CCNA Design Secure Architectures Questions

75 of 336 questions · Page 3/5 · Design Secure Architectures

151
MCQ · medium

A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access the resources, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole". What is the most appropriate fix?

A.Add an allow statement for the vendor in the role’s trust policy to permit sts:AssumeRole from the vendor account (and include any required ExternalId condition).
B.Attach the same allow policy to the vendor account’s existing IAM user so the user can call sts:AssumeRole directly into your role.
C.Replace the AssumeRole call with GetCallerIdentity so the vendor can infer permissions without assuming the role.
D.Enable MFA on the vendor’s IAM user and require MFA for your role using condition keys in the permissions policy.
AnswerA

AssumeRole is blocked unless the role trust policy allows the vendor principal. The role’s permissions policy alone cannot permit assumption.

Why this answer

The error 'Not authorized to perform: sts:AssumeRole' indicates that the role's trust policy does not grant the external AWS account (555566667777) permission to assume the role. The trust policy must include an Allow statement with the sts:AssumeRole action, specifying the external account as the principal, and optionally an ExternalId condition to prevent the confused deputy problem. Without this trust policy configuration, even if the permissions policy allows the required API calls, the vendor cannot assume the role.

Exam trap

The trap here is that candidates often confuse the role's permissions policy (which defines what actions the role can perform) with the trust policy (which defines who can assume the role), leading them to incorrectly modify the permissions policy or the vendor's IAM user instead of the trust policy.

How to eliminate wrong answers

Option B is wrong because copying the role's permissions policy onto the vendor's IAM user changes nothing about who may assume the role. Cross-account assumption needs two things: an identity policy on the vendor principal that allows sts:AssumeRole on your role's ARN, and a trust policy on the role that names the vendor account (or the specific user or role) as a principal; the trust policy is the half that is missing here. Once the role is assumed, the role's own permissions policy governs what the session can do, and the vendor user's policy plays no further part. Option C is wrong because GetCallerIdentity only returns details about the caller's identity; it grants no permissions to read data and cannot substitute for assuming the role. Option D is wrong because MFA on the vendor's user does not address the missing trust: the trust policy must first allow the vendor to assume the role (and an MFA condition on assumption belongs in the trust policy, not the permissions policy), so MFA is an additional constraint, not a fix for the underlying authorization failure.
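The ExternalId in option A exists to stop the confused-deputy problem mentioned above. The walkthrough below is an added example, not code from the original page: the vendor account number comes from the question, while the customer account IDs, role ARNs, the VendorService class and the assume_role_allowed helper are constructed. The helper models only the trust-policy half of an AssumeRole decision (STS also requires the caller's own identity policy to allow sts:AssumeRole on the role ARN).

```python
"""Confused-deputy walkthrough for cross-account AssumeRole with an ExternalId.

Added example, not code from the original page. VENDOR_ACCOUNT is from the
question; the customer account IDs, role ARNs, VendorService and
assume_role_allowed are constructed stand-ins for STS behaviour.
"""
import secrets
from typing import Dict, Optional, Tuple

VENDOR_ACCOUNT = "555566667777"
ACME_ROLE = "arn:aws:iam::111122223333:role/VendorReadRole"      # constructed customer
VICTIM_ROLE = "arn:aws:iam::999988887777:role/VendorReadRole"    # constructed second customer


def trust_policy(vendor_account: str, external_id: Optional[str]) -> Dict:
    """The trust policy option A adds: allow the vendor account to assume the
    role and, when external_id is given, only when the call presents it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy: Dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Does the trust policy admit an AssumeRole from caller_account carrying external_id?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # right account, but the ExternalId is missing or wrong
        return True
    return False


class VendorService:
    """Multi-tenant vendor that reads data from each customer's account. It is a
    deputy acting for many customers, and nothing stops a tenant from
    registering a role ARN that belongs to someone else."""

    def __init__(self, account: str, sts_trust: Dict[str, Dict]):
        self.account = account
        self.sts_trust = sts_trust        # role ARN -> that role's trust policy (stands in for STS)
        self.tenants: Dict[str, Tuple[str, str]] = {}

    def onboard(self, tenant: str, role_arn: str) -> str:
        """Issue the tenant a unique ExternalId; the tenant must put it in its trust policy."""
        external_id = secrets.token_hex(16)
        self.tenants[tenant] = (role_arn, external_id)
        return external_id

    def read_for(self, tenant: str) -> bool:
        """True if AssumeRole into the tenant's registered role would succeed."""
        role_arn, external_id = self.tenants[tenant]
        policy = self.sts_trust.get(role_arn)
        return policy is not None and assume_role_allowed(policy, self.account, external_id)


def demo() -> Dict[str, bool]:
    sts_trust: Dict[str, Dict] = {}
    vendor = VendorService(VENDOR_ACCOUNT, sts_trust)

    acme_id = vendor.onboard("acme", ACME_ROLE)
    sts_trust[ACME_ROLE] = trust_policy(VENDOR_ACCOUNT, acme_id)       # the fix from option A

    sts_trust[VICTIM_ROLE] = trust_policy(VENDOR_ACCOUNT, None)        # victim trusts the vendor account only
    vendor.onboard("mallory", VICTIM_ROLE)                             # attacker registers the victim's role

    results = {
        "acme_reads_own_data": vendor.read_for("acme"),
        "mallory_reads_victim_without_external_id": vendor.read_for("mallory"),
    }
    sts_trust[VICTIM_ROLE] = trust_policy(VENDOR_ACCOUNT, secrets.token_hex(16))  # victim adds its own ExternalId
    results["mallory_reads_victim_with_external_id"] = vendor.read_for("mallory")
    results["other_account_rejected"] = assume_role_allowed(sts_trust[ACME_ROLE], "000000000000", acme_id)
    return results
```

The second result is the attack: the victim's trust policy names the vendor account, the vendor assumes roles for whoever registers them, so an attacker who registers the victim's role ARN reads the victim's data through the vendor. Once the victim's policy requires the ExternalId the vendor issued to the victim, the attacker's registration carries the wrong value and the assumption is refused.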

152
MCQ · medium

A public API for an e-learning platform is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

A.A VPC endpoint policy
B.IAM authorization for all internet users
C.API keys only
D.JWT authorizer configured for the OpenID Connect issuer
AnswerD

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option D is correct because API Gateway HTTP APIs support JWT authorizers that validate JSON Web Tokens (JWTs) issued by an external OpenID Connect (OIDC) provider. The authorizer fetches the issuer's signing keys from its JWKS endpoint to verify the token signature and checks the issuer, audience and expiry claims, so the API authenticates clients with standards-based tokens without a custom Lambda authorizer. Note that REST APIs do not offer the JWT authorizer; there the equivalent is a Cognito user pool authorizer or a Lambda authorizer that performs the same checks.

Exam trap

The trap here is that candidates often confuse API keys (which only identify the caller for usage plans) with authentication mechanisms, or assume IAM authorization can validate third-party OIDC tokens, when in fact IAM authorization requires AWS credentials, not external tokens.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint policy controls access to API Gateway from within a VPC, not authentication for internet-based clients using OIDC tokens. Option B is wrong because IAM authorization is designed for AWS-authenticated principals (e.g., IAM users, roles) and does not validate tokens from external OpenID Connect providers; it uses AWS Signature Version 4, not OIDC tokens. Option C is wrong because API keys only provide simple rate limiting and usage plans, not authentication or authorization; they do not validate the identity of the caller or support OIDC token verification.

153
MCQ · medium

A Lambda function for a healthcare document service needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A.A KMS-encrypted Lambda environment variable
B.An encrypted object in Amazon S3
C.AWS Systems Manager Parameter Store SecureString without automation
D.AWS Secrets Manager with rotation enabled
AnswerD

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it is designed specifically for storing and automatically rotating database credentials. It supports native rotation for Amazon RDS, Redshift, and DocumentDB with a built-in Lambda rotation function, and it can rotate secrets on a schedule (e.g., every 30 days) without storing the password in environment variables. This meets the healthcare document service's requirement for automatic rotation and secure storage.

Exam trap

The trap here is that candidates often confuse Systems Manager Parameter Store (which can store SecureStrings) with Secrets Manager, but Parameter Store lacks automatic rotation, making it unsuitable for a 30-day rotation requirement without additional custom automation.

How to eliminate wrong answers

Option A is wrong because storing a KMS-encrypted password in a Lambda environment variable does not support automatic rotation; someone would have to change the database password and update the function configuration by hand every 30 days, which is exactly the manual step the requirement excludes. Option B is wrong because an encrypted object in Amazon S3 is a static storage mechanism with no built-in rotation capability, and accessing it requires managing S3 permissions and decryption logic manually. Option C is wrong because AWS Systems Manager Parameter Store SecureString can store a secure password but has no native rotation scheduling; you would need to build a custom rotation solution, whereas Secrets Manager provides this out of the box.
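The rotation Lambda that Secrets Manager invokes is driven through four steps, each called with the same ClientRequestToken, and the secret's versions move between the AWSCURRENT, AWSPENDING and AWSPREVIOUS staging labels. The block below is an added example, not code from the original page or from the AWS-provided rotation templates: FakeSecretsManager and FakeDatabase are constructed stand-ins for the Secrets Manager API calls a real handler makes (get_secret_value, put_secret_value, update_secret_version_stage) and for the database whose password is rotated, and the secret name and credentials are invented.

```python
"""The four-step rotation protocol Secrets Manager drives through a rotation Lambda.

Added example, not code from the original page. FakeSecretsManager models
secret versions and the AWSCURRENT/AWSPENDING/AWSPREVIOUS labels; FakeDatabase
is the target whose password changes. Names and credentials are constructed.
"""
import json
import secrets
import uuid
from typing import Dict, Optional

SECRET_ID = "prod/healthcare-docs/db"
STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")


class FakeDatabase:
    def __init__(self, user: str, password: str):
        self.passwords = {user: password}

    def connect(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password

    def set_password(self, user: str, password: str) -> None:
        self.passwords[user] = password


class FakeSecretsManager:
    def __init__(self, secret_id: str, initial: Dict[str, str]):
        first = str(uuid.uuid4())
        self.secret_id = secret_id
        self.versions = {first: json.dumps(initial)}
        self.stages = {"AWSCURRENT": first}      # staging label -> version id

    def get_secret_value(self, stage: str = "AWSCURRENT", version_id: Optional[str] = None) -> Dict[str, str]:
        vid = self.stages.get(stage)
        if vid is None or (version_id is not None and vid != version_id):
            raise KeyError(f"{self.secret_id}: no version carries {stage}")
        return json.loads(self.versions[vid])

    def put_secret_value(self, version_id: str, value: Dict[str, str], stage: str) -> None:
        self.versions[version_id] = json.dumps(value)
        self.stages[stage] = version_id

    def update_secret_version_stage(self, stage: str, move_to: Optional[str] = None,
                                    remove_from: Optional[str] = None) -> None:
        if remove_from is not None and self.stages.get(stage) == remove_from:
            del self.stages[stage]
            if stage == "AWSCURRENT":              # the service demotes the old current version
                self.stages["AWSPREVIOUS"] = remove_from
        if move_to is not None:
            self.stages[stage] = move_to


def rotation_handler(event: Dict[str, str], sm: FakeSecretsManager, db: FakeDatabase) -> None:
    """One invocation per step; every step must be safe to retry."""
    token, step = event["ClientRequestToken"], event["Step"]
    current = sm.get_secret_value("AWSCURRENT")
    if step == "createSecret":
        try:
            sm.get_secret_value("AWSPENDING", token)           # already created on an earlier attempt
        except KeyError:
            pending = {**current, "password": secrets.token_urlsafe(24)}
            sm.put_secret_value(token, pending, "AWSPENDING")
    elif step == "setSecret":
        pending = sm.get_secret_value("AWSPENDING", token)
        db.set_password(pending["username"], pending["password"])  # done with the AWSCURRENT login in practice
    elif step == "testSecret":
        pending = sm.get_secret_value("AWSPENDING", token)
        if not db.connect(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT is left untouched")
    elif step == "finishSecret":
        old = sm.stages["AWSCURRENT"]
        if old != token:
            sm.update_secret_version_stage("AWSCURRENT", move_to=token, remove_from=old)
            sm.update_secret_version_stage("AWSPENDING", remove_from=token)
    else:
        raise ValueError(f"unknown step {step}")


def rotate(sm: FakeSecretsManager, db: FakeDatabase) -> str:
    """What the service does on schedule: pick a token and call the four steps in order."""
    token = str(uuid.uuid4())
    for step in STEPS:
        rotation_handler({"SecretId": sm.secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return token


def demo() -> Dict[str, bool]:
    db = FakeDatabase("app", "initial-pw")
    sm = FakeSecretsManager(SECRET_ID, {"username": "app", "password": "initial-pw", "host": "db.internal"})
    old_version = sm.stages["AWSCURRENT"]
    token = rotate(sm, db)
    current = sm.get_secret_value("AWSCURRENT")
    return {
        "current_is_new_version": sm.stages["AWSCURRENT"] == token,
        "previous_version_kept": sm.stages.get("AWSPREVIOUS") == old_version,
        "pending_label_cleared": "AWSPENDING" not in sm.stages,
        "db_accepts_new_password": db.connect("app", current["password"]),
        "db_rejects_old_password": not db.connect("app", "initial-pw"),
        "password_changed": current["password"] != "initial-pw",
    }
```

The point the ordering makes: the new password is written to the database and tested while it is still only AWSPENDING, so a failure in setSecret or testSecret leaves AWSCURRENT (and the running Lambda that reads it) unaffected, and the cutover in finishSecret is a single label move that keeps the old version under AWSPREVIOUS for rollback.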

154
MCQ · easy

A company serves a public API through a CloudFront distribution. They want to automatically block common web exploits (for example, OWASP Top 10–style threats) without building custom detection logic. Which AWS service configuration best meets the goal?

A.Enable AWS WAF with AWS Managed Rules and associate the web ACL with the CloudFront distribution.
B.Enable AWS Shield Advanced only; it fully replaces the need for WAF rule evaluation.
C.Attach a security group rule to the ALB to block malicious patterns based on HTTP request bodies.
D.Use Security Hub to block requests automatically when it detects suspicious activity.
AnswerA

AWS WAF inspects HTTP(S) requests and applies allow/block decisions based on rule matches. AWS Managed Rules provide prebuilt protections for common threat patterns, and attaching the WAF web ACL to CloudFront applies filtering at the edge.

Why this answer

AWS WAF with AWS Managed Rules provides pre-configured rule sets specifically designed to block common web exploits, including OWASP Top 10 threats, without requiring custom detection logic. By associating the web ACL with a CloudFront distribution, the filtering occurs at the edge, protecting the origin from malicious traffic before it reaches the application.

Exam trap

The trap here is confusing AWS Shield Advanced (which handles volumetric DDoS attacks) with AWS WAF (which handles application-layer threats like OWASP Top 10), leading candidates to believe Shield alone can replace WAF rule evaluation.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides DDoS protection (and DDoS cost protection) but does not by itself evaluate application-layer rules for OWASP Top 10 threats; a Shield Advanced subscription does include AWS WAF for protected resources at no extra charge, but you still have to create the web ACL and attach the managed rule groups, so it is not a replacement for WAF rule evaluation. Option C is wrong because security groups operate at Layer 3/4 on addresses, protocols and ports and cannot inspect HTTP request bodies or other application-layer payloads to block patterns like SQL injection or XSS (and a security group cannot be attached to CloudFront in any case). Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings; it has no inline traffic inspection or enforcement path and cannot block requests in real time.

155
Multi-Select · hard

Security responders suspect exfiltration from an Amazon S3 bucket that stores sensitive reports encrypted with a customer managed KMS key. They need to identify which IAM principal downloaded each object and whether any principals called KMS Decrypt on the key during the same time window. Which two detective controls should be enabled? Select two.

Select 2 answers
A.Enable CloudTrail data events for the S3 bucket.
B.Include CloudTrail management events for KMS API calls on the customer managed key.
C.Enable S3 Object Lock in compliance mode.
D.Turn on default bucket encryption with SSE-KMS.
E.Enable MFA Delete on the bucket.
AnswersA, B

S3 data events record object-level API activity such as GetObject, PutObject, and DeleteObject, along with the IAM principal or role session that made the call. That visibility is required to determine exactly who downloaded which object and when.

Why this answer

Option A is correct because enabling CloudTrail data events for the S3 bucket captures detailed logs of object-level operations, including GetObject (download) requests. This allows you to identify which IAM principal downloaded each object, along with the source IP, user agent, and request time. Without data events, CloudTrail only logs management-level actions (e.g., bucket creation) and misses object-level access. Option B is correct because KMS API calls, including Decrypt on a customer managed key, are recorded by CloudTrail as management events. Decrypt is a read event, so the trail must log read events and must not have the option to exclude AWS KMS events enabled; with both in place, each Decrypt record shows the calling principal and, for decrypts that S3 performs on a caller's behalf, an encryption context naming the S3 object (or, with S3 Bucket Keys, the bucket), which can be matched against the GetObject data events for the same window.

Exam trap

The trap here is that candidates either assume management events are enough for everything or assume KMS activity needs data events. KMS Decrypt on a customer managed key is a management event (a read event, which a write-only trail or a trail configured to exclude KMS events would miss), whereas S3 object downloads are visible only when data events are enabled; confusing the two event types leads to missing the correct pairing.
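Once both event types are in the trail, the analysis is a join between them. The script below is an added example, not code from the original page: the records are constructed to carry the CloudTrail fields the logic relies on (eventTime, eventSource, eventName, userIdentity, requestParameters, resources), and the bucket, key ARN, principals, addresses and timestamps are invented. It assumes that S3 calls Decrypt with an encryption context whose aws:s3:arn names the object ARN, or the bucket ARN when S3 Bucket Keys are enabled.

```python
"""Correlating S3 GetObject data events with KMS Decrypt management events.

Added example, not code from the original page. The trail records are
constructed; the field names are the CloudTrail ones the logic reads.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BUCKET = "sensitive-reports"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ANALYST = "arn:aws:sts::111122223333:assumed-role/Analyst/jane"
BOB = "arn:aws:iam::111122223333:user/bob"
CONTRACTOR = "arn:aws:sts::111122223333:assumed-role/Contractor/tmp"


def _s3_get(time, session_arn, key, ip, issuer=None, bucket=BUCKET):
    ident = {"type": "AssumedRole" if issuer else "IAMUser", "arn": session_arn}
    if issuer:
        ident["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "userIdentity": ident, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key}}


def _kms_decrypt(time, session_arn, s3_arn=None):
    params = {"encryptionContext": {"aws:s3:arn": s3_arn}} if s3_arn else {}
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
            "userIdentity": {"arn": session_arn}, "requestParameters": params,
            "resources": [{"ARN": KEY_ARN}]}


# Constructed trail: two legitimate downloads (each with the Decrypt S3 made for it),
# one download from another bucket, and one Decrypt that no download explains.
EVENTS = [
    _s3_get("2024-05-01T10:00:02Z", ANALYST, "q1/report.pdf", "203.0.113.7",
            issuer="arn:aws:iam::111122223333:role/Analyst"),
    _kms_decrypt("2024-05-01T10:00:02Z", ANALYST, f"arn:aws:s3:::{BUCKET}/q1/report.pdf"),
    _s3_get("2024-05-01T10:05:40Z", BOB, "q1/summary.pdf", "198.51.100.9"),
    _kms_decrypt("2024-05-01T10:05:41Z", BOB, f"arn:aws:s3:::{BUCKET}/q1/summary.pdf"),
    _s3_get("2024-05-01T10:06:00Z", BOB, "public/logo.png", "198.51.100.9", bucket="marketing-assets"),
    _kms_decrypt("2024-05-01T10:07:13Z", CONTRACTOR),   # direct Decrypt on the key, no S3 context
]


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _role_of(record: Dict) -> str:
    """Role behind an assumed-role session, else the principal ARN itself."""
    ident = record["userIdentity"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident["arn"])


def downloads(events: List[Dict], bucket: str) -> List[Dict]:
    return [e for e in events if e["eventSource"] == "s3.amazonaws.com"
            and e["eventName"] == "GetObject"
            and e["requestParameters"].get("bucketName") == bucket]


def decrypts(events: List[Dict], key_arn: str) -> List[Dict]:
    return [e for e in events if e["eventSource"] == "kms.amazonaws.com"
            and e["eventName"] == "Decrypt"
            and any(r.get("ARN") == key_arn for r in e.get("resources", []))]


def correlate(events, bucket, key_arn, window=timedelta(seconds=10)) -> Tuple[List[Dict], List[Dict]]:
    """Pair each download with the Decrypt calls the same session made for that
    object within the window; return (per-download report, Decrypts left unexplained)."""
    kms = decrypts(events, key_arn)
    explained = set()
    report = []
    for dl in downloads(events, bucket):
        obj_arn = f"arn:aws:s3:::{bucket}/{dl['requestParameters']['key']}"
        hits = [i for i, k in enumerate(kms)
                if k["userIdentity"]["arn"] == dl["userIdentity"]["arn"]
                and abs(_t(k["eventTime"]) - _t(dl["eventTime"])) <= window
                and k["requestParameters"].get("encryptionContext", {}).get("aws:s3:arn")
                in (obj_arn, f"arn:aws:s3:::{bucket}")]
        explained.update(hits)
        report.append({"time": dl["eventTime"], "object": obj_arn, "session": dl["userIdentity"]["arn"],
                       "role": _role_of(dl), "source_ip": dl["sourceIPAddress"], "decrypt_events": len(hits)})
    orphans = [{"time": k["eventTime"], "principal": k["userIdentity"]["arn"]}
               for i, k in enumerate(kms) if i not in explained]
    return report, orphans
```

The unexplained Decrypt list is the second half of the responders' question: a principal using the key outside any logged download either read the data through a path S3 data events do not cover, or called KMS directly, and either way it is the lead to chase first.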

156
MCQ · medium

A static website uses an Amazon S3 bucket as the origin for an Amazon CloudFront distribution. The team accidentally configured the S3 bucket policy to allow s3:GetObject to Principal "*", so objects are accessible via direct S3 URLs. They want to ensure objects are retrievable only through CloudFront. What is the best corrective action?

A.Remove public access from the bucket and update the bucket policy to allow GetObject only from CloudFront using the distribution’s SourceArn (and use CloudFront origin access control or origin access identity).
B.Enable S3 static website hosting and disable CloudFront, because website hosting blocks direct object URL access.
C.Add a WAF rule that rate-limits requests to the S3 bucket domain to make direct access impractical.
D.Turn on S3 object versioning so that attackers cannot read previous objects.
AnswerA

Restricting the bucket policy to CloudFront’s principal with a SourceArn condition prevents direct S3 access while enabling CloudFront.

Why this answer

Option A is correct because the bucket policy currently allows s3:GetObject from any principal, so objects are reachable at their direct S3 URLs. Removing that statement, re-enabling Block Public Access, and allowing GetObject only to CloudFront closes the direct path. With origin access control (the current recommendation) the allowed principal is the cloudfront.amazonaws.com service principal with an AWS:SourceArn condition equal to the distribution's ARN, so no other distribution can use the bucket either; with a legacy origin access identity the allowed principal is the OAI itself. Either way, objects become retrievable exclusively through CloudFront.

Exam trap

The trap here is that candidates may think enabling S3 static website hosting or versioning solves the access control issue, but neither changes the bucket policy—only explicitly restricting the policy to CloudFront’s identity prevents direct S3 URL access.

How to eliminate wrong answers

Option B is wrong because enabling S3 static website hosting does not block direct object URL access; the website endpoint is separate from the REST API endpoint, but the bucket policy still controls access, and objects remain reachable at direct S3 URLs unless the policy is restricted. Option C is wrong because AWS WAF web ACLs attach to CloudFront distributions, Application Load Balancers, API Gateway and a few other services, not to S3 bucket endpoints, and rate limiting would not prevent direct access in any case, only slow it down. Option D is wrong because enabling object versioning does not restrict access; it only preserves previous object versions, and without a restrictive bucket policy every version remains publicly readable via direct S3 URLs.

157
MCQ · medium

A public API for a customer analytics portal is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

A.API keys only
B.JWT authorizer configured for the OpenID Connect issuer
C.IAM authorization for all internet users
D.A VPC endpoint policy
AnswerB

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option B is correct because the scenario requires standards-based token authentication from an external OpenID Connect (OIDC) provider. API Gateway's JWT authorizer natively validates JSON Web Tokens (JWTs) issued by OIDC providers by verifying the token's signature against the provider's JWKS endpoint, checking the `iss` and `aud` claims, and enforcing token expiration. This directly meets the requirement without needing custom Lambda authorizers or additional infrastructure.

Exam trap

The trap here is that candidates confuse API keys (which are static and not standards-based) with JWT tokens (which are cryptographically signed and verifiable), or assume IAM authorization can be used for external identities without understanding that IAM requires AWS credentials, not OIDC tokens.

How to eliminate wrong answers

Option A is wrong because API keys only provide simple identification and rate limiting, not authentication or authorization; they do not validate token signatures, claims, or issuer trust. Option C is wrong because IAM authorization is designed for AWS internal identities (IAM users/roles) and requires AWS Signature V4 signing, which is not compatible with external OIDC tokens or internet-based clients without custom signing logic. Option D is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication; it cannot validate OIDC tokens or handle client identity from the public internet.
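Questions 152 and 157 both turn on what a JWT authorizer actually checks before it lets a request through. The block below is an added example, not code from the original page: a real authorizer verifies an RS256 signature against the issuer's JWKS, so HS256 with a constructed shared secret stands in for the key set to keep the block offline, while the claim checks (issuer, audience, expiry, not-before) and the algorithm pinning are the same. The issuer, audience, key id, clock value and claims are constructed.

```python
"""What an API Gateway JWT authorizer checks, reproduced offline.

Added example, not code from the original page. HS256 with a constructed
secret stands in for RS256 + JWKS; issuer, audience and claims are invented.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

ISSUER = "https://idp.example.com/"
AUDIENCE = "elearning-api"
KEYS = {"kid-2024": b"constructed-shared-secret-not-for-production"}  # stands in for the JWKS
NOW = 1_700_000_000                                                     # fixed clock for reproducibility


class TokenRejected(Exception):
    """Raised with the reason a token fails; the authorizer maps this to 401."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: Dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(claims: Dict[str, Any], kid: str, alg: str = "HS256") -> str:
    """Issue a token as the IdP would (or, with alg='none', as an attacker would)."""
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT', 'kid': kid})}.{_segment(claims)}"
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def validate(token: str, issuer: str = ISSUER, audience: str = AUDIENCE, now: int = NOW) -> Dict[str, Any]:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose 'none' or another family.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")        # verify before trusting any claim
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("not yet valid")
    return claims


def authorize(token: str) -> Dict[str, Any]:
    """Allow/deny decision in the shape a gateway acts on."""
    try:
        claims = validate(token)
    except TokenRejected as exc:
        return {"allowed": False, "reason": str(exc)}
    return {"allowed": True, "principal": claims["sub"]}


def demo() -> Dict[str, Dict[str, Any]]:
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "exp": NOW + 300}
    header, _claims, sig = mint_token(good, "kid-2024").split(".")
    forged = ".".join([header, _segment({**good, "sub": "admin"}), sig])   # claims edited, old signature kept
    return {
        "valid": authorize(mint_token(good, "kid-2024")),
        "expired": authorize(mint_token({**good, "exp": NOW - 1}, "kid-2024")),
        "wrong_audience": authorize(mint_token({**good, "aud": "other-api"}, "kid-2024")),
        "alg_none": authorize(mint_token(good, "kid-2024", alg="none")),
        "tampered": authorize(forged),
    }
```

The audience check is the one teams most often leave out: a token minted by the same issuer for a different client is still validly signed, and only the aud comparison stops it being replayed against this API.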

158
MCQ · medium

A microservice running in ECS retrieves a secret from AWS Secrets Manager. The secret is encrypted with a customer-managed CMK. An administrator re-keyed the secret to a new CMK (the key ARN changed), but kept the same KMS alias name. After re-keying, the service fails with an error from KMS: AccessDenied for kms:Decrypt. The ECS task role’s IAM policy still grants kms:Decrypt but only for the old CMK ARN. What is the best remediation to restore access while maintaining least privilege?

A.Update the IAM policy to allow kms:Decrypt for all CMKs in the account using a wildcard resource (for example, arn:aws:kms:region:account-id:key/*).
B.Update the ECS task role IAM policy to grant kms:Decrypt on the CMK alias ARN (arn:aws:kms:region:account-id:alias/<alias-name>) or to include the new CMK ARN, so decrypt authorization matches the re-keyed CMK.
C.Change the application to decrypt the secret itself using SSE-C keys so Secrets Manager no longer needs KMS.
D.Enable KMS key rotation for the old CMK so the CMK ARN resolves to the new key.
AnswerB

Since the IAM policy references only the old key ARN, it no longer matches the key used after re-keying. Adding the new key ARN restores access with the narrowest possible scope. If you want the permission to follow the alias instead, use the kms:ResourceAliases condition key: an alias ARN in the Resource element of a policy only authorizes alias operations (CreateAlias, DeleteAlias, UpdateAlias), not cryptographic operations on the key behind it.

Why this answer

Option B is correct because the ECS task role's IAM policy still references the old key ARN while the secret is now encrypted under a different key. KMS authorizes cryptographic operations by key ARN, so the policy must be brought into line with the re-keyed secret: either list the new key ARN as the resource, or grant kms:Decrypt with a kms:ResourceAliases condition that matches the alias, so the permission follows whichever key the alias points to. Either way the permission stays scoped to the one key the service needs. The new key's key policy must also permit the role (directly or by delegating to IAM), since a key policy is always evaluated alongside the identity policy.

Exam trap

The trap here is that candidates assume a KMS alias ARN can be placed in a policy's Resource element to authorize Decrypt. It cannot (that form only governs alias operations), and a policy that names the old key ARN stops matching as soon as the secret is re-encrypted under a different key; alias-based authorization has to go through the kms:ResourceAliases condition key.

How to eliminate wrong answers

Option A is wrong because using a wildcard resource (arn:aws:kms:region:account-id:key/*) grants kms:Decrypt on all CMKs in the account, violating least privilege and potentially exposing other encrypted resources. Option C is wrong because SSE-C keys are used for Amazon S3 server-side encryption, not for Secrets Manager; Secrets Manager relies on KMS for envelope encryption, and changing to SSE-C would not integrate with Secrets Manager's native KMS-based encryption. Option D is wrong because enabling KMS key rotation for the old CMK does not change the key ARN; rotation creates new backing key material but retains the same key ID and ARN, so the old CMK ARN still does not authorize decryption of a secret encrypted with a different CMK.

159
MCQ · medium

A service reads encrypted data from Amazon S3. The S3 objects use a customer-managed CMK. The IAM role used by the service has kms:Decrypt in its identity policy, but decryption fails with a KMS error stating the role is not authorized to perform kms:CreateGrant. The CMK’s key policy allows kms:Decrypt for the role but does not include kms:CreateGrant. What is the most appropriate change to resolve the failure while preserving least privilege?

A.Add kms:CreateGrant permission to the CMK key policy for the role (scoped to the necessary CMK), keeping other KMS permissions minimal.
B.Enable key rotation because it makes grant creation unnecessary.
C.Add kms:DescribeKey to the key policy and remove kms:Decrypt to reduce permissions.
D.Update the IAM role to use kms:ScheduleKeyDeletion so future decrypt attempts succeed.
AnswerA

The error explicitly indicates missing authorization to create grants (kms:CreateGrant). Some AWS services require creating a grant to use a key on behalf of a principal. Adding only kms:CreateGrant to the key policy for the specific role resolves the failure with minimal additional access.

Why this answer

The error indicates that the service needs to create a grant on the key so it can use the key on the role's behalf; some AWS services (Amazon EBS when attaching an encrypted volume, for example) work through grants rather than calling KMS with the caller's credentials on every operation. The IAM role has kms:Decrypt, but the key policy neither grants kms:CreateGrant to the role nor delegates to IAM, so the CreateGrant call is refused. Adding kms:CreateGrant to the key policy scoped to the role resolves the failure. To keep it minimal, add a kms:GrantIsForAWSResource condition set to true, so the role can only create grants on behalf of integrated AWS services rather than arbitrary grants for itself.

Exam trap

The trap here is that candidates assume IAM permissions alone are sufficient for all KMS operations, but a key policy is always evaluated for a KMS key: unless it delegates to IAM (the usual "Enable IAM User Permissions" statement), it must itself allow kms:CreateGrant before a service can create a grant on a customer-managed key.

How to eliminate wrong answers

Option B is wrong because enabling key rotation does not eliminate the need for kms:CreateGrant; key rotation changes the underlying key material but does not affect grant-based authorization requirements. Option C is wrong because adding kms:DescribeKey does not resolve the missing kms:CreateGrant, and removing kms:Decrypt would break the decryption operation entirely. Option D is wrong because kms:ScheduleKeyDeletion is used to schedule key deletion, which would make the key unusable and is unrelated to grant creation or decryption authorization.

160
MCQ · easy

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

A.Add an S3 bucket policy Deny statement for s3:PutObject when aws:sourceVpce is not equal to vpce-0abc123example.
B.Add an S3 bucket policy Deny statement that blocks requests unless the principal uses MFA.
C.Enable Block Public Access and remove the public bucket policy statement.
D.Attach an IAM policy to the workload role that allows s3:PutObject only to the bucket ARN.
AnswerA

A bucket policy can use the request context key aws:sourceVpce to distinguish requests that came through a particular VPC endpoint. Using a Deny with a condition such as StringNotEquals on aws:sourceVpce blocks PutObject unless the request reached S3 via that specific Gateway Endpoint. Requests that arrive by other network paths will not match the required endpoint ID and will be denied. That includes requests that carry no aws:sourceVpce at all, such as uploads from the AWS Management Console or a CLI outside the VPC, so exempt an administrative principal in the same condition block (for example with aws:PrincipalArn) or you lock operators out of the bucket.

Why this answer

Option A is correct because it uses an S3 bucket policy with a Deny statement that explicitly denies any s3:PutObject request unless the request originates from the specified VPC Endpoint (vpce-0abc123example). The aws:sourceVpce condition key evaluates the VPC endpoint ID from which the request is made, ensuring that only traffic through that specific Gateway VPC Endpoint is allowed. This enforces the security requirement at the bucket level, and because an explicit Deny overrides any Allow granted elsewhere, no identity policy can reopen another path.

Exam trap

The trap here is that candidates often confuse IAM policies (which control who can act) with bucket policies (which control how and from where access is allowed), leading them to choose an IAM-based solution (Option D) that does not enforce the network-level restriction required by the scenario.

How to eliminate wrong answers

Option B is wrong because requiring MFA does not restrict requests to a specific VPC Endpoint; it only adds an authentication factor, which does not enforce the network-level restriction. Option C is wrong because Block Public Access and removing public policies prevent public access but do not restrict requests to a specific VPC Endpoint; private traffic from other sources (e.g., the internet via a NAT gateway) would still be allowed. Option D is wrong because an IAM policy attached to the workload role controls what the role can do but does not restrict the network path; the workload could still send requests from any network interface, not just the specified VPC Endpoint.

161
MCQ · medium

A backup process restores a 2 TB production database from an EBS snapshot onto a new volume. During the first hours after restore, the application sees slow reads whenever previously unused blocks are accessed. What is the best way to avoid this performance issue in future restores?

A.Increase the volume size to give the database more free space.
B.Enable Fast Snapshot Restore on the snapshots used for recovery.
C.Move the database files to Amazon EFS after the restore completes.
D.Use magnetic standard volumes because they avoid snapshot hydration delays.
AnswerB

Fast Snapshot Restore removes the initial performance penalty that occurs when a restored EBS volume reads blocks that have not yet been hydrated. By pre-warming the snapshot data in the target AZ, it helps ensure consistent read performance immediately after restore. This is especially valuable for databases and other workloads that must recover quickly without waiting for the background hydration process.

Why this answer

When an EBS volume is restored from a snapshot, its blocks are loaded lazily from Amazon S3 in the background. The first read of a block that has not yet been loaded pays a penalty because the volume must fetch it from S3 before serving the I/O. Enabling Fast Snapshot Restore (FSR) on the snapshot, in the Availability Zones where you restore, pre-warms the data so volumes created from it deliver full performance immediately, eliminating the slow first reads. FSR is billed per snapshot per Availability Zone; where it is not enabled, the fallback is to initialize the new volume before use by reading every block (for example with dd or fio), which forces hydration to finish before the database opens its files.

Exam trap

The trap here is that candidates may think increasing volume size or switching to a different storage class will fix the lazy hydration delay, but only Fast Snapshot Restore directly addresses the root cause by pre-initializing the data blocks.

How to eliminate wrong answers

Option A is wrong because increasing volume size does not affect the lazy hydration process; it only adds more uninitialized blocks that would also suffer from the same slow-read penalty. Option C is wrong because moving database files to Amazon EFS after restore does not solve the initial slow-read problem; EFS has its own latency characteristics and does not eliminate the need to hydrate the EBS volume. Option D is wrong because HDD-backed volume types (st1/sc1) and the previous-generation magnetic standard type are slower and still hydrate lazily from the snapshot; they do not avoid the delay and perform worse than gp3 or io2 once hydrated.

162
MCQ · medium

Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance. Which bucket policy change best enforces both requirements?

A.Add a Deny statement for all S3 actions on the bucket and its objects when aws:SecureTransport is false, and add a Deny statement for s3:PutObject when the request does not specify server-side encryption with AES256 (s3:x-amz-server-side-encryption = "AES256").
B.Use S3 website hosting to redirect users to HTTPS and rely on bucket default encryption for all uploads.
C.Add a Deny statement for s3:GetObject when aws:SecureTransport is false, and enable default encryption on the bucket.
D.Allow only IAM principals from your account to access the bucket and require clients to configure HTTPS in their applications.
AnswerA

This enforces HTTPS for all S3 requests by denying any non-TLS access and enforces encryption at rest by denying uploads that do not request SSE-S3. Because the controls are in the bucket policy, compliance does not depend on application behavior.

Why this answer

Option A is correct because it uses a Deny statement with the `aws:SecureTransport` condition to block any request that does not use HTTPS, enforcing encryption in transit, and a Deny for `s3:PutObject` when the request does not set `x-amz-server-side-encryption` to `AES256`, so uploads that omit the header or ask for another method are refused (a negated operator such as StringNotEquals also matches when the header is absent; AWS's published example nevertheless pairs it with a `Null` condition to make the no-header case explicit). Because the controls are in the bucket policy, enforcement works regardless of application code. Note that S3 now applies SSE-S3 to every new object by default, so the upload condition adds value mainly where you need a specific method or key, such as SSE-KMS with a particular key, and the header check should then name that method instead.

Exam trap

The trap here is that candidates often confuse default encryption with policy-based enforcement. Default encryption guarantees an object is stored encrypted (there is no request header that turns encryption off), but it does not stop a client from selecting a different method or key in its request; only a bucket-policy condition on the encryption header pins uploads to the required method.

How to eliminate wrong answers

Option B is wrong because an S3 website endpoint serves HTTP only (HTTPS for a website endpoint requires CloudFront in front of it), its redirect rules do nothing for API requests made through the SDK or CLI, and default encryption covers data at rest, not in transit. Option C is wrong because it only denies `s3:GetObject` when `aws:SecureTransport` is false, leaving uploads and every other action free to travel over plain HTTP, and default encryption alone does not stop a request from selecting a different encryption method than the one required. Option D is wrong because restricting access to IAM principals controls authorization only; it enforces neither HTTPS nor encryption at rest, and asking clients to configure HTTPS relies on exactly the application compliance the question rules out.
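Questions 160 and 162 rest on how Deny conditions in a bucket policy evaluate against the request context. The block below is an added example, not code from the original page: BUCKET_POLICY reproduces the three Deny patterns (TLS only, uploads only through one VPC endpoint, uploads only with SSE-S3) using the endpoint ID from question 160 and a constructed bucket name, and first_deny is a constructed evaluator for just the operators those statements use. It assumes the IAM rule that a negated operator such as StringNotEquals also matches when its key is absent from the request context, which is why the endpoint Deny also catches console or CLI requests that never traverse the endpoint.

```python
"""Deny-statement evaluation for the bucket-policy patterns in questions 160 and 162.

Added example, not code from the original page. The bucket name and request
contexts are constructed; the endpoint ID is the one in question 160.
"""
from typing import Dict, List, Optional, Union

BUCKET_ARN = "arn:aws:s3:::finance-uploads"
ENDPOINT_ID = "vpce-0abc123example"
Pattern = Union[str, List[str]]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "RequireVpce", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}}},
        {"Sid": "DenyUnencryptedUpload", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ],
}

NEGATED_OPERATORS = {"StringNotEquals"}


def _glob(pattern: Pattern, value: str) -> bool:
    """Match 'exact' or 'prefix*' patterns, the only forms these statements use."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(value == p or (p.endswith("*") and value.startswith(p[:-1])) for p in patterns)


def _condition_matches(operator: str, key: str, expected: Pattern, ctx: Dict[str, str]) -> bool:
    wanted = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        return (key not in ctx) == (wanted[0] == "true")   # "true": the key must be absent
    if key not in ctx:
        return operator in NEGATED_OPERATORS               # assumption stated in the lead-in
    value = ctx[key]
    if operator == "Bool":
        return value.lower() == wanted[0].lower()
    if operator == "StringEquals":
        return value in wanted
    if operator == "StringNotEquals":
        return value not in wanted
    raise ValueError(f"operator {operator} not modelled here")


def first_deny(policy: Dict, action: str, resource: str, ctx: Dict[str, str]) -> Optional[str]:
    """Sid of the first matching Deny, or None when no Deny applies (the request then
    succeeds only if some Allow covers it). An explicit Deny always wins."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _glob(stmt["Action"], action) or not _glob(stmt["Resource"], resource):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, expected, ctx)
               for op, pairs in conditions.items() for key, expected in pairs.items()):
            return stmt["Sid"]
    return None


def demo() -> Dict[str, Optional[str]]:
    obj = f"{BUCKET_ARN}/2024/ledger.csv"
    ok = {"aws:SecureTransport": "true", "aws:sourceVpce": ENDPOINT_ID,
          "s3:x-amz-server-side-encryption": "AES256"}

    def without(key: str) -> Dict[str, str]:
        return {k: v for k, v in ok.items() if k != key}

    return {
        "compliant_put": first_deny(BUCKET_POLICY, "s3:PutObject", obj, ok),
        "plain_http_put": first_deny(BUCKET_POLICY, "s3:PutObject", obj, {**ok, "aws:SecureTransport": "false"}),
        "console_put_no_endpoint": first_deny(BUCKET_POLICY, "s3:PutObject", obj, without("aws:sourceVpce")),
        "put_without_sse_header": first_deny(BUCKET_POLICY, "s3:PutObject", obj,
                                             without("s3:x-amz-server-side-encryption")),
        "put_with_kms_header": first_deny(BUCKET_POLICY, "s3:PutObject", obj,
                                          {**ok, "s3:x-amz-server-side-encryption": "aws:kms"}),
        "get_over_tls_via_endpoint": first_deny(BUCKET_POLICY, "s3:GetObject", obj,
                                                without("s3:x-amz-server-side-encryption")),
        "list_bucket_plain_http": first_deny(BUCKET_POLICY, "s3:ListBucket", BUCKET_ARN,
                                             {"aws:SecureTransport": "false"}),
    }
```

Two of the results are the ones worth remembering: the console upload is denied by RequireVpce even though it is over TLS and encrypted, because the endpoint key is simply absent, and the GetObject over TLS through the endpoint is untouched, because the upload conditions are scoped to s3:PutObject and the TLS statement's Bool condition does not match a true value.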

163
MCQ · medium

Based on the exhibit, what is the most appropriate fix so the workload in Account A can access the S3 bucket in Account B without using long-lived access keys?

A.Create an IAM role in Account B, trust Account A's AppRole to assume it with STS, and then access the bucket using temporary credentials.
B.Attach AmazonS3FullAccess to the instance profile role in Account A and keep using the same direct access path.
C.Add an SCP to Account A that allows S3 actions against buckets in Account B.
D.Enable S3 versioning on the bucket so cross-account requests are automatically trusted.
AnswerA

Assuming a role in the target account is a clean cross-account pattern that uses temporary credentials instead of static keys. The trust policy in Account B controls who may assume the role, and the role in B can then be given the exact S3 permissions needed. This is easy to revoke centrally by changing the trust relationship or role policy.

Why this answer

Option A is correct because it uses AWS Security Token Service (STS) to allow the workload in Account A to assume an IAM role in Account B, obtaining temporary credentials that grant access to the S3 bucket. This eliminates the need for long-lived access keys and follows the principle of least privilege, as the role can be scoped to specific S3 actions and resources.

Exam trap

The trap here is that candidates often confuse SCPs with resource-based policies or assume that attaching a managed policy to an instance profile automatically grants cross-account access, overlooking the need for explicit trust and bucket policies in the target account.

How to eliminate wrong answers

Option B is wrong because AmazonS3FullAccess attached to the instance profile role in Account A grants nothing in Account B: cross-account access needs either a bucket policy in Account B that names the Account A role or a role in Account B that the workload assumes. An instance profile itself issues temporary credentials, but they belong to an Account A principal that Account B has not authorized, and if the workload's current direct path relies on static access keys, this option leaves them in place while adding an over-broad managed policy. Option C is wrong because Service Control Policies only bound the maximum permissions of principals in the accounts of an AWS Organization to which they apply; they never grant access, least of all to resources in another account. Option D is wrong because enabling S3 versioning does not affect authentication or authorization; it preserves prior object versions and has no effect on IAM permissions or trust relationships.

164
MCQ · medium

A company hosts an image sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A.AWS Systems Manager Session Manager with the required instance role
B.An internet gateway attached to the private subnet
C.A public Elastic IP address on each instance
D.A bastion host with SSH open to 0.0.0.0/0
AnswerA

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager gives administrators an interactive shell (bash or PowerShell) on an EC2 instance without opening any inbound ports, and can also port-forward SSH or RDP through the same channel when a native client is needed. The SSM Agent on the instance initiates outbound HTTPS (port 443) connections to the Systems Manager endpoints (ssm, ssmmessages and ec2messages, reached through the internet, a NAT gateway or interface VPC endpoints), and the instance role (typically with AmazonSSMManagedInstanceCore attached) authorizes the agent to register and open sessions. Access is controlled by IAM and logged in CloudTrail, with optional session recording to S3 or CloudWatch Logs, and needs neither public IP addresses nor bastion hosts.

Exam trap

The trap here is that candidates often default to a bastion host (Option D) as a traditional solution, but fail to recognize that a bastion host still requires opening SSH/RDP to the internet (even if only to the bastion), which violates the 'without opening SSH or RDP ports to the internet' constraint.

How to eliminate wrong answers

Option B is wrong because an internet gateway is attached to the VPC, not to a subnet, and a subnet only becomes public through a route to that gateway; instances in a private subnet reach the internet outbound only through a NAT device, and none of this provides an inbound administrative path without opening ports. Option C is wrong because assigning a public Elastic IP address to each instance would expose them to the internet, requiring SSH or RDP ports to be open, which violates the requirement to not open those ports. Option D is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the bastion to the entire internet, creating a security risk and still requires opening SSH (port 22) to the internet, which directly contradicts the requirement.

165
MCQeasy

Your company uses an OIDC identity provider to let users assume an IAM role without long-term AWS credentials. In the IAM role trust policy, which STS action must be allowed to support this type of federation?

A.sts:AssumeRoleWithWebIdentity
B.sts:AssumeRole
C.sts:GetCallerIdentity
D.sts:TagSession
AnswerA

OIDC/web identity federation uses sts:AssumeRoleWithWebIdentity in the trust policy.

Why this answer

Option A is correct because sts:AssumeRoleWithWebIdentity is the STS API action specifically designed for federated users authenticated by an OIDC or SAML identity provider. This action returns temporary security credentials without requiring long-term AWS access keys, enabling the OIDC-based federation described in the question.

Exam trap

The trap here is that candidates confuse sts:AssumeRoleWithWebIdentity with sts:AssumeRole, not realizing that the former is required for OIDC/SAML federation while the latter is for IAM users or AWS services.

How to eliminate wrong answers

Option B is wrong because sts:AssumeRole is used for cross-account access or for roles assumed by IAM users or AWS services, not for web identity federation with an OIDC provider. Option C is wrong because sts:GetCallerIdentity simply returns details about the IAM user or role whose credentials are used to make the call; it does not initiate any federation or credential issuance. Option D is wrong because sts:TagSession is used to apply tags to an already-assumed role session, not to perform the initial federation or role assumption.

166
Multi-Selecthard

A reporting application in Account B must read files from an S3 bucket in Account A. The bucket contains objects encrypted with a customer managed KMS key in Account A. The application role in Account B already has an identity policy allowing s3:GetObject on the bucket prefix, but requests still fail with AccessDenied. Which two changes are required for the application to read the objects? Select two.

Select 2 answers
A.Add a bucket policy in Account A that allows the Account B role to perform s3:GetObject on the required prefix.
B.Add the Account B role to the KMS key policy in Account A with permission to use kms:Decrypt.
C.Attach an IAM policy in Account B that grants s3:* on the bucket and its objects.
D.Create an S3 gateway endpoint in Account B so the application can reach the bucket privately.
E.Add an SCP in Account A that allows the Account B role to bypass KMS encryption checks.
AnswersA, B

Cross-account S3 access requires a resource-based permission on the bucket. The bucket policy must explicitly allow the external role to read the needed prefix, otherwise the bucket owner blocks the request even if the role's identity policy allows it.

Why this answer

Option A is correct because cross-account S3 access requires the destination account (Account A) to explicitly grant access via a bucket policy that allows the source account's role (Account B) to perform s3:GetObject on the specified prefix. Without this bucket policy, the S3 service in Account A will deny the request, even if the IAM identity policy in Account B permits the action. Option B is correct because the objects are encrypted with a customer managed KMS key in Account A; the application role in Account B must be added to the KMS key policy with kms:Decrypt permission to decrypt the objects during retrieval.

Both the S3 bucket policy and the KMS key policy are required for cross-account encrypted access.

Exam trap

The trap here is that candidates often assume a cross-account IAM role with s3:GetObject permission is sufficient, overlooking that S3 bucket policies and KMS key policies are separate authorization layers that must explicitly allow the external principal, especially when objects are encrypted with a customer managed KMS key.

167
MCQmedium

A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services. Which architecture best satisfies these requirements?

A.Place instances in private subnets but use NAT gateways so traffic to S3 and Secrets Manager goes through the internet; restrict security groups to instance-to-instance only.
B.Add a VPC gateway endpoint for S3 and an interface VPC endpoint for Secrets Manager; keep instances in private subnets and configure security group rules attached to the endpoints to allow inbound traffic only from the application subnets.
C.Use public subnets with instances that have no security group rules; rely on AWS services to reject unauthorized traffic.
D.Create an S3 bucket policy that allows requests from the application instances’ private IP addresses and enable public access to Secrets Manager via the default service endpoint.
AnswerB

Gateway endpoints provide private routing to S3, and interface endpoints provide private access to Secrets Manager without internet traversal. Security group controls on interface endpoints restrict traffic to only the application subnets, meeting segmentation and cost constraints.

Why this answer

Option B is correct because it uses a VPC gateway endpoint for Amazon S3 and an interface VPC endpoint for AWS Secrets Manager, both of which allow private subnet instances to access these services without traversing the public internet or requiring a NAT gateway. The security group rules attached to the interface endpoint restrict inbound traffic to only the application subnets, satisfying the security requirement of allowing only required VPC traffic. This architecture meets all constraints: no public internet, no NAT gateway cost, and least-privilege access.

Exam trap

The trap here is that candidates often assume all AWS services require NAT gateways or internet gateways for private subnet access, overlooking the distinction between gateway endpoints (for S3 and DynamoDB) and interface endpoints (for most other services like Secrets Manager) that provide private connectivity without internet exposure.

How to eliminate wrong answers

Option A is wrong because NAT gateways incur cost and route traffic through the internet, violating the 'without exposing the instances to NAT gateways due to cost' requirement; additionally, security groups on instances alone do not restrict traffic to AWS service endpoints. Option C is wrong because public subnets expose instances to inbound internet traffic, contradicting the 'no inbound internet' requirement, and having no security group rules is a severe security violation. Option D is wrong because enabling public access to Secrets Manager via the default service endpoint exposes it to the internet, and S3 bucket policies based on private IP addresses are unreliable since private IPs can change and do not authenticate the requester; Secrets Manager requires interface endpoints or private connectivity, not public endpoints.

168
Multi-Selectmedium

A containerized service on Amazon ECS connects to a database with a password that must never be stored in plaintext or hardcoded in the image. The application reads the password at startup and occasionally reconnects later, so it needs to retrieve the current secret when needed. Which three actions should the architect take? Select three.

Select 3 answers
A.Store the database password in AWS Secrets Manager.
B.Have the application retrieve the secret from Secrets Manager at runtime when it needs the password.
C.Grant the ECS task role least-privilege permission to read only that secret.
D.Store the password in a plain environment variable and update it manually during maintenance windows.
E.Use an IAM user access key inside the container so the database password can be embedded in code.
AnswersA, B, C

Secrets Manager is designed for sensitive credentials and integrates with IAM and rotation features. It is a better fit than putting passwords in code, images, or plain variables.

Why this answer

AWS Secrets Manager is the correct service for securely storing and automatically rotating database credentials. It eliminates the need to hardcode secrets in the container image or store them in plaintext. The application retrieves the secret at runtime via the AWS SDK, ensuring the current password is always used.

Exam trap

The trap here is that candidates might think environment variables or IAM access keys are acceptable for storing secrets, but AWS explicitly requires secrets to be stored in a dedicated secrets management service with least-privilege IAM permissions.

169
MCQeasy

A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?

A.Create an IAM user for the pipeline and store access keys in the CI system.
B.Create an IAM role in the production account, grant least-privilege policies, and let the CI assume it using STS AssumeRole.
C.Attach the required permissions to an IAM group and add the pipeline’s principal to that group directly.
D.Use AWS KMS to encrypt the pipeline’s access keys and store the ciphertext in the CI system.
AnswerB

IAM roles with STS provide temporary credentials and allow least-privilege permissions via attached policies.

Why this answer

Option B is correct because it uses an IAM role with least-privilege policies that the CI/CD pipeline can assume via AWS STS AssumeRole, providing temporary credentials that automatically expire. This avoids long-lived access keys and meets the security requirement of using temporary credentials. The role can be scoped to allow only reading specific parameters from Systems Manager Parameter Store and writing logs to CloudWatch Logs, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates may think IAM users with access keys are acceptable for automation, but the question explicitly requires temporary credentials, making the IAM role with STS AssumeRole the only correct approach.

How to eliminate wrong answers

Option A is wrong because it creates an IAM user with long-lived access keys, which violates the security requirement for temporary credentials and introduces a risk of key exposure. Option C is wrong because IAM groups are used to manage permissions for IAM users, not for external CI/CD systems; the pipeline's principal cannot be added to an IAM group directly without an IAM user, and this still relies on long-lived credentials. Option D is wrong because encrypting access keys with KMS does not eliminate the use of long-lived access keys; the pipeline would still need to decrypt and use them, which does not meet the requirement for temporary credentials.

170
MCQmedium

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

A.Enable server access logging on the bucket
B.Enable S3 Transfer Acceleration
C.Create an IAM policy that denies s3:GetObject to anonymous users
D.Enable S3 Block Public Access at the account or bucket level
AnswerD

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

S3 Block Public Access provides a definitive override that prevents any public access to S3 objects, regardless of bucket policies or ACLs. By enabling this setting at the account or bucket level, the architect ensures that even if a developer later attaches an overly permissive bucket policy, the objects remain inaccessible to anonymous users. This meets the requirement without requiring custom operational scripts.

Exam trap

The trap here is that candidates often think an IAM policy can block anonymous access, but IAM policies do not apply to unauthenticated principals; only bucket policies or S3 Block Public Access can effectively deny anonymous access.

How to eliminate wrong answers

Option A is wrong because server access logging records requests to the bucket but does not enforce any access restrictions; it only provides audit logs. Option B is wrong because S3 Transfer Acceleration speeds up uploads over long distances using edge locations but has no effect on access control or public accessibility. Option C is wrong because an IAM policy that denies s3:GetObject to anonymous users only applies to IAM principals; anonymous users are not IAM principals, so such a policy would not block access granted by a bucket policy that explicitly allows anonymous access.

171
MCQmedium

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

A.Create a Gateway VPC endpoint for S3 and associate it with the private subnet route tables that contain the instances.
B.Replace the security group egress rule to allow all outbound traffic to 0.0.0.0/0 on TCP 443.
C.Add an Internet Gateway to the VPC and route the private subnet’s 0.0.0.0/0 to the IGW.
D.Switch from network ACLs to security groups by removing the existing NACL allow rules for ephemeral ports.
AnswerA

S3 connectivity without NAT typically requires a Gateway VPC endpoint. For a gateway endpoint, you must update the route tables to direct S3 traffic to the endpoint. If DynamoDB works but S3 times out, it often means DynamoDB has the required endpoint while S3 is missing or not routed via the correct route tables.

Why this answer

The application is in private subnets without a NAT Gateway, so it cannot reach the internet. A Gateway VPC Endpoint for S3 allows private subnet instances to access S3 over the AWS network without internet connectivity. The security group already allows TCP 443 to the VPC endpoint addresses, so the missing piece is the route table association that directs S3 traffic to the endpoint.

Exam trap

The trap here is that candidates often confuse Gateway VPC Endpoints with Interface Endpoints, or assume that allowing outbound HTTPS to 0.0.0.0/0 in a security group is sufficient, forgetting that private subnets have no internet route without a NAT Gateway or Internet Gateway.

How to eliminate wrong answers

Option B is wrong because allowing all outbound traffic to 0.0.0.0/0 on TCP 443 would not help, as the private subnets have no route to the internet (no NAT Gateway or Internet Gateway), so traffic would still be dropped. Option C is wrong because adding an Internet Gateway and routing 0.0.0.0/0 to it would require the private subnet instances to have public IPs or a NAT device, and it would break the security posture by exposing them to the internet. Option D is wrong because network ACLs are stateless and must allow ephemeral ports for return traffic, but the issue is not about NACLs; it is about the lack of a route to S3, and switching to security groups does not solve the routing problem.

172
MCQmedium

A company hosts an e-learning platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A.A public Elastic IP address on each instance
B.A bastion host with SSH open to 0.0.0.0/0
C.An internet gateway attached to the private subnet
D.AWS Systems Manager Session Manager with the required instance role
AnswerD

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH/RDP) or using a bastion host. It uses the AWS Systems Manager agent and an IAM instance role to establish a bidirectional connection over HTTPS to the AWS Systems Manager service, eliminating the need for public IP addresses or internet-facing security groups.

Exam trap

The trap here is that candidates often assume a bastion host (Option B) is the only secure way to manage instances, but they overlook that Session Manager provides a more secure, agent-based solution that eliminates the need for any open inbound ports or public IP addresses.

How to eliminate wrong answers

Option A is wrong because assigning a public Elastic IP address to each instance would expose them directly to the internet, requiring open SSH or RDP ports, which violates the requirement to avoid opening those ports. Option B is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the bastion to the entire internet, creating a security risk and still requires opening SSH ports, which contradicts the requirement. Option C is wrong because an internet gateway attached to a private subnet does not provide connectivity; internet gateways must be attached to VPCs and associated with route tables for public subnets, and private subnets cannot directly use an internet gateway without a NAT device, which still does not solve the administrative access need without open ports.

173
Drag & Dropmedium

Arrange the steps for a cross-region Amazon S3 replication configuration.

Why this order

Versioning must be enabled first, then IAM role, replication rules, destination config, and verification.

174
MCQmedium

A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs. Which change is the best fix while meeting the security requirements?

A.Disable S3 Block Public Access and add an ACL that grants READ and WRITE to the bucket owner only.
B.Keep Block Public Access enabled, remove any Allow statement to Principal="*", and use a bucket policy or access point policy that denies non-HTTPS requests and allows PutObject/GetObject only when the object key matches the authenticated user's session tag, such as arn:aws:s3:::media-originals/${aws:PrincipalTag/userId}/*.
C.Use bucket website hosting and allow public GET requests so presigned URLs are not needed for downloads.
D.Use ACLs to grant ObjectOwner full control and rely on the application to generate presigned URLs with longer expirations to avoid 403 errors.
AnswerB

Block Public Access ensures the bucket cannot become public. A policy that denies non-HTTPS traffic and scopes object ARNs to a session tag or equivalent identity attribute enforces user-specific access without relying on public principals.

Why this answer

Option B is correct because it keeps S3 Block Public Access enabled (preventing any public access), uses a bucket policy or access point policy with a condition key like `aws:PrincipalTag` to restrict `PutObject`/`GetObject` to the user-specific prefix (e.g., `arn:aws:s3:::media-originals/${aws:PrincipalTag/userId}/*`), and denies non-HTTPS requests via an `aws:SecureTransport` condition. This ensures presigned URLs work only for authenticated users with the correct session tag, while eliminating the 403 errors caused by overly restrictive policies or missing principal restrictions.

Exam trap

The trap here is that candidates assume presigned URLs bypass all bucket policies, but in reality, presigned URLs are subject to the same bucket policies and IAM permissions as the signing principal, so a missing or overly restrictive policy condition (like not scoping to the user-specific prefix) causes 403 errors.

How to eliminate wrong answers

Option A is wrong because disabling S3 Block Public Access removes the primary safeguard against public exposure, and an ACL that grants READ and WRITE to the bucket owner only is a legacy mechanism that enforces neither the user-specific prefix restriction nor HTTPS. Option C is wrong because bucket website hosting with public GET requests exposes objects to the internet, directly violating the requirement to prevent any public access. Option D is wrong because ACLs granting ObjectOwner full control do not enforce user-specific prefix restrictions or HTTPS, and longer presigned URL expirations do not fix 403 errors caused by missing policy conditions or incorrect principal restrictions.

175
Drag & Dropmedium

Arrange the steps to create an encrypted Amazon EBS volume from scratch in the correct order.

Why this order

Encryption requires a KMS key first, then volume creation with encryption, attach, format/mount, and verification.

176
MCQhard

An order processing API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

A.IAM database authentication for RDS with an EC2 instance role
B.Store the database password in user data
C.Use a security group rule that allows only application instances
D.Embed the database password in the AMI
AnswerA

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS allows EC2 instances to authenticate to PostgreSQL using a short-lived token generated via the AWS CLI or SDK, instead of a static password. By assigning an IAM instance role to the EC2 instance, the application can obtain the token without storing any credentials on the instance, meeting both security requirements. This approach uses the IAM role's temporary security credentials to generate a password token that is valid for 15 minutes, after which a new token must be obtained.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with authentication mechanisms, or they assume that storing credentials in user data or AMIs is acceptable because it is 'hidden,' but the exam explicitly tests the requirement for short-lived, non-persistent credentials.

How to eliminate wrong answers

Option B is wrong because storing the database password in user data leaves it in plaintext on the instance metadata, which can be accessed by any process or user with instance metadata access, and it does not use short-lived credentials. Option C is wrong because a security group rule only controls network access at the transport layer; it does not provide authentication credentials or eliminate the need to store them on the instance. Option D is wrong because embedding the database password in the AMI hardcodes the credential into the image, which persists across instances and cannot be rotated without rebuilding the AMI, violating the requirement for short-lived credentials.

177
MCQhard

A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

A.Store the database password in user data
B.IAM database authentication for RDS with an EC2 instance role
C.Use a security group rule that allows only application instances
D.Embed the database password in the AMI
AnswerB

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS with an EC2 instance role is the correct approach because it eliminates the need to store credentials on the instance. The EC2 instance assumes an IAM role, which obtains a short-lived (15-minute default) authentication token using the AWS CLI's `generate-db-auth-token` command. This token is used as the password for the PostgreSQL connection, ensuring credentials are never stored and automatically rotated.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with authentication mechanisms, or they assume that storing credentials in user data or AMIs is acceptable because they are 'hidden', but the exam strictly requires no static credentials on the instance and short-lived tokens.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data leaves it in plaintext on the instance metadata, which is accessible to any process or user with access to the instance, violating the requirement to not store credentials on EC2. Option C is wrong because a security group rule only controls network access at the transport layer; it does not address authentication or credential storage, and the application would still need a static password to connect. Option D is wrong because embedding the database password in the AMI hardcodes the credential into the image, which persists across instances and violates the principle of not storing credentials on the instance, plus it cannot provide short-lived credentials.

178
MCQhard

An IoT ingestion API uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

A.Store the database password in user data
B.Embed the database password in the AMI
C.IAM database authentication for RDS with an EC2 instance role
D.Use a security group rule that allows only application instances
AnswerC

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

Option C is correct because IAM database authentication for RDS allows EC2 instances to authenticate to PostgreSQL using short-lived credentials obtained via an IAM instance role, eliminating the need to store long-term credentials on the instance. The EC2 instance assumes the role, retrieves a temporary authentication token (valid for 15 minutes), and uses it to connect to the RDS database, meeting both security requirements.

Exam trap

The trap here is that candidates confuse network-level controls (security groups) with authentication mechanisms, assuming that restricting traffic alone satisfies credential security, while the real requirement is about eliminating stored long-term credentials entirely.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data is insecure — user data is accessible from within the instance and can be retrieved by any process or user with access, and it does not provide short-lived credentials. Option B is wrong because embedding the database password in an AMI creates a static credential that persists across instances launched from that AMI, violating the requirement for short-lived credentials and increasing the risk of credential exposure. Option D is wrong because a security group rule controls network access at the transport layer but does not address authentication or credential management; it cannot provide short-lived credentials or eliminate the need to store passwords on the instance.

179
MCQmedium

Your organization uses IAM permission boundaries to prevent privilege escalation. A deployment role was created with a permission boundary. After an incident, you discover that an operator was later able to remove or change the permission boundary (the operator has iam:PutRolePermissionsBoundary permissions). You need to ensure operators cannot remove or change the permission boundary after it is set. What is the best security control to add?

A.Grant operators iam:PutRolePermissionsBoundary so they can reapply the boundary if needed.
B.Add an explicit IAM Deny for operators on both iam:PutRolePermissionsBoundary and iam:DeleteRolePermissionsBoundary for all affected roles.
C.Rely only on the role’s trust policy so operators cannot assume the role.
D.Attach a more permissive permission boundary so the roles remain functional after changes.
AnswerB

An explicit Deny prevents permission boundary updates or removal, even if the operator has allow permissions elsewhere. This directly protects the permission boundary integrity and maintains the privilege-limiting guardrail.

Why this answer

Option B is correct because adding an explicit IAM Deny for both `iam:PutRolePermissionsBoundary` and `iam:DeleteRolePermissionsBoundary` on the affected roles prevents operators from removing or changing the permission boundary, even if they have the corresponding Allow permissions. This is a classic use of an explicit Deny, which overrides any Allow in AWS IAM policy evaluation logic, ensuring the boundary remains immutable after deployment.

Exam trap

The trap here is that candidates often assume that simply not granting the `iam:PutRolePermissionsBoundary` permission is sufficient, but they overlook that an operator with broader IAM privileges (e.g., `iam:PassRole` or `iam:CreatePolicyVersion`) could still modify the boundary unless an explicit Deny is added.

How to eliminate wrong answers

Option A is wrong because granting `iam:PutRolePermissionsBoundary` would allow the operator to reapply a different boundary, which directly enables the privilege escalation they are trying to prevent. Option C is wrong because relying solely on the role’s trust policy controls who can assume the role, but does not restrict the operator’s ability to modify the permission boundary via IAM API calls (e.g., from their own user account). Option D is wrong because attaching a more permissive permission boundary would expand the role’s effective permissions, defeating the purpose of using boundaries to limit privilege escalation.

180
MCQmedium

A microservice runs in private subnets and must read exactly one AWS Secrets Manager secret using its IAM task role: arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-pass-AbCdEf. Security requires that every Secrets Manager API call comes only through a specific Interface VPC Endpoint (vpce-0a1b2c3d4e5f6g7h), and must not be reachable over any other network path. Which IAM policy change best enforces this requirement?

A.In the task role policy statement for secretsmanager:GetSecretValue on the secret ARN, add a condition that allows the action only when aws:SourceVpce equals vpce-0a1b2c3d4e5f6g7h.
B.Add a condition that allows secretsmanager:GetSecretValue only when aws:SourceIp is within 10.0.0.0/8.
C.Require TLS by adding a condition on aws:SecureTransport for the Secrets Manager permission.
D.Add a KMS condition using kms:ViaService=secretsmanager.us-east-1.amazonaws.com instead of restricting Secrets Manager directly.
Answer: A

For Interface VPC endpoints, aws:SourceVpce can be used as a condition key so that Secrets Manager (and likewise KMS) API authorization succeeds only when the request arrives through the specified endpoint. Restricting the IAM permission with aws:SourceVpce=vpce-... directly matches the requirement that calls must not traverse any other network path (e.g., a NAT gateway or other egress).

Why this answer

Option A is correct because the condition `aws:SourceVpce` in the IAM policy restricts the `secretsmanager:GetSecretValue` API call to originate only from the specified VPC Endpoint (vpce-0a1b2c3d4e5f6g7h). This ensures that the secret can only be accessed via that specific Interface Endpoint, blocking any other network path (e.g., internet, NAT gateway, or other VPC endpoints). The task role is attached to the microservice, so the policy directly enforces the security requirement at the API level.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpce` with `aws:SourceIp` or `aws:SourceVpc`, thinking any network-level condition will work, but only `aws:SourceVpce` uniquely identifies the specific Interface VPC Endpoint required for this strict enforcement.

How to eliminate wrong answers

Option B is wrong because the `aws:SourceIp` condition key is not effective for requests made through a VPC Endpoint; the source IP is replaced by the endpoint's private IP, making the condition unreliable for restricting traffic to a specific endpoint. Option C is wrong because requiring TLS (`aws:SecureTransport`) only ensures encryption in transit, not that the API call comes through a specific VPC Endpoint; it does not restrict the network path. Option D is wrong because `kms:ViaService` restricts KMS key usage to a specific AWS service (Secrets Manager), but it does not control which network path (e.g., VPC Endpoint) the Secrets Manager API call uses; it addresses KMS authorization, not network-level restriction.

181
MCQ · easy

Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?

A.Use an Organizations service control policy (SCP) to cap the maximum permissions for role creation in each account
B.Attach a permission boundary to every role that teams create so the boundary limits the role’s maximum effective permissions
C.Rely on KMS key policies to restrict permissions because IAM policies cannot override KMS restrictions
D.Require multi-factor authentication (MFA) for all role creation requests and deny any request without MFA
Answer: B

A permission boundary acts as a permissions ceiling for the role. Even if the team attaches an identity-based policy that grants broader permissions, the role’s effective permissions are only those allowed by both the identity policy and the permission boundary. This prevents privilege escalation by role policy changes while still allowing teams to manage which policies are attached, within the boundary.

Why this answer

Permission boundaries are an AWS IAM feature that sets the maximum permissions that an identity-based policy can grant to an IAM role. When a permission boundary is attached to a role, the effective permissions are the intersection of the boundary and the role's identity-based policy, ensuring that even if a team attaches an overly permissive policy, the role cannot exceed the boundary's defined limits. This directly enforces a per-role ceiling on permissions, making option B the correct choice.

Exam trap

The trap here is that candidates often confuse SCPs with permission boundaries, thinking SCPs can enforce per-role limits, but SCPs apply to all principals in an account and cannot be scoped to individual roles, whereas permission boundaries are specifically designed for that purpose.

How to eliminate wrong answers

Option A is wrong because SCPs apply at the AWS account or organizational unit level, not at the individual IAM role level, and they cannot enforce a per-role ceiling within an account; they cap permissions for all principals in the account but do not provide granular control over each role's maximum permissions. Option C is wrong because KMS key policies control access to KMS keys, not IAM role permissions, and they are unrelated to setting a ceiling on what actions a role can perform via IAM policies. Option D is wrong because requiring MFA for role creation requests is an authentication control that does not limit the permissions granted to the role once it is created; it prevents unauthorized creation but does not enforce a permissions ceiling.

182
MCQ · medium

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

A.Enable S3 Block Public Access at the account or bucket level
B.Create an IAM policy that denies s3:GetObject to anonymous users
C.Enable server access logging on the bucket
D.Enable S3 Transfer Acceleration
Answer: A

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option A is correct because S3 Block Public Access provides a definitive override that prevents any public access to S3 objects, even if a bucket policy or ACL later grants public access. This setting can be applied at the account or bucket level and ensures that all access is denied to anonymous users, meeting the requirement without custom scripts.

Exam trap

The trap here is that candidates may think an IAM policy can block anonymous users, but IAM policies only apply to authenticated IAM principals, not to anonymous (unauthenticated) requests, making S3 Block Public Access the only effective solution.

How to eliminate wrong answers

Option B is wrong because an IAM policy that denies s3:GetObject to anonymous users is not effective; anonymous users are not IAM principals, so IAM policies do not apply to them. Option C is wrong because server access logging records requests but does not enforce access controls or prevent public access. Option D is wrong because S3 Transfer Acceleration speeds up uploads over long distances but has no effect on access permissions or public accessibility.

183
MCQ · hard

Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?

A.Replace SSE-KMS with S3 object ACLs so the partner account can bypass KMS authorization.
B.Create a new bucket in the partner account and copy the objects there to avoid cross-account encryption.
C.Switch the bucket to SSE-S3 so the partner role no longer needs KMS permissions.
D.Update the CMK key policy, or add a tightly scoped grant, to allow the partner role the required KMS actions through S3.
Answer: D

Cross-account access to SSE-KMS encrypted objects requires KMS authorization in addition to S3 authorization. The key policy must trust the partner role, and the permissions should be limited to the needed KMS actions such as Decrypt, Encrypt, and GenerateDataKey with a service condition for S3. That is why the partner can have valid S3 permissions and still fail until the KMS policy is fixed.

Why this answer

Option D is correct because when using a customer-managed KMS key (CMK) for SSE-KMS in a cross-account scenario, the key policy must explicitly grant the partner account's IAM role the necessary KMS actions (kms:Decrypt, kms:GenerateDataKey) to allow S3 to perform the encryption/decryption on behalf of the partner. Without this policy update or a tightly scoped grant, the KMS service will deny the request even if S3 bucket policies are correctly configured.

Exam trap

The trap here is that candidates assume S3 bucket policies alone control all access, forgetting that SSE-KMS introduces a separate authorization layer at KMS that requires explicit cross-account permissions in the key policy.

How to eliminate wrong answers

Option A is wrong because S3 object ACLs cannot bypass KMS authorization; ACLs control access to the object itself, not the encryption key, and removing SSE-KMS would violate security requirements. Option B is wrong because copying objects to a new bucket in the partner account does not resolve the underlying KMS authorization issue; the partner still needs access to the CMK to decrypt the objects. Option C is wrong because switching to SSE-S3 would remove the use of the customer-managed key, which may be a compliance or security requirement, and does not address the need for cross-account access with a CMK.

184
MCQ · easy

Company A must allow workloads in Company B to assume an IAM role in Company A (RoleInA). To mitigate confused-deputy attacks, a security requirement is to use an External ID. Company A should restrict who can assume RoleInA. Which trust-policy configuration is the best choice?

A.In Company A role trust policy, allow sts:AssumeRole for principal "arn:aws:iam::<company-b-account-id>:root" with no sts:ExternalId condition.
B.In Company A role trust policy, allow sts:AssumeRole only for principal "arn:aws:iam::<company-b-account-id>:role/<specific-role-in-b>" and require a condition where sts:ExternalId equals the expected External ID value.
C.In the trust policy, allow iam:PassRole for the Company B principal and include an sts:ExternalId condition.
D.In Company A, grant Company B access using an IAM permissions policy attached to RoleInA instead of using a trust policy.
Answer: B

Restricting the principal to the specific intended role limits who can assume RoleInA. Requiring the correct sts:ExternalId in the trust policy mitigates confused-deputy attacks.

Why this answer

Option B is correct because it restricts the trust policy to a specific IAM role in Company B (using the principal ARN) and requires the `sts:ExternalId` condition to match a predefined value. This ensures only the intended role in Company B can assume RoleInA, and the External ID prevents a confused-deputy attack by requiring the third party to provide a unique identifier that only the legitimate service knows.

Exam trap

The trap here is that candidates often confuse `iam:PassRole` with `sts:AssumeRole` or think that a permissions policy can restrict who assumes a role, but only the trust policy defines the trusted principals and conditions for role assumption.

How to eliminate wrong answers

Option A is wrong because it allows the entire Company B account (root principal) to assume the role without any External ID condition, which violates the security requirement and leaves the role open to confused-deputy attacks. Option C is wrong because `iam:PassRole` is used to pass a role to an AWS service, not to assume a role; the correct action for assuming a role is `sts:AssumeRole`, and the condition should be on the trust policy, not on a permissions policy. Option D is wrong because an IAM permissions policy attached to RoleInA controls what the role can do after it is assumed, but it does not control who can assume the role; the trust policy is the only place to define the trusted principals and conditions for assuming the role.

185
Multi-Select · hard

A company is encrypting sensitive S3 data for a mobile banking backend with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A.A larger KMS key rotation period
B.A key policy that limits key administrators and key users
C.S3 Transfer Acceleration
D.IAM policies that grant kms:Decrypt only to required application roles
Answers: B, D

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a KMS key policy explicitly defines which principals (IAM users, roles, AWS accounts) can administer or use the key. By limiting key administrators and key users in the key policy, you prevent unauthorized principals from accidentally invoking KMS operations on that key, even if they have broad IAM permissions. This is a direct access control mechanism at the key level.

Exam trap

The trap here is that candidates often think IAM policies alone are sufficient for KMS access control, but they forget that KMS key policies are evaluated first and can explicitly deny or limit access regardless of IAM permissions.

186
MCQ · medium

Based on the exhibit, which AWS service should the team use so the database password can rotate automatically every 30 days and the application can retrieve it securely at runtime?

A.AWS Systems Manager Parameter Store with a standard String parameter
B.AWS Secrets Manager
C.Amazon Cognito user pools
D.AWS Key Management Service customer managed keys
Answer: B

Secrets Manager is built for storing and rotating credentials such as database passwords. It supports secret versioning, fine-grained access control, and managed rotation workflows, making it the best fit for a 30-day automated rotation requirement. The application can retrieve the current secret at runtime without embedding the password in code or environment variables.

Why this answer

AWS Secrets Manager is the correct service because it natively supports automatic rotation of database passwords on a configurable schedule (e.g., every 30 days) and provides secure retrieval at runtime via the AWS SDK, CLI, or Secrets Manager API. Unlike Parameter Store, Secrets Manager is designed specifically for managing secrets with built-in rotation, encryption, and fine-grained access control.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store encrypted parameters) with Secrets Manager, but Parameter Store lacks native automatic rotation and is not optimized for managing database credentials with scheduled rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with a standard String parameter does not support automatic rotation of secrets; it is intended for plaintext or encrypted configuration data, not for managing database credentials with lifecycle rotation. Option C is wrong because Amazon Cognito user pools are designed for user authentication and identity management, not for storing or rotating application database passwords. Option D is wrong because AWS KMS customer managed keys are used for encryption and decryption operations, not for storing secrets or managing their rotation; they can encrypt secrets but do not provide rotation or retrieval of the secret value itself.

187
MCQ · medium

A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy? The design must avoid adding custom operational scripts.

A.Security groups on the application instances
B.AWS WAF associated with the Application Load Balancer
C.Network ACLs on the public subnets
D.AWS Shield Advanced only
Answer: B

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that integrates directly with an Application Load Balancer to filter and monitor HTTP/HTTPS requests. It provides managed rules specifically designed to block common attack patterns like SQL injection and cross-site scripting (XSS) without requiring custom scripts or manual rule maintenance, thus meeting the requirement for minimum operational overhead.

Exam trap

The trap here is that candidates often confuse network-layer security controls (security groups, network ACLs, or Shield) with application-layer protection, assuming they can block SQL injection or XSS, when in fact only a web application firewall like AWS WAF can inspect and filter HTTP payloads for such attacks.

How to eliminate wrong answers

Option A is wrong because security groups act as a stateful virtual firewall at the instance level, filtering traffic based on IP addresses, ports, and protocols; they cannot inspect application-layer payloads to detect SQL injection or XSS patterns. Option C is wrong because network ACLs are stateless and operate at the subnet level, only filtering traffic based on IP, port, and protocol rules, with no capability to parse HTTP request bodies or headers for malicious content. Option D is wrong because AWS Shield Advanced provides DDoS protection at the network and transport layers, not application-layer attack mitigation for SQL injection or XSS; it does not include a web application firewall.

188
MCQ · medium

An IoT ingestion API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

A.S3 lifecycle expiration after seven years
B.S3 versioning only
C.S3 server access logging
D.S3 Object Lock in compliance mode with an appropriate retention period
Answer: D

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

Option D is correct because S3 Object Lock with compliance mode provides a write-once-read-many (WORM) model that prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of a seven-year immutable audit log, as compliance mode enforces a legal hold that cannot be removed by any entity, including AWS support.

Exam trap

The trap here is that candidates often confuse versioning with immutability, thinking versioning alone prevents data loss, but it does not block overwrites or deletions of the current version, which is why Object Lock is required for true write-once-read-many protection.

How to eliminate wrong answers

Option A is wrong because S3 lifecycle expiration only automates deletion after a set period but does not prevent overwrites or deletions during that period; objects can still be deleted manually or overwritten before expiration. Option B is wrong because S3 versioning alone preserves previous versions but does not prevent deletion of the current version or overwrites; it only retains old versions and does not enforce immutability. Option C is wrong because S3 server access logging records access requests to the bucket but does not provide any data protection or prevent modification or deletion of the audit logs themselves.

189
Multi-Select · hard

A B2B file exchange site uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Select 2 answers
A.Enable S3 static website hosting
B.Use an S3 bucket policy that allows access only from the CloudFront distribution
C.Configure Origin Access Control for the S3 origin
D.Enable CloudFront standard logging
Answers: B, C

The bucket policy should trust the CloudFront distribution and deny direct public access.

Why this answer

Option B is correct because an S3 bucket policy that explicitly denies access to any principal except the CloudFront distribution's origin access identity (OAI) or origin access control (OAC) ensures that direct requests to the S3 bucket are blocked. This policy uses the `aws:SourceArn` or `aws:SourceAccount` condition key to restrict access exclusively to the CloudFront service, preventing users from bypassing CloudFront and accessing the bucket directly via its S3 endpoint.

Exam trap

The trap here is that candidates often confuse enabling S3 static website hosting (Option A) as a security measure, when in fact it opens a separate direct access endpoint, or they overlook that Origin Access Control (Option C) alone is insufficient without a corresponding bucket policy to enforce the restriction.

190
MCQ · hard

A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A.Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
B.Tag encrypted volumes after creation
C.Enable VPC Flow Logs
D.Run a daily Lambda function to encrypt unencrypted volumes
Answer: A

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option A is correct because an SCP (Service Control Policy) is a preventive control that can deny the ec2:CreateVolume action when the encryption condition (ec2:Encrypted) is false. This ensures that no unencrypted EBS volumes can be created in the account, providing a strong, proactive guardrail that cannot be overridden by IAM policies within the account.

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like Lambda remediation or tagging) with preventive controls, failing to recognize that only SCPs or IAM policies with Deny effects can block the action before it occurs.

How to eliminate wrong answers

Option B is wrong because tagging encrypted volumes after creation is a detective or corrective control, not a preventive one; it does not stop the creation of unencrypted volumes. Option C is wrong because VPC Flow Logs capture network traffic metadata and have no ability to enforce encryption policies on EBS volumes. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a reactive/corrective control that only fixes volumes after they have been created, leaving a window of non-compliance.

191
Multi-Select · medium

A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.

Select 2 answers
A.Update the KMS key policy to allow the partner role or account to use the key.
B.Enable automatic key rotation to solve the cross-account access requirement.
C.Attach IAM permissions in the partner account for kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey on the CMK.
D.Replace the CMK with the AWS managed key alias/aws/s3.
E.Export the KMS key material and share it with the partner account.
Answers: A, C

KMS evaluates the key policy before permitting use of a customer managed key. Cross-account use requires the key policy to trust the external principal or a grant to that principal.

Why this answer

Option A is correct because the KMS key policy must explicitly grant the partner account or role permission to use the key for cryptographic operations. Without this cross-account policy statement, the key remains inaccessible to the partner account, even if the partner has S3 bucket access. This is a fundamental requirement for cross-account KMS key usage.

Exam trap

The trap here is that candidates often forget that cross-account KMS access requires both a key policy update in the central account AND IAM permissions in the partner account, not just one of them.

192
MCQ · medium

An S3 bucket in account A uses default server-side encryption with an AWS KMS customer-managed key (CMK) in account A. A team created an IAM role in account B that is allowed by IAM policy to perform s3:GetObject on the bucket. When the account B role tries to read objects, it fails with: AccessDeniedException: 'User is not authorized to perform kms:Decrypt'. Which change is most likely to fix the issue?

A.Add kms:Decrypt permissions to the identity policy in account B only, without modifying the CMK key policy in account A.
B.Update the CMK key policy in account A to allow the account B role principal to call kms:Decrypt (and kms:DescribeKey if needed).
C.Disable SSE-KMS on the S3 bucket so objects use SSE-S3 instead, eliminating the need for KMS permissions.
D.Attach a broad permissions boundary to the account B role allowing all kms:* actions to override the key policy.
Answer: B

KMS customer-managed keys rely on key policies (especially for cross-account access). Granting kms:Decrypt to the exact account B role principal in the key policy enables successful decrypt operations for SSE-KMS objects.

Why this answer

When an S3 bucket uses SSE-KMS with a customer-managed key (CMK) in account A, the account B role must have explicit kms:Decrypt permission on that CMK. The key policy in account A controls access to the CMK, so adding the account B role principal to the key policy with kms:Decrypt (and kms:DescribeKey if needed) is required. Without this, even if the S3 bucket policy and IAM role allow s3:GetObject, the KMS decrypt call will fail.

Exam trap

The trap here is that candidates assume IAM permissions in account B are sufficient for cross-account KMS operations, forgetting that the KMS key policy in the owning account must explicitly grant access to the external principal.

How to eliminate wrong answers

Option A is wrong because adding kms:Decrypt to the identity policy in account B alone is insufficient; the CMK key policy in account A must also grant access to the account B role, as KMS key policies act as a separate authorization layer. Option C is wrong because disabling SSE-KMS and switching to SSE-S3 would change the encryption method and potentially violate security requirements, but it would technically fix the KMS permission issue; however, it is not the most likely fix as it alters the encryption configuration rather than addressing the permission gap. Option D is wrong because a permissions boundary on the account B role cannot override the CMK key policy in account A; the key policy is the ultimate authority for KMS key access, and a boundary only limits the role's maximum permissions within its own account.

193
Multi-Select · hard

A company is encrypting sensitive S3 data for a claims portal with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A.A larger KMS key rotation period
B.IAM policies that grant kms:Decrypt only to required application roles
C.A key policy that limits key administrators and key users
D.S3 Transfer Acceleration
Answers: B, C

IAM permissions should grant least-privilege use of the KMS key to specific roles.

Why this answer

Option B is correct because IAM policies can be used to restrict the `kms:Decrypt` action to only the specific IAM roles that require it for the claims portal. This ensures that even if an unauthorized principal has access to the encrypted S3 object, they cannot decrypt it without the explicit IAM permission to use the KMS key. Option C is correct because a key policy that explicitly defines key administrators and key users limits who can manage or use the KMS key, preventing accidental use by unauthorized principals.

Exam trap

The trap here is that candidates often assume that IAM policies alone are sufficient to control KMS key access, but they forget that the key policy must also explicitly allow the IAM principal to use the key, as KMS requires both the key policy and IAM policy to grant access.

194
MCQ · hard

A company uses AWS Organizations and wants to prevent any account in the organization from launching resources in regions other than us-east-1 and eu-west-1. This restriction must apply even if an administrator in a member account grants full IAM permissions. Which approach should a solutions architect use?

A.Create IAM policies with Deny for disallowed regions and attach them to all IAM users and roles in each account
B.Enable AWS Config rules to detect resources launched in disallowed regions and trigger auto-remediation to delete them
C.Use AWS Control Tower guardrails to enforce region restriction for all accounts
D.Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root
Answer: D

SCPs apply to all principals in all member accounts and cannot be overridden by account-level IAM. Attached to the Organization root, this SCP covers every member account. The Deny with StringNotEquals condition on aws:RequestedRegion blocks all other regions.

Why this answer

Service Control Policies (SCPs) in AWS Organizations provide a guardrail that applies to all principals in member accounts — including IAM users, roles, and even the account root. SCPs restrict the maximum permissions that can be granted within an account.

An SCP with Deny on all actions for all regions except us-east-1 and eu-west-1, attached to the organization root, prevents any account from launching resources in other regions regardless of account-level IAM permissions. IAM policies in member accounts cannot override SCPs.

Exam trap

A common misconception is that an IAM Administrator or root user in a member account can override organization-level controls. SCPs define the permission ceiling — even AdministratorAccess (Action: *, Resource: *) cannot exceed what the SCP allows. SCPs are evaluated BEFORE account-level IAM policies.

Why the other options are wrong

A

IAM policies must be attached individually to each user and role in each account — unscalable across an Organization. Administrators in member accounts could also remove or bypass these policies by creating new roles without the restriction.

B

AWS Config rules detect non-compliant resources after they have been created. Auto-remediation adds latency. This is a detective control, not a preventive control — resources would exist temporarily before deletion.

C

AWS Control Tower guardrails are implemented as SCPs applied through Organizations, so the direct answer for organization-wide prevention is the SCP itself.
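To make the evaluation rules behind these questions concrete, here is an added Python simulator (not AWS code, and not part of the original question bank) covering the explicit-Deny boundary question above, question 180 (aws:SourceVpce), 181 (permission boundary), 191 to 193 (cross-account key policy) and 194 (the region SCP). It implements only a subset of IAM evaluation (no NotAction, NotResource, session policies, or operators beyond StringEquals and StringNotEquals), and every policy, ARN, key id and account id in it is constructed for illustration.

```python
"""Simplified AWS policy evaluation, added for illustration; not AWS code (no NotAction etc.)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # Action and Resource elements use '*' and '?' wildcards; actions are case-insensitive.
    return fnmatchcase(value.lower(), pattern.lower())


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected  # negated op: true if key absent
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _principal_matches(statement, principal):
    spec = statement.get("Principal", "*")  # resource policies name a Principal; exact ARN match
    return spec == "*" or principal in _as_list(spec.get("AWS", []))


def _evaluate(policy, action, resource, ctx, principal=None):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for statement in _as_list(policy["Statement"]):
        if principal is not None and not _principal_matches(statement, principal):
            continue
        if not any(_match(a, action) for a in _as_list(statement.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(statement.get("Resource", "*"))):
            continue
        if not _conditions_hold(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final; no Allow elsewhere can revive it
        decision = "Allow"
    return decision


def is_allowed(action, resource, ctx=None, *, identity=None, boundary=None, scp=None,
               resource_policy=None, principal=None, cross_account=False):
    """Combine the layers in the order AWS applies them: any explicit Deny, then the
    SCP ceiling, then the resource policy, then the boundary-capped identity policy."""
    ctx = ctx or {}
    results = {name: _evaluate(pol, action, resource, ctx)
               for name, pol in (("scp", scp), ("boundary", boundary), ("identity", identity))
               if pol is not None}
    if resource_policy is not None:
        results["resource"] = _evaluate(resource_policy, action, resource, ctx, principal)
    if "Deny" in results.values():
        return False
    if scp is not None and results["scp"] != "Allow":
        return False  # an SCP caps even AdministratorAccess inside a member account
    identity_allows = results.get("identity") == "Allow"
    if boundary is not None and results["boundary"] != "Allow":
        identity_allows = False  # effective permissions = identity policy AND boundary
    resource_allows = results.get("resource") == "Allow"
    if cross_account:
        return resource_allows and identity_allows  # both accounts must grant the action
    return resource_allows or identity_allows  # same account: either side suffices (simplified)


# Constructed sample policies mirroring the questions; ARNs and account ids are illustrative.
SECRET = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-pass-AbCdEf"
TASK_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET,
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6g7h"}}}]}
TEAM_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::claims-data/*"}]}
OPERATOR_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary"]}]}
ADMIN_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REGION_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the default FullAWSAccess statement
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key id
B_ROLE = "arn:aws:iam::222233334444:role/PartnerReader"  # constructed account B role
B_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": CMK}]}
KEY_POLICY_OWNER_ONLY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
                                        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
KEY_POLICY_WITH_PARTNER = {"Statement": KEY_POLICY_OWNER_ONLY["Statement"] + [{
    "Effect": "Allow", "Principal": {"AWS": B_ROLE}, "Resource": "*",
    "Action": ["kms:Decrypt", "kms:DescribeKey"]}]}
```

Calling is_allowed with the same identity policy and an empty context (the NAT path) versus a context carrying the endpoint id shows why only aws:SourceVpce satisfies question 180, and the two key-policy variants show that cross-account KMS use fails until both the key policy and the partner's identity policy grant it.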

195
MCQ · medium

A solutions architect is designing an S3 bucket for an order processing API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A.Enable S3 Block Public Access at the account or bucket level
B.Enable server access logging on the bucket
C.Create an IAM policy that denies s3:GetObject to anonymous users
D.Enable S3 Transfer Acceleration
Answer: A

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

S3 Block Public Access provides a definitive override that prevents any public access to objects, regardless of bucket policies or ACLs. By enabling this setting at the account or bucket level, the architect ensures that even if a developer later adds an overly broad bucket policy, the objects remain inaccessible to anonymous users. This is the only option that guarantees no public access can be inadvertently granted.

Exam trap

The trap here is that candidates may think an IAM policy denying anonymous access is sufficient, but they miss that bucket policies can override IAM policies when both are evaluated, making S3 Block Public Access the only foolproof solution.

How to eliminate wrong answers

Option B is wrong because server access logging only records requests made to the bucket; it does not enforce any access restrictions. Option C is wrong because an IAM policy that denies s3:GetObject to anonymous users can be overridden by a later bucket policy that grants public access, as IAM and bucket policies are evaluated together and a bucket policy can explicitly allow what an IAM policy denies. Option D is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances; it has no effect on access control or public accessibility.

196
MCQmedium

A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

A.Enable S3 Transfer Acceleration
B.Create an IAM policy that denies s3:GetObject to anonymous users
C.Enable S3 Block Public Access at the account or bucket level
D.Enable server access logging on the bucket
AnswerC

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option C is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects, regardless of bucket policies or object ACLs. This setting, when enabled at the account or bucket level, ensures that even if a developer later attaches an overly permissive bucket policy, the public access is blocked. It meets the requirement of avoiding custom operational scripts by being a native, configurable S3 feature.

Exam trap

The trap here is that candidates may think an IAM policy denying s3:GetObject to anonymous users is sufficient, but anonymous users are not IAM principals, so such a policy has no effect on anonymous access granted by a bucket policy.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances using edge locations; it does not control access permissions or prevent public access. Option B is wrong because an IAM policy that denies s3:GetObject to anonymous users only applies to IAM principals, not to anonymous requests; anonymous users are not IAM entities, so this policy would not block public access granted by a bucket policy. Option D is wrong because server access logging records requests to the bucket for auditing purposes but does not enforce any access restrictions or prevent public access.

197
MCQhard

Based on the exhibit, a company stores sensitive PDFs in S3 and serves them through CloudFront. Direct requests to the S3 object URL must fail, but CloudFront should still be able to fetch the files securely. Which solution best satisfies the requirement?

A.Leave the bucket public but require CloudFront signed cookies for all users.
B.Use an S3 access point and give it a public policy so CloudFront can reach the objects.
C.Configure CloudFront Origin Access Control for the S3 origin and update the bucket policy to allow only that distribution.
D.Use S3 object ACLs to grant read access only to users behind CloudFront.
AnswerC

OAC lets CloudFront sign origin requests to S3, while the bucket policy can deny all other principals and block direct URL access.

Why this answer

Option C is correct because CloudFront Origin Access Control (OAC) allows CloudFront to authenticate requests to an S3 origin using a specific identity, and the bucket policy can be configured to grant access only to that CloudFront distribution. This ensures that direct S3 object URL requests fail (since they lack the CloudFront signature), while CloudFront can still fetch the files securely using the OAC mechanism.

Exam trap

The trap here is that candidates often confuse signed URLs/cookies (which control user access) with origin access controls (which control how CloudFront fetches from S3), leading them to pick options that still allow direct S3 access.

How to eliminate wrong answers

Option A is wrong because leaving the bucket public would allow anyone with the S3 object URL to access the files directly, violating the requirement that direct requests must fail. Option B is wrong because an S3 access point with a public policy would still allow direct public access to the objects, bypassing CloudFront. Option D is wrong because S3 object ACLs cannot restrict access based on the requester being behind CloudFront; they only grant permissions to specific AWS accounts or canonical users, not to CloudFront distributions.
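As an added example (not part of the question bank), the bucket policy that goes with option C: the only Allow is for the CloudFront service principal, scoped by source ARN to one distribution, so a direct object URL has no matching statement and is denied. The bucket name, account ID and distribution ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PDF-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
        }
      }
    }
  ]
}
```

Keep S3 Block Public Access enabled and add no other Allow statement; the OAC must be configured to sign origin requests, because the service-principal match only applies to requests CloudFront signs on the distribution's behalf.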

198
MCQhard

A financial services company must store audit logs in S3 for 7 years and ensure that no one — including the AWS account root user — can delete or overwrite the logs during the retention period. Which S3 Object Lock configuration should a solutions architect use?

A.Object Lock in Compliance mode with a 7-year retention period
B.Object Lock in Governance mode with a 7-year retention period
C.S3 Versioning with a lifecycle rule to transition objects to Glacier after 7 years
D.A bucket policy with Deny for s3:DeleteObject applied to all principals including root
AnswerA

Compliance mode prevents ALL users including root from deleting or overwriting objects before retention expires. The period cannot be shortened, satisfying strict financial regulatory requirements.

Why this answer

S3 Object Lock in Compliance mode prevents ALL users — including the root account — from deleting or overwriting objects before the retention period expires. The retention period itself cannot be shortened once set in Compliance mode.

Governance mode also prevents most deletions, but users with s3:BypassGovernanceRetention permission (and the root account) can delete objects or shorten the retention period. For regulatory requirements where not even root can override, Compliance mode is mandatory.

Exam trap

Candidates choose Governance mode because 'governance' sounds strict. In AWS terminology, Governance is the LESS strict option — it can be bypassed by privileged users. Compliance mode is immutable: no one can remove the retention until the period expires.

This distinction is critical for financial regulations like SEC Rule 17a-4 and FINRA requirements.

Why the other options are wrong

B

Governance mode can be bypassed by the root account and users with s3:BypassGovernanceRetention permission. This does NOT meet the requirement that no one including root can delete the logs.

C

S3 Versioning prevents accidental deletion by keeping previous versions, but a privileged user can permanently delete all versions. Lifecycle rules manage storage class transitions — they do not prevent deletion. Compliance mode is required.

D

Bucket policies cannot restrict the root account. IAM policies (including resource-based policies) cannot override root user permissions. Only AWS Organizations SCPs and S3 Object Lock Compliance mode can restrict root's ability to delete S3 objects.
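Added example, not from the question bank: the bucket-level Object Lock configuration for the correct answer, in the shape accepted by `s3api put-object-lock-configuration`. It assumes the bucket was created with Object Lock enabled (which also turns on versioning); changing `COMPLIANCE` to `GOVERNANCE` gives the weaker option B setting that privileged users can bypass.

```json
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "COMPLIANCE",
      "Years": 7
    }
  }
}
```

The default retention is stamped onto each new object version at write time, so objects written before this configuration was applied need their retention set explicitly; a Compliance retention date can later be extended but never shortened.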

199
MCQmedium

Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com". Which change most directly resolves this while keeping instances private?

A.Create an interface VPC endpoint for STS (com.amazonaws.<region>.sts) and associate it with the instance subnets and a security group that allows HTTPS.
B.Create a gateway VPC endpoint for S3 and route the STS traffic through the S3 endpoint gateway.
C.Open an inbound rule in the instances’ security group to allow outbound HTTPS to the internet CIDR block directly.
D.Attach an Internet Gateway to the private subnet route table so the STS API can be reached over public internet.
AnswerA

Interface endpoints provide private, in-VPC connectivity to AWS APIs like STS without requiring internet access or NAT.

Why this answer

The error indicates the EC2 instances cannot reach the STS public endpoint over the internet because they are in private subnets without a NAT gateway. An interface VPC endpoint for STS (com.amazonaws.<region>.sts) allows private, direct connectivity to the STS API using AWS PrivateLink, without requiring internet access. Associating the endpoint with the instance subnets and a security group that allows HTTPS (port 443) resolves the connectivity issue while keeping the instances private.

Exam trap

The trap here is that candidates often confuse gateway endpoints (which only work for S3 and DynamoDB) with interface endpoints (which work for many services like STS), or they mistakenly think security group rules alone can enable outbound internet access without a route.

How to eliminate wrong answers

Option B is wrong because a gateway VPC endpoint for S3 only provides private connectivity to S3, not to STS; STS is a different service and cannot be reached through an S3 endpoint. Option C is wrong because opening an inbound rule in the instances’ security group for outbound HTTPS to the internet CIDR block does not provide a route to the internet; the instances are in private subnets with no NAT gateway or internet gateway, so outbound traffic to the internet is blocked regardless of security group rules. Option D is wrong because attaching an Internet Gateway to the private subnet route table would make the subnet public, violating the requirement to keep instances private; it would also expose the instances to inbound internet traffic.

200
Multi-Selecthard

A company has three workloads. First, a stable EC2 application will remain on the same instance family for at least one year. Second, an ECS service on Fargate may shift between launch types but has steady baseline usage. Third, a fault-tolerant nightly batch job can be interrupted and restarted. Which three pricing choices should the architect recommend? Select three.

Select 3 answers
A.Standard Reserved Instances for the EC2 application.
B.Compute Savings Plans for the Fargate service.
C.Spot Instances for the nightly batch job.
D.On-Demand Instances for all three workloads.
E.Dedicated Hosts for the batch job.
AnswersA, B, C

A stable EC2 workload on the same family is a classic Reserved Instance use case because the commitment matches the predictable baseline.

Why this answer

Standard Reserved Instances (A) are ideal for the stable EC2 application because the workload has a predictable, steady-state usage and will remain on the same instance family for at least one year. By committing to a 1-year or 3-year term, the company receives a significant discount (up to 72%) compared to On-Demand pricing, making it the most cost-effective choice for this stable, long-running workload.

Exam trap

The trap here is that candidates often assume On-Demand is the only safe choice for all workloads, failing to recognize that the stable EC2 workload qualifies for Reserved Instances, the steady Fargate usage qualifies for Compute Savings Plans, and the fault-tolerant batch job is a textbook use case for Spot Instances.

201
MCQmedium

A customer-managed KMS key (CMK) encrypts SQS messages. A consumer service uses an IAM role that includes kms:Decrypt permission for that CMK. After a security change, the consumer fails with: "AccessDeniedException: kms:Decrypt is not allowed". CloudTrail indicates the KMS request is reaching KMS, but the CMK key policy no longer includes the consumer role (or its principal). What is the best fix?

A.Update the CMK key policy to allow the consumer role principal to perform kms:Decrypt on the CMK.
B.Update only the consumer role identity policy because identity policies always override key policies.
C.Enable default encryption on SQS so that KMS permissions are no longer required.
D.Create an S3 bucket policy statement allowing kms:Decrypt because the messages are stored in S3.
AnswerA

For customer-managed keys, the CMK key policy is the authoritative authorization control for KMS operations. Even if the role’s identity policy allows kms:Decrypt, KMS will still deny the request unless the key policy also permits the principal (or a grant permits it).

Why this answer

Option A is correct because the error indicates that the KMS key policy explicitly denies the consumer role's kms:Decrypt request. Since KMS key policies are the primary access control for CMKs, adding the consumer role principal with kms:Decrypt permission resolves the issue. The CloudTrail log confirms the request reaches KMS, so the problem is solely the missing key policy statement.

Exam trap

The trap here is that candidates assume identity policies alone are sufficient for KMS access, but KMS requires explicit authorization in the key policy unless the key policy includes a statement delegating access to IAM policies.

How to eliminate wrong answers

Option B is wrong because identity policies (like IAM role policies) do not override key policies; KMS requires that both the key policy and the identity policy grant the permission, and if the key policy denies or omits the principal, the request fails regardless of the identity policy. Option C is wrong because enabling default encryption on SQS does not eliminate the need for KMS permissions; it would still require the consumer to have kms:Decrypt on the default KMS key, and the consumer's current issue is with a customer-managed CMK, not the default key. Option D is wrong because SQS messages are not stored in S3; SQS is a separate service, and an S3 bucket policy has no effect on KMS permissions for SQS message decryption.
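Added example (not the question bank's own content): a key policy that implements option A. The second statement names the consumer role directly, and `kms:ViaService` limits that Decrypt grant to calls SQS makes on the role's behalf. The account ID, role name and region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "sqs-message-key-policy",
  "Statement": [
    {
      "Sid": "EnableRootAndKeyAdministration",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowConsumerRoleToDecryptViaSQS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/OrderConsumerRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "sqs.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The root statement is what delegates authorization to IAM identity policies; when it is missing or the key policy is otherwise restrictive, as in the question, the role's identity policy alone can never grant Decrypt.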

202
MCQmedium

Account Y provides a role named AnalyticsReadOnly to engineers in Account X. The role trust policy currently allows sts:AssumeRole from the Account X principal. A new security requirement states that only STS sessions created with MFA are allowed to assume the role. Which trust policy condition is the best choice to enforce MFA for sts:AssumeRole?

A.Add a condition "Bool": { "aws:MultiFactorAuthPresent": "true" } in the role trust policy for the sts:AssumeRole action.
B.Add a condition "StringEquals": { "aws:username": "mfa-user" } in the IAM policy attached to the role.
C.Add a condition requiring "sts:ExternalId" to equal a fixed value in the trust policy.
D.Add a condition "Bool": { "aws:SecureTransport": "true" } in the trust policy to require HTTPS.
AnswerA

aws:MultiFactorAuthPresent is a condition key designed to reflect whether MFA was used when establishing the STS session. By requiring it to be true in the trust policy, STS denies AssumeRole when the caller did not authenticate with MFA.

Why this answer

Option A is correct because the `aws:MultiFactorAuthPresent` condition key checks whether the principal used MFA to obtain the session credentials. By adding a `Bool` condition set to `"true"` in the trust policy for the `sts:AssumeRole` action, only STS sessions that were created after MFA authentication will be allowed to assume the role. This directly enforces the security requirement without affecting other authentication methods.

Exam trap

The trap here is that candidates may confuse `aws:MultiFactorAuthPresent` with other condition keys like `aws:SecureTransport` or `aws:username`, or think that `sts:ExternalId` can enforce MFA, when in fact only the `Bool` condition on `aws:MultiFactorAuthPresent` directly checks MFA status.

How to eliminate wrong answers

Option B is wrong because `aws:username` refers to the IAM user name, not the MFA status; requiring a specific username does not enforce MFA and can be bypassed if that user does not use MFA. Option C is wrong because `sts:ExternalId` is used to prevent the confused deputy problem in cross-account access, not to enforce MFA. Option D is wrong because `aws:SecureTransport` only ensures the session uses HTTPS/TLS, which is already required for AWS API calls, and does not verify MFA usage.
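The trust policy for option A, as an added example that is not part of the original question bank. The Account X ID is a placeholder; the `root` principal means any identity in Account X whose own policy allows the call, provided its session carries MFA.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountXWithMfaOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222233334444:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Long-term access keys never carry this key, so an engineer must first obtain STS credentials with an MFA code (for example via GetSessionToken) before AssumeRole succeeds; if you express the same rule as a Deny, use `BoolIfExists`, because a missing key would not match a plain `Bool` test.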

203
MCQmedium

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible. Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking. Which architecture best meets these requirements?

A.Use AWS PrivateLink by creating a VPC endpoint service backed by the NLB in VPC A, then create an interface VPC endpoint in the partner VPC with appropriate endpoint access controls.
B.Expose the NLB to the internet with an Elastic IP and restrict access using the NLB’s security group only.
C.Use VPC peering between VPC A and the partner VPC and update route tables to resolve the overlap.
D.Deploy a NAT gateway in VPC A and route the partner’s traffic to the NLB through the NAT gateway.
AnswerA

PrivateLink exposes the service privately via interface endpoints, avoiding peering and keeping the NLB non-public for secure partner access.

Why this answer

Option A is correct because AWS PrivateLink allows you to expose an internal NLB in VPC A as a VPC endpoint service, and the partner team can create an interface VPC endpoint in their own VPC to connect privately. This solution avoids overlapping CIDR issues because traffic flows through PrivateLink’s network interfaces using private IPs, not through VPC peering or internet routing. It also satisfies the non-public requirement since the API remains accessible only via private networking within AWS.

Exam trap

The trap here is that candidates may assume VPC peering can handle overlapping CIDRs with route table adjustments, but AWS explicitly prohibits overlapping CIDRs in VPC peering connections, making PrivateLink the only viable private networking option.

How to eliminate wrong answers

Option B is wrong because exposing the NLB to the internet with an Elastic IP makes the API publicly accessible, violating the security requirement that the API must remain non-public. Option C is wrong because VPC peering cannot resolve overlapping CIDR blocks; overlapping CIDRs cause routing conflicts and are explicitly unsupported for VPC peering. Option D is wrong because a NAT gateway is used for outbound internet traffic from a private subnet, not for inbound traffic from another VPC, and it would not provide private connectivity between VPCs with overlapping CIDRs.

204
MCQhard

Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?

A.Remove all IAM permissions from AppProvisioner and require a central security team to create every role manually.
B.Attach a permissions boundary strategy to the delegated workflow and require every created role to include that boundary using the iam:PermissionsBoundary condition.
C.Allow developers to keep creating roles, but add a CloudTrail rule that alerts security after a privileged policy is attached.
D.Move the delegated IAM workflow into a separate VPC and restrict it with security groups and network ACLs.
AnswerB

A permissions boundary creates an upper limit on what any developer-created role can ever do, even if someone later attaches broader policies. Requiring the boundary during role creation prevents privilege escalation while still allowing delegated self-service for approved application roles. This is the standard AWS pattern when teams need to create roles but must remain inside a strict security envelope.

Why this answer

Option B is correct because it uses an IAM permissions boundary attached to the delegated role creation workflow, combined with the `iam:PermissionsBoundary` condition key to enforce that every developer-created role must include that boundary. This ensures no role can exceed the approved permission set, as the boundary acts as a maximum limit on permissions, even if the role's policy grants more. The delegated workflow (e.g., AWS Service Catalog or IAM Role creation via Lambda) can create roles, but the boundary prevents any escalation beyond the predefined scope.

Exam trap

The trap here is that candidates confuse reactive monitoring (like CloudTrail alerts) with preventive controls, or mistakenly think network isolation (VPC/security groups) can restrict IAM permissions, when only IAM boundaries or service control policies (SCPs) can cap permissions at the identity level.

How to eliminate wrong answers

Option A is wrong because removing all IAM permissions from AppProvisioner and requiring manual role creation by a central security team eliminates the delegation entirely, which contradicts the requirement that developers create application roles for Lambda and ECS; it also introduces operational bottlenecks and does not leverage IAM boundaries. Option C is wrong because adding a CloudTrail rule to alert after a privileged policy is attached is reactive, not preventive; it does not stop a developer-created role from exceeding the approved permission set at creation time, violating the 'may never exceed' requirement. Option D is wrong because moving the delegated IAM workflow into a separate VPC with security groups and network ACLs addresses network-level access control, not IAM permission boundaries; it cannot restrict the permissions of IAM roles created by developers, as IAM policies are not governed by network constructs.
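Added example, not from the question bank: the identity policy for the delegated AppProvisioner workflow in option B. Role creation and policy attachment are allowed only when the approved boundary is supplied, and the boundary can neither be detached from the roles nor edited. The account ID, role path and boundary policy name are placeholders; the AppRoleBoundary managed policy itself (the permission ceiling) is assumed to exist.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAppRolesOnlyWithApprovedBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::111122223333:role/app/*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/AppRoleBoundary"
        }
      }
    },
    {
      "Sid": "NeverRemoveTheBoundaryFromAppRoles",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "arn:aws:iam::111122223333:role/app/*"
    },
    {
      "Sid": "NeverEditTheBoundaryPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::111122223333:policy/AppRoleBoundary"
    }
  ]
}
```

Effective permissions of any role created this way are the intersection of its attached policies and AppRoleBoundary, so a developer who later attaches AdministratorAccess still gets no more than the boundary allows.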

205
Multi-Selectmedium

A public API is delivered through CloudFront and an Application Load Balancer. The security team wants AWS to automatically block repetitive bursts from the same client IP and also reduce exposure to common web exploits without custom code. Which two AWS WAF features should be enabled? Select two.

Select 2 answers
A.A rate-based rule that blocks clients exceeding a request threshold from the same source IP.
B.An AWS Managed Rules group for common web exploits.
C.ALB sticky sessions for all requests.
D.A security group rule that blocks requests based on HTTP path.
E.CloudFront origin access control for the API endpoint.
AnswersA, B

Rate-based rules are the native WAF feature for detecting and blocking unusually high request rates from the same IP or set of IPs. This helps stop bursts that can indicate abuse or application-layer flooding.

Why this answer

A rate-based rule in AWS WAF automatically tracks request rates per source IP and blocks clients that exceed a configured threshold within a 5-minute evaluation window. This directly addresses the security team's requirement to block repetitive bursts from the same client IP without custom code.

Exam trap

The trap here is that candidates often confuse security group rules (Layer 3/4) with WAF rules (Layer 7), mistakenly thinking a security group can filter HTTP paths or block application-layer attacks.

206
MCQmedium

A web application for a claims portal is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A.AWS WAF associated with the Application Load Balancer
B.AWS Shield Advanced only
C.Network ACLs on the public subnets
D.Security groups on the application instances
AnswerA

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that integrates directly with an Application Load Balancer to filter and monitor HTTP/HTTPS requests. It provides managed rules specifically designed to block common attack patterns like SQL injection and cross-site scripting (XSS) with minimal operational overhead, as the rules are pre-configured and automatically updated by AWS.

Exam trap

The trap here is that candidates often confuse network-layer controls (like security groups or NACLs) with application-layer protection, assuming they can block SQL injection or XSS, but these operate at Layer 3/4 and cannot inspect HTTP request bodies or headers for malicious content.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides DDoS protection, not application-layer attack filtering for SQL injection or XSS. Option C is wrong because Network ACLs operate at the subnet level (Layer 3/4) and cannot inspect application-layer payloads for SQL injection or XSS patterns. Option D is wrong because security groups act as stateful firewalls at the instance level (Layer 3/4) and cannot perform deep packet inspection for application-layer attacks.
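Serving both question 205 (rate-based rule plus a managed rule group) and question 206 (SQLi/XSS protection at an ALB), an added example that is not part of the question bank: a WAFv2 web ACL definition in the shape of the CreateWebACL input. The `Limit` value and names are constructed; `CLOUDFRONT` scope must be created in us-east-1, and for a web ACL attached directly to an ALB the scope becomes `REGIONAL`.

```json
{
  "Name": "public-api-web-acl",
  "Scope": "CLOUDFRONT",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "public-api-web-acl"
  },
  "Rules": [
    {
      "Name": "RateLimitPerSourceIp",
      "Priority": 0,
      "Action": { "Block": {} },
      "Statement": {
        "RateBasedStatement": {
          "Limit": 2000,
          "AggregateKeyType": "IP"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "RateLimitPerSourceIp"
      }
    },
    {
      "Name": "AWSManagedRulesCommonRuleSet",
      "Priority": 1,
      "OverrideAction": { "None": {} },
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWSManagedRulesCommonRuleSet"
      }
    },
    {
      "Name": "AWSManagedRulesSQLiRuleSet",
      "Priority": 2,
      "OverrideAction": { "None": {} },
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesSQLiRuleSet"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWSManagedRulesSQLiRuleSet"
      }
    }
  ]
}
```

The rate limit counts requests per source IP over the default five-minute window; the Common rule set carries the XSS rules and the SQLi rule set the injection rules, and `OverrideAction: None` keeps each group's own block actions instead of turning them into count-only.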

207
Multi-Selecthard

A public web application sits behind Amazon CloudFront with an Application Load Balancer as the origin. The security team wants all edge traffic inspected by AWS WAF and also wants to prevent anyone on the internet from reaching the ALB directly. Which two changes should be made? Select two.

Select 2 answers
A.Associate an AWS WAF web ACL with the CloudFront distribution.
B.Restrict the ALB security group inbound rules to the AWS-managed CloudFront origin-facing prefix list.
C.Place the ALB in private subnets and keep the CloudFront distribution unchanged.
D.Use an S3 Origin Access Control instead of a security group change.
E.Open the ALB to 0.0.0.0/0 and rely on WAF alone for protection.
AnswersA, B

CloudFront supports AWS WAF at the edge, so requests can be inspected and filtered before they reach the origin. This placement stops malicious traffic early and applies the protection globally at the distribution layer.

Why this answer

Option A is correct because AWS WAF can be associated directly with a CloudFront distribution to inspect all edge traffic before it reaches the origin. This allows the security team to filter malicious requests at the AWS edge locations, reducing the attack surface and offloading processing from the Application Load Balancer.

Exam trap

The trap here is that candidates often think placing the ALB in private subnets is sufficient, but they forget that CloudFront cannot route traffic to private subnets without a public endpoint or a VPC origin configuration, making option C invalid.

208
Multi-Selecthard

A development environment runs a small web app on EC2 and an Amazon RDS database, but it is used only on weekdays during office hours. The team wants to minimize spend and can tolerate a short startup delay after the environment is started. Which two changes should the architect recommend? Select two.

Select 2 answers
A.Stop the EC2 instances outside business hours and start them on a schedule.
B.Replace the database with Aurora Serverless v2 so capacity can scale down during idle periods.
C.Move the app to larger EC2 instances so fewer machines are managed.
D.Keep RDS and EC2 running all weekend because start/stop is operationally risky.
E.Use Spot Instances for the database tier.
AnswersA, B

Scheduled stop and start removes idle compute spend from nights and weekends while preserving the same application architecture.

Why this answer

Option A is correct because stopping EC2 instances outside business hours eliminates compute costs (you are not charged for stopped instances, only for attached EBS volumes). The team tolerates a short startup delay, so a scheduled stop/start (e.g., via AWS Instance Scheduler or Lambda) directly reduces spend without architectural changes.

Exam trap

The trap here is that candidates may think Aurora Serverless v2 is always cheaper than stopping a traditional RDS instance, but they overlook that Serverless v2 still has a minimum ACU charge and storage costs, while stopping an RDS instance eliminates compute cost entirely (only storage and backups are billed).

209
MCQmedium

A web application for an IoT ingestion API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy? The design must avoid adding custom operational scripts.

A.AWS WAF associated with the Application Load Balancer
B.Network ACLs on the public subnets
C.Security groups on the application instances
D.AWS Shield Advanced only
AnswerA

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). By associating an AWS WAF web ACL with the Application Load Balancer, you can filter and monitor HTTP(S) requests based on rules that match malicious patterns, with no custom scripts or operational overhead. This is the most efficient and managed solution for the stated requirements.

Exam trap

The trap here is that candidates often confuse network-layer controls (NACLs, security groups) with application-layer protection, or assume Shield Advanced alone covers all web threats, when in fact WAF is specifically designed for Layer 7 attack mitigation like SQLi and XSS.

How to eliminate wrong answers

Option B is wrong because Network ACLs are stateless packet filters that operate at the subnet level (Layer 3/4) and cannot inspect application-layer payloads like SQL or XSS patterns. Option C is wrong because security groups are stateful virtual firewalls that control traffic based on IP addresses, ports, and protocols (Layer 3/4), and they lack the ability to perform deep packet inspection for web application attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection and enhanced detection, but it does not include the rule-based filtering needed to block SQL injection or XSS attacks.

210
MCQeasy

A stateless web application runs on Amazon EC2 instances across two Availability Zones. The team wants unhealthy instances to be removed automatically and replaced without manual action. What is the best solution?

A.Place the instances in a single subnet and increase the instance size.
B.Use an Application Load Balancer with an Auto Scaling group and configure health checks.
C.Use a network ACL to detect failed instances and restart them.
D.Store the web servers on EBS volumes so the data survives failures.
AnswerB

An Application Load Balancer distributes traffic across healthy targets, and an Auto Scaling group can replace instances that fail health checks. Together, they provide automatic recovery from instance failure and keep the application available across multiple Availability Zones. This is the standard resilient design for stateless EC2 web tiers.

Why this answer

Option B is correct because an Application Load Balancer (ALB) with an Auto Scaling group provides automated health checks and instance replacement. The ALB performs HTTP/HTTPS health checks against the instances, and when an instance fails the health check, the Auto Scaling group automatically terminates the unhealthy instance and launches a new one to maintain the desired capacity. This ensures the stateless web application remains available across both Availability Zones without manual intervention.

Exam trap

The trap here is that candidates confuse network ACLs (stateless packet filters) with health check mechanisms, or assume that persistent storage (EBS) alone provides high availability without an orchestration layer like Auto Scaling.

How to eliminate wrong answers

Option A is wrong because placing instances in a single subnet and increasing instance size does not provide automated health monitoring or replacement; it only changes the capacity of a single instance and introduces a single point of failure. Option C is wrong because a network ACL is a stateless firewall that filters traffic at the subnet level and cannot detect failed instances or restart them; it has no awareness of application health or instance lifecycle. Option D is wrong because storing web servers on EBS volumes does not automate health checks or replacement; while EBS provides persistent storage, the stateless nature of the application means data persistence is irrelevant to fault tolerance, and manual action would still be required to replace failed instances.

211
MCQmedium

An order-quote Lambda function is invoked directly by API Gateway. Traffic is predictable during the business day, and the first request after scaling from zero causes unacceptable latency. The team wants to keep the current architecture and reduce cold-start impact. Which configuration should they use?

A.Increase the function timeout so the first invocation has more time to finish.
B.Enable provisioned concurrency for the Lambda function.
C.Set reserved concurrency to a fixed number and leave the rest unchanged.
D.Increase the memory size only to eliminate cold starts.
AnswerB

Provisioned concurrency keeps a set number of Lambda execution environments initialized and ready to serve traffic. That directly reduces or removes cold starts for predictable workloads such as business-hours APIs. It is the most appropriate choice when the team wants to preserve serverless architecture while delivering consistent response times for the first request and subsequent requests.

Why this answer

Provisioned concurrency initializes a specified number of execution environments in advance, so when the first request arrives after scaling from zero, it is served by a pre-warmed instance instead of incurring a cold start. This directly addresses the unacceptable latency without changing the architecture or requiring code modifications.

Exam trap

The trap here is that candidates confuse reserved concurrency (which caps concurrent executions) with provisioned concurrency (which pre-warms instances), or mistakenly believe that increasing memory or timeout can eliminate the cold-start initialization delay.

How to eliminate wrong answers

Option A is wrong because increasing the function timeout does not prevent cold starts; it only allows the invocation to run longer, but the initial cold-start delay (e.g., loading runtime, initializing code) still occurs. Option C is wrong because reserved concurrency limits the maximum number of concurrent executions but does not pre-warm instances; it can even worsen cold starts by capping available capacity. Option D is wrong because increasing memory size can reduce cold-start duration (since CPU allocation scales with memory) but does not eliminate cold starts entirely; the first invocation after idle still requires initialization.

212
MCQeasy

Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?

A.An Interface VPC endpoint (AWS PrivateLink) for secretsmanager in your Region
B.A Gateway VPC endpoint for secretsmanager
C.A NAT gateway in the private subnet route table
D.A VPC peering connection to the AWS public network hosting Secrets Manager
AnswerA

Secrets Manager supports Interface VPC endpoints. An interface endpoint provides private connectivity from subnets to the Secrets Manager API without traversing the public internet.

Why this answer

An Interface VPC endpoint (AWS PrivateLink) creates an elastic network interface in your subnet with a private IP address, allowing your instances to communicate with AWS Secrets Manager over the AWS network without traversing the internet. Since your application runs in private subnets with no NAT gateway, this is the only supported endpoint type for Secrets Manager, as Gateway endpoints are only available for S3 and DynamoDB.

Exam trap

The trap here is that candidates often confuse Gateway endpoints (which are free and only for S3/DynamoDB) with Interface endpoints (which incur hourly charges and support many services like Secrets Manager), leading them to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because Gateway VPC endpoints are only supported for Amazon S3 and DynamoDB, not for AWS Secrets Manager. Option C is wrong because a NAT gateway requires an internet gateway and public subnet, and the question explicitly states there is no NAT gateway and no internet egress allowed. Option D is wrong because VPC peering connects two VPCs within the AWS network, not to the AWS public network hosting Secrets Manager; Secrets Manager is accessed via service endpoints, not through peering.

213
MCQmedium

A website serves mostly cacheable images, CSS, and JavaScript from an ALB. Users in Europe and Asia report slower page loads, and the ALB receives far more requests than expected. The team also wants text assets compressed automatically. Which change is the best first step?

A.Increase the ALB size and add more target instances behind it.
B.Use Route 53 latency-based routing to send users to the nearest ALB.
C.Place Amazon CloudFront in front of the ALB and enable compression and caching.
D.Replace the ALB with an NLB to reduce latency for web requests.
AnswerC

CloudFront is the right choice because it caches static content at edge locations close to users, reducing latency and lowering the number of requests that reach the ALB. It also supports compression for text-based assets such as CSS, JavaScript, and HTML. This improves both performance and origin offload without changing the application logic.

Why this answer

CloudFront is the correct first step because it acts as a CDN that caches cacheable content (images, CSS, JS) at edge locations close to users in Europe and Asia, reducing load on the ALB and improving page load times. It also supports automatic compression of text assets (e.g., via gzip or Brotli) without requiring backend changes, directly addressing the team's requirement for compressed text assets. By offloading requests from the ALB, CloudFront reduces the number of requests hitting the origin, solving the 'far more requests than expected' issue.

Exam trap

The trap here is that candidates often think scaling the ALB (Option A) or using latency-based routing (Option B) will solve performance issues, but they overlook that caching and compression at the edge (CloudFront) directly address both latency and request volume without requiring backend changes.

How to eliminate wrong answers

Option A is wrong because increasing ALB size and adding instances only addresses capacity, not the root causes of high latency for distant users or the unexpectedly high request volume; it does not cache content or compress text assets automatically. Option B is wrong because Route 53 latency-based routing still sends all requests to an ALB, which does not cache content or compress text assets; it also does not reduce the number of requests hitting the ALB, as each user request still reaches the origin. Option D is wrong because replacing the ALB with an NLB does not provide caching, compression, or any application-layer features; NLBs operate at Layer 4 and cannot inspect or cache HTTP content, nor can they compress text assets.

214
MCQmedium

A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?

A.Rely on an AWS-managed policy attached to the developer’s IAM user; permission boundaries only apply to users.
B.Ensure the role creation process sets the permission boundary on the new role, using the boundary’s ARN in the CreateRole call or role template.
C.Attach the permission boundary policy as an SCP in AWS Organizations so it automatically applies to all roles.
D.Grant the developer IAM permissions to add a “deny” statement to the boundary policy so the boundary blocks escalation.
AnswerB

Permission boundaries are evaluated based on the boundary attached to the principal/role being created or used. If a developer creates roles without specifying the boundary, the boundary won’t restrict the resulting permissions. Enforcing boundary attachment via role templates or required parameters ensures every created role is constrained.

Why this answer

Permission boundaries must be explicitly set on a role during its creation (via the `CreateRole` API call or an infrastructure-as-code template). Without specifying the boundary ARN in the role creation request, the role inherits no boundary, allowing the developer to attach broad permissions that exceed the intended restriction. Option B correctly identifies that the developer’s role creation process must include the boundary ARN to enforce the limitation.

Exam trap

The trap here is that candidates assume permission boundaries are automatically inherited or enforced globally, when in fact they must be explicitly applied to each role during creation, and SCPs are a separate mechanism that does not replace boundaries.

How to eliminate wrong answers

Option A is wrong because permission boundaries apply to IAM roles and users, not just users; the boundary can be attached to a role to limit its effective permissions. Option C is wrong because SCPs (Service Control Policies) are organization-level policies that apply to all accounts and principals, but they do not replace the need for a permission boundary on the role itself; SCPs and boundaries work at different layers and are not interchangeable. Option D is wrong because a developer cannot modify the boundary policy itself—the boundary is a separate policy document that only the security team can edit; adding a deny statement to the boundary would not block escalation because the boundary already limits permissions, and the developer lacks permission to alter it.
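Worked illustration, added here and not part of the question bank: a short Python model of why a boundary only constrains a role when it is actually attached, together with the shape of a CreateRole request that carries it. The account id, policy names and ARNs are constructed sample values, and the matching logic is a simplified stand-in for IAM's real evaluation (Allow statements only; no Deny statements, SCPs or resource policies).

```python
"""Added example (not from the question bank): how an IAM permissions
boundary narrows a role, and why a role created without one is not narrowed.

Simplified model of IAM's logic for one Allow-only identity policy plus an
optional boundary: an action is allowed only if BOTH the identity policy and
the boundary allow it. Real IAM also evaluates Deny statements, resource
policies and SCPs; those are left out. All ids and ARNs are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed sample account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"

# Boundary maintained by the security team (constructed): read-only on most
# services, full control only over the team's own prefixed resources.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "dynamodb:Get*", "dynamodb:Query",
                    "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-a-*"},
    ],
}

# Broad identity policy a developer attached to a role they created (constructed).
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """True if any Allow statement in `policy` matches both action and resource.
    IAM action names are case-insensitive, so compare lower-cased."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r)
                          for r in _as_list(stmt.get("Resource", "*")))
        if action_ok and resource_ok:
            return True
    return False


def effective_allow(identity_policy, boundary_policy, action, resource):
    """Boundary semantics: with a boundary attached the effective permission is
    the intersection; with no boundary (None) the identity policy stands alone."""
    allowed = policy_allows(identity_policy, action, resource)
    if boundary_policy is None:
        return allowed
    return allowed and policy_allows(boundary_policy, action, resource)


def create_role_request(role_name, trust_policy_json, boundary_arn=BOUNDARY_ARN):
    """Build the keyword arguments for boto3's iam.create_role(). The
    PermissionsBoundary field is the one option B refers to; the guard refuses
    to build a request that omits it."""
    if not boundary_arn:
        raise ValueError("refusing to create a role without a permissions boundary")
    return {"RoleName": role_name,
            "AssumeRolePolicyDocument": trust_policy_json,
            "PermissionsBoundary": boundary_arn}


# Beyond the question itself: the iam:PermissionsBoundary condition key lets
# the security team grant iam:CreateRole only when this exact boundary is
# supplied, so a forgotten parameter fails at CreateRole instead of silently
# producing an unconstrained role. (Constructed policy; real condition key.)
DEVELOPER_CREATE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:CreateRole",
        "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*",
        "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    }],
}

if __name__ == "__main__":
    for boundary in (None, BOUNDARY_POLICY):
        label = "no boundary" if boundary is None else "boundary attached"
        print(label, "-> iam:CreateUser allowed:",
              effective_allow(BROAD_POLICY, boundary, "iam:CreateUser", "*"))
```

Run stand-alone, the script shows the same broad policy permitting iam:CreateUser with no boundary and refusing it once the boundary is attached. The DEVELOPER_CREATE_ROLE_POLICY at the end goes one step past the question: rather than trusting templates to remember the parameter, it makes the developer's own CreateRole permission conditional on the boundary ARN being present in the request.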

215
Multi-Selectmedium

A containerized service on Amazon ECS connects to a database with a password that must never be stored in plaintext or hardcoded in the image. The application reads the password at startup and occasionally reconnects later, so it needs to retrieve the current secret when needed. Which three actions should the architect take? Select three.

Select 3 answers
A.Store the database password in AWS Secrets Manager.
B.Have the application retrieve the secret from Secrets Manager at runtime when it needs the password.
C.Grant the ECS task role least-privilege permission to read only that secret.
D.Store the password in a plain environment variable and update it manually during maintenance windows.
E.Use an IAM user access key inside the container so the database password can be embedded in code.
AnswersA, B, C

Secrets Manager is designed for sensitive credentials and integrates with IAM and rotation features. It is a better fit than putting passwords in code, images, or plain variables.

Why this answer

AWS Secrets Manager is the correct service for storing sensitive data like database passwords because it provides encryption at rest (using AWS KMS) and automatic rotation capabilities. By storing the password in Secrets Manager, the architect ensures it is never exposed in plaintext or hardcoded in the container image, meeting the security requirement.

Exam trap

The trap here is that candidates might think environment variables or IAM access keys are acceptable for secrets, but the exam requires using a dedicated secrets management service like Secrets Manager to avoid plaintext exposure and enable rotation.

216
MCQmedium

Account A has an IAM role named FinanceDataRole that is assumed by a principal in Account B. The role’s trust policy includes a condition requiring sts:ExternalId to equal "Fin-2026-Q2". A developer in Account B calls AssumeRole but receives an error: AccessDenied: ExternalId mismatch. The security team requires that you do not remove the ExternalId condition. What is the correct remediation?

A.Add kms:Decrypt to the developer’s IAM policy so KMS can validate the ExternalId during AssumeRole.
B.Update the AssumeRole call in Account B to include sts:ExternalId="Fin-2026-Q2" exactly as required.
C.Increase the role’s MaxSessionDuration to reduce authentication failures.
D.Remove the ExternalId condition from the trust policy to allow all AssumeRole requests.
AnswerB

The trust policy explicitly checks the ExternalId value provided in the AssumeRole request. Supplying the exact required ExternalId satisfies the condition and allows STS to issue credentials for the role.

Why this answer

The error 'AccessDenied: ExternalId mismatch' occurs because the AssumeRole API call from Account B does not include the required sts:ExternalId parameter. The trust policy on the FinanceDataRole explicitly requires this parameter to match 'Fin-2026-Q2' as a security measure to prevent the confused deputy problem. Option B is correct because the developer must pass the exact ExternalId value in the AssumeRole request to satisfy the condition and successfully assume the role.

Exam trap

The trap here is that candidates may think the ExternalId is automatically passed or that the error is due to permission issues (like KMS or session duration), when in fact the developer must explicitly include the correct ExternalId in the AssumeRole API call.

How to eliminate wrong answers

Option A is wrong because KMS is not involved in validating ExternalId during AssumeRole; the ExternalId check is performed by the AWS STS service based on the role's trust policy, not by KMS. Option C is wrong because MaxSessionDuration controls the maximum session length for an assumed role, not authentication failures related to ExternalId mismatches. Option D is wrong because the security team explicitly requires that the ExternalId condition not be removed, and removing it would weaken security by eliminating the confused deputy protection.

217
MCQeasy

A company has a primary application in us-east-1 and a standby environment in us-west-2. Users should go to the primary site while it is healthy and automatically switch to the standby site if the primary fails. Which Route 53 routing policy should they use?

A.Weighted routing
B.Failover routing with health checks
C.Geolocation routing
D.Latency-based routing
AnswerB

Route 53 failover routing is designed for active-passive resilience. You define a primary record and a secondary record, then attach health checks so DNS answers shift to the standby when the primary is unhealthy. This provides a simple disaster recovery pattern for user-facing endpoints without requiring application-level traffic management.

Why this answer

Failover routing with health checks is the correct choice because it allows you to configure an active-passive failover pattern where Route 53 directs traffic to the primary resource (us-east-1) as long as it passes a health check. If the health check fails, Route 53 automatically routes traffic to the secondary resource (us-west-2), ensuring high availability without manual intervention.

Exam trap

The trap here is that candidates often confuse failover routing with latency-based routing, thinking that latency routing will automatically switch to a healthy region, but latency routing only optimizes for speed and does not consider health status unless combined with health checks, which is not its primary purpose.

How to eliminate wrong answers

Option A is wrong because weighted routing distributes traffic across multiple resources based on assigned weights, which is used for load balancing or testing, not for automatic failover when a primary site fails. Option C is wrong because geolocation routing directs traffic based on the geographic location of the user, which is designed for content localization or regional restrictions, not for active-passive failover. Option D is wrong because latency-based routing sends traffic to the resource with the lowest latency for the user, which optimizes performance but does not provide automatic failover when a primary resource becomes unhealthy.

218
MCQmedium

A public API for a B2B file exchange site is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

A.API keys only
B.IAM authorization for all internet users
C.JWT authorizer configured for the OpenID Connect issuer
D.A VPC endpoint policy
AnswerC

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option C is correct because API Gateway's JWT authorizer natively validates JSON Web Tokens issued by an external OpenID Connect (OIDC) provider. It verifies the token's signature, expiry, and issuer against the OIDC provider's JWKS endpoint without requiring custom Lambda code, making it the simplest and most secure choice for standards-based token authentication.

Exam trap

The trap here is that candidates often confuse API keys (which are for rate limiting and client identification) with authentication, or assume IAM authorization can be used for external users, but IAM requires AWS credentials and is not designed for third-party OIDC tokens.

How to eliminate wrong answers

Option A is wrong because API keys only provide client identification, not authentication; they do not validate the identity of the caller or support OIDC tokens. Option B is wrong because IAM authorization is designed for AWS principals (e.g., IAM users/roles) and requires AWS Signature V4 signing, which is not suitable for internet clients using external OIDC tokens. Option D is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication or token validation for public internet clients.

219
MCQmedium

Account A hosts a role named AppReadRole. Account B needs to access it using STS AssumeRole. Account A’s role trust policy includes this condition:

StringEquals: { "sts:ExternalId": "b-7f9a" }

When Account B runs:

aws sts assume-role --role-arn arn:aws:iam::111111111111:role/AppReadRole --role-session-name test

the call fails with: "AccessDenied: ExternalId mismatch". What should Account B change?

A.Provide the correct --external-id value (b-7f9a) in the AssumeRole call.
B.Add kms:Decrypt permissions to Account B’s IAM user because trust policy failures are KMS related.
C.Remove the ExternalId condition from the trust policy so any caller can assume the role.
D.Use AssumeRoleWithSAML instead of AssumeRole so ExternalId is not required.
AnswerA

The trust policy requires sts:ExternalId to equal b-7f9a. If the caller does not supply the matching external ID, STS fails the trust-policy condition and denies AssumeRole. Supplying --external-id b-7f9a satisfies the condition.

Why this answer

The error 'AccessDenied: ExternalId mismatch' occurs because the trust policy on Account A's role requires an `sts:ExternalId` condition with the value `b-7f9a`, but Account B's `aws sts assume-role` command did not include the `--external-id` parameter. By providing the correct `--external-id b-7f9a` in the call, Account B satisfies the condition, allowing the role assumption to succeed. This is a standard security mechanism to prevent the confused deputy problem.

Exam trap

The trap here is that candidates may think the error is due to missing permissions (like KMS) or that changing the API method (SAML) avoids the condition, when in fact the fix is simply to include the required `--external-id` parameter in the AssumeRole call.

How to eliminate wrong answers

Option B is wrong because the error is explicitly about an ExternalId mismatch, not a KMS permissions issue; KMS is unrelated to STS AssumeRole trust policy conditions. Option C is wrong because while removing the condition would technically allow the call, it weakens security and is not the minimal change required to fix the mismatch error. Option D is wrong because AssumeRoleWithSAML does not bypass the ExternalId condition; the condition is evaluated regardless of the STS API used, and SAML-based calls have their own requirements.

220
MCQhard

Based on the exhibit, an EC2 application runs in private subnets with no NAT gateway and must retrieve a secret from AWS Secrets Manager. The secret uses a customer managed KMS key. Which change will allow the application to reach the service while keeping traffic off the internet?

A.Create an interface VPC endpoint for Secrets Manager and another interface VPC endpoint for KMS, and enable private DNS for both.
B.Create an S3 gateway endpoint for Secrets Manager and use the existing S3 gateway endpoint for both secret retrieval and KMS decryption.
C.Add a NAT gateway in a public subnet and route 0.0.0.0/0 from the private subnets to the NAT gateway.
D.Move the application into a public subnet so it can call the public Secrets Manager endpoint directly.
AnswerA

Secrets Manager is an interface endpoint service, and the customer managed KMS key means the application also needs private access to KMS for decrypt operations. Private DNS lets the SDK resolve standard service names to the VPC endpoints, keeping all traffic inside AWS private networking.

Why this answer

Option A is correct because it creates interface VPC endpoints for both Secrets Manager and KMS, which allows the EC2 instance in the private subnet to securely access these services over the AWS network without traversing the internet. Enabling private DNS ensures that the standard service endpoints resolve to the private IP addresses of the VPC endpoints, eliminating the need for a NAT gateway or internet gateway.

Exam trap

The trap here is that candidates often assume a single endpoint type (like a gateway endpoint) can serve all AWS services, but Secrets Manager and KMS specifically require interface endpoints, and forgetting the KMS endpoint is a common oversight.

How to eliminate wrong answers

Option B is wrong because S3 gateway endpoints are designed for Amazon S3 only, not for Secrets Manager or KMS; Secrets Manager requires an interface endpoint (powered by AWS PrivateLink) and KMS also requires an interface endpoint or a separate connection. Option C is wrong because adding a NAT gateway would route traffic to the internet, which violates the requirement to keep traffic off the internet; the goal is to avoid internet-bound traffic entirely. Option D is wrong because moving the application to a public subnet would expose it to the internet, contradicting the requirement to keep traffic off the internet and potentially compromising security.

221
MCQmedium

A partner company needs read-only access to reports in an S3 bucket for an e-learning platform. The partner has its own AWS account. What is the most secure, scalable access pattern? The design must avoid adding custom operational scripts.

A.Copy the objects to a public website bucket
B.Create an IAM user in the company account and share the access keys
C.Create a bucket policy that grants the partner role least-privilege access to the required prefix
D.Make the objects public and rely on difficult-to-guess object names
AnswerC

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option C is correct because it uses a resource-based bucket policy that grants the partner's IAM role cross-account read-only access to a specific prefix, adhering to the principle of least privilege. This approach is secure (no public exposure), scalable (no manual key rotation), and requires no custom scripts, as AWS handles the cross-account trust automatically via the bucket policy's Principal element referencing the partner's AWS account ID.

Exam trap

AWS often tests the misconception that sharing IAM user access keys is acceptable for cross-account access, but the trap here is that IAM users are for human identities within the same account, not for secure cross-account automation, and bucket policies with IAM roles are the recommended pattern for least-privilege, script-free access.

How to eliminate wrong answers

Option A is wrong because copying objects to a public website bucket exposes them to the entire internet, violating security and requiring operational scripts for synchronization. Option B is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be manually rotated, are insecure if leaked, and require custom scripts for key management. Option D is wrong because making objects public with difficult-to-guess names relies on security through obscurity, which is not a valid security control; objects can still be discovered via enumeration or leaks, and this violates AWS best practices for data protection.

222
MCQeasy

Account A hosts an IAM role that Account B developers must assume for a limited task. You want to require MFA for anyone assuming the role. Which trust policy condition most directly enforces that requirement for sts:AssumeRole?

A.Add a statement condition requiring "Bool": {"aws:MultiFactorAuthPresent": "true"} in the role trust policy.
B.Add a condition requiring "StringEquals": {"aws:PrincipalOrgID": "o-example"} without any MFA condition.
C.Add a statement that denies sts:AssumeRole when the requested role session name contains the text "dev".
D.Require HTTPS by setting a condition on "aws:SecureTransport": "true" in the trust policy.
AnswerA

aws:MultiFactorAuthPresent is a built-in IAM condition context key set when the caller authenticated with MFA. Requiring it to be true causes trust policy evaluation to fail for non-MFA sessions.

Why this answer

Option A is correct because the `aws:MultiFactorAuthPresent` condition key in the role trust policy directly checks whether the caller authenticated with a valid MFA device before calling `sts:AssumeRole`. When set to "true" with a Bool condition, it enforces that the session must have been established after MFA verification, which is the most direct and standard way to require MFA for role assumption.

Exam trap

The trap here is that candidates confuse transport-layer security (HTTPS) with authentication-layer MFA, thinking that requiring encrypted communication also enforces multi-factor authentication, but `aws:SecureTransport` only ensures the channel is encrypted, not that the caller proved possession of a second factor.

How to eliminate wrong answers

Option B is wrong because `aws:PrincipalOrgID` checks the AWS Organization ID of the principal, which has no relation to MFA enforcement; it only restricts which accounts in an organization can assume the role. Option C is wrong because denying `sts:AssumeRole` based on the role session name containing "dev" is a naming convention check, not an MFA requirement; it does not verify the caller's authentication method. Option D is wrong because `aws:SecureTransport` enforces HTTPS for the API call, which ensures encryption in transit but does not require the caller to have used MFA; a non-MFA session over HTTPS would still succeed.
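The ExternalId and MFA conditions in questions 216, 219 and 222, and the prefix-scoped bucket policy in question 221, can be traced through with one small evaluator. This is an added example written for this page, not AWS code or the question bank's own material; it models only the Principal, Action, Resource and Condition handling these questions depend on, and every account id, ARN and identity value in it is a constructed sample apart from the 111111111111 account, the AppReadRole name and the b-7f9a external ID taken from question 219.

```python
"""Added example (not from the question bank): a small simulation of how STS
checks a role trust policy's Principal and Condition elements, and how a
bucket policy grants a partner role exactly one prefix.

Only the behaviour these questions turn on is modelled: account or ARN
principals, StringEquals on sts:ExternalId, Bool on aws:MultiFactorAuthPresent,
and wildcard resource matching. Real IAM evaluation has many more keys and
rules. Account B's id, the partner role and the bucket name are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"   # role and bucket owner (from question 219)
ACCOUNT_B = "222222222222"   # caller / partner account (constructed)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AppReadRole"

TRUST_POLICY = {  # trust policy on AppReadRole in Account A
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "b-7f9a"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}

BUCKET_POLICY = {  # resource policy on the reports bucket in Account A (constructed)
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:role/PartnerReportReader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::reports-bucket/partner-b/*",
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, caller_arn):
    """Exact ARN match, or an account ':root' principal matching the caller's
    account (root trust delegates the rest to that account's own IAM policies)."""
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(stmt["Principal"]["AWS"]):
        if p == caller_arn:
            return True
        if p.endswith(":root") and p.split(":")[4] == caller_account:
            return True
    return False


def _failed_condition(stmt, ctx):
    """Return the first condition key that is not satisfied, else None. A key
    missing from the request context fails just like a wrong value."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != wanted:
                return key
            if operator == "Bool" and str(actual).lower() != wanted:
                return key
    return None


def evaluate(policy, caller_arn, action, resource, ctx):
    """Return ("Allow", why) if an Allow statement matches caller, action,
    resource and all its conditions; otherwise ("Deny", why) (implicit deny)."""
    reason = "no matching statement"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _principal_matches(stmt, caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        failed = _failed_condition(stmt, ctx)
        if failed:
            reason = f"condition on {failed} not satisfied"
            continue
        return "Allow", "statement matched"
    return "Deny", reason


def assume_role(caller_arn, external_id=None, mfa=False):
    """Model of `aws sts assume-role --role-arn ... [--external-id ...]`.
    Omitting --external-id leaves sts:ExternalId out of the context entirely."""
    ctx = {"aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    if external_id is not None:
        ctx["sts:ExternalId"] = external_id
    return evaluate(TRUST_POLICY, caller_arn, "sts:AssumeRole", ROLE_ARN, ctx)


def read_report(caller_arn, key):
    """Model of the partner role calling s3:GetObject on one object key."""
    return evaluate(BUCKET_POLICY, caller_arn, "s3:GetObject",
                    f"arn:aws:s3:::reports-bucket/{key}", {})


if __name__ == "__main__":
    dev = f"arn:aws:iam::{ACCOUNT_B}:user/developer"
    print("no --external-id  :", assume_role(dev, mfa=True))
    print("correct external id:", assume_role(dev, "b-7f9a", mfa=True))
    print("no MFA             :", assume_role(dev, "b-7f9a", mfa=False))
```

The denial reasons the evaluator returns line up with the three questions: leaving `--external-id` off the CLI call fails the StringEquals check even though the caller's account is trusted, a session without MFA fails the Bool check even with the right ExternalId, and the bucket policy lets the named partner role read only keys under `partner-b/` while any other role in the partner account, or any other prefix, falls through to the implicit deny.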

223
Multi-Selectmedium

A startup runs an API on Amazon EC2. The instance must read items from one DynamoDB table and upload logs to one S3 bucket. Platform engineers also need a way to create new application roles, but those roles must never exceed a predefined set of permissions. Which three actions should the architect take? Select three.

Select 3 answers
A.Attach an IAM role to the EC2 instance profile and remove long-lived access keys from the server.
B.Give the EC2 instance an IAM user with administrator access for simplicity.
C.Scope the application policy to the exact DynamoDB table ARN and S3 bucket prefix.
D.Store the access keys in the application configuration file and rotate them later.
E.Use a permissions boundary for any IAM roles the platform team is allowed to create.
AnswersA, C, E

This gives the workload temporary credentials through the instance metadata service and avoids storing secrets on the host. It is the standard least-privilege pattern for EC2-based applications.

Why this answer

Option A is correct because attaching an IAM role to the EC2 instance profile allows the instance to obtain temporary credentials via the instance metadata service (IMDS), eliminating the need to store long-lived access keys on the server. This follows the AWS security best practice of using IAM roles for EC2 to securely access DynamoDB and S3 without managing static credentials.

Exam trap

The trap here is that candidates may think storing access keys in a config file is acceptable if rotated later, but AWS explicitly recommends using IAM roles for EC2 to avoid the security risks of long-lived credentials.

224
MCQeasy

A company runs Amazon RDS for MySQL in a Multi-AZ configuration. If the primary database instance fails, what is the expected behavior?

A.The database remains unavailable until an administrator manually creates a new instance.
B.RDS automatically fails over to the standby instance in the same Region and keeps the same endpoint.
C.Traffic is routed to a read replica in another Region for immediate continuity.
D.The failed primary continues serving traffic while the standby synchronizes in the background.
AnswerB

Multi-AZ RDS is built for high availability. If the primary instance becomes unavailable, AWS automatically promotes the standby in the same Region and updates the DNS behind the database endpoint. Applications keep using the same connection string, so failover is largely transparent. This reduces downtime without requiring manual intervention or application changes.

Why this answer

Amazon RDS for MySQL in a Multi-AZ configuration synchronously replicates data to a standby instance in a different Availability Zone. When the primary database instance fails, RDS automatically fails over to the standby instance and updates the DNS record behind the same CNAME endpoint, so applications can resume operations without manual intervention. This ensures high availability with minimal downtime.

Exam trap

The trap here is that candidates often confuse Multi-AZ failover with read replicas, mistakenly thinking a read replica in another Region can serve as the failover target, whereas Multi-AZ uses a synchronous standby in the same Region.

How to eliminate wrong answers

Option A is wrong because RDS Multi-AZ automatically handles failover without requiring an administrator to manually create a new instance; the standby instance is already provisioned and ready. Option C is wrong because read replicas are used for read scaling and disaster recovery, not for automatic failover; Multi-AZ failover uses a standby in the same Region, not a read replica in another Region. Option D is wrong because the failed primary cannot continue serving traffic; RDS detects the failure and redirects traffic to the standby instance, while the primary is taken out of service.

225
MCQmedium

A Lambda function in Account A must upload reports to an S3 bucket in Account B. Security does not want long-lived access keys anywhere, and the access should be easy to revoke from Account B. Which approach is best?

A.Create an IAM role in Account B that Account A can assume through STS, then grant the role S3 permissions.
B.Create an IAM user in Account B and store its access keys in Lambda environment variables.
C.Attach a security group to the Lambda function that allows outbound traffic to the bucket.
D.Use AWS Organizations SCPs to grant the Lambda function permission to write to the bucket.
AnswerA

Cross-account role assumption with AWS STS is the standard way to grant temporary access without sharing long-lived credentials. By placing the permissions on a role in Account B and controlling the trust policy there, the bucket-owning account keeps central control and can revoke access by changing the trust relationship or permissions. The Lambda execution role in Account A assumes the role when needed and receives short-lived credentials only.

Why this answer

Option A is correct because it uses cross-account IAM roles with AWS Security Token Service (STS) to grant temporary credentials to the Lambda function. This avoids long-lived access keys, and the permissions can be revoked immediately by modifying or deleting the role in Account B, meeting the security requirements.

Exam trap

The trap here is that candidates may confuse security groups (network-layer controls) with IAM policies (identity-based access), or mistakenly think SCPs can grant cross-account permissions when they only act as guardrails.

How to eliminate wrong answers

Option B is wrong because storing IAM user access keys in Lambda environment variables creates long-lived credentials that violate the 'no long-lived access keys' requirement and are harder to revoke without deleting the user. Option C is wrong because security groups control network traffic at the instance/ENI level, not S3 bucket access; S3 uses IAM policies, not security groups, for authorization. Option D is wrong because AWS Organizations SCPs are used to set permission boundaries across accounts in an organization, not to grant specific Lambda function permissions to an S3 bucket; SCPs cannot grant access, only restrict it.
