the application is using an Application Load Balancer (ALB) without CloudFront, you must choose the regional scope. This allows you to associate the web ACL directly with the ALB resource, enabling AWS WAF to inspect HTTP/HTTPS requests for common web exploits like SQL injection and cross-site scripting (XSS) at the regional endpoint.

Exam trap

The trap here is that candidates may assume AWS WAF always requires CloudFront or that Shield Advanced provides application-layer inspection, but the exam tests the specific requirement that regional WAF is the only option for ALB without CloudFront.

How to eliminate wrong answers

Option B is wrong because AWS WAF CloudFront (global) scope can only be associated with Amazon CloudFront distributions, not with an ALB directly; attempting to associate a global web ACL with an ALB is not supported. Option C is wrong because AWS Shield Advanced provides DDoS protection and does not inspect application-layer payloads for SQL injection or XSS; that is the function of AWS WAF. Option D is wrong because security groups operate at the network layer (Layer 3/4) and cannot inspect HTTP request payloads or detect application-layer attack patterns like SQL injection or XSS.

103
MCQhard

A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.

A.Store the database password in user data
B.IAM database authentication for RDS with an EC2 instance role
C.Use a security group rule that allows only application instances
D.Embed the database password in the AMI
AnswerB

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS allows EC2 instances to authenticate to PostgreSQL using a short-lived token generated via the IAM instance profile, eliminating the need to store credentials on the instance. The token is obtained by calling the RDS generate_db_auth_token API with the instance's IAM role, and it is valid for 15 minutes by default. This approach satisfies the requirement for short-lived credentials and avoids custom operational scripts.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with authentication mechanisms, or assume that storing credentials in user data or AMIs is acceptable because they are 'hidden' from the OS, when in fact they are still long-lived and accessible via metadata or AMI inspection.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data leaves it in plaintext on the instance metadata, which is accessible to any process or user with access to the instance, and it does not provide short-lived credentials. Option C is wrong because security group rules only control network access at the transport layer; they do not handle authentication or credential management, so credentials would still need to be stored on the instance. Option D is wrong because embedding the database password in the AMI hard-codes a long-lived credential into the image, which violates the requirement to avoid storing credentials on EC2 and does not provide short-lived credentials.

104
Multi-Selecthard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The business wants to avoid a reactive-only remediation approach.

Select 2 answers
A.Interface VPC endpoint for Systems Manager
B.Internet gateway attached to the VPC
C.NAT gateway in each Availability Zone
D.Gateway VPC endpoint for Amazon S3
AnswersA, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

An Interface VPC endpoint for Systems Manager (using AWS PrivateLink) allows the private application to securely read parameters from Parameter Store without traversing the internet. A Gateway VPC endpoint for S3 provides a private, highly available route to download objects from S3 using the S3 service's prefix list and route table entries, avoiding NAT or internet gateways. Together, these endpoints ensure all traffic stays within the AWS network, meeting the requirement to avoid public internet routing.

Exam trap

The trap here is that candidates often confuse Gateway VPC endpoints (which only work for S3 and DynamoDB) with Interface VPC endpoints (which work for many AWS services like Systems Manager), and they may incorrectly select NAT gateways as a 'private' solution, not realizing NAT gateways still require an internet gateway and public IPs, making them a reactive, internet-dependent approach.

105
MCQmedium

A team runs an application on Amazon EC2 that connects to an Aurora database. The database password must rotate automatically every 30 days, and the application should retrieve the current secret at runtime using an IAM role. Which AWS service is the best fit?

A.AWS Systems Manager Parameter Store standard parameters.
B.AWS Secrets Manager with rotation enabled.
C.AWS KMS, because KMS stores credentials and rotates them automatically.
D.Amazon S3 with server-side encryption and versioning.
AnswerB

Secrets Manager is designed for secure secret storage with built-in rotation support and fine-grained access through IAM. In this case, the application can retrieve the current database credentials at runtime with its EC2 role, while the secret is rotated on a schedule without embedding passwords in code. This reduces operational risk, improves auditability, and avoids manual password changes that often cause outages.

Why this answer

AWS Secrets Manager is the best fit because it natively supports automatic rotation of database credentials on a schedule (e.g., every 30 days) and integrates directly with Amazon RDS/Aurora to update the password. The application can retrieve the current secret at runtime using an IAM role attached to the EC2 instance, without hardcoding credentials. Secrets Manager also provides built-in secret rotation with Lambda, ensuring zero downtime during password changes.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, or incorrectly assume KMS can store and rotate credentials because it handles encryption keys.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store standard parameters do not support automatic rotation of secrets; they are designed for static configuration data and require custom automation to rotate passwords. Option C is wrong because AWS KMS is a key management service for encryption keys, not a service for storing or rotating credentials; it does not store secrets or provide rotation capabilities. Option D is wrong because Amazon S3 with server-side encryption and versioning is a storage service that lacks native rotation scheduling and secret retrieval via IAM roles; it would require custom application logic to manage password rotation and retrieval, adding complexity and security risks.

106
Matchinghard

Match each database availability event to the AWS failover behavior that best describes it.


The standby in another Availability Zone is promoted, and the same database endpoint remains in use after a brief reconnect.

Aurora promotes another healthy instance to writer while the shared storage layer stays intact across Availability Zones.

A manual failover can be triggered so the standby becomes primary before the reboot finishes.

Only that reader is removed from the reader set; the cluster can still serve read traffic through the remaining healthy readers.

Why these pairings

Multi-AZ RDS automatically fails over to standby; read replicas require manual redirect; Aurora uses replicas for failover; without replicas, Aurora recovers in-place.

107
MCQmedium

A Lambda function for a claims portal needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A.AWS Systems Manager Parameter Store SecureString without automation
B.An encrypted object in Amazon S3
C.A KMS-encrypted Lambda environment variable
D.AWS Secrets Manager with rotation enabled
AnswerD

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, automatically rotating, and managing secrets like database passwords. It supports automatic rotation every 30 days via a built-in Lambda rotation function, and it avoids storing the password in environment variables, which are visible in the Lambda console and logs.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, assuming Parameter Store can also handle automatic rotation, but Parameter Store lacks native rotation capabilities and requires custom automation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store SecureString can store encrypted secrets but does not support automatic rotation without additional custom automation (e.g., a scheduled Lambda function). Option B is wrong because an encrypted object in Amazon S3 requires manual management of encryption keys and rotation, and the Lambda function would need to download and decrypt the object each time, adding complexity and latency. Option C is wrong because a KMS-encrypted Lambda environment variable, while encrypted at rest, is still stored as an environment variable that can be exposed in the Lambda function's configuration, logs, or error messages, and it does not support automatic rotation.

108
MCQmedium

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

A.Create a Gateway VPC endpoint for S3 and associate it with the private subnet route tables that contain the instances.
B.Replace the security group egress rule to allow all outbound traffic to 0.0.0.0/0 on TCP 443.
C.Add an Internet Gateway to the VPC and route the private subnet’s 0.0.0.0/0 to the IGW.
D.Switch from network ACLs to security groups by removing the existing NACL allow rules for ephemeral ports.
AnswerA

S3 connectivity without NAT typically requires a Gateway VPC endpoint. For a gateway endpoint, you must update the route tables to direct S3 traffic to the endpoint. If DynamoDB works but S3 times out, it often means DynamoDB has the required endpoint while S3 is missing or not routed via the correct route tables.

Why this answer

The application runs in private subnets without a NAT Gateway, so it cannot reach the internet. A Gateway VPC Endpoint for S3 allows private subnet instances to access S3 over the AWS network without internet connectivity. The security group already permits outbound TCP 443 to the endpoint addresses, so the missing piece is the route table association that directs S3 traffic to the endpoint.

Exam trap

The trap here is that candidates often assume a security group egress rule to 0.0.0.0/0 is sufficient, forgetting that private subnets without a NAT Gateway have no internet path, so the traffic is silently dropped.

How to eliminate wrong answers

Option B is wrong because allowing all outbound traffic to 0.0.0.0/0 on TCP 443 does not help; the instances are in private subnets with no internet path, so traffic to the internet will still be dropped. Option C is wrong because adding an Internet Gateway and routing 0.0.0.0/0 to it would require a NAT Gateway or assigning public IPs to the instances, which is not mentioned and would break the private subnet design. Option D is wrong because network ACLs are stateless and must allow ephemeral ports for return traffic, but the issue is about outbound connectivity to S3, not NACL misconfiguration; security groups already handle stateful filtering.

109
MCQmedium

An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains "purpose" = "myapp-secrets". After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?

A.Update the application code to supply the correct encryption context "purpose" = "myapp-secrets" when calling decrypt (and encrypt if rotating).
B.Add kms:Decrypt to the IAM role attached to the application without changing the key policy.
C.Disable the encryption context condition in the KMS key policy to avoid future failures.
D.Rotate the KMS key immediately and re-encrypt all secrets with a different key ID.
AnswerA

If the KMS key policy enforces an encryption context match, decrypt must provide the same context keys and values used during encryption. Aligning the encryption context fixes policy enforcement without weakening the key policy.

Why this answer

Option A is correct because the decryption failure is directly caused by the application not supplying the required encryption context in the decrypt call. The KMS key policy condition explicitly requires the encryption context to include 'purpose'='myapp-secrets' for kms:Decrypt. Without this context, the request is denied regardless of IAM permissions.

Updating the application code to pass the correct encryption context during both encrypt and decrypt operations resolves the issue.

Exam trap

The trap here is that candidates may think IAM permissions alone can override key policy conditions, but KMS requires both IAM and key policy to allow an action, and conditions in the key policy are evaluated strictly.

How to eliminate wrong answers

Option B is wrong because adding kms:Decrypt to the IAM role does not override the key policy condition; KMS requires both IAM permissions and key policy to allow the action, and the key policy condition explicitly denies decryption without the correct encryption context. Option C is wrong because disabling the encryption context condition weakens security by removing a critical access control that ensures only authorized applications with the correct context can decrypt data. Option D is wrong because rotating the KMS key does not address the root cause—the encryption context mismatch—and re-encrypting with a different key ID would still fail if the application does not supply the required context.

110
Multi-Selectmedium

A company is hosting a web application on Amazon ECS Fargate behind an Application Load Balancer. The application needs to authenticate users using Amazon Cognito and store session data in Amazon ElastiCache for Redis. The security team mandates that all traffic between the ALB and ECS tasks must not traverse the public internet, and that session data in ElastiCache is encrypted at rest. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
A.Configure the ALB to be internal-facing and place the ECS tasks in public subnets.
B.Deploy the ECS tasks in private subnets and configure the ALB as an internal load balancer.
C.Enable encryption at rest on the ElastiCache for Redis cluster using a customer-managed key in AWS KMS.
D.Use a security group on the ECS tasks that allows inbound traffic only from the ALB's security group.
E.Place the ECS tasks in a public subnet and use network ACLs to block inbound traffic from the internet.
F.Configure the ElastiCache cluster to use in-transit encryption only.
AnswersB, C, D

Why this answer

Deploying ECS tasks in private subnets with an internal ALB ensures traffic between the ALB and tasks does not traverse the public internet, as internal load balancers have only private IP addresses. Enabling encryption at rest on ElastiCache for Redis with a customer-managed KMS key meets the security mandate for encrypted session data. Using a security group on ECS tasks that allows inbound traffic only from the ALB's security group provides a precise, stateful firewall rule that enforces the traffic flow restriction.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' with 'in-transit encryption' or think that placing tasks in public subnets with network ACLs is sufficient to prevent public internet traffic, but network ACLs are stateless and cannot guarantee traffic only from the ALB, and public subnets still have a route to the internet gateway.

111
MCQeasy

A team runs a CPU-intensive image processing service on Amazon EC2. The service spends most of its time resizing and compressing images, and the team wants the best price-performance starting point for compute-heavy work. Which EC2 instance family should they choose?

A.Memory optimized instances
B.Compute optimized instances
C.Storage optimized instances
D.General purpose instances
AnswerB

Compute optimized instances are designed for workloads that need strong CPU performance and efficient compute price-performance.

Why this answer

Compute optimized instances (C family) are designed for workloads that benefit from high-performance processors, such as batch processing, media transcoding, and image processing. Since the team's service is CPU-intensive (resizing and compressing images), the C family provides the best price-performance starting point for compute-heavy work.

Exam trap

The trap here is that candidates may confuse 'CPU-intensive' with 'memory-intensive' or 'storage-intensive' and choose a general purpose instance (D) thinking it is a safe default, but the question specifically asks for the best price-performance starting point for compute-heavy work, which is the compute optimized family.

How to eliminate wrong answers

Option A is wrong because memory optimized instances (R, X families) are designed for workloads that require large amounts of memory, such as in-memory databases or real-time big data analytics, not CPU-intensive image processing. Option C is wrong because storage optimized instances (I, D families) are designed for workloads that require high sequential read/write access to large datasets on local storage, such as data warehousing or distributed file systems, not CPU-bound tasks. Option D is wrong because general purpose instances (M, T families) offer a balanced mix of compute, memory, and networking, but for CPU-intensive workloads, compute optimized instances provide better price-performance due to their higher clock speeds and optimized processor features.

112
MCQeasy

You use a customer managed AWS KMS key (CMK) to encrypt objects in an S3 bucket using SSE-KMS. A specific IAM role must be able to decrypt objects. Where should you grant kms:Decrypt permissions so that the role can decrypt data encrypted with that CMK?

A.In the KMS key policy, allowing kms:Decrypt (and any other required KMS permissions) for the role’s principal ARN.
B.Only in the S3 bucket policy by granting s3:GetObject, because S3 bucket policy controls decryption.
C.Only in the IAM role identity policy; the KMS key policy does not need changes for SSE-KMS.
D.By enabling S3 default encryption; KMS permissions are automatically granted to all IAM roles in the account.
AnswerA

With SSE-KMS, KMS decryption is authorized by KMS for the specific CMK. The CMK key policy is a primary authorization layer; if the key policy does not allow kms:Decrypt for the role (or a matching principal), S3 requests that require KMS decryption will fail even if the S3 or IAM identity policies allow s3:GetObject.

Why this answer

When using a customer managed KMS key (CMK) with SSE-KMS, the KMS key policy is the primary access control mechanism. To allow a specific IAM role to decrypt objects, you must grant kms:Decrypt (and typically kms:DescribeKey) in the key policy for that role's principal ARN. Without this explicit permission in the key policy, the role will be denied decryption even if it has s3:GetObject permissions, because KMS enforces its own authorization.

Exam trap

The trap here is that candidates assume S3 bucket policies or IAM identity policies alone are sufficient for decryption, forgetting that KMS enforces its own authorization layer and the key policy is the gatekeeper for all KMS operations.

How to eliminate wrong answers

Option B is wrong because S3 bucket policies control access to S3 operations (like s3:GetObject) but do not grant KMS permissions; decryption with SSE-KMS requires separate KMS authorization. Option C is wrong because an IAM role identity policy alone is insufficient if the KMS key policy does not grant access to the role; the key policy must explicitly allow the role (or the account) to use the key. Option D is wrong because enabling S3 default encryption does not automatically grant KMS permissions to IAM roles; KMS key policies and IAM policies must still be configured to allow decryption.

113
MCQmedium

Your AWS Organization uses a Service Control Policy (SCP) that includes a Deny statement for secretsmanager:GetSecretValue for all member accounts in the "Finance" OU when requests are made outside us-east-1. An application role has an IAM policy that allows secretsmanager:GetSecretValue for the required secret in us-west-2. In us-west-2, requests fail with AccessDenied. What is the most appropriate action?

A.Update the application role IAM policy to include us-west-2 in the resource ARN.
B.Create a permission boundary that removes the deny behavior for the member account.
C.Modify the SCP to allow secretsmanager:GetSecretValue in us-west-2 for the Finance OU (if that aligns with policy intent), or move the workload to us-east-1.
D.Use sts:AssumeRole into another account that is not in the Finance OU to bypass the SCP.
AnswerC

Because the SCP contains an explicit Deny based on region and OU, the correct remedy is to change the SCP conditions (or operate within the allowed region). SCP evaluation happens before, and independently of, IAM identity policies in the permission decision.

Why this answer

SCPs are deny-by-default and act as an outer boundary on all IAM policies in member accounts. Even if the application role's IAM policy allows secretsmanager:GetSecretValue in us-west-2, the SCP's explicit Deny for requests outside us-east-1 overrides that allow. The correct fix is either to modify the SCP to permit the action in us-west-2 (if that aligns with organizational intent) or to relocate the workload to us-east-1, because SCPs cannot be overridden by any IAM policy within the account.

Exam trap

The trap here is that candidates assume IAM policies alone control access and forget that SCPs act as a global deny filter that cannot be bypassed by any IAM-level configuration, leading them to incorrectly choose options that modify IAM policies or use cross-account roles.

How to eliminate wrong answers

Option A is wrong because the IAM policy already allows the action for the secret in us-west-2 (the resource ARN is not the issue); the failure is caused by the SCP's Deny, not a missing resource ARN. Option B is wrong because permission boundaries restrict the maximum permissions an IAM role can have, but they cannot override an SCP Deny; SCPs are evaluated before permission boundaries and a Deny in an SCP always takes precedence. Option D is wrong because assuming a role in another account does not bypass SCPs; the SCP applies to all principals in the member account, and the assumed role would still be subject to the SCP of the target account if it is also in the Finance OU, or the SCP of the source account if the trust policy is evaluated.

114
Multi-Selectmedium

A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.

Select 3 answers
A.Enable S3 Block Public Access on both the bucket and the AWS account.
B.Continue using object ACLs so each customer invoice can be made public briefly.
C.Configure Bucket owner enforced object ownership to disable ACLs.
D.Generate presigned URLs for customers to download specific invoices for a limited time.
E.Move the bucket to another AWS Region to isolate it from the internet.
AnswersA, C, D

Block Public Access prevents accidental public exposure through bucket policies, ACLs, and other public settings. It is a strong baseline control when the data must remain private.

Why this answer

Option A is correct because enabling S3 Block Public Access at both the bucket and account level ensures that no public access is granted to the bucket or its objects, which aligns with the requirement to keep the bucket private. This setting overrides any other permissions that might inadvertently allow public access, providing a strong security baseline.

Exam trap

The trap here is that candidates may think moving a bucket to a different region or making objects public briefly are valid solutions, but the exam tests the understanding that S3 Block Public Access and presigned URLs are the correct mechanisms for private, temporary access without ACLs.

115
MCQmedium

A web application for an order processing API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A.Security groups on the application instances
B.Network ACLs on the public subnets
C.AWS WAF associated with the Application Load Balancer
D.AWS Shield Advanced only
AnswerC

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS) attacks. By associating an AWS WAF web ACL with the Application Load Balancer, you can filter and monitor HTTP/HTTPS requests based on customizable rules, providing application-layer protection with minimal operational overhead since AWS manages the underlying infrastructure and rule updates.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups and network ACLs) with application-layer protection, assuming they can filter HTTP-level attacks, when in fact only AWS WAF can inspect and block SQL injection and XSS at the application layer.

How to eliminate wrong answers

Option A is wrong because security groups act as a virtual firewall at the instance level, controlling inbound and outbound traffic based on IP addresses and ports; they do not inspect application-layer payloads and cannot detect or block SQL injection or XSS attacks. Option B is wrong because network ACLs are stateless, subnet-level filters that evaluate traffic based on IP addresses, ports, and protocols; they lack the ability to parse HTTP request bodies or headers for malicious patterns. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric attacks but does not include application-layer filtering for SQL injection or XSS; it must be combined with AWS WAF for such threats.

116
MCQmedium

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A.Enable server access logging on the bucket
B.Enable S3 Transfer Acceleration
C.Create an IAM policy that denies s3:GetObject to anonymous users
D.Enable S3 Block Public Access at the account or bucket level
AnswerD

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option D is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects, regardless of bucket policies or object ACLs. When enabled at the account or bucket level, it blocks all public access settings, ensuring that even if a developer later adds an overly broad bucket policy, the objects remain inaccessible to anonymous users. This is essential for compliance with healthcare regulations like HIPAA, where data must never be publicly exposed.

Exam trap

The trap here is that candidates often think an IAM policy can block anonymous users, but IAM policies never apply to unauthenticated requests—only bucket policies and S3 Block Public Access can control anonymous access.

How to eliminate wrong answers

Option A is wrong because enabling server access logging only records requests made to the bucket; it does not prevent public access or enforce any security controls. Option B is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances using AWS edge locations; it has no impact on access permissions or public accessibility. Option C is wrong because an IAM policy that denies s3:GetObject to anonymous users is not effective—IAM policies apply only to authenticated IAM principals, not to anonymous (unauthenticated) users; anonymous access is controlled by bucket policies and ACLs, not IAM.

117
MCQmedium

A partner company needs read-only access to reports in an S3 bucket for an e-learning platform. The partner has its own AWS account. What is the most secure, scalable access pattern?

A.Copy the objects to a public website bucket
B.Create an IAM user in the company account and share the access keys
C.Create a bucket policy that grants the partner role least-privilege access to the required prefix
D.Make the objects public and rely on difficult-to-guess object names
AnswerC

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option C is correct because it uses a resource-based bucket policy that grants the partner's AWS account (via its root user or an IAM role) least-privilege read-only access to a specific prefix. This approach avoids sharing long-term credentials, leverages AWS's cross-account trust mechanism, and scales securely without managing additional IAM users.

Exam trap

The trap here is that candidates often choose Option B (sharing IAM user credentials) because it seems straightforward, but AWS recommends cross-account roles with bucket policies for secure, auditable, and scalable access without managing external users.

How to eliminate wrong answers

Option A is wrong because copying objects to a public website bucket removes all access control, exposing data to the internet and violating the principle of least privilege. Option B is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be rotated, can be leaked, and do not scale across multiple partner accounts. Option D is wrong because making objects public with difficult-to-guess names relies on security through obscurity, which is not a secure pattern—objects can be discovered via enumeration or leaks, and S3 does not enforce access control based on name complexity.

118
MCQmedium

A partner company needs read-only access to reports in an S3 bucket for a customer analytics portal. The partner has its own AWS account. What is the most secure, scalable access pattern?

A.Make the objects public and rely on difficult-to-guess object names
B.Create a bucket policy that grants the partner role least-privilege access to the required prefix
C.Copy the objects to a public website bucket
D.Create an IAM user in the company account and share the access keys
AnswerB

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option B is correct because a bucket policy that grants the partner's IAM role (from the partner's AWS account) least-privilege access to a specific prefix is the most secure and scalable pattern. This uses cross-account IAM roles, avoiding long-term credentials and allowing the partner to manage their own users and permissions. The bucket policy explicitly trusts the partner's AWS account, and the partner assumes the role to access only the required objects, following the principle of least privilege.

Exam trap

The trap here is that candidates often choose Option D (sharing IAM user access keys) because it seems straightforward, but the exam tests the understanding that cross-account IAM roles are more secure and scalable than sharing static credentials.

How to eliminate wrong answers

Option A is wrong because making objects public with difficult-to-guess names relies on security through obscurity, which is not a secure pattern; objects can be discovered via enumeration or accidental exposure, and it violates AWS's shared responsibility model. Option C is wrong because copying objects to a public website bucket exposes the data to the internet without any access control, which is insecure and does not scale for read-only access by a specific partner. Option D is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be rotated and managed, increasing the risk of leakage; it also does not scale across multiple partners and violates the principle of using IAM roles for cross-account access.

119
MCQmedium

Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?

A.Create IAM user access keys in account A and attach the UploadRole policy directly to those keys.
B.Update the trust policy on UploadRole (account B) to allow sts:AssumeRole from the app’s IAM role or principal in account A.
C.Add s3:PutObject permissions to the bucket policy in account B for all principals in account A.
D.Attach an SCP (service control policy) in AWS Organizations to deny sts:AssumeRole unless the caller uses an MFA device.
AnswerB

A cross-account role requires both an IAM permissions policy and a trust policy. The trust policy must allow the specific principal in account A to call sts:AssumeRole into account B’s role. With that trust in place, the app can obtain temporary credentials and then use the UploadRole permissions for s3:PutObject.

Why this answer

The app in account A needs to assume the UploadRole in account B to gain s3:PutObject permissions. Without a trust policy on UploadRole that allows sts:AssumeRole from the app's IAM principal in account A, the role cannot be assumed, resulting in AccessDenied. Updating the trust policy directly establishes the cross-account trust relationship with least privilege, as it grants only the necessary assume-role capability.

Exam trap

The trap here is that candidates often think bucket policies alone can solve cross-account access, but without a trust policy on the IAM role, the app cannot assume the role to obtain the required permissions.

How to eliminate wrong answers

Option A is wrong because creating IAM user access keys in account A and attaching the UploadRole policy directly to those keys violates least privilege (access keys are long-term credentials) and does not solve the cross-account trust issue—the policy is in account B and cannot be attached to account A keys. Option C is wrong because adding s3:PutObject permissions to the bucket policy in account B for all principals in account A is overly permissive (grants access to all principals in account A) and does not leverage the existing UploadRole, violating least privilege. Option D is wrong because attaching an SCP to deny sts:AssumeRole unless MFA is used would block the legitimate cross-account role assumption entirely, making the problem worse, and SCPs apply only within an organization, not to cross-account access between separate accounts.

120
MCQmedium

A public API for an image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used? The design must avoid adding custom operational scripts.

A.A VPC endpoint policy
B.API keys only
C.JWT authorizer configured for the OpenID Connect issuer
D.IAM authorization for all internet users
AnswerC

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option C is correct because the scenario requires standards-based token authentication from an external OpenID Connect (OIDC) provider, and API Gateway's JWT authorizer natively validates JWTs issued by OIDC providers without requiring custom code. This authorizer verifies the token's signature, expiry, and issuer against the OIDC discovery endpoint, meeting the requirement to avoid custom operational scripts.

Exam trap

The trap here is that candidates often confuse API keys (simple identification) with token-based authentication (JWT/OIDC), or incorrectly assume IAM authorization can be used for external identity federation without custom Lambda authorizers or STS-based token exchange.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication for internet clients using OIDC tokens. Option B is wrong because API keys only provide simple identification and throttling, not authentication or authorization based on standards-based tokens from an external OIDC provider. Option D is wrong because IAM authorization is designed for AWS-authenticated principals (e.g., IAM users/roles), not for internet users presenting tokens from an external OIDC provider, and it would require custom scripts to map OIDC tokens to IAM roles.

121
MCQeasy

A production application stores critical data on an Amazon EBS volume. The team wants a simple backup method that allows the volume to be restored later if the server is lost. What should they use?

A.Amazon S3 bucket versioning
B.Amazon EBS snapshots
C.AWS Security Hub
D.Amazon CloudFront invalidations
AnswerB

EBS snapshots are the native backup mechanism for EBS volumes. They capture point-in-time copies that can later be used to create a new volume, making them a simple and reliable way to restore data after a server or volume loss. Snapshots are incremental, so repeated backups are efficient and suitable for ongoing protection.

Why this answer

Amazon EBS snapshots are the correct choice because they provide a simple, incremental backup method for EBS volumes. Snapshots capture the data on the volume at a specific point in time and are stored in Amazon S3, allowing the volume to be restored to a new EC2 instance if the original server is lost. This directly meets the requirement for a backup that enables restoration after server failure.

Exam trap

The trap here is that candidates might confuse EBS snapshots with S3 versioning, thinking that S3 can directly back up EBS volumes, but EBS snapshots are the native, designed service for this purpose.

How to eliminate wrong answers

Option A is wrong because Amazon S3 bucket versioning is designed to protect objects within an S3 bucket by preserving, retrieving, and restoring previous versions, not for backing up EBS volumes attached to EC2 instances. Option C is wrong because AWS Security Hub is a security posture management service that aggregates and prioritizes security findings from various AWS services, not a backup or restore mechanism for EBS volumes. Option D is wrong because Amazon CloudFront invalidations are used to remove cached content from CloudFront edge locations, not for backing up or restoring EBS volumes.

122
MCQmedium

A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written. They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review. Which CloudTrail configuration change most directly provides the missing object-level visibility?

A.Enable CloudTrail data events for the specific S3 bucket so that GetObject and PutObject operations are logged at the object level.
B.Enable AWS Config delivery to a separate bucket and create a rule to detect noncompliant S3 policies; this will automatically generate GetObject logs.
C.Turn on VPC Flow Logs for the VPC hosting the S3 gateway endpoint, because network logs show S3 object read and write details.
D.Add an S3 bucket policy that denies all GetObject requests unless the caller uses TLS; the denial events will create investigation logs automatically.
AnswerA

CloudTrail management events cover control-plane activity (bucket creation, policy changes) and never include per-object operations, so a trail that logs only management events gives no view of reads or writes. Enabling S3 data events (object-level logging) causes CloudTrail to record events like GetObject and PutObject for the targeted bucket and prefixes, which directly addresses the missing visibility. Scope the selector to the bucket, and with advanced event selectors to the eventName values you care about, because data events are billed per event and a broad selector can produce far more log volume than the management trail. Logging starts only from the moment the selector is added, so it will not explain the access that prompted the investigation; for past reads, S3 server access logs are the only other source, and only if they were already enabled.

Why this answer

CloudTrail management events do not include object-level operations like GetObject or PutObject. By enabling CloudTrail data events for the specific S3 bucket, you capture object-level read (GetObject) and write (PutObject) API calls, including those for encrypted objects, providing the missing visibility for detective controls.

Exam trap

The trap here is that candidates confuse management events (which log bucket-level operations like CreateBucket) with data events (which log object-level operations like GetObject), assuming management events cover all S3 activity.

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resource compliance and can detect noncompliant policies, but it does not generate GetObject logs; it only records configuration changes and compliance states, not data access events. Option C is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log S3 object-level API operations like GetObject or PutObject; they lack application-layer details. Option D is wrong because adding a bucket policy to deny requests without TLS would only generate denial events for non-TLS requests, not log all GetObject or PutObject operations; it is a preventive control, not a detective one, and does not provide comprehensive object-level visibility.
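
The triage logic below is an added example, not part of the original question set. It splits a handful of constructed CloudTrail records (invented principals, bucket names and IPs, following the CloudTrail record format) into management and data events, then applies the kind of heuristic an investigator would run once data events are flowing: who read the most objects from the bucket, and which writes S3 reports as SSE-KMS. The additionalEventData.SSEApplied field and the record layout are assumptions for this sample; check them against your own trail before relying on them.

```python
"""Triage S3 CloudTrail records: separate management events from object-level
data events, then apply a simple exfiltration heuristic over the data events."""
from collections import Counter

# Constructed sample records with invented values (not real log data). Field
# names follow the CloudTrail record format: eventCategory distinguishes
# "Management" from "Data" events, and additionalEventData.SSEApplied is the
# server-side encryption S3 reports for a PutObject.
BATCH = "arn:aws:sts::111122223333:assumed-role/BatchJob/i-0abc1234"
ANALYST = "arn:aws:sts::111122223333:assumed-role/ReportReader/alice"
UPLOADER = "arn:aws:sts::111122223333:assumed-role/ExportWriter/etl"


def _rec(category, name, arn, bucket, key=None, sse=None, ip="10.0.1.25"):
    """Build one constructed CloudTrail-shaped record."""
    rec = {"eventCategory": category, "eventSource": "s3.amazonaws.com",
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn},
           "requestParameters": {"bucketName": bucket}}
    if key is not None:
        rec["requestParameters"]["key"] = key
    if sse is not None:
        rec["additionalEventData"] = {"SSEApplied": sse}
    return rec


SAMPLE_EVENTS = [
    _rec("Management", "PutBucketPolicy", "arn:aws:iam::111122223333:role/Admin",
         "finance-exports", ip="203.0.113.10"),
    _rec("Data", "GetObject", ANALYST, "finance-exports", "q1/summary.csv"),
    _rec("Data", "GetObject", BATCH, "finance-exports", "q1/ledger-001.csv", ip="198.51.100.7"),
    _rec("Data", "GetObject", BATCH, "finance-exports", "q1/ledger-002.csv", ip="198.51.100.7"),
    _rec("Data", "GetObject", BATCH, "finance-exports", "q1/ledger-003.csv", ip="198.51.100.7"),
    _rec("Data", "PutObject", UPLOADER, "finance-exports", "q2/forecast.csv", sse="SSE_KMS"),
    _rec("Data", "PutObject", UPLOADER, "finance-exports", "q2/readme.txt", sse="SSE_S3"),
]


def split_by_category(events):
    """Return (management, data). A trail without S3 data events enabled only
    ever delivers the first list, which is the visibility gap in the question."""
    mgmt = [e for e in events if e.get("eventCategory") == "Management"]
    data = [e for e in events if e.get("eventCategory") == "Data"]
    return mgmt, data


def object_reads_by_principal(events, bucket):
    """Count GetObject calls against `bucket` per calling principal ARN."""
    counts = Counter()
    for e in events:
        if e.get("eventName") != "GetObject":
            continue
        if e.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        counts[e["userIdentity"]["arn"]] += 1
    return counts


def bulk_readers(events, bucket, threshold):
    """Principals whose GetObject count on `bucket` reaches `threshold`."""
    reads = object_reads_by_principal(events, bucket)
    return sorted(p for p, n in reads.items() if n >= threshold)


def kms_encrypted_writes(events, bucket):
    """Object keys written to `bucket` where S3 reports it applied SSE-KMS."""
    return sorted(
        e["requestParameters"]["key"] for e in events
        if e.get("eventName") == "PutObject"
        and e.get("requestParameters", {}).get("bucketName") == bucket
        and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_KMS"
    )


if __name__ == "__main__":
    mgmt, data = split_by_category(SAMPLE_EVENTS)
    print(f"management events: {len(mgmt)}, data events: {len(data)}")
    print("bulk readers:", bulk_readers(SAMPLE_EVENTS, "finance-exports", 3))
    print("SSE-KMS writes:", kms_encrypted_writes(SAMPLE_EVENTS, "finance-exports"))
```

Run against a real trail by loading the JSON records from the delivery bucket in place of SAMPLE_EVENTS; the heuristic is deliberately simple (a count per principal) because the point is that none of it is computable until data events exist in the log.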

123
MCQmedium

A high-frequency trading analytics service runs on several EC2 instances in the same Availability Zone. The application exchanges small messages between nodes and is sensitive to microsecond-level network latency. Which design best meets the requirement?

A.Place the instances in a cluster placement group in one Availability Zone.
B.Place the instances in a spread placement group across multiple Availability Zones.
C.Place the instances in a partition placement group within one Availability Zone.
D.Deploy the instances behind an Application Load Balancer in multiple Availability Zones.
AnswerA

A cluster placement group places instances physically close together within one Availability Zone, which improves network throughput and reduces latency between nodes. That is the right fit for tightly coupled workloads that exchange frequent small messages and need the lowest possible east-west latency. It also keeps the design simple because the application already runs in a single AZ.

Why this answer

A cluster placement group is designed for low-latency, high-throughput scenarios: it packs instances onto closely connected hardware in a single Availability Zone with non-blocking, non-oversubscribed, full-bisection bandwidth, giving the lowest node-to-node latency EC2 offers. That meets the requirement for latency-sensitive inter-node messaging in high-frequency trading. Launch all members in a single launch request with enhanced networking enabled; adding instances to a running cluster group later can fail with an insufficient-capacity error.

Exam trap

The trap here is that candidates confuse 'fault isolation' (spread/partition groups) with 'performance optimization' (cluster groups), or assume a load balancer can reduce latency when it actually adds overhead.

How to eliminate wrong answers

Option B is wrong because a spread placement group puts each instance on distinct underlying hardware, and this option spans multiple Availability Zones, which adds cross-AZ latency (and data transfer charges); it is built for fault isolation, not for microsecond-sensitive traffic. Option C is wrong because a partition placement group isolates instances into logical partitions on separate racks (for large distributed systems like HDFS or Cassandra) and does not optimize for the lowest possible latency between all nodes; it focuses on fault isolation, not microsecond-level performance. Option D is wrong because an Application Load Balancer operates at Layer 7 (HTTP/HTTPS) and introduces millisecond-scale latency, which is incompatible with microsecond-level inter-node messaging; it also does not address direct node-to-node communication.

124
MCQhard

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

A.Add a permission boundary to the developer role that points to ApprovedAppBoundary.
B.Add an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless the request specifies the ApprovedAppBoundary ARN.
C.Use an S3 bucket policy to block policy documents that grant AdministratorAccess.
D.Require team members to use STS session policies when they create new roles.
AnswerB

An SCP can enforce organization-wide guardrails so roles cannot be created without the required boundary.

Why this answer

Option B is correct because a service control policy (SCP) attached at the organization root, at the member account's OU, or to the account denies iam:CreateRole and iam:PutRolePermissionsBoundary unless the request's iam:PermissionsBoundary condition key matches the ApprovedAppBoundary ARN. This blocks any role creation or modification that would bypass the boundary, even if the developer has full IAM permissions in the account: SCPs set the maximum permissions for every IAM principal in a member account, including the account's root user (they do not apply to the management account or to service-linked roles). A complete guardrail also denies iam:DeleteRolePermissionsBoundary and denies changes to the boundary policy itself (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion and iam:DeletePolicy on its ARN); otherwise a developer could simply remove or loosen the boundary after creating the role.

Exam trap

The trap here is that candidates assume an IAM permission boundary on the developer role is sufficient, but SCPs are the only way to enforce a mandatory boundary across all principals in an account, including those with full administrative access.

How to eliminate wrong answers

Option A is wrong because adding a permission boundary to the developer role only restricts that specific role's actions, but a developer with broad IAM permissions could still create a new role without a boundary or with a different boundary, bypassing the restriction. Option C is wrong because an S3 bucket policy controls access to S3 resources, not IAM role creation or permissions boundaries; it cannot enforce IAM policies across the account. Option D is wrong because requiring STS session policies does not prevent a developer from creating a role without a permissions boundary; session policies only apply to temporary credentials and do not restrict the role creation action itself.

125
MCQeasy

You manage multiple AWS accounts under AWS Organizations. A compliance requirement states: no account is allowed to create new IAM access keys for IAM users. Local administrators may attempt to override permissions. Which mechanism should you use to enforce this guardrail across all accounts?

A.An IAM permissions policy attached to a role that only your security team uses
B.An Organizations service control policy (SCP) that explicitly denies CreateAccessKey
C.A KMS key policy that blocks key creation and reuse
D.A permission boundary on a single IAM role
AnswerB

SCPs provide guardrails that apply to all principals in member accounts. By explicitly denying the IAM action at the organization level, you can prevent access key creation even if local IAM policies would otherwise allow it.

Why this answer

An SCP is the correct mechanism because it is attached at the organization root, at an OU, or to an account and sets a ceiling that no IAM principal in a member account can override, including account administrators and the account root user (the management account itself is not affected by SCPs, so keep it free of workloads). By explicitly denying the `iam:CreateAccessKey` action, the SCP ensures that no principal in any member account can create new access keys, meeting the compliance requirement. Because SCPs never grant permissions, the deny holds regardless of what local IAM policies allow.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permission boundaries or think that a restrictive IAM policy on a single role can enforce a global guardrail, but only SCPs provide an organization-wide control over all principals in member accounts that local administrators cannot override.

How to eliminate wrong answers

Option A is wrong because an IAM permissions policy attached to a role used only by the security team does not prevent local administrators from creating access keys; it only restricts what that specific role can do, and local admins with full permissions can still create keys. Option C is wrong because KMS key policies control access to encryption keys, not IAM access keys; they have no effect on the `iam:CreateAccessKey` API action. Option D is wrong because a permission boundary limits the maximum permissions for a single IAM role but does not apply to all users or accounts, and it can be overridden by an account admin who can modify the boundary or create new roles without it.
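
The script below is an added example for questions 124 and 125, not a policy from the original page. It writes one SCP that carries both guardrails (roles must be created with the approved boundary and must keep it; no new access keys) and then evaluates sample IAM requests against it using the part of IAM condition semantics the guardrail depends on. The policy, the account IDs and the request contexts are constructed for the example. The boundary ARN uses a wildcard account ID with ArnNotLike because a customer managed policy's ARN embeds the account that owns it, so each member account holds its own copy of ApprovedAppBoundary.

```python
"""Evaluate guardrail SCPs against sample IAM requests, modelling the subset of
IAM condition semantics the guardrails rely on (including missing-key rules)."""
from fnmatch import fnmatchcase

# Constructed SCP for this example. The wildcard in the boundary ARN's account
# field lets one SCP cover every member account's own copy of the boundary.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireApprovedBoundaryOnRoles",
            "Effect": "Deny",
            "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "iam:PermissionsBoundary": "arn:aws:iam::*:policy/ApprovedAppBoundary"
                }
            },
        },
        {
            "Sid": "KeepBoundaryAttached",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary"],
            "Resource": "*",
        },
        {
            "Sid": "NoNewAccessKeys",
            "Effect": "Deny",
            "Action": ["iam:CreateAccessKey"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """True when every key under every operator is satisfied.

    Negated operators (the ...Not... forms) are satisfied by a missing key;
    positive operators are not. That asymmetry is what makes the boundary
    statement deny a CreateRole call that sends no PermissionsBoundary at all.
    """
    for operator, pairs in condition.items():
        negated = "Not" in operator
        base = operator.replace("Not", "")
        for key, patterns in pairs.items():
            patterns = _as_list(patterns)
            if key not in context:
                if not negated:
                    return False
                continue
            actual = context[key]
            if base in ("StringEquals", "ArnEquals"):
                matched = actual in patterns
            elif base in ("StringLike", "ArnLike"):
                matched = any(fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if matched == negated:
                return False
    return True


def scp_denies(policy, action, context):
    """True if any Deny statement in `policy` matches `action` under `context`.

    Only the deny side is modelled: SCPs never grant anything, so a False result
    still leaves the request subject to the principal's IAM policies. Action
    names compare case-insensitively with the usual '*' wildcard.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement["Action"])):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    approved = "arn:aws:iam::111122223333:policy/ApprovedAppBoundary"
    for act, ctx in [("iam:CreateRole", {"iam:PermissionsBoundary": approved}),
                     ("iam:CreateRole", {}),
                     ("iam:CreateAccessKey", {})]:
        verdict = "DENY" if scp_denies(GUARDRAIL_SCP, act, ctx) else "not denied by SCP"
        print(f"{act} {ctx} -> {verdict}")
```

The case worth remembering is the empty context: a developer who calls CreateRole with no boundary at all sends no iam:PermissionsBoundary key, and a negated operator on an absent key evaluates true, so the Deny still fires. Had the statement used a positive operator with a Deny, that call would have slipped through.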

126
MCQeasy

A microservice needs to read exactly one secret value from AWS Secrets Manager. Which IAM permission statement provides the best least-privilege approach to allow the microservice to retrieve that secret value?

A.Allow secretsmanager:GetSecretValue on all secrets using Resource: "*"
B.Allow secretsmanager:GetSecretValue only on the specific secret ARN required by the service
C.Allow secretsmanager:* on the secret name prefix using a wildcard pattern
D.Allow secretsmanager:GetSecretValue on the AWS account root ARN
AnswerB

Restricting the Resource to the exact Secrets Manager secret ARN limits retrieval to only that secret. This minimizes exposure and follows least-privilege practices. A secret's ARN ends in six random characters appended to its name (for example ...:secret:prod/db-creds-AbCdEf), so either copy the full ARN or end the Resource with -?????? so it matches that name and nothing else; a trailing * would also match any secret whose name merely starts with the same string. If the secret is encrypted with a customer-managed KMS key, the role additionally needs kms:Decrypt on that key for the ciphertext, but the Secrets Manager permission itself should still be scoped tightly.

Why this answer

Option B is correct because it grants the minimum necessary permission—secretsmanager:GetSecretValue—scoped to the exact Amazon Resource Name (ARN) of the secret the microservice needs. This follows the AWS least-privilege principle by restricting access to a single action on a single resource, preventing the microservice from reading other secrets even if compromised.

Exam trap

The trap here is that candidates often choose a broad wildcard or 'all resources' permission (Option A or C) thinking it simplifies management, but the SAA-C03 exam consistently tests the principle of least privilege by requiring the most restrictive resource and action scope.

How to eliminate wrong answers

Option A is wrong because using Resource: '*' allows the microservice to retrieve any secret in the account, violating least privilege by granting broad read access. Option C is wrong because allowing secretsmanager:* on a wildcard prefix grants all Secrets Manager actions (including rotation, deletion, and tagging) on multiple secrets, far exceeding the single read requirement. Option D is wrong because the AWS account root ARN is not a valid resource ARN for Secrets Manager; secrets are identified by their own ARNs, not the root account ARN.

127
MCQeasy

A Lambda function processes CPU-heavy JSON transformations and often runs slower than expected. The team wants to improve performance without changing the code. What should they try first?

A.Increase the Lambda memory setting
B.Move the function to Amazon S3
C.Change the function to an ALB target
D.Disable CloudWatch logging
AnswerA

Increasing memory also gives Lambda more CPU, which often improves performance for CPU-bound functions.

Why this answer

Increasing the memory setting is the only performance knob a Lambda function has: CPU is allocated in proportion to configured memory (a function gets a full vCPU at 1,769 MB and additional vCPUs as memory rises toward the 10,240 MB maximum). For CPU-heavy JSON transformations this directly reduces execution time without any code change, so it is the simplest first step; a few timed test invocations at different memory sizes (or the AWS Lambda Power Tuning tool) show where extra memory stops shortening the run and starts only adding cost.

Exam trap

The trap here is that candidates assume performance issues must be solved by code optimization or architectural changes, overlooking that Lambda's memory setting directly controls CPU power, making it the simplest fix for CPU-bound functions.

How to eliminate wrong answers

Option B is wrong because Amazon S3 is an object storage service, not a compute environment; moving a Lambda function to S3 is impossible and reflects a misunderstanding of service boundaries. Option C is wrong because changing the function to an ALB target does not alter its CPU or memory allocation; ALB merely routes HTTP requests to the Lambda, offering no performance improvement for CPU-bound tasks. Option D is wrong because disabling CloudWatch logging does not free up CPU resources; Lambda execution and logging are asynchronous, and logging overhead is negligible compared to CPU-intensive processing.

128
MCQmedium

Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS. What is the most secure and correct change to allow cross-account uploads to succeed?

A.In Company A's KMS key policy, allow Company B's partner role principal to use the key for kms:Encrypt, kms:GenerateDataKey, and kms:DescribeKey, and also add a matching IAM policy in Company B that grants the partner role those same KMS actions on Company A's key ARN, constrained to the target S3 bucket context when possible.
B.In Company B's IAM policy, allow kms:Encrypt on Company A's KMS key ARN, without changing Company A's key policy.
C.Create a new KMS key in Company B and configure Company A's S3 bucket to use that key for SSE-KMS.
D.Disable key policy restrictions by setting the KMS key to enabled and removing all policy statements so that encryption automatically works for any principal.
AnswerA

Cross-account SSE-KMS requires both the KMS key policy in the key owner account and an IAM policy in the caller account to allow the required KMS actions. Scoping the permissions to the specific bucket or encryption context reduces blast radius.

Why this answer

Option A is correct because cross-account SSE-KMS uploads require both the KMS key policy in Company A to explicitly grant the partner role principal the necessary KMS actions (kms:Encrypt, kms:GenerateDataKey, kms:DescribeKey) and an IAM policy in Company B that allows the partner role to call those actions on Company A's key ARN. The bucket policy cannot authorize KMS operations; the key policy is the primary access control for a customer-managed key, and without a key policy grant the partner role's IAM permissions are insufficient. Note that S3 actually calls kms:GenerateDataKey on the uploader's behalf for every SSE-KMS PutObject, so granting kms:Encrypt alone would still fail. Constraining the grant to the target bucket (a kms:ViaService condition of s3.<region>.amazonaws.com, plus a kms:EncryptionContext:aws:s3:arn condition matching the bucket ARN when S3 Bucket Keys are enabled, or the bucket's object ARN pattern when they are not) limits the key's use to that bucket.

Exam trap

The trap here is that candidates assume an IAM policy in the partner account is sufficient for cross-account KMS access, overlooking that KMS key policies are the mandatory gatekeeper for external principals, and that the key policy must explicitly grant the external role.

How to eliminate wrong answers

Option B is wrong because KMS key policies are the authoritative access control for customer-managed keys; without a key policy grant to Company B's role, Company B's IAM policy alone cannot authorize KMS actions on Company A's key, even if the IAM policy allows it. Option C is wrong because S3 bucket SSE-KMS encryption is configured per object or bucket default; Company A's bucket is already set to use Company A's KMS key, and using a different key from Company B would break the existing encryption setup and likely cause decryption failures for Company A. Option D is wrong because removing all policy statements from a KMS key effectively denies all principals (including the key's AWS account) from using the key, making encryption impossible for anyone; KMS requires an explicit allow in the key policy for any principal to use the key.

129
Multi-Selecthard

A e-learning platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Select 2 answers
A.Enable CloudFront standard logging
B.Configure Origin Access Control for the S3 origin
C.Enable S3 static website hosting
D.Use an S3 bucket policy that allows access only from the CloudFront distribution
AnswersB, D

Origin Access Control allows CloudFront to securely access a private S3 bucket.

Why this answer

Origin Access Control (OAC) is the recommended way to restrict an S3 origin so that it accepts requests only from a specific CloudFront distribution. With OAC, CloudFront signs each origin request with SigV4 as the cloudfront.amazonaws.com service principal; the bucket policy grants s3:GetObject to that service principal only when the AWS:SourceArn condition equals the distribution's ARN, and S3 Block Public Access stays on so there is no other path to the objects. The two settings together force every read through CloudFront, where WAF rules, geo restriction and signed URLs can be applied. OAC also works with SSE-KMS objects, which the older origin access identity (OAI) does not.

Exam trap

The trap here is that candidates often think enabling logging or static website hosting somehow restricts access, when in fact only a properly configured bucket policy combined with OAC (or OAI) can enforce that all traffic goes through CloudFront.

130
MCQmedium

A legacy market-data service runs on EC2 and exposes a custom TCP protocol. Clients must connect over TCP with very low latency, and the team wants static IP addresses at the load-balancing layer. Which AWS service is the best fit?

A.Application Load Balancer, because it provides advanced routing for all protocols.
B.Network Load Balancer, because it supports TCP, static IPs, and very low latency.
C.Amazon API Gateway, because it can front any network protocol with throttling.
D.Amazon CloudFront, because it can route traffic to EC2 instances at the edge.
AnswerB

A Network Load Balancer is the best fit for a custom TCP service that needs extremely low latency and static IP addresses. NLB operates at Layer 4, preserves high throughput, and is commonly used when protocol simplicity and performance matter more than application-layer routing features. It matches the workload's network requirements without adding unnecessary HTTP-specific behavior.

Why this answer

The Network Load Balancer (NLB) operates at Layer 4, supports TCP traffic natively, provides static IP addresses per Availability Zone, and delivers very low latency by processing packets without inspecting application-layer headers. This makes it the ideal choice for a legacy market-data service that requires a custom TCP protocol and fixed IPs at the load-balancing layer.

Exam trap

The trap here is that candidates often confuse the ALB's 'advanced routing' capabilities with support for all protocols, but ALB is strictly Layer 7 and cannot handle raw TCP or custom protocols, making NLB the only correct choice for TCP with static IPs and low latency.

How to eliminate wrong answers

Option A is wrong because the Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS/gRPC) and cannot handle raw TCP or custom TCP protocols; it terminates the client connection and routes on HTTP-level attributes. Option C is wrong because Amazon API Gateway fronts REST, HTTP and WebSocket APIs only; it cannot proxy an arbitrary TCP protocol. Option D is wrong because Amazon CloudFront is an HTTP/HTTPS content delivery network; it cannot forward raw TCP traffic or give the load-balancing layer static IP addresses (AWS Global Accelerator can add static anycast IPs in front of an NLB, but as a complement to the NLB, not a replacement).

131
MCQeasy

A database administrator wants a regular backup of an Amazon RDS database so the team can restore to a recent point in time if needed. Which AWS feature should they use?

A.RDS automated backups and snapshots
B.Amazon Route 53 alias records
C.Security groups
D.AWS WAF rules
AnswerA

RDS automated backups and snapshots provide point-in-time recovery capability for the database.

Why this answer

Amazon RDS automated backups and snapshots provide the ability to restore a database to any point within the backup retention period (up to 35 days). Automated backups include transaction logs for point-in-time recovery, while manual snapshots are user-initiated backups stored until explicitly deleted. This directly meets the requirement for regular backups and point-in-time restore capability.

Exam trap

The trap here is that candidates may confuse security groups or WAF rules with backup mechanisms because they are common security services, but they have no role in data persistence or recovery.

How to eliminate wrong answers

Option B is wrong because Amazon Route 53 alias records are a DNS routing feature used to map domain names to AWS resources, not a backup mechanism. Option C is wrong because security groups act as virtual firewalls controlling inbound and outbound traffic to RDS instances; they do not perform backups. Option D is wrong because AWS WAF rules filter and monitor HTTP/HTTPS requests to protect web applications from common exploits; they have no role in database backup or restore operations.

132
MCQmedium

An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports. Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports. What is the most likely reason the traffic fails, and what should be updated?

A.NACLs are stateless, so you must update the NACL to allow the return (outbound) ephemeral port range; security groups alone cannot override a blocked NACL.
B.NACLs are stateful and automatically track connections; the fix is to add a new inbound rule to the security group for client source ports.
C.The issue is caused by ALB health checks; configure a new target group health check on port 80 so traffic can be routed.
D.Because instances are in private subnets, add a NAT gateway so return traffic can reach the internet over dynamic routing.
AnswerA

Stateless NACLs require both inbound and outbound rules. Missing outbound for ephemeral ports will block return traffic even if SG rules are correct.

Why this answer

Network ACLs are stateless: a rule that allows the inbound request does nothing for the reply. The security group, being stateful, lets the response leave the instance because it belongs to a connection the group already admitted, but the packet is then checked against the subnet NACL's outbound rules on its way out, and with no outbound allow for the ALB's ephemeral source port range (1024-65535 for Elastic Load Balancing; 32768-65535 for most Linux clients) it falls through to the implicit deny rule. The TCP handshake from the ALB never completes and the client times out. Add an outbound allow for TCP 1024-65535 toward the ALB subnets' CIDR (or the VPC CIDR), numbered so that no lower-numbered deny matches first, since NACL rules are evaluated in ascending rule-number order and the first match wins.

Exam trap

The trap here is that candidates assume security groups alone handle all traffic filtering, forgetting that NACLs are stateless and require explicit outbound rules for return traffic, especially for ephemeral ports.

How to eliminate wrong answers

Option B is wrong because NACLs are stateless, not stateful; they do not automatically track connections, so adding an inbound rule to the security group does not fix the missing outbound NACL rule. Option C is wrong because the issue is not related to ALB health checks; health checks use the same traffic path and would also fail due to the NACL, and changing the health check port does not address the stateless NACL problem. Option D is wrong because the instances are in private subnets behind an ALB, and return traffic to the ALB does not require a NAT gateway; the ALB and instances communicate within the VPC, and the failure is due to NACL rules, not internet routing.
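
The simulation below is an added example, not part of the original question; the rule sets, the ALB address and the ephemeral port are constructed. It evaluates a single ALB-to-target HTTPS connection packet by packet through a subnet NACL, with the ordering and implicit-deny behaviour of a real NACL, and shows the flow failing with the rule set from the question and succeeding once the outbound ephemeral-port rule is added.

```python
"""Simulate an ALB -> target HTTPS flow through a stateless network ACL to show
why a missing outbound ephemeral-port rule breaks the connection."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class NaclRule:
    number: int     # rules are evaluated in ascending number; first match wins
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    port_from: int  # destination port range of the packet in this direction
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    action: str     # "allow" or "deny"


def nacl_verdict(rules, protocol, dst_port, peer_ip):
    """Apply one direction of an NACL to a single packet. Anything no rule
    matches falls through to the implicit '*' rule, which denies."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def https_flow_allowed(inbound, outbound, alb_ip="10.0.0.50", alb_src_port=51234):
    """True if both the request and its reply pass the target subnet's NACL.

    The request arrives from the ALB's ephemeral source port to TCP 443; the
    reply leaves the instance from port 443 back to that ephemeral port. The
    security group is stateful and already admitted the connection, so only the
    NACL can stop the reply.
    """
    request_ok = nacl_verdict(inbound, "tcp", 443, alb_ip) == "allow"
    reply_ok = nacl_verdict(outbound, "tcp", alb_src_port, alb_ip) == "allow"
    return request_ok and reply_ok


# Constructed rule sets for a target subnet whose ALB lives in 10.0.0.0/16.
INBOUND = [NaclRule(100, "tcp", 443, 443, "10.0.0.0/16", "allow")]
# The mistake from the question: outbound mirrors the inbound rule instead of
# covering the reply's destination port, which is the ALB's ephemeral port.
OUTBOUND_BROKEN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fix: allow the load balancer's ephemeral range (1024-65535) back to its subnets.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [NaclRule(110, "tcp", 1024, 65535, "10.0.0.0/16", "allow")]


if __name__ == "__main__":
    print("broken outbound:", https_flow_allowed(INBOUND, OUTBOUND_BROKEN))  # False
    print("fixed outbound: ", https_flow_allowed(INBOUND, OUTBOUND_FIXED))   # True
```

Because the model orders rules by number before matching, it also demonstrates the second trap in NACL debugging: a lower-numbered deny that overlaps the port or CIDR wins over a later allow, so the fix rule must sit below any deny that could catch the same packet.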

133
MCQhard

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

A.Use the S3 gateway VPC endpoint and keep the bucket policy that denies requests unless aws:SourceVpce matches the approved endpoint.
B.Use an interface VPC endpoint for S3 only, because gateway endpoints cannot be used with bucket policies.
C.Add a NAT gateway and remove the bucket policy condition because the NAT route will automatically secure the S3 traffic.
D.Move the bucket policy restriction to a security group attached to the S3 bucket so only the VPC endpoint can reach it.
AnswerA

For S3, a gateway VPC endpoint is the correct private-connectivity option for EC2 instances in private subnets. The route table sends S3 prefix-list traffic to the gateway endpoint, so requests stay on the AWS network instead of traversing a NAT gateway or the public internet. The bucket policy condition on aws:SourceVpce then ensures that even valid AWS-authenticated requests are accepted only when they arrive through the approved endpoint ID. Write that statement carefully: a Deny with StringNotEquals on aws:SourceVpce also blocks every request that never touches the endpoint, including administrators working in the console and any AWS service that writes to the bucket on your behalf, so exclude the break-glass and management roles with an aws:PrincipalArn condition before applying it, and verify with one read from inside the VPC and one from outside.

Why this answer

Option A is correct because an S3 gateway VPC endpoint allows EC2 instances in private subnets to access S3 without traversing the internet or requiring a NAT gateway. By adding a bucket policy condition that denies access unless `aws:SourceVpce` matches the approved VPC endpoint ID, you ensure that only requests originating from that specific endpoint are allowed, meeting the security requirement.

Exam trap

The trap here is that candidates often confuse gateway endpoints with interface endpoints, assuming gateway endpoints cannot enforce bucket policies, or they mistakenly think security groups can be applied to S3 buckets, leading them to choose option D.

How to eliminate wrong answers

Option B is wrong because gateway endpoints for S3 can absolutely be used with bucket policies; in fact, the `aws:SourceVpce` condition is specifically designed for gateway endpoints. Option C is wrong because adding a NAT gateway would route traffic through the internet, which is unnecessary and violates the requirement to avoid using a NAT gateway; also, removing the bucket policy condition would leave the bucket open to any request, not just those through the VPC endpoint. Option D is wrong because S3 buckets do not support security groups; security groups are network-level constructs for EC2 instances and cannot be attached to S3 buckets.

134
Multi-Selecthard

A company operates 40 AWS accounts and wants chargeback by application, environment, and business unit. Finance needs detailed line items, and engineering wants consistent monthly reports without manual spreadsheet work. The current tagging scheme is inconsistent, and many resources are missing billing metadata. Which three actions should the architect recommend? Select three.

Select 3 answers
A.Standardize cost allocation tags such as Application, Environment, and BusinessUnit.
B.Activate the approved tags as cost allocation tags in the billing console.
C.Enable the AWS Cost and Usage Report and store it in S3 for Athena queries.
D.Use AWS Budgets alone because it provides the most detailed line-item attribution.
E.Rely only on the Cost Explorer console for chargeback accuracy.
AnswersA, B, C

Consistent tags are the foundation of chargeback because they let costs be grouped accurately by the business dimensions finance cares about.

Why this answer

Option A is correct because standardizing cost allocation tags like Application, Environment, and BusinessUnit ensures consistent metadata across all 40 accounts. This is a prerequisite for accurate chargeback, as AWS Cost Allocation Tags allow you to group resources by these dimensions for detailed billing reports.

Exam trap

The trap here is that candidates may think AWS Budgets or Cost Explorer alone can provide detailed chargeback data, but neither offers the raw line-item granularity and queryability that the CUR with Athena provides for automated reporting.

135
MCQeasy

An order-processing application becomes slow when traffic spikes. The frontend should stay responsive even if downstream workers are temporarily overloaded. What should the team add to the design?

A.Amazon SQS queue between the frontend and the workers
B.A larger NAT Gateway
C.A single bigger EC2 instance for the worker
D.An Amazon Route 53 health check on the frontend
AnswerA

SQS buffers work so the frontend can respond quickly while workers process messages at their own pace. It smooths spikes and supports retries when processing is delayed.

Why this answer

Adding an Amazon SQS queue between the frontend and the workers decouples the components, allowing the frontend to remain responsive by immediately offloading requests to the queue even when downstream workers are overloaded. The workers can then process messages at their own pace, and the queue acts as a buffer to absorb traffic spikes without blocking the frontend.

Exam trap

The trap here is that candidates often confuse scaling solutions (like larger instances or NAT Gateways) with decoupling patterns, failing to recognize that asynchronous message queuing is the correct approach to keep the frontend responsive under load.

How to eliminate wrong answers

Option B is wrong because a larger NAT Gateway only increases the network throughput for outbound traffic from private subnets, but does not address the decoupling or buffering needed to handle worker overload. Option C is wrong because a single bigger EC2 instance for the worker still represents a single point of failure and cannot elastically scale to absorb traffic spikes; it does not provide the asynchronous decoupling required. Option D is wrong because an Amazon Route 53 health check on the frontend only monitors the frontend's availability and can trigger failover, but it does not buffer or decouple requests from overloaded downstream workers.

136
MCQmedium

A public API for a financial reporting platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

A.JWT authorizer configured for the OpenID Connect issuer
B.IAM authorization for all internet users
C.API keys only
D.A VPC endpoint policy
AnswerA

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option A is correct because the scenario requires standards-based token authentication from an external OpenID Connect (OIDC) provider. An API Gateway JWT authorizer (available on HTTP APIs; REST APIs use a Lambda or Amazon Cognito authorizer for the same job) fetches the issuer's signing keys from the JWKS URI in its OIDC discovery document and validates each request's JWT signature, issuer, audience and expiry without custom code, making it the simplest and most secure choice. Configure the audience as the API's own client ID so that tokens minted at the same issuer for other applications are rejected, and attach authorization scopes to routes that need finer control.

Exam trap

The trap here is that candidates often confuse IAM authorization (for AWS internal services) with token-based authentication for external clients, or they assume API keys alone are sufficient for security, ignoring the requirement for standards-based token validation.

How to eliminate wrong answers

Option B is wrong because IAM authorization is designed for AWS principals (users/roles) using Signature Version 4 signing, not for internet clients with external OIDC tokens. Option C is wrong because API keys only provide basic identification and rate limiting, not authentication or authorization against a standards-based token issuer. Option D is wrong because a VPC endpoint policy controls access to the API Gateway via VPC endpoints, not authentication of client tokens from an external OIDC provider.
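
The code below is an added example, not code from the original page or from API Gateway. It reproduces the checks a JWT authorizer performs on every request (algorithm pinned, signature verified before any claim is read, then iss, aud, exp and nbf) with the standard library only. To keep it runnable offline it signs with HS256 and a shared secret; that is an assumption for the example, since a real OIDC issuer publishes RSA public keys (RS256) through its JWKS endpoint, and the shared secret, issuer URL and audience are constructed values. The claim checks are the part that carries over.

```python
"""Validate a JWT the way an API Gateway JWT authorizer does: pinned algorithm,
signature first, then issuer, audience and time claims."""
import base64
import hashlib
import hmac
import json
import time

# Assumption for this offline example only: HMAC with a shared secret. OIDC
# issuers sign with RSA keys published via JWKS, but the claim checks are identical.
ALG = "HS256"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = ALG) -> str:
    """Build a compact JWT. alg="none" produces an unsigned token, the classic
    forgery that the verifier below must refuse."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is acceptable; raise ValueError otherwise.

    The algorithm is pinned to the one we expect, so a header of alg=none or a
    different algorithm cannot downgrade the check, and the signature is verified
    before any claim is trusted.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != ALG:
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def rejection_reason(token, key, issuer, audience, now=None):
    """None if the token verifies, otherwise the reason string from verify_token."""
    try:
        verify_token(token, key, issuer, audience, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    key, iss, aud = b"constructed-shared-secret", "https://login.example.com/", "reports-api"
    good = mint_token({"iss": iss, "aud": aud, "sub": "user-1", "exp": int(time.time()) + 300}, key)
    print("valid token:", rejection_reason(good, key, iss, aud))
    forged = mint_token({"iss": iss, "aud": aud, "sub": "admin", "exp": int(time.time()) + 300}, key, alg="none")
    print("alg=none token:", rejection_reason(forged, key, iss, aud))
```

The audience check is the one teams most often leave loose: a token that is perfectly valid for a different client at the same issuer must still be rejected here, which is why the authorizer's audience setting should name this API's client ID and nothing broader.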

137
MCQeasy

An S3 bucket uses a customer-managed KMS key as the default for SSE-KMS encryption. A service role will upload objects using s3:PutObject. Assuming the role already has permission to write to the bucket, which KMS permission is most directly required for the role to let S3 encrypt the object during upload?

A.kms:GenerateDataKey (and optionally kms:DescribeKey)
B.kms:Decrypt only
C.kms:CreateAlias and kms:UpdateAlias only
D.kms:ScheduleKeyDeletion and kms:CancelKeyDeletion only
AnswerA

For SSE-KMS uploads, S3 uses KMS to generate a data key for encrypting the object. kms:GenerateDataKey is the direct permission required for that flow. kms:DescribeKey can be useful for validation or troubleshooting, but it is not the core cryptographic permission.

Why this answer

When S3 uses SSE-KMS with a customer-managed KMS key, the service calls KMS to generate a data key for encrypting the object. The s3:PutObject operation requires the caller to have kms:GenerateDataKey permission on the KMS key so that S3 can obtain the plaintext and encrypted versions of the data key; S3 encrypts the object with the plaintext copy, discards it, and stores the encrypted copy with the object. Optionally, kms:DescribeKey may be needed for S3 to verify the key exists, but kms:GenerateDataKey is the most directly required permission. One practical caveat: multipart uploads, which the SDKs and CLI switch to automatically for large objects, also need kms:Decrypt on the key, because S3 must decrypt the uploaded parts before it can complete the upload.

Exam trap

The trap here is that candidates often confuse kms:Decrypt (needed for GET/read operations) with kms:GenerateDataKey (needed for PUT/write operations), or they assume any KMS permission will work because S3 handles encryption transparently.

How to eliminate wrong answers

Option B is wrong because kms:Decrypt is used for reading or decrypting objects, not for uploading new objects with SSE-KMS. Option C is wrong because kms:CreateAlias and kms:UpdateAlias are for managing key aliases, not for encrypting data during upload. Option D is wrong because kms:ScheduleKeyDeletion and kms:CancelKeyDeletion are key lifecycle management actions, unrelated to the encryption process for PutObject.

138
MCQeasy

A CI pipeline needs to upload build artifacts only to s3://ci-artifacts/uploads/*. You also want the pipeline to list only objects under uploads/ to verify that the upload succeeded. Which IAM policy approach is the best fit for least privilege?

A.Allow s3:PutObject on arn:aws:s3:::ci-artifacts/uploads/* and allow s3:ListBucket on arn:aws:s3:::ci-artifacts with a condition that restricts s3:prefix to uploads/.
B.Allow s3:PutObject on arn:aws:s3:::ci-artifacts/* and allow s3:ListBucket on arn:aws:s3:::ci-artifacts without any prefix condition.
C.Allow s3:GetObject on arn:aws:s3:::ci-artifacts/uploads/* so the pipeline can confirm artifacts exist.
D.Allow s3:PutObject on arn:aws:s3:::ci-artifacts/uploads/* and also allow s3:DeleteObject on arn:aws:s3:::ci-artifacts/uploads/*.
AnswerA

This scopes object writes to only the uploads/ prefix (resource-level restriction for s3:PutObject) and scopes object listing to only that same prefix by restricting the ListBucket request via the s3:prefix condition key (bucket-level authorization for s3:ListBucket).

Why this answer

Option A is correct because it grants the minimum required permissions: s3:PutObject on the specific uploads/ path for uploading artifacts, and s3:ListBucket on the bucket with a condition restricting the s3:prefix to uploads/ to list only objects under that prefix. This follows the least privilege principle by scoping both actions to the exact resources needed. Note that s3:ListBucket is authorized against the bucket ARN, not an object ARN, so the prefix can only be constrained through the condition key. With StringEquals the request must carry exactly the prefix uploads/ (a list request with no prefix, such as listing the bucket root, is denied because the condition key is absent); if the pipeline lists sub-prefixes like uploads/2024/, use StringLike with uploads/* instead.

Exam trap

The trap here is that candidates often confuse s3:GetObject with s3:ListBucket for verifying uploads, or they forget to restrict the s3:prefix condition on ListBucket, leading to overly permissive policies.

How to eliminate wrong answers

Option B is wrong because it allows s3:PutObject on the entire bucket (arn:aws:s3:::ci-artifacts/*) instead of restricting to uploads/, and allows s3:ListBucket without a prefix condition, which would list all objects in the bucket, violating least privilege. Option C is wrong because s3:GetObject is not needed to verify upload success; listing objects (s3:ListBucket) is the correct action to confirm an object exists after upload. Option D is wrong because it grants s3:DeleteObject, which is unnecessary for the pipeline's requirements and introduces excessive permissions that could allow accidental or malicious deletion of artifacts.

139
MCQmedium

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A.Enable S3 Block Public Access at the account or bucket level
B.Create an IAM policy that denies s3:GetObject to anonymous users
C.Enable server access logging on the bucket
D.Enable S3 Transfer Acceleration
AnswerA

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

S3 Block Public Access is a bucket- and account-level guardrail that is evaluated before any policy or ACL grant. Its BlockPublicPolicy setting rejects a PutBucketPolicy call that would grant public access, and RestrictPublicBuckets makes S3 ignore public grants in a policy that is already in place, so even if a developer later adds an overly broad bucket policy the service will not serve public requests. Enabling it at the account level is the stronger choice, because a bucket-level setting can be switched off on that one bucket. This is the only option that directly prevents public exposure.

Exam trap

The trap here is that candidates often think an IAM deny policy (Option B) is sufficient, but they miss that bucket policies can grant access to anonymous users independently of IAM, making S3 Block Public Access the only reliable safeguard.

How to eliminate wrong answers

Option B is wrong because an IAM identity policy is attached to IAM users, groups or roles; an anonymous request carries no IAM identity, so the deny never evaluates for it, while a bucket policy with Principal "*" grants the anonymous access directly. Option C is wrong because server access logging only records requests to the bucket; it does not enforce any access restrictions. Option D is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances; it has no effect on access control or public accessibility.

140
Multi-Selecthard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A.Interface VPC endpoint for Systems Manager
B.Internet gateway attached to the VPC
C.NAT gateway in each Availability Zone
D.Gateway VPC endpoint for Amazon S3
AnswersA, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

Interface VPC endpoints (AWS PrivateLink) for Systems Manager (service name com.amazonaws.<region>.ssm, which serves the Parameter Store API) give EC2 instances in private subnets a private IP address inside the VPC for Parameter Store calls, so nothing traverses the internet; the endpoint is protected by a security group and can carry an endpoint policy. A gateway VPC endpoint for S3 adds a prefix-list route to the private subnets' route tables, giving a highly available, managed path to S3 that requires no NAT gateway or internet gateway and carries no data processing charge. Both are AWS-native, managed building blocks that meet the architecture review board's preference.

Exam trap

The trap here is that candidates often confuse gateway VPC endpoints (for S3 and DynamoDB) with interface endpoints (for most other AWS services), or incorrectly assume NAT gateways are required for all private subnet outbound traffic, when managed endpoints can bypass the internet entirely.

141
MCQmedium

Account B has an IAM role that includes kms:Decrypt for a specific KMS key ARN in account A. However, when the role tries to read an S3 object encrypted with that CMK, the application fails with AccessDenied: not authorized to perform kms:Decrypt. CloudTrail shows the KMS API call is denied by key policy. What is the most secure and correct fix?

A.Update the IAM role in account B to include kms:Encrypt and kms:GenerateDataKey; then kms:Decrypt will start working automatically.
B.Update the KMS key policy in account A to allow the account B role principal to use kms:Decrypt on the key.
C.Disable key policy for the CMK by switching to S3-managed encryption, because KMS key policies are always enforced regardless of grants.
D.Create an SCP in account A that allows kms:Decrypt for all accounts, avoiding changes to the key policy.
AnswerB

Cross-account use of a CMK requires the KMS key policy (in the CMK’s account) to allow the external principal to perform kms:Decrypt. Since CloudTrail shows the denial is by key policy, updating the key policy to grant the account B role kms:Decrypt on the specific key is the correct and least-privilege solution.

Why this answer

Option B is correct because cross-account access to a customer managed KMS key (CMK) requires the key policy to explicitly grant the external IAM role principal the necessary permissions (e.g., kms:Decrypt). Even if the IAM role in Account B has an IAM policy allowing kms:Decrypt, the KMS key policy in Account A acts as a resource-based policy that must also allow the action; without this, the request is denied by the key policy, as shown in CloudTrail.

Exam trap

The trap here is that candidates often assume IAM permissions alone are sufficient for cross-account KMS operations, forgetting that KMS key policies are resource-based and must explicitly grant access to external principals.

How to eliminate wrong answers

Option A is wrong because adding kms:Encrypt and kms:GenerateDataKey to the IAM role does not resolve the key policy denial; the issue is the key policy in Account A, not the IAM permissions in Account B, and kms:Decrypt does not automatically work from other actions. Option C is wrong because abandoning the CMK and switching to S3-managed encryption (SSE-S3) is not a secure fix for cross-account access; it removes customer control over encryption keys and does not address the need for cross-account KMS decryption. Option D is wrong because SCPs (Service Control Policies) only restrict what principals inside an AWS organization may do and never grant permissions; an SCP cannot override a key policy denial, has no effect on principals outside the organization, and one that allows kms:Decrypt for all accounts would be both insecure and ineffective.

142
MCQmedium

Based on the exhibit, what is the most appropriate change to restore application access while keeping encryption at rest with customer-managed KMS controls?

A.Change the bucket to SSE-S3 so the application no longer depends on KMS permissions.
B.Update the KMS key policy or add a grant so AppServerRole can use the key for decrypt and data key operations.
C.Move the EC2 instance into the same Availability Zone as the S3 bucket to reduce encryption errors.
D.Attach AmazonS3FullAccess to the application role so S3 can bypass KMS authorization.
AnswerB

For SSE-KMS objects, the caller needs permission to use the KMS key as well as S3 permissions. The role already has S3 access, but KMS is denying Decrypt because the key policy does not allow the role. Adding the role through the key policy or a grant, together with the needed KMS actions, resolves the failure while preserving customer-managed encryption.

Why this answer

The application is failing because AppServerRole lacks the necessary permissions to use the customer-managed KMS key for decrypting S3 objects. By updating the KMS key policy or adding a grant to allow the role to perform `kms:Decrypt` and `kms:GenerateDataKey` operations, you restore access while maintaining encryption at rest with customer-managed KMS controls.

Exam trap

The trap here is that candidates often assume S3 bucket policies alone control access to encrypted objects, forgetting that SSE-KMS requires separate KMS key permissions that must be explicitly granted to the IAM role or user.

How to eliminate wrong answers

Option A is wrong because switching to SSE-S3 removes customer-managed KMS controls, violating the requirement to keep encryption at rest with customer-managed KMS. Option C is wrong because an S3 bucket is a Regional resource whose data is already stored across multiple Availability Zones; it is not placed in a single AZ, and KMS authorization errors are unrelated to instance placement. Option D is wrong because attaching AmazonS3FullAccess does not grant KMS permissions; S3 still requires KMS authorization for decrypting SSE-KMS encrypted objects, and this would not bypass KMS authorization.
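The SSE-KMS flow behind questions 137, 141 and 142, as an added worked example (not code from the page or from AWS): a toy KMS and a toy S3 bucket that make the same KMS calls S3 makes on PutObject (GenerateDataKey) and GetObject (Decrypt), with the KMS authorization rule that the key policy must name the caller and that a caller from another account must also be allowed by its own identity policy. Assumptions: the account IDs, role names and objects are constructed, and the cipher is a SHA-256 keystream stand-in for AES-GCM so that the block runs with the standard library only.

```python
import hashlib
import os
from dataclasses import dataclass


class AccessDenied(Exception):
    """Stands in for the KMS AccessDeniedException in the scenarios above."""


@dataclass(frozen=True)
class Caller:
    arn: str
    account: str
    identity_actions: frozenset   # kms:* actions the caller's own IAM policy allows (constructed)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) standing in for AES-GCM so the example
    runs with the standard library only. Never use this for real data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class ToyKms:
    """One customer-managed key owned by `key_account`. Rule modelled: the key policy must
    name the caller for the action, and a caller from another account must also be allowed
    by its own identity policy. (Same-account delegation to IAM through the account-root
    statement is not modelled.)"""

    def __init__(self, key_account: str, key_policy: dict):
        self.key_account = key_account
        self.key_policy = key_policy          # {principal_arn: {"kms:Decrypt", ...}}
        self._master = os.urandom(32)         # key material never leaves "KMS"

    def _authorize(self, caller: Caller, action: str) -> None:
        if action not in self.key_policy.get(caller.arn, set()):
            raise AccessDenied(f"{action} denied by key policy for {caller.arn}")
        if caller.account != self.key_account and action not in caller.identity_actions:
            raise AccessDenied(f"{action} denied by identity policy in account {caller.account}")

    def generate_data_key(self, caller: Caller):
        """Returns (plaintext data key, wrapped data key): what S3 calls during PutObject."""
        self._authorize(caller, "kms:GenerateDataKey")
        plaintext, nonce = os.urandom(32), os.urandom(16)
        return plaintext, nonce + _xor_stream(self._master + nonce, plaintext)

    def decrypt(self, caller: Caller, wrapped: bytes) -> bytes:
        """Unwraps a data key: what S3 calls during GetObject."""
        self._authorize(caller, "kms:Decrypt")
        return _xor_stream(self._master + wrapped[:16], wrapped[16:])


class ToyS3Bucket:
    """Bucket whose default encryption is SSE-KMS with the key above. The S3 permission
    check is assumed to have passed; only the KMS side of each request is modelled."""

    def __init__(self, kms: ToyKms):
        self.kms, self.objects = kms, {}

    def put_object(self, caller: Caller, key: str, body: bytes) -> None:
        data_key, wrapped = self.kms.generate_data_key(caller)       # needs kms:GenerateDataKey
        self.objects[key] = (wrapped, _xor_stream(data_key, body))    # wrapped key stored with ciphertext

    def get_object(self, caller: Caller, key: str) -> bytes:
        wrapped, ciphertext = self.objects[key]
        return _xor_stream(self.kms.decrypt(caller, wrapped), ciphertext)   # needs kms:Decrypt


def attempt(fn):
    """Runs fn(); returns its result, or the AccessDenied message."""
    try:
        return fn()
    except AccessDenied as e:
        return f"AccessDenied: {e}"


def run_scenarios() -> dict:
    key_owner, app_account = "111111111111", "222222222222"            # constructed account ids
    app_role = f"arn:aws:iam::{app_account}:role/AppServerRole"
    both = frozenset({"kms:GenerateDataKey", "kms:Decrypt"})
    app = Caller(app_role, app_account, both)
    uploader = Caller(f"arn:aws:iam::{key_owner}:role/UploaderRole", key_owner, frozenset())
    results = {}

    # 1. Questions 141/142: the role's IAM policy allows kms:Decrypt, but the key policy in the
    #    owning account does not mention the role, so S3's KMS call fails.
    bucket = ToyS3Bucket(ToyKms(key_owner, {}))
    results["missing_key_policy_entry"] = attempt(lambda: bucket.put_object(app, "r.csv", b"q3 numbers"))

    # 2. Fix: the key policy grants the cross-account role GenerateDataKey and Decrypt.
    bucket = ToyS3Bucket(ToyKms(key_owner, {app_role: both, uploader.arn: {"kms:GenerateDataKey"}}))
    bucket.put_object(app, "r.csv", b"q3 numbers")
    results["cross_account_round_trip"] = attempt(lambda: bucket.get_object(app, "r.csv"))

    # 3. Question 137: a same-account role with only GenerateDataKey can upload but not read back.
    results["generate_only_put"] = attempt(lambda: bucket.put_object(uploader, "a.tgz", b"artifact"))
    results["generate_only_get"] = attempt(lambda: bucket.get_object(uploader, "a.tgz"))
    return results
```

The failure strings mirror what CloudTrail shows for the real service: the denial names the policy layer that rejected the call, which is the first thing to read when an SSE-KMS request fails although the S3 permissions look right.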

143
Multi-Selecthard

A financial reporting platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly? The design must avoid adding custom operational scripts.

Select 2 answers
A.Use an S3 bucket policy that allows access only from the CloudFront distribution
B.Enable CloudFront standard logging
C.Enable S3 static website hosting
D.Configure Origin Access Control for the S3 origin
AnswersA, D

The bucket policy should trust the CloudFront distribution and deny direct public access.

Why this answer

Option A is correct because with Origin Access Control (OAC) the bucket policy allows s3:GetObject only to the cloudfront.amazonaws.com service principal, with a condition that AWS:SourceArn equals the ARN of the specific distribution; with S3 Block Public Access left on, no other principal holds a grant, so direct requests to the bucket endpoint are rejected. OAC is the current mechanism and replaces the legacy origin access identity (OAI), which instead named the OAI's CloudFront principal in the policy. Option D is correct because OAC is what makes CloudFront sign its origin requests so that the bucket policy can recognise them, and it is configured on the distribution and origin without any custom scripts.

Exam trap

The trap here is that candidates often confuse logging or static website hosting with security controls, not realizing that only explicit bucket policies or OAC/OAI configurations actually enforce the restriction to CloudFront traffic.

144
MCQhard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an e-learning platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A.A security group rule that allows HTTPS to S3
B.A condition that matches aws:RequestedRegion to the bucket Region
C.A deny statement for all IAM users except the EC2 role
D.A condition that matches aws:sourceVpce to the endpoint ID
AnswerD

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access to requests originating from a specific VPC endpoint (interface or Gateway VPC endpoint). This ensures that only traffic routed through that endpoint can access the S3 bucket, meeting the security team's requirement for regulated exports.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceIp` or `aws:sourceVpc`, thinking a VPC or IP-based condition is sufficient, but only the specific VPC endpoint ID ensures the traffic used the designated endpoint.

How to eliminate wrong answers

Option A is wrong because security group rules control network traffic at the instance level, not the bucket policy level, and cannot enforce that traffic must come through a specific VPC endpoint. Option B is wrong because `aws:RequestedRegion` checks the AWS Region in the request, not the VPC endpoint, and does not restrict traffic to a specific endpoint. Option C is wrong because denying all IAM users except the EC2 role does not enforce the VPC endpoint requirement; it only controls identity-based access, not the network path.
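The three policies from questions 138, 143 and 144, evaluated with a small model of IAM policy evaluation, as an added worked example (not code from the page or from AWS). It implements the parts that decide these cases: explicit Deny beats Allow, Principal matching for bucket policies, wildcard Action and Resource matching, and the condition operators, including the rule that a negated operator such as StringNotEquals is true when the key is absent from the request, which is what lets a Deny on aws:sourceVpce catch internet-path requests. Assumptions: bucket names, the role ARN, the endpoint ID and the distribution ARN are constructed; condition key names are compared exactly here although IAM treats them case-insensitively; and cross-account evaluation (where both the identity policy and the bucket policy must allow) is not modelled, as every requester here is in the bucket's account or is a service principal.

```python
import fnmatch

# Constructed identifiers for this example (not from the page).
ROLE_ARN = "arn:aws:iam::111111111111:role/ExportReaderRole"
ENDPOINT_ID = "vpce-0123456789abcdef0"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111111111111:distribution/EDFDVBD6EXAMPLE"

# Question 138: identity policy for the CI pipeline role.
CI_PIPELINE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ci-artifacts/uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::ci-artifacts",
     "Condition": {"StringEquals": {"s3:prefix": "uploads/"}}},
]}

# Question 143: bucket policy that trusts only the CloudFront service principal via OAC.
OAC_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-site/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}}},
]}

# Question 144: identity policy for the EC2 role plus a bucket policy that denies any
# request that did not arrive through the designated VPC endpoint.
EC2_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::regulated-exports/*"},
]}
VPCE_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::regulated-exports", "arn:aws:s3:::regulated-exports/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM "*" spans "/" and ":" as well, which fnmatch also does.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


_OPS = {"StringEquals": lambda v, pats: v in pats,
        "StringLike": lambda v, pats: _match_any(pats, v),
        "ArnLike": lambda v, pats: _match_any(pats, v)}


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A positive operator on a missing key is false;
    a negated one (StringNotEquals, ArnNotLike, ...) on a missing key is true."""
    for op, pairs in (condition or {}).items():
        negated = "Not" in op
        base = op.replace("Not", "", 1)
        for key, expected in pairs.items():
            value = ctx.get(key)
            if value is None:
                if not negated:
                    return False
                continue
            hit = _OPS[base](value, _as_list(expected))
            if hit == negated:
                return False
    return True


def _principal_matches(stmt, req):
    if "Principal" not in stmt:          # identity policy: applies to whoever it is attached to
        return True
    principal = stmt["Principal"]
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    return any(req.get("principal_" + kind.lower()) in _as_list(ids)
               for kind, ids in principal.items())


def evaluate(policies, req):
    """Explicit Deny wins, then any Allow, otherwise implicit Deny. `policies` holds every
    policy that applies to the request (identity policy and bucket policy together)."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, req)
                    and _match_any(stmt["Action"], req["action"])
                    and _match_any(stmt["Resource"], req["resource"])
                    and _condition_holds(stmt.get("Condition"), req["context"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def s3_request(action, resource, principal_aws=None, principal_service=None, context=None):
    """Request as the evaluator sees it; condition keys (s3:prefix, aws:sourceVpce, ...) go in `context`."""
    return {"action": action, "resource": resource, "principal_aws": principal_aws,
            "principal_service": principal_service, "context": context or {}}
```

Two of the outcomes are the ones that surprise people in practice: listing the bucket root with no prefix is denied by the StringEquals condition on s3:prefix (the key is simply absent), and the endpoint Deny statement locks out every path other than the named endpoint, including the console and any other VPC, so the exception list has to be deliberate before it is applied to a production bucket.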

145
MCQmedium

A media company has users around the world uploading 1 to 5 GB files directly to a single Amazon S3 bucket. Upload times are slow from distant regions, but the app must keep using S3 as the destination. What should the architects enable to improve upload performance?

A.Amazon CloudFront for origin caching of uploaded files.
B.Amazon S3 Transfer Acceleration on the bucket.
C.Provisioned IOPS EBS volumes attached to a transfer server.
D.Amazon EFS with a mount target in each Region.
AnswerB

S3 Transfer Acceleration improves upload performance over long distances by routing traffic through AWS edge locations and optimized network paths to the target bucket. This is a strong fit for globally distributed users uploading large files directly to S3. It preserves the same storage destination while making the transfer path faster and more consistent for remote clients.

Why this answer

Amazon S3 Transfer Acceleration (B) uses AWS edge locations to accelerate uploads over the public internet. When a user uploads a file, the data is sent to the nearest edge location via optimized network paths, then forwarded over AWS's private backbone to the S3 bucket. This reduces latency and improves throughput for large files (1–5 GB) from distant regions, directly addressing the slow upload times while keeping S3 as the destination.

Exam trap

The trap here is confusing CloudFront's edge caching for downloads with S3 Transfer Acceleration's edge-based upload optimization, leading candidates to select CloudFront (A) even though it does not improve upload performance to S3.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) for caching and delivering frequently accessed objects to end users, not for accelerating uploads to an origin bucket; it does not optimize the upload path from clients to S3. Option C is wrong because Provisioned IOPS EBS volumes are block storage for EC2 instances, not a service for improving network upload performance to S3; attaching them to a transfer server would add unnecessary complexity and cost without addressing the geographic latency issue. Option D is wrong because Amazon EFS is a shared file system for EC2 instances, not a replacement for S3 as the upload destination; mounting it in each region would require a separate application architecture and does not accelerate direct uploads to the existing S3 bucket.

146
MCQmedium

Developers for a B2B file exchange site need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

A.Attach AdministratorAccess permanently to every developer role
B.Create shared administrator access keys for the team
C.Disable CloudTrail during troubleshooting
D.Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
AnswerD

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center (formerly AWS SSO) assigns permission sets to federated users and groups and issues short-lived role credentials with a configurable session duration, so elevated access expires instead of persisting. Combined with a temporary elevated access process in which an approver grants the assignment for a bounded window, it satisfies the requirement for approvals and expiry, and every API call made with the resulting session is recorded in AWS CloudTrail with the federated identity attached. This is just-in-time access rather than standing privilege, in line with the principle of least privilege.

Exam trap

The trap here is that candidates may think permanent AdministratorAccess (Option A) is acceptable for developers, failing to recognize that AWS guidance calls for temporary credentials with approval workflows for elevated access in secure architectures.

How to eliminate wrong answers

Option A is wrong because permanently attaching AdministratorAccess to every developer role violates the principle of least privilege, creates a standing privilege that cannot enforce expiry or approvals, and increases the attack surface. Option B is wrong because shared administrator access keys lack individual accountability, cannot enforce time-bound access or approvals, and bypass CloudTrail's ability to attribute actions to specific users. Option C is wrong because disabling CloudTrail during troubleshooting removes audit logging entirely, which directly contradicts the security team's requirement for audit logging and violates AWS security best practices.

147
MCQmedium

A web application for a mobile banking backend is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A.Security groups on the application instances
B.AWS WAF associated with the Application Load Balancer
C.Network ACLs on the public subnets
D.AWS Shield Advanced only
AnswerB

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). By associating an AWS WAF web ACL with the Application Load Balancer, you can filter and monitor HTTP(S) requests based on rules that block these attack patterns, all without managing any infrastructure. Using AWS Managed Rules such as the Core rule set (AWSManagedRulesCommonRuleSet) and the SQL database rule set (AWSManagedRulesSQLiRuleSet) gives SQLi and XSS coverage without writing rules by hand; starting a new rule group in count mode before switching it to block avoids surprising the application with false positives. This provides the required protection with minimal operational overhead because AWS WAF is a fully managed service that integrates directly with ALB.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups, NACLs) with application-layer protection, assuming that blocking ports or IP ranges is sufficient to stop web application attacks like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because security groups act as a virtual firewall at the instance level, controlling inbound and outbound traffic based on IP addresses and ports; they cannot inspect application-layer payloads for SQL injection or XSS patterns. Option C is wrong because network ACLs are stateless, operate at the subnet level, and only filter traffic based on IP addresses, ports, and protocols; they have no capability to parse HTTP request bodies or headers for malicious content. Option D is wrong because AWS Shield Advanced provides DDoS protection and cost protection against scaling; although a Shield Advanced subscription covers AWS WAF usage on the resources it protects, it does not by itself apply the application-layer rule sets needed to block SQL injection or XSS attacks, which still require a web ACL in AWS WAF.

148
Multi-Selecthard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The team wants the control to be enforceable during normal operations.

Select 2 answers
A.Interface VPC endpoint for Systems Manager
B.Internet gateway attached to the VPC
C.NAT gateway in each Availability Zone
D.Gateway VPC endpoint for Amazon S3
AnswersA, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

An Interface VPC endpoint (AWS PrivateLink) for Systems Manager allows the private subnets to securely access Systems Manager Parameter Store without traversing the internet, using private IP addresses within the VPC. A gateway VPC endpoint for Amazon S3 does the same for object downloads by adding a route for the S3 prefix list to the private subnets' route tables. Both keep traffic within the AWS network, and both are enforceable during normal operations: the S3 gateway endpoint and the interface endpoint each accept an endpoint policy, the interface endpoint sits behind a security group, and the bucket policy can require aws:sourceVpce so that access outside the endpoint is denied.

Exam trap

AWS often tests the distinction between Interface VPC endpoints (for services like Systems Manager, API Gateway, and Kinesis) and Gateway VPC endpoints (for S3 and DynamoDB), and candidates mistakenly assume a NAT gateway or internet gateway is required for private subnets to access these services.

149
MCQmedium

A retail company lets developers deploy ECS services but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies. Which design best meets all requirements?

A.Create an IAM user for each developer and keep the existing broad permissions, rotating keys every 90 days.
B.Use an IAM role that developers assume for deployments; attach least-privilege policies for ECS and Auto Scaling; and attach a permission boundary that does not allow iam:* actions, so additional inline or managed policies cannot grant IAM permissions.
C.Attach a policy that allows ecs:* and autoscaling:* and rely on developers to self-review that no IAM statements are added to their roles.
D.Create a single shared IAM role with full administrator permissions so developers can troubleshoot faster when deployments fail.
AnswerB

Assuming a role provides temporary credentials and removes long-lived keys. Least-privilege policies limit allowed actions, and a permission boundary caps the role's effective permissions so IAM actions cannot be gained through later policy changes.

Why this answer

Option B is correct because it uses an IAM role with temporary credentials (via AWS STS AssumeRole), satisfying the requirement to avoid long-lived access keys. The least-privilege policies for ECS and Auto Scaling grant only the necessary permissions, while the permission boundary caps the role's effective permissions: a request is allowed only if both an identity policy and the boundary allow it, so a boundary that contains no IAM actions makes any later-attached inline or managed policy granting iam:* ineffective. In practice the boundary usually has to include iam:PassRole scoped to the specific task and execution role ARNs, because ecs:CreateService and ecs:UpdateService pass those roles; the policy-mutating actions (iam:Attach*, iam:Put*, iam:Create*) stay out. This combination ensures developers can deploy ECS services but cannot modify IAM.

Exam trap

The trap here is that candidates may think a permission boundary grants or limits resource access on its own, but it grants nothing: it sets the maximum permissions an identity-based policy can give the role, which is exactly what prevents privilege escalation through later policy changes and meets the 'IAM changes impossible' requirement.

How to eliminate wrong answers

Option A is wrong because rotating keys every 90 days still uses long-lived access keys, which violates the requirement for temporary credentials and does not prevent key leakage or IAM modification. Option C is wrong because relying on developers to self-review is not a technical control; it allows them to potentially attach IAM policies to their roles, violating the requirement that IAM changes be impossible. Option D is wrong because a single shared IAM role with full administrator permissions violates least privilege, allows IAM modifications, and does not use temporary credentials per developer.
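The intersection rule behind the permission boundary, as an added worked example (not code from the page or from AWS): a simplified evaluation of Allow-only policies where the effective permission is the union of the identity policies intersected with the boundary, played against the case the question worries about, an AdministratorAccess-style policy landing on the deployment role later. Assumptions: the action lists are constructed; resource ARNs, conditions and explicit Deny statements are not modelled, so in a real boundary iam:PassRole must additionally be restricted to the specific task and execution role ARNs.

```python
import fnmatch

# Constructed policies for the redesign described above (not the page's own text).
DEPLOY_POLICY = {"ecs:*", "application-autoscaling:*", "iam:PassRole", "logs:CreateLogGroup"}
# A policy a developer, or a well-meaning teammate, attaches to the role later.
ADMIN_POLICY = {"*"}
# Boundary: everything ECS needs, no IAM mutation. iam:PassRole stays in because
# ecs:CreateService must pass the task and execution roles (scope it to their ARNs in a
# real policy); iam:Attach*, iam:Put*, iam:Create* are deliberately absent.
BOUNDARY = {"ecs:*", "application-autoscaling:*", "logs:*", "iam:PassRole"}


def _covers(actions, action):
    """True when any allowed-action pattern covers `action` (IAM wildcard rules)."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in actions)


def effective_allow(action, identity_policies, boundary=None):
    """Simplified IAM evaluation for Allow-only policies (no explicit Deny, no resource or
    condition checks): allowed only if the boundary (when present) allows the action AND
    at least one identity policy allows it."""
    if boundary is not None and not _covers(boundary, action):
        return False
    return any(_covers(p, action) for p in identity_policies)


def escalation_attempt(actions, boundary=BOUNDARY):
    """What the role can actually do after ADMIN_POLICY has been attached alongside DEPLOY_POLICY."""
    return {a: effective_allow(a, [DEPLOY_POLICY, ADMIN_POLICY], boundary) for a in actions}
```

With the boundary in place the extra policy changes nothing outside ECS, Auto Scaling and logs; without it the same attachment is full administrator access, which is why the boundary, not the reviewed deployment policy, is the control that makes requirement (3) hold.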

150
MCQhard

A SaaS vendor’s automation account in Account B needs to assume a role in a customer account in Account A to read a specific S3 bucket and publish a deployment status file. The customer is worried about confused deputy attacks because multiple customers use the same vendor software. Which trust-policy design best meets the requirement?

A.Allow the Account B root principal to assume the role if the caller knows the role ARN.
B.Allow only the vendor’s specific IAM principal to assume the role and require a unique sts:ExternalId condition.
C.Attach a permissions boundary to the role so that the vendor cannot exceed the approved permissions.
D.Require MFA for the role assumption because it ensures only the vendor’s production automation can use the role.
AnswerB

This is the standard confused deputy protection pattern for third-party cross-account access. The trust policy limits who can call AssumeRole, and the sts:ExternalId condition lets the customer require a customer-specific value that the vendor must supply. That prevents another customer or a malicious party from reusing the same role ARN successfully.

Why this answer

Option B is correct because the `sts:ExternalId` condition is specifically designed to prevent the confused deputy problem in cross-account role assumptions. The vendor generates a unique external ID for each customer and stores it with that customer's role ARN; the customer places the value in the role's trust policy, so the vendor's automation can assume the role only when it is working on behalf of that specific customer, even if another customer supplies the same role ARN. The external ID is not a secret credential: it disambiguates customers, and it complements rather than replaces the restriction of the trust policy to the vendor's specific principal.

Exam trap

The trap here is that candidates often confuse MFA or permissions boundaries as solutions for the confused deputy problem, when in fact only the `sts:ExternalId` condition directly mitigates this specific threat by providing a customer-specific identifier in the trust policy.

How to eliminate wrong answers

Option A is wrong because allowing the Account B root principal to assume the role based solely on knowing the role ARN provides no protection against confused deputy attacks; any IAM entity in Account B (including compromised or malicious principals) could assume the role. Option C is wrong because a permissions boundary limits the maximum permissions the role can grant, but it does not address the confused deputy threat; it controls scope, not identity verification. Option D is wrong because requiring MFA ensures the caller is authenticated via a second factor, but it does not prevent a confused deputy scenario where the vendor's automation could be tricked into assuming the role on behalf of a different customer; MFA does not provide a customer-specific identifier.
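The confused deputy scenario and its mitigation, as an added worked example (not code from the page or from AWS): a toy STS that enforces the trust policy's principal and sts:ExternalId checks, and a multi-tenant vendor worker that assumes one customer role per tenant. An attacker tenant registers another customer's role ARN as its own; without an external ID the vendor, which that role trusts, obligingly assumes it on the attacker's behalf, and with vendor-generated per-tenant external IDs the same attempt is refused. Assumptions: account IDs, role names and the tenant registry are constructed, and the STS model covers only the trust-policy check.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class AccessDenied(Exception):
    pass


@dataclass
class TrustPolicy:
    trusted_principal: str             # the only ARN allowed to call AssumeRole
    external_id: Optional[str] = None  # value of the sts:ExternalId condition; None = no condition


class ToySts:
    """Models the AssumeRole trust check only (no session policies, no MFA)."""

    def __init__(self):
        self.roles: Dict[str, TrustPolicy] = {}

    def assume_role(self, caller_arn: str, role_arn: str, external_id: Optional[str] = None) -> str:
        policy = self.roles[role_arn]
        if caller_arn != policy.trusted_principal:
            raise AccessDenied("caller is not a trusted principal")
        if policy.external_id is not None and external_id != policy.external_id:
            raise AccessDenied("sts:ExternalId condition not satisfied")
        return f"temporary-credentials-for:{role_arn}"


class VendorAutomation:
    """Multi-tenant worker: one IAM principal serving every customer (the 'deputy')."""
    ARN = "arn:aws:iam::999999999999:role/VendorDeployWorker"   # constructed

    def __init__(self, sts: ToySts, use_external_id: bool):
        self.sts, self.use_external_id = sts, use_external_id
        self.tenants: Dict[str, Tuple[str, Optional[str]]] = {}

    def onboard(self, tenant: str, customer_role_arn: str) -> Optional[str]:
        """The vendor, not the customer, generates the ExternalId, so no tenant can choose
        another tenant's value. The customer copies it into their role's trust policy."""
        ext = secrets.token_hex(16) if self.use_external_id else None
        self.tenants[tenant] = (customer_role_arn, ext)
        return ext

    def publish_status(self, tenant: str) -> str:
        role_arn, ext = self.tenants[tenant]
        return self.sts.assume_role(self.ARN, role_arn, ext)


def run(use_external_id: bool) -> dict:
    """Customer B onboards legitimately; an attacker tenant then registers B's role ARN."""
    sts = ToySts()
    vendor = VendorAutomation(sts, use_external_id)
    b_role = "arn:aws:iam::111111111111:role/VendorAccessRole"   # constructed, easy to guess

    ext_b = vendor.onboard("customer-b", b_role)
    sts.roles[b_role] = TrustPolicy(VendorAutomation.ARN, ext_b)   # B's trust policy

    vendor.onboard("attacker", b_role)   # attacker supplies B's ARN as "their" role
    out = {"legit": vendor.publish_status("customer-b")}
    try:
        out["attacker"] = vendor.publish_status("attacker")
    except AccessDenied as e:
        out["attacker"] = f"denied: {e}"
    return out
```

The trust policy alone cannot tell the two tenants apart, because the caller is the same vendor principal in both cases; only the per-customer value the vendor presents, and that the customer's policy demands, carries the information about whose work the deputy is doing.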
