CCNA Design Secure Questions

75 of 336 questions · Page 1/5 · Design Secure topic · Answers revealed

1
MCQ · medium

You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests. Which change most likely fixes the issue?

A. Associate the Web ACL with the Application Load Balancer resource ARN so WAF evaluates requests sent to that ALB.
B. Add a security group rule that drops inbound traffic from the attacker IP range at the instances' ENIs.
C. Create a target group stickiness policy so WAF can count requests consistently per client IP.
D. Enable AWS Shield Advanced but keep the Web ACL unattached because Shield automatically applies rate limiting.
Answer: A

For an ALB, the Web ACL must be associated with the load balancer resource itself. If it is not attached to the ALB, WAF will not inspect those requests.

Why this answer

A Web ACL must be explicitly associated with a resource (such as an ALB) for AWS WAF to evaluate incoming requests. In this scenario, the Web ACL was deployed but not associated with the ALB resource ARN, so WAF never inspected the traffic. Associating the Web ACL with the ALB ensures that all requests to the ALB are evaluated by the rate-based rule before reaching the backend.

Exam trap

The trap here is that candidates assume deploying a Web ACL automatically applies it to all resources in the account, when in fact it must be explicitly associated with each resource ARN to take effect.

How to eliminate wrong answers

Option B is wrong because security group rules operate at the instance ENI level and can block traffic, but they do not integrate with WAF rate-based rules or provide application-layer rate limiting; they also cannot be dynamically updated by WAF. Option C is wrong because target group stickiness (sticky sessions) ensures a client is routed to the same target, but it does not cause WAF to evaluate requests or count them per client IP; WAF evaluation is independent of load balancer routing policies. Option D is wrong because AWS Shield Advanced provides DDoS protection and automatic application-layer mitigation, but it does not replace the need for an associated Web ACL to enforce custom rate-based rules; Shield Advanced works alongside WAF, not as a substitute for Web ACL association.

2
MCQ · medium

Company A stores encrypted log files in its S3 bucket using SSE-KMS with a customer-managed KMS key. A partner application in Company B uploads objects into Company A's bucket using an IAM role in Company B. Uploads fail with an error indicating KMS access is denied (kms:Encrypt not authorized). Neither the partner IAM policy nor the S3 bucket policy currently mentions KMS. What is the most secure and correct change to allow cross-account uploads to succeed?

A. In Company A's KMS key policy, allow Company B's partner role principal to use the key for kms:Encrypt, kms:GenerateDataKey, and kms:DescribeKey, and also add a matching IAM policy in Company B that grants the partner role those same KMS actions on Company A's key ARN, constrained to the target S3 bucket context when possible.
B. In Company B's IAM policy, allow kms:Encrypt on Company A's KMS key ARN, without changing Company A's key policy.
C. Create a new KMS key in Company B and configure Company A's S3 bucket to use that key for SSE-KMS.
D. Disable key policy restrictions by setting the KMS key to enabled and removing all policy statements so that encryption automatically works for any principal.
Answer: A

Cross-account SSE-KMS requires both the KMS key policy in the key owner account and an IAM policy in the caller account to allow the required KMS actions. Scoping the permissions to the specific bucket or encryption context reduces blast radius.

Why this answer

For cross-account SSE-KMS uploads, the KMS key policy must explicitly grant the external IAM role principal the required KMS actions (kms:Encrypt, kms:GenerateDataKey, and kms:DescribeKey). Additionally, the partner account's IAM policy must also allow those same actions on the key ARN. This dual-permission model is required because KMS does not implicitly trust IAM policies in the key owner's account for cross-account access; the key policy is the authoritative gatekeeper.

Option A correctly implements both sides, and constraining to the target S3 bucket context (via kms:ViaService or kms:EncryptionContext) adds a security best practice.

Exam trap

The trap here is that candidates assume an IAM policy in the partner account alone is sufficient for cross-account KMS access, forgetting that KMS key policies are the definitive authorization mechanism for external principals.

How to eliminate wrong answers

Option B is wrong because KMS key policies are the primary access control for cross-account use; an IAM policy in Company B alone is insufficient without the key policy granting access to the external principal. Option C is wrong because using a KMS key from Company B would require Company A's S3 bucket to trust that key for SSE-KMS, which is not supported for cross-account uploads—the bucket must use its own key to decrypt. Option D is wrong because removing all policy statements from the KMS key disables all access control, making the key effectively unusable and insecure; KMS requires at least a default key policy to allow the root account, and removing it would break all encryption operations.

3
MCQ · medium

Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?

A. Expose the NLB with an Internet Gateway route and restrict access using a security group attached to the NLB.
B. Create a VPC endpoint (interface endpoint) in the consumer VPC that points to the service name published by the provider account, and limit allowed clients using the endpoint’s security group rules.
C. Create an S3 Gateway endpoint in the consumer VPC and store the service hostname in SSM Parameter Store so clients can resolve privately.
D. Use a bastion host in the provider VPC and allow the consumer VPC to SSH to it; from there, the consumer makes HTTP calls to the NLB.
Answer: B

PrivateLink uses an interface VPC endpoint in the consumer VPC (using the provider’s published service name). Traffic stays on the AWS network, not the public internet. Security groups on the interface endpoint provide least-privilege control over which client resources can reach the endpoint, and the provider side can also restrict who can connect.

Why this answer

Option B is correct because AWS PrivateLink uses an interface VPC endpoint in the consumer VPC to connect privately to a Network Load Balancer (NLB) in the provider VPC, keeping traffic within the AWS network. The endpoint’s security group acts as a stateful firewall to restrict which clients in the consumer VPC can access the service, enforcing least-privilege access. This eliminates exposure to the public internet and avoids complex routing or gateway configurations.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints (which only work with S3 and DynamoDB) with Interface Endpoints (which support PrivateLink for services behind an NLB), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway route to the NLB would expose the service to the public internet, violating the requirement for private connectivity and least-privilege access; NLB security groups are not supported (NLBs use security groups only for target instances, not the load balancer itself). Option C is wrong because an S3 Gateway endpoint is designed exclusively for Amazon S3 access and cannot be used to connect to an NLB or resolve a service hostname; SSM Parameter Store does not provide private network connectivity. Option D is wrong because using a bastion host introduces a single point of failure, requires SSH key management, and violates least-privilege by granting broad network access; it also adds latency and operational overhead compared to a direct PrivateLink connection.

4
MCQ · hard

An IoT ingestion API must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
B. Run a daily Lambda function to encrypt unencrypted volumes
C. Enable VPC Flow Logs
D. Tag encrypted volumes after creation
Answer: A

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

An SCP (Service Control Policy) is the strongest preventive control because it can deny the ec2:CreateVolume API call when the encrypted condition is false, effectively blocking the creation of any unencrypted EBS volume at the account level before it happens. This is a preventive control that enforces encryption as a mandatory requirement, unlike detective or corrective measures that act after the fact.

Exam trap

The trap here is confusing preventive controls (like SCPs that block the action) with detective or corrective controls (like Lambda scripts or tagging), leading candidates to choose a reactive solution instead of the strongest preventive one.

How to eliminate wrong answers

Option B is wrong because running a daily Lambda function to encrypt unencrypted volumes is a corrective/reactive control, not a preventive one; it only fixes volumes after they have already been created unencrypted, leaving a window of non-compliance. Option C is wrong because VPC Flow Logs are a detective control that captures network traffic metadata, not a mechanism to enforce or prevent the creation of encrypted EBS volumes. Option D is wrong because tagging encrypted volumes after creation is a labeling action that provides visibility but does not prevent the creation of unencrypted volumes in the first place.

5
Multi-Select · hard

An image sharing application uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Select 2 answers
A. Enable CloudFront standard logging
B. Enable S3 static website hosting
C. Configure Origin Access Control for the S3 origin
D. Use an S3 bucket policy that allows access only from the CloudFront distribution
Answers: C, D

Origin Access Control allows CloudFront to securely access a private S3 bucket.

Why this answer

Origin Access Control (OAC) is a CloudFront feature that restricts access to an S3 origin by requiring that all requests include a specific signature that only CloudFront can generate. When you configure OAC, CloudFront signs requests to S3 using its own credentials, and the S3 bucket policy is updated to allow access only to the CloudFront distribution's canonical user ID. This ensures that direct requests to the S3 bucket URL are denied, preventing users from bypassing CloudFront.

Exam trap

The trap here is that candidates often confuse enabling S3 static website hosting (which creates a public endpoint) with a security control, when in fact it would undermine the goal of restricting direct access.

6
Multi-Select · hard

A customer analytics portal uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Select 2 answers
A. Enable CloudFront standard logging
B. Configure Origin Access Control for the S3 origin
C. Use an S3 bucket policy that allows access only from the CloudFront distribution
D. Enable S3 static website hosting
Answers: B, C

Origin Access Control allows CloudFront to securely access a private S3 bucket.

Why this answer

Option B is correct because Origin Access Control (OAC) is a CloudFront feature that restricts access to an S3 origin so that only the CloudFront distribution can fetch objects. When OAC is configured, CloudFront signs requests using a trusted identity, and the S3 bucket policy can then deny any request that does not come from that identity, effectively blocking direct S3 access.

Exam trap

The trap here is that candidates often confuse CloudFront standard logging with access control, or mistakenly think enabling S3 static website hosting somehow restricts access, when in fact it opens an additional direct endpoint.

7
Multi-Select · medium

A software vendor in Account B must assume a role in Account A to process support tickets. Security wants to prevent confused deputy attacks. Which two configurations are required for this access pattern to work safely? Select two.

Select 2 answers
A. Require a specific sts:ExternalId value in the role trust policy in Account A.
B. Make sure the vendor includes that same ExternalId when calling sts:AssumeRole.
C. Share long-term access keys from Account A with the vendor.
D. Attach a permissions boundary to the role to satisfy the ExternalId requirement.
E. Allow sts:GetSessionToken instead of sts:AssumeRole in the trust policy.
Answers: A, B

A trust policy condition on sts:ExternalId is the standard confused-deputy protection for third-party role assumption. It ensures that only callers who know the shared external identifier can assume the role.

Why this answer

Option A is correct because requiring a specific sts:ExternalId value in the role trust policy in Account A is a standard AWS mechanism to prevent the confused deputy problem. The ExternalId acts as a unique secret that the vendor must provide when assuming the role, ensuring that the role is assumed only for the intended purpose and not by a malicious third party.

Exam trap

The trap here is that candidates often confuse the ExternalId with a permissions boundary or think that long-term keys are acceptable for cross-account access, but the correct answer requires both the trust policy condition and the caller's inclusion of the ExternalId in the API call.

8
MCQ · hard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a customer analytics portal. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy? The design must avoid adding custom operational scripts.

A. A security group rule that allows HTTPS to S3
B. A condition that matches aws:RequestedRegion to the bucket Region
C. A deny statement for all IAM users except the EC2 role
D. A condition that matches aws:sourceVpce to the endpoint ID
Answer: D

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access exclusively to traffic originating from a specific VPC endpoint ID. This ensures that only requests sent through that VPC endpoint are allowed, meeting the security team's requirement without requiring custom scripts or additional infrastructure.

Exam trap

The trap here is that candidates may confuse security group rules with bucket policies, or assume that restricting by IAM user or region is sufficient to enforce network-level control, when in fact only the `aws:sourceVpce` condition key directly ties access to a specific VPC endpoint.

How to eliminate wrong answers

Option A is wrong because security group rules operate at the network interface level and cannot be attached to an S3 bucket; S3 bucket policies are resource-based policies that do not support security group references. Option B is wrong because `aws:RequestedRegion` restricts the AWS Region in which the request is made, not the network path or VPC endpoint used, so it does not enforce that traffic comes through a specific VPC endpoint. Option C is wrong because denying all IAM users except the EC2 role would not restrict traffic to a specific VPC endpoint; it only controls which IAM identities can access the bucket, not the network path, and could break legitimate access from other services or users.

9
MCQ · easy

Account A hosts an IAM role (RoleInAccountA). The trust policy in Account A correctly allows a specific principal from Account B to call sts:AssumeRole. However, when Account B’s application calls sts:AssumeRole, it receives an AccessDenied error. What is the most likely missing requirement in Account B?

A. Account B’s calling principal must have an identity-based policy that allows sts:AssumeRole on RoleInAccountA’s role ARN.
B. Account A must attach an S3 bucket policy statement to allow sts:AssumeRole from Account B.
C. Account B must add kms:Decrypt permissions to the caller to satisfy AssumeRole.
D. Account B must create an SCP in the organization to allow sts:AssumeRole.
Answer: A

Cross-account role assumption is authorized on both sides: the trust policy allows who can assume, and the caller’s identity policy must allow sts:AssumeRole on the target role ARN.

Why this answer

Option A is correct because for an IAM role in Account A to be assumed by a principal in Account B, two conditions must be met: (1) the trust policy of the role in Account A must grant the sts:AssumeRole permission to the Account B principal, and (2) the calling principal in Account B must have an identity-based policy that explicitly allows sts:AssumeRole on the ARN of RoleInAccountA. Without this identity-based policy in Account B, the request is denied by AWS's default deny, even if the trust policy in Account A is correctly configured.

Exam trap

The trap here is that candidates often assume the trust policy alone is sufficient for cross-account role assumption, forgetting that the calling principal must also have an explicit identity-based policy granting sts:AssumeRole on the target role ARN.

How to eliminate wrong answers

Option B is wrong because S3 bucket policies are used to control access to S3 resources, not to authorize sts:AssumeRole calls; sts:AssumeRole is governed by IAM policies and trust policies, not S3 bucket policies. Option C is wrong because kms:Decrypt permissions are relevant only if the role or resources accessed after assuming the role require decryption of KMS-encrypted data; they are not a prerequisite for the sts:AssumeRole API call itself. Option D is wrong because Service Control Policies (SCPs) in AWS Organizations can only deny or allow permissions for principals within the organization, but the question does not indicate that Account B is part of an organization, and even if it were, SCPs are not the missing requirement—the identity-based policy is the immediate missing element.

10
MCQ · medium

A microservice reads a secret from AWS Secrets Manager using its task role (ServiceRole). The secret is configured to use a customer-managed CMK. In production, the service fails with AccessDeniedException on GetSecretValue. CloudTrail shows that Secrets Manager attempted kms:Decrypt but was denied. Which IAM policy change is most appropriate to fix the failure while keeping least privilege?

A. Add kms:Decrypt permission for the specific CMK ARN to ServiceRole, and also keep secretsmanager:GetSecretValue for the specific secret ARN.
B. Add secretsmanager:ListSecrets permission on "*" so the service can discover the secret and retry the read.
C. Add s3:GetObject permission to ServiceRole for the KMS key alias stored in an S3 bucket.
D. Add kms:Encrypt permission instead of kms:Decrypt, because the service only needs to read the secret.
Answer: A

The failure is due to kms:Decrypt being denied. Granting decrypt on the specific CMK and limiting Secrets Manager access to the exact secret preserves least-privilege while allowing Secrets Manager’s decryption step.

Why this answer

The AccessDeniedException occurs because the task role (ServiceRole) lacks the kms:Decrypt permission for the customer-managed CMK used to encrypt the secret. Secrets Manager calls kms:Decrypt on your behalf when retrieving the secret value. Adding kms:Decrypt for the specific CMK ARN to ServiceRole, while retaining secretsmanager:GetSecretValue for the specific secret ARN, grants the minimum required permissions to decrypt and read the secret.

Exam trap

The trap here is that candidates assume secretsmanager:GetSecretValue alone is sufficient, overlooking that Secrets Manager must call kms:Decrypt with the caller's permissions when a customer-managed CMK is used.

How to eliminate wrong answers

Option B is wrong because secretsmanager:ListSecrets on "*" does not grant permission to decrypt the secret; it only lists secret metadata and does not resolve the kms:Decrypt denial. Option C is wrong because the KMS key alias is not stored in an S3 bucket in this scenario, and s3:GetObject is irrelevant to decrypting the secret; the error is about KMS decryption, not S3 access. Option D is wrong because kms:Encrypt is used to encrypt data, not to decrypt it; reading a secret requires kms:Decrypt, not kms:Encrypt.

11
MCQ · medium

In AWS Organizations, a Service Control Policy (SCP) denies kms:Decrypt on a production CMK for all principals in the Finance OU. A developer in the Finance OU created/updated an IAM policy that allows secrets access, but the application still fails with AccessDenied due to the SCP. You must enable only the Finance OU to decrypt that specific CMK while keeping the SCP restrictions for other OUs. What is the correct remediation?

A. Update the developer’s IAM policy to allow kms:Decrypt on the CMK alias ARN so the request bypasses the SCP.
B. Modify the SCP so it no longer denies kms:Decrypt for that specific CMK when applied to the Finance OU, while preserving the deny behavior for other OUs.
C. Add a KMS key policy statement that allows the developer role to decrypt the CMK.
D. Attach a permissions boundary that grants kms:Decrypt so the SCP becomes irrelevant.
Answer: B

Because the SCP is what creates the Deny, the correct fix is to adjust the SCP scope/conditions so that kms:Decrypt for the specific CMK is not denied for the Finance OU. Other OUs remain under the same restrictive SCP behavior.

Why this answer

Option B is correct because SCPs are evaluated before IAM policies and cannot be bypassed by IAM permissions. By modifying the SCP to exclude the specific CMK for the Finance OU (e.g., using a Condition key like `kms:ViaService` or a resource-level exception), you remove the explicit deny for that OU while keeping it in place for all other OUs. This ensures the developer's IAM policy can then allow `kms:Decrypt` without being blocked by the SCP.

Exam trap

The trap here is that candidates mistakenly think IAM policies or KMS key policies can override an SCP, but SCPs are a higher-order policy that always takes precedence over any allow within the account.

How to eliminate wrong answers

Option A is wrong because SCPs take precedence over IAM policies; an IAM policy allowing `kms:Decrypt` cannot bypass an SCP that explicitly denies the same action. Option C is wrong because a KMS key policy statement granting decrypt to the developer role is still subject to the SCP's explicit deny, which overrides any allow from the key policy. Option D is wrong because a permissions boundary limits the maximum permissions an IAM role can have, but it does not override an SCP; the SCP's explicit deny still applies and blocks the action.

12
MCQ · easy

A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?

A. secretsmanager:ListSecrets on all secrets (resource set to "*")
B. secretsmanager:GetSecretValue on only the secret’s full ARN
C. secretsmanager:UpdateSecret on the specific secret ARN
D. secretsmanager:DescribeSecret on all secrets (resource set to "*")
Answer: B

GetSecretValue is the specific action required to retrieve the secret value. Scoping the permission to the secret’s full ARN ensures the Lambda role can read only that secret and cannot access other secrets.

Why this answer

The Lambda function needs to read the current value of exactly one secret at startup. The least-privilege permission is `secretsmanager:GetSecretValue` scoped to that secret's full ARN. This action retrieves the secret value, and restricting the resource to the specific ARN ensures the function cannot access any other secrets.

Exam trap

The trap here is that candidates may confuse `ListSecrets` or `DescribeSecret` with `GetSecretValue`, thinking metadata retrieval is sufficient, or they may apply a broad resource scope ("*") instead of the specific ARN, violating the least-privilege principle that AWS emphasizes in the SAA-C03 exam.

How to eliminate wrong answers

Option A is wrong because `secretsmanager:ListSecrets` only returns metadata (names, ARNs) and not the secret value, so it cannot satisfy the requirement to read the current value. Option C is wrong because `secretsmanager:UpdateSecret` is a write operation that modifies the secret, which is unnecessary and violates least privilege for a read-only startup task. Option D is wrong because `secretsmanager:DescribeSecret` returns metadata (e.g., rotation configuration, tags) but not the secret value, and scoping it to all secrets grants excessive access.

13
MCQ · medium

A company wants S3 access to be available only from private connectivity. They created an Interface VPC Endpoint for S3 (that provides private connectivity from their VPC to S3) and configured the application to use it from private subnets. The IAM role allows:

- s3:GetObject on arn:aws:s3:::confidential-bucket/reports/*

However, requests fail with AccessDenied. The S3 bucket policy includes an allow statement that permits GetObject only if:

- aws:SourceVpce equals "vpce-0abc12345def6789"

After redeploying the VPC endpoint, the application still uses the same IAM permissions but gets AccessDenied. What change is most likely to fix the issue?

A. Update the bucket policy to allow the new VPC endpoint ID (the vpce-* value) created by the redeployment.
B. Add internet egress via a NAT Gateway so the requests can reach S3 over the public endpoint.
C. Remove the aws:SourceVpce condition from the bucket policy to ensure the IAM permissions are sufficient.
D. Update the IAM role to add s3:PutObject permissions so the requests can be authorized.
Answer: A

The bucket policy is pinned to a specific endpoint ID using aws:SourceVpce. Redeploying or recreating the endpoint creates a new endpoint ID, so requests now present a different aws:SourceVpce value. Updating the bucket policy to match the new endpoint ID makes the condition true again while keeping access restricted to that specific private endpoint.

Why this answer

Option A is correct because redeploying a VPC Endpoint creates a new endpoint ID (vpce-*). The bucket policy explicitly allows access only if aws:SourceVpce matches the original endpoint ID. Since the new endpoint has a different ID, the condition fails, causing AccessDenied.

Updating the bucket policy to reference the new vpce ID restores access.

Exam trap

The trap here is that candidates assume IAM permissions alone are sufficient, overlooking that bucket policy conditions tied to a specific VPC endpoint ID become invalid after the endpoint is redeployed, causing an AccessDenied even with correct IAM roles.

How to eliminate wrong answers

Option B is wrong because adding a NAT Gateway would route traffic over the public internet, defeating the purpose of private connectivity and violating the bucket policy's SourceVpce condition. Option C is wrong because removing the condition would allow any VPC endpoint or public access to the bucket, compromising the security requirement for private-only access. Option D is wrong because the error is AccessDenied, not a missing permission; s3:PutObject is irrelevant to GetObject requests and does not address the condition mismatch.

14
MCQ · hard

Based on the exhibit, a public API is behind CloudFront. A single client IP is sending bursts of requests that are overwhelming the origin, and the team wants AWS to automatically mitigate the abuse at the edge without changing the application code. What should the team do?

A. Associate an AWS WAF web ACL with CloudFront and add a rate-based rule for the offending IP behavior.
B. Increase the ALB idle timeout to allow the origin to absorb more concurrent requests.
C. Add an Amazon Route 53 health check to fail over traffic to another DNS name.
D. Enable AWS Shield Advanced and rely on automatic DDoS protection for all request bursts.
Answer: A

AWS WAF is the right control at the CloudFront edge because it can inspect requests before they reach the origin and enforce a rate-based rule on abusive traffic patterns. A rate-based rule can automatically count requests by source IP and block or challenge requests that exceed the configured threshold, which directly addresses the burst traffic shown in the logs. This meets the requirement to mitigate at the edge without any application changes.

Why this answer

AWS WAF rate-based rules automatically block or rate-limit requests from a client IP when the request rate exceeds a threshold you define. By associating the web ACL with CloudFront, the rule is enforced at the edge before traffic reaches the origin, mitigating abuse without modifying application code.

Exam trap

The trap here is that candidates confuse AWS Shield Advanced's automatic DDoS mitigation (which handles network/transport layer floods) with the need for a WAF rate-based rule to stop application-layer request bursts from a single IP.

How to eliminate wrong answers

Option B is wrong because increasing the ALB idle timeout does not reduce the volume of requests hitting the origin; it only keeps idle connections open longer, which can actually worsen resource exhaustion. Option C is wrong because Route 53 health checks and failover reroute traffic to another endpoint but do not mitigate bursts from a single IP; the abusive client would simply follow the failover. Option D is wrong because AWS Shield Advanced provides enhanced DDoS protection against volumetric attacks, but it does not automatically apply per-IP rate limiting for application-layer request bursts; a rate-based rule in AWS WAF is required for that granular control.

15
MCQ · medium

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used. Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging. Which approach best satisfies the requirement?

A. Enable an AWS Organizations CloudTrail organization trail that delivers management event logs (including IAM) to a centralized S3 bucket in a dedicated audit account, for all regions.
B. Use CloudWatch Logs metric filters on application logs to infer which principals changed trust policies.
C. Rely on GuardDuty alerts to provide the full request parameters for every IAM policy change.
D. Enable AWS Config only and store periodic snapshots without CloudTrail management events.
Answer: A

CloudTrail management events provide authoritative audit logs for API actions like IAM policy changes and can be centralized via an organization trail.

Why this answer

Option A is correct because an AWS Organizations CloudTrail organization trail captures management events (including IAM API calls like 'UpdateAssumeRolePolicy') across all accounts in the organization, delivering immutable logs to a centralized S3 bucket in a dedicated audit account. This provides the exact principal ARN, source IP, user agent, and request parameters for every API call, meeting the requirement for a centralized, immutable audit record of configuration and API changes.

Exam trap

The trap here is that candidates confuse AWS Config's resource tracking with CloudTrail's API-level auditing, failing to realize that only CloudTrail captures the 'who' and 'how' (principal and parameters) of a change, while Config only records the 'what' (state after change).

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs metric filters on application logs can only infer patterns from log data, not capture the exact API request parameters or principal identity for IAM policy changes, and application logs are not immutable or centralized across accounts. Option C is wrong because GuardDuty alerts are designed for threat detection (e.g., anomalous API behavior) and do not provide full request parameters for every IAM policy change; they only generate findings based on suspicious activity, not a complete audit trail. Option D is wrong because AWS Config alone records resource configuration changes (e.g., IAM policy state) but does not capture who made the change or the API request parameters; it requires CloudTrail to record the API caller identity and parameters.

16
MCQeasy

A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?

A.Deny PutObject unless s3:x-amz-server-side-encryption equals "aws:kms" and s3:x-amz-server-side-encryption-aws-kms-key-id equals the required CMK ARN
B.Allow PutObject only when aws:SecureTransport is true; encryption is then guaranteed automatically
C.Deny PutObject if the request includes Content-Type other than "application/octet-stream"
D.Deny PutObject when the caller’s role is not allowed to kms:Decrypt in their IAM policy
AnswerA

This enforces the encryption choice at upload time by validating the request headers that specify SSE-KMS and the exact KMS key ID/ARN. Using a Deny condition ensures uploads that do not include the correct SSE-KMS headers (for example, unencrypted uploads or uploads using a different KMS key) are rejected immediately.

Why this answer

Option A is correct because it uses a Deny effect with the s3:x-amz-server-side-encryption condition key set to 'aws:kms' and the s3:x-amz-server-side-encryption-aws-kms-key-id condition key set to the specific customer-managed KMS key ARN. This ensures that any PutObject request that does not include both the required encryption header and the exact KMS key identifier is denied, enforcing the encryption requirement at the bucket policy level.

Exam trap

The trap here is that candidates often confuse encryption in transit (aws:SecureTransport) with encryption at rest (SSE-KMS), or they mistakenly think that checking the caller's KMS permissions in the bucket policy is sufficient, when in fact the policy must inspect the request headers to enforce the encryption requirement.

How to eliminate wrong answers

Option B is wrong because requiring aws:SecureTransport (HTTPS) only ensures the data is encrypted in transit, not at rest; it does not enforce SSE-KMS or a specific KMS key. Option C is wrong because restricting Content-Type to 'application/octet-stream' has no relation to server-side encryption and would block legitimate uploads with other content types. Option D is wrong because denying PutObject based on the caller's inability to kms:Decrypt is irrelevant; the encryption requirement is about the upload process (kms:GenerateDataKey and kms:Encrypt), not decryption, and the condition should check the request headers, not the caller's IAM permissions.
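The bucket policy from the correct answer, written out and applied to a few sample PutObject requests. This is an added example, not code from the question bank: the bucket name and the customer-managed key ARN are constructed placeholders, and the evaluator models only the two Deny statements (it assumes an identity policy already allows s3:PutObject).

```python
"""S3 bucket policy that denies PutObject to uploads/ unless the request asks for
SSE-KMS with one specific customer-managed key, plus a small evaluator that applies
the two Deny statements to sample upload requests.  Added example; the bucket name
and key ARN are constructed placeholders, not values from the question bank."""
import fnmatch

BUCKET = "secure-bucket"
# Placeholder key ARN.  S3 fills the key-id condition key with the full key ARN,
# so the policy must compare against the ARN, not the bare key ID.
REQUIRED_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "11111111-2222-3333-4444-555555555555")


def build_bucket_policy(bucket: str, key_arn: str) -> dict:
    """Two explicit Deny statements; an explicit Deny beats any Allow elsewhere."""
    resource = f"arn:aws:s3:::{bucket}/uploads/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessSSEKMS",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Negated operator: also true when the header is absent, so a plain
                # unencrypted PutObject (no SSE header at all) is denied too.
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def _condition_true(operator: str, actual, expected: str) -> bool:
    """IAM semantics for the operators used above: a missing request key makes a
    positive operator false and a negated (...Not...) operator true."""
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator: {operator}")


def evaluate_put_object(policy: dict, object_key: str, headers: dict) -> tuple:
    """Apply the Deny statements of the bucket policy to one PutObject request.
    Returns ("Deny", <Sid>) for the first matching Deny, else ("Allow", None)."""
    # S3 exposes the x-amz-server-side-encryption* request headers as s3:* keys.
    context = {f"s3:{name}": value for name, value in headers.items()
               if name.startswith("x-amz-server-side-encryption")}
    resource_arn = f"arn:aws:s3:::{BUCKET}/{object_key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue  # statements are scoped to uploads/*; other prefixes untouched
        conditions_met = all(
            _condition_true(op, context.get(key), expected)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items())
        if conditions_met:
            return ("Deny", stmt["Sid"])
    return ("Allow", None)


POLICY = build_bucket_policy(BUCKET, REQUIRED_KEY_ARN)

if __name__ == "__main__":
    samples = {  # constructed requests
        "no SSE header": {},
        "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, no key id": {"x-amz-server-side-encryption": "aws:kms"},
        "SSE-KMS, required key": {
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": REQUIRED_KEY_ARN},
    }
    for label, hdrs in samples.items():
        print(f"{label:22s} -> {evaluate_put_object(POLICY, 'uploads/report.pdf', hdrs)}")
```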

17
Multi-Selecthard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The security team requires the decision to be auditable.

Select 2 answers
A.Interface VPC endpoint for Systems Manager
B.Internet gateway attached to the VPC
C.NAT gateway in each Availability Zone
D.Gateway VPC endpoint for Amazon S3
AnswersA, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

Interface VPC endpoints (AWS PrivateLink) allow private subnets to access Systems Manager Parameter Store without traversing the internet, using private IP addresses within the VPC. This meets the requirement for private, auditable access because all traffic stays within the AWS network and can be logged via VPC Flow Logs.

Exam trap

The trap here is that candidates often confuse NAT gateways as a private-only solution, not realizing they still route through the internet gateway and public internet, which fails the 'no public internet' requirement.

18
MCQmedium

An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt". The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail. Which change will most directly fix the failure?

A.Add kms:Decrypt to the KMS key policy in Account A for the Account B role arn:aws:iam::account-b:role/app-read, and remove kms:Decrypt from the role policy in Account B.
B.Update the IAM role in Account B to use the s3:GetObject permission only, and rely on S3 to authorize KMS decrypt automatically.
C.Modify the KMS key policy in Account A to allow kms:Decrypt for the Account B role arn:aws:iam::account-b:role/app-read, using the appropriate cross-account conditions (for example, allowing the use via S3 and the expected encryption context for the bucket).
D.Switch the S3 bucket encryption from SSE-KMS to SSE-S3, keeping all existing IAM and KMS configuration unchanged.
AnswerC

For SSE-KMS, S3 must call KMS Decrypt when serving objects. KMS authorization is evaluated against the KMS key policy in Account A in addition to the identity policy in Account B. If the error includes kms:Decrypt AccessDenied in a cross-account scenario, the most direct fix is to update the KMS key policy to allow the Account B role to use the key for decrypt (often with conditions tied to S3 usage and the specific bucket/object encryption context).

Why this answer

Option C is correct because when using SSE-KMS with a customer-managed KMS key in a cross-account scenario, the KMS key policy must explicitly grant the external IAM role (arn:aws:iam::account-b:role/app-read) permission to perform kms:Decrypt. Even if the IAM role in Account B has the correct kms:Decrypt permission, the KMS key policy in Account A acts as a resource-based policy that must also allow the cross-account principal. Without this, the KMS service denies the decrypt request, resulting in the 'AccessDenied' error.

Exam trap

The trap here is that candidates often assume IAM permissions alone are sufficient for cross-account KMS operations, forgetting that KMS key policies are resource-based and must explicitly allow external principals, even when the IAM role has the correct permissions.

How to eliminate wrong answers

Option A is wrong because removing kms:Decrypt from the Account B role policy would remove the necessary permission from the IAM principal, and the KMS key policy alone cannot grant permissions to a cross-account role without the role also having the corresponding IAM permission. Option B is wrong because S3 does not automatically authorize KMS decrypt; the s3:GetObject permission alone does not grant the required kms:Decrypt action, and the KMS key policy must still allow the cross-account role. Option D is wrong because switching to SSE-S3 would change the encryption method and potentially break existing data encrypted with SSE-KMS, and it does not address the root cause of missing cross-account KMS key policy permissions.

19
MCQeasy

A cross-account IAM role in Account B reads encrypted S3 objects from Account A. The objects use SSE-KMS with a customer-managed KMS key in Account A. Account B can successfully call s3:GetObject, but decryption fails with an AccessDeniedException from KMS. What change most directly fixes the issue?

A.Add kms:Decrypt only to the Account B role’s IAM policy, without changing the customer-managed KMS key policy in Account A.
B.Update the Account A S3 bucket policy to grant kms:Decrypt to Account B.
C.Update the customer-managed KMS key policy in Account A to allow kms:Decrypt for the specific Account B role principal.
D.Enable KMS key rotation, which automatically allows cross-account decrypt permissions.
AnswerC

With SSE-KMS, S3 calls KMS on your behalf during decryption. KMS checks the customer-managed key policy (and optionally grants). Allowing the Account B role principal in the KMS key policy for kms:Decrypt directly resolves KMS AccessDenied.

Why this answer

SSE-KMS with a customer-managed KMS key requires explicit permission to use the key for decryption. The S3 GetObject call succeeds because the bucket policy allows it, but KMS decryption fails because the KMS key policy in Account A does not grant kms:Decrypt to the IAM role principal in Account B. Updating the KMS key policy to allow the Account B role principal to call kms:Decrypt directly resolves the AccessDeniedException.

Exam trap

The trap here is that candidates assume S3 bucket policies can control KMS permissions, but KMS key policies are the sole mechanism for granting cross-account access to customer-managed keys, and IAM policies alone are insufficient for cross-account KMS operations.

How to eliminate wrong answers

Option A is wrong because adding kms:Decrypt only to the Account B role’s IAM policy is insufficient; cross-account access to a customer-managed KMS key requires the key policy in Account A to explicitly grant the permission to the external principal. Option B is wrong because S3 bucket policies can only grant S3 actions (like s3:GetObject), not KMS actions; KMS permissions must be granted via the KMS key policy or an IAM policy with appropriate trust. Option D is wrong because enabling KMS key rotation does not grant any new permissions; it only changes the backing key material periodically and has no effect on cross-account access control.
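The cross-account decrypt path from questions 18 and 19, as an added example that is not part of the question bank: a key policy in Account A that grants the Account B role kms:Decrypt through S3 only, the role's identity policy in Account B, and a small evaluator showing that KMS authorizes the call only when both policies allow it. Account IDs, the key ARN and the bucket name are constructed placeholders.

```python
"""Cross-account SSE-KMS read: S3 calls kms:Decrypt on behalf of the Account B role,
and KMS allows it only when BOTH the key policy in Account A and the role's identity
policy in Account B permit it.  Added example (not from the question bank); account
IDs, key ARN and bucket name are constructed placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/aaaaaaaa-0000-0000-0000-000000000000"
APP_READ_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/app-read"
BUCKET_ARN = "arn:aws:s3:::shared-bucket"


def key_policy(grant_cross_account: bool) -> dict:
    """Key policy in Account A.  The second statement is the fix from the question:
    the external role may decrypt, but only when S3 in this region calls KMS for
    objects in the shared bucket (kms:ViaService plus the S3 encryption context)."""
    statements = [{
        "Sid": "AccountARootDelegatesToIam", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "kms:*", "Resource": "*"}]
    if grant_cross_account:
        statements.append({
            "Sid": "AllowAccountBAppReadViaS3", "Effect": "Allow",
            "Principal": {"AWS": APP_READ_ROLE},
            "Action": "kms:Decrypt", "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
                # S3 puts the object ARN in the encryption context (the bucket ARN
                # when S3 Bucket Keys are enabled; widen the pattern in that case).
                "StringLike": {"kms:EncryptionContext:aws:s3:arn": f"{BUCKET_ARN}/*"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def identity_policy(grant_decrypt: bool) -> dict:
    """Identity policy attached to the app-read role in Account B."""
    statements = [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": f"{BUCKET_ARN}/*"}]
    if grant_decrypt:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN})
    return {"Version": "2012-10-17", "Statement": statements}


def _principal_allows(stmt: dict, caller_arn: str) -> bool:
    """Exact role ARN, or the caller's own account root (delegates to that account's IAM)."""
    allowed = stmt["Principal"]["AWS"]
    caller_account = caller_arn.split(":")[4]
    return allowed == caller_arn or allowed == f"arn:aws:iam::{caller_account}:root"


def _conditions_hold(stmt: dict, request: dict) -> bool:
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False  # positive operators fail when the key is absent
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


def key_policy_allows_decrypt(policy: dict, caller_arn: str, request: dict) -> bool:
    return any(s["Effect"] == "Allow" and _principal_allows(s, caller_arn)
               and fnmatch.fnmatchcase("kms:Decrypt", s["Action"])
               and _conditions_hold(s, request)
               for s in policy["Statement"])


def identity_policy_allows_decrypt(policy: dict) -> bool:
    return any(s["Effect"] == "Allow" and fnmatch.fnmatchcase("kms:Decrypt", s["Action"])
               and fnmatch.fnmatchcase(KEY_ARN, s["Resource"])
               for s in policy["Statement"])


def decrypt_allowed(kp: dict, ip: dict, caller_arn: str, request: dict) -> bool:
    """Cross-account rule: the resource-based key policy must name the external
    principal AND that principal's own identity policy must allow the action.
    Neither side substitutes for the other (question 18 option A, question 19 option A)."""
    return key_policy_allows_decrypt(kp, caller_arn, request) and identity_policy_allows_decrypt(ip)


# Constructed request contexts as KMS sees them.
VIA_S3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": f"{BUCKET_ARN}/reports/q1.csv"}
DIRECT_CALL = {}  # the role calling kms:Decrypt itself rather than through S3

if __name__ == "__main__":
    print("both policies, via S3 :", decrypt_allowed(key_policy(True), identity_policy(True), APP_READ_ROLE, VIA_S3))
    print("identity policy only  :", decrypt_allowed(key_policy(False), identity_policy(True), APP_READ_ROLE, VIA_S3))
    print("key policy only       :", decrypt_allowed(key_policy(True), identity_policy(False), APP_READ_ROLE, VIA_S3))
```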

20
MCQhard

Based on the exhibit, a central deployment role in Account A is assumed by several CI/CD pipelines from Account B. The role must remain reusable, but the team wants the TeamA pipeline to upload artifacts only to s3://artifact-bucket/teamA/prod/ without creating a separate IAM role. What is the best approach?

A.Use an IAM user in Account B and hard-code the narrower S3 path in its access key policy.
B.Add a bucket ACL that grants write access only to the TeamA pipeline session name.
C.Attach a permissions boundary to the central role so every pipeline session inherits the narrower prefix automatically.
D.Pass an STS session policy when TeamA assumes the role to further restrict the temporary credentials to the teamA/prod prefix.
AnswerD

An STS session policy is specifically designed to reduce the permissions of temporary credentials for a single assume-role session. The reusable base role can remain broad enough for multiple pipelines, while TeamA can pass a session policy that limits effective permissions to the teamA/prod prefix. This preserves the shared role model and achieves least privilege without creating a separate IAM role.

Why this answer

Option D is correct because when the TeamA pipeline assumes the central IAM role in Account A, it can pass an STS session policy that further restricts the temporary credentials to only allow actions on the s3://artifact-bucket/teamA/prod/ prefix. This approach keeps the role reusable for other pipelines while enforcing a narrower permission scope at the session level, without requiring a separate IAM role.

Exam trap

The trap here is that candidates often think a permissions boundary (Option C) can dynamically restrict individual sessions, but permissions boundaries set a hard limit on the role's overall permissions and cannot be applied per-session like an STS session policy can.

How to eliminate wrong answers

Option A is wrong because IAM users in Account B cannot directly access resources in Account A via hard-coded access keys; cross-account access requires IAM roles and trust policies, and hard-coding keys violates security best practices. Option B is wrong because S3 bucket ACLs do not support restricting access based on an IAM role session name; ACLs are legacy and cannot filter by session tags or names. Option C is wrong because a permissions boundary sets the maximum permissions for the role itself, not for individual sessions; it would apply to all pipelines assuming the role, not just TeamA, and cannot dynamically restrict to a specific prefix per session.

21
MCQmedium

A retail company lets developers deploy ECS services but they must never be able to modify IAM. The team currently uses an IAM user per developer with an admin-like policy, and several access keys have been leaked. You are asked to redesign access so that: (1) developers authenticate with temporary credentials, (2) they can create/update ECS services and related autoscaling resources, and (3) IAM changes are impossible even if a developer tries to attach new policies. Which design best meets all requirements?

A.Create an IAM user for each developer and keep the existing broad permissions, rotating keys every 90 days.
B.Use an IAM role that developers assume for deployments; attach least-privilege policies for ECS and Auto Scaling; and attach a permission boundary that does not allow iam:* actions, so additional inline or managed policies cannot grant IAM permissions.
C.Attach a policy that allows ecs:* and autoscaling:* and rely on developers to self-review that no IAM statements are added to their roles.
D.Create a single shared IAM role with full administrator permissions so developers can troubleshoot faster when deployments fail.
AnswerB

Assuming a role provides temporary credentials and removes long-lived keys. Least-privilege policies limit allowed actions, and a permission boundary caps the role's effective permissions so IAM actions cannot be gained through later policy changes.

Why this answer

Option B is correct because it uses an IAM role with temporary credentials (via AWS STS AssumeRole), satisfying the requirement that developers never have long-term access keys. The least-privilege policies restrict actions to ECS and Auto Scaling only, and the permission boundary explicitly denies iam:* actions, preventing developers from escalating privileges by attaching new policies to their role. This combination ensures developers can deploy ECS services but cannot modify IAM in any way.

Exam trap

The trap here is that candidates may think a permission boundary is optional or that denying iam:* actions in a policy is sufficient, but without a boundary, a developer could attach a new policy that grants iam:* actions, bypassing the deny—the boundary is required to cap permissions at the role level.

How to eliminate wrong answers

Option A is wrong because it retains long-term access keys (rotated every 90 days), which violates the requirement for temporary credentials and does not prevent key leaks; it also keeps broad permissions, allowing potential IAM modifications. Option C is wrong because relying on developers to self-review that no IAM statements are added is not a technical control—developers could still attach policies with IAM actions, violating the requirement that IAM changes be impossible. Option D is wrong because a single shared IAM role with full administrator permissions grants developers the ability to modify IAM, directly contradicting the requirement to prevent IAM changes, and shared credentials increase security risk.

22
MCQeasy

A team stores important documents in Amazon S3. They want to recover earlier versions if someone overwrites or deletes a file by mistake. What should they enable?

A.Amazon S3 Versioning
B.Amazon EBS snapshots
C.Amazon CloudWatch logs
D.VPC flow logs
AnswerA

Versioning keeps previous versions of S3 objects, which lets you recover from accidental overwrite or deletion.

Why this answer

Amazon S3 Versioning is the correct choice because it allows you to preserve, retrieve, and restore every version of every object stored in an S3 bucket. When enabled, S3 automatically maintains a unique version ID for each object, so if a file is overwritten or deleted, the previous version remains accessible. This directly addresses the requirement to recover earlier versions after accidental modification or deletion.

Exam trap

The trap here is that candidates may confuse S3 Versioning with backup services like EBS snapshots, but versioning is an S3-native feature for object-level recovery, not a volume-level backup mechanism.

How to eliminate wrong answers

Option B is wrong because Amazon EBS snapshots are point-in-time backups of Amazon Elastic Block Store volumes, used for EC2 instance data persistence, not for versioning individual objects in S3. Option C is wrong because Amazon CloudWatch logs capture operational metrics and log data from AWS services and applications, not object-level version history in S3. Option D is wrong because VPC flow logs capture IP traffic metadata for network interfaces in a VPC, providing network visibility, not object versioning or recovery capabilities.

23
MCQhard

Based on the exhibit, a batch platform in Account B must assume a role in Account A. Only the specific role arn:aws:iam::222233334444:role/BatchRunner should be allowed to assume it, and the design must prevent any other role in Account B from reusing the same external ID. Which change best meets the requirement?

A.Add an identity-based policy to the BatchRunner role that allows sts:AssumeRole on the target role.
B.Change the trust policy principal from account root to arn:aws:iam::222233334444:role/BatchRunner and keep the ExternalId condition.
C.Replace the ExternalId condition with a role session name condition so only BatchRunner sessions are accepted.
D.Attach an SCP to Account B that denies sts:AssumeRole unless the request comes from BatchRunner.
AnswerB

This limits assumption to the exact role in Account B while preserving the ExternalId defense against confused deputy attacks.

Why this answer

Option B is correct because the trust policy on the target role in Account A must restrict the principal to the exact BatchRunner role ARN (arn:aws:iam::222233334444:role/BatchRunner) rather than the entire Account B root. This ensures that only that specific role can assume the target role. Keeping the ExternalId condition adds an additional layer of security by requiring a unique identifier that only BatchRunner knows, preventing any other role in Account B from reusing the same external ID.

Exam trap

The trap here is that candidates often think an identity-based policy on the assuming role (Option A) is sufficient, but the trust policy on the target role must explicitly restrict the principal to the specific role ARN, not just the account root.

How to eliminate wrong answers

Option A is wrong because an identity-based policy on the BatchRunner role cannot, on its own, grant it permission to assume a role in another account: the trust policy on the target role must explicitly allow the BatchRunner principal. The BatchRunner role does also need an sts:AssumeRole permission, but the missing change here is the principal restriction in the trust policy. Option C is wrong because a role session name condition (sts:RoleSessionName) is set by the assuming entity and can be spoofed by any role in Account B, so it does not prevent other roles from reusing the same external ID. Option D is wrong because Service Control Policies (SCPs) are applied at the organization or OU level in AWS Organizations, not to individual accounts, and they cannot restrict based on a specific role ARN within the same account; they also cannot enforce the external ID requirement.

24
MCQhard

Based on the exhibit, a CI pipeline assumes a shared deployment role in Account A. The role can access several artifact prefixes, but this pipeline must only upload to teamA/prod/ and decrypt using a single KMS key for this execution. Changing the shared role would affect other pipelines. Which approach should the pipeline use?

A.Attach a permission boundary to the pipeline's assumed session so the temporary credentials cannot exceed the shared role permissions.
B.Pass an inline session policy in the AssumeRole request that further restricts the temporary credentials to teamA/prod/ and the approved KMS key.
C.Add an SCP to Account A that forces all roles to use the same S3 prefix and key whenever they are assumed.
D.Change the role trust policy to allow only the teamA/prod/ prefix and the key ARN because trust policies can scope S3 object paths directly.
AnswerB

STS session policies are designed to further restrict the permissions of temporary credentials issued by AssumeRole. In this case, the shared role can remain reusable for other pipelines, while this one execution is narrowed to the exact S3 prefix and KMS key required. The effective permissions become the intersection of the role permissions and the session policy, which preserves least privilege without changing the shared role itself.

Why this answer

Option B is correct because an inline session policy passed in the AssumeRole request allows you to further restrict the temporary credentials' permissions without modifying the shared role itself. This ensures the pipeline can only upload to teamA/prod/ and decrypt using the specified KMS key, while other pipelines using the same role remain unaffected.

Exam trap

The trap here is that candidates confuse permission boundaries (which set a maximum limit) with session policies (which further restrict a specific session), or mistakenly think trust policies can scope resource-level permissions like S3 prefixes or KMS keys.

How to eliminate wrong answers

Option A is wrong because a permission boundary sets the maximum permissions for the role but does not dynamically restrict the session to specific prefixes or keys; it would still allow access to all prefixes the role can access. Option C is wrong because SCPs apply to all principals in the account and cannot be scoped to a single pipeline's session without affecting other roles and users. Option D is wrong because trust policies control who can assume the role, not what actions the assumed session can perform; S3 object paths cannot be scoped in trust policies.
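The session-policy approach from questions 20 and 24, as an added example that is not part of the question bank: the boto3 AssumeRole call carrying an inline session policy, and a small evaluator showing that the session's effective permissions are the intersection of the shared role policy and the session policy. The role ARN, bucket and key ARN are constructed placeholders, and the STS client is injected so the example runs offline against a fake.

```python
"""STS session policy for a shared deployment role: the effective permissions of one
AssumeRole session are the intersection of the shared role's policy and the session
policy passed in the request.  Added example (not from the question bank); role ARN,
bucket and key ARN are constructed placeholders."""
import fnmatch
import json

SHARED_ROLE_ARN = "arn:aws:iam::111111111111:role/central-deploy"
ARTIFACT_BUCKET = "artifact-bucket"
TEAMA_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-0000-0000-0000000000aa"

# Deliberately broad: every pipeline shares this role, so it spans all prefixes and keys.
SHARED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:111111111111:key/*"},
    ],
}


def build_session_policy(prefix: str, key_arn: str) -> dict:
    """Narrow one session to a single artifact prefix and a single KMS key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{ARTIFACT_BUCKET}/{prefix}*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
        ],
    }


def assume_with_session_policy(sts_client, role_arn: str, session_name: str,
                               session_policy: dict) -> dict:
    """boto3 STS AssumeRole with an inline session policy.  `sts_client` is injected
    (boto3.client("sts") in real use) so the example can run offline against a fake."""
    return sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(session_policy),  # the inline session policy
        DurationSeconds=3600,
    )


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Allow-only evaluation (the example policies contain no Deny statements)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def session_allows(role_policy: dict, session_policy: dict, action: str, resource: str) -> bool:
    """Session credentials get the intersection: a session policy can only narrow the
    role's permissions, never add to them.  A permissions boundary, by contrast, caps
    the role for every session and cannot vary per caller."""
    return _policy_allows(role_policy, action, resource) and \
        _policy_allows(session_policy, action, resource)


class FakeSts:
    """Constructed stand-in for boto3's STS client: records the call and returns a
    placeholder credential set shaped like the real response."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIA-PLACEHOLDER",
                                "SecretAccessKey": "placeholder",
                                "SessionToken": "placeholder",
                                "Expiration": "2030-01-01T00:00:00Z"}}


TEAMA_SESSION_POLICY = build_session_policy("teamA/prod/", TEAMA_KEY_ARN)

if __name__ == "__main__":
    sts = FakeSts()
    resp = assume_with_session_policy(sts, SHARED_ROLE_ARN, "teamA-pipeline", TEAMA_SESSION_POLICY)
    print("session key id:", resp["Credentials"]["AccessKeyId"])
    bucket = f"arn:aws:s3:::{ARTIFACT_BUCKET}"
    for action, res in [("s3:PutObject", f"{bucket}/teamA/prod/app.zip"),
                        ("s3:PutObject", f"{bucket}/teamA/dev/app.zip"),
                        ("kms:Decrypt", TEAMA_KEY_ARN),
                        ("kms:GenerateDataKey", TEAMA_KEY_ARN)]:
        print(action, res, session_allows(SHARED_ROLE_POLICY, TEAMA_SESSION_POLICY, action, res))
```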

25
MCQeasy

A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?

A.Create an Interface VPC endpoint for S3 and point the instances to it
B.Create a Gateway VPC endpoint for S3 and update the route tables to use it
C.Create a NAT gateway and allow outbound HTTPS to S3
D.Create a VPC endpoint service and manually register S3 as a provider endpoint
AnswerB

Gateway VPC endpoints for S3 are the supported way to send S3 traffic from private subnets without NAT. They add routes in the relevant route tables (via S3 prefix lists) so requests to S3 go through the AWS network. This avoids internet egress and keeps the path private to the extent intended by VPC endpoint routing.

Why this answer

A Gateway VPC endpoint for S3 is the correct choice because it uses prefix lists and route table entries to send S3 traffic directly through AWS's private network without leaving the AWS backbone or requiring a NAT gateway. This endpoint type supports S3 and DynamoDB only, and it does not incur hourly charges, making it cost-effective for private subnet instances to access S3 objects securely.

Exam trap

The trap here is that candidates often confuse Gateway endpoints (for S3/DynamoDB) with Interface endpoints (for other AWS services), or incorrectly assume that a NAT gateway is required for private subnet egress, missing that Gateway endpoints provide a free, private alternative for S3 access.

How to eliminate wrong answers

Option A is wrong because an Interface VPC endpoint for S3 uses an Elastic Network Interface (ENI) with a private IP, but it still requires a NAT gateway or internet gateway for private subnet instances to reach it unless the endpoint is in the same subnet; more importantly, Gateway endpoints are the recommended and simpler option for S3. Option B is the correct answer. Option C is wrong because a NAT gateway allows outbound internet traffic, which violates the requirement to keep traffic within AWS private networking and avoid internet egress. Option D is wrong because a VPC endpoint service is used to expose your own services to other VPCs via AWS PrivateLink, not to access AWS services like S3; you cannot manually register S3 as a provider endpoint.

26
MCQhard

Based on the exhibit, the security team wants centralized detection and alerting for both successful and failed attempts to change S3 bucket policies and KMS key policies across multiple accounts. Which approach best meets the requirement?

A.Enable S3 server access logging on each bucket and archive the logs in the security account.
B.Use AWS Config rules only, because Config records every successful and failed API call automatically.
C.Create an organization CloudTrail trail for management events and add EventBridge rules in the security account to alert on PutBucketPolicy and PutKeyPolicy events, including failed calls.
D.Enable GuardDuty in every account and use its findings as the main source for policy change notifications.
AnswerC

An organization trail captures the API activity across accounts, and EventBridge can route both successful and failed management events to alerts centrally.

Why this answer

Option C is correct because an organization CloudTrail trail captures management events (including PutBucketPolicy and PutKeyPolicy) across all accounts in the organization, and EventBridge rules in the security account can filter for both successful and failed API calls (using the `errorCode` field) to trigger centralized alerts. This provides the required centralized detection and alerting for policy changes across multiple accounts.

Exam trap

The trap here is that candidates may confuse S3 server access logging (which logs object-level access) with CloudTrail (which logs management API calls), or assume AWS Config automatically records all API calls, when in fact Config only tracks configuration changes and not failed API attempts.

How to eliminate wrong answers

Option A is wrong because S3 server access logging logs object-level access requests, not management API calls like PutBucketPolicy, and it does not capture KMS key policy changes at all. Option B is wrong because AWS Config rules evaluate resource configurations and compliance, but they do not automatically record every API call; they rely on configuration changes and cannot directly alert on failed API calls. Option D is wrong because GuardDuty focuses on threat detection (e.g., anomalous behavior, compromised credentials) and does not natively provide detailed alerting for specific management API calls like PutBucketPolicy or PutKeyPolicy, especially for failed attempts.
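The EventBridge side of the correct answer, as an added example that is not part of the question bank: the rule pattern for PutBucketPolicy and PutKeyPolicy as CloudTrail delivers them to EventBridge, a minimal matcher implementing the subset of pattern semantics the rule needs, and a few constructed events (one of them a failed call with an errorCode) run through it. Account IDs, principals and payloads are constructed; DeleteBucketPolicy is included in the pattern beyond what the question names.

```python
"""EventBridge rule pattern for bucket-policy and key-policy changes recorded by
CloudTrail, plus a small matcher run over constructed events so the pattern can be
checked offline.  Added example (not from the question bank); account IDs, ARNs and
event payloads are constructed.  CloudTrail management events reach EventBridge in
the account where the call happened, so each member account needs a forwarding rule
that sends matching events to the security account's event bus, where this same
pattern is applied."""

# Deliberately no "errorCode" clause: a failed call still carries eventName, so both
# successful and failed attempts match this pattern.
POLICY_CHANGE_PATTERN = {
    "source": ["aws.s3", "aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com", "kms.amazonaws.com"],
        # DeleteBucketPolicy added beyond the question: removing a policy is a change too.
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy", "PutKeyPolicy"],
    },
}

# Variant that fires only for failed attempts (EventBridge "exists" matcher).
FAILED_ONLY_PATTERN = {
    **POLICY_CHANGE_PATTERN,
    "detail": {**POLICY_CHANGE_PATTERN["detail"], "errorCode": [{"exists": True}]},
}


def _alternative_matches(alt, present: bool, value) -> bool:
    if isinstance(alt, dict) and "exists" in alt:
        return present == alt["exists"]
    return present and value == alt


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge semantics: a dict is AND over its keys, a list is OR over
    its alternatives, and a nested dict recurses into the event's nested object."""
    for key, want in pattern.items():
        if isinstance(want, dict):
            nested = event.get(key)
            if not isinstance(nested, dict) or not pattern_matches(want, nested):
                return False
        else:
            present = key in event
            if not any(_alternative_matches(alt, present, event.get(key)) for alt in want):
                return False
    return True


def alert_summary(event: dict) -> dict:
    """Fields a central alert would carry for a matched event."""
    detail = event["detail"]
    return {
        "account": event.get("account"),
        "event": detail["eventName"],
        "actor": detail.get("userIdentity", {}).get("arn"),
        "outcome": "failed" if "errorCode" in detail else "succeeded",
        "error": detail.get("errorCode"),
    }


def _cloudtrail_event(source, event_source, event_name, account, actor, error=None):
    """Constructed CloudTrail-via-EventBridge event in the shape EventBridge delivers."""
    detail = {"eventSource": event_source, "eventName": event_name,
              "userIdentity": {"type": "AssumedRole", "arn": actor},
              "recipientAccountId": account}
    if error:
        detail["errorCode"] = error
        detail["errorMessage"] = "constructed failure"
    return {"source": source, "detail-type": "AWS API Call via CloudTrail",
            "account": account, "region": "us-east-1", "detail": detail}


# Constructed sample events.
SUCCESSFUL_BUCKET_POLICY = _cloudtrail_event(
    "aws.s3", "s3.amazonaws.com", "PutBucketPolicy", "111111111111",
    "arn:aws:sts::111111111111:assumed-role/Admin/alice")
FAILED_KEY_POLICY = _cloudtrail_event(
    "aws.kms", "kms.amazonaws.com", "PutKeyPolicy", "222222222222",
    "arn:aws:sts::222222222222:assumed-role/Developer/bob", error="AccessDenied")
UNRELATED_READ = _cloudtrail_event(
    "aws.s3", "s3.amazonaws.com", "GetBucketPolicy", "111111111111",
    "arn:aws:sts::111111111111:assumed-role/Auditor/carol")

if __name__ == "__main__":
    for ev in (SUCCESSFUL_BUCKET_POLICY, FAILED_KEY_POLICY, UNRELATED_READ):
        if pattern_matches(POLICY_CHANGE_PATTERN, ev):
            print("ALERT", alert_summary(ev))
```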

27
MCQeasy

A CI/CD pipeline needs to deploy to your production environment. Security requires that the pipeline uses temporary credentials (not long-lived access keys) and only has permissions to read a specific set of parameters from AWS Systems Manager Parameter Store and write application logs to CloudWatch Logs. What is the best AWS approach?

A.Create an IAM user for the pipeline and store access keys in the CI system.
B.Create an IAM role in the production account, grant least-privilege policies, and let the CI assume it using STS AssumeRole.
C.Attach the required permissions to an IAM group and add the pipeline’s principal to that group directly.
D.Use AWS KMS to encrypt the pipeline’s access keys and store the ciphertext in the CI system.
AnswerB

IAM roles with STS provide temporary credentials and allow least-privilege permissions via attached policies.

Why this answer

Option B is correct because it uses an IAM role with least-privilege policies that the CI/CD pipeline can assume via AWS STS AssumeRole, generating temporary credentials that automatically expire. This eliminates the need for long-lived access keys and adheres to the security requirement of using temporary credentials. The role's policies can be scoped to exactly read specific parameters from Systems Manager Parameter Store and write logs to CloudWatch Logs.

Exam trap

The trap here is that candidates may choose Option A or D because they focus on credential storage rather than the fundamental requirement for temporary credentials, or they may confuse IAM groups with roles, thinking a group can be used for cross-account access without understanding that groups only apply to IAM users within the same account.

How to eliminate wrong answers

Option A is wrong because creating an IAM user with long-lived access keys violates the security requirement for temporary credentials and introduces a static credential risk if the keys are leaked. Option C is wrong because IAM groups are used to attach policies to IAM users, not to external principals like a CI/CD pipeline; the pipeline's principal cannot be added directly to an IAM group without first being an IAM user. Option D is wrong because encrypting access keys with KMS still results in long-lived credentials that must be decrypted and used, failing the temporary credentials requirement and adding unnecessary complexity without addressing the core security mandate.

28
MCQmedium

A public API for a customer analytics portal is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used? The design must avoid adding custom operational scripts.

A.API keys only
B.JWT authorizer configured for the OpenID Connect issuer
C.IAM authorization for all internet users
D.A VPC endpoint policy
AnswerB

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option B is correct because a JWT authorizer in API Gateway can validate tokens issued by an external OpenID Connect (OIDC) provider without requiring custom code. The JWT authorizer automatically verifies the token's signature, expiry, and issuer against the OIDC provider's JWKS endpoint, meeting the requirement for standards-based authentication and avoiding custom operational scripts.

Exam trap

The trap here is that candidates often confuse API keys (which are for rate limiting and usage plans, not authentication) with token-based authorization, or mistakenly think IAM authorization can be used for external users without AWS credentials.

How to eliminate wrong answers

Option A is wrong because API keys only provide simple identification, not authentication or authorization; they do not validate token claims or integrate with an OpenID Connect provider. Option C is wrong because IAM authorization is designed for AWS principals (e.g., IAM users/roles) and requires AWS credentials, not standards-based tokens from an external OIDC provider; it also cannot be used for all internet users without custom signing logic. Option D is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication or token validation; it does not address client authentication with OIDC tokens.

29
MCQhard

Based on the exhibit, a workload in Account B must assume a role in Account A. Security requires that only the specific role arn:aws:iam::444455556666:role/PipelineExecRole can assume it, and only when the caller supplies the external ID acct-b-prod-7788. Which change best satisfies the requirement with the least privilege?

A.Keep the root principal and add an aws:PrincipalTag condition in the trust policy to require the tag acct-b-prod-7788.
B.Replace the principal with arn:aws:iam::444455556666:role/PipelineExecRole and add a StringEquals condition on sts:ExternalId = acct-b-prod-7788.
C.Attach a permission boundary to the role in Account A so that only PipelineExecRole can use it.
D.Add an SCP in Account B that allows sts:AssumeRole only for PipelineExecRole.
AnswerB

This change directly restricts trust to one named role in Account B and adds a confused-deputy defense with the external ID. The role trust policy is the correct place to control who can assume the role, and the external ID ensures only the expected caller can complete the STS request.

Why this answer

Option B is correct because it explicitly restricts the trust policy principal to the specific IAM role ARN `arn:aws:iam::444455556666:role/PipelineExecRole` and adds a `StringEquals` condition on `sts:ExternalId` set to `acct-b-prod-7788`. This satisfies the security requirement by ensuring only that exact role can assume the role in Account A, and only when the correct external ID is provided, following the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the trust policy's `Principal` element with permission boundaries or SCPs, mistakenly thinking those can restrict who can assume a role. In fact only the trust policy controls role assumption, and the external ID condition is what prevents confused-deputy attacks.

How to eliminate wrong answers

Option A is wrong because using a root principal (which allows any IAM entity in Account B) combined with an `aws:PrincipalTag` condition does not restrict the caller to the specific role `PipelineExecRole`; tags can be modified or absent, and the root principal is overly permissive. Option C is wrong because a permission boundary attached to the role in Account A limits the permissions of that role but does not control which external principal can assume it; the trust policy alone governs who can assume the role. Option D is wrong because an SCP in Account B can deny or allow `sts:AssumeRole` actions for principals in Account B, but it cannot enforce the external ID requirement or restrict which role in Account A is assumed; the trust policy in Account A is the authoritative mechanism.

30
MCQmedium

A company hosts a customer analytics portal on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A.An internet gateway attached to the private subnet
B.A public Elastic IP address on each instance
C.AWS Systems Manager Session Manager with the required instance role
D.A bastion host with SSH open to 0.0.0.0/0
AnswerC

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure, auditable shell access to EC2 instances without opening inbound SSH (port 22) or RDP (port 3389) ports to the internet. It uses the AWS Systems Manager agent on the instance, which initiates an outbound connection to the AWS Systems Manager service over HTTPS (port 443), and the required IAM instance role grants permissions for this communication. This eliminates the need for a bastion host or public IP addresses, meeting the security requirement of no open inbound ports.

Exam trap

The trap here is that candidates often default to a bastion host (Option D) as the traditional solution for secure administrative access, but fail to recognize that Session Manager provides the same functionality without any inbound ports, which is the exact requirement stated in the question.

How to eliminate wrong answers

Option A is wrong because an internet gateway attaches to the VPC, not to a subnet, and is used by public subnets; giving a private subnet a route to it only makes the instances reachable from the internet and would still require open SSH or RDP ports for administrative connections, which the requirement forbids. Option B is wrong because assigning a public Elastic IP address to each instance exposes them directly to the internet, requiring open SSH or RDP ports to connect, which violates the requirement. Option D is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the bastion to the entire internet, creating a security risk and still requires opening SSH (port 22) or RDP (port 3389) on the bastion, contradicting the 'without opening SSH or RDP ports to the internet' constraint.

31
MCQmedium

Your security team needs to detect and alert on any attempt to change sensitive policies, specifically S3 bucket policy changes and KMS key policy changes. The team wants alerts within minutes, and logs must be centrally retained for forensics. Which design best meets these detective control requirements using AWS-native services?

A.Enable CloudTrail management events and configure an EventBridge rule to send notifications for PutBucketPolicy and PutKeyPolicy API calls, while also delivering CloudTrail logs to a dedicated S3 bucket for retention.
B.Rely on AWS Config resource snapshots only; use the snapshots to infer policy changes and generate alerts from the daily compliance summary reports.
C.Enable S3 access logging on the affected buckets only; treat these logs as sufficient evidence for KMS key policy modifications.
D.Turn on CloudWatch Logs for the S3 bucket and KMS key; alert on any log line containing the word 'policy' to detect changes.
AnswerA

CloudTrail management events capture these policy-change API calls. EventBridge can create near-real-time alerts, and S3 provides durable central log retention for investigations.

Why this answer

Option A is correct because CloudTrail management events capture all API calls for S3 bucket policies (PutBucketPolicy) and KMS key policies (PutKeyPolicy) by default, and EventBridge rules can trigger near-real-time alerts (within minutes) for these specific API calls. Additionally, delivering CloudTrail logs to a dedicated S3 bucket provides centralized, immutable retention for forensic analysis, meeting both the alerting and retention requirements.

Exam trap

The trap here is that candidates often confuse S3 access logs (which record data-plane operations) with CloudTrail management events (which record control-plane operations), leading them to choose Option C, or they mistakenly think AWS Config snapshots provide real-time alerts, when in fact they are periodic and lack API-level detail.

How to eliminate wrong answers

Option B is wrong because AWS Config resource snapshots are taken periodically (e.g., every 1 hour or 6 hours), not within minutes, and they only show the state of resources at a point in time, not the specific API call that made the change, making them unsuitable for near-real-time alerting and forensic detail. Option C is wrong because S3 access logs record object-level access requests (e.g., GET, PUT, DELETE) on S3 buckets, not management events like bucket policy changes or KMS key policy modifications, and they cannot capture KMS key policy changes at all. Option D is wrong because CloudWatch Logs for S3 buckets and KMS keys do not exist as native log sources; CloudWatch Logs can ingest CloudTrail logs, but simply alerting on any log line containing the word 'policy' would generate excessive false positives (e.g., from normal operations like listing policies) and lacks the precision to detect only policy modification API calls.
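The detection side of the answer above, as an added example rather than configuration from the page: an EventBridge event pattern that matches the CloudTrail-delivered management events for the two policy-change API calls the question names. It assumes a trail is logging management events in the region (otherwise nothing is delivered to the event bus), and it goes one step beyond the page by also matching DeleteBucketPolicy, since removing a bucket policy is as security-relevant as replacing it.

```json
{
  "source": ["aws.s3", "aws.kms"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com", "kms.amazonaws.com"],
    "eventName": ["PutBucketPolicy", "DeleteBucketPolicy", "PutKeyPolicy"]
  }
}
```

Attach a rule with this pattern to an SNS topic or a ticketing target; the matched event carries userIdentity, sourceIPAddress and requestParameters from the CloudTrail record, which is what the alert and the later forensic query should key on.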

32
MCQmedium

In an AWS Organizations environment, developers create IAM roles using an automation tool. The security team wants to guarantee that even if a developer attaches an overly permissive inline policy, the role cannot exceed a fixed set of allowed actions. The team already uses permission boundaries on each role. The tool’s role-creation API call succeeds, but one developer’s new role can still delete production S3 buckets. What is the most likely reason, and what should be corrected?

A.Permission boundaries do not affect permissions for resources created with role chaining; enable role chaining instead to apply the boundary.
B.The boundary policy was not actually attached during role creation, or the automation tool attached the wrong boundary ARN; correct the role-creation request to set the intended PermissionBoundary.
C.KMS key policies override permission boundaries for S3, so deletion permission comes from the KMS policy; restrict the KMS key policy instead.
D.Permission boundaries apply only to managed policies, not to inline policies; move the overly permissive permissions to a managed policy type to keep it bounded.
AnswerB

Permission boundaries work by intersecting allowed actions from the role’s attached policies with the actions permitted by the boundary policy. If the automation tool fails to set the PermissionBoundary ARN (or sets an incorrect one), then the role can use the developer’s attached policies without the intended restriction. Fixing the PermissionBoundary parameter in the role creation call is the direct remedy.

Why this answer

Option B is correct because permission boundaries must be explicitly attached to an IAM role during creation via the `PermissionBoundary` parameter. If the automation tool fails to attach the intended boundary policy or attaches the wrong ARN, the role will have no effective boundary, allowing any inline policy to grant full access. The developer's role could then delete production S3 buckets because the boundary was not enforced.

Exam trap

The trap here is that candidates may assume permission boundaries are automatically inherited from the AWS Organizations policy or that they only affect managed policies, when in fact they must be explicitly attached and apply to all policy types.

How to eliminate wrong answers

Option A is wrong because permission boundaries do apply to roles used in role chaining; role chaining does not bypass boundaries, and enabling it would not fix the issue. Option C is wrong because KMS key policies control encryption operations, not S3 bucket deletion permissions; S3 delete actions are governed by S3 resource-based policies and IAM policies, not KMS policies. Option D is wrong because permission boundaries apply to both managed and inline policies equally; they limit the maximum permissions a role can have regardless of policy type.

33
MCQmedium

A platform team wants application developers to create IAM roles for their ECS tasks, but security must guarantee that no role created by those developers can ever exceed a predefined permission set. The developers also should not be able to attach broader permissions to themselves later. What should the team implement?

A.Attach a customer-managed IAM policy to the developers and let them create roles freely.
B.Use an IAM permission boundary on the developer principals and require created roles to include the boundary.
C.Create a service-linked role for ECS and let developers reuse it for all workloads.
D.Add an S3 bucket policy that only allows tagged roles to be created.
AnswerB

A permission boundary sets the upper limit for permissions that an IAM principal or created role can receive. By combining developer role creation permissions with a required boundary, security can allow self-service role creation while preventing privilege escalation. Even if developers attach broader identity policies later, the effective permissions cannot exceed the boundary. This is the right control when you need delegated administration with a hard ceiling on privileges.

Why this answer

Option B is correct because IAM permission boundaries allow the platform team to define a maximum set of permissions that any role created by the developers can have. By attaching a permission boundary to the developers' IAM user or role, and requiring that any new role they create includes that boundary, the developers cannot grant permissions beyond the boundary—even if they attach a broader policy. This ensures that no role can ever exceed the predefined permission set, and developers cannot escalate their own privileges later.

Exam trap

The trap here is that candidates often confuse IAM permission boundaries with simple policy attachments, thinking that attaching a restrictive policy to the developer's user account is sufficient to control the roles they create, but permission boundaries are the only mechanism that limits the effective permissions of roles created by delegated users.

How to eliminate wrong answers

Option A is wrong because simply attaching a customer-managed IAM policy to the developers does not prevent them from creating roles with broader permissions—they could attach additional policies to those roles that exceed the predefined set. Option C is wrong because a service-linked role for ECS is a predefined role that cannot be customized per workload; developers would be forced to reuse a single role, which violates the principle of least privilege and does not allow developers to create roles with specific permissions. Option D is wrong because an S3 bucket policy controls access to S3 resources, not IAM role creation or permission boundaries; it cannot restrict the permissions of IAM roles created by developers.

34
Multi-Selecthard

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. The implementation must work across routine deployments without manual intervention. Which two components should the architect use?

Select 2 answers
A.Interface VPC endpoint for Systems Manager
B.Internet gateway attached to the VPC
C.NAT gateway in each Availability Zone
D.Gateway VPC endpoint for Amazon S3
AnswersA, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

Interface VPC endpoints (AWS PrivateLink) for Systems Manager allow private subnets to access Systems Manager Parameter Store without traversing the internet, using private IP addresses within the VPC. Gateway VPC endpoints for S3 provide a highly available, redundant path to S3 via route table entries, ensuring traffic stays within the AWS network. Together, they eliminate the need for internet gateways or NAT gateways, meeting the requirement for no public internet routing.

Exam trap

The trap here is that candidates often confuse gateway VPC endpoints (used for S3 and DynamoDB) with interface VPC endpoints (used for most other AWS services), leading them to incorrectly select NAT gateways or internet gateways for private subnet access.

35
MCQmedium

A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure, scalable access pattern?

A.Make the objects public and rely on difficult-to-guess object names
B.Create an IAM user in the company account and share the access keys
C.Create a bucket policy that grants the partner role least-privilege access to the required prefix
D.Copy the objects to a public website bucket
AnswerC

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option C is correct because it uses a resource-based bucket policy that grants the partner's IAM role (from their own AWS account) least-privilege read-only access to a specific prefix. This avoids sharing long-term credentials, follows the principle of cross-account access using IAM roles and bucket policies, and is fully scalable without managing external users.

Exam trap

The trap here is that candidates often choose Option B (sharing IAM user keys) because it seems simpler, but AWS recommends cross-account IAM roles for secure, temporary, and auditable access between accounts.

How to eliminate wrong answers

Option A is wrong because making objects public bypasses all access control and relies on security through obscurity (guessable object names), which is not secure or auditable. Option B is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be rotated, shared securely, and managed, violating the principle of least privilege and creating a security risk. Option D is wrong because copying objects to a public website bucket exposes them to the internet without any access control, and it adds unnecessary data duplication and cost.

36
MCQmedium

An administrator needs the ability to read and update infrastructure for a specific AWS account, but only when using MFA. The security team wants to eliminate long-lived administrator access keys and ensure that even if someone obtains temporary session credentials, actions are only allowed with MFA present. Which IAM design best meets these requirements?

A.Create an IAM user for administrators with AdministratorAccess and require MFA only at the IAM user login.
B.Create an IAM role for administration and use a permissions policy that allows only the required read/write actions. Add a condition to deny all allowed actions unless aws:MultiFactorAuthPresent is true.
C.Attach policies to an IAM user that allow read/write actions and enable MFA in the account, but do not use condition keys in IAM policies.
D.Use a role with the correct actions but enforce MFA only in the application by prompting users for an OTP before every API call.
AnswerB

A role-based approach removes long-lived keys and supports temporary credentials. Using a permissions-policy condition to require MFA presence enforces that the session must have MFA to perform actions, aligning with the “actions only allowed with MFA present” requirement.

Why this answer

Option B is correct because it uses an IAM role with a condition key `aws:MultiFactorAuthPresent` set to `true` to enforce MFA for all API calls made with temporary credentials. This eliminates long-lived access keys and ensures that even if temporary session credentials are compromised, actions are denied unless MFA was used during the session. The policy explicitly denies all allowed actions when MFA is not present, meeting the security team's requirement for MFA on every administrative action.

Exam trap

The trap here is that candidates often confuse requiring MFA at login (console) with enforcing MFA for all API calls, failing to realize that without a condition key in the IAM policy, access keys or temporary credentials can be used without MFA after the initial login.

How to eliminate wrong answers

Option A is wrong because it only requires MFA at login, not for subsequent API calls made with the user's access keys or temporary credentials, leaving a gap where long-lived access keys could be used without MFA. Option C is wrong because enabling MFA in the account without using condition keys in IAM policies does not enforce MFA for API calls; it only affects console login, and long-lived access keys remain active. Option D is wrong because enforcing MFA only in the application is not an IAM-level control; it can be bypassed if the application is compromised or if API calls are made directly via the AWS CLI or SDK without the application's OTP prompt.
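The permissions policy for the administration role in the answer above, written out as an added example (not from the page). The Allow statement is an illustrative placeholder for the "read and update infrastructure" actions; the Deny statement is the part that matters. It uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is simply absent from requests signed with long-term access keys, and a Bool test on an absent key would not match, leaving exactly the gap the question wants closed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminReadWriteInfrastructure",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyEverythingWithoutMfa",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

A session obtained with AssumeRole and no MFA token carries the key with value false and is denied; to stop such sessions from being created at all, the role's trust policy can additionally require "Bool": {"aws:MultiFactorAuthPresent": "true"} on sts:AssumeRole.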

37
MCQmedium

A SaaS vendor needs temporary access to an S3 bucket in your AWS account to read customer exports. The vendor will assume an IAM role you created. During integration testing, the vendor reports that their AssumeRole requests succeed, but your security team is concerned about the possibility of confused-deputy attacks. Which trust policy approach most directly mitigates this risk?

A.Add an sts:ExternalId condition to the role trust policy that must match the unique external ID you provide to the vendor.
B.Require the vendor to use the same MFA device serial number as your internal administrators in the trust policy.
C.Remove the role’s permissions policy and rely only on the S3 bucket policy to validate the caller.
D.Allow sts:AssumeRole from the vendor account root principal without restricting to the vendor’s specific IAM role.
AnswerA

The sts:ExternalId condition is a common protection against confused-deputy scenarios in cross-account role assumption. It ensures that only principals who know the unique external ID can successfully assume the role. This mitigates a third party tricking the vendor’s identity into assuming your role, even if they can call AssumeRole.

Why this answer

Option A is correct because the `sts:ExternalId` condition in the trust policy forces the vendor to include a unique external ID in their `AssumeRole` API call. This prevents a confused-deputy attack by ensuring that the role can only be assumed when the caller provides the exact external ID you have pre-shared, thereby verifying the intended purpose of the cross-account access.

Exam trap

The trap here is that candidates may think MFA or bucket policies are sufficient for cross-account security, but the confused-deputy attack is specifically mitigated by the `sts:ExternalId` condition, not by authentication factors or resource-based policies alone.

How to eliminate wrong answers

Option B is wrong because requiring the vendor to use the same MFA device serial number as your internal administrators is impractical and insecure—it would expose your MFA device to an external party and does not prevent confused-deputy attacks, as the vendor could still be tricked into assuming the role on behalf of another account. Option C is wrong because removing the role’s permissions policy and relying solely on the S3 bucket policy does not mitigate confused-deputy attacks; the bucket policy can still grant access to the role, and the attacker could still exploit the role’s trust relationship without an external ID check. Option D is wrong because allowing `sts:AssumeRole` from the vendor account root principal without restricting to a specific IAM role increases the attack surface—any principal in the vendor account (including compromised roles) could assume your role, and it does not address the confused-deputy risk because the external ID is not enforced.
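The trust policy that questions 29 and 37 both describe, as an added example rather than text from the page: the Principal is the single role in the other account and the Condition requires the pre-shared external ID. The account ID, role name and external ID are the ones question 29 gives; the vendor role of question 37 takes the same shape with the vendor's role ARN and an ID you generate and share only with them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPipelineExecRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:role/PipelineExecRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "acct-b-prod-7788"
        }
      }
    }
  ]
}
```

An AssumeRole call that omits the ExternalId parameter is denied as well, because StringEquals against a missing key never matches; that is what makes the check effective against a caller who can invoke AssumeRole but does not know the ID.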

38
MCQmedium

An engineering team runs application servers in private subnets. The instances must download patches and software packages from Amazon S3, but the company does not want the traffic to traverse the internet or a NAT gateway. Which design should they use?

A.Add an internet gateway to the VPC and route private subnet traffic through it.
B.Use an Amazon S3 gateway VPC endpoint in the route tables for the private subnets.
C.Use a security group rule that allows outbound traffic to the S3 public IP range.
D.Create a VPC peering connection to the S3 service VPC.
AnswerB

A gateway VPC endpoint for S3 keeps traffic between the VPC and S3 on the AWS network without using the public internet or a NAT gateway. This is the standard private-connectivity pattern for S3 access from private subnets. It also simplifies the architecture and reduces NAT-related cost while preserving access to the bucket from workloads that must remain nonpublic.

Why this answer

Option B is correct because an S3 Gateway VPC endpoint allows instances in private subnets to access Amazon S3 without traversing the internet or a NAT gateway. The endpoint uses AWS’s internal network and is added to the route table of the private subnets, directing S3 traffic through the endpoint prefix list. This design meets the requirement of keeping traffic off the internet while providing secure, low-latency access to S3.

Exam trap

The trap here is that candidates often confuse Gateway VPC endpoints with Interface VPC endpoints, or mistakenly think that a security group rule alone can bypass the need for a routing path to the internet, when in fact routing decisions are made at the subnet route table level, not by security groups.

How to eliminate wrong answers

Option A is wrong because adding an internet gateway to the VPC and routing private subnet traffic through it would still require a NAT gateway or NAT instance to enable outbound internet access from private subnets, which the company explicitly wants to avoid. Option C is wrong because a security group rule allowing outbound traffic to the S3 public IP range does not change the routing path; traffic would still need an internet gateway or NAT device to reach those public IPs, violating the no-internet requirement. Option D is wrong because VPC peering connections cannot be established with an AWS service VPC (like S3); VPC peering is only between customer-owned VPCs, and S3 is accessed via endpoints or public endpoints, not through a peering connection.

39
MCQmedium

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/. The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/". The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys. Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

A.Keep s3:ListBucket allowed on arn:aws:s3:::customer-data, but restrict s3:GetObject to arn:aws:s3:::customer-data/exports/acme/*.
B.Allow s3:ListBucket on arn:aws:s3:::customer-data only when s3:prefix equals "exports/acme/" (for example, using a StringEquals condition on s3:prefix). Also allow s3:GetObject only on arn:aws:s3:::customer-data/exports/acme/*.
C.Allow s3:ListBucket only on arn:aws:s3:::customer-data/exports/acme/* and allow s3:GetObject on arn:aws:s3:::customer-data/*.
D.Add a Deny statement for s3:GetObject outside arn:aws:s3:::customer-data/exports/acme/*, but keep s3:ListBucket unrestricted on arn:aws:s3:::customer-data.
AnswerB

ListBucket must be authorized at the bucket ARN level, then scoped using a Condition on the request prefix (so only the approved listing prefix is allowed). GetObject is authorized at the object ARN level and is restricted to exports/acme/*, preventing reads outside the prefix.

Why this answer

Option B is correct because it uses an s3:prefix condition with StringEquals on the ListBucket action to restrict listing to exactly 'exports/acme/', preventing the role from enumerating other tenants' objects. It also restricts GetObject to the same prefix using a resource ARN of arn:aws:s3:::customer-data/exports/acme/*, ensuring least privilege for both read operations. This combination enforces the principle of least privilege by scoping both actions to the specific tenant prefix.

Exam trap

The trap here is that candidates often confuse bucket-level actions (like s3:ListBucket) with object-level actions (like s3:GetObject), incorrectly applying resource ARNs with key prefixes to ListBucket, or forgetting that a condition on s3:prefix is required to scope listing to a specific prefix.

How to eliminate wrong answers

Option A is wrong because it leaves s3:ListBucket unrestricted on the bucket ARN, which still allows the role to list objects under any prefix (e.g., other tenants' exports), violating least privilege. Option C is wrong because s3:ListBucket cannot be granted on a resource ARN with a key prefix (e.g., arn:aws:s3:::customer-data/exports/acme/*); ListBucket is a bucket-level action and must target the bucket ARN, not an object path. Option D is wrong because it keeps s3:ListBucket unrestricted, allowing the role to list all object keys in the bucket, and a Deny statement for GetObject outside the prefix does not prevent listing other tenants' export keys.
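The role policy that Option B describes, as an added example (not from the page), using the bucket and prefix from the question. The same two statements, with a "Principal" naming the partner's role ARN, are also the shape of the cross-account bucket policy in question 35: listing is granted on the bucket ARN and narrowed by s3:prefix, reads are granted on the object ARN pattern.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheTenantPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::customer-data",
      "Condition": {
        "StringEquals": {
          "s3:prefix": "exports/acme/"
        }
      }
    },
    {
      "Sid": "ReadOnlyObjectsUnderTheTenantPrefix",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-data/exports/acme/*"
    }
  ]
}
```

Because the condition is StringEquals, a ListBucket request with no Prefix, or with Prefix "exports/", is denied; that is intended here, since the application always sends exactly "exports/acme/", but a tool that browses the bucket folder by folder would need StringLike on "exports/acme/*" instead.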

40
MCQeasy

An internal web application is exposed through an Application Load Balancer (ALB). The ALB currently has only an HTTP listener on port 80. Security requires that all client traffic be encrypted in transit. What is the best next step?

A.Enable S3 bucket encryption for application files, since it ensures encryption in transit.
B.Configure an ALB HTTPS listener on port 443 using an ACM certificate, and redirect HTTP (80) to HTTPS (443).
C.Turn on default encryption for CloudFront origin access, which automatically encrypts all ALB traffic.
D.Add KMS permissions to the ALB role so TLS is enabled automatically.
AnswerB

An HTTPS listener terminates TLS at the ALB, encrypting traffic in transit. Redirecting HTTP to HTTPS ensures clients use TLS for all requests.

Why this answer

Option B is correct because the requirement to encrypt all client traffic in transit is met by adding an HTTPS listener on port 443 using an ACM certificate, which enables TLS encryption. Additionally, configuring a redirect from HTTP (port 80) to HTTPS (port 443) ensures that any client attempting to connect over unencrypted HTTP is automatically upgraded to HTTPS, enforcing encryption for all traffic.

Exam trap

The trap here is that candidates often confuse encryption at rest (e.g., S3 bucket encryption) with encryption in transit, or assume that enabling KMS or CloudFront settings automatically secures ALB traffic without explicit listener configuration.

How to eliminate wrong answers

Option A is wrong because S3 bucket encryption (e.g., SSE-S3 or SSE-KMS) protects data at rest, not data in transit, and does not affect ALB traffic encryption. Option C is wrong because CloudFront default encryption refers to encrypting traffic between CloudFront and the origin (ALB), but it does not automatically encrypt client-to-ALB traffic; also, the question does not mention CloudFront being in use. Option D is wrong because KMS permissions on the ALB role are used for decrypting TLS private keys or for KMS-based certificate management, but they do not automatically enable TLS; the ALB must be explicitly configured with an HTTPS listener and a certificate.
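The two listeners from the answer above, as an added CloudFormation fragment (Resources section only) that is not from the page. The logical names AppLoadBalancer, AppTargetGroup and AcmCertificateArn are assumed resources and parameters defined elsewhere in the template; the SslPolicy shown is one of the predefined TLS 1.2/1.3 policies.

```json
{
  "HttpsListener": {
    "Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {
      "LoadBalancerArn": { "Ref": "AppLoadBalancer" },
      "Port": 443,
      "Protocol": "HTTPS",
      "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
      "Certificates": [
        { "CertificateArn": { "Ref": "AcmCertificateArn" } }
      ],
      "DefaultActions": [
        { "Type": "forward", "TargetGroupArn": { "Ref": "AppTargetGroup" } }
      ]
    }
  },
  "HttpRedirectListener": {
    "Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {
      "LoadBalancerArn": { "Ref": "AppLoadBalancer" },
      "Port": 80,
      "Protocol": "HTTP",
      "DefaultActions": [
        {
          "Type": "redirect",
          "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": "443",
            "StatusCode": "HTTP_301"
          }
        }
      ]
    }
  }
}
```

The port 80 listener forwards nothing and only answers with the 301, so the ALB security group still needs inbound 80 and 443 while the target group receives only traffic that arrived over TLS.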

41
MCQmedium

A CI/CD system creates an IAM role (CICDRole) used for deployments. Your organization uses IAM permission boundaries to prevent developers from granting themselves higher privileges. After an incident, you discover that CICDRole can perform unintended IAM actions because the role’s identity policy includes broad permissions. Which change most directly ensures permission boundaries continue to restrict CICDRole regardless of what is later added to the role’s identity policies?

A.Remove the permission boundary from CICDRole so that only the identity policy controls access.
B.Ensure CICDRole is created with the required permissions boundary ARN, and verify that the boundary policy does not allow the unintended IAM actions.
C.Add an identity-policy deny for iam:CreatePolicy and iam:UpdateRole on all resources.
D.Rely on CloudTrail alerts to stop deployments from performing IAM changes after the fact.
AnswerB

Permission boundaries cap the maximum effective permissions for the role by intersecting the identity policy and the permissions boundary at authorization time. Even if the identity policy later expands, the boundary still prevents actions not allowed by the boundary policy, providing deterministic enforcement against privilege escalation.

Why this answer

Option B is correct because IAM permission boundaries define the maximum permissions that an IAM role can have, regardless of what is later added to its identity-based policies. By ensuring CICDRole is created with a permission boundary that explicitly denies the unintended IAM actions, even if broad permissions are added to the role's identity policy, the boundary will override and restrict those actions. This directly addresses the requirement to prevent privilege escalation through policy modifications.

Exam trap

The trap here is that candidates often think adding deny statements to the identity policy is sufficient, but they overlook that permission boundaries are the only mechanism that can restrict permissions added later, and that deny statements in the identity policy can be overridden by a broader allow if not carefully scoped.

How to eliminate wrong answers

Option A is wrong because removing the permission boundary eliminates the only mechanism that caps the role's maximum permissions, allowing any broad identity policy to grant unintended IAM actions without restriction. Option C is wrong because adding a deny for iam:CreatePolicy and iam:UpdateRole does not prevent the role from using other IAM actions like iam:PassRole or iam:AttachRolePolicy that could still lead to privilege escalation; it is an incomplete fix that does not address the root cause of broad permissions. Option D is wrong because relying on CloudTrail alerts is a detective control, not a preventive one; it only notifies after the fact, allowing unauthorized IAM actions to occur before any response can be taken.

42
MCQ · medium

Based on the exhibit, why is the IAM role still receiving AccessDenied even though it has AdministratorAccess attached?

A.AdministratorAccess is always evaluated before SCPs, so the SCP is ignored in production accounts.
B.The SCP is acting as a maximum permission guardrail, so its explicit deny overrides the IAM allow.
C.The role needs a session duration of at least 12 hours before SCPs stop applying.
D.The account needs an AWS Config rule to approve the snapshot action before IAM can work.
Answer: B

SCPs set the outer boundary for permissions in an account or OU. They do not grant access, but they can block actions even when the IAM role has AdministratorAccess. The explicit deny in the SCP is therefore the reason CreateSnapshot fails. To allow the operation, the organization must change the SCP or move the account out of the restrictive scope.

Why this answer

B is correct because Service Control Policies (SCPs) act as a maximum permission guardrail in AWS Organizations. Even if an IAM role has the AdministratorAccess policy attached, an SCP with an explicit deny on the ec2:CreateSnapshot action will override that allow, resulting in an AccessDenied error. SCPs are evaluated after IAM policies, and an explicit deny in an SCP cannot be overridden by any IAM allow.

Exam trap

The trap here is that candidates often assume AdministratorAccess grants full permissions unconditionally, forgetting that SCPs can impose a higher-level deny that overrides any IAM allow, especially in AWS Organizations.

How to eliminate wrong answers

Option A is wrong because AdministratorAccess is not always evaluated before SCPs; in fact, SCPs are evaluated after IAM policies, and an explicit deny in an SCP overrides any IAM allow. Option C is wrong because session duration has no effect on SCP evaluation; SCPs apply regardless of session length, and there is no 12-hour threshold. Option D is wrong because AWS Config rules are used for compliance and resource auditing, not for approving API actions; they do not affect IAM authorization or SCP evaluation.

43
MCQ · medium

A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions. Which solution best meets these requirements?

A.Store the password in Systems Manager Parameter Store as a SecureString and grant the ECS task role GetParameter only for that parameter ARN. Have the application call GetParameter on each request or on a short refresh interval.
B.Store the password in AWS Secrets Manager. Configure rotation for the secret. Grant the ECS task role secretsmanager:GetSecretValue for only that secret ARN. Update the application to fetch the secret at runtime and cache it briefly.
C.Store the password in a local file within the container image and mount it as a Docker secret at build time to avoid environment variables.
D.Store the password in an S3 bucket with server-side encryption and allow all ECS tasks to read it using a broad IAM policy on the bucket prefix.
Answer: B

Secrets Manager provides encrypted-at-rest storage and supports managed rotation. ECS task roles provide least-privilege access without static keys. Fetching at runtime with brief caching supports rotation without redeploying the task definition.

Why this answer

Option B is correct because AWS Secrets Manager provides automatic rotation of secrets without redeploying the task definition, encryption at rest via AWS KMS, and fine-grained IAM permissions. By granting the ECS task role only `secretsmanager:GetSecretValue` for the specific secret ARN, the application can fetch the password at runtime, meeting all three audit requirements.

Exam trap

The trap here is that candidates often choose Parameter Store (Option A) because it is cheaper and can store SecureStrings, but they overlook the explicit requirement for automatic rotation without custom infrastructure, which Secrets Manager natively supports.

How to eliminate wrong answers

Option A is wrong because Systems Manager Parameter Store SecureString does not support native automatic rotation; rotation would require custom automation or Lambda, and calling GetParameter on each request or on a short refresh interval is inefficient and not a best practice. Option C is wrong because storing the password in a local file within the container image at build time violates the requirement to rotate without redeploying the task definition, and the password is not encrypted at rest using AWS-managed controls (it is baked into the image). Option D is wrong because allowing all ECS tasks to read the password using a broad IAM policy on an S3 bucket prefix violates the least-privilege requirement, and S3 does not provide native secret rotation capabilities.

44
MCQ · medium

A backend service in AWS uses an IAM role to upload large files to an S3 bucket using multipart upload. The upload typically succeeds, but it intermittently fails during cleanup with this error: "AccessDenied: User is not authorized to perform: s3:AbortMultipartUpload". The role identity policy currently allows only:
- s3:PutObject on arn:aws:s3:::my-bucket/uploads/*
- s3:ListBucket on arn:aws:s3:::my-bucket with a prefix condition
What is the best least-privilege change to fix the cleanup failure?

A.Add s3:AbortMultipartUpload for arn:aws:s3:::my-bucket/uploads/*.
B.Add s3:AbortMultipartUpload for arn:aws:s3:::my-bucket/*.
C.Add s3:ListBucket for arn:aws:s3:::my-bucket/uploads/* so the service can find parts to abort.
D.Add kms:Decrypt permissions for the KMS key used to encrypt objects in the bucket.
Answer: A

For multipart uploads, S3 clients use s3:AbortMultipartUpload to stop/cleanup an in-progress multipart upload (for example, when an upload fails or the client cancels). Granting s3:AbortMultipartUpload only on the uploads prefix matches the denied API in the symptom and keeps the permission scoped to the exact objects the service uploads.

Why this answer

The error occurs because the IAM role lacks permission to abort multipart uploads. Multipart uploads in S3 require s3:AbortMultipartUpload to clean up incomplete upload parts after a failure or interruption. Option A grants this permission on the specific uploads/* prefix, which is the least-privilege fix because it scopes the action to the exact path where the service uploads files.

Exam trap

The trap here is that candidates may confuse the need for s3:AbortMultipartUpload with other permissions like s3:ListBucket or KMS actions, or they may over-scope the permission to the entire bucket instead of the specific prefix.

How to eliminate wrong answers

Option B is wrong because it grants s3:AbortMultipartUpload on the entire bucket (/*), which is broader than necessary and violates least-privilege principles. Option C is wrong because s3:ListBucket is already allowed with a prefix condition; adding it again does not grant the missing abort permission, and listing parts requires s3:ListMultipartUploadParts, not s3:ListBucket. Option D is wrong because the error is an S3 access denied, not a KMS permission issue; KMS permissions are needed for encrypting/decrypting objects, not for aborting multipart uploads.

45
Multi-Select · hard

A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.

Select 3 answers
A.Attach a permissions boundary to each role created through the delegation process.
B.Require iam:PermissionsBoundary in the role creation policy so every new role must include the approved boundary.
C.Use an SCP to deny actions in all AWS Regions except us-east-1 and us-west-2.
D.Grant AdministratorAccess to the project administrators and rely on later audits for enforcement.
E.Use an AWS Config rule alone to stop role creation if the permissions are too broad.
Answers: A, B, C

A permissions boundary caps the maximum permissions a created role can ever receive, even if an administrator later attaches broader policies. This is the right mechanism for a fixed security baseline on delegated role creation.

Why this answer

Option A is correct because attaching a permissions boundary to each role created through delegation ensures that even if a project administrator grants excessive permissions, the effective permissions are limited by the boundary. This enforces the fixed security baseline without preventing administrators from creating roles within those constraints.

Exam trap

The trap here is that candidates often think a detective control like AWS Config is sufficient for enforcement, but the question requires preventive controls that block non-compliant actions before they occur.

46
MCQ · medium

A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services. Which architecture best satisfies these requirements?

A.Place instances in private subnets but use NAT gateways so traffic to S3 and Secrets Manager goes through the internet; restrict security groups to instance-to-instance only.
B.Add a VPC gateway endpoint for S3 and an interface VPC endpoint for Secrets Manager; keep instances in private subnets and configure security group rules attached to the endpoints to allow inbound traffic only from the application subnets.
C.Use public subnets with instances that have no security group rules; rely on AWS services to reject unauthorized traffic.
D.Create an S3 bucket policy that allows requests from the application instances’ private IP addresses and enable public access to Secrets Manager via the default service endpoint.
Answer: B

Gateway endpoints provide private routing to S3, and interface endpoints provide private access to Secrets Manager without internet traversal. Security group controls on interface endpoints restrict traffic to only the application subnets, meeting segmentation and cost constraints.

Why this answer

Option B is correct because it uses a VPC gateway endpoint for S3 and an interface VPC endpoint for Secrets Manager, both of which allow private subnet instances to access these AWS services without traversing the public internet or requiring a NAT gateway. The security group rules attached to the interface endpoint restrict inbound traffic to only the application subnets, satisfying the security requirement of allowing only required VPC traffic. This architecture avoids NAT gateway costs and keeps instances isolated from inbound internet traffic.

Exam trap

The trap here is that candidates may assume all AWS service endpoints require a NAT gateway or internet gateway for private subnet access, overlooking the cost-effective and secure alternative of VPC endpoints (gateway and interface) that keep traffic within the AWS network.

How to eliminate wrong answers

Option A is wrong because it introduces NAT gateways, which incur cost and violate the requirement to avoid them, and traffic still routes through the public internet, failing the no-internet requirement. Option C is wrong because using public subnets with no security group rules exposes instances to inbound internet traffic, violating the private subnet and security requirements, and does not leverage VPC endpoints. Option D is wrong because enabling public access to Secrets Manager via the default service endpoint routes traffic over the internet, violating the no-internet requirement, and S3 bucket policies based on private IP addresses are ineffective since private IPs are not routable over the internet and do not restrict traffic to VPC endpoints.

47
MCQ · hard

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

A.Re-enable object ACLs and manage access by setting object-level ACLs for each team's prefix.
B.Split the bucket into one bucket per team and keep using a single shared bucket policy for all of them.
C.Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.
D.Make the bucket public and issue presigned URLs for team access so IAM policies are no longer needed.
Answer: C

S3 access points are designed for simplifying access management to shared buckets. A separate access point per team keeps the bucket private, avoids ACLs, and lets each team have a smaller, easier-to-review policy boundary. This reduces the blast radius of a policy mistake and scales far better than a single giant bucket policy with many prefix rules.

Why this answer

Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, meeting the security requirement for per-team prefix isolation without modifying the underlying bucket configuration.

Exam trap

The trap here is that candidates may think splitting into multiple buckets (Option B) is simpler, but they overlook that a bucket policy applies only to its own bucket, so a single shared policy cannot govern several buckets, and the requirement is to keep a shared bucket while avoiding a large bucket policy.

How to eliminate wrong answers

Option A is wrong because re-enabling object ACLs violates the requirement that ACLs must remain disabled, and managing access via object-level ACLs for each prefix would be complex and error-prone at scale. Option B is wrong because splitting into one bucket per team while keeping a single shared bucket policy does not solve the problem; a bucket policy is attached to one bucket, so each team bucket would still need its own policy, and the set of policies would become just as large and error-prone. Option D is wrong because making the bucket public is a severe security risk, and presigned URLs are intended for temporary, delegated access, not for ongoing team access management; IAM policies would still be needed to control who can generate presigned URLs.

48
Multi-Select · medium

A company is deploying a serverless application using AWS Lambda functions that process credit card transactions. The application stores data in Amazon DynamoDB and sends notifications through Amazon SNS. Compliance requirements mandate that all data in transit and at rest is encrypted, and that no AWS Lambda function can access resources in other AWS accounts. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
1. Configure DynamoDB to use AWS owned keys for encryption at rest.
2. Attach an IAM policy to the Lambda execution role that denies access to resources outside the account using a condition on aws:SourceAccount.
3. Enable encryption in transit for the Lambda function by using an ENI in a private subnet with a VPC endpoint for DynamoDB and SNS.
4. Use a VPC endpoint for DynamoDB and SNS, and ensure the Lambda function is configured to use the VPC.
5. Configure the Lambda function to use an IAM role that allows access to all accounts.
6. Use a security group to block all outbound traffic from the Lambda function to the internet.

Why this answer

The correct options enforce account isolation and encryption in transit. Option 2 uses an IAM policy with a condition key like `aws:SourceAccount` to explicitly deny any action where the resource ARN belongs to a different AWS account, preventing cross-account access. Option 3 enables encryption in transit by routing Lambda traffic through an Elastic Network Interface (ENI) in a private subnet, using VPC endpoints for DynamoDB (HTTPS) and SNS (HTTPS) so data never traverses the public internet.

Option 4 ensures the Lambda function is attached to the VPC, which is necessary for the VPC endpoints to be used; without this, traffic would still go over the public internet, breaking encryption-in-transit compliance.

Exam trap

AWS often tests the misconception that VPC endpoints alone guarantee encryption in transit, but candidates forget that the Lambda function must actually be configured to use the VPC (via `VpcConfig`) for the endpoints to be effective; otherwise, traffic still goes over the public internet.

49
Multi-Select · hard

A startup has an HTTP API with highly unpredictable traffic from mobile devices. Each request performs lightweight validation, writes an event record, and triggers downstream notifications. The current EC2 fleet stays mostly idle, and the team wants to reduce infrastructure management and pay only for usage. Which two changes best fit the requirement? Select two.

Select 2 answers
A.Place Amazon API Gateway in front of AWS Lambda functions for request handling.
B.Keep the EC2 fleet and add more instances so the idle cost is less noticeable.
C.Use Amazon SQS to buffer notification work and decouple it from the request path.
D.Move the API to an Application Load Balancer only, without changing compute.
E.Store runtime secrets in user data on each instance.
Answers: A, C

API Gateway plus Lambda fits spiky request traffic well because it removes server management and charges are based on actual use.

Why this answer

Option A is correct because Amazon API Gateway can directly invoke AWS Lambda functions, eliminating the need to manage EC2 instances. This serverless architecture scales automatically with unpredictable traffic, and you pay only for the requests and compute time consumed, which aligns with the startup's goal of reducing idle costs and infrastructure management.

Exam trap

The trap here is that candidates might think adding more EC2 instances (Option B) or using an ALB (Option D) solves the idle cost problem, but these options still require managing servers and incur idle costs, whereas serverless options (A and C) eliminate idle costs entirely.

50
MCQ · hard

A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

A.Store the database password in user data
B.Embed the database password in the AMI
C.IAM database authentication for RDS with an EC2 instance role
D.Use a security group rule that allows only application instances
Answer: C

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS with an EC2 instance role allows the application to obtain a short-lived authentication token (valid for 15 minutes) using the AWS CLI or SDK, without storing any credentials on the instance. The EC2 instance role provides the necessary permissions to generate the token, which is then used instead of a static password, meeting both security requirements.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with authentication mechanisms, or assume that storing credentials in user data or AMIs is acceptable because they are 'hidden' from the application code, but AWS explicitly considers these insecure practices for production workloads.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data persists the credential in plaintext on the instance metadata and can be exposed via the console or API, violating the requirement to not store credentials on EC2. Option B is wrong because embedding the database password in the AMI hard-codes the credential into the image, making it static and long-lived, and any instance launched from that AMI inherits the password, which cannot be rotated without rebuilding the AMI. Option D is wrong because a security group rule controls network access at the transport layer but does not address credential storage or authentication; it only restricts which IPs or instances can connect, not how the application authenticates.

51
Multi-Select · medium

A company is designing a secure CI/CD pipeline on AWS. Developers push code to AWS CodeCommit, which triggers AWS CodePipeline to build and deploy applications to Amazon EC2 instances running in a VPC. The security team requires that all code is scanned for secrets and vulnerabilities before deployment, and that deployment artifacts are encrypted at rest in Amazon S3. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
1. Add a CodeBuild step in the pipeline that runs a static code analysis tool to scan for secrets and vulnerabilities.
2. Configure the S3 bucket used for deployment artifacts to have default encryption with SSE-S3.
3. Use AWS Secrets Manager to store secrets and retrieve them at build time via IAM roles.
4. Enable AWS CloudTrail to log all access to the S3 bucket and CodeCommit repository.
5. Configure the S3 bucket to enforce encryption in transit using a bucket policy that denies requests without HTTPS.
6. Use an S3 bucket policy that grants full public access to the deployment artifacts for faster downloads.

Why this answer

Adding a CodeBuild step that runs static code analysis (e.g., using tools like Checkov, Bandit, or custom scripts) directly addresses the requirement to scan for secrets and vulnerabilities before deployment. This integrates security scanning into the CI/CD pipeline as a gated step, ensuring only compliant code proceeds.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' with 'encryption in transit'; the requirement for 'encryption at rest in S3' is met by default SSE-S3, but the correct answer enforces HTTPS (encryption in transit) because the question's phrasing implies securing the entire artifact lifecycle, and the provided correct options include the HTTPS bucket policy, not the SSE-S3 default encryption.

52
MCQ · medium

A partner company needs read-only access to reports in an S3 bucket for a financial reporting platform. The partner has its own AWS account. What is the most secure scalable access pattern?

A.Create a bucket policy that grants the partner role least-privilege access to the required prefix
B.Create an IAM user in the company account and share the access keys
C.Copy the objects to a public website bucket
D.Make the objects public and rely on difficult-to-guess object names
Answer: A

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option A is correct because a bucket policy with a condition that grants read-only access to a specific prefix allows the partner's AWS account to access the S3 bucket without creating IAM users or sharing long-term credentials. This leverages cross-account IAM roles, where the partner assumes a role in their own account that the bucket policy trusts, ensuring least-privilege access and eliminating the need to manage static keys. The policy can be scoped to a specific prefix (e.g., `reports/`) and use the `aws:SourceArn` or `aws:SourceAccount` condition key to restrict access to only the partner's account, providing both security and scalability.

Exam trap

The trap here is that candidates often choose Option B (sharing IAM user access keys) because it seems simpler, but the exam tests the principle of using cross-account IAM roles with bucket policies for secure, scalable, and auditable access without managing static credentials.

How to eliminate wrong answers

Option B is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be securely rotated and managed, violating the principle of least privilege and increasing the risk of credential leakage; it also does not scale well across multiple partners. Option C is wrong because copying objects to a public website bucket removes all access controls, making the data publicly accessible over the internet, which is insecure for financial reports and violates compliance requirements. Option D is wrong because making objects public and relying on difficult-to-guess object names (security through obscurity) provides no actual access control; any user who discovers the URL can access the data, and S3 object URLs are enumerable via tools like S3Scanner, making this pattern highly insecure.

53
MCQ · medium

A batch process uploads artifacts to an Amazon S3 bucket using multipart uploads. The bucket policy contains a statement that explicitly denies PutObject and CreateMultipartUpload unless the request uses server-side encryption with AWS KMS (SSE-KMS) and includes these request headers/parameters: x-amz-server-side-encryption=aws:kms and x-amz-server-side-encryption-aws-kms-key-id set to a specific CMK. After the process was updated, uploads intermittently fail with AccessDenied errors. Which change is the best way to make uploads succeed while still meeting the bucket policy's encryption requirement?

A.Update the IAM role policy to add s3:PutObject permissions for the bucket prefix.
B.Update the uploader so the CreateMultipartUpload request includes SSE-KMS with the required CMK key ID; any separate PutObject uploads should include the same headers.
C.Remove the bucket policy's explicit Deny statement so the IAM permissions control access.
D.Switch to client-side encryption (SSE-C) because it also encrypts data at rest in S3.
Answer: B

For multipart uploads, SSE-KMS is specified on CreateMultipartUpload rather than on individual UploadPart calls. Supplying the required SSE-KMS settings and CMK key ID on the upload initiation request satisfies the bucket policy's condition without weakening the encryption requirement.

Why this answer

Option B is correct because the bucket policy explicitly denies `PutObject` and `CreateMultipartUpload` unless the request includes both `x-amz-server-side-encryption=aws:kms` and the specific `x-amz-server-side-encryption-aws-kms-key-id` header. The intermittent failures occur because the batch process's `CreateMultipartUpload` request (which initiates the multipart upload) is missing these required headers, causing the explicit Deny to trigger. By ensuring that the `CreateMultipartUpload` request includes SSE-KMS with the correct CMK key ID, and that any separate single-request `PutObject` uploads also include the same headers (the parts of a multipart upload inherit the encryption settings given at initiation), the uploads will satisfy the bucket policy and succeed.

Exam trap

The trap here is that candidates assume the encryption requirement only applies to the final object or to `PutObject` calls, but the explicit Deny in the bucket policy applies to the `CreateMultipartUpload` API call itself, which must also include the required headers to avoid AccessDenied errors.

How to eliminate wrong answers

Option A is wrong because adding `s3:PutObject` permissions to the IAM role does not override the bucket policy's explicit Deny statement; an explicit Deny in a bucket policy always takes precedence over any Allow, regardless of IAM permissions. Option C is wrong because removing the Deny statement would violate the encryption requirement the policy is designed to enforce, leaving the bucket unencrypted for those operations and failing the security objective. Option D is wrong because SSE-C (server-side encryption with customer-provided keys) does not use the `x-amz-server-side-encryption` or `x-amz-server-side-encryption-aws-kms-key-id` headers required by the policy; SSE-C uses a different header (`x-amz-server-side-encryption-customer-algorithm`) and a customer-provided key, so it would still be denied by the explicit Deny.

54
MCQ · hard

Based on the exhibit, an automation pipeline in several member accounts creates IAM roles for application deployments. Security says no future role may exceed the approved boundary arn:aws:iam::123456789012:policy/DeployBoundary, even if someone later attaches AdministratorAccess. What should you implement to enforce this across the organization?

A.Attach DeployBoundary to the automation role only, because that automatically forces every created role to inherit the same boundary.
B.Create an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless aws:RequestTag equals DeployBoundary.
C.Create an SCP that denies iam:CreateRole unless iam:PermissionsBoundary equals arn:aws:iam::123456789012:policy/DeployBoundary, and also deny removing that boundary from created roles.
D.Use AWS Access Analyzer to automatically attach the approved boundary whenever a role is created without one.
Answer: C

This is the strongest organization-wide enforcement. The SCP prevents role creation unless the approved permissions boundary is attached, and it can also prevent boundary removal later. That ensures the maximum effective permissions for all created roles remain capped, even if someone attaches a broader identity policy afterward.

Why this answer

Option C is correct because it uses an SCP to enforce that any IAM role creation must include the specific permissions boundary `arn:aws:iam::123456789012:policy/DeployBoundary`, and also prevents removal or modification of that boundary from existing roles. This ensures that even if an attacker or administrator later attaches a policy like AdministratorAccess, the effective permissions are still limited by the boundary, meeting the security requirement across all member accounts in the organization.

Exam trap

The trap here is confusing the condition key `aws:RequestTag` (used for tagging) with `iam:PermissionsBoundary` (the actual boundary ARN), leading candidates to pick Option B, which would not enforce the boundary requirement.

How to eliminate wrong answers

Option A is wrong because attaching a permissions boundary to the automation role does not automatically propagate that boundary to roles created by that role; each role must have its own boundary explicitly set. Option B is wrong because it uses `aws:RequestTag` to match the boundary, but permissions boundaries are not tags; the correct condition key is `iam:PermissionsBoundary`, not a request tag. Option D is wrong because AWS Access Analyzer is a tool for analyzing resource policies and identifying unintended access, not for automatically attaching permissions boundaries to roles.

55
MCQ · easy

A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?

A.Signed URLs or signed cookies with an expiration time of 1 hour
B.A WAF rule that blocks requests without valid JWTs, without using signed URLs
C.Turning on S3 bucket public access block, without any CloudFront viewer authentication
D.Enabling CloudFront geo restriction to allow only one country
AnswerA

Signed URLs/cookies provide cryptographic, edge-enforced authorization for specific CloudFront resources and include an expiration timestamp. After expiry, CloudFront rejects requests (for example, with 403) without needing the origin to handle time-based authorization.

Why this answer

Signed URLs or signed cookies allow CloudFront to grant temporary access to private content by embedding authentication information (policy, signature, key pair ID) directly in the request. By setting an expiration time of 1 hour in the policy statement, access automatically becomes invalid after that period, meeting both the authentication and expiry requirements without exposing the S3 bucket publicly.

Exam trap

The trap here is that candidates often confuse CloudFront signed URLs with S3 pre-signed URLs, but S3 pre-signed URLs work at the S3 bucket level and do not leverage CloudFront's edge caching or origin access control, whereas CloudFront signed URLs are the correct feature for controlling access at the CDN edge with expiration.

How to eliminate wrong answers

Option B is wrong because AWS WAF rules alone cannot validate JWTs or enforce CloudFront signed URL authentication; WAF operates at the HTTP request layer and does not have native capability to verify CloudFront private content signatures. Option C is wrong because blocking public access to the S3 bucket without any CloudFront viewer authentication would prevent all access, including from authenticated users, since CloudFront would not be able to serve the private images. Option D is wrong because geo restriction only limits access based on geographic location, not user identity, and does not provide any authentication or time-based expiration of access.

56 · MCQ · hard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a customer analytics portal. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A. A security group rule that allows HTTPS to S3
B. A condition that matches aws:RequestedRegion to the bucket Region
C. A deny statement for all IAM users except the EC2 role
D. A condition that matches aws:sourceVpce to the endpoint ID
Answer: D

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access exclusively to traffic originating from a specific VPC endpoint (interface or Gateway Load Balancer endpoint). This ensures that only requests sent through that VPC endpoint are allowed, meeting the security team's requirement for regulated exports.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceIp` or `aws:sourceVpc`, thinking they can restrict by VPC ID or IP range, but only the VPC endpoint ID uniquely identifies the specific endpoint used for the request.

How to eliminate wrong answers

Option A is wrong because security group rules are attached to EC2 instances, not to S3 bucket policies, and S3 does not support security group references in bucket policies; HTTPS access is allowed by default via the endpoint. Option B is wrong because `aws:RequestedRegion` restricts the AWS Region in which the request is made, not the network path or VPC endpoint, so it does not enforce that traffic comes through a specific VPC endpoint. Option C is wrong because denying all IAM users except the EC2 role would not restrict traffic to a specific VPC endpoint; it would only control which IAM identities can access the bucket, not the network path.

57 · Multi-Select · medium

A company runs a customer portal in us-east-1 and a warm standby in us-west-2. The DNS name must send users to us-east-1 while it is healthy and automatically switch to us-west-2 if the primary application endpoint stops responding. Which two actions should the architect take? Select two.

Select 2 answers
A. Create Route 53 failover records for the same DNS name with primary and secondary targets.
B. Use latency-based routing so Route 53 always returns the lowest-latency Region.
C. Associate a Route 53 health check with the primary endpoint that monitors application availability.
D. Use weighted records with a 50/50 split to balance traffic across both Regions.
E. Place the standby application in a private hosted zone so only internal systems can resolve it.
Answers: A, C

Failover routing is the Route 53 feature built for primary-to-secondary traffic shifting. It lets DNS answer with the primary target while health checks pass, then returns the secondary target when the primary becomes unhealthy.

Why this answer

Option A is correct because Route 53 failover routing allows you to configure active-passive failover by associating a primary and secondary record with the same DNS name. When the primary endpoint fails, Route 53 automatically returns the secondary record's IP address, directing traffic to the warm standby in us-west-2. This directly meets the requirement for automatic failover based on endpoint health.

Exam trap

The trap here is that candidates often confuse failover routing with latency-based or weighted routing, assuming any routing policy that distributes traffic can handle failover, but only failover routing with an associated health check provides automatic, health-based switching between a primary and secondary endpoint.

58 · Multi-Select · hard

A financial reporting platform uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly?

Select 2 answers
A. Use an S3 bucket policy that allows access only from the CloudFront distribution
B. Enable CloudFront standard logging
C. Enable S3 static website hosting
D. Configure Origin Access Control for the S3 origin
Answers: A, D

The bucket policy should trust the CloudFront distribution and deny direct public access.

Why this answer

Option A is correct because an S3 bucket policy can explicitly deny access to any principal except the CloudFront distribution's origin access identity (OAI) or origin access control (OAC). This ensures that direct requests to the S3 bucket URL are rejected, forcing all traffic through CloudFront. The policy uses a condition like `aws:SourceArn` or `aws:SourceAccount` to restrict access to the CloudFront distribution's ARN, preventing bypass.

Exam trap

The trap here is that candidates often think enabling S3 static website hosting or logging provides security, but these features actually create additional access points or only provide visibility, not access control.

59 · MCQ · medium

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible. Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking. Which architecture best meets these requirements?

A. Use AWS PrivateLink by creating a VPC endpoint service backed by the NLB in VPC A, then create an interface VPC endpoint in the partner VPC with appropriate endpoint access controls.
B. Expose the NLB to the internet with an Elastic IP and restrict access using the NLB’s security group only.
C. Use VPC peering between VPC A and the partner VPC and update route tables to resolve the overlap.
D. Deploy a NAT gateway in VPC A and route the partner’s traffic to the NLB through the NAT gateway.
Answer: A

PrivateLink exposes the service privately via interface endpoints, avoiding peering and keeping the NLB non-public for secure partner access.

Why this answer

Option A is correct because AWS PrivateLink allows you to expose an internal NLB as a VPC endpoint service in VPC A, and the partner team can create an interface VPC endpoint in their own VPC to connect privately. This works even with overlapping CIDR blocks because PrivateLink uses ENIs with private IPs from the endpoint subnet, not routing based on CIDR. The traffic stays within the AWS network and never traverses the internet, meeting the non-public requirement.

Exam trap

The trap here is that candidates may think VPC peering is always the simplest solution, but they overlook the CIDR overlap restriction, or they assume a NAT gateway can provide inbound private connectivity, which it cannot.

How to eliminate wrong answers

Option B is wrong because attaching an Elastic IP to the NLB makes it internet-facing, violating the requirement that the API must remain non-public; additionally, NLBs do not support security groups, so access control via security groups is not possible. Option C is wrong because VPC peering requires non-overlapping CIDR blocks; overlapping CIDRs cause routing conflicts and are explicitly not supported by AWS VPC peering. Option D is wrong because a NAT gateway is used for outbound internet traffic from a private subnet, not for inbound private connectivity between VPCs; routing partner traffic through a NAT gateway would not establish a private, direct connection and would still require internet routing.

60 · MCQ · medium

A solutions architect is designing an S3 bucket for a mobile banking backend. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A. Create an IAM policy that denies s3:GetObject to anonymous users
B. Enable S3 Transfer Acceleration
C. Enable S3 Block Public Access at the account or bucket level
D. Enable server access logging on the bucket
Answer: C

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option C is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects, regardless of bucket policies or ACLs. This setting can be applied at the account or bucket level and ensures that even if a developer later adds an overly broad bucket policy, the objects remain inaccessible to anonymous users. It is the only mechanism that enforces a hard block on public access at the S3 service level.

Exam trap

The trap here is that candidates often think an IAM deny policy (Option A) is sufficient, but they miss that bucket policies can be written to grant access to anonymous users independently of IAM, making S3 Block Public Access the only guaranteed safeguard.

How to eliminate wrong answers

Option A is wrong because an IAM policy that denies s3:GetObject to anonymous users does not prevent public access via a bucket policy that explicitly grants access to 'Principal': '*' — IAM policies and bucket policies are evaluated separately, and a bucket policy grant can override an IAM deny if not explicitly scoped. Option B is wrong because S3 Transfer Acceleration is a performance feature that uses edge locations to speed up uploads over long distances; it has no effect on access control or public accessibility. Option D is wrong because server access logging records requests to the bucket but does not enforce any access restrictions; it is a monitoring tool, not a security control.

61 · MCQ · hard

A platform team lets application teams create IAM roles in member accounts through Infrastructure as Code. Security says every new role must stay within a centrally approved permission ceiling, even if someone later attaches broader managed policies or inline policies. Which control should be used to enforce that maximum permission set?

A. Use an AWS Organizations service control policy to grant the role all needed permissions directly.
B. Attach a permissions boundary to each role so the role can never exceed the approved ceiling.
C. Use a resource-based policy on Amazon S3 to restrict the permissions that IAM roles can receive.
D. Require temporary STS session policies whenever the role is assumed.
Answer: B

A permissions boundary is specifically designed to cap the maximum permissions a role can ever receive, regardless of what identity-based policies are attached later. If a developer adds a broader managed policy or inline policy, the effective permissions still cannot exceed the boundary. This makes it the best fit for delegated role creation with a centrally approved ceiling.

Why this answer

A permissions boundary is an AWS IAM feature that sets the maximum permissions an IAM role can have. When attached to a role, any policy that grants permissions beyond the boundary is effectively ignored, ensuring the role cannot exceed the approved permission ceiling even if broader managed or inline policies are later attached. This directly enforces the security requirement without restricting the application teams' ability to create roles via Infrastructure as Code.

Exam trap

The trap here is confusing service control policies (SCPs) with permissions boundaries: SCPs apply to all principals in an account and cannot be used to set a per-role permission ceiling, while permissions boundaries are specifically designed for that granular control.

How to eliminate wrong answers

Option A is wrong because an AWS Organizations service control policy (SCP) applies to all principals in an account or OU, not to a specific role, and granting permissions directly via SCP would not prevent the role from exceeding the ceiling—it would actually add permissions, not restrict them. Option C is wrong because a resource-based policy on Amazon S3 can only control access to that S3 resource, not restrict the permissions that IAM roles can receive across all services. Option D is wrong because requiring temporary STS session policies only limits permissions during a specific session, but the role itself could still have broader permissions attached, violating the permanent permission ceiling requirement.

62 · MCQ · hard

Based on the exhibit, users must access private PDF reports only through CloudFront. Direct requests to the S3 object URL must fail, and the bucket should not be publicly readable. Which solution is the best fit?

A. Enable CloudFront Origin Access Control for the distribution and update the bucket policy to allow only the CloudFront distribution principal with its SourceArn.
B. Keep the bucket public and require signed URLs at CloudFront, because signed URLs automatically block all direct S3 requests.
C. Add an S3 access point and allow the CloudFront distribution to use it without changing the bucket policy.
D. Attach AWS WAF to the distribution and block requests that do not include a signed cookie.
Answer: A

Origin Access Control is the modern pattern for restricting S3 origins to CloudFront. The bucket policy can then permit only the specific distribution, preventing direct S3 access while keeping the content private. Signed URLs or cookies can still be used at the viewer layer for authorization.

Why this answer

Option A is correct because CloudFront Origin Access Control (OAC) allows you to restrict access to an S3 bucket so that only the specific CloudFront distribution can retrieve objects. By updating the bucket policy to allow the CloudFront distribution principal with its SourceArn, you ensure that direct requests to the S3 object URL are denied, while CloudFront-signed URLs or cookies can still control user access. This meets the requirement of blocking direct S3 access while keeping the bucket private.

Exam trap

The trap here is that candidates often assume signed URLs or cookies alone can block direct S3 access, but they only control access at the CloudFront level, not at the S3 bucket level, so the bucket must still be private and explicitly restricted to CloudFront.

How to eliminate wrong answers

Option B is wrong because making the bucket public violates the requirement that the bucket should not be publicly readable; signed URLs at CloudFront do not block direct S3 requests if the bucket itself is public. Option C is wrong because an S3 access point alone does not restrict access to only CloudFront; you would still need a bucket policy or OAC to prevent direct S3 access, and the access point does not inherently block requests that bypass CloudFront. Option D is wrong because AWS WAF attached to CloudFront can block requests based on signed cookies, but it does not prevent direct requests to the S3 object URL, which bypass CloudFront entirely.

63 · Multi-Select · hard

A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.

Select 2 answers
A. An interface VPC endpoint for AWS STS so the job can call AssumeRole without internet access.
B. An interface VPC endpoint for AWS Secrets Manager so the job can retrieve the secret privately.
C. A gateway VPC endpoint for Amazon S3 so the job can reach the secret store indirectly.
D. A NAT Gateway in each Availability Zone so the job can use the public service endpoints.
E. An internet gateway attached to the VPC so private subnets can reach AWS APIs.
Answers: A, B

The application explicitly calls STS AssumeRole, so it needs private network access to the STS service. An interface endpoint provides that path inside the VPC without requiring a NAT Gateway or public internet route.

Why this answer

Option A is correct because the batch job uses STS AssumeRole, which requires calling the AWS STS API. Without a NAT Gateway or Internet Gateway, private subnets cannot reach public endpoints. An interface VPC endpoint for STS allows the EC2 instances to call AssumeRole privately using AWS PrivateLink, without needing internet access.

Exam trap

The trap here is that candidates often confuse gateway VPC endpoints (for S3 and DynamoDB) with interface VPC endpoints (for most other AWS services like STS and Secrets Manager), leading them to select option C instead of understanding that Secrets Manager requires an interface endpoint.

64 · Multi-Select · medium

A web application uses Amazon RDS for MySQL in a Multi-AZ deployment. During a planned maintenance event, the team wants to understand which two statements about failover are accurate so they can design connection handling correctly. Which two statements are accurate? Select two.

Select 2 answers
A. RDS automatically promotes the synchronous standby in the same Region if the primary instance becomes unavailable.
B. The standby instance can serve production read traffic to improve read scaling in standard RDS Multi-AZ.
C. The application must permanently change its connection string to a new host after failover completes.
D. Existing database connections are interrupted and the application should retry by reconnecting to the same database endpoint.
E. Multi-AZ provides protection against a full Region outage without any additional design changes.
Answers: A, D

This is the core Multi-AZ availability behavior. AWS manages the standby and promotes it automatically during failure or maintenance events, keeping the database available within the Region with minimal administrative effort.

Why this answer

Option A is correct because in a Multi-AZ RDS for MySQL deployment, Amazon RDS automatically maintains a synchronous standby replica in a different Availability Zone. If the primary instance becomes unavailable due to a planned maintenance event or failure, RDS automatically fails over to the standby, promoting it to become the new primary. This failover is transparent to the application when using the same DNS endpoint, as RDS updates the DNS record to point to the new primary.

Exam trap

The trap here is that candidates often confuse the passive standby in standard Multi-AZ with a readable replica, or assume that Multi-AZ provides cross-Region disaster recovery, when in fact it only protects against AZ-level failures within a single Region.

65 · MCQ · medium

A Lambda function for an order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used? The design must avoid adding custom operational scripts.

A. AWS Secrets Manager with rotation enabled
B. An encrypted object in Amazon S3
C. AWS Systems Manager Parameter Store SecureString without automation
D. A KMS-encrypted Lambda environment variable
Answer: A

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing and automatically rotating database credentials. It natively supports rotation every 30 days via a built-in Lambda rotation function, without requiring any custom operational scripts. This meets the requirement to avoid storing the password in environment variables and to automate rotation.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store SecureStrings but lacks native rotation) with Secrets Manager, or they assume that encrypting a value at rest (e.g., in S3 or environment variables) is sufficient, ignoring the operational burden of manual rotation and the requirement for automatic rotation every 30 days.

How to eliminate wrong answers

Option B is wrong because an encrypted object in Amazon S3 requires custom code to retrieve, decrypt, and rotate the password, and it lacks built-in automatic rotation, violating the 'no custom operational scripts' constraint. Option C is wrong because AWS Systems Manager Parameter Store SecureString does not support automatic rotation without additional automation (e.g., a custom Lambda function), so it fails the 30-day rotation requirement. Option D is wrong because a KMS-encrypted Lambda environment variable stores the password statically in the function configuration, cannot be rotated automatically, and exposes the password to anyone with access to the Lambda configuration or logs.

66 · MCQ · medium

A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix. The role already has this statement:

- Action: s3:ListBucket
- Resource: arn:aws:s3:::prod-reporting

Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?

A. Allow only listing and reading with a single statement: Action = ["s3:*"], Resource = ["arn:aws:s3:::prod-reporting/incoming/*"].
B. Allow reads with a prefix-scoped statement: Action = ["s3:GetObject"], Resource = ["arn:aws:s3:::prod-reporting/incoming/*"].
C. Allow all S3 reads at the account level: Action = ["s3:GetObject"], Resource = ["arn:aws:s3:::*"].
D. Allow bucket listing with a condition that forces the prefix: Action = ["s3:ListBucket"], Resource = ["arn:aws:s3:::prod-reporting"], Condition = {"StringLike": {"s3:prefix": "incoming/*"}}.
Answer: B

This grants only the specific action s3:GetObject and scopes it to the exact prefix that the service needs. It aligns with least privilege by avoiding extra permissions like PutObject or DeleteObject. Since the service already has ListBucket, this completes the required read path for objects in incoming.

Why this answer

Option B is correct because it grants only the s3:GetObject permission on the specific prefix path arn:aws:s3:::prod-reporting/incoming/*, which directly allows reading objects under that prefix while adhering to least privilege. The existing s3:ListBucket permission already enables listing the bucket, so only the missing read action needs to be added.

Exam trap

The trap here is that candidates often confuse granting a ListBucket condition (Option D) with granting GetObject access, not realizing that the AccessDenied error on GetObject requires a separate s3:GetObject permission on the object ARN.

How to eliminate wrong answers

Option A is wrong because it uses s3:* which grants all S3 actions (including write, delete, etc.) on the prefix, violating least privilege. Option C is wrong because it grants s3:GetObject on all S3 buckets (arn:aws:s3:::*), which is overly permissive and not scoped to the required bucket or prefix. Option D is wrong because it only adds a condition to the existing s3:ListBucket action, but the AccessDenied error is on GetObject, not ListBucket; this statement does not grant the read permission needed to resolve the 403 error.

67 · Multi-Select · hard

A studio keeps 4 PB of completed video projects in Amazon S3. Editors work on active projects for about 60 days, auditors occasionally review the same objects for several months, and legal policy requires retention for 7 years. Retrieval of very old files can take hours. Which three actions should the architect recommend? Select three.

Select 3 answers
A. Transition objects to S3 Standard-IA after 60 days.
B. Transition objects to S3 Glacier Deep Archive after the review period ends.
C. Expire objects after 7 years.
D. Keep the files in S3 Standard indefinitely so retrieval is always fast.
E. Copy the files to a single EBS volume for lower per-GB cost.
Answers: A, B, C

Standard-IA is a good fit after the active editing window because the objects are accessed less often but still need relatively quick retrieval.

Why this answer

Option A is correct because after 60 days of active editing, objects can be transitioned to S3 Standard-IA, which offers lower storage costs than S3 Standard while still providing low-latency retrieval for occasional access by auditors. This lifecycle policy optimizes cost without sacrificing availability for the review period.

Exam trap

The trap here is that candidates may think S3 Standard must be retained for fast retrieval at all times, but the scenario explicitly states retrieval of very old files can take hours, so using Glacier Deep Archive for long-term retention is acceptable and cost-effective.

68 · MCQ · medium

Developers for an image sharing application need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

A. Disable CloudTrail during troubleshooting
B. Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
C. Create shared administrator access keys for the team
D. Attach AdministratorAccess permanently to every developer role
Answer: B

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center (formerly AWS SSO) allows you to define permission sets that grant time-bound, elevated access to production resources. By integrating with CloudTrail, every access request, approval, and action is logged for audit. This meets the security team's requirements for approvals, expiry, and audit logging without compromising security.

Exam trap

The trap here is that candidates may think shared keys or permanent admin roles are acceptable for troubleshooting, but the question explicitly requires approvals, expiry, and audit logging, which only IAM Identity Center with time-bound permission sets and CloudTrail can fully satisfy.

How to eliminate wrong answers

Option A is wrong because disabling CloudTrail during troubleshooting removes all audit logging, violating the security team's requirement for audit logging. Option C is wrong because creating shared administrator access keys eliminates individual accountability, prevents expiry, and bypasses approval workflows, making it impossible to audit who performed which action. Option D is wrong because permanently attaching AdministratorAccess to every developer role grants persistent elevated privileges without time-bound access, approvals, or expiry, violating the principle of least privilege and the security team's requirements.

69 · MCQ · medium

A web application for a healthcare document service is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A. Security groups on the application instances
B. AWS WAF associated with the Application Load Balancer
C. Network ACLs on the public subnets
D. AWS Shield Advanced only
Answer: B

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that can be associated with an Application Load Balancer to filter and monitor HTTP/HTTPS requests. It includes managed rule sets specifically designed to block common web exploits like SQL injection and cross-site scripting (XSS) with minimal operational overhead, as AWS manages the rule updates.

Exam trap

The trap here is that candidates may confuse network-layer security controls (security groups or NACLs) with application-layer protection, assuming they can block web attacks, when in fact they only filter based on network attributes like IP addresses and ports.

How to eliminate wrong answers

Option A is wrong because security groups act as a virtual firewall at the instance level, controlling inbound and outbound traffic based on IP addresses and ports, but they cannot inspect application-layer payloads to detect SQL injection or XSS patterns. Option C is wrong because network ACLs operate at the subnet level and provide stateless filtering based on IP addresses, ports, and protocols, but they lack the deep packet inspection capability required to identify malicious web application attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric attacks, but it does not include the application-layer filtering needed to block SQL injection or XSS attacks.

70 · MCQ · hard

Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?

A. Move the instances into a public subnet and restrict inbound access with security groups.
B. Add a NAT instance and disable the managed NAT gateway to lower cost.
C. Create an S3 gateway endpoint and a Secrets Manager interface endpoint with private DNS, then remove NAT dependency for those service calls.
D. Use VPC peering to a shared services VPC and route all AWS service traffic through that VPC.
Answer: C

S3 is best reached through a gateway VPC endpoint, while Secrets Manager requires an interface endpoint. With private DNS enabled, the application can resolve and reach those services without leaving AWS private networking. This removes the need for NAT traffic for those calls, cuts cost, and keeps service access off the public internet.

Why this answer

Option C is correct because VPC Gateway Endpoints (for S3) and Interface Endpoints (for Secrets Manager) allow private subnet instances to access these services over the AWS network without traversing the internet or a NAT gateway. Enabling private DNS on the interface endpoint ensures that the default Secrets Manager DNS name resolves to the endpoint's private IP, eliminating the need for a NAT gateway for those calls and reducing costs.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints (for S3 and DynamoDB) with Interface Endpoints (for most other AWS services), and may incorrectly assume a single endpoint type works for all services, or that a NAT gateway is still required for private subnet traffic to AWS services.

How to eliminate wrong answers

Option A is wrong because moving instances to a public subnet would expose them to the internet, violating the requirement to eliminate internet exposure for the calls. Option B is wrong because a NAT instance still routes traffic through the internet (via an internet gateway) to reach AWS services, which does not eliminate internet exposure and introduces management overhead, though it may lower cost compared to a managed NAT gateway. Option D is wrong because VPC peering to a shared services VPC would still require a NAT gateway or internet gateway in that shared VPC to reach S3 and Secrets Manager, adding complexity and not directly eliminating internet exposure for those service calls.

71
MCQ · medium

A company has an Amazon S3 bucket for sensitive reports. They must ensure that any object uploaded with s3:PutObject is encrypted using AWS KMS (SSE-KMS). Which S3 bucket policy approach best enforces this by denying uploads that do not use SSE-KMS?

A.Use a Deny statement for s3:PutObject with a condition that denies requests where s3:x-amz-server-side-encryption is not "aws:kms" (SSE-KMS), for example: Condition { StringNotEquals: { "s3:x-amz-server-side-encryption": "aws:kms" } }
B.Use a Deny statement that denies requests when aws:SecureTransport is false.
C.Use a Deny statement that checks the specific KMS key ID (s3:x-amz-server-side-encryption-aws-kms-key-id) and denies requests that don’t match a single alias value.
D.Use a Deny or Allow statement that limits object keys using s3:prefix (for example, only allow keys under "reports/").
Answer: A

This directly checks the SSE encryption header used in the PutObject request. If a client uploads without SSE-KMS (for example, no encryption header or SSE-S3/AES256), the condition evaluates to true and the Deny prevents the upload.

Why this answer

Option A is correct because it uses a Deny statement with the condition `StringNotEquals` on the `s3:x-amz-server-side-encryption` request header, which explicitly denies any `s3:PutObject` request that does not include the value `aws:kms` for that header. This ensures that only objects encrypted with SSE-KMS are uploaded, as any request lacking the header or using a different encryption type (e.g., AES256) will be denied. The condition is evaluated at the time of the request, making it an effective enforcement mechanism.

Exam trap

The trap here is that candidates often confuse encryption in transit (HTTPS) with encryption at rest (SSE), leading them to pick Option B, which only ensures secure transport but does not enforce server-side encryption with KMS.

How to eliminate wrong answers

Option B is wrong because `aws:SecureTransport` checks for HTTPS (TLS) usage, not encryption at rest; it would allow uploads without SSE-KMS as long as they use HTTPS. Option C is wrong because checking the specific KMS key ID (`s3:x-amz-server-side-encryption-aws-kms-key-id`) only enforces that a particular key is used, but does not require SSE-KMS at all—requests with no encryption header or with SSE-S3 would not be denied unless the key ID condition is also paired with an encryption type check. Option D is wrong because restricting object keys with `s3:prefix` controls which paths objects can be uploaded to, but has no effect on encryption requirements; objects could be uploaded without SSE-KMS under the allowed prefix.
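To make the difference between Option A and Option B concrete, the following is an added example (not from the question bank) that simulates how S3 evaluates the two Deny statements against three constructed PutObject requests: one with SSE-KMS, one with SSE-S3 (AES256), and one with no encryption header at all. The bucket ARN, the `Principal: "*"`, and the request contexts are constructed placeholders, and the evaluator is a deliberately small model of IAM semantics covering only `StringNotEquals`, `Bool`, and explicit Deny. The one IAM rule it does reproduce faithfully is the one the answer hinges on: a negated operator such as `StringNotEquals` evaluates to true when the condition key is absent from the request, which is why an upload with no encryption header is denied.

```python
"""Simulated evaluation of S3 bucket-policy Deny statements for s3:PutObject.

Toy model (constructed for illustration): only StringNotEquals, Bool and the
explicit-Deny rule are modelled; the request context is a plain dict standing
in for the condition keys S3 derives from the request headers.
"""

# Option A from the question: deny PutObject unless the SSE header says aws:kms.
SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutObjectWithoutSseKms",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",  # placeholder bucket name
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        }
    ],
}

# Option B from the question: enforces TLS in transit, says nothing about encryption at rest.
SECURE_TRANSPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",  # placeholder bucket name
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _condition_matches(condition: dict, context: dict) -> bool:
    """Return True when every condition block matches the request context.

    IAM rule for negated operators: if the condition key is absent from the
    request, StringNotEquals evaluates to true. That is exactly why a
    PutObject with no encryption header falls into the Deny.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual == expected:
                    return False
            elif operator == "Bool":
                # Non-negated operator: an absent key does not match.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'DENY' if any Deny statement applies to the action, else 'NOT_DENIED'.

    Allow evaluation is omitted on purpose: the question is only about whether
    the explicit Deny stops the upload.
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and action in actions:
            if _condition_matches(stmt.get("Condition", {}), context):
                return "DENY"
    return "NOT_DENIED"


# Constructed request contexts: all over HTTPS, differing only in the SSE header.
REQUESTS = {
    "sse_kms": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"},
    "sse_s3": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"},
    "no_encryption": {"aws:SecureTransport": "true"},
}


def decisions(policy: dict) -> dict:
    """Evaluate every constructed request against one policy."""
    return {name: evaluate(policy, "s3:PutObject", ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (
        ("Option A (SSE-KMS deny)", SSE_KMS_POLICY),
        ("Option B (TLS deny)", SECURE_TRANSPORT_POLICY),
    ):
        print(label, decisions(policy))
```

Running it shows the exam point directly: under Option A only the `aws:kms` upload survives, while under Option B all three HTTPS uploads pass, including the one with no encryption at all. In a real bucket you would typically deploy both statements together, since they address different risks.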

72
Multi-Select · hard

A company is encrypting sensitive S3 data for an IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A.IAM policies that grant kms:Decrypt only to required application roles
B.S3 Transfer Acceleration
C.A key policy that limits key administrators and key users
D.A larger KMS key rotation period
Answers: A, C

IAM permissions should grant least-privilege use of the KMS key to specific roles.

Why this answer

IAM policies that grant kms:Decrypt only to required application roles ensure that only authorized principals can decrypt data encrypted with the KMS key. By explicitly allowing only the Decrypt action and restricting it to specific roles, you prevent unauthorized principals from accidentally using the key for decryption or other operations, even if they have access to the encrypted S3 objects.

Exam trap

The trap here is that candidates often confuse key rotation (a cryptographic hygiene measure) with access control, or mistakenly think network-level features like Transfer Acceleration can restrict key usage.

73
Drag & Drop · medium

Arrange the steps to implement a disaster recovery plan using AWS Elastic Disaster Recovery (DRS).


Why this order

Agent installation, replication config, launch recovery instance, test, and failback.

74
MCQ · medium

A public API for an image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?

A.A VPC endpoint policy
B.API keys only
C.JWT authorizer configured for the OpenID Connect issuer
D.IAM authorization for all internet users
Answer: C

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

Option C is correct because API Gateway's JWT authorizer natively validates JSON Web Tokens (JWTs) issued by an external OpenID Connect (OIDC) provider. It verifies the token's signature, expiry, and issuer against the OIDC provider's JWKS endpoint, enabling standards-based authentication without custom Lambda code.

Exam trap

The trap here is that candidates often confuse API keys (simple identification) with authentication, or assume IAM authorization is required for all API Gateway endpoints, overlooking the purpose-built JWT authorizer for federated OIDC tokens.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication for external clients using OIDC tokens. Option B is wrong because API keys alone provide only client identification, not authentication; they do not validate identity or token claims from an OIDC provider. Option D is wrong because IAM authorization requires AWS Signature Version 4 signing, which is not suitable for internet users with external OIDC tokens and does not support standards-based token validation.

75
MCQ · medium

Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com". Which change most directly resolves this while keeping instances private?

A.Create an interface VPC endpoint for STS (com.amazonaws.<region>.sts) and associate it with the instance subnets and a security group that allows HTTPS.
B.Create a gateway VPC endpoint for S3 and route the STS traffic through the S3 endpoint gateway.
C.Open an inbound rule in the instances’ security group to allow outbound HTTPS to the internet CIDR block directly.
D.Attach an Internet Gateway to the private subnet route table so the STS API can be reached over public internet.
Answer: A

Interface endpoints provide private, in-VPC connectivity to AWS APIs like STS without requiring internet access or NAT.

Why this answer

The error indicates that the EC2 instances in private subnets cannot reach the STS public endpoint over the internet because there is no NAT gateway or internet gateway attached to the private subnets. Creating an interface VPC endpoint for STS (com.amazonaws.<region>.sts) allows the instances to communicate with the STS API privately using AWS PrivateLink, without requiring internet access. Associating the endpoint with the instance subnets and a security group that allows HTTPS (port 443) ensures that traffic stays within the AWS network, resolving the connectivity error while keeping the instances private.

Exam trap

The trap here is that candidates often confuse gateway endpoints (for S3/DynamoDB) with interface endpoints (for most other AWS services like STS), or they mistakenly think security group rules alone can enable internet access without a proper routing path.

How to eliminate wrong answers

Option B is wrong because a gateway VPC endpoint for S3 only supports S3 and DynamoDB; it cannot route STS traffic, which requires an interface endpoint (PrivateLink) for API calls. Option C is wrong because opening an outbound rule to the internet CIDR block does not provide a route to the internet; the instances are in private subnets with no NAT gateway or internet gateway, so outbound traffic to the internet is blocked regardless of security group rules. Option D is wrong because attaching an Internet Gateway to the private subnet route table would make the subnets public, violating the requirement to keep instances private; private subnets must not have a default route to an internet gateway.
