CCNA Design Secure Architectures Questions

75 of 336 questions · Page 4/5 · Design Secure Architectures · Answers revealed

226
Multi-Select · hard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use?

Select 2 answers
A. Interface VPC endpoint for Systems Manager
B. Internet gateway attached to the VPC
C. NAT gateway in each Availability Zone
D. Gateway VPC endpoint for Amazon S3
Answers: A, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

Interface VPC endpoints (AWS PrivateLink) enable private connectivity to Systems Manager Parameter Store by creating an elastic network interface in the subnet with a private IP, allowing the application to read parameters without traversing the internet. Gateway VPC endpoints for S3 provide private access to S3 objects via route table entries, using the S3 public IP space but staying within the AWS network, avoiding the need for an internet gateway or NAT gateway.

Exam trap

The trap here is that candidates often confuse gateway endpoints (used for S3 and DynamoDB) with interface endpoints (used for most other AWS services), and may incorrectly assume a NAT gateway or internet gateway is needed for private subnet outbound traffic, ignoring that gateway endpoints work via route tables without public IPs.

227
Multi-Select · hard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The design must avoid adding custom operational scripts.

Select 2 answers
A. Interface VPC endpoint for Systems Manager
B. Internet gateway attached to the VPC
C. NAT gateway in each Availability Zone
D. Gateway VPC endpoint for Amazon S3
Answers: A, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

An Interface VPC endpoint for Systems Manager (SSM) allows private subnets to communicate with AWS Systems Manager Parameter Store over the AWS network using private IP addresses, without traversing the internet. This endpoint uses AWS PrivateLink, enabling secure and private access to SSM APIs, which is required for reading parameters from Parameter Store.

Exam trap

The trap here is that candidates often confuse Gateway VPC endpoints (used for S3 and DynamoDB) with Interface VPC endpoints (used for most other AWS services like Systems Manager), and may incorrectly assume a NAT gateway or internet gateway is needed for private subnet access to AWS services.

228
MCQ · medium

You serve private reports stored in an S3 bucket through CloudFront. After a recent change, users report that they can access the S3 object URLs directly (bypassing CloudFront), which violates your design. You want to ensure S3 objects are readable only through CloudFront using Origin Access Control (OAC), even if someone guesses the S3 URL. Which update best enforces this at the S3 bucket level?

A. Add a bucket policy Allow for s3:GetObject only when the principal is cloudfront.amazonaws.com and aws:SourceArn matches your CloudFront distribution ARN, while blocking public access.
B. Enable an S3 bucket lifecycle policy to transition objects to Glacier, so public S3 URLs become inaccessible.
C. Rely only on CloudFront signed URLs validation; do not change the S3 bucket policy.
D. Add a WAF rule on CloudFront to block requests that contain "amazonaws.com" in the URL path.
Answer: A

CloudFront OAC requests are authorized via a CloudFront principal plus a SourceArn restriction. Coupled with public access blocking, this prevents direct S3 URL reads.

Why this answer

Option A is correct because it uses an S3 bucket policy that grants s3:GetObject access only when the principal is cloudfront.amazonaws.com and the aws:SourceArn matches the CloudFront distribution ARN. This ensures that only CloudFront, using Origin Access Control (OAC), can retrieve objects, blocking direct S3 URL access even if the URL is guessed. Blocking public access at the bucket level further prevents any anonymous or public reads.

Exam trap

The trap here is that candidates may think CloudFront signed URLs alone are sufficient for security, but without a restrictive bucket policy, the S3 bucket remains publicly accessible, allowing direct URL access to bypass CloudFront.

How to eliminate wrong answers

Option B is wrong because a lifecycle policy to transition objects to Glacier does not prevent direct S3 URL access; it only changes storage class, and objects in Glacier are still accessible via S3 APIs if permissions allow. Option C is wrong because relying solely on CloudFront signed URLs without updating the S3 bucket policy leaves the bucket publicly accessible, allowing direct S3 URL access to bypass CloudFront entirely. Option D is wrong because a WAF rule on CloudFront that blocks requests containing 'amazonaws.com' in the URL path would block legitimate CloudFront requests to the S3 origin, and it does not prevent direct S3 URL access which bypasses CloudFront altogether.
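As an added example (not part of the question bank), the CloudFormation below declares the bucket with Block Public Access turned on and the bucket policy that Option A describes. The resource names and the default distribution ID are placeholders; the CloudFront distribution that uses OAC is assumed to exist in the same account.

```yaml
# Added example, not from the question bank. Placeholders: the DistributionId
# default and the resource names; the OAC-enabled distribution is assumed to
# already exist in this account.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private reports bucket readable only through CloudFront OAC
Parameters:
  DistributionId:
    Type: String
    Default: EDFDVBD6EXAMPLE   # placeholder ID of the OAC-enabled distribution
Resources:
  ReportsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Block Public Access: no ACL or policy can make objects world-readable,
      # so a guessed S3 URL returns AccessDenied.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  ReportsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ReportsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCloudFrontServicePrincipalReadOnly
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${ReportsBucket.Arn}/*"
            Condition:
              StringEquals:
                # Only origin requests signed on behalf of this one
                # distribution match; any other distribution is still denied.
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${DistributionId}"
```

With OAC the distribution signs its origin requests as the CloudFront service principal, which is why the policy names `cloudfront.amazonaws.com` rather than an OAI canonical user; the `AWS:SourceArn` condition is what stops a second distribution from reusing the same bucket. A quick check after deployment is an unauthenticated GET of an object URL, which should return 403.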

229
MCQ · medium

A deployment engineer created an IAM role for an automation workflow (AppDeployRole). The role has an attached identity policy that allows iam:CreateRole for specific resource ARNs. However, the role is also created with a permission boundary named DeployBoundary. The DeployBoundary policy currently does not include the iam:CreateRole action. During execution, the automation fails with AccessDenied for iam:CreateRole, even though the attached identity policy allows it. What is the best fix?

A. Edit AppDeployRole’s attached identity policy to add iam:CreateRole again; permission boundaries only apply when permissions are missing.
B. Update DeployBoundary to allow iam:CreateRole for only the required resource ARNs, following least privilege.
C. Remove the permission boundary from the role because permission boundaries are not enforced at runtime.
D. Encrypt the deployment artifacts with KMS so IAM denies become KMS authorization failures.
Answer: B

IAM permission boundaries define the maximum set of permissions the role can use. To permit iam:CreateRole, the DeployBoundary must explicitly allow iam:CreateRole (and scope it to the required resources). The attached identity policy alone is not sufficient when the boundary is more restrictive.

Why this answer

B is correct because when an IAM role has a permission boundary, the boundary defines the maximum permissions the role can have. Even if the identity-based policy allows iam:CreateRole, the effective permissions are the intersection of the identity policy and the permission boundary. Since DeployBoundary does not include iam:CreateRole, the action is denied.

Updating the boundary to allow iam:CreateRole for the required resource ARNs, following least privilege, grants the necessary permission while still constraining the role.

Exam trap

The trap here is that candidates often think permission boundaries are optional or only restrict when the identity policy is too permissive, but in reality they are an absolute limit that always reduces effective permissions, so even if the identity policy allows an action, the boundary can deny it.

How to eliminate wrong answers

Option A is wrong because permission boundaries are not a fallback that only apply when permissions are missing; they are an upper limit that always applies, and adding the action again to the identity policy does not override the boundary. Option C is wrong because permission boundaries are enforced at runtime; removing the boundary would bypass security controls and is not a best practice. Option D is wrong because encrypting deployment artifacts with KMS does not affect IAM authorization for iam:CreateRole; KMS handles encryption/decryption, not IAM policy evaluation.

230
MCQ · medium

An AWS Organizations setup uses an SCP to enforce that developers can read only non-production secrets. A developer role in a member account is correctly configured with an identity policy that allows:

- secretsmanager:GetSecretValue on arn:aws:secretsmanager:us-east-1:222222222222:secret:app/*

However, the developer gets AccessDenied with an error message mentioning an organization policy (SCP). The SCP includes this Deny statement: "Deny secretsmanager:GetSecretValue on * unless secretsmanager:ResourceTag/environment equals 'dev'". Which change best restores access for secrets tagged environment=dev while still blocking prod secrets?

A. Update the SCP to match the correct tag key/format actually used on your Secrets Manager secret resources so the condition evaluates to true for environment=dev.
B. Remove the Deny statement from the SCP and rely only on the member account identity policy.
C. Add an IAM policy statement with Effect=Allow and "Condition: aws:PrincipalOrgID" in the member account to override the SCP.
D. Use a longer STS session duration so the SCP is evaluated less frequently.
Answer: A

SCP conditions that rely on resource tags must use the correct tag key and the correct Secrets Manager tag condition key (for example, secretsmanager:ResourceTag/<tag-key>). If the SCP references a tag key/format that doesn’t match how the secrets are actually tagged, the 'unless' condition won’t evaluate as intended, and the Deny will still apply.

Why this answer

The SCP Deny statement uses a condition key `secretsmanager:ResourceTag/environment` that must evaluate to true for the tag value 'dev' to allow access. If the actual Secrets Manager secrets are tagged with a different key format (e.g., `environment` vs. `Environment`) or the tag is missing, the condition fails and the Deny applies. Updating the SCP to match the exact tag key and value used on the secrets ensures the condition evaluates to true, allowing GetSecretValue for dev-tagged secrets while still blocking prod secrets.

Exam trap

The trap here is that candidates assume SCPs can be overridden by identity-based policies or that tag conditions are case-insensitive, leading them to choose Option C or B instead of correcting the SCP's tag key format.

How to eliminate wrong answers

Option B is wrong because removing the Deny statement would allow access to all secrets, including prod, which violates the requirement to block prod secrets. Option C is wrong because SCPs are evaluated before identity-based policies and cannot be overridden by any IAM policy in the member account; an `aws:PrincipalOrgID` condition does not bypass SCP Deny statements. Option D is wrong because STS session duration has no effect on SCP evaluation; SCPs are evaluated on every API call regardless of session length.
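The SCP from the question, written out as an added example (not from the question bank) in CloudFormation so it can be attached from the organization's management account. The OU ID in `TargetIds` is a placeholder; the tag key `environment` is assumed to be exactly the key applied to the secrets.

```yaml
# Added example, not from the question bank. Placeholder: the OU id in
# TargetIds. Deploy from the management account of the organization.
AWSTemplateFormatVersion: "2010-09-09"
Description: SCP that denies GetSecretValue unless the secret is tagged environment=dev
Resources:
  DevSecretsOnlyScp:
    Type: AWS::Organizations::Policy
    Properties:
      Name: DenyNonDevSecretReads
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - ou-abcd-11111111   # placeholder: the developers' OU
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyGetSecretValueUnlessDevTagged
            Effect: Deny
            Action: secretsmanager:GetSecretValue
            Resource: "*"
            Condition:
              # The tag key after the slash must be the key actually present on
              # the secrets. Because the operator is negated, a secret that has
              # no environment tag at all also matches and is denied.
              StringNotEquals:
                secretsmanager:ResourceTag/environment: dev
```

Secrets that should remain readable are tagged with `aws secretsmanager tag-resource --secret-id <name> --tags Key=environment,Value=dev`; anything tagged `prod`, tagged under a different key, or left untagged keeps hitting the Deny, whatever the identity policy in the member account allows.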

231
Multi-Select · medium

A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.

Select 3 answers
A. Enable S3 Block Public Access on both the bucket and the AWS account.
B. Continue using object ACLs so each customer invoice can be made public briefly.
C. Configure Bucket owner enforced object ownership to disable ACLs.
D. Generate presigned URLs for customers to download specific invoices for a limited time.
E. Move the bucket to another AWS Region to isolate it from the internet.
Answers: A, C, D

Block Public Access prevents accidental public exposure through bucket policies, ACLs, and other public settings. It is a strong baseline control when the data must remain private.

Why this answer

Option A is correct because enabling S3 Block Public Access at both the bucket and account level ensures that no public access can be granted to the bucket or its objects, which aligns with the requirement to keep the bucket private. This setting overrides any other permissions that might inadvertently allow public access, providing a strong security baseline.

Exam trap

The trap here is that candidates might think moving the bucket to a different region or using ACLs can solve the temporary access requirement, but they overlook that S3 Block Public Access and presigned URLs are the correct mechanisms for private, time-limited access without ACLs.

232
Multi-Select · medium

A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.

Select 2 answers
A. An Amazon S3 gateway endpoint for private S3 access.
B. An AWS Secrets Manager interface endpoint for private secret retrieval.
C. A NAT Gateway in the public subnet.
D. An Internet Gateway attached to the VPC.
E. A DynamoDB gateway endpoint for the log upload path.
Answers: A, B

S3 supports gateway endpoints, which route traffic through the AWS network without requiring a NAT gateway or internet gateway. This is the lowest-overhead private access option for S3.

Why this answer

Amazon S3 gateway endpoints allow private subnet resources to access S3 without traversing the internet, using prefix lists and route table entries to direct traffic through AWS's internal network. This satisfies the security team's no-egress requirement and incurs no hourly cost, offering the lowest operational overhead for S3 access.

Exam trap

The trap here is that candidates often confuse gateway endpoints (for S3 and DynamoDB) with interface endpoints (for most other AWS services), and may incorrectly select a DynamoDB gateway endpoint for S3 or assume a NAT Gateway is required for private subnet access to AWS services.
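The endpoint pattern from questions 226, 227 and 232, as an added example (not from the question bank): one gateway endpoint for S3 wired into the private route tables, and interface endpoints for Secrets Manager and Systems Manager. The VPC, route tables, subnets, security group and the log bucket name are placeholders passed in as parameters.

```yaml
# Added example, not from the question bank. Placeholders: the VPC, private
# route tables, private subnets, endpoint security group and the log bucket
# are assumed to exist and are passed in as parameters.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private access to S3 (gateway endpoint) and Secrets Manager / SSM (interface endpoints)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableIds:
    Type: CommaDelimitedList          # one private route table per AZ
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>  # one private subnet per AZ
  EndpointSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id # must allow TCP 443 from the workload
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      # A prefix-list route is added to each table; no ENI, no hourly charge.
      RouteTableIds: !Ref PrivateRouteTableIds
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:PutObject
              - s3:GetObject
            Resource: arn:aws:s3:::example-logs-bucket/*   # placeholder bucket
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface       # PrivateLink: an ENI with a private IP per subnet
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroupId]
      PrivateDnsEnabled: true          # the SDK's default hostname resolves to the ENI IPs
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm   # Parameter Store API
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroupId]
      PrivateDnsEnabled: true
```

The endpoint policy on the S3 gateway endpoint is optional but keeps egress least-privilege: only the named bucket is reachable through it. No route to an internet gateway or NAT gateway is needed for any of the three paths, and the private route tables can stay without a default route at all.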

233
MCQ · easy

You must ensure that all requests to an S3 bucket use TLS (HTTPS). Which S3 bucket policy approach best enforces this requirement for S3 access?

A. Allow all principals to GetObject when aws:SecureTransport is true
B. Use a policy statement that explicitly Denies any action when aws:SecureTransport is false
C. Deny requests only when the bucket name is not matched exactly in the request
D. Require that the requester uses SSE-KMS and reject requests without SSE-KMS configuration
Answer: B

A bucket policy statement with Effect = Deny and a condition aws:SecureTransport = false blocks non-HTTPS requests. Because explicit Deny overrides Allow during policy evaluation, this prevents access for any request that does not use TLS, even if other statements grant permissions.

Why this answer

Option B is correct because the `aws:SecureTransport` condition key evaluates whether the request was sent using TLS. By explicitly denying all S3 actions when `aws:SecureTransport` is false, any HTTP request is rejected, ensuring only HTTPS requests succeed. This approach uses an explicit deny, which overrides any allow, making it the most secure and reliable method to enforce TLS.

Exam trap

The trap here is that candidates confuse encryption in transit (TLS/HTTPS) with encryption at rest (SSE-KMS or SSE-S3), leading them to select Option D, which does not address the transport security requirement.

How to eliminate wrong answers

Option A is wrong because an allow statement with `aws:SecureTransport: true` does not block HTTP requests; it only permits HTTPS, but any other policy that allows access (e.g., a public bucket policy) could still allow HTTP requests. Option C is wrong because matching the bucket name has no relation to TLS enforcement; it addresses routing or bucket identification, not transport security. Option D is wrong because requiring SSE-KMS enforces encryption at rest, not encryption in transit (TLS); requests without SSE-KMS could still be sent over HTTP, violating the requirement.
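The Deny statement that Option B describes, as an added example (not from the question bank). The bucket is created in the same template only to keep the snippet self-contained; in practice the policy attaches to the existing bucket.

```yaml
# Added example, not from the question bank. The bucket is created here only
# so the template stands alone; the policy is the part that matters.
AWSTemplateFormatVersion: "2010-09-09"
Description: Bucket policy that refuses any request not made over TLS
Resources:
  DataBucket:
    Type: AWS::S3::Bucket
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"           # every caller, including the bucket owner's own roles
            Action: s3:*             # bucket-level and object-level operations alike
            Resource:
              - !GetAtt DataBucket.Arn
              - !Sub "${DataBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"   # true only for HTTPS requests
```

Listing both the bucket ARN and `bucket/*` matters: object actions match the second resource, bucket actions such as ListBucket match the first. After deployment, a plain `http://` request to the bucket returns 403 AccessDenied regardless of what other statements allow, because an explicit Deny wins in policy evaluation; the Allow-when-true form in Option A would leave HTTP open wherever another statement grants access.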

234
MCQ · medium

A mobile banking backend stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured? The design must avoid adding custom operational scripts.

A. S3 server access logging
B. S3 lifecycle expiration after seven years
C. S3 versioning only
D. S3 Object Lock in compliance mode with an appropriate retention period
Answer: D

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of immutable audit logs for seven years without custom scripts. Compliance mode enforces a legal hold that cannot be removed by any user, ensuring logs are write-once-read-many (WORM) protected.

Exam trap

The trap here is that candidates often choose versioning (option C) thinking it prevents deletion, but versioning alone does not block overwrites or permanent deletion of the current version without additional safeguards like MFA delete or Object Lock.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket; it does not prevent deletion or overwriting of existing logs. Option B is wrong because S3 lifecycle expiration deletes objects after a set period, which would violate the requirement to prevent deletion for seven years. Option C is wrong because S3 versioning alone preserves previous versions but does not prevent deletion of the current version or overwrites; it requires additional controls like MFA delete or Object Lock to enforce immutability.
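The Object Lock configuration that Option D calls for, as an added example (not from the question bank). Resource names are placeholders.

```yaml
# Added example, not from the question bank. The bucket name is generated by
# CloudFormation; only the lock settings are the point here.
AWSTemplateFormatVersion: "2010-09-09"
Description: WORM audit-log bucket with seven-year compliance-mode retention
Resources:
  AuditLogBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain           # stack deletion must not attempt to remove the logs
    Properties:
      ObjectLockEnabled: true
      VersioningConfiguration:
        Status: Enabled              # Object Lock requires versioning
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: COMPLIANCE         # no principal, root included, can shorten or remove it
            Years: 7                 # applied to every new object version
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```

Try this on a throwaway bucket first: once an object version is under a compliance-mode retention it cannot be deleted until the retention date, so a mistaken `Years` value cannot be corrected for objects already written.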

235
MCQ · easy

Based on the exhibit, what should the architect recommend to reduce inter-node latency for this workload?

A. Use a spread placement group so each instance is placed on separate hardware.
B. Launch the instances in a cluster placement group within the same Availability Zone.
C. Move the instances into different Availability Zones to improve fault tolerance.
D. Use a partition placement group to balance traffic across partitions.
Answer: B

A cluster placement group places instances close together in a single Availability Zone, which is the best choice for workloads that exchange many small messages and need very low network latency. This design is common for tightly coupled compute, analytics, and HPC-style applications. Because the workload is not bandwidth-saturated but latency-sensitive, proximity matters more than broader distribution.

Why this answer

A cluster placement group provides the lowest possible latency and highest packet-per-second performance by ensuring instances are placed in close physical proximity within a single Availability Zone. This is ideal for tightly coupled, high-performance computing workloads that require low inter-node latency.

Exam trap

The trap here is that candidates confuse placement group types, assuming 'spread' or 'partition' can also reduce latency, when only cluster placement groups are designed for low-latency, high-throughput networking within a single AZ.

How to eliminate wrong answers

Option A is wrong because a spread placement group places instances on separate hardware to reduce correlated failures, not to minimize latency; it actually increases inter-node latency due to physical separation. Option C is wrong because moving instances into different Availability Zones increases network distance and latency, which is the opposite of what is needed. Option D is wrong because a partition placement group is designed to isolate instances across logical partitions for fault tolerance, not to reduce latency, and it does not guarantee close physical proximity.

236
MCQ · medium

A Lambda function for a mobile banking backend needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A. An encrypted object in Amazon S3
B. AWS Secrets Manager with rotation enabled
C. AWS Systems Manager Parameter Store SecureString without automation
D. A KMS-encrypted Lambda environment variable
Answer: B

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it provides built-in automatic rotation of secrets (e.g., database passwords) with a configurable rotation interval (e.g., 30 days). It integrates natively with AWS Lambda via the AWS SDK, allowing the function to retrieve the password at runtime without storing it in environment variables. Secrets Manager also encrypts secrets at rest using KMS and supports automatic rotation via a Lambda rotation function, meeting both the security and rotation requirements.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, but Parameter Store does not support automatic rotation without custom automation, making it unsuitable for a 30-day rotation requirement.

How to eliminate wrong answers

Option A is wrong because storing an encrypted object in Amazon S3 does not provide automatic rotation of the password; you would need to manually manage rotation and versioning, and the Lambda function would require additional logic to decrypt and rotate the secret. Option C is wrong because AWS Systems Manager Parameter Store SecureString without automation lacks built-in automatic rotation; you would need to implement custom rotation logic, and Parameter Store does not natively support scheduled rotation like Secrets Manager. Option D is wrong because a KMS-encrypted Lambda environment variable is static and cannot be rotated automatically; the password would remain the same until the Lambda function is redeployed, and environment variables are visible in the function configuration, violating the requirement to not store the password in environment variables.

237
MCQ · medium

Company A (account 1111) hosts an IAM role (RoleInAccountA) that is assumed by a workload in Company B (account 2222) using sts:AssumeRole. Security requires that only Company B’s intended workload can assume the role, even if another principal in account 2222 tries to assume it. The trust policy already restricts who can assume the role to account 2222. What additional trust policy condition most directly satisfies this requirement?

A. Add a condition requiring sts:ExternalId to equal a specific value that Company B’s workload must provide in sts:AssumeRole.
B. Add a condition requiring aws:PrincipalArn to start with arn:aws:iam::2222:role/.
C. Add a condition requiring sts:RoleSessionName to match the string "integration".
D. Rely only on an SCP in account 1111 to block all sts:AssumeRole calls except from Company B’s OU.
Answer: A

An ExternalId acts as a shared secret known only to the intended workload (or integration). Adding a sts:ExternalId condition causes sts:AssumeRole to fail for any other principals in account 2222 that do not supply the correct ExternalId, directly mitigating confused-deputy scenarios.

Why this answer

Option A is correct because the sts:ExternalId condition key is specifically designed to prevent the confused deputy problem. By requiring a unique external ID that only Company B's intended workload knows and passes in the sts:AssumeRole call, the trust policy ensures that even if another principal in account 2222 attempts to assume the role, it cannot provide the correct external ID, thus blocking the request.

Exam trap

The trap here is that candidates often confuse the purpose of sts:RoleSessionName (which is for auditing, not security) or assume that restricting by principal ARN prefix is sufficient, but they overlook that any role in account 2222 could match that prefix, failing to isolate the specific workload.

How to eliminate wrong answers

Option B is wrong because aws:PrincipalArn can be spoofed or misused; the trust policy already restricts to account 2222, but any role in that account (including unintended ones) could match the prefix, so it does not uniquely identify the specific workload. Option C is wrong because sts:RoleSessionName is a user-supplied string that can be arbitrarily set by any caller; it is not a secure mechanism to enforce workload identity and can be easily bypassed. Option D is wrong because SCPs in account 1111 cannot restrict actions within account 2222; SCPs are applied to the account that owns the role (1111) and cannot control which principals in account 2222 can assume the role—they only affect permissions for principals in the same organization.
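The trust policy with the `sts:ExternalId` condition from Option A, as an added example (not from the question bank). The 12-digit IDs 111111111111 and 222222222222 are placeholders standing in for the question's accounts 1111 and 2222, the S3 permission is an illustrative workload permission, and the ExternalId value is supplied at deploy time.

```yaml
# Added example, not from the question bank. Placeholders: 222222222222 stands
# for Company B's account 2222, the S3 bucket is illustrative, and the
# ExternalId value is supplied at deploy time and shared only with Company B.
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account role that only Company B's intended workload can assume
Parameters:
  ExternalId:
    Type: String
    NoEcho: true                    # keep the value out of stack outputs and consoles
    MinLength: 16
Resources:
  RoleInAccountA:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RoleInAccountA
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::222222222222:root   # account 2222 may delegate AssumeRole...
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId      # ...but only callers presenting this value succeed
      Policies:
        - PolicyName: IntegrationReadOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-integration-bucket/*   # placeholder
```

Company B's workload passes the value with `aws sts assume-role --role-arn <RoleInAccountA ARN> --role-session-name integration --external-id <value>`; a principal in account 2222 that omits it or sends a different value gets AccessDenied, which is the confused-deputy protection the question is after. The session name is still free-form and only useful for CloudTrail attribution, exactly as the explanation of Option C says.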

238
Matching · hard

Match each operational condition to the load balancing or Auto Scaling behavior that should occur.


Concepts
Matches

The target is marked unhealthy by the ALB health check and removed from routing until it passes again.

The Auto Scaling health check grace period prevents premature termination while startup work completes.

Instances that fail load balancer health checks are considered unhealthy by the group and are replaced automatically.

The health check verifies protocol and port reachability rather than an HTTP response body or status code.

Using EC2 health checks allows Auto Scaling to replace the instance even when the app itself has not reported an error.

Why these pairings

Auto Scaling adds instances when metrics like CPU or network exceed thresholds; load balancer scales based on request count; unhealthy hosts trigger replacement.

239
MCQ · medium

A company uses IAM permission boundaries to prevent developers from escalating privileges. The security team created a permission boundary that allows only read-only actions on most AWS services, but teams can still manage their own resources. A developer can create an IAM role with broad permissions, and the boundary does not appear to be restricting it. Which corrective action best aligns with how permission boundaries work?

A. Rely on an AWS-managed policy attached to the developer’s IAM user; permission boundaries only apply to users.
B. Ensure the role creation process sets the permission boundary on the new role, using the boundary’s ARN in the CreateRole call or role template.
C. Attach the permission boundary policy as an SCP in AWS Organizations so it automatically applies to all roles.
D. Grant the developer IAM permissions to add a “deny” statement to the boundary policy so the boundary blocks escalation.
Answer: B

Permission boundaries are evaluated based on the boundary attached to the principal/role being created or used. If a developer creates roles without specifying the boundary, the boundary won’t restrict the resulting permissions. Enforcing boundary attachment via role templates or required parameters ensures every created role is constrained.

Why this answer

Permission boundaries must be explicitly applied to a role during its creation (via the `CreateRole` API call or an infrastructure-as-code template). Without setting the boundary ARN, the role inherits no restriction, allowing the developer to create a role with broad permissions that bypasses the intended boundary. Option B correctly identifies that the role creation process must include the boundary ARN to enforce the limitation.

Exam trap

The trap here is that candidates assume permission boundaries are automatically inherited or enforced by default, when in fact they must be explicitly applied to each role during creation, and SCPs are often confused as a substitute for permission boundaries.

How to eliminate wrong answers

Option A is wrong because permission boundaries apply to IAM roles and users, not just users; the developer's user policy does not restrict roles they create unless the boundary is applied to the role. Option C is wrong because SCPs (Service Control Policies) operate at the AWS Organizations account level and cannot be attached to individual roles; they provide a maximum permission guardrail but do not replace the need for a permission boundary on the role. Option D is wrong because a developer cannot modify a permission boundary policy after it is created; the boundary is a separate policy document that the developer cannot edit, and adding a 'deny' statement would require permissions the developer does not have.
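An added example (not from the question bank) that covers questions 229 and 239 together: a DeployBoundary that allows iam:CreateRole only on a scoped resource ARN, an AppDeployRole created with that boundary attached, and a developer policy that permits role creation only when the call names the boundary. The account ID 111122223333, the `app-*` role-name scope and the CodeBuild trust principal are placeholders; the `iam:PermissionsBoundary` condition key in the developer policy is a standard IAM condition key that the page itself does not mention.

```yaml
# Added example, not from the question bank. Placeholders: account
# 111122223333, the app-* role-name scope and the CodeBuild trust principal.
AWSTemplateFormatVersion: "2010-09-09"
Description: Permission boundary that is both scoped (Q229) and enforced at role creation (Q239)
Resources:
  DeployBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeployBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Question 229: the boundary must itself allow iam:CreateRole, scoped
          # to the required ARNs, or the identity policy's Allow has no effect.
          - Sid: AllowScopedRoleCreation
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:GetRole
            Resource: arn:aws:iam::111122223333:role/app-*
          - Sid: ReadOnlyElsewhere
            Effect: Allow
            Action:
              - s3:Get*
              - s3:List*
            Resource: "*"
  AppDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AppDeployRole
      PermissionsBoundary: !Ref DeployBoundary   # attached at creation, not afterwards
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com   # placeholder workload principal
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AppDeployIdentityPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Effective permission = this Allow INTERSECTED with the boundary.
              - Effect: Allow
                Action: iam:CreateRole
                Resource: arn:aws:iam::111122223333:role/app-*
  DeveloperRoleCreationPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperRoleCreation
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Question 239: a role created WITHOUT a boundary is unconstrained, so
          # CreateRole is only allowed when the request names DeployBoundary.
          - Sid: CreateRolesOnlyWithBoundary
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:AttachRolePolicy
              - iam:PutRolePolicy
            Resource: arn:aws:iam::111122223333:role/app-*
            Condition:
              StringEquals:
                iam:PermissionsBoundary: !Ref DeployBoundary
          # And developers must not be able to strip the boundary afterwards.
          - Sid: DenyBoundaryRemoval
            Effect: Deny
            Action: iam:DeleteRolePermissionsBoundary
            Resource: "*"
```

The two halves address the two failure modes on this page: Q229's AccessDenied disappears once the boundary contains the action, and Q239's unconstrained role cannot be created at all because a CreateRole call without `--permissions-boundary` fails the condition. Attaching `DeveloperRoleCreation` to the developers' principals is what makes the boundary mandatory rather than optional.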

240
MCQ · hard

Based on the exhibit, the security team needs to detect and alert on both successful and failed attempts to change S3 bucket policies and KMS key policies across the organization. Which solution best meets that requirement?

A. Enable an organization trail for management events in all regions and create an EventBridge rule that matches PutBucketPolicy and PutKeyPolicy, then send alerts to SNS.
B. Enable AWS Config in all accounts and use only a periodic compliance evaluation to alert when bucket or key policies drift.
C. Use IAM Access Analyzer because it continuously blocks policy changes that would expose the resources publicly.
D. Turn on S3 server access logging and KMS key rotation, because both services will capture policy modifications automatically.
Answer: A

CloudTrail management events record API activity, including failed attempts, and an organization trail provides coverage across accounts and Regions. EventBridge can react to those API calls in near real time and route notifications to SNS. This is the clean detective-control pattern for policy-change auditing.

Why this answer

Option A is correct because AWS CloudTrail management events capture all API calls that modify S3 bucket policies (PutBucketPolicy) and KMS key policies (PutKeyPolicy). By enabling an organization trail for all regions, you centralize these events across the entire AWS Organization. An Amazon EventBridge rule can then filter for these specific API calls and send alerts via Amazon SNS, meeting the requirement to detect both successful and failed attempts.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance checks or IAM Access Analyzer's policy analysis with real-time API call monitoring, failing to realize that only CloudTrail management events capture every attempt (including failures) to change policies.

How to eliminate wrong answers

Option B is wrong because AWS Config periodic compliance evaluations only check resource compliance at scheduled intervals, not in real-time, and they do not directly capture or alert on every API call attempt (including failed ones) to change policies. Option C is wrong because IAM Access Analyzer is designed to analyze resource-based policies for unintended public or cross-account access, not to block or alert on all policy change attempts; it does not continuously block changes or capture failed attempts. Option D is wrong because S3 server access logging logs object-level access requests, not management API calls like PutBucketPolicy, and KMS key rotation does not capture policy modifications; neither service logs policy change attempts.
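The detection rule from Option A, as an added example (not from the question bank). It assumes the organization trail already records management events and that this stack is deployed into each account and Region where the calls can occur (for example through StackSets), because CloudTrail API-call events reach EventBridge in the account and Region where the call was made; the topic subscribers are left out.

```yaml
# Added example, not from the question bank. Assumptions: an organization
# trail records management events; this stack is deployed in every account and
# Region where PutBucketPolicy / PutKeyPolicy can be called.
AWSTemplateFormatVersion: "2010-09-09"
Description: Alert on every attempt, successful or denied, to change S3 bucket or KMS key policies
Resources:
  PolicyChangeTopic:
    Type: AWS::SNS::Topic
  PolicyChangeTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref PolicyChangeTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com   # lets the rule publish to the topic
            Action: sns:Publish
            Resource: !Ref PolicyChangeTopic
  PolicyChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Description: S3 bucket policy and KMS key policy changes, including denied attempts
      State: ENABLED
      EventPattern:
        source:
          - aws.s3
          - aws.kms
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventName:
            - PutBucketPolicy
            - PutKeyPolicy
          # Deliberately no errorCode filter: a denied call still produces a
          # CloudTrail event (errorCode AccessDenied) and must alert as well.
      Targets:
        - Id: notify-security
          Arn: !Ref PolicyChangeTopic
```

Adding `errorCode` to the pattern is the common mistake: it would silently turn this into a successes-only alert. The same pattern extends naturally to `DeleteBucketPolicy`, which removes a policy rather than changing it, and to `PutBucketAcl` if ACLs are in use.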

241
MCQ · medium

You have an S3 bucket that stores customer-specific private files. You want to serve these files through CloudFront, where clients must use signed cookies (or signed URLs) to access the content. In addition, you need to block common web exploits and rate-limit suspicious traffic at the edge. Which design best meets these requirements?

A. Keep the S3 bucket private, configure CloudFront with Origin Access Control so only CloudFront can access the origin, require signed cookies/URLs for viewers, and associate an AWS WAF web ACL with CloudFront for blocking and rate limiting.
B. Enable public read access on the S3 bucket and rely on WAF alone for authorization because WAF can validate signatures.
C. Configure CloudFront with signed URLs but do not change the S3 bucket access settings; leaving public access enabled is acceptable since CloudFront can filter traffic.
D. Use WAF at CloudFront but omit signed cookies/URLs because rate limiting and exploit blocking already provide access control for private files.
Answer: A

This ensures S3 remains non-public while CloudFront becomes the only origin access path using Origin Access Control. Signed cookies/URLs enforce authenticated authorization at the edge for each request. Attaching AWS WAF adds request inspection and protections like rate limiting and exploit blocking.

Why this answer

Option A is correct because it combines a private S3 bucket with Origin Access Control (OAC) to ensure only CloudFront can access the origin, enforces signed cookies/URLs for viewer authentication, and uses AWS WAF at the edge to block common web exploits and rate-limit suspicious traffic. This layered approach provides both authorization (via signed requests) and security filtering (via WAF) at the CloudFront edge, meeting all requirements.

Exam trap

The trap here is that candidates often think WAF can handle authorization (like validating signed URLs) or that leaving the S3 bucket public is acceptable if CloudFront is used, but WAF cannot verify cryptographic signatures and a public bucket allows direct access bypassing CloudFront's authentication.

How to eliminate wrong answers

Option B is wrong because enabling public read access on the S3 bucket bypasses the need for signed cookies/URLs, and WAF cannot validate signatures; WAF inspects HTTP headers, URI paths, and IP addresses, but does not have the capability to verify CloudFront signed URL or signed cookie cryptographic signatures. Option C is wrong because leaving the S3 bucket publicly accessible defeats the purpose of using signed URLs; CloudFront does not filter traffic based on signed URLs at the origin level, so a public bucket would allow direct access to objects without authentication. Option D is wrong because omitting signed cookies/URLs means there is no mechanism to restrict access to authorized viewers only; WAF rate limiting and exploit blocking do not provide authentication or authorization for private content.

242
MCQ · hard

Based on the exhibit, a public API is behind CloudFront and is experiencing bursts of requests from the same client IP, causing upstream saturation. The team wants AWS to automatically block that IP when the request rate becomes excessive while keeping enforcement as close to the client as possible. Which control should they add?

A. Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded.
B. Add a network ACL rule that denies the source IP after five requests are observed.
C. Enable AWS Shield Advanced and create a custom protection group for the single IP address.
D. Place the API behind a security group rule that allows only the current client IP range.
Answer: A

AWS WAF rate-based rules are purpose-built for this use case. They evaluate the HTTP request rate from a source IP over a sliding window and can automatically block, CAPTCHA, or count when the threshold is exceeded. Attaching the Web ACL to CloudFront enforces the control at the edge, so abusive requests are stopped before they reach the origin and consume upstream capacity.

Why this answer

AWS WAF rate-based rules are designed to automatically block IP addresses that exceed a specified request rate within a 5-minute evaluation window. By attaching this rule to a CloudFront distribution, enforcement occurs at the edge location closest to the client, preventing excessive requests from reaching the upstream API and mitigating saturation.

Exam trap

The trap here is confusing stateless network ACLs or static security groups with the automatic, rate-aware blocking capability of AWS WAF, leading candidates to choose a manual or non-scalable solution.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and require manual intervention to add or remove rules; they cannot automatically block an IP after a threshold of requests is observed. Option C is wrong because AWS Shield Advanced provides DDoS protection and custom protection groups for resource-level mitigation, not automatic per-IP rate limiting based on request count. Option D is wrong because security group rules are stateful and cannot dynamically update to block a specific client IP based on request rate; they only allow or deny traffic based on static rules.

243
MCQ · hard

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

A. Add a NAT gateway to the private subnet route table and keep using the public Secrets Manager endpoint.
B. Create an interface VPC endpoint for Secrets Manager and enable private DNS for the endpoint.
C. Create a gateway VPC endpoint for Secrets Manager and point the route table to it.
D. Use VPC peering to connect the application subnet to another VPC that already has internet access.
Answer: B

An interface endpoint keeps API calls on the AWS network and private DNS makes the standard service name resolve to the private endpoint.

Why this answer

Option B is correct because an interface VPC endpoint for Secrets Manager allows the application in the private subnet to securely access Secrets Manager over the AWS network using private IP addresses, without needing a NAT gateway or internet gateway. Enabling private DNS ensures that the default Secrets Manager DNS name resolves to the endpoint's private IP addresses, keeping all traffic within the AWS backbone and satisfying the security requirement.

Exam trap

The trap here is that candidates confuse gateway VPC endpoints (which work only for S3 and DynamoDB) with interface VPC endpoints (which are used for most other AWS services including Secrets Manager), leading them to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because adding a NAT gateway would route traffic to the public Secrets Manager endpoint over the internet, violating the requirement that traffic must not traverse the public internet. Option C is wrong because gateway VPC endpoints are only supported for AWS services like S3 and DynamoDB, not for Secrets Manager, which requires an interface endpoint. Option D is wrong because VPC peering with another VPC that has internet access still requires the application to go through a NAT or internet gateway to reach Secrets Manager, breaking the 'no public internet' rule and adding unnecessary complexity.

244
MCQ · medium

A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?

A. Attach an AWS WAF Web ACL to CloudFront and allow public reads on the S3 bucket so WAF can block direct object access.
B. Use CloudFront Origin Access Control (OAC) and update the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and aws:SourceArn equals the CloudFront distribution ARN.
C. Create IAM users with s3:GetObject permissions and share the IAM credentials with customers so they can fetch objects directly from S3.
D. Enable S3 static website hosting on the bucket and use the S3 website endpoint as the CloudFront origin so access controls can be enforced at CloudFront.
Answer: B

With OAC, CloudFront signs requests to S3 using an AWS-managed identity (the cloudfront.amazonaws.com service principal). A bucket policy that allows s3:GetObject only when aws:SourceArn matches your specific CloudFront distribution ARN ensures the bucket is not readable from S3 by other principals. Direct S3 requests from users do not present the required CloudFront context, so they are denied at S3 authorization time.

Why this answer

Option B is correct because CloudFront Origin Access Control (OAC) allows you to restrict S3 bucket access exclusively to CloudFront. By configuring the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and the aws:SourceArn matches the CloudFront distribution ARN, you ensure that direct S3 URL requests are denied, even if the bucket name and object key are known. This prevents any unauthorized direct access to the S3 bucket.

Exam trap

The trap here is that candidates often confuse CloudFront's ability to cache content with its ability to enforce access control, mistakenly thinking that enabling static website hosting or using WAF alone can prevent direct S3 access, when in fact only Origin Access Control (or OAI) with a properly scoped bucket policy can achieve this.

How to eliminate wrong answers

Option A is wrong because AWS WAF operates at the application layer (Layer 7) and cannot block direct S3 URL access; it only filters HTTP/HTTPS requests to CloudFront, and allowing public reads on the S3 bucket would still permit direct S3 access. Option C is wrong because sharing IAM credentials with customers violates security best practices, and it does not prevent direct S3 URL access if the credentials are used outside CloudFront. Option D is wrong because enabling S3 static website hosting does not restrict access to CloudFront; the S3 website endpoint is publicly accessible and does not enforce CloudFront-only access controls.
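
A complete bucket policy for the OAC pattern in Option B, added here as a worked illustration (it is not part of the question bank). The bucket name, the account ID 123456789012 and the distribution ID EXAMPLEDISTID are placeholders to replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-docs-example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"
        }
      }
    }
  ]
}
```

This Allow statement is the only grant on the bucket, so a request that arrives directly at an S3 URL carries neither the cloudfront.amazonaws.com principal nor a matching aws:SourceArn and falls through to the implicit deny. Keep S3 Block Public Access enabled on the bucket as well, so that a later ACL or policy change cannot quietly reopen direct access, and scope the condition to a single distribution ARN rather than a wildcard so another distribution in the same account cannot be pointed at the bucket.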

245
MCQ · hard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A. A security group rule that allows HTTPS to S3
B. A condition that matches aws:RequestedRegion to the bucket Region
C. A deny statement for all IAM users except the EC2 role
D. A condition that matches aws:sourceVpce to the endpoint ID
Answer: D

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access to requests that originate from a specific VPC endpoint (a Gateway VPC Endpoint for S3). This ensures that only traffic flowing through that endpoint can access the bucket, meeting the security team's requirement. The EC2 instance in the private subnet routes S3 traffic through the endpoint via the subnet's route table, and the bucket policy enforces the restriction at the resource level.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceVpc` or think that a security group rule (Option A) can enforce endpoint-based access, but only the bucket policy condition key can restrict based on the specific VPC endpoint ID.

How to eliminate wrong answers

Option A is wrong because security group rules control network traffic at the instance level, not at the S3 bucket policy level, and they cannot enforce that traffic must come through a specific VPC endpoint. Option B is wrong because `aws:RequestedRegion` checks the AWS Region in the request, not the VPC endpoint used; it does not restrict traffic to a specific endpoint. Option C is wrong because denying all IAM users except the EC2 role would block legitimate access from other authorized principals (e.g., cross-account roles or services) and does not enforce the endpoint requirement.
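
The aws:sourceVpce condition from Option D in a complete bucket policy, added here as a constructed example rather than text from the question bank. The bucket name and the endpoint ID vpce-0123456789example are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessUnlessViaApprovedEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::regulated-exports-example-bucket",
        "arn:aws:s3:::regulated-exports-example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-0123456789example"
        }
      }
    }
  ]
}
```

The statement is written as an explicit Deny so that it applies regardless of what identity-based policies grant; the EC2 role still needs its own s3:GetObject allow, and that allow is only effective when the request context carries the approved endpoint ID. Because a Deny with Principal "*" also covers administrators reaching the bucket from outside the endpoint (including from the console), test it on a non-production bucket first and, if a break-glass path is required, add an aws:PrincipalArn condition to the same statement so the deny does not apply to that one role.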

246
MCQ · medium

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used. Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging. Which approach best satisfies the requirement?

A. Enable an AWS Organizations CloudTrail organization trail that delivers management event logs (including IAM) to a centralized S3 bucket in a dedicated audit account, for all regions.
B. Use CloudWatch Logs metric filters on application logs to infer which principals changed trust policies.
C. Rely on GuardDuty alerts to provide the full request parameters for every IAM policy change.
D. Enable AWS Config only and store periodic snapshots without CloudTrail management events.
Answer: A

CloudTrail management events provide authoritative audit logs for API actions like IAM policy changes and can be centralized via an organization trail.

Why this answer

Option A is correct because an AWS Organizations CloudTrail organization trail captures management events (including IAM API calls like ChangeTrustPolicy) across all accounts and regions, storing immutable logs in a centralized S3 bucket in a dedicated audit account. This provides the exact principal ARN, source IP, and request parameters needed for forensic investigation, meeting the immutable and centralized audit requirement.

Exam trap

The trap here is that candidates may confuse AWS Config's configuration tracking with CloudTrail's API-level auditing, or assume GuardDuty provides detailed request parameters, but only CloudTrail management events capture the full principal identity and API call details required for forensic analysis.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs metric filters on application logs cannot capture the full API request parameters or the exact principal identity for IAM changes; they only analyze log text patterns and lack the granularity of CloudTrail management events. Option C is wrong because GuardDuty alerts are designed for threat detection (e.g., anomalous API behavior) and do not provide the complete request parameters or a centralized, immutable audit trail of every IAM policy change. Option D is wrong because AWS Config alone records resource configuration snapshots and changes but does not capture who made the change or the API request parameters; it requires CloudTrail to provide the identity and source of changes.

247
Multi-Select · medium

An application in Account B reads objects from an Amazon S3 bucket in Account A. The bucket uses SSE-KMS with a customer managed key in Account A. The role in Account B already has s3:GetObject, but downloads fail with AccessDenied on decrypt. Which two changes are required for the role to read the object successfully? Select two.

Select 2 answers
A. Add an SCP that grants the role additional permissions for KMS usage.
B. Add kms:Decrypt permission in the role's IAM policy for the KMS key.
C. Update the KMS key policy in Account A to allow the role from Account B to use Decrypt.
D. Grant the role read access with an S3 bucket ACL.
E. Enable S3 Transfer Acceleration on the bucket.
Answers: B, C

The caller needs an identity-based permission that allows kms:Decrypt on the specific CMK used to encrypt the S3 object. Without that allow statement, KMS denies the decrypt request even if S3 access is permitted.

Why this answer

Option B is correct because the role in Account B needs explicit kms:Decrypt permission in its IAM policy to use the KMS key for decrypting the S3 objects. Option C is correct because the KMS key policy in Account A must grant the role from Account B permission to call kms:Decrypt, as the key is customer managed and cross-account access requires both the key policy and the IAM policy to allow the action.

Exam trap

The trap here is that candidates often think only the IAM policy (Option B) is needed, forgetting that cross-account KMS access requires the key policy (Option C) to explicitly grant the external role decrypt permission, as IAM policies alone are insufficient for resource-based policies like KMS key policies.
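
The Account A side of the fix (Option C) as a complete KMS key policy, added here as a worked example that is not part of the question bank. The account IDs 111111111111 (Account A) and 222222222222 (Account B), the role name AppReaderRole and the Region us-east-1 are placeholders:

```json
{
  "Version": "2012-10-17",
  "Id": "cross-account-s3-decrypt-example",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccountBRoleToDecryptViaS3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/AppReaderRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The first statement is the usual key-administration grant to the key owner's account; a key policy written with only the cross-account statement would lock the owning account out of its own key. The kms:ViaService condition goes one step beyond the question: it lets Account B's role use the key only through S3 in that Region, so the same role cannot call kms:Decrypt directly against arbitrary ciphertext. The Option B half in Account B is the matching identity policy statement on AppReaderRole, `{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111111111111:key/KEY-ID-PLACEHOLDER"}`, where the key ARN is again a placeholder; cross-account KMS access succeeds only when both documents allow the call.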

248
MCQ · medium

A company hosts an image-sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use? The design must avoid adding custom operational scripts.

A. AWS Systems Manager Session Manager with the required instance role
B. An internet gateway attached to the private subnet
C. A public Elastic IP address on each instance
D. A bastion host with SSH open to 0.0.0.0/0
Answer: A

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH 22 or RDP 3389) to the internet. It uses the AWS Systems Manager agent and an IAM instance role to establish a bidirectional connection via the AWS API, eliminating the need for a bastion host or public IP. This meets the requirement of avoiding custom operational scripts because Session Manager is a fully managed service with no additional configuration beyond the agent and role.

Exam trap

The trap here is that candidates may think a bastion host or public IP is necessary for administrative access, failing to recognize that AWS Systems Manager Session Manager provides secure, agent-based access without opening any inbound ports or requiring custom scripts.

How to eliminate wrong answers

Option B is wrong because an internet gateway attached to a private subnet does not provide administrative access; it only enables outbound internet traffic for instances in that subnet, and inbound connections still require a public IP or NAT device. Option C is wrong because assigning a public Elastic IP address to each instance would expose SSH or RDP ports to the internet, violating the requirement to avoid opening those ports. Option D is wrong because a bastion host with SSH open to 0.0.0.0/0 explicitly opens port 22 to the entire internet, which is insecure and contradicts the requirement to avoid opening SSH or RDP ports to the internet.

249
MCQ · medium

Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?

A. Expose the NLB with an Internet Gateway route and restrict access using a security group attached to the NLB.
B. Create a VPC endpoint (interface endpoint) in the consumer VPC that points to the service name published by the provider account, and limit allowed clients using the endpoint’s security group rules.
C. Create an S3 Gateway endpoint in the consumer VPC and store the service hostname in SSM Parameter Store so clients can resolve privately.
D. Use a bastion host in the provider VPC and allow the consumer VPC to SSH to it; from there, the consumer makes HTTP calls to the NLB.
Answer: B

PrivateLink uses an interface VPC endpoint in the consumer VPC (using the provider’s published service name). Traffic stays on the AWS network, not the public internet. Security groups on the interface endpoint provide least-privilege control over which client resources can reach the endpoint, and the provider side can also restrict who can connect.

Why this answer

Option B is correct because AWS PrivateLink uses an interface VPC endpoint in the consumer VPC to connect privately to a Network Load Balancer (NLB) in the provider VPC, without traversing the public internet. The endpoint’s security group acts as a least-privilege firewall, allowing only specific clients (by source IP or security group) to access the service. This keeps traffic within the AWS network and avoids exposing the NLB to the internet.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints (which only work for S3 and DynamoDB) with Interface Endpoints (which support PrivateLink for services behind an NLB), leading them to pick Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway route to the NLB would expose it to the public internet, violating the requirement to keep traffic private, and NLBs do not support security groups; security groups are only supported for ALBs and ENIs, not NLB itself. Option C is wrong because an S3 Gateway endpoint is designed exclusively for Amazon S3 access, not for connecting to an NLB-hosted service; it cannot resolve or route traffic to a service hostname behind an NLB. Option D is wrong because using a bastion host introduces a single point of failure, requires SSH key management, and adds unnecessary complexity and latency; it also violates least-privilege by granting broad network access rather than a direct private connection.

250
MCQ · medium

A public web application is fronted by Amazon CloudFront and an ALB. The team is seeing SQL injection attempts and bursts of malicious HTTP requests that increase origin load. They want to block common web attacks before they reach the ALB. What should they do?

A. Associate an AWS WAF web ACL with the CloudFront distribution.
B. Add an inbound security group rule to the ALB for the attacker IP ranges.
C. Use a network ACL to inspect and block SQL statements in the request body.
D. Enable Amazon KMS encryption on the ALB listener certificates.
Answer: A

AWS WAF is the correct service for filtering HTTP(S) requests based on patterns such as SQL injection, bad bots, and rate-based abuse. When associated with CloudFront, the filtering happens at the edge before traffic reaches the ALB and origin, reducing load and blocking malicious requests earlier in the path. Shield Standard is already included for basic DDoS protection, but WAF is the component that provides the application-layer controls needed here.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting. By associating an AWS WAF web ACL with the CloudFront distribution, you can inspect and filter HTTP(S) requests at the edge before they reach the ALB, reducing origin load and blocking malicious traffic early. This is the recommended approach for defending against layer 7 attacks at the CDN level.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups, NACLs) with application-layer protection, mistakenly thinking they can block SQL injection at the network level, when only a WAF can inspect HTTP request bodies for such attacks.

How to eliminate wrong answers

Option B is wrong because security group rules operate at the network layer (layer 3/4) and cannot inspect application-layer payloads like SQL statements; they only allow or deny traffic based on IP addresses, ports, and protocols, so they cannot block SQL injection attempts. Option C is wrong because network ACLs are stateless packet filters that operate at the subnet level and cannot inspect or block SQL statements in the request body; they only filter based on IP, port, and protocol headers. Option D is wrong because Amazon KMS encryption on ALB listener certificates is used for encrypting data in transit (TLS termination) and has no capability to inspect or block malicious HTTP requests or SQL injection attempts.

251
MCQ · hard

Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?

A. Remove all IAM permissions from AppProvisioner and require a central security team to create every role manually.
B. Attach a permissions boundary strategy to the delegated workflow and require every created role to include that boundary using the iam:PermissionsBoundary condition.
C. Allow developers to keep creating roles, but add a CloudTrail rule that alerts security after a privileged policy is attached.
D. Move the delegated IAM workflow into a separate VPC and restrict it with security groups and network ACLs.
Answer: B

A permissions boundary creates an upper limit on what any developer-created role can ever do, even if someone later attaches broader policies. Requiring the boundary during role creation prevents privilege escalation while still allowing delegated self-service for approved application roles. This is the standard AWS pattern when teams need to create roles but must remain inside a strict security envelope.

Why this answer

Option B is correct because it uses a permissions boundary to enforce the maximum permission set that any developer-created role can have. By attaching a permissions boundary to the delegated workflow and using the `iam:PermissionsBoundary` condition in the trust policy, every role created by developers is automatically constrained to the approved boundary, preventing any role from exceeding the approved permission set even if the developer tries to attach additional policies.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive controls (like permissions boundaries), leading them to choose option C, which only alerts after a violation has already occurred.

How to eliminate wrong answers

Option A is wrong because it removes all IAM permissions from AppProvisioner and requires manual role creation by a central security team, which eliminates the delegation and automation that the platform team wants, and does not scale or meet the requirement for developers to create roles. Option C is wrong because adding a CloudTrail rule to alert after a privileged policy is attached is a detective control, not a preventive one; it does not prevent a developer-created role from exceeding the approved permission set, only notifies after the fact. Option D is wrong because moving the delegated IAM workflow into a separate VPC and restricting it with security groups and network ACLs addresses network-level access control, not IAM permissions or role creation boundaries, and has no effect on the permission set of roles created by developers.
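
A worked version of the Option B pattern, added here as an illustration that is not part of the question bank: the permission policy granted to the AppProvisioner identity from the question, which may create and modify roles only when the call names the approved boundary. The account ID 123456789012, the boundary policy name AppRoleBoundary and the role path /app/ are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageAppRolesOnlyWithApprovedBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::123456789012:role/app/*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/AppRoleBoundary"
        }
      }
    },
    {
      "Sid": "DenyRemovingBoundaryFromAppRoles",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "arn:aws:iam::123456789012:role/app/*"
    },
    {
      "Sid": "DenyEditingTheBoundaryPolicyItself",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::123456789012:policy/AppRoleBoundary"
    }
  ]
}
```

The first statement makes the boundary a precondition of delegation: an iam:CreateRole call that omits the PermissionsBoundary parameter, or names a different policy, has no matching allow and is refused. The two Deny statements close the obvious escape hatches, stripping the boundary from a role after creation and editing the boundary policy to widen it, which a simple allow-with-condition on its own would leave open. The boundary policy AppRoleBoundary itself is a normal managed policy listing the maximum permissions an application role may ever hold; it is deliberately not shown here because its content is specific to the approved permission set.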

252
MCQ · medium

An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports. Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports. What is the most likely reason the traffic fails, and what should be updated?

A. NACLs are stateless, so you must update the NACL to allow the return (outbound) ephemeral port range; security groups alone cannot override a blocked NACL.
B. NACLs are stateful and automatically track connections; the fix is to add a new inbound rule to the security group for client source ports.
C. The issue is caused by ALB health checks; configure a new target group health check on port 80 so traffic can be routed.
D. Because instances are in private subnets, add a NAT gateway so return traffic can reach the internet over dynamic routing.
Answer: A

Stateless NACLs require both inbound and outbound rules. Missing outbound for ephemeral ports will block return traffic even if SG rules are correct.

Why this answer

Network ACLs are stateless, meaning they do not automatically allow return traffic. Even though the security group allows inbound HTTPS from the ALB, the NACL blocks the return traffic because it lacks an outbound rule for ephemeral ports (typically 1024-65535). Since NACLs are evaluated before security groups, a missing outbound allow rule causes the response packets to be dropped, resulting in connection timeouts.

Exam trap

The trap here is that candidates assume security groups' stateful nature applies to NACLs, or they confuse the direction of the missing rule (inbound vs. outbound) and overlook the need for an outbound ephemeral port rule in the NACL.

How to eliminate wrong answers

Option B is wrong because NACLs are stateless, not stateful; they require explicit rules for both inbound and outbound traffic, and the fix involves the NACL, not the security group. Option C is wrong because the issue is not related to ALB health checks; health checks would cause target registration failures, not client connection timeouts, and the described symptom matches a missing NACL outbound rule. Option D is wrong because the instances are in private subnets behind an ALB, and return traffic to the ALB does not require a NAT gateway; the ALB handles routing within the VPC, and the problem is purely a NACL misconfiguration.

253
MCQ · medium

A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?

A. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/* and allow s3:ListBucket on arn:aws:s3:::build-artifacts-prod with no condition.
B. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:ListBucket on arn:aws:s3:::build-artifacts-prod with a condition that requires s3:prefix equals 'teamA/'.
C. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:GetBucketLocation on arn:aws:s3:::build-artifacts-prod/teamA/.
D. Allow s3:* on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:ListAllMyBuckets for easier auditing.
Answer: B

This scopes uploads to exactly the teamA/ object path by using the object ARN arn:aws:s3:::build-artifacts-prod/teamA/*. For listing, it targets the bucket ARN (arn:aws:s3:::build-artifacts-prod) and restricts listing results to only the requested prefix using the s3:prefix condition key.

Why this answer

Option B is correct because it grants the minimal permissions required: s3:PutObject is scoped to the specific prefix teamA/*, preventing uploads to other prefixes, and s3:ListBucket is allowed only with a condition that restricts the s3:prefix to 'teamA/', ensuring the pipeline cannot list objects under other prefixes. This enforces least privilege by combining resource-level and condition-based access control.

Exam trap

The trap here is that candidates often assume that scoping the resource ARN to a prefix (e.g., arn:aws:s3:::bucket/prefix/*) alone is sufficient to restrict listing, but without a condition on s3:ListBucket, the ListBucket action still returns all objects in the bucket, bypassing the intended restriction.

How to eliminate wrong answers

Option A is wrong because it allows s3:PutObject on the entire bucket (arn:aws:s3:::build-artifacts-prod/*) without restricting the prefix, so the pipeline could upload to any prefix, violating the requirement to only upload under teamA/. Option C is wrong because it allows s3:GetBucketLocation on the prefix path, which is not a valid ARN for that action (GetBucketLocation operates on the bucket, not a prefix) and does not grant the necessary s3:ListBucket permission to list objects, so the pipeline cannot verify uploads or list objects under teamA/. Option D is wrong because it allows s3:* on the prefix, granting excessive permissions like s3:DeleteObject or s3:GetObject, and s3:ListAllMyBuckets is irrelevant for restricting access to a specific bucket and prefix, violating least privilege.
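
Option B written out as a complete identity policy for the pipeline role, added here as a worked example rather than text from the question bank. It uses the bucket and prefix named in the question and goes one step beyond it: the listing condition uses StringLike with both "teamA/" and "teamA/*" so the pipeline can also list sub-prefixes it created, which a StringEquals match on 'teamA/' alone would refuse:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadOnlyUnderTeamAPrefix",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::build-artifacts-prod/teamA/*"
    },
    {
      "Sid": "ListOnlyTeamAPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::build-artifacts-prod",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "teamA/",
            "teamA/*"
          ]
        }
      }
    }
  ]
}
```

Two details matter when checking this policy. First, the two statements target different ARN shapes on purpose: object actions such as s3:PutObject are evaluated against the object ARN (bucket/key), while s3:ListBucket is evaluated against the bucket ARN, so putting the prefix into the ListBucket resource would not restrict anything. Second, a ListBucket request that sends no prefix parameter at all has no s3:prefix key in its request context, so the condition does not match and the call is denied; that is the behaviour you want, since a prefix-less listing would enumerate every other team's artifacts.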

254
MCQ · medium

A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions. Which solution best meets these requirements?

A. Store the password in Systems Manager Parameter Store as a SecureString and grant the ECS task role GetParameter only for that parameter ARN. Have the application call GetParameter on each request or on a short refresh interval.
B. Store the password in AWS Secrets Manager. Configure rotation for the secret. Grant the ECS task role secretsmanager:GetSecretValue for only that secret ARN. Update the application to fetch the secret at runtime and cache it briefly.
C. Store the password in a local file within the container image and mount it as a Docker secret at build time to avoid environment variables.
D. Store the password in an S3 bucket with server-side encryption and allow all ECS tasks to read it using a broad IAM policy on the bucket prefix.
Answer: B

Secrets Manager provides encrypted-at-rest storage and supports managed rotation. ECS task roles provide least-privilege access without static keys. Fetching at runtime with brief caching supports rotation without redeploying the task definition.

Why this answer

Option B is correct because AWS Secrets Manager encrypts secrets at rest using AWS KMS (AWS-managed key by default), supports automatic rotation without requiring a task definition redeploy, and allows least-privilege access by granting the ECS task role only secretsmanager:GetSecretValue for the specific secret ARN. The application fetches the secret at runtime and caches it briefly, satisfying all three auditor requirements.

Exam trap

The trap here is that candidates may choose Option A (Parameter Store) because it also supports SecureString and IAM policies, but they overlook that Secrets Manager is the only service that natively provides automatic rotation without additional custom infrastructure, which is explicitly required by the auditors.

How to eliminate wrong answers

Option A is wrong because Systems Manager Parameter Store SecureString encrypts the password at rest, but it does not natively support automatic rotation; rotation would require a custom solution, and the requirement to rotate without redeploying the task definition is not fully met. Option C is wrong because storing the password in a local file within the container image at build time violates the requirement to rotate without redeploying the task definition, and it does not use AWS-managed encryption controls for the secret at rest. Option D is wrong because S3 with server-side encryption encrypts at rest, but allowing all ECS tasks to read the password using a broad IAM policy on the bucket prefix violates the least-privilege requirement, and rotating the password would require updating the S3 object and potentially redeploying the task definition.

255
MCQ · easy

Your organization hosts an internet-facing application behind an Amazon CloudFront distribution. You want to mitigate common web exploits (for example, SQL injection and XSS) at the edge. Which action is the most appropriate way to do this using AWS services?

A. Create an AWS WAF web ACL using managed rule sets and associate it with the CloudFront distribution.
B. Add inbound rules to the security group so that only port 443 is open from the internet.
C. Enable AWS Shield Advanced to block SQL injection and XSS.
D. Restrict IAM permissions for the application’s EC2 instances so that SQL injection payloads cannot be executed.
Answer: A

AWS WAF examines incoming HTTP/HTTPS requests at the edge (when associated with CloudFront) and applies rule logic to detect common exploit patterns. Managed rule sets provide pre-built protections for threats like SQL injection and XSS before requests reach your origin.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). By creating a web ACL with managed rule sets (e.g., the AWS Managed Rules for SQL injection and XSS) and associating it with your CloudFront distribution, you can inspect incoming HTTP/HTTPS requests at the edge and block malicious payloads before they reach your origin. This is the most appropriate and scalable way to mitigate these threats at the edge.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups) or DDoS-specific services (Shield Advanced) with application-layer filtering, or mistakenly think IAM permissions can block malicious request payloads, when only a WAF can inspect and filter HTTP/HTTPS content at the edge.

How to eliminate wrong answers

Option B is wrong because security groups operate at the network layer (L3/L4) and can only filter based on IP addresses, ports, and protocols; they cannot inspect application-layer payloads to detect SQL injection or XSS. Option C is wrong because AWS Shield Advanced provides DDoS protection and enhanced detection, but it does not include rule-based inspection for application-layer attacks like SQL injection or XSS; that requires AWS WAF. Option D is wrong because IAM permissions control what actions an AWS resource (like an EC2 instance) can perform, not the content of incoming HTTP requests; restricting IAM permissions does not prevent SQL injection payloads from being processed by the application.

256
Multi-Select · medium

A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.

Select 2 answers
A. Update the KMS key policy to allow the partner role or account to use the key.
B. Enable automatic key rotation to solve the cross-account access requirement.
C. Attach IAM permissions in the partner account for kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey on the CMK.
D. Replace the CMK with the AWS managed key alias/aws/s3.
E. Export the KMS key material and share it with the partner account.
Answers: A, C

KMS evaluates the key policy before permitting use of a customer managed key. Cross-account use requires the key policy to trust the external principal or a grant to that principal.

Why this answer

Option A is correct because the KMS key policy must explicitly grant the partner account or its assumed role permission to use the key for cryptographic operations. Without this cross-account policy statement, the partner account cannot access the key even if it has IAM permissions, as KMS key policies are the primary access control mechanism for cross-account usage.

Exam trap

The trap here is that candidates often think IAM permissions alone are sufficient for cross-account KMS access, forgetting that KMS key policies must explicitly allow the external account, and vice versa, that key policy alone is not enough without corresponding IAM permissions in the partner account.

257
MCQ · easy

Your AWS Organizations environment has an SCP that explicitly denies kms:Decrypt for principals in the Production OU. A member account IAM policy for a user grants kms:Decrypt on the required KMS key. If that user attempts kms:Decrypt, what happens?

A. The request succeeds because the IAM policy explicitly allows kms:Decrypt
B. The request is denied because the SCP explicit deny overrides IAM allows
C. The request succeeds, but only when using the KMS key policy to allow the user
D. The request succeeds for read-only actions and fails only for writes
Answer: B

SCPs are evaluated as a permissions filter for the member account. When an SCP contains an explicit Deny matching kms:Decrypt, that Deny takes precedence over any IAM Allow decisions in the account, and the action is blocked.

Why this answer

In AWS Organizations, Service Control Policies (SCPs) act as a guardrail that sets the maximum available permissions for all accounts in an OU. An explicit deny in an SCP overrides any allow in an IAM policy, even if the IAM policy explicitly grants the action. Therefore, the user's kms:Decrypt request is denied because the SCP's explicit deny takes precedence over the IAM allow.

Exam trap

The trap here is that candidates often assume IAM policy allows are sufficient, forgetting that SCPs act as a higher-level permission boundary that can override those allows with an explicit deny.

How to eliminate wrong answers

Option A is wrong because it ignores the hierarchical nature of AWS authorization: an explicit deny in an SCP at the OU level overrides any allow in an IAM policy, so the request cannot succeed. Option C is wrong because even if the KMS key policy grants kms:Decrypt to the user, the SCP explicit deny still applies and blocks the action; SCPs are evaluated before resource-based policies. Option D is wrong because kms:Decrypt is a single action, not a read or write category, and SCPs apply uniformly to all actions they specify; there is no distinction between read-only and write actions in this context.

258
MCQ · easy

A company stores private report PDFs in an S3 bucket. They want users to access PDFs only through CloudFront. Even if someone knows the S3 object URL, direct S3 access must fail. What is the best S3 bucket policy approach?

A. Keep the bucket private and allow s3:GetObject only to the CloudFront origin access identity (OAI) or origin access control (OAC) principal (optionally restricting with aws:SourceArn for the specific distribution).
B. Allow s3:GetObject to "Principal": "*" but rely on CloudFront signed URLs to prevent access.
C. Allow s3:GetObject to the CloudFront distribution using a Condition on aws:SourceIp without restricting the Principal.
D. Only enable default encryption (SSE-KMS) and leave bucket permissions unchanged.
Answer: A

CloudFront is granted permission to read the objects from S3 using its OAI/OAC principal. Because no other principals are allowed s3:GetObject, direct requests to the S3 object URL are denied even if the URL is known.

Why this answer

Option A is correct because it uses an Origin Access Identity (OAI) or Origin Access Control (OAC) to grant CloudFront exclusive read access to the S3 bucket. By setting a bucket policy that allows s3:GetObject only to the CloudFront OAI/OAC principal (and optionally restricting with aws:SourceArn for the specific distribution), direct S3 object URL requests are denied, ensuring users can only access PDFs through CloudFront.

Exam trap

The trap here is that candidates often think encryption (SSE-KMS) or IP-based restrictions are sufficient to block direct S3 access, but they fail to understand that only a bucket policy that grants s3:GetObject exclusively to CloudFront's OAI/OAC principal, and to no other principal, can enforce the requirement.

How to eliminate wrong answers

Option B is wrong because allowing s3:GetObject to 'Principal': '*' makes the bucket publicly readable, bypassing CloudFront entirely; anyone with the S3 URL can access the PDFs directly, violating the requirement. Option C is wrong because restricting by aws:SourceIp without specifying a Principal still leaves the bucket open to any principal, and CloudFront's IP addresses are not a reliable way to enforce exclusive access (they can change and be spoofed). Option D is wrong because enabling SSE-KMS encryption does not restrict access; it only encrypts data at rest, leaving the bucket policy unchanged and allowing direct S3 access if the URL is known.
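The bucket policy from Option A in the OAC form, as an added example rather than text from the question bank. The bucket name, the account ID 111111111111 and the distribution ID EDFDVBD6EXAMPLE are placeholders. With OAC the principal is the CloudFront service principal, so the aws:SourceArn condition is what pins the grant to this one distribution; without it, any CloudFront distribution in any account that named this bucket as an origin could read the objects.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyThisCloudFrontDistributionToRead",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-private-reports-bucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111111111111:distribution/EDFDVBD6EXAMPLE"
        }
      }
    }
  ]
}
```

Because this is the only Allow statement and S3 Block Public Access stays enabled, an unauthenticated request to the object URL is denied by default; no explicit Deny is needed. The check to run after deploying is simply an anonymous GET against the S3 URL (expect 403) followed by the same object through the CloudFront domain (expect 200).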

259
MCQ · easy

A microservice runs on an EC2 instance using an instance role. It must retrieve exactly one secret value from AWS Secrets Manager. The secret ARN is arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf. The secret is encrypted with the default AWS-managed Secrets Manager KMS key (alias/aws/secretsmanager). Which IAM policy statement provides the best least-privilege access?

A. Allow secretsmanager:GetSecretValue on all secrets: Resource "*".
B. Allow secretsmanager:GetSecretValue only for the specific secret ARN: Resource "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf".
C. Allow secretsmanager:DescribeSecret on the secret ARN, but not secretsmanager:GetSecretValue.
D. Allow secretsmanager:GetSecretValue on all secrets with the prefix: Resource "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/*".
Answer: B

The microservice only needs to call secretsmanager:GetSecretValue for that one secret. Scoping the action and resource to exactly that secret provides least-privilege access.

Why this answer

Option B is correct because it grants the least-privilege access by restricting the secretsmanager:GetSecretValue action to the exact secret ARN required. Since the secret is encrypted with the default AWS-managed KMS key (alias/aws/secretsmanager), no additional kms:Decrypt permission is needed because Secrets Manager automatically handles decryption with the default key when using GetSecretValue. This policy ensures the microservice can retrieve only the intended secret and no others.

Exam trap

The trap here is that candidates often assume they need to add a separate kms:Decrypt permission for the default KMS key, or they mistakenly think DescribeSecret returns the secret value, leading them to choose Option C.

How to eliminate wrong answers

Option A is wrong because using Resource '*' grants access to all secrets in the account, violating the least-privilege principle and potentially exposing other secrets. Option C is wrong because secretsmanager:DescribeSecret only retrieves metadata (e.g., secret version IDs, rotation status) but does not allow retrieving the actual secret value, which is the required action. Option D is wrong because using a wildcard prefix (arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/*) would match any secret under the 'prod/' path, granting access to more secrets than needed, which is not least-privilege.

260
MCQ · medium

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

A. Enable KMS automatic key rotation for the customer-managed key in account B.
B. Update the KMS key policy in account B to allow the instance role’s principal from account A to call kms:Decrypt and kms:CreateGrant.
C. Attach the key policy as an IAM permissions policy to the instance role in account A only; key policies are not evaluated cross-account.
D. Disable encryption on the EBS volume until authorization is fixed, then re-enable encryption after mount.
Answer: B

Customer-managed KMS keys use resource-based key policies to control cross-account usage. Even if the IAM role in account A has kms:Decrypt permissions, the account B key policy must also allow that principal to use the key. Including kms:Decrypt (and often kms:CreateGrant) resolves cross-account mount authorization.

Why this answer

The instance role in account A has an IAM policy allowing kms:Decrypt on the key ARN, but cross-account KMS access requires the key policy in account B to explicitly grant the external principal (the instance role's ARN) the necessary permissions. Without a key policy statement in account B that allows kms:Decrypt and kms:CreateGrant for the instance role, the KMS service will deny the decryption request, even if the IAM policy in account A permits it. The kms:CreateGrant permission is required because attaching an encrypted EBS volume internally creates a grant to allow the EC2 service to use the key on behalf of the instance.

Exam trap

The trap here is that candidates assume an IAM policy in the consuming account is sufficient for cross-account KMS operations, but AWS requires the key policy in the key-owning account to explicitly grant access to the external principal, and kms:CreateGrant is a commonly overlooked required permission for EBS volume attachments.

How to eliminate wrong answers

Option A is wrong because enabling automatic key rotation does not grant any cross-account permissions; it only rotates the key material periodically and does not affect authorization. Option C is wrong because in cross-account scenarios, the key policy in the key-owning account (account B) is the primary authorization mechanism; IAM policies in the consuming account (account A) are not sufficient on their own, and the key policy must explicitly allow the external principal. Option D is wrong because you cannot disable encryption on an EBS volume that was created from an encrypted snapshot; encryption is a permanent attribute of the volume, and attempting to disable it would fail or require creating an unencrypted copy, which defeats the purpose.
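A key policy covering both cross-account scenarios above (question 256, the partner role that must encrypt and decrypt S3 objects, and question 260, the instance role that must mount an EBS volume) as an added example; it is not from the question bank. Account 111111111111 stands for the key-owning account (the security account, or account B), account 222222222222 for the consuming account (the partner, or account A), and the role names are placeholders. In a key policy, Resource "*" means the key the policy is attached to.

```json
{
  "Version": "2012-10-17",
  "Id": "cross-account-key-policy-example",
  "Statement": [
    {
      "Sid": "KeyAdministratorsInOwningAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/KmsAdminRole"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExternalRolesMayUseKeyForCryptographicOperations",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::222222222222:role/PartnerS3AccessRole",
          "arn:aws:iam::222222222222:role/AppInstanceRole"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstanceRoleMayCreateGrantsOnlyForAwsServices",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/AppInstanceRole"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```

The kms:GrantIsForAWSResource condition lets the instance role create the grant that EC2 needs to attach the volume while refusing grants to arbitrary principals, so the CreateGrant permission is not a general delegation path. The statements above are only half of the authorization: as question 256 says, the consuming account still needs an IAM policy on PartnerS3AccessRole and AppInstanceRole that allows the same kms actions on this key's ARN, because a cross-account principal must be allowed by both the key policy and its own identity policy. Note that the administrators statement is deliberately separate from the users statement; the admins get no kms:Decrypt here.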

261
MCQ · hard

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A. Tag encrypted volumes after creation
B. Enable VPC Flow Logs
C. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
D. Run a daily Lambda function to encrypt unencrypted volumes
Answer: C

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option C is correct because Service Control Policies (SCPs) are a preventive control that can deny the ec2:CreateVolume action when the encryption condition is false. This ensures that unencrypted EBS volumes cannot be created at all, enforcing encryption at the point of creation across the entire AWS account or organizational unit.

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like tagging or Lambda remediation) with preventive controls, failing to recognize that only an SCP or IAM policy with a deny effect on the CreateVolume action can proactively block the creation of unencrypted volumes.

How to eliminate wrong answers

Option A is wrong because tagging encrypted volumes after creation is a detective or corrective control, not preventive; it does not block the creation of unencrypted volumes. Option B is wrong because VPC Flow Logs capture network traffic metadata and have no effect on EBS volume creation or encryption enforcement. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a reactive/corrective control; it does not prevent the initial creation of unencrypted volumes, leaving a window of exposure.

262
MCQ · hard

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

A. Re-enable object ACLs and manage access by setting object-level ACLs for each team's prefix.
B. Split the bucket into one bucket per team and keep using a single shared bucket policy for all of them.
C. Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.
D. Make the bucket public and issue presigned URLs for team access so IAM policies are no longer needed.
Answer: C

S3 access points are designed for simplifying access management to shared buckets. A separate access point per team keeps the bucket private, avoids ACLs, and lets each team have a smaller, easier-to-review policy boundary. This reduces the blast radius of a policy mistake and scales far better than a single giant bucket policy with many prefix rules.

Why this answer

Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, as access is managed through IAM policies and access point policies. It also maintains a single shared bucket, simplifying management and cost allocation.

Exam trap

The trap here is that candidates may think splitting the bucket per team (Option B) is simpler, but they overlook that a single shared bucket with access points is more cost-effective and manageable, and that ACLs (Option A) are explicitly disallowed by the requirement.

How to eliminate wrong answers

Option A is wrong because re-enabling object ACLs violates the requirement that ACLs must remain disabled, and managing access at the object level is not scalable for many teams. Option B is wrong because splitting into one bucket per team increases management overhead and does not solve the bucket policy size issue; a single shared bucket policy for all buckets would still be complex and error-prone. Option D is wrong because making the bucket public exposes data to the internet, violating security best practices, and presigned URLs are temporary and not suitable for ongoing team access management.

263
MCQ · medium

An e-commerce application uses Aurora MySQL. Writes are modest, but the product-detail page generates many read-only queries and the writer instance CPU is high. The application can tolerate a small amount of replication lag on those reads. What should the team do?

A. Add Aurora read replicas and send read-only traffic to the reader endpoint.
B. Increase the writer instance size and keep all traffic on the primary.
C. Replace Aurora with DynamoDB to eliminate replication lag.
D. Enable Multi-AZ failover only, because it increases read throughput automatically.
Answer: A

Aurora read replicas are the right way to scale read-heavy workloads and reduce pressure on the writer instance. By directing read-only traffic to the reader endpoint, the application can offload product-page queries while keeping writes on the primary instance. Because a small amount of replication lag is acceptable, this approach aligns well with the workload's consistency and performance needs.

Why this answer

Adding Aurora read replicas and directing read-only traffic to the reader endpoint offloads SELECT queries from the writer instance, reducing its CPU load. Aurora replicas share the same underlying storage volume, so replication lag is minimal (typically <100ms) and acceptable for the product-detail page. This scales read throughput without increasing writer instance size or cost.

Exam trap

The trap here is confusing Multi-AZ (which only provides failover) with read replicas (which offload reads), leading candidates to pick Option D thinking it improves read performance.

How to eliminate wrong answers

Option B is wrong because increasing the writer instance size only scales the single node vertically, which does not offload read queries and still leaves the writer as a bottleneck; it also costs more than adding replicas. Option C is wrong because replacing Aurora with DynamoDB would require significant application redesign and DynamoDB does not natively support SQL joins or complex queries; replication lag is not eliminated, as DynamoDB global tables have eventual consistency. Option D is wrong because Multi-AZ failover provides high availability, not increased read throughput; the standby instance does not serve read traffic unless it is an Aurora replica.

264
MCQ · medium

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use? The design must avoid adding custom operational scripts.

A. A bastion host with SSH open to 0.0.0.0/0
B. AWS Systems Manager Session Manager with the required instance role
C. A public Elastic IP address on each instance
D. An internet gateway attached to the private subnet
Answer: B

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows administrators to establish secure shell access to EC2 instances without opening inbound SSH or RDP ports, using the Systems Manager agent and an IAM instance role. This meets the requirement for no internet-exposed ports and avoids custom operational scripts because Session Manager is a fully managed AWS service.

Exam trap

The trap here is that candidates often assume a bastion host is the only secure way to access private instances, but AWS Systems Manager Session Manager provides a fully managed, agent-based alternative that avoids opening any inbound ports and requires no custom scripts.

How to eliminate wrong answers

Option A is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes a management port to the entire internet, violating the requirement to avoid opening SSH or RDP ports to the internet. Option C is wrong because assigning a public Elastic IP address to each instance directly exposes them to the internet, requiring open SSH or RDP ports for administrative access. Option D is wrong because an internet gateway attached to a private subnet does not provide administrative access; it only enables outbound internet connectivity for instances in that subnet, and administrators still need a way to connect without open ports.

265
MCQ · medium

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A. A bastion host with SSH open to 0.0.0.0/0
B. AWS Systems Manager Session Manager with the required instance role
C. A public Elastic IP address on each instance
D. An internet gateway attached to the private subnet
Answer: B

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH 22 or RDP 3389) to the internet. It uses the AWS Systems Manager agent and an IAM instance role to establish a bidirectional connection via the AWS cloud, eliminating the need for a bastion host or public IP. This meets the requirement for administrators to connect without exposing any network ports.

Exam trap

The trap here is that candidates often default to a bastion host (Option A) as the traditional solution, overlooking that AWS Systems Manager Session Manager provides a more secure, port-free alternative that fully meets the 'no open ports' requirement.

How to eliminate wrong answers

Option A is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the instance to the entire internet, violating the requirement to avoid opening SSH or RDP ports. Option C is wrong because assigning a public Elastic IP address to each instance would require opening SSH or RDP ports to the internet for direct access, which is explicitly prohibited. Option D is wrong because an internet gateway attached to a private subnet does not provide administrative connectivity; it only enables outbound internet access for instances, and inbound administrative access would still require open ports or a bastion host.

266
Multi-Select · hard

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.

Select 2 answers
A. A larger KMS key rotation period
B. A key policy that limits key administrators and key users
C. IAM policies that grant kms:Decrypt only to required application roles
D. S3 Transfer Acceleration
Answers: B, C

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a KMS key policy explicitly defines which principals (IAM users, roles, or AWS accounts) are allowed to administer or use the key. By restricting key users to only the required application roles, you prevent unauthorized principals from accidentally invoking KMS operations on the key, even if they have broad IAM permissions. This is a fundamental access control that does not require custom scripts.

Exam trap

The trap here is that candidates often think key rotation (Option A) is a security control that prevents unauthorized use, but it only protects against compromised keys over time, not against accidental access by authorized-but-wrong principals.

267
MCQ · medium

An order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured? The design must avoid adding custom operational scripts.

A. S3 server access logging
B. S3 lifecycle expiration after seven years
C. S3 versioning only
D. S3 Object Lock in compliance mode with an appropriate retention period
Answer: D

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of a seven-year immutable audit log without custom scripts. Compliance mode enforces a legal hold that cannot be removed by any user, ensuring logs remain intact.

Exam trap

The trap here is that candidates often confuse versioning with immutability, thinking versioning alone prevents deletion, but it only preserves overwritten versions while still allowing the current version to be deleted unless combined with Object Lock or MFA Delete.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket; it does not prevent deletion or overwriting of existing logs. Option B is wrong because S3 lifecycle expiration automatically deletes objects after a period, which directly violates the requirement that logs cannot be deleted for seven years. Option C is wrong because S3 versioning alone preserves previous versions of objects but does not prevent deletion of the current version or overwriting; it requires additional controls like MFA Delete or Object Lock to enforce immutability.

268
MCQ · hard

A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control? The design must avoid adding custom operational scripts.

A. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
B. Tag encrypted volumes after creation
C. Enable VPC Flow Logs
D. Run a daily Lambda function to encrypt unencrypted volumes
Answer: A

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

AWS Organizations Service Control Policies (SCPs) provide a preventive guardrail that can deny the ec2:CreateVolume API call when the encryption condition is false, ensuring that no unencrypted EBS volumes can be created in the account. This is the strongest preventive control because it blocks the action at the API level before any resource is created, and it does not require custom scripts or post-creation remediation. The SCP uses the ec2:Encrypted condition key, denying ec2:CreateVolume whenever that key evaluates to false, so encryption is enforced at creation time.

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like tagging, Lambda remediation, or logging) with preventive controls, and fail to recognize that SCPs can enforce encryption at the API level without custom scripts.

How to eliminate wrong answers

Option B is wrong because tagging encrypted volumes after creation is a detective or reactive control, not preventive; it does not stop unencrypted volumes from being created. Option C is wrong because VPC Flow Logs capture network traffic metadata and have no ability to enforce or audit EBS volume encryption policies. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a corrective/reactive control that relies on custom operational scripts, which the design explicitly avoids, and it does not prevent the initial creation of unencrypted volumes.
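The SCP that questions 261 and 268 describe, as an added example (not part of the question bank). The first statement is exactly the control named in the answer: deny ec2:CreateVolume when ec2:Encrypted is false. The second statement goes beyond the questions: volumes are also created implicitly when an instance launches with block device mappings, so a practitioner would normally deny ec2:RunInstances on the volume resource under the same condition, or the guardrail can be bypassed by launching an instance with an unencrypted data volume.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedVolumeCreation",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedVolumesAtInstanceLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    }
  ]
}
```

Attach it to the Production OU (or the root) and the deny applies to every principal in every member account, including account administrators, which is what makes it stronger than an IAM policy. Two caveats to keep in mind: SCPs never affect the organization's management account, and an SCP only filters permissions, so principals still need their own IAM allows for the encrypted case to work.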

269
MCQ · medium

Account C wants engineers to access a role (RoleInAccountA) in account A using STS AssumeRole. Security policy requires that (1) only engineers from account C can assume the role, (2) they must provide an external ID value, and (3) the session must be MFA-authenticated. Which change is most appropriate in the RoleInAccountA trust policy to meet all three requirements?

A.Add conditions sts:ExternalId = <value> only; do not include any MFA requirement because MFA can be enforced by the IAM role session policy.
B.Add conditions that (a) restrict the caller principals to account C engineers (for example, aws:PrincipalArn matches a specific engineer role/user pattern from account C), (b) require sts:ExternalId = <value>, and (c) require aws:MultiFactorAuthPresent = true.
C.Add conditions for aws:PrincipalTag:Department = Engineering and sts:ExternalId = <value>; omit MFA because MFA is optional for AssumeRole.
D.Add conditions aws:SecureTransport = true and sts:ExternalId = <value>; rely on IAM permissions in account C to require MFA.
AnswerB

A trust policy can simultaneously (1) restrict who can call AssumeRole via principal-based conditions, (2) require sts:ExternalId to mitigate confused-deputy risk, and (3) enforce MFA by requiring aws:MultiFactorAuthPresent = true when STS issues the temporary credentials.

Why this answer

Option B is correct because it satisfies all three requirements in the one document that account A controls: an `aws:PrincipalArn` condition restricts callers to engineer roles or users in account C, `sts:ExternalId` enforces the external ID, and `aws:MultiFactorAuthPresent = true` requires that the calling session was MFA-authenticated (for an IAM user this means passing SerialNumber and TokenCode to AssumeRole). The trust policy on RoleInAccountA must carry the MFA condition itself: a session policy only narrows permissions after the role has been assumed, and a policy in account C is outside account A's control and cannot be verified from the trust relationship.

Exam trap

The trap here is that candidates often assume MFA can be enforced indirectly through session policies or the calling account's permissions, but in cross-account AssumeRole scenarios, the trust policy in the target account must explicitly require `aws:MultiFactorAuthPresent = true` to enforce MFA on the assumed role session.

How to eliminate wrong answers

Option A is wrong because it omits the MFA requirement entirely; session policies can only reduce the permissions of an already-issued session and cannot require MFA, so the trust policy must carry the `aws:MultiFactorAuthPresent = true` condition. Option C is wrong mainly because it omits MFA; a tag condition (written as `aws:PrincipalTag/Department`, with a slash) can be evaluated for cross-account callers, but it identifies callers by an attribute rather than by account C principals, so on its own it does not meet requirement (1). Option D is wrong because `aws:SecureTransport` only requires HTTPS, which STS already enforces, and because account C's IAM permissions are not something account A can verify or depend on; the requirement has to be expressed in the trust policy in account A.

270
MCQmedium

A finance application stores invoices in Amazon S3. Security requires that the data be encrypted with a key they control, and they want the ability to disable access quickly if the application is suspected of compromise. Developers do not want to manage encryption in application code. Which solution best meets these requirements?

A.Use SSE-S3 with the default Amazon-managed key for all uploads.
B.Use SSE-KMS with a customer-managed AWS KMS key.
C.Encrypt objects on the client side and store the encryption key in the same S3 bucket.
D.Use Amazon S3 replication to a second bucket in another region.
AnswerB

SSE-KMS with a customer-managed KMS key gives the security team explicit control over the key policy, grants, CloudTrail auditing of every key use, and revocation. The application uploads objects normally while S3 requests data keys from KMS and performs the encryption and decryption on the service side, so developers write no cryptography code. If compromise is suspected, disabling the key or removing the application's statement or grant stops further decryption, which is exactly why a customer-managed key is preferable here.

Why this answer

SSE-KMS with a customer-managed AWS KMS key meets the requirements because the finance application's data is encrypted at rest under a key whose policy the customer controls, and access can be cut off quickly by disabling the key, scheduling its deletion, or retiring the application's grant; once the change propagates (KMS is eventually consistent, typically within minutes) every subsequent decrypt fails. The developers do not manage encryption in application code because S3 handles it server-side; each object is encrypted under its own data key, which KMS wraps under the customer-managed key, so disabling that one key makes all existing objects unreadable at once.
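An added example (not from the page) of the key policy that makes the revocation story work: the application role may use the key only through S3, the security team keeps administrative control including the disable actions, and nobody else can use it. The account ID 111122223333, the role names and the Region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "invoice-key-policy",
  "Statement": [
    {
      "Sid": "SecurityTeamAdministersTheKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/SecurityKeyAdmin"
      },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InvoiceAppUsesKeyOnlyViaS3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/InvoiceAppRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The `kms:ViaService` condition means the application role cannot call KMS directly to decrypt data keys it has exfiltrated; only S3 acting on its behalf can. To cut the application off, the security team runs `aws kms disable-key --key-id <key-arn>` or deletes the second statement; the key stays recoverable and can be re-enabled after the investigation. Keep an administrator statement in the policy (many teams also keep the account root as an administrator) so the key never becomes unmanageable, and add a bucket policy Deny on s3:PutObject when `s3:x-amz-server-side-encryption-aws-kms-key-id` is not this key's ARN so that no upload can silently fall back to SSE-S3.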

Exam trap

The trap here is that candidates often confuse SSE-S3 with customer-managed keys or think S3 replication provides security controls, but the key distinction is that only SSE-KMS with a customer-managed key gives you both customer-controlled keys and the ability to quickly revoke access without changing application code.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses an Amazon-managed key, which the customer does not control, failing the requirement for customer-controlled keys. Option C is wrong because client-side encryption requires developers to manage encryption in application code, which contradicts the requirement that developers do not want to manage encryption in code, and storing the encryption key in the same S3 bucket is a severe security risk. Option D is wrong because S3 replication only copies objects to another bucket and does not provide encryption key control or the ability to quickly disable access; it is a data durability and availability feature, not a security control for encryption or access revocation.

271
MCQmedium

A security operations team wants continuous compliance checks for AWS resources. They need to know when an EBS volume becomes unencrypted or when a security group starts allowing SSH from 0.0.0.0/0. Which AWS service should they use?

A.AWS CloudTrail, because it records every API call made in the account.
B.AWS Config, because it evaluates resource configuration against compliance rules.
C.Amazon GuardDuty, because it automatically encrypts noncompliant resources.
D.Amazon Macie, because it manages encryption settings for all AWS resources.
AnswerB

AWS Config is the right service for continuous resource compliance monitoring. It tracks configuration changes over time and can evaluate rules that check for conditions such as encrypted EBS volumes or overly permissive security groups. This makes it ideal for governance and drift detection, especially when the team needs to know the current state of resources rather than only the history of API calls.

Why this answer

AWS Config is the correct service because it records the configuration of supported resources and continuously evaluates that configuration against rules, re-evaluating whenever a resource changes. Managed rules cover both checks in the question (encrypted-volumes flags attached EBS volumes that are not encrypted; restricted-ssh flags security groups that allow TCP/22 from 0.0.0.0/0 or ::/0), and a rule's compliance change can raise an EventBridge event for notification or trigger a remediation configuration that runs a Systems Manager Automation runbook.
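Added example (not from the page): a CloudFormation fragment that turns the two checks in the question into managed AWS Config rules. The logical resource names and descriptions are mine; the SourceIdentifier values are AWS's managed rule identifiers. A configuration recorder and delivery channel must already exist in the account and Region, or the rules have nothing to evaluate.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EncryptedVolumesRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "encrypted-volumes",
        "Description": "NON_COMPLIANT when an attached EBS volume is not encrypted",
        "Scope": {
          "ComplianceResourceTypes": ["AWS::EC2::Volume"]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ENCRYPTED_VOLUMES"
        }
      }
    },
    "RestrictedSshRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "restricted-ssh",
        "Description": "NON_COMPLIANT when a security group allows TCP/22 from 0.0.0.0/0 or ::/0",
        "Scope": {
          "ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "INCOMING_SSH_DISABLED"
        }
      }
    }
  }
}
```

Two caveats a practitioner should know: the encrypted-volumes rule only evaluates volumes in the attached state, so an unencrypted but detached volume is not reported until something attaches it (the SCP pattern from question 268 is the preventive complement), and Config evaluation is detective by design, so the security group has been open from the moment of the change until the finding is acted on. An EventBridge rule on the "Config Rules Compliance Change" event delivers the notification the team asked for.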

Exam trap

The trap here is that candidates confuse AWS CloudTrail's API logging with AWS Config's configuration evaluation, assuming that recording API calls is sufficient for compliance checks, but CloudTrail does not assess the current state of resources against rules.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls (who changed what, and when) but does not evaluate the current configuration of resources against rules; detecting an unencrypted EBS volume or an open security group from CloudTrail alone would require building that analysis yourself. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail events, VPC Flow Logs, and DNS logs for malicious or anomalous activity; it is not a configuration compliance tool and does not encrypt resources or evaluate security group rules. Option D is wrong because Amazon Macie discovers and classifies sensitive data in S3 using machine learning and pattern matching; it does not manage encryption settings or evaluate the configuration of EBS volumes or security groups.

272
Multi-Selectmedium

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Select 2 answers
A.Create an S3 gateway VPC endpoint and update the route tables for the private subnets.
B.Place a NAT gateway in the public subnet so the private instances can reach AWS services.
C.Create an interface VPC endpoint for AWS Secrets Manager and allow the workload security group to reach it.
D.Assign public IPv4 addresses to the instances and restrict them with security groups.
E.Use VPC peering to the AWS service endpoints instead of VPC endpoints.
AnswersA, C

An S3 gateway endpoint provides private access to S3 without sending traffic over the internet. It is the correct endpoint type for S3 and integrates through route tables.

Why this answer

Option A is correct because an S3 gateway VPC endpoint lets instances in private subnets reach S3 over the AWS network without an internet gateway or NAT gateway: the endpoint adds a route for the S3 prefix list to the private route tables, so traffic never uses public IPs. Option C is correct because Secrets Manager is not available through a gateway endpoint; it needs an interface endpoint (AWS PrivateLink), which places an elastic network interface with a private IP in the subnet. The endpoint's security group must allow TCP/443 from the workload's security group, and private DNS should be enabled so the standard secretsmanager.<region>.amazonaws.com name resolves to the endpoint rather than to a public address.

Exam trap

The trap here is that candidates often confuse gateway endpoints (for S3 and DynamoDB) with interface endpoints (for most other services) and may incorrectly assume a NAT gateway is needed for all AWS service access, ignoring that gateway endpoints provide a free, internet-free alternative for S3.

273
MCQmedium

A media platform stores originals in an S3 bucket. The application must: (1) prevent any public access to the bucket, (2) allow authenticated users to upload and download objects using presigned URLs, and (3) enforce that all requests use HTTPS and only touch objects under the user-specific prefix (for example, s3://media-originals/user-123/*). The bucket currently allows uploads but sometimes returns 403 AccessDenied for presigned URLs. Which change is the best fix while meeting the security requirements?

A.Disable S3 Block Public Access and add an ACL that grants READ and WRITE to the bucket owner only.
B.Keep Block Public Access enabled, remove any Allow statement to Principal="*", and use a bucket policy or access point policy that denies non-HTTPS requests and allows PutObject/GetObject only when the object key matches the authenticated user's session tag, such as arn:aws:s3:::media-originals/${aws:PrincipalTag/userId}/*.
C.Use bucket website hosting and allow public GET requests so presigned URLs are not needed for downloads.
D.Use ACLs to grant ObjectOwner full control and rely on the application to generate presigned URLs with longer expirations to avoid 403 errors.
AnswerB

Block Public Access ensures the bucket cannot become public. A policy that denies non-HTTPS traffic and scopes object ARNs to a session tag or equivalent identity attribute enforces user-specific access without relying on public principals.

Why this answer

Option B is correct because it keeps S3 Block Public Access enabled (preventing any public access), denies requests where `aws:SecureTransport` is false, and grants `PutObject`/`GetObject` only on a Resource built from a policy variable, `arn:aws:s3:::media-originals/${aws:PrincipalTag/userId}/*`, so each session can touch only its own prefix. A presigned URL is signed with the credentials of whoever generated it, so the application must create the URL from a role session that carries the `userId` session tag; the request then has that tag in its context and matches the Allow only for the matching prefix. A session without the tag matches nothing, and a URL for another user's prefix is denied.
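The policy below is an added example (not from the page) of option B written out. It assumes the bucket name from the question and a same-account application role arn:aws:iam::111122223333:role/media-app whose sessions carry a userId session tag; the account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::media-originals",
        "arn:aws:s3:::media-originals/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "AllowOwnPrefixOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/media-app"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::media-originals/${aws:PrincipalTag/userId}/*"
    }
  ]
}
```

The Deny with `"Principal": "*"` does not count as a public grant, so Block Public Access stays satisfied. For the variable to resolve, the application assumes media-app with a `userId` tag (AssumeRole with Tags, which also requires the role's trust policy to allow `sts:TagSession`) and generates the presigned URL from that session; a session with no `userId` tag makes the Resource unresolvable and the Allow simply never matches, which is the fail-closed behaviour you want. If the application instead generates URLs from one untagged role, every URL is evaluated as that role and the per-user scoping is lost.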

Exam trap

The trap here is that candidates assume presigned URLs bypass bucket policies. They do not: the request is evaluated as the identity that signed the URL, so if that identity lacks permission for the key, if a Deny condition matches (for example, a plain http:// URL against an `aws:SecureTransport` deny, or a session missing the `userId` tag against the prefix-scoped Allow), or if the URL has expired, S3 returns 403 AccessDenied even though the signature itself is valid.

How to eliminate wrong answers

Option A is wrong because disabling Block Public Access removes the guardrail that prevents a future policy or ACL from exposing the bucket, and an owner-only ACL does nothing to fix the 403s: ACLs are a legacy mechanism that cannot express prefix conditions or require HTTPS. Option C is wrong because website hosting with public GET requests exposes every object to anyone, directly violating the requirement to prevent public access. Option D is wrong because ACLs granting the object owner full control do not enforce user-specific prefixes or HTTPS, and longer expirations do not address the 403s, which come from the policy evaluation of the signing identity and its permitted prefix, not from the URL's lifetime.

274
MCQhard

A healthcare document service uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

A.Embed the database password in the AMI
B.Store the database password in user data
C.Use a security group rule that allows only application instances
D.IAM database authentication for RDS with an EC2 instance role
AnswerD

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS with an EC2 instance role is correct because the application uses the role's temporary credentials to sign an authentication token (valid for 15 minutes) that the database accepts in place of a password, so no long-lived secret is stored on the instance. Three things must be in place: IAM authentication enabled on the RDS instance, a database user mapped to IAM (in PostgreSQL, GRANT rds_iam TO the user), and an IAM policy on the instance role allowing rds-db:connect for that user. Connections must use TLS, and the token is generated locally with the CLI (aws rds generate-db-auth-token) or an SDK from the role credentials that the instance obtains from the instance metadata service, which should be restricted to IMDSv2.
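As an added example (not from the page), this is the identity policy for the EC2 instance role. The account ID, Region, resource ID and database user name are placeholders; the point to notice is that the resource uses the DB instance's resource ID (db-...), not its DB identifier, which is the most common reason rds-db:connect policies silently fail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectToInvoiceDbAsAppUserOnly",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:eu-west-1:111122223333:dbuser:db-ABCDEFGHIJKL0123456789/app_user"
    }
  ]
}
```

Find the resource ID with `aws rds describe-db-instances --query 'DBInstances[].DbiResourceId'`. On the database side, `CREATE USER app_user; GRANT rds_iam TO app_user;` tells PostgreSQL to validate tokens for that user instead of a password. The application then runs `aws rds generate-db-auth-token --hostname <endpoint> --port 5432 --username app_user --region eu-west-1` (or the SDK equivalent) and passes the result as the password with `sslmode=verify-full` and the RDS CA bundle; a token that is reused after 15 minutes is rejected, so generate one per new connection and use a pool to keep the connection rate low, since AWS documents a limit on new IAM-authenticated connections per second.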

Exam trap

The trap here is that candidates may think security groups alone solve credential management, but they only control network access, not authentication or credential lifecycle, so they fail to address the short-lived credential requirement.

How to eliminate wrong answers

Option A is wrong because embedding the database password in the AMI stores credentials persistently on the EC2 instance, violating the requirement that credentials must not be stored on the instance, and the password is long-lived, not short-lived. Option B is wrong because storing the database password in user data also places credentials on the EC2 instance (accessible via the instance metadata), again violating the no-storage requirement and providing a long-lived credential. Option C is wrong because a security group rule only controls network access at the transport layer; it does not address authentication or credential management, and it does not provide short-lived credentials.

275
MCQmedium

Based on the exhibit, which AWS service should the security team enable to continuously discover sensitive data stored inside Amazon S3 objects?

A.AWS CloudTrail
B.Amazon Macie
C.AWS Config
D.Amazon GuardDuty
AnswerB

Macie is the AWS service designed to discover and classify sensitive data in S3. It can continuously analyze buckets for personal data patterns and produce findings when sensitive information is detected. That matches the requirement for ongoing classification of object contents rather than audit logs or configuration checks.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data such as personally identifiable information (PII) or financial data stored in Amazon S3. It provides continuous visibility into data security risks by generating findings when sensitive data is detected, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse Amazon Macie with Amazon GuardDuty, mistakenly thinking GuardDuty's threat detection includes scanning for sensitive data, when in fact GuardDuty focuses on security threats and anomalies, not data classification or content inspection.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and governance events for auditing, but it does not inspect the content of S3 objects to discover sensitive data. Option C is wrong because AWS Config evaluates resource configurations against compliance rules and tracks configuration changes, but it cannot scan or analyze the data within S3 objects for sensitive content. Option D is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not perform content inspection of S3 objects to find sensitive data.

276
MCQeasy

A company hosts static images, CSS, and JavaScript files in an Amazon S3 bucket. Users around the world report slow page loads, and the origin receives many repeated requests for the same files. What should the team use to improve performance?

A.Amazon CloudFront
B.AWS Direct Connect
C.Amazon Route 53 health checks
D.Amazon EFS
AnswerA

CloudFront caches content at edge locations and reduces latency and origin traffic for global users.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content (images, CSS, JavaScript) at edge locations worldwide. By serving cached copies from the edge closest to each user, CloudFront reduces latency, offloads repeated requests from the origin S3 bucket, and improves page load times for a global audience.

Exam trap

The trap here is that candidates may confuse a CDN (CloudFront) with a private network connection (Direct Connect) or a DNS routing service (Route 53), failing to recognize that caching at edge locations is the key to reducing latency and origin load for static content served globally.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect establishes a dedicated private network connection from on-premises to AWS, which does not cache content or reduce latency for global users accessing public S3 objects. Option C is wrong because Amazon Route 53 health checks monitor endpoint availability and route traffic away from unhealthy endpoints, but they do not cache content or reduce repeated requests to the origin. Option D is wrong because Amazon EFS is a scalable file system for EC2 instances, not a caching or content delivery service, and it would not improve latency for users accessing static files via the internet.

277
MCQeasy

A web application behind an Application Load Balancer (ALB) currently allows client connections over HTTP (port 80). The security policy requires all client traffic to use HTTPS. What is the best ALB change to enforce this requirement?

A.Add an HTTP listener on port 80 with a redirect action to HTTPS on port 443, and configure an HTTPS listener using an ACM certificate
B.Enable TLS only on the target group so that traffic between the ALB and targets is encrypted, even if clients connect via HTTP
C.Turn on S3 server-side encryption to ensure data is encrypted in transit from clients to the ALB
D.Remove port 80 access by removing the port 80 listener and leave only a default target group
AnswerA

Redirecting all HTTP requests to HTTPS forces clients to use TLS when they access the application. Configuring an HTTPS listener with an ACM certificate ensures the ALB terminates TLS on port 443 using a valid certificate, directly enforcing encryption in transit for client-to-ALB traffic.

Why this answer

Option A is correct because it uses an ALB HTTP-to-HTTPS redirect action, which is the most efficient and AWS-native way to enforce HTTPS-only traffic. The HTTP listener on port 80 automatically redirects all client requests to the HTTPS listener on port 443, which terminates TLS using an ACM certificate. This approach requires no changes to client applications and ensures compliance with the security policy at the load balancer level.
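Added example (not part of the page): the two listeners from option A as a CloudFormation fragment. The parameter names are mine; the redirect placeholders (#{host}, #{path}, #{query}) and the TLS policy name are ALB's own.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "WebAlbArn": {"Type": "String"},
    "WebTargetGroupArn": {"Type": "String"},
    "SiteCertificateArn": {"Type": "String"}
  },
  "Resources": {
    "HttpRedirectListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {"Ref": "WebAlbArn"},
        "Port": 80,
        "Protocol": "HTTP",
        "DefaultActions": [
          {
            "Type": "redirect",
            "RedirectConfig": {
              "Protocol": "HTTPS",
              "Port": "443",
              "Host": "#{host}",
              "Path": "/#{path}",
              "Query": "#{query}",
              "StatusCode": "HTTP_301"
            }
          }
        ]
      }
    },
    "HttpsListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {"Ref": "WebAlbArn"},
        "Port": 443,
        "Protocol": "HTTPS",
        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "Certificates": [{"CertificateArn": {"Ref": "SiteCertificateArn"}}],
        "DefaultActions": [
          {"Type": "forward", "TargetGroupArn": {"Ref": "WebTargetGroupArn"}}
        ]
      }
    }
  }
}
```

The ALB's security group still needs port 80 open, otherwise the redirect listener is unreachable and clients get the connection error that option D describes. The redirect only protects requests that are made over HTTP first; have the application send a Strict-Transport-Security header so returning browsers go straight to HTTPS. Encryption between the ALB and the targets is a separate decision (HTTPS target groups with their own certificate), which is the part option B addresses and the question does not require.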

Exam trap

The trap here is that candidates may think removing the HTTP listener or enabling TLS on the target group is sufficient, but the correct approach is to use a redirect action on the HTTP listener to enforce HTTPS without breaking client connectivity.

How to eliminate wrong answers

Option B is wrong because enabling TLS only on the target group does not enforce HTTPS for client-to-ALB traffic; clients can still connect over HTTP, the ALB forwards to targets over TLS, but the client hop remains unencrypted. Option C is wrong because S3 server-side encryption protects data at rest in Amazon S3 and has nothing to do with traffic between clients and the ALB. Option D is wrong because removing the port 80 listener does stop plaintext connections, but clients that type the site name or follow old http:// links get a connection error instead of a redirect; the redirect action enforces the same policy while keeping the application reachable, which is why it is the recommended approach.

278
MCQmedium

A partner company needs read-only access to reports in an S3 bucket for an image-sharing application. The partner has its own AWS account. What is the most secure scalable access pattern?

A.Make the objects public and rely on difficult-to-guess object names
B.Create an IAM user in the company account and share the access keys
C.Copy the objects to a public website bucket
D.Create a bucket policy that grants the partner role least-privilege access to the required prefix
AnswerD

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option D is correct because it uses a resource-based bucket policy that grants the partner's AWS account (via its IAM role) least-privilege read-only access to a specific prefix. This avoids sharing long-term credentials, leverages AWS's cross-account trust mechanism, and ensures the partner's access is controlled through their own IAM roles, which is the most secure and scalable pattern for cross-account S3 access.
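An added example (not from the page) of option D: a bucket policy that lets one partner role list and read only the reports/ prefix. The bucket name, the partner account ID 444455556666 and the role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PartnerListsOnlyTheReportsPrefix",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:role/PartnerReportReader"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::image-sharing-reports",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["reports/", "reports/*"]
        }
      }
    },
    {
      "Sid": "PartnerReadsReportObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:role/PartnerReportReader"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::image-sharing-reports/reports/*"
    }
  ]
}
```

Cross-account access needs both sides to allow it: the partner must also attach an identity policy to PartnerReportReader permitting the same actions on these ARNs. Set Object Ownership to "bucket owner enforced" so that reports uploaded by other principals are readable under your bucket policy, and keep the ListBucket statement separate with its `s3:prefix` condition so the partner cannot enumerate the rest of the bucket. When the number of partners grows, give each its own statement (or an S3 Access Point per partner) rather than widening the Principal; an `aws:PrincipalOrgID` condition is only appropriate if every account in that organization should read the reports.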

Exam trap

The trap here is that candidates often choose sharing IAM access keys (Option B) because it seems simpler, but the SAA-C03 exam emphasizes using IAM roles and resource-based policies for cross-account access to avoid long-term credential management and improve security.

How to eliminate wrong answers

Option A is wrong because making objects public with 'security through obscurity' (difficult-to-guess names) is not secure; anyone who discovers the URL can access the objects, and S3 does not enforce access control based on object name guessability. Option B is wrong because creating an IAM user in the company account and sharing access keys introduces a long-term credential that must be rotated, managed, and could be leaked; it violates the principle of least privilege and does not scale across multiple partner accounts. Option C is wrong because copying objects to a public website bucket (e.g., S3 static website hosting) makes them publicly accessible over HTTP/HTTPS with no authentication, which is insecure and does not provide read-only access control for a specific partner.

279
Multi-Selectmedium

A company is designing a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), an Amazon EC2 Auto Scaling group for the web tier, and an Amazon RDS for MySQL database. The security team requires that the web tier instances have no public IP addresses and that all outbound traffic to the internet is blocked, except for specific software updates from a trusted vendor. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
A.Place the web tier instances in a private subnet and use a NAT gateway in a public subnet for outbound traffic to the trusted vendor.
B.Configure a VPC endpoint for the trusted vendor's software update service.
C.Use a security group on the web tier instances that denies all outbound traffic except to the trusted vendor's IP range.
D.Deploy the web tier instances in a public subnet and use a network ACL to block all inbound traffic from the internet.
E.Configure the ALB to be internet-facing and place the web tier instances in a public subnet.
F.Use a network ACL on the private subnet to block all outbound traffic except to the trusted vendor's IP range and to the NAT gateway.
AnswersA, C, F

Why this answer

Placing the web tier instances in a private subnet (A) means they get no public IP addresses; the NAT gateway in the public subnet is the only path out, so nothing reaches the internet that the subnet and instance filters do not explicitly allow. The security group (C) is the instance-level control. Security groups have no deny rules and are stateful: the design removes the default allow-all outbound rule and adds a single outbound rule for TCP/443 to the vendor's IP range, plus the rule to the database tier, and responses to connections the ALB initiates are allowed automatically. The network ACL on the private subnet (F) is the stateless subnet-level control. It must allow outbound TCP/443 to the vendor's range and, because it is stateless, inbound return traffic from that range on the ephemeral ports; the NAT gateway translates addresses in the public subnet, so the private subnet's ACL still sees the vendor's addresses, not the NAT gateway's. The same ACL must keep allowing the flows the application needs (inbound 80 from the ALB subnets with outbound ephemeral-port replies to them, and the database port to the RDS subnets with the matching return entries), otherwise the web tier stops answering the ALB.
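The fragment below is an added example (not from the page) of the security group and the private-subnet network ACL entries described above, as CloudFormation. The CIDRs are constructed placeholders (203.0.113.0/24 for the vendor, 10.0.0.0/23 for the ALB subnets), the parameter and resource names are mine, and the RDS entries on the network ACL are left out to keep the fragment short; they follow the same outbound-port plus inbound-ephemeral pattern.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "VpcId": {"Type": "AWS::EC2::VPC::Id"},
    "PrivateWebNaclId": {"Type": "String"},
    "AlbSecurityGroupId": {"Type": "AWS::EC2::SecurityGroup::Id"},
    "DbSecurityGroupId": {"Type": "AWS::EC2::SecurityGroup::Id"},
    "AlbSubnetCidr": {"Type": "String", "Default": "10.0.0.0/23"},
    "VendorUpdateCidr": {"Type": "String", "Default": "203.0.113.0/24"}
  },
  "Resources": {
    "WebTierSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier: in from ALB only; out only to vendor updates and RDS",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
           "SourceSecurityGroupId": {"Ref": "AlbSecurityGroupId"}}
        ],
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
           "CidrIp": {"Ref": "VendorUpdateCidr"}},
          {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
           "DestinationSecurityGroupId": {"Ref": "DbSecurityGroupId"}}
        ]
      }
    },
    "NaclOutToVendor": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "PrivateWebNaclId"}, "RuleNumber": 100, "Egress": true,
        "Protocol": 6, "RuleAction": "allow", "CidrBlock": {"Ref": "VendorUpdateCidr"},
        "PortRange": {"From": 443, "To": 443}
      }
    },
    "NaclInVendorReplies": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "PrivateWebNaclId"}, "RuleNumber": 100, "Egress": false,
        "Protocol": 6, "RuleAction": "allow", "CidrBlock": {"Ref": "VendorUpdateCidr"},
        "PortRange": {"From": 1024, "To": 65535}
      }
    },
    "NaclInFromAlb": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "PrivateWebNaclId"}, "RuleNumber": 110, "Egress": false,
        "Protocol": 6, "RuleAction": "allow", "CidrBlock": {"Ref": "AlbSubnetCidr"},
        "PortRange": {"From": 80, "To": 80}
      }
    },
    "NaclOutRepliesToAlb": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "PrivateWebNaclId"}, "RuleNumber": 110, "Egress": true,
        "Protocol": 6, "RuleAction": "allow", "CidrBlock": {"Ref": "AlbSubnetCidr"},
        "PortRange": {"From": 1024, "To": 65535}
      }
    }
  }
}
```

Specifying SecurityGroupEgress in CloudFormation replaces the default allow-all outbound rule, which is what turns the group into an allow-list. A custom network ACL denies everything not listed, so every flow needs an entry in each direction; the instance-side ephemeral range 1024-65535 covers Linux and Windows client ports. Vendor IP ranges change, so reference a managed prefix list instead of a literal CIDR in production, and if the vendor publishes a PrivateLink endpoint service (option B) an interface endpoint removes the need for the NAT gateway altogether.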

Exam trap

The trap here is that candidates confuse security groups (stateful, allow rules only) with network ACLs (stateless, allow and deny rules with explicit entries for return traffic) and forget that a NAT gateway is still required for private instances to reach the vendor. The NAT gateway does not restrict destinations; the allow-lists in the security group and the network ACL are what enforce the "blocked except the vendor" requirement, and the network ACL must continue to permit the ALB and database flows or the tier stops serving traffic.

280
MCQmedium

A mobile banking backend stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

A.S3 server access logging
B.S3 lifecycle expiration after seven years
C.S3 versioning only
D.S3 Object Lock in compliance mode with an appropriate retention period
AnswerD

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode applies a retention period that no identity, including the account root user, can shorten or remove, and locked object versions cannot be deleted or overwritten until the period expires; with a default retention of seven years this meets the requirement for immutable audit logs. Compliance mode is distinct from governance mode (which users with s3:BypassGovernanceRetention can override) and from a legal hold (which has no expiry and can be removed by anyone with s3:PutObjectLegalHold). Object Lock requires versioning: a PUT to a locked key creates a new version rather than replacing the locked one, and a DELETE without a version ID only adds a delete marker, so the locked version remains readable.
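Added example (not from the page): a CloudFormation bucket with versioning, a seven-year compliance-mode default retention, and public access blocked. The bucket name is a placeholder.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AuditLogBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "mobile-banking-audit-logs-111122223333",
        "VersioningConfiguration": {"Status": "Enabled"},
        "ObjectLockEnabled": true,
        "ObjectLockConfiguration": {
          "ObjectLockEnabled": "Enabled",
          "Rule": {
            "DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}
          }
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        }
      }
    }
  }
}
```

The default retention applies to every new object version; existing versions keep whatever retention they had. Test the template with `"Mode": "GOVERNANCE"` and a short period first: a compliance-mode lock cannot be undone, the bucket cannot be deleted while locked versions exist, and a typo in Years becomes a seven-year commitment. Lifecycle expiration cannot remove a locked version either, so pair this with a lifecycle rule only for clean-up after retention ends.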

Exam trap

The trap here is that candidates confuse versioning with immutability. Versioning keeps earlier versions around after an overwrite or delete, but it does not stop anyone with permission from permanently deleting those versions; compliance-grade write-once protection needs Object Lock on top of versioning.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket; it does not prevent deletion or overwriting of existing objects. Option B is wrong because a lifecycle expiration after seven years deletes objects once that period ends, but it does nothing to prevent deletion or overwriting before then. Option C is wrong because versioning alone preserves previous versions (an overwrite creates a new version and a delete adds a delete marker), but anyone with s3:DeleteObjectVersion can still permanently remove those versions; it retains history, it does not block writes or deletes.

281
MCQmedium

Developers for a customer analytics portal need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

A.Disable CloudTrail during troubleshooting
B.Attach AdministratorAccess permanently to every developer role
C.Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
D.Create shared administrator access keys for the team
AnswerC

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

Option C is correct because AWS IAM Identity Center (formerly AWS SSO) lets you define permission sets with a bounded session duration and assign them to users or groups per account, so elevated access is granted as an assignment that is created on approval and removed when the window ends, rather than as standing credentials. Every console and API action taken under the assignment is logged by AWS CloudTrail, which together with the assignment records meets the requirements for approvals, expiry, and audit logging. Identity Center itself does not ship an approval workflow; the approval and the timed removal come from the access-request process that drives the assignments.

Exam trap

The trap here is that candidates confuse IAM users with IAM Identity Center, or think that enabling CloudTrail alone satisfies the requirement. CloudTrail provides the audit trail, but the approval and expiry come from time-bound permission set assignments managed centrally, not from standing IAM credentials.

How to eliminate wrong answers

Option A is wrong because disabling CloudTrail during troubleshooting removes all audit logging, directly violating the security team's requirement for audit logging. Option B is wrong because permanently attaching AdministratorAccess to every developer role grants excessive, permanent privileges, violating the principle of least privilege and the requirement for temporary, time-bound access. Option D is wrong because creating shared administrator access keys eliminates individual accountability, breaks audit trails, and violates the security team's need for approvals and expiry.

282
Multi-Selecthard

A media company stores raw project files in Amazon S3. Files are accessed heavily for the first 60 days, occasionally for legal review during the next six months, and must be retained for 7 years. Retrieval for the oldest files can take hours. Which three actions should the architect recommend? Select three.

Select 3 answers
A.Transition objects to S3 Standard-IA after 60 days.
B.Transition objects to S3 Glacier Deep Archive after the review period ends.
C.Expire objects after 7 years.
D.Store the same files in EBS snapshots instead of S3 to lower archive costs.
E.Replicate the bucket to another Region to reduce storage charges.
AnswersA, B, C

Standard-IA reduces storage cost for infrequently accessed objects while keeping millisecond access, which fits the post-production review period.

Why this answer

Option A is correct because S3 Standard-IA is designed for data accessed less frequently but still needing immediate access; after the first 60 days of heavy use, transitioning to Standard-IA lowers storage cost while legal reviews still read files with millisecond latency (each retrieval carries a per-GB fee, acceptable for occasional access, and objects are billed for a minimum of 30 days). Option B is correct because once the review window closes, S3 Glacier Deep Archive is the lowest-cost class and suits the 7-year retention: the business accepts retrieval taking hours (standard retrieval completes within about 12 hours) and objects are billed for a minimum of 180 days. Option C is correct because a lifecycle expiration action deletes objects once the 7-year obligation has passed, so storage cost stops automatically and nothing is kept longer than policy requires.
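Added example (not from the page): the three actions as one S3 lifecycle configuration. The rule ID and the raw/ prefix are assumptions; the day counts follow the question (60 days, then about six months of review, then 7 years including leap days).

```json
{
  "Rules": [
    {
      "ID": "raw-project-files-tiering",
      "Filter": {"Prefix": "raw/"},
      "Status": "Enabled",
      "Transitions": [
        {"Days": 60, "StorageClass": "STANDARD_IA"},
        {"Days": 240, "StorageClass": "DEEP_ARCHIVE"}
      ],
      "Expiration": {"Days": 2557}
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://lifecycle.json`. Each transition must occur later than the previous one, and the minimum-duration charges (30 days for Standard-IA, 180 for Deep Archive) are satisfied by these offsets; Standard-IA also bills objects smaller than 128 KB as 128 KB, which matters if the bucket holds many tiny sidecar files. If the 7-year retention is a legal obligation rather than a cost decision, an expiration rule is the wrong tool on its own: nothing here stops an earlier delete, which is what Object Lock (question 280) is for.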

Exam trap

The trap here is that candidates may confuse S3 replication (which increases costs) with a cost-saving mechanism, or incorrectly assume EBS snapshots are a cheaper alternative for long-term archival, when in fact S3 Glacier Deep Archive is the most cost-effective option for data that can tolerate hours of retrieval time.

283
MCQmedium

A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?

A.Add an sts:ExternalId condition to the role trust policy that must match the unique external ID you provide to the vendor.
B.Require the vendor to use the same MFA device serial number as your internal administrators in the trust policy.
C.Remove the role’s permissions policy and rely only on the S3 bucket policy to validate the caller.
D.Allow sts:AssumeRole from the vendor account root principal without restricting to the vendor’s specific IAM role.
AnswerA

The sts:ExternalId condition is a common protection against confused-deputy scenarios in cross-account role assumption. It ensures that only principals who know the unique external ID can successfully assume the role. This mitigates a third party tricking the vendor’s identity into assuming your role, even if they can call AssumeRole.

Why this answer

Option A is correct because an `sts:ExternalId` condition in the trust policy requires the vendor to pass the external ID you issued in every `AssumeRole` call. The confused-deputy scenario is another customer of the vendor configuring the vendor's system with your role ARN so that the vendor assumes your role on their behalf; because the vendor attaches each tenant's own external ID, that request carries the wrong value and is denied. Note what the external ID is not: it is not a secret and does not protect you if the vendor's own account or credentials are compromised, so the role's permissions policy should still be least-privilege and scoped to the export bucket.
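The trust policy below is an added example (not from the page) that serves both question 269 (restrict the callers, require an external ID, require MFA) and this question's external ID requirement. The account ID 111122223333 stands in for account C or the vendor account, the ARN patterns and the external ID value are placeholders, and the Principal is the account root so that the aws:PrincipalArn condition, rather than the Principal element alone, selects the specific identities.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowNamedCallersWithExternalIdAndMfa",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/Engineer*",
            "arn:aws:iam::111122223333:user/eng-*"
          ]
        },
        "StringEquals": {
          "sts:ExternalId": "f7c1d4e2-replace-with-the-value-you-issued"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

An engineer in account C then calls `aws sts assume-role --role-arn <RoleInAccountA arn> --role-session-name alice --external-id <value> --serial-number arn:aws:iam::111122223333:mfa/alice --token-code 123456`; the session they receive carries the MFA context. The Bool check fails when the key is absent (a session that never used MFA), which is the fail-closed behaviour you want, and aws:PrincipalArn for a role session resolves to the role's ARN, so the Engineer* pattern matches sessions of those roles. Account C must still allow sts:AssumeRole on the role ARN in the engineers' identity policies. For the vendor case in this question, keep the principal and external ID conditions and drop the MFA block, since vendor automation cannot present a token; the external ID identifies the tenant, it does not authenticate the vendor.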

Exam trap

The trap here is that candidates may think MFA (Option B) or bucket policies (Option C) are sufficient for cross-account access security, but they fail to address the specific confused-deputy vector that `sts:ExternalId` is designed to block.

How to eliminate wrong answers

Option B is wrong because requiring the vendor to use the same MFA device serial number as your internal administrators is impractical and insecure: it would require sharing a physical or virtual MFA device, which destroys individual accountability and does nothing to stop a confused-deputy request, which arrives from the vendor's legitimate identity. Option C is wrong because removing the role’s permissions policy and relying solely on the S3 bucket policy does not mitigate the confused-deputy risk; the trust policy still governs who can assume the role, and without an external ID condition every assumption request from the trusted vendor principal succeeds regardless of which customer the vendor is acting for. Option D is wrong because allowing `sts:AssumeRole` from the vendor account root principal without restricting to the vendor’s specific IAM role increases the attack surface: it permits any user or role in the vendor account that has `sts:AssumeRole` permission to assume your role, making confused-deputy attacks easier, not harder.

284
MCQeasy

You have an EC2 instance in private subnets with no NAT Gateway. The instance must access an Amazon S3 bucket (for example, to read configuration files) without sending traffic to the public internet. What VPC endpoint type should you use for S3?

A.Create a Gateway VPC endpoint for the S3 service
B.Create an Interface VPC endpoint (powered by PrivateLink) for S3
C.Use a Transit Gateway to route to S3 over the internet
D.Place a NAT Gateway and restrict security group egress to port 443 to reduce exposure
AnswerA

S3 uses a Gateway VPC endpoint type. Gateway endpoints integrate with your VPC route tables so that traffic destined for S3 is routed privately within the VPC, avoiding the need for NAT Gateway and public internet egress for S3 access.

Why this answer

A Gateway VPC endpoint is the correct choice because it allows EC2 instances in a private subnet to access S3 without traversing the public internet. It uses prefix lists and route table entries to direct S3 traffic through AWS's internal network, and it does not require a NAT gateway, internet gateway, or public IP addresses. Gateway endpoints are free of charge and scale automatically, making them ideal for private subnet access to S3 and DynamoDB.

Exam trap

The trap here is that candidates often confuse Gateway VPC endpoints with Interface VPC endpoints and assume S3 must be reached through a private-IP (interface) endpoint like most other services. S3 and DynamoDB are the only services that offer Gateway endpoints, which are route-table based and free. S3 also supports Interface endpoints, but for instances inside the VPC the Gateway endpoint is the simpler and cheaper choice; the S3 Interface endpoint exists mainly for on-premises or cross-VPC access that cannot use a VPC route table.

How to eliminate wrong answers

Option B is not the best answer because, although S3 does support Interface VPC endpoints (PrivateLink), they create ENIs in your subnets, need a security group, and are billed per hour and per GB, whereas the Gateway endpoint for S3 is free and needs only a route table entry; for instances inside the VPC the Gateway endpoint is the recommended choice, and the S3 Interface endpoint is reserved for cases such as on-premises access over Direct Connect or VPN where VPC route tables cannot be used. Option C is wrong because a Transit Gateway is a network transit hub that connects VPCs, VPNs, and on-premises networks; it does not provide private access to S3, and routing to S3 over the internet would still require an internet gateway or NAT. Option D is wrong because a NAT Gateway sends the S3 traffic out through the internet gateway to S3's public endpoint, which is exactly what the requirement ('without sending traffic to the public internet') rules out, and it adds cost and complexity; a Gateway VPC endpoint achieves the goal without any internet path.

285
Multi-Selectmedium

A financial services company is migrating sensitive customer data to Amazon S3. The data must be encrypted at rest using a customer-managed key stored in AWS KMS, with automatic rotation every 90 days. The company also needs to prevent any access to the data from outside the corporate network, except for approved AWS services. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
.Enable default encryption on the S3 bucket with SSE-KMS using the customer-managed key.
.Configure an S3 bucket policy that denies access unless the request is made from the corporate IP range.
.Use an S3 bucket policy to require that all requests use HTTPS.
.Enable S3 Block Public Access at the account level.
.Attach an S3 VPC endpoint policy that only allows access from the corporate VPC.
.Use an S3 bucket policy that grants access only to the root user of the account.

Why this answer

Enabling default encryption on the bucket with SSE-KMS and a customer-managed key ensures every object is encrypted at rest with a key the company controls; a customer-managed KMS key supports automatic rotation on a custom period, so the 90-day schedule is set on the key itself. A bucket policy that denies access unless the request comes from the corporate IP range restricts access to the corporate network. Attaching an S3 VPC endpoint policy that allows only the corporate VPC keeps the approved AWS-side traffic on the AWS network and subject to VPC controls. One caveat when the two network controls are combined: `aws:SourceIp` does not match a request that arrives through a VPC endpoint, so the IP-range deny statement must exempt the endpoint (for example with a `StringNotEquals` on `aws:sourceVpce` in the same condition block) or the in-VPC workloads are locked out together with the internet.

Exam trap

The trap here is that candidates often confuse encryption in transit (HTTPS) with encryption at rest (SSE-KMS), or think that Block Public Access alone satisfies the network restriction, when in fact Block Public Access only stops public grants; meeting 'no access from outside the corporate network' needs the bucket policy IP restriction together with the VPC endpoint policy.

286
MCQeasy

An internal web application must require encrypted client connections. The company currently has an ALB listener on port 80 (HTTP), and users can access the application over plain HTTP. What is the best change to ensure all client traffic uses HTTPS?

A.Configure an HTTPS (port 443) listener using an ACM certificate and update the port 80 listener to redirect to HTTPS (or to block plain HTTP requests).
B.Enable S3 default encryption so HTTP requests are automatically encrypted in transit.
C.Set the application to encrypt data only after it is received by the ALB.
D.Rely on WAF alone to encrypt HTTP traffic.
AnswerA

Client-to-ALB encryption is enforced by terminating TLS on an ALB HTTPS listener. Redirecting (or refusing) HTTP on port 80 ensures clients cannot complete a plaintext session, so every usable path between the client and the load balancer is HTTPS. If the instances behind the ALB must also receive encrypted traffic, the target group can use HTTPS so the ALB re-encrypts to the targets; the listener change alone covers only the client-facing leg.

Why this answer

Option A is correct because it uses an HTTPS listener on port 443 with an ACM certificate to enforce encrypted client connections, and redirecting HTTP (port 80) traffic to HTTPS ensures clients end up on the encrypted listener. This is the standard AWS practice for enforcing HTTPS on an ALB: the load balancer controls listener behaviour, so no application change is needed, and ACM handles certificate issuance and renewal.

Exam trap

The trap here is that candidates may confuse encryption at rest (S3 default encryption) with encryption in transit, or assume that WAF or post-receipt encryption can secure the initial client connection, when only a properly configured HTTPS listener with a redirect from HTTP can enforce encrypted client connections.

How to eliminate wrong answers

Option B is wrong because S3 default encryption applies to data at rest in S3 buckets, not to data in transit over HTTP; it cannot encrypt client-to-ALB traffic. Option C is wrong because encrypting data after it is received by the ALB means the initial client-to-ALB leg remains in plaintext HTTP, failing the requirement for encrypted client connections. Option D is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic but does not perform encryption; it cannot encrypt plain HTTP traffic.
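The listener configuration from option A, written out as a CloudFormation fragment. This is an added example, not part of the question bank: the load balancer, target group VPC and ACM certificate ARNs are parameters for resources assumed to exist, and the health-check path is an assumption. The target group uses HTTPS so the ALB re-encrypts to the instances; only the two listeners are needed for the question itself.

```yaml
# Added example, not from the question bank: ALB listeners for question 286.
# LoadBalancerArn, AcmCertificateArn and VpcId are placeholders for existing
# resources; /healthz is an assumed application health endpoint.
AWSTemplateFormatVersion: "2010-09-09"
Description: HTTPS listener with an ACM certificate plus an HTTP listener that only redirects

Parameters:
  LoadBalancerArn:
    Type: String
  AcmCertificateArn:
    Type: String
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  # Targets are reached over HTTPS as well, so the ALB re-encrypts the
  # second hop; no NLB is needed for that.
  AppTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /healthz

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only
      Certificates:
        - CertificateArn: !Ref AcmCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroup

  # Port 80 stays open only to send clients to HTTPS; it forwards nothing.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: HTTP_301
```

A 301 keeps browsers from retrying the plaintext URL; if the requirement is that plain HTTP must fail rather than redirect, replace the redirect action with a fixed-response action or delete the port 80 listener altogether. Pair the listener with a Strict-Transport-Security header from the application so returning clients never attempt port 80 in the first place.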

287
MCQmedium

A microservice runs in private subnets with no NAT gateway. It must retrieve a secret from AWS Secrets Manager. Security requires that traffic to Secrets Manager stays within AWS’s private network (no public internet egress). The IAM role already grants secretsmanager:GetSecretValue for the needed secret. What is the best network setup to meet the requirement?

A.Create an Interface VPC Endpoint for Secrets Manager (com.amazonaws.<region>.secretsmanager) and allow it via the endpoint security group; optionally enable private DNS.
B.Create an S3 Gateway VPC endpoint and use it for Secrets Manager requests because both services use HTTPS.
C.Assign a public IP address to the tasks so they can call Secrets Manager over the internet without NAT.
D.Change the route table to send all 0.0.0.0/0 traffic directly to an Internet Gateway.
AnswerA

Interface VPC Endpoints provide private IP connectivity from the VPC to the Secrets Manager service without routing through a NAT gateway or an Internet Gateway. The calls remain within AWS networking and still use standard TLS to the service endpoint.

Why this answer

An Interface VPC Endpoint (AWS PrivateLink) for Secrets Manager places ENIs with private IPs in the subnets, so the microservice reaches the service without traversing the public internet. With no NAT gateway and no public IP, this is the only way to reach Secrets Manager at all. Enabling private DNS makes the standard service hostname (secretsmanager.<region>.amazonaws.com) resolve to the endpoint's private IPs, so neither the application nor the SDK needs an endpoint-URL change; this requires the VPC to have DNS support and DNS hostnames enabled, and the endpoint's security group must allow inbound TCP 443 from the microservice.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints (which only work for S3 and DynamoDB) with Interface Endpoints (which are needed for Secrets Manager and most other AWS services), leading them to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because S3 Gateway VPC endpoints are specific to Amazon S3 and cannot be used for Secrets Manager requests; Secrets Manager requires an Interface endpoint (powered by PrivateLink), not a Gateway endpoint. Option C is wrong because assigning a public IP address would route traffic over the public internet, violating the requirement that traffic stays within AWS’s private network. Option D is wrong because sending all 0.0.0.0/0 traffic to an Internet Gateway would force traffic out to the public internet, which is not allowed, and the subnet has no NAT Gateway to enable return traffic.

288
Multi-Selectmedium

A company has a workload running on Amazon EC2 instances that need to securely communicate with an Amazon SQS queue and an Amazon DynamoDB table. The EC2 instances are in a private subnet without internet access. The security team wants to ensure that no traffic leaves the AWS network. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
.Create a VPC endpoint for Amazon SQS and attach a policy that allows access from the EC2 instance's IAM role.
.Create a VPC endpoint for Amazon DynamoDB and attach a policy that allows access from the EC2 instance's IAM role.
.Configure a NAT gateway in a public subnet to route traffic to SQS and DynamoDB.
.Add a route in the private subnet's route table pointing to a NAT gateway for all traffic.
.Configure the security group for the EC2 instances to allow outbound traffic to the VPC endpoints.
.Enable VPC flow logs to monitor traffic to SQS and DynamoDB.

Why this answer

Amazon SQS is reached through an Interface VPC endpoint (PrivateLink), which creates ENIs with private IPs in the subnets, while DynamoDB, like S3, uses a Gateway endpoint, which adds a prefix-list route to the subnet route table. Both keep the traffic on the AWS network, so neither a NAT gateway nor an internet gateway is needed. An endpoint policy that allows only the EC2 instances' IAM role limits which principals can use each endpoint; it is the endpoint, not the policy, that keeps traffic off the internet. The instances' security group must allow outbound TCP 443 to the SQS endpoint's ENIs (or to the endpoint's security group) and to the DynamoDB prefix list, and the SQS endpoint's own security group must allow inbound 443 from the instances; the default security group allows all outbound traffic, so this step matters only where egress has been locked down.

Exam trap

The trap here is that candidates often assume a NAT gateway is required for private subnet resources to access AWS services, but VPC endpoints provide a more secure and cost-effective alternative that keeps traffic entirely within the AWS network.

289
Multi-Selecthard

A marketing portal serves private PDF files stored in Amazon S3 through CloudFront. Users authenticate to the portal first, and each download link must expire after one hour. The S3 origin must never be directly reachable from the internet. Which three actions should be used? Select three.

Select 3 answers
A.Use CloudFront signed URLs or signed cookies with a one-hour expiration window.
B.Configure an Origin Access Control for the S3 origin behind CloudFront.
C.Add an S3 bucket policy that allows only the CloudFront distribution, through its Origin Access Control, and denies public access.
D.Expose the S3 bucket through the static website endpoint and secure it with security group rules.
E.Use an AWS WAF web ACL attached to the S3 bucket instead of CloudFront.
AnswersA, B, C

CloudFront signed URLs or signed cookies enforce time-limited viewer authorization at the edge. For a one-hour access window, the distribution can issue a signature that CloudFront validates before it serves the object. Signed URLs are useful for a small number of object links, while signed cookies are better when the portal needs to grant access to multiple PDFs without generating a separate URL for each file.

Why this answer

Option A is correct because CloudFront signed URLs or signed cookies restrict access to content for a specific time window; setting the expiration to one hour makes each download link invalid after that period. Signed URLs by themselves do not make the origin private, which is why B and C are also needed: Origin Access Control (B) lets CloudFront sign its origin requests with SigV4, and the bucket policy (C) allows `s3:GetObject` only to the `cloudfront.amazonaws.com` service principal when `AWS:SourceArn` is this distribution, while Block Public Access and the absence of any other grant keep the bucket unreachable directly.

Exam trap

The trap here is that candidates often confuse CloudFront signed URLs with S3 pre-signed URLs. An S3 pre-signed URL is signed by an IAM principal and served by S3 directly, so users would fetch objects from the S3 endpoint and bypass CloudFront, which does not meet the requirement that the origin never be directly reachable. CloudFront signed URLs are validated at the edge, and with OAC the bucket policy can admit only the distribution.
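Options A, B and C assembled into one stack. This is an added example and not part of the question bank: the signing public key is passed in as a parameter (its private half, generated out of band, stays with the portal), the managed CachingOptimized cache policy ID is the AWS-published one, and the one-hour expiry is not in the template because it is set by the portal each time it signs a URL or cookie.

```yaml
# Added example, not from the question bank: private PDF origin for
# question 289. SigningPublicKeyPem is a placeholder for a PEM public key
# generated out of band; resource names are arbitrary.
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront in front of a private S3 bucket via OAC; viewers must present a signed URL or cookie

Parameters:
  SigningPublicKeyPem:
    Type: String    # public half of the portal's signing key pair

Resources:
  PdfBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  PdfOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: pdf-origin-oac
        OriginAccessControlOriginType: s3
        SigningBehavior: always      # every origin request is SigV4-signed
        SigningProtocol: sigv4

  PortalSigningKey:
    Type: AWS::CloudFront::PublicKey
    Properties:
      PublicKeyConfig:
        Name: portal-signing-key
        CallerReference: portal-signing-key-v1
        EncodedKey: !Ref SigningPublicKeyPem

  PortalKeyGroup:
    Type: AWS::CloudFront::KeyGroup
    Properties:
      KeyGroupConfig:
        Name: portal-key-group
        Items: [!Ref PortalSigningKey]

  PdfDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: pdf-bucket
            DomainName: !GetAtt PdfBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt PdfOriginAccessControl.Id
            S3OriginConfig:
              OriginAccessIdentity: ""   # empty: OAC replaces the legacy OAI
        DefaultCacheBehavior:
          TargetOriginId: pdf-bucket
          ViewerProtocolPolicy: https-only
          AllowedMethods: [GET, HEAD]
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # managed CachingOptimized
          TrustedKeyGroups: [!Ref PortalKeyGroup]               # unsigned requests get 403 at the edge

  # Option C: only this distribution, acting through OAC, may read objects.
  PdfBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PdfBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowOnlyThisDistributionViaOac
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub ${PdfBucket.Arn}/*
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${PdfDistribution}
```

After a user authenticates, the portal signs each link with the private key and an expiry of now plus 3600 seconds; signed cookies use the same key group when one login must cover many PDFs. Because the bucket policy grants nothing to anyone but the distribution, a direct request to the S3 URL fails even with the correct object key, which is the check to run after deployment.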

290
MCQmedium

Based on the exhibit, what is the best way to let private EC2 instances reach Amazon S3 and AWS Systems Manager without sending traffic through the internet or a NAT gateway?

A.Create a gateway endpoint for S3 and interface endpoints for Systems Manager, EC2Messages, and SSMMessages.
B.Add a more permissive security group rule allowing outbound 0.0.0.0/0 on all ports.
C.Replace the NAT gateway with a network ACL that allows ephemeral ports to the internet.
D.Move the instances to public subnets so they can reach AWS services directly.
AnswerA

This keeps traffic on the AWS network and avoids NAT or internet traversal. S3 uses a gateway endpoint, while Systems Manager needs interface endpoints for the control and messaging services that Session Manager depends on. It directly addresses both the S3 download problem and the missing Session Manager connectivity in a private subnet design.

Why this answer

Gateway endpoints for S3 allow private EC2 instances to access S3 via AWS's private network without traversing the internet or a NAT gateway, using prefix lists and route table entries. Interface endpoints for Systems Manager, EC2Messages, and SSMMessages provide private connectivity to AWS Systems Manager via PrivateLink, enabling secure instance management without public IPs or NAT.

Exam trap

The trap here is that candidates often assume all AWS services can be accessed via a single endpoint type, but S3 requires a gateway endpoint (route table-based) while Systems Manager and its sub-services require interface endpoints (PrivateLink-based), and failing to create all three (including EC2Messages and SSMMessages) will break Systems Manager functionality.

How to eliminate wrong answers

Option B is wrong because adding a permissive security group rule for outbound 0.0.0.0/0 does not eliminate the need for a NAT gateway or internet gateway; it only permits traffic but still requires a route to the internet, which violates the requirement to avoid internet or NAT gateway traffic. Option C is wrong because replacing the NAT gateway with a network ACL that allows ephemeral ports to the internet does not provide private connectivity; network ACLs are stateless and cannot route traffic to AWS services privately, and they still require an internet gateway for outbound internet access. Option D is wrong because moving instances to public subnets would require public IP addresses and an internet gateway, exposing them to the internet and defeating the requirement to avoid internet traffic.

291
MCQmedium

Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

A.Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
B.Disable CloudTrail during troubleshooting
C.Create shared administrator access keys for the team
D.Attach AdministratorAccess permanently to every developer role
AnswerA

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center (formerly AWS SSO) allows you to define permission sets with time-bound access, ensuring that developers receive temporary elevated permissions that automatically expire. Combined with AWS CloudTrail, all API calls made during the troubleshooting session are logged for audit, meeting the security team's requirements for approvals, expiry, and audit logging.

Exam trap

The trap here is that candidates may think IAM roles with a trust policy and `sts:AssumeRole` are sufficient, but without IAM Identity Center's permission sets and time-bound controls, they lack the centralized approval workflow and automatic expiry that the question explicitly requires.

How to eliminate wrong answers

Option B is wrong because disabling CloudTrail would eliminate audit logging, directly violating the security team's requirement for audit logging. Option C is wrong because creating shared administrator access keys violates the principle of least privilege, provides no individual accountability, and cannot enforce time-bound access or approvals. Option D is wrong because permanently attaching AdministratorAccess to every developer role grants persistent elevated privileges with no expiry, which contradicts the requirement for temporary, time-bound access and increases the attack surface.

292
MCQhard

An application runs in private subnets and must download objects from Amazon S3 and read one secret from AWS Secrets Manager. NAT gateways are prohibited, and traffic must not traverse the public internet. The secret uses a customer managed KMS key. Which design is best?

A.Use a NAT gateway for outbound access and rely on security groups to block internet destinations.
B.Create interface VPC endpoints for both S3 and Secrets Manager and enable private DNS.
C.Create a gateway VPC endpoint for S3 and an interface VPC endpoint for Secrets Manager with private DNS enabled.
D.Use VPC peering to a public subnet that hosts a proxy for S3 and Secrets Manager access.
AnswerC

This combination keeps traffic on the AWS network without NAT. S3 is best accessed through a gateway endpoint, which is the native private connectivity option for S3. Secrets Manager requires an interface endpoint, and private DNS lets the application use standard service names while still resolving to the private endpoint. The KMS key is used by Secrets Manager service-side, not via a separate app network path.

Why this answer

Option C is correct because it uses a gateway VPC endpoint for S3, which adds a prefix-list route to the private subnets' route tables so S3 traffic never leaves the AWS network, and an interface VPC endpoint for Secrets Manager, which provides private IPs in the subnets via AWS PrivateLink. Private DNS applies to the interface endpoint: it makes the standard Secrets Manager hostname resolve to the endpoint's private IPs, so the application needs no endpoint-URL change. The gateway endpoint has no DNS component; the route table does the work. Together these meet the requirement with no NAT gateway and no public internet path, and Secrets Manager calls KMS on the service side to decrypt the secret, so this flow needs no separate KMS endpoint.

Exam trap

The trap here is that candidates often assume all AWS services require interface VPC endpoints, but S3 and DynamoDB use gateway endpoints, which are more cost-effective and simpler to configure for private access.

How to eliminate wrong answers

Option A is wrong because NAT gateways are explicitly prohibited, and security groups cannot keep traffic off the public internet; they filter what is allowed, not the route it takes, and a NAT gateway's path to S3 and Secrets Manager runs through the internet gateway. Option B is technically feasible (S3 does support interface VPC endpoints) but is not the best design: an S3 interface endpoint consumes ENIs and subnet IPs and is billed per hour and per GB, while the gateway endpoint is free and needs only a route table entry; the S3 interface endpoint is intended for on-premises or cross-VPC access that cannot use a VPC route table. Option D is wrong because a proxy in a public subnet reached over VPC peering still sends the traffic out through that subnet's internet gateway, so the 'no public internet' requirement is violated, and it adds a single point of failure and extra latency.
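The endpoint set that questions 284, 287, 290 and 292 describe, as one CloudFormation template. This is an added example, not part of the question bank: every parameter stands for a resource assumed to exist in the target VPC, and the endpoint policy on the Secrets Manager endpoint assumes the application runs as a single IAM role whose ARN is passed in. The same pattern covers question 288: SQS takes an interface endpoint exactly like Secrets Manager (service name `com.amazonaws.<region>.sqs`), DynamoDB a gateway endpoint exactly like S3.

```yaml
# Added example, not from the question bank: private access to S3, Secrets
# Manager and Session Manager from private subnets with no NAT or internet
# gateway. All parameters are placeholders for an existing VPC, which must
# have DNS support and DNS hostnames enabled for PrivateDnsEnabled to work.
AWSTemplateFormatVersion: "2010-09-09"
Description: Gateway endpoint for S3 plus interface endpoints for Secrets Manager and Session Manager

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>    # one private subnet per AZ the workload uses
  PrivateRouteTableIds:
    Type: CommaDelimitedList            # route tables of those private subnets
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # security group on the application instances or tasks
  AppRoleArn:
    Type: String                        # IAM role the application runs as (assumed)

Resources:
  # S3: gateway endpoint. No ENI and no charge; a prefix-list route is added
  # to each route table, so S3 traffic never needs an internet path.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds: !Ref PrivateRouteTableIds

  # Interface endpoints are ENIs with private IPs, so they carry a security
  # group: allow HTTPS only from the application tier.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the application tier to interface endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  # Secrets Manager: interface endpoint. PrivateDnsEnabled makes the
  # standard hostname resolve to the endpoint, so the SDK needs no change.
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
      # Endpoint policy: only the application role may use this path.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: secretsmanager:GetSecretValue
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalArn: !Ref AppRoleArn

  # Session Manager needs all three of ssm, ssmmessages and ec2messages;
  # with any one missing the instance shows as not connected.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
```

Interface endpoints are billed per AZ-hour and per GB, which is why the S3 gateway endpoint is the default choice inside a VPC. The gateway endpoint can carry its own PolicyDocument as well; if it is tightened to a single bucket, remember that the SSM agent and the distribution package repositories also fetch from S3 buckets and will need to be allowed.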

293
MCQmedium

A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole". What is the most appropriate fix?

A.Add an allow statement for the vendor in the role’s trust policy to permit sts:AssumeRole from the vendor account (and include any required ExternalId condition).
B.Attach the same allow policy to the vendor account’s existing IAM user so the user can call sts:AssumeRole directly into your role.
C.Replace the AssumeRole call with GetCallerIdentity so the vendor can infer permissions without assuming the role.
D.Enable MFA on the vendor’s IAM user and require MFA for your role using condition keys in the permissions policy.
AnswerA

AssumeRole is blocked unless the role trust policy allows the vendor principal. The role’s permissions policy alone cannot permit assumption.

Why this answer

The error 'Not authorized to perform: sts:AssumeRole' indicates that the role's trust policy does not grant the external AWS account (555566667777) permission to assume the role. The trust policy must include an Allow statement with the sts:AssumeRole action, specifying the external account as the principal, and optionally an ExternalId condition to prevent the confused deputy problem. This is the required configuration for cross-account IAM role access.

Exam trap

The trap here is that candidates often confuse the role's permissions policy (which defines what the role can do after being assumed) with the trust policy (which defines who can assume the role), and mistakenly think attaching permissions to the external user or modifying the permissions policy will fix the AssumeRole authorization failure.

How to eliminate wrong answers

Option B is wrong because attaching the allow policy to the vendor account's IAM user does not grant the user permission to assume the role; the trust policy on the role must explicitly allow the external account (or its users/roles) to call sts:AssumeRole. Option C is wrong because GetCallerIdentity returns information about the caller's identity and does not grant or infer permissions to access resources in another account; it cannot replace the need for role assumption. Option D is wrong because enabling MFA on the vendor's IAM user and requiring MFA in the role's permissions policy does not address the missing trust policy authorization; the trust policy must first allow the sts:AssumeRole call, and MFA conditions are optional enhancements, not a fix for a missing trust relationship.
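The role from questions 283 and 293 with both fixes applied: a trust policy that names the vendor's principal (which is what the "Not authorized to perform: sts:AssumeRole" failure in 293 lacks) and the `sts:ExternalId` condition from 283. This is an added example, not part of the question bank; the vendor account ID is the one from question 293, while the vendor's role name, the external ID value and the bucket name are placeholders.

```yaml
# Added example, not from the question bank: cross-account role for the
# vendor in questions 283 and 293. VendorRoleName, VendorExternalId and
# ExportBucketName are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Role a SaaS vendor assumes to read customer exports, protected by sts:ExternalId

Parameters:
  VendorAccountId:
    Type: String
    Default: "555566667777"           # vendor account from question 293
  VendorRoleName:
    Type: String
    Default: VendorIntegrationRole    # assumed: the vendor's own role that calls AssumeRole
  VendorExternalId:
    Type: String
    Default: 7c2f9a4e-example-id      # unique per customer; agreed with the vendor, not a secret
  ExportBucketName:
    Type: String
    Default: customer-exports-example

Resources:
  VendorReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: VendorReadRole
      MaxSessionDuration: 3600        # vendor sessions expire after one hour
      # Trust policy: WHO may assume the role. Without this statement the
      # vendor's AssumeRole call fails exactly as in question 293.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowVendorRoleWithExternalId
            Effect: Allow
            Principal:
              # the vendor's specific role, not the account root (option D in 283)
              AWS: !Sub arn:aws:iam::${VendorAccountId}:role/${VendorRoleName}
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref VendorExternalId
      # Permissions policy: WHAT the role may do once assumed.
      Policies:
        - PolicyName: ReadCustomerExports
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${ExportBucketName}
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${ExportBucketName}/*

Outputs:
  RoleArnForVendor:
    Value: !GetAtt VendorReadRole.Arn   # hand this ARN and the external ID to the vendor
```

The vendor then calls `aws sts assume-role --role-arn <RoleArnForVendor> --role-session-name integration --external-id <VendorExternalId>`; a call that omits or mismatches the ID is refused at AssumeRole before any S3 permission is consulted. IAM validates cross-account role principals at creation time, so the vendor's role must already exist; if it does not, trust the vendor account root temporarily and tighten to the role ARN once it is known.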

294
MCQmedium

Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project. AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag. Which change most directly fixes this issue?

A.Add permissions for sts:TagSession to the IAM role so the CI pipeline is allowed to pass the Project session tag during AssumeRole.
B.Remove the ABAC condition using aws:PrincipalTag/Project so the policy ignores session tags.
C.Move the aws:PrincipalTag/Project condition into the trust policy so it applies during the AssumeRole call.
D.Add kms:Decrypt permission to the CI role because missing tags are typically caused by KMS authorization failures.
AnswerA

Session tags are not granted automatically; the role's trust policy must allow sts:TagSession alongside sts:AssumeRole before tags can be attached to the session.

Why this answer

Option A is correct because, when session tags are passed on an `AssumeRole` call, the role's trust policy must grant the `sts:TagSession` action to the calling principal in addition to `sts:AssumeRole`. Without it, an `AssumeRole` request that includes a `Tags` parameter is denied, and a session established without the tag fails the `aws:PrincipalTag/Project` condition on every deployment action, which is the AccessDenied seen here. Adding `sts:TagSession` to the trust policy of `RoleForDeploy` (not to its permissions policy, which governs what the role can do after assumption) and passing `Project=blue` on every `AssumeRole` call gives the session the tag the ABAC policy expects.

Exam trap

The trap here is that candidates assume `AssumeRole` with session tags always results in a tagged session. The tag is present only if the caller passed it and the trust policy allowed `sts:TagSession`; a session established without it looks normal in CloudTrail (the AssumeRole event is recorded) but produces a confusing AccessDenied on the first downstream action that checks `aws:PrincipalTag`.

How to eliminate wrong answers

Option B is wrong because removing the ABAC condition would bypass the intended fine-grained access control and does not address the root cause, the missing session tag. Option C is wrong because `aws:PrincipalTag/Project` belongs in the identity-based or resource-based policy that authorizes the downstream actions; a trust policy can use `aws:RequestTag/Project` to require that a tag be passed at assumption time, but moving the condition there does not put a tag into the session. Option D is wrong because KMS authorization failures are unrelated to missing session tags; the issue is STS tag propagation, not encryption key permissions.
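`RoleForDeploy` with `sts:TagSession` in the right place, plus the ABAC permissions policy the question describes. This is an added example, not part of the question bank: the CI principal ARN (AWS documentation account 111122223333) and the EC2 actions are placeholders chosen to show the pattern, and the trust policy goes one step beyond the question by requiring the `Project` tag at assumption time so a tagless session cannot be created in the first place.

```yaml
# Added example, not from the question bank: RoleForDeploy for question 294.
# CiRoleArn and the EC2 actions are placeholders; the point is that
# sts:TagSession lives in the trust policy.
AWSTemplateFormatVersion: "2010-09-09"
Description: Role that accepts a Project session tag and authorizes by that tag (ABAC)

Parameters:
  CiRoleArn:
    Type: String
    Default: arn:aws:iam::111122223333:role/ci-runner   # identity the CI system calls AssumeRole with

Resources:
  RoleForDeploy:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RoleForDeploy
      # Trust policy: sts:TagSession is granted HERE, next to sts:AssumeRole.
      # The aws:RequestTag condition makes an AssumeRole call that omits the
      # Project tag fail immediately instead of yielding a tagless session
      # that only fails later with AccessDenied.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCiToAssumeWithProjectTag
            Effect: Allow
            Principal:
              AWS: !Ref CiRoleArn
            Action:
              - sts:AssumeRole
              - sts:TagSession
            Condition:
              StringLike:
                aws:RequestTag/Project: "*"      # the tag must be present
              ForAllValues:StringEquals:
                aws:TagKeys: [Project]           # and no other tag keys may be passed
      # Permissions policy: what the session may do, decided by comparing the
      # tag it carries with the tag on each resource.
      Policies:
        - PolicyName: DeployOwnProjectOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ActOnMatchingProjectResources
                Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                  - ec2:RebootInstances
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/Project: "${aws:PrincipalTag/Project}"
              - Sid: DescribeIsNotResourceScoped
                Effect: Allow
                Action: ec2:DescribeInstances
                Resource: "*"
```

The pipeline assumes the role with `aws sts assume-role --role-arn <RoleForDeploy ARN> --role-session-name deploy --tags Key=Project,Value=blue`. If the CI runner's own identity policy enumerates STS actions, it needs `sts:TagSession` there as well; and because `aws:TagKeys` is restricted, a session tag such as `Environment=prod` cannot be smuggled in alongside `Project`.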

295
MCQhard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a B2B file exchange site. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A.A condition that matches aws:sourceVpce to the endpoint ID
B.A deny statement for all IAM users except the EC2 role
C.A condition that matches aws:RequestedRegion to the bucket Region
D.A security group rule that allows HTTPS to S3
AnswerA

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

The correct answer is A because the bucket policy must include a condition on `aws:sourceVpce` (condition keys are not case-sensitive) that matches the specific VPC endpoint ID, for example `vpce-12345678`. The usual form is a `Deny` on all `s3:*` actions for `Principal: "*"` with `StringNotEquals` on `aws:sourceVpce`, so that an otherwise-authorized principal is refused if its request arrives from anywhere else: the public S3 endpoint, another VPC, or an on-premises network. Without the condition, IAM permissions alone decide access and the network path is never checked.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceIp` or think a security group rule can be applied to S3, when in fact S3 bucket policies use VPC endpoint conditions to enforce network-level restrictions.

How to eliminate wrong answers

Option B is wrong because denying all IAM users except the EC2 role does not restrict traffic to the VPC endpoint; it only controls which IAM identities can access the bucket, not the network path. Option C is wrong because `aws:RequestedRegion` checks the AWS Region of the request, not the VPC endpoint, and does not enforce that traffic comes through a specific endpoint. Option D is wrong because security group rules apply to EC2 instances, not to S3 bucket policies, and S3 does not support security group rules in bucket policies; S3 uses bucket policies and VPC endpoint policies for access control.
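The bucket from question 295 with the `aws:sourceVpce` condition, combined with the corporate-range restriction, SSE-KMS default encryption and 90-day key rotation from question 285. This is an added example, not part of the question bank: the corporate CIDR is a documentation range, the endpoint ID and key policy are placeholders, and the key-rotation period property requires the KMS custom rotation period feature. It also shows the caveat that `aws:SourceIp` never matches a request arriving through a VPC endpoint, so the network deny exempts the endpoint explicitly.

```yaml
# Added example, not from the question bank: the regulated-export bucket of
# questions 285 and 295. CorporateCidr, AllowedVpcEndpointId and the key
# policy are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 bucket reachable only from the corporate range or one VPC endpoint, SSE-KMS with 90-day rotation

Parameters:
  CorporateCidr:
    Type: String
    Default: 203.0.113.0/24           # documentation range, placeholder
  AllowedVpcEndpointId:
    Type: String
    Default: vpce-0123456789abcdef0   # the S3 gateway endpoint of the private subnets

Resources:
  ExportKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed key for regulated exports
      EnableKeyRotation: true
      RotationPeriodInDays: 90        # custom rotation period, question 285
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  ExportBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true    # fewer KMS calls, same key
            ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt ExportKey.Arn
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ExportBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ExportBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Conditions in one block are ANDed: deny only when the request is
          # neither from the corporate range nor through the approved endpoint.
          - Sid: DenyOutsideCorporateNetworkAndEndpoint
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt ExportBucket.Arn
              - !Sub ${ExportBucket.Arn}/*
            Condition:
              NotIpAddress:
                aws:SourceIp: !Ref CorporateCidr
              StringNotEquals:
                aws:SourceVpce: !Ref AllowedVpcEndpointId
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt ExportBucket.Arn
              - !Sub ${ExportBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: "false"
          # Default encryption covers uploads with no header; this stops an
          # upload that names a different KMS key.
          - Sid: DenyOtherKmsKeys
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub ${ExportBucket.Arn}/*
            Condition:
              StringNotEqualsIfExists:
                s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt ExportKey.Arn
```

A `Deny` with `Principal: "*"` binds administrators and the account root too, so break-glass access must come from the corporate range or through the endpoint; test the policy from an outside address and expect AccessDenied before relying on it. If the private source address of in-VPC callers ever needs to be matched, the key is `aws:VpcSourceIp`, not `aws:SourceIp`.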

296
Multi-Selectmedium

A company is designing a secure multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets, and the EC2 instances need to access an Amazon RDS database in a separate private subnet. The company must ensure that all traffic is encrypted in transit and that only necessary access is allowed. Which of the following steps should the company take to meet these requirements? (Choose four.)

Select 4 answers
.Configure the ALB with an HTTPS listener and install a TLS certificate from AWS Certificate Manager (ACM).
.Place the EC2 instances in a public subnet to allow direct access to the internet for security updates.
.Configure the security group for the RDS database to allow inbound traffic on port 3306 (or the appropriate database port) only from the security group attached to the EC2 instances.
.Enable encryption in transit for the RDS database by using SSL/TLS for connections between the EC2 instances and the database.
.Assign a public IP address to the RDS database instance to simplify connectivity from the EC2 instances.
.Use an AWS Network Load Balancer (NLB) with a TLS listener to terminate and re-encrypt traffic from the ALB to the EC2 instances.

Why this answer

Configuring the ALB with an HTTPS listener and a TLS certificate from ACM ensures that traffic between clients and the ALB is encrypted in transit. Restricting the RDS security group to inbound traffic on the database port only from the security group attached to the EC2 instances applies least privilege on the network path: the rule references a security group rather than a CIDR, so only the web tier can open a database connection, wherever its instances happen to be placed. Enabling SSL/TLS for connections between the EC2 instances and the RDS database covers the second hop, which the ALB listener does not protect; RDS can enforce it server-side (`require_secure_transport` for MySQL, `rds.force_ssl` for PostgreSQL) so that a misconfigured client cannot fall back to plaintext. Public subnets, a public IP on the database, and an extra NLB are all either unnecessary or actively increase exposure.

Exam trap

The trap here is that candidates often think an NLB is required for TLS termination or re-encryption between ALB and EC2, but the ALB itself can handle HTTPS termination, and the question's requirement for encryption in transit is already met by the ALB's HTTPS listener and the RDS SSL/TLS connection.
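The security-group chain and the server-side TLS requirement for the database tier, as an added example that is not part of the question bank. Port 3306 assumes MySQL, the ALB security group and VPC are parameters for resources assumed to exist, and the parameter group is attached to the DB instance through its `DBParameterGroupName` property (the instance itself, with its credentials, is left out).

```yaml
# Added example, not from the question bank: tier-to-tier access controls
# for question 296. AlbSecurityGroupId and VpcId are placeholders; 3306
# assumes MySQL.
AWSTemplateFormatVersion: "2010-09-09"
Description: Security groups that reference each other, and a DB parameter group that refuses non-TLS connections

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AlbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, reachable only from the ALB over HTTPS
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AlbSecurityGroupId

  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier, reachable only from the web tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSecurityGroup   # group reference, not a CIDR

  # Encryption in transit enforced by the server: MySQL rejects any session
  # that does not negotiate TLS, whatever the client was configured to do.
  RequireTlsParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Reject connections that do not negotiate TLS
      Family: mysql8.0
      Parameters:
        require_secure_transport: "1"
```

Set `PubliclyAccessible: false` on the DB instance and place it in the private subnets; with the group reference in `DbSecurityGroup`, a compromised host in any other subnet cannot reach port 3306 even inside the VPC. For PostgreSQL the equivalent parameter is `rds.force_ssl`, and clients should also verify the RDS CA bundle so TLS is not merely negotiated but authenticated.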

297
MCQmedium

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

A.Use AWS Systems Manager Session Manager, enabling the required SSM permissions in the instance profile and restricting access to engineers via IAM.
B.Keep the bastion host but move it into a private subnet; engineers can connect by using a corporate VPN into the VPC.
C.Attach a public IP to each private instance so engineers can SSH directly and use security groups to restrict access.
D.Create a security group rule that allows engineers’ source IP addresses to reach instances over RDP on port 3389.
AnswerA

Session Manager avoids inbound SSH from the internet by initiating interactive sessions through Systems Manager: the SSM Agent on the instance makes outbound connections to the service, so no inbound port is opened. The instance profile needs the agent permissions (the AmazonSSMManagedInstanceCore managed policy covers ssm, ssmmessages and ec2messages), while ssm:StartSession is granted to the engineers' identities, not to the instance, and can be scoped to specific instances by tag. This is the commonly recommended bastion-free alternative: it improves security, reduces exposed network paths, and records every session start in CloudTrail, with optional session logging to CloudWatch Logs or S3.

Why this answer

AWS Systems Manager Session Manager provides secure, auditable, agent-based access to EC2 instances without requiring a bastion host, open inbound ports, or SSH keys. By enabling the required SSM permissions (e.g., AmazonSSMManagedInstanceCore) in the instance profile and using IAM policies to restrict access to authenticated engineers via AWS SSO, you achieve a fully managed, secure, and compliant solution. This eliminates the need for a bastion host while maintaining the ability to troubleshoot instances in private subnets.

Exam trap

The trap here is that candidates often think a bastion host is required for private subnet access, or they mistakenly believe that opening inbound ports (even with IP restrictions) is an acceptable alternative, failing to recognize that AWS Systems Manager Session Manager provides a fully managed, agent-based, port-free solution that aligns with the principle of least privilege and removes the bastion host entirely.

How to eliminate wrong answers

Option B is wrong because moving the bastion host to a private subnet and requiring a corporate VPN still maintains an unnecessary bastion host, which adds complexity, cost, and a potential attack surface; it does not remove the bastion host as required. Option C is wrong because attaching a public IP to each private instance defeats the purpose of a private subnet, exposing instances directly to the internet and violating the principle of least privilege, even with security group restrictions. Option D is wrong because allowing RDP (port 3389) from engineers' source IPs still requires opening inbound ports and managing IP whitelists, which is less secure and more operationally burdensome than using Session Manager's agent-based, port-free access.

298
MCQ · medium

An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present. Which IAM design best meets these requirements?

A. Create an IAM user for administrators with AdministratorAccess and require MFA only at the IAM user login.
B. Create an IAM role for administration and use a permissions policy that allows only the required read/write actions. Add a condition to deny all allowed actions unless aws:MultiFactorAuthPresent is true.
C. Attach policies to an IAM user that allow read/write actions and enable MFA in the account, but do not use condition keys in IAM policies.
D. Use a role with the correct actions but enforce MFA only in the application by prompting users for an OTP before every API call.
Answer: B

A role-based approach removes long-lived keys and supports temporary credentials. Using a permissions-policy condition to require MFA presence enforces that the session must have MFA to perform actions, aligning with the “actions only allowed with MFA present” requirement.

Why this answer

Option B is correct because it uses an IAM role with a permissions policy that includes a condition key `aws:MultiFactorAuthPresent` set to `true`. This ensures that any API call made using temporary credentials from the role requires MFA to be present, eliminating long-lived access keys and enforcing MFA for every action. The role-based approach also aligns with the principle of least privilege by scoping actions to only required read/write operations.

Exam trap

The trap here is that candidates assume requiring MFA at login (Option A) or enabling MFA in the account (Option C) is sufficient, but they overlook the need for a condition key in the IAM policy to enforce MFA for every API call, not just the initial authentication.

How to eliminate wrong answers

Option A is wrong because it creates an IAM user with AdministratorAccess and only requires MFA at login, which still allows the user to generate long-lived access keys and perform actions without MFA after the initial session. Option C is wrong because it attaches policies to an IAM user and enables MFA in the account but does not use condition keys, meaning the user can still use access keys without MFA for API calls. Option D is wrong because it enforces MFA only at the application layer via OTP prompts, which does not prevent API calls made directly to AWS using temporary credentials that bypass the application-level check.

299
MCQ · medium

You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests. Which change most likely fixes the issue?

A. Associate the Web ACL with the Application Load Balancer resource ARN so WAF evaluates requests sent to that ALB.
B. Add a security group rule that drops inbound traffic from the attacker IP range at the instances' ENIs.
C. Create a target group stickiness policy so WAF can count requests consistently per client IP.
D. Enable AWS Shield Advanced but keep the Web ACL unattached because Shield automatically applies rate limiting.
Answer: A

For an ALB, the Web ACL must be associated with the load balancer resource itself. If it is not attached to the ALB, WAF will not inspect those requests.

Why this answer

The Web ACL must be explicitly associated with the ALB resource ARN for AWS WAF to evaluate incoming requests. Without this association, WAF does not inspect traffic, allowing attackers to bypass the rate-based rule and reach the backend service. Associating the Web ACL with the ALB ensures that all requests to the ALB are evaluated by the WAF rules before being forwarded to the target group.

Exam trap

The trap here is that candidates assume deploying a Web ACL automatically applies it to every eligible resource, but in AWS WAF, you must explicitly associate the Web ACL with each resource (ALB, API Gateway, CloudFront) using the resource ARN.

How to eliminate wrong answers

Option B is wrong because security group rules operate at the network layer (Layer 3/4) and cannot inspect application-layer traffic or implement rate-based logic; they only filter by IP/port/protocol, which would block all traffic from the attacker IPs rather than rate-limit abusive requests. Option C is wrong because target group stickiness (sticky sessions) is a load-balancing feature that routes requests from the same client to the same target, but it does not integrate with AWS WAF or enable request counting for rate-based rules. Option D is wrong because AWS Shield Advanced provides DDoS protection at the network/transport layer and does not automatically apply application-layer rate limiting; the Web ACL must still be associated with the ALB for WAF rules to take effect.

300
MCQ · medium

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

A. Disable CloudTrail during troubleshooting
B. Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
C. Attach AdministratorAccess permanently to every developer role
D. Create shared administrator access keys for the team
Answer: B

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center permission sets allow administrators to define time-bound access policies that grant temporary elevated permissions to specific users or roles. When combined with AWS CloudTrail, every API call made during the troubleshooting session is logged, providing full auditability. This approach meets the security team's requirements for approvals (via the permission set assignment process), expiry (via session duration settings), and audit logging without requiring custom scripts.

Exam trap

The trap here is that candidates may think IAM roles or temporary credentials require custom scripts to manage, but IAM Identity Center provides a fully managed, script-free solution for time-bound access with built-in audit logging via CloudTrail.

How to eliminate wrong answers

Option A is wrong because disabling CloudTrail during troubleshooting would remove all audit logging for that period, violating the security team's requirement for audit logging and making it impossible to track actions taken. Option C is wrong because permanently attaching AdministratorAccess to every developer role violates the principle of least privilege, grants excessive permissions at all times, and does not provide time-bound access or expiry. Option D is wrong because creating shared administrator access keys eliminates individual accountability, bypasses approval workflows, and prevents proper audit logging since actions cannot be attributed to a specific developer.
