CCNA Design Secure Questions

36 of 336 questions · Page 5/5 · Design Secure topic · Answers revealed

301
MCQ · medium

A company hosts a financial reporting platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A. A public Elastic IP address on each instance
B. A bastion host with SSH open to 0.0.0.0/0
C. AWS Systems Manager Session Manager with the required instance role
D. An internet gateway attached to the private subnet
Answer: C

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH 22 or RDP 3389) to the internet. It uses the AWS Systems Manager agent on the instance, combined with an IAM instance role that grants permissions to communicate with the Systems Manager API, establishing a bidirectional tunnel over HTTPS (port 443). This satisfies the requirement of no public-facing SSH or RDP ports while enabling administrative connectivity.

Exam trap

The trap here is that candidates often default to a bastion host (Option B) as the traditional solution, but the question explicitly prohibits opening SSH or RDP ports to the internet, and a bastion host still requires those ports open (even if restricted to a CIDR), which fails the requirement; Session Manager avoids any inbound port exposure entirely.

How to eliminate wrong answers

Option A is wrong because assigning a public Elastic IP address to each instance would expose them directly to the internet, requiring open SSH or RDP ports to connect, which violates the requirement. Option B is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the bastion itself to the entire internet, creating a single point of attack and still requiring open SSH ports, which does not meet the 'without opening SSH or RDP ports to the internet' constraint. Option D is wrong because an internet gateway attached to a private subnet does not provide administrative connectivity; it enables outbound internet access for instances in public subnets, not inbound management access without open ports.

302
Multi-Select · medium

A company stores sensitive PDFs in Amazon S3 and serves them through CloudFront. Users must access PDFs only through CloudFront, and direct S3 URL requests must fail. Which three changes should be implemented? Select three.

Select 3 answers
A. Enable CloudFront Origin Access Control (OAC) for the S3 origin.
B. Turn on S3 Block Public Access for the bucket and account.
C. Add an S3 bucket policy that allows requests only from the CloudFront distribution using aws:SourceArn.
D. Enable S3 static website hosting on the bucket.
E. Make the object ACLs public so CloudFront can retrieve them.
Answers: A, B, C

OAC lets CloudFront sign origin requests so the S3 bucket can trust only that distribution.

Why this answer

Option A is correct because CloudFront Origin Access Control (OAC) is the modern, recommended method to restrict S3 bucket access exclusively to a CloudFront distribution. OAC uses a signed request mechanism that verifies the request originates from CloudFront, ensuring direct S3 URL requests are denied. This replaces the older Origin Access Identity (OAI) and provides stronger security with support for features like cross-region buckets and server-side encryption with KMS.

Exam trap

The trap here is that candidates often confuse OAC with OAI or think that enabling static website hosting is necessary for CloudFront integration, when in fact it creates an additional attack surface by exposing a direct S3 endpoint.

303
Multi-Select · hard

A company is encrypting sensitive S3 data for an IoT ingestion API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.

Select 2 answers
A. IAM policies that grant kms:Decrypt only to required application roles
B. S3 Transfer Acceleration
C. A key policy that limits key administrators and key users
D. A larger KMS key rotation period
Answers: A, C

IAM permissions should grant least-privilege use of the KMS key to specific roles.

Why this answer

Option A is correct because IAM policies can explicitly grant kms:Decrypt only to specific application roles, ensuring that only authorized principals (e.g., the IoT ingestion service role) can use the KMS key for decryption. This prevents unauthorized principals from accidentally or maliciously decrypting S3 objects, as the policy restricts the action to required roles without needing custom scripts.

Exam trap

The trap here is that candidates often confuse operational features like Transfer Acceleration or key rotation settings with access control mechanisms, failing to recognize that only IAM and key policies directly govern who can use a KMS key.

304
MCQ · medium

Your organization uses IAM permission boundaries to prevent engineers from escalating privileges. An automated pipeline creates an IAM role for an application deployment and attaches a permission boundary. After deployment, the pipeline reports that the role could create a new KMS key. The permission boundary policy attached to the role allows only (for a specific KMS key ARN, prod-key):

- kms:Decrypt
- kms:DescribeKey

There is no Allow statement for:

- iam:CreateKey
- kms:CreateKey

What is the most likely reason the role was still able to create a KMS key?

A. The permission boundary was not actually attached to the role at creation time (for example, the pipeline bug attached a different boundary ARN or the attachment step failed).
B. Permission boundaries automatically grant all KMS permissions needed by applications, even when they are not listed in the boundary.
C. Because the boundary allows kms:DescribeKey for prod-key, kms:CreateKey must also be implicitly allowed.
D. SCPs always override permission boundaries, so the boundary is ignored in Organizations.
Answer: A

Permission boundaries only constrain the effective permissions when they are attached to the IAM principal. If the boundary attachment step fails (or attaches the wrong boundary/role), the role’s effective permissions come from its identity policy alone, which may include kms:CreateKey.

Why this answer

The most likely reason is that the permission boundary was not actually attached to the role at creation time. Permission boundaries define the maximum permissions a role can have; if the boundary is missing or not attached, the role inherits the full permissions of its attached IAM policies. Since the boundary does not allow kms:CreateKey (so the action is implicitly denied under the boundary), the only way the role could create a KMS key is if the boundary was not enforced, pointing to a pipeline bug or attachment failure.

Exam trap

The trap here is that candidates assume permission boundaries are always correctly attached and enforced, but the question tests the understanding that a missing or misattached boundary results in no restriction, allowing actions that the boundary was intended to block.

How to eliminate wrong answers

Option B is wrong because permission boundaries do not automatically grant any permissions; they only set a limit on what the role can do, and any action not explicitly allowed in the boundary is implicitly denied. Option C is wrong because allowing kms:DescribeKey for a specific key does not imply any other KMS actions; IAM permissions are explicit, not implicit, and kms:CreateKey is a separate action that must be explicitly allowed. Option D is wrong because SCPs (Service Control Policies) can further restrict permissions, but they do not override permission boundaries; both SCPs and permission boundaries are evaluated together, and the effective permission is the intersection of all applicable policies.

305
MCQ · hard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy? The design must avoid adding custom operational scripts.

A. A security group rule that allows HTTPS to S3
B. A condition that matches aws:RequestedRegion to the bucket Region
C. A deny statement for all IAM users except the EC2 role
D. A condition that matches aws:sourceVpce to the endpoint ID
Answer: D

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access to requests originating from a specific VPC endpoint. This ensures that only traffic routed through that endpoint can access the S3 bucket, meeting the security team's requirement without custom scripts.

Exam trap

The trap here is that candidates may confuse security group rules (which control instance-level traffic) with bucket policy conditions (which control access to the S3 service), leading them to pick Option A instead of the correct VPC endpoint condition.

How to eliminate wrong answers

Option A is wrong because security group rules are applied at the instance level, not the bucket policy level, and cannot restrict access based on the VPC endpoint used. Option B is wrong because `aws:RequestedRegion` checks the region of the request, not the network path or endpoint, so it does not enforce that traffic comes through a specific VPC endpoint. Option C is wrong because denying all IAM users except the EC2 role does not control the network path; the EC2 role could still access S3 via the internet or a different endpoint, violating the requirement.

306
MCQ · hard

Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?

A. Move the instances into a public subnet and restrict inbound access with security groups.
B. Add a NAT instance and disable the managed NAT gateway to lower cost.
C. Create an S3 gateway endpoint and a Secrets Manager interface endpoint with private DNS, then remove NAT dependency for those service calls.
D. Use VPC peering to a shared services VPC and route all AWS service traffic through that VPC.
Answer: C

S3 is best reached through a gateway VPC endpoint, while Secrets Manager requires an interface endpoint. With private DNS enabled, the application can resolve and reach those services without leaving AWS private networking. This removes the need for NAT traffic for those calls, cuts cost, and keeps service access off the public internet.

Why this answer

Option C is correct because VPC Gateway Endpoints for S3 and VPC Interface Endpoints for Secrets Manager allow private subnet instances to access these services over the AWS network without traversing the internet or a NAT gateway. Enabling private DNS on the interface endpoint ensures that standard DNS names resolve to private IPs, eliminating the need for NAT and reducing costs.

Exam trap

The trap here is that candidates may think NAT gateways are required for all AWS service access from private subnets, not realizing that VPC endpoints provide direct, private connectivity without internet exposure.

How to eliminate wrong answers

Option A is wrong because moving instances to a public subnet would expose them to the internet, violating the requirement to eliminate internet exposure. Option B is wrong because a NAT instance still requires internet access and incurs management overhead, failing to eliminate internet exposure and not reducing costs effectively compared to endpoints. Option D is wrong because VPC peering to a shared services VPC does not inherently provide private access to S3 or Secrets Manager without additional endpoints or NAT, and it adds complexity and potential routing issues.

307
Multi-Select · hard

The web tier of an online scheduling app runs on an Auto Scaling group behind an ALB. Traffic spikes every weekday at 13:00 when a corporate newsletter is sent. CloudWatch shows CPU averages 18% outside that window, and the current fleet uses larger instances than the load test requires. The application is stateless and can scale out in a few minutes. Which two changes should the architect recommend? Select two.

Select 2 answers
A. Use scheduled scaling to raise desired capacity before the known newsletter window and lower it afterward.
B. Reduce the instance size to the smallest tested type that still meets peak load.
C. Keep the current oversized instances to avoid any scaling activity.
D. Replace the Auto Scaling group with Spot Instances only.
E. Disable ALB health checks to save a small amount of traffic.
Answers: A, B

Scheduled scaling eliminates unnecessary baseline capacity during predictable low-demand periods and ensures extra instances are ready before the spike.

Why this answer

Option A is correct because the traffic spike is predictable (every weekday at 13:00), making scheduled scaling the most cost-effective and reliable approach. Scheduled scaling allows you to increase the desired capacity of the Auto Scaling group before the newsletter window and decrease it afterward, ensuring the application can handle the load without relying on dynamic scaling policies that might lag behind the sudden spike. This avoids over-provisioning during non-peak hours while guaranteeing capacity exactly when needed.

Exam trap

The trap here is that candidates often assume dynamic scaling (e.g., step scaling or target tracking) is always the best choice, but for predictable, recurring traffic patterns, scheduled scaling is more efficient because it proactively adds capacity before the load arrives, avoiding the latency of scaling in response to metrics.

308
MCQ · medium

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager. Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

A. Create an interface VPC endpoint (AWS PrivateLink) for the Secrets Manager service and update the security group rules to allow HTTPS from the application subnets.
B. Add a public DNS entry in the instance /etc/hosts pointing Secrets Manager to the instance’s private IP so requests do not leave the VPC.
C. Attach an internet gateway to the private route table so that Secrets Manager traffic can reach public endpoints without NAT.
D. Enable S3 VPC endpoint and store the secrets in an S3 bucket instead of Secrets Manager, then retrieve them using S3 gateway endpoints.
Answer: A

An interface VPC endpoint provides private, route-table-scoped connectivity to Secrets Manager without internet access or NAT. Security group rules on the endpoint enforce which subnets/instances can reach it.

Why this answer

An interface VPC endpoint (AWS PrivateLink) for Secrets Manager creates a private, direct connection to the service within the VPC, using Elastic Network Interfaces (ENIs) in the subnets. This allows the application to reach Secrets Manager over HTTPS without traversing the internet, a NAT gateway, or an internet gateway, directly resolving the timeout errors caused by the network hardening change that removed public internet access.

Exam trap

The trap here is that candidates might think a NAT gateway or internet gateway is required for any AWS service access, overlooking that AWS PrivateLink interface endpoints can provide private, direct connectivity to services like Secrets Manager without any public internet exposure.

How to eliminate wrong answers

Option B is wrong because modifying /etc/hosts to point the Secrets Manager DNS name to a private IP does not establish a valid network path to the service; the private IP would not be routable to the actual Secrets Manager endpoints, and the request would still fail or be misrouted. Option C is wrong because attaching an internet gateway to a private route table would expose the private subnets to the internet, defeating the purpose of keeping them private and NAT-free, and it would not provide a secure, private connection to Secrets Manager. Option D is wrong because while S3 VPC endpoints (gateway type) provide private connectivity to S3, migrating secrets to an S3 bucket introduces security risks (e.g., lack of automatic rotation, encryption at rest complexities) and does not leverage Secrets Manager's native secret management features; the question specifically asks for connectivity to Secrets Manager, not a workaround.

309
Multi-Select · hard

A company is encrypting sensitive S3 data for a healthcare document service with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A. S3 Transfer Acceleration
B. A key policy that limits key administrators and key users
C. A larger KMS key rotation period
D. IAM policies that grant kms:Decrypt only to required application roles
Answers: B, D

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a key policy in AWS KMS explicitly defines which principals (users, roles, or AWS services) are allowed to use the key for cryptographic operations. By restricting key usage to specific key users, you prevent unauthorized principals—even those with broad IAM permissions—from accidentally invoking the key. This is a critical control for sensitive data like healthcare documents, where compliance requires strict access boundaries.

Exam trap

The trap here is that candidates often overlook that key rotation settings (Option C) are about key lifecycle management, not access control, and confuse S3 Transfer Acceleration (Option A) with a security feature when it is purely a performance optimization.

310
MCQ · medium

A web application for an IoT ingestion API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A. AWS WAF associated with the Application Load Balancer
B. Network ACLs on the public subnets
C. Security groups on the application instances
D. AWS Shield Advanced only
Answer: A

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that integrates directly with an Application Load Balancer to filter and monitor HTTP/HTTPS requests. It provides managed rules specifically designed to block common attack patterns like SQL injection and cross-site scripting (XSS) with minimal operational overhead, as AWS manages the rule updates and scaling. This makes it the ideal choice for protecting the IoT ingestion API without requiring custom code or manual configuration.

Exam trap

The trap here is that candidates often confuse network-layer controls (like NACLs or security groups) with application-layer protection, assuming that blocking ports or IPs is sufficient to prevent SQL injection and XSS, when in fact these attacks require deep packet inspection of HTTP content.

How to eliminate wrong answers

Option B is wrong because Network ACLs operate at the subnet level and provide stateless IP/port filtering; they cannot inspect application-layer payloads to detect SQL injection or XSS patterns. Option C is wrong because security groups act as stateful firewalls at the instance level, filtering traffic based on IP addresses and ports, but they lack the ability to parse HTTP request bodies or headers for malicious content. Option D is wrong because AWS Shield Advanced provides DDoS protection and enhanced monitoring, but it does not include web application firewall capabilities to block SQL injection or XSS attacks.

311
MCQ · hard

Based on the exhibit, a partner account uploads encrypted objects to a central S3 bucket and later reads them back. The S3 permissions are correct, but the requests still fail. What change is required so the partner workload can use the customer-managed KMS key safely?

A. Replace SSE-KMS with S3 object ACLs so the partner account can bypass KMS authorization.
B. Create a new bucket in the partner account and copy the objects there to avoid cross-account encryption.
C. Switch the bucket to SSE-S3 so the partner role no longer needs KMS permissions.
D. Update the CMK key policy, or add a tightly scoped grant, to allow the partner role the required KMS actions through S3.
Answer: D

Cross-account access to SSE-KMS encrypted objects requires KMS authorization in addition to S3 authorization. The key policy must trust the partner role, and the permissions should be limited to the needed KMS actions such as Decrypt, Encrypt, and GenerateDataKey with a service condition for S3. That is why the partner can have valid S3 permissions and still fail until the KMS policy is fixed.

Why this answer

The correct answer is D because when using a customer-managed KMS key (CMK) for SSE-KMS in a cross-account scenario, the key policy must explicitly grant the partner account's IAM role the necessary KMS actions (kms:Decrypt, kms:GenerateDataKey) to allow S3 to perform the encryption/decryption on behalf of the partner. Without this policy update or a tightly scoped grant, S3 cannot authorize the KMS operation even if the S3 bucket policy permits the upload/read.

Exam trap

The trap here is that candidates assume the S3 bucket policy alone is sufficient for cross-account access with SSE-KMS, forgetting that KMS requires its own separate authorization via the key policy or a grant, which is a frequent point of failure in multi-account architectures.

How to eliminate wrong answers

Option A is wrong because S3 object ACLs do not bypass KMS authorization; they only control access to the object metadata, not the encryption key, and cannot resolve the missing KMS permissions. Option B is wrong because copying objects to a new bucket in the partner account does not address the root cause—the partner still needs to read the encrypted objects from the central bucket, and the KMS key policy remains unchanged. Option C is wrong because switching to SSE-S3 would remove the need for KMS permissions, but this changes the encryption method and may violate security requirements for using a customer-managed key; the question implies the partner must use the existing CMK.

312
MCQ · hard

A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.

A. Store the database password in user data
B. Embed the database password in the AMI
C. IAM database authentication for RDS with an EC2 instance role
D. Use a security group rule that allows only application instances
Answer: C

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

Option C is correct because IAM database authentication for RDS PostgreSQL allows EC2 instances to authenticate using short-lived credentials (tokens) obtained via the IAM instance profile role, eliminating the need to store long-term credentials on the instance. The EC2 instance assumes an IAM role, which grants permission to generate an authentication token (valid for 15 minutes) using the AWS CLI or SDK, and that token is used as the password for the database connection. This approach satisfies the requirements of no stored credentials, short-lived authentication, and no custom operational scripts.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups) with application-layer authentication, or they assume that storing credentials in user data or an AMI is acceptable because it's 'not on the instance filesystem' — but both still persist the credential on the instance, violating the 'not stored on EC2' requirement.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data means the password is written to the instance's metadata and remains on the instance, violating the requirement that credentials must not be stored on EC2 instances. Option B is wrong because embedding the database password in the AMI hard-codes the credential into the image, which persists across instance launches and again stores credentials on the instance, failing the no-storage requirement. Option D is wrong because a security group rule controls network access at the transport layer (IP/port) and does not provide authentication; it cannot replace database credentials or enforce short-lived authentication.

313
MCQ · medium

A security requirement states: all uploads to an S3 bucket must (1) use TLS in transit and (2) use server-side encryption with AWS KMS (SSE-KMS) using the CMK key id 'abcd-1234'; otherwise the upload should be rejected. A developer reports that uploads are succeeding even though clients are sometimes using non-encrypted requests. Which bucket policy approach most directly enforces both controls?

A. Add an Allow statement granting s3:PutObject to the developer role; rely on IAM conditions in the developer role to enforce TLS and SSE-KMS.
B. Use Deny statements that reject PutObject when aws:SecureTransport is false and reject PutObject when s3:x-amz-server-side-encryption is not 'aws:kms' or when s3:x-amz-server-side-encryption-aws-kms-key-id does not equal 'abcd-1234'.
C. Enable S3 default encryption to SSE-KMS and remove any bucket policy enforcement, since default encryption automatically rejects all noncompliant uploads.
D. Attach a WAF rule to the S3 website endpoint to block non-TLS requests, because bucket policies cannot evaluate aws:SecureTransport.
Answer: B

These Deny conditions directly block noncompliant requests regardless of the caller’s IAM permissions because explicit Deny in a resource policy overrides any Allow. aws:SecureTransport identifies whether the request used TLS. The SSE-KMS headers (s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id) identify whether SSE-KMS was requested and which CMK key id was used.

Why this answer

Option B is correct because bucket policies can use the `aws:SecureTransport` condition key to enforce TLS and the `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` condition keys to enforce SSE-KMS with the specific CMK key ID. By using Deny statements, any request that does not meet both conditions is explicitly rejected, regardless of any Allow statements that might otherwise grant access. This directly enforces the security requirement at the bucket level.

Exam trap

The trap here is that candidates often confuse S3 default encryption with enforcement—default encryption only applies encryption to objects that lack it, but does not reject non-compliant uploads, so it cannot replace a bucket policy Deny statement for rejecting requests that violate encryption or TLS requirements.

How to eliminate wrong answers

Option A is wrong because relying on IAM conditions in the developer role does not enforce the controls for all clients; any client that can assume the role or use different credentials could bypass the conditions, and IAM conditions are not evaluated for anonymous or cross-account requests. Option C is wrong because S3 default encryption only applies server-side encryption to objects that are uploaded without an encryption header; it does not reject non-compliant uploads—it silently encrypts them, so requests without TLS or with a different KMS key ID would still succeed. Option D is wrong because AWS WAF cannot be attached directly to an S3 bucket endpoint; S3 does not support WAF integration, and bucket policies can indeed evaluate `aws:SecureTransport` to enforce TLS.
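The two bucket-policy patterns discussed above (the TLS and SSE-KMS Deny statements of question 313 and the aws:sourceVpce Deny of question 305) as an added Python example that is not part of the original page: it builds both policies as documents and runs a small simulation of the IAM decision rules they rely on (explicit Deny beats Allow; a negated operator such as StringNotEquals also matches when the key is absent from the request context). The role ARN, bucket ARN and endpoint id are constructed placeholders; only the key id 'abcd-1234' comes from the question, and the evaluator models only the condition operators these two policies use.

```python
import fnmatch

KMS_KEY_ID = "abcd-1234"                          # key id from the question
DEV_ROLE = "arn:aws:iam::111122223333:role/dev"   # constructed role ARN
BUCKET = "arn:aws:s3:::reports-bucket"            # constructed bucket ARN
VPCE_ID = "vpce-0123456789abcdef0"                # constructed endpoint id


def _deny_put(condition):
    """Deny s3:PutObject for every principal whenever `condition` matches."""
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"{BUCKET}/*", "Condition": condition}


# Option B of question 313: one Allow for the developer role plus three Deny
# statements. Because the Denies sit in the resource policy they apply to every
# caller, regardless of what that caller's identity policy allows.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE},
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"},
        _deny_put({"Bool": {"aws:SecureTransport": "false"}}),     # (1) no TLS
        _deny_put({"StringNotEquals":                              # (2) not SSE-KMS
                   {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        _deny_put({"StringNotEquals":                              # (3) wrong key
                   {"s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ID}}),
    ],
}

# Question 305: allow the bucket to be reached only through one VPC endpoint.
VPCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE},
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}}},
    ],
}


def _condition_matches(condition, ctx):
    """Every operator/key pair in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                ok = actual is not None and actual.lower() == expected.lower()
            elif operator == "StringNotEquals":
                # Negated operator: an absent key also matches. This is why Deny (2)
                # catches uploads with no encryption header at all, and why the
                # aws:sourceVpce Deny blocks requests that never used the endpoint
                # (console access included, unless an exception is written for it).
                ok = actual is None or actual != expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(st, principal_arn, action, resource, ctx):
    principals = st["Principal"]
    principal_ok = principals == "*" or principal_arn in _as_list(principals.get("AWS", []))
    return (principal_ok
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
            and _condition_matches(st.get("Condition", {}), ctx))


def evaluate(policy, principal_arn, action, resource, ctx):
    """IAM decision order: any explicit Deny wins, then an Allow, else implicit deny."""
    matched = [st for st in policy["Statement"]
               if _statement_matches(st, principal_arn, action, resource, ctx)]
    if any(st["Effect"] == "Deny" for st in matched):
        return "ExplicitDeny"
    if any(st["Effect"] == "Allow" for st in matched):
        return "Allow"
    return "ImplicitDeny"


def put_object(principal_arn, tls, sse=None, kms_key_id=None):
    """Request context S3 builds for a PutObject; an omitted header is an absent key."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    if kms_key_id is not None:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return evaluate(BUCKET_POLICY, principal_arn, "s3:PutObject",
                    f"{BUCKET}/reports/q1.csv", ctx)


def get_object_via(vpce_id=None):
    """GetObject by the developer role, with or without aws:sourceVpce in the context."""
    ctx = {"aws:SecureTransport": "true"}
    if vpce_id is not None:
        ctx["aws:sourceVpce"] = vpce_id
    return evaluate(VPCE_POLICY, DEV_ROLE, "s3:GetObject",
                    f"{BUCKET}/reports/q1.csv", ctx)
```

Calling `put_object(DEV_ROLE, True)` (TLS but no encryption header) returns "ExplicitDeny" because of the negated-operator rule, while a compliant upload from the developer role returns "Allow" and the same compliant upload from any other principal returns "ImplicitDeny".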

314
MCQ · hard

A mobile banking backend must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A. Run a daily Lambda function to encrypt unencrypted volumes
B. Enable VPC Flow Logs
C. Tag encrypted volumes after creation
D. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
Answer: D

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option D is correct because Service Control Policies (SCPs) are a preventive control that can deny the ec2:CreateVolume action when the encrypted condition is false. This ensures that only encrypted EBS volumes can be created, enforcing encryption at the point of request before any volume is provisioned. SCPs operate at the AWS Organizations level, making them the strongest preventive mechanism for account-wide enforcement.

Exam trap

The trap here is that candidates often confuse reactive controls (like Lambda remediation) with preventive controls (like SCPs), or they mistakenly think tagging or logging can enforce encryption requirements.

How to eliminate wrong answers

Option A is wrong because running a daily Lambda function to encrypt unencrypted volumes is a detective/reactive control, not preventive; it only remediates volumes after they have already been created unencrypted, violating the requirement to prevent creation in the first place. Option B is wrong because VPC Flow Logs capture network traffic metadata and have no ability to enforce or prevent EBS volume creation or encryption; they are a monitoring tool, not a preventive control. Option C is wrong because tagging encrypted volumes after creation is a labeling action that does not prevent unencrypted volumes from being created; it is a detective or organizational control, not a preventive one.

315
MCQ · medium

A partner company needs read-only access to reports in an S3 bucket for a B2B file exchange site. The partner has its own AWS account. What is the most secure scalable access pattern? The design must avoid adding custom operational scripts.

A. Make the objects public and rely on difficult-to-guess object names
B. Create an IAM user in the company account and share the access keys
C. Create a bucket policy that grants the partner role least-privilege access to the required prefix
D. Copy the objects to a public website bucket
Answer: C

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option C is correct because it uses a bucket policy with a principal ARN for the partner's AWS account, granting read-only access to a specific prefix. This is secure (no public exposure), scalable (no per-user credentials to manage), and avoids custom scripts by leveraging native AWS IAM and S3 policy evaluation. The partner can use their own IAM roles to access the bucket without sharing long-term access keys.

Exam trap

The trap here is that candidates may choose Option B (IAM user with shared keys) because it seems straightforward, but they overlook the security risk of long-term credentials and the operational burden of key rotation, which violates the 'most secure scalable' and 'avoid custom scripts' requirements.

How to eliminate wrong answers

Option A is wrong because making objects public relies on security through obscurity (difficult-to-guess names), which is not secure and violates the principle of least privilege; objects can be discovered via enumeration or leaks. Option B is wrong because creating an IAM user and sharing access keys introduces long-term credentials that must be securely rotated and managed, increasing operational overhead and risk of exposure, contradicting the 'avoid custom operational scripts' requirement. Option D is wrong because copying objects to a public website bucket makes them publicly accessible, losing all access control, and adds unnecessary data duplication and synchronization overhead.

316
MCQeasy

You have EC2 instances in private subnets with no NAT gateway. They must retrieve secrets from AWS Secrets Manager without sending traffic to the public internet. Which VPC endpoint type is the correct choice for connecting to AWS Secrets Manager?

A.Create a Gateway VPC endpoint for Secrets Manager.
B.Create an Interface VPC endpoint (AWS PrivateLink) for Secrets Manager and associate security groups for the endpoint.
C.Use a Transit Gateway attachment to route traffic to the public internet for Secrets Manager.
D.Deploy a NAT gateway and allow outbound HTTPS traffic to Secrets Manager.
AnswerB

Secrets Manager is reached via an Interface VPC endpoint. Interface endpoints create private network interfaces in your subnets and route traffic to the AWS service over the AWS network, avoiding public internet egress.

Why this answer

AWS Secrets Manager is accessed via an API endpoint that uses HTTPS. Interface VPC endpoints (AWS PrivateLink) are the correct choice for connecting to services like Secrets Manager because they use elastic network interfaces (ENIs) with private IPs in your VPC, allowing traffic to stay within the AWS network. Gateway endpoints only support S3 and DynamoDB, not Secrets Manager.

Exam trap

The trap here is that candidates often confuse Gateway endpoints (which are free and only for S3/DynamoDB) with Interface endpoints (which incur hourly charges but support many services like Secrets Manager, KMS, and CloudWatch).

How to eliminate wrong answers

Option A is wrong because Gateway VPC endpoints only support Amazon S3 and DynamoDB, not AWS Secrets Manager. Option C is wrong because Transit Gateway attachments route traffic between VPCs and on-premises networks, but they do not provide private connectivity to AWS public services without a NAT gateway or internet gateway. Option D is wrong because deploying a NAT gateway would send traffic to the public internet, violating the requirement to avoid public internet traffic.

317
MCQeasy

A company wants to protect a critical application from a full Region outage. The secondary Region should keep only a small amount of infrastructure running most of the time to control cost. Which disaster recovery strategy fits best?

A.Pilot light
B.Active-active
C.Single-AZ deployment
D.Blue/green deployment
AnswerA

Pilot light keeps a minimal version of the environment running in the backup Region, which helps reduce cost while still supporting recovery.

Why this answer

The pilot light strategy is correct because it keeps a minimal core of infrastructure (e.g., a small database, a few EC2 instances) running in the secondary Region, while the bulk of the application remains dormant. In a full Region outage, the pilot light can be rapidly scaled up to full production capacity, meeting the requirement of low ongoing cost with the ability to recover from a complete Region failure.

Exam trap

The trap here is that candidates confuse 'pilot light' with 'active-active' or 'warm standby,' mistakenly thinking that any multi-Region setup must run full capacity, when the pilot light specifically minimizes cost by keeping only a minimal footprint until failover is triggered.

How to eliminate wrong answers

Option B (Active-active) is wrong because it runs full production workloads in both Regions simultaneously, incurring high costs that contradict the requirement to keep only a small amount of infrastructure running most of the time. Option C (Single-AZ deployment) is wrong because it deploys resources within a single Availability Zone, which does not protect against a full Region outage and violates the requirement for cross-Region disaster recovery. Option D (Blue/green deployment) is wrong because it is a deployment strategy for minimizing downtime during application updates, not a disaster recovery strategy for Region-level failures; it typically operates within a single Region.

318
Multi-Selectmedium

A startup runs an API on Amazon EC2. The instance must read items from one DynamoDB table and upload logs to one S3 bucket. Platform engineers also need a way to create new application roles, but those roles must never exceed a predefined set of permissions. Which three actions should the architect take? Select three.

Select 3 answers
A.Attach an IAM role to the EC2 instance profile and remove long-lived access keys from the server.
B.Give the EC2 instance an IAM user with administrator access for simplicity.
C.Scope the application policy to the exact DynamoDB table ARN and S3 bucket prefix.
D.Store the access keys in the application configuration file and rotate them later.
E.Use a permissions boundary for any IAM roles the platform team is allowed to create.
AnswersA, C, E

This gives the workload temporary credentials through the instance metadata service and avoids storing secrets on the host. It is the standard least-privilege pattern for EC2-based applications.

Why this answer

Option A is correct because attaching an IAM role to the EC2 instance profile allows the instance to obtain temporary credentials via the instance metadata service (IMDS), eliminating the need to store long-lived access keys on the server. This follows the AWS security best practice of using roles for EC2 to securely access DynamoDB and S3 without managing static credentials.

Exam trap

The trap here is that candidates may think storing access keys in a config file with rotation is acceptable, but AWS explicitly recommends using IAM roles for EC2 to avoid the security risks of long-lived static credentials.

319
MCQeasy

A public API is served through an Application Load Balancer and protected by AWS WAF. The team wants AWS to automatically block clients that send too many requests from the same IP address within a short time window. Which AWS WAF feature is the best fit?

A.Use a rate-based rule in AWS WAF to block when requests per IP exceed a configured threshold over the WAF rate-based evaluation window.
B.Use an AWS IAM policy on the ALB listener to deny requests when request count exceeds a threshold.
C.Enable S3 server access logs for the bucket that stores API responses and alert on high log volume.
D.Configure an AWS Lambda authorizer to reject requests after the Nth request from an IP address.
AnswerA

Rate-based rules are designed specifically to mitigate abusive traffic by limiting the number of requests from an identified source (typically by IP). When the threshold is exceeded, you can set the rule action to Block (or count first for tuning).

Why this answer

A rate-based rule in AWS WAF is specifically designed to automatically block clients when the number of requests from a single IP address exceeds a configured threshold within a rolling evaluation window (typically 5 minutes). This feature directly addresses the requirement to mitigate high request rates from the same IP, making it the best fit for the described use case.

Exam trap

The trap here is that candidates may confuse AWS WAF rate-based rules with other AWS services like IAM or Lambda authorizers, mistakenly thinking those can handle network-level rate limiting, when in fact only WAF provides native, automatic IP-based rate blocking.

How to eliminate wrong answers

Option B is wrong because IAM policies control authentication and authorization for AWS API calls, not network-level request rates on an ALB listener; they cannot deny HTTP requests based on request count. Option C is wrong because S3 server access logs are for auditing object-level access, not for real-time rate limiting of API requests, and alerting on log volume does not automatically block clients. Option D is wrong because an AWS Lambda authorizer is used for custom authentication/authorization of requests, not for rate limiting based on IP address; it would require custom logic and does not natively support sliding window rate tracking.
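
An added example (not from the question bank) of the rate-based rule from Option A as it would appear in the rule list of a WAFv2 web ACL, aggregating by source IP and blocking once the limit is exceeded over the default evaluation window. The rule name, metric name and limit of 1000 are placeholders.

```json
{
  "Name": "BlockHighRequestRatePerIp",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 1000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockHighRequestRatePerIp"
  }
}
```

Replacing "Block" with "Count" gives the tuning mode the rationale mentions, so the threshold can be sized against the rule's CloudWatch metric before any client is blocked.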

320
MCQmedium

A healthcare document service stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

A.S3 Object Lock in compliance mode with an appropriate retention period
B.S3 server access logging
C.S3 lifecycle expiration after seven years
D.S3 versioning only
AnswerA

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of immutable audit logs for seven years, as compliance mode enforces a strict write-once-read-many (WORM) model that cannot be bypassed.

Exam trap

The trap here is that candidates often confuse S3 versioning with immutability, assuming versioning alone prevents deletion, but versioning only protects against accidental overwrites by creating new versions—it does not prevent explicit deletion of the current version or the entire object.

How to eliminate wrong answers

Option B is wrong because S3 server access logging only records requests made to the bucket, it does not prevent deletion or overwriting of existing logs. Option C is wrong because S3 lifecycle expiration automatically deletes objects after seven years, which violates the requirement that logs cannot be deleted. Option D is wrong because S3 versioning alone preserves previous versions but does not prevent deletion of the current version or overwriting of objects; it must be combined with Object Lock to enforce immutability.

321
MCQhard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an image sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A.A condition that matches aws:sourceVpce to the endpoint ID
B.A deny statement for all IAM users except the EC2 role
C.A security group rule that allows HTTPS to S3
D.A condition that matches aws:RequestedRegion to the bucket Region
AnswerA

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option A is correct because the `aws:sourceVpce` condition key in an S3 bucket policy allows you to restrict access so that only traffic originating from a specific VPC endpoint (VPCe) is permitted. This enforces the security team's requirement that all S3 access must come through that endpoint, ensuring that requests from other paths (e.g., NAT gateway, internet gateway) are denied. The condition is evaluated at the S3 service side, not at the instance level, making it a direct and secure way to enforce the policy.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceVpc` (which matches the VPC ID, not the endpoint ID) or incorrectly think a security group rule can enforce endpoint-specific routing, but security groups cannot control the network path taken by traffic.

How to eliminate wrong answers

Option B is wrong because denying all IAM users except the EC2 role does not enforce the requirement that traffic must come through a specific VPC endpoint; it only restricts which IAM identity can access the bucket, not the network path. Option C is wrong because a security group rule controls traffic at the instance level (allowing HTTPS to S3 from the instance), but it cannot enforce that the traffic must traverse a specific VPC endpoint—security groups do not have awareness of VPC endpoints. Option D is wrong because `aws:RequestedRegion` restricts the AWS Region from which the request is made, not the network path or VPC endpoint; it does not ensure traffic flows through the required VPC endpoint.
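
An added example (not from the question bank) of the Option A condition written as an explicit Deny, which rejects every request that did not arrive through the named endpoint no matter which principal sent it. The bucket name and endpoint ID are placeholders; the EC2 role still needs its own Allow for s3:GetObject, which this statement does not provide.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessNotFromApprovedEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-regulated-exports",
        "arn:aws:s3:::example-regulated-exports/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Requests from the console or through a NAT gateway carry no aws:sourceVpce value, so this Deny also blocks the account's own administrators; confirm the endpoint route works from the instance before attaching the policy.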

322
MCQmedium

A Lambda function for an order processing API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A.AWS Secrets Manager with rotation enabled
B.An encrypted object in Amazon S3
C.AWS Systems Manager Parameter Store SecureString without automation
D.A KMS-encrypted Lambda environment variable
AnswerA

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is designed to securely store, retrieve, and automatically rotate database credentials on a schedule. It natively supports rotation every 30 days via a built-in Lambda rotation function, and it avoids storing the password in environment variables, meeting both security and compliance requirements.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString (which can store encrypted values but lacks automatic rotation) with Secrets Manager, or they assume KMS-encrypted environment variables are sufficient despite their static nature and the explicit requirement to avoid environment variables.

How to eliminate wrong answers

Option B is wrong because storing an encrypted object in Amazon S3 requires manual retrieval and decryption logic in the Lambda function, and it does not provide automated rotation every 30 days. Option C is wrong because AWS Systems Manager Parameter Store SecureString without automation lacks built-in rotation capabilities; you would need to implement custom rotation logic, which is not automatic. Option D is wrong because a KMS-encrypted Lambda environment variable is static and cannot be rotated automatically; any rotation would require redeploying the function, and the password remains in the environment variable, which is explicitly prohibited.

323
MCQmedium

An order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured?

A.S3 server access logging
B.S3 lifecycle expiration after seven years
C.S3 versioning only
D.S3 Object Lock in compliance mode with an appropriate retention period
AnswerD

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of immutable audit logs for seven years, as compliance mode enforces a legal hold that cannot be removed by any party.

Exam trap

The trap here is that candidates confuse versioning (which provides recovery but not immutability) with Object Lock (which enforces strict WORM compliance), leading them to select versioning alone as sufficient.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket; it does not prevent deletion or overwriting of existing logs. Option B is wrong because S3 lifecycle expiration after seven years would delete objects after that period, but it does not prevent deletion or overwriting before the expiration date. Option C is wrong because S3 versioning alone preserves previous versions of objects but does not prevent deletion of the current version or overwriting; it only allows recovery of deleted or overwritten objects, not immutability.

324
MCQmedium

Your CI system assumes an IAM role RoleForDeploy using STS AssumeRole and includes a session tag called Project=blue. The role’s permissions policy uses an ABAC condition like aws:PrincipalTag/Project to allow access only to resources tagged with the same project. AssumeRole succeeds, but deployments fail with AccessDenied. CloudTrail shows the role was assumed, yet the effective session does not contain the Project tag. Which change most directly fixes this issue?

A.Add permissions for sts:TagSession to the IAM role so the CI pipeline is allowed to pass the Project session tag during AssumeRole.
B.Remove the ABAC condition using aws:PrincipalTag/Project so the policy ignores session tags.
C.Move the aws:PrincipalTag/Project condition into the trust policy so it applies during the AssumeRole call.
D.Add kms:Decrypt permission to the CI role because missing tags are typically caused by KMS authorization failures.
AnswerA

Session tags are not automatically granted; the role needs sts:TagSession permission to allow passing tags into the session.

Why this answer

Option A is correct because when an IAM role is assumed with STS AssumeRole and session tags are included, the calling principal must have explicit permission to pass those tags via the `sts:TagSession` action. Without this permission, the session tags are silently dropped, even though the AssumeRole call succeeds. Adding `sts:TagSession` to the role's permissions allows the CI pipeline to pass the `Project=blue` tag, making the ABAC condition on `aws:PrincipalTag/Project` evaluate correctly and granting access to tagged resources.

Exam trap

The trap here is that candidates assume session tags are automatically applied when passed in the AssumeRole call, but AWS requires explicit `sts:TagSession` permission for the tags to take effect, which is a subtle but critical detail tested in ABAC scenarios.

How to eliminate wrong answers

Option B is wrong because removing the ABAC condition would bypass the intended security control, but the root cause is that the session tag is not being applied, not that the condition is misconfigured. Option C is wrong because moving the condition to the trust policy would not fix the missing tag; the trust policy controls who can assume the role, not how session tags are passed, and the condition on `aws:PrincipalTag/Project` is correctly placed in the permissions policy to enforce ABAC. Option D is wrong because KMS authorization failures are unrelated to missing session tags; the issue is purely about STS tag propagation, not encryption key permissions.
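
An added example (not from the question bank) of the RoleForDeploy trust policy after the Option A fix: sts:AssumeRole lets the CI principal assume the role, and a separate sts:TagSession statement lets it pass the Project tag while restricting the value to blue. The CI principal ARN and account ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCiPipelineToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CiPipelineRole"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "AllowOnlyTheBlueProjectSessionTag",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CiPipelineRole"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "blue"
        }
      }
    }
  ]
}
```

With the aws:RequestTag condition, a pipeline that tries to tag its session Project=red fails the AssumeRole call outright instead of gaining access to another project's resources.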

325
MCQmedium

A Lambda function for a mobile banking backend needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used? The design must avoid adding custom operational scripts.

A.An encrypted object in Amazon S3
B.AWS Secrets Manager with rotation enabled
C.AWS Systems Manager Parameter Store SecureString without automation
D.A KMS-encrypted Lambda environment variable
AnswerB

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it natively supports automatic rotation of secrets on a configurable schedule (e.g., every 30 days) without requiring custom scripts. It also provides fine-grained access control and integrates directly with Lambda via the AWS SDK, keeping the password out of environment variables and code.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString (which can store secrets but lacks automatic rotation) with Secrets Manager, or they assume that encrypting environment variables with KMS is sufficient for rotation, ignoring the need for automated lifecycle management.

How to eliminate wrong answers

Option A is wrong because storing an encrypted object in Amazon S3 requires custom code to retrieve, decrypt, and rotate the password, violating the 'no custom operational scripts' constraint. Option C is wrong because AWS Systems Manager Parameter Store SecureString without automation does not support automatic rotation; you would need to manually update the parameter or add a custom rotation solution. Option D is wrong because a KMS-encrypted Lambda environment variable is static and cannot be rotated automatically; you would need to redeploy the function to change the password, which adds operational overhead.

326
Multi-Selecthard

A customer analytics portal uses CloudFront in front of an S3 origin. Which two settings help keep users from bypassing CloudFront and accessing the bucket directly? The design must avoid adding custom operational scripts.

Select 2 answers
A.Enable CloudFront standard logging
B.Configure Origin Access Control for the S3 origin
C.Use an S3 bucket policy that allows access only from the CloudFront distribution
D.Enable S3 static website hosting
AnswersB, C

Origin Access Control allows CloudFront to securely access a private S3 bucket.

Why this answer

Option B is correct because Origin Access Control (OAC) is a CloudFront feature that restricts access to an S3 origin so that only the CloudFront distribution can retrieve objects. OAC uses a signed request mechanism that prevents direct S3 access, ensuring users cannot bypass CloudFront and hit the bucket directly without custom scripts.

Exam trap

The trap here is that candidates often think enabling logging (Option A) or static website hosting (Option D) can somehow restrict access, but these settings have no effect on access control and actually introduce new endpoints that could be exploited to bypass CloudFront.
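
An added example (not from the question bank) of the Option C bucket policy that pairs with OAC: only the CloudFront service principal may read objects, and only when acting for one specific distribution. The bucket name, account ID and distribution ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-analytics-portal-assets/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
        }
      }
    }
  ]
}
```

Keep S3 Block Public Access enabled on the bucket so that no later statement can reopen it to anonymous readers.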

327
MCQeasy

A service role has an IAM policy granting kms:Decrypt for a specific AWS KMS key. The application still fails to decrypt with an AccessDenied error. What change most directly fixes this when the KMS key policy is missing the role’s permissions?

A.Update the KMS key policy to allow kms:Decrypt for the service role principal (or the assumed-role principal identity that the KMS key evaluates).
B.Add an IAM policy statement allowing s3:GetObject for the bucket that stores the encrypted data.
C.Enable a CloudFront distribution for the KMS key alias.
D.Create a VPC gateway endpoint for KMS to route decryption requests privately.
AnswerA

KMS authorization is controlled by the KMS key policy in addition to (not instead of) IAM identity policies. If the key policy does not allow the principal, KMS will deny kms:Decrypt even if the IAM policy allows it.

Why this answer

The AccessDenied error occurs because the KMS key policy does not grant the service role (or its assumed-role principal) permission to call kms:Decrypt. Even if the IAM policy attached to the role allows kms:Decrypt, KMS requires that the key policy explicitly authorize the principal (or the role’s assumed-role session) when the key policy is the sole authorization mechanism. Updating the key policy to include the service role principal (or the assumed-role ARN) with kms:Decrypt directly resolves the missing permission.

Exam trap

The trap here is that candidates assume IAM policies alone are sufficient for KMS authorization, but KMS key policies are resource-based and must explicitly include the principal (or the assumed-role session) when the key policy is the sole authorization mechanism.

How to eliminate wrong answers

Option B is wrong because s3:GetObject for the S3 bucket is unrelated to the KMS decryption failure; the error is specifically about KMS authorization, not S3 access. Option C is wrong because enabling a CloudFront distribution for the KMS key alias does not grant decryption permissions; CloudFront is a content delivery service and does not interact with KMS key policies. Option D is wrong because a VPC gateway endpoint for KMS only affects network routing for KMS API calls, not the IAM or key policy authorization; it does not grant the required kms:Decrypt permission.
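
An added example (not from the question bank) of a key policy that resolves the Option A scenario: an administrative statement keeps the key manageable, and a second statement names the service role's principal ARN, which also matches its assumed-role sessions, for kms:Decrypt. Account ID and role names are placeholders; in a key policy, Resource "*" always means this key.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-with-service-role",
  "Statement": [
    {
      "Sid": "AllowKeyAdministration",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/KmsKeyAdmin"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceRoleToDecrypt",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/OrderServiceRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

The role's identity policy keeps its own kms:Decrypt allow; as the rationale states, the two policies are evaluated together rather than one replacing the other.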

328
MCQmedium

A company uses AWS Organizations and has separate development, test, and production accounts. The security team wants to ensure that no one in the sandbox organizational unit can disable AWS CloudTrail or delete the central audit bucket, even if an account administrator creates permissive IAM policies later. Which control should they use?

A.Attach an identity-based policy in each account that denies CloudTrail changes.
B.Use a service control policy on the sandbox organizational unit to deny the prohibited actions.
C.Create an S3 bucket policy that allows only the audit team role to delete objects.
D.Apply a permission boundary to each IAM user in the sandbox accounts.
AnswerB

Service control policies are the correct governance mechanism for setting guardrails across multiple accounts in AWS Organizations. An SCP can explicitly deny sensitive actions such as disabling CloudTrail or deleting the audit bucket, and those denies apply even if administrators create local IAM policies that would otherwise allow the actions. SCPs do not grant permissions by themselves; they only constrain what account principals can ever do within the OU.

Why this answer

Service control policies (SCPs) are the correct mechanism because they act as a centralized guardrail at the AWS Organizations level, setting maximum permissions for all accounts in an organizational unit (OU). Even if an account administrator creates permissive IAM policies later, an SCP that explicitly denies disabling CloudTrail or deleting the central audit bucket will override those permissions, ensuring the security team's requirements are enforced across the sandbox OU.

Exam trap

The trap here is that candidates often confuse service control policies with IAM permission boundaries or resource-based policies, thinking that a bucket policy or permission boundary can prevent service-level actions like disabling CloudTrail, when only an SCP can enforce such restrictions across all principals in an entire OU.

How to eliminate wrong answers

Option A is wrong because identity-based policies are attached to IAM users, groups, or roles within an account and can be overridden by a more permissive policy created by an account administrator, so they do not provide the centralized, unchangeable control needed. Option C is wrong because an S3 bucket policy can prevent deletion of objects in the bucket but cannot prevent an account administrator from disabling CloudTrail itself, which is the primary concern. Option D is wrong because a permission boundary limits the maximum permissions an IAM user can have but does not prevent an account administrator from creating new IAM users or roles without the boundary, nor does it block disabling CloudTrail at the service level.
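
An added example (not from the question bank) of the Option B service control policy for the sandbox OU: the first statement denies the CloudTrail calls that would stop or alter logging, the second denies deleting or rewriting the central audit bucket and its objects. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyAuditBucketDeletion",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::example-central-audit-logs",
        "arn:aws:s3:::example-central-audit-logs/*"
      ]
    }
  ]
}
```

SCPs never apply to the organization's management account, so the trail and bucket belong in a dedicated log archive account outside the sandbox OU.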

329
MCQmedium

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

A.Use AWS Systems Manager Session Manager, enabling the required SSM permissions in the instance profile and restricting access to engineers via IAM.
B.Keep the bastion host but move it into a private subnet; engineers can connect by using a corporate VPN into the VPC.
C.Attach a public IP to each private instance so engineers can SSH directly and use security groups to restrict access.
D.Create a security group rule that allows engineers’ source IP addresses to reach instances over RDP on port 3389.
AnswerA

Session Manager avoids inbound SSH from the internet by initiating interactive sessions through Systems Manager. The instance profile must allow SSM actions like StartSession, and engineers’ IAM permissions restrict who can connect. This is a commonly recommended bastion-free alternative that improves security and reduces exposed network paths.

Why this answer

AWS Systems Manager Session Manager provides secure, auditable, agent-based access to EC2 instances without requiring a bastion host, public IPs, or open inbound ports. Since the instances already have an instance profile, you only need to add the required SSM permissions (e.g., AmazonSSMManagedInstanceCore) to that profile and use IAM policies to restrict Session Manager access to engineers authenticated via AWS SSO. This eliminates the bastion host while maintaining secure, on-demand troubleshooting access.

Exam trap

The trap here is that candidates often think a bastion host is the only way to access private instances, overlooking that AWS Systems Manager Session Manager provides a fully managed, agent-based alternative that eliminates the need for any bastion host or open inbound ports.

How to eliminate wrong answers

Option B is wrong because moving the bastion host to a private subnet and using a corporate VPN still leaves a persistent bastion host that must be patched and managed, and it does not eliminate the attack surface or the need for SSH/RDP key management. Option C is wrong because attaching a public IP to each private instance directly exposes them to the internet, violating the principle of least privilege and increasing the attack surface, even with security group restrictions. Option D is wrong because allowing engineers’ source IPs over RDP port 3389 requires opening inbound ports and managing IP allow lists, which is less secure than Session Manager access and does not integrate with AWS SSO for authentication.
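
An added example (not from the question bank) of the engineer-side IAM policy the rationale refers to: ssm:StartSession is allowed only against instances carrying a specific tag, plus the default session document, while the instance side keeps AmazonSSMManagedInstanceCore in its profile. Region, account ID and the tag key and value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "private-api"
        }
      }
    },
    {
      "Sid": "UseOnlyTheDefaultShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
    }
  ]
}
```

Attach these statements to the Identity Center permission set the engineers use, so access follows their SSO identity and every session start is recorded in CloudTrail.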

330
MCQeasy

A containerized service needs to read exactly one secret value from AWS Secrets Manager. The secret’s ARN is already known, and the secret is encrypted with the AWS-managed KMS key for Secrets Manager, so no separate KMS permissions are needed for this question. The service does not need to list secrets, create secrets, rotate them, or write updates. Which IAM permission statement grants the service role the least privilege it needs?

A.Allow secretsmanager:GetSecretValue on the specific secret ARN only.
B.Allow secretsmanager:* on all resources in the account.
C.Allow secretsmanager:ListSecrets so the service can discover the secret ARN at runtime.
D.Allow secretsmanager:PutSecretValue so the service can retrieve and update the secret value.
AnswerA

For a read-only use case where the secret ARN is already known, the minimum required Secrets Manager action is secretsmanager:GetSecretValue. Scoping the resource to only that secret ARN minimizes blast radius if the role is compromised.

Why this answer

Option A is correct because the service only needs to read a single secret value, and the least-privilege permission is to allow only the `secretsmanager:GetSecretValue` action on that specific secret's ARN. This grants exactly the required read access without any additional capabilities, adhering to the principle of least privilege. Since the secret is encrypted with the AWS-managed KMS key for Secrets Manager, no separate KMS permissions are needed, as the key policy automatically grants access to the Secrets Manager service.

Exam trap

The trap here is that candidates often choose a broader permission like `secretsmanager:*` or `secretsmanager:ListSecrets` because they confuse the need to discover the secret with the need to read it, or they overlook that the ARN is already known, making list actions unnecessary.

How to eliminate wrong answers

Option B is wrong because `secretsmanager:*` on all resources grants full administrative access to all secrets in the account, which is far more permissive than needed and violates least privilege. Option C is wrong because `secretsmanager:ListSecrets` allows listing all secret names and ARNs in the account, which is unnecessary since the secret ARN is already known, and it provides no ability to read the secret value itself. Option D is wrong because `secretsmanager:PutSecretValue` allows updating the secret value, which is not required and introduces unnecessary write permissions that could lead to accidental or malicious modification.

331
MCQ · medium

Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

A. Use IAM Identity Center permission sets with time-bound access processes and CloudTrail auditing
B. Disable CloudTrail during troubleshooting
C. Create shared administrator access keys for the team
D. Attach AdministratorAccess permanently to every developer role
Answer: A

Federated access with permission sets and audited temporary assignments reduces standing privilege.

Why this answer

IAM Identity Center permission sets allow granting time-bound, least-privilege access to production resources. Combined with CloudTrail auditing, this provides full logging of all actions taken during the elevated access period. The solution meets the security team's requirements for approvals (via the permission set request workflow), expiry (via session duration or time-bound assignments), and audit logging (via CloudTrail), without requiring custom operational scripts.

Exam trap

The trap here is that candidates may think shared keys (Option C) are acceptable for 'temporary' access, but AWS explicitly discourages shared credentials because they break audit trails and accountability, which is a core security requirement in the SAA-C03 exam.

How to eliminate wrong answers

Option B is wrong because disabling CloudTrail during troubleshooting removes all audit logging, directly violating the security team's requirement for audit logging and making it impossible to track actions taken. Option C is wrong because creating shared administrator access keys violates the principle of least privilege, eliminates individual accountability, and prevents proper audit logging of who performed which action. Option D is wrong because permanently attaching AdministratorAccess to every developer role grants excessive, always-on privileges with no time-bound expiry, violating the requirement for temporary elevated access and approvals.

332
MCQ · easy

A security team needs an audit trail to investigate suspicious API activity across multiple AWS accounts. Which AWS approach best provides centralized visibility into who did what, when, for service API calls?

A. Create an AWS CloudTrail organization trail that delivers logs to a centralized, access-controlled S3 bucket.
B. Enable AWS Config only for EC2 security groups and rely on it for API call auditing.
C. Turn on S3 server access logging for every bucket and assume it covers all AWS services.
D. Use only Amazon CloudWatch alarms with no logging destination to reduce storage costs.
Answer: A

An AWS Organizations organization trail centralizes management and API activity logs across accounts. CloudTrail provides detailed event records including the requesting principal, source information, event time, and the specific API action, which supports forensic investigation.

Why this answer

An AWS CloudTrail organization trail is the correct approach because it captures management and data events across multiple AWS accounts within an AWS Organizations structure, delivering them to a single, centralized S3 bucket. This provides a unified, immutable audit trail of who performed which API call, when, and from which source IP, enabling the security team to investigate suspicious activity with full visibility. The centralized bucket can be access-controlled with S3 bucket policies and IAM to ensure only authorized personnel can view the logs.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which records API calls), leading them to pick Option B, but Config does not provide the who, what, when details needed for an API audit trail.

How to eliminate wrong answers

Option B is wrong because AWS Config is a resource inventory and configuration change tracking service, not an API call auditor; it does not capture who made the API call or the full request/response details. Option C is wrong because S3 server access logging only records requests made to S3 buckets, not API calls for other AWS services like EC2, IAM, or Lambda, leaving a massive gap in the audit trail. Option D is wrong because CloudWatch alarms only trigger on metric thresholds and do not store or provide any log data for forensic investigation; without a logging destination, there is no audit trail at all.

333
MCQ · medium

Based on the exhibit, what should the security team implement so developers can create AWS Lambda execution roles, but no developer-created role can ever exceed the approved permission set?

A. Place the developers in an IAM group with a deny-only managed policy attached.
B. Require a permissions boundary on every developer-created role and set the boundary to the approved maximum permissions.
C. Use an AWS Organizations SCP to grant only the approved Lambda permissions directly to the developer roles.
D. Create the roles with inline policies only, because inline policies are always safer than managed policies.
Answer: B

A permissions boundary limits the highest permissions a role can ever have, even if someone attaches broader policies later. This is the right guardrail when developers are allowed to create roles but must stay within a security-approved ceiling. It still lets them work independently while preventing privilege escalation through policy attachment.

Why this answer

Option B is correct because a permissions boundary explicitly defines the maximum permissions that an IAM role can have, and when attached to developer-created roles, it prevents any role from exceeding the approved set of permissions, even if the developer attaches a more permissive policy. This directly addresses the requirement that no developer-created role can ever exceed the approved permission set, as the boundary acts as a hard cap.

Exam trap

The trap here is that candidates often confuse permissions boundaries with SCPs or assume that inline policies are more restrictive, but the key is that a permissions boundary is the only mechanism that directly caps the maximum permissions of a specific role without affecting other principals.

How to eliminate wrong answers

Option A is wrong because a deny-only managed policy attached to an IAM group would deny all actions by default, preventing developers from creating any roles at all, rather than allowing creation within a permission limit. Option C is wrong because an AWS Organizations SCP applies to every principal in the accounts it is attached to and cannot be scoped to specific developer-created roles; moreover, an SCP never grants permissions, it only sets the maximum permissions that identity policies in the account can grant. Option D is wrong because inline policies are not inherently safer than managed policies; the security concern is about permission scope, not policy type, and inline policies can still grant excessive permissions without a boundary.

334
MCQ · medium

Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied". Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?

A. Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN.
B. Allow only the S3 bucket owner account to perform s3:GetObject without any condition, so CloudFront can inherit access automatically.
C. Add a policy statement that denies s3:GetObject when the request does not include the header CloudFront-Viewer-Country.
D. Grant s3:GetObject permission to an Origin Access Identity (OAI) canonical user ID even though you are using Origin Access Control (OAC).
Answer: A

With CloudFront OAC, the request to S3 is authorized using the CloudFront service principal. Granting s3:GetObject to cloudfront.amazonaws.com and constraining it with AWS:SourceArn to the specific distribution is the standard secure pattern for private S3 origins.

Why this answer

Option A is correct because CloudFront Origin Access Control (OAC) requires an explicit S3 bucket policy that allows the CloudFront service principal (`cloudfront.amazonaws.com`) to perform `s3:GetObject`, and the recommended best practice is to scope the permission using a condition on `AWS:SourceArn` matching the specific CloudFront distribution ARN. This ensures that only requests originating from that distribution can access the bucket objects, preventing unauthorized access from other sources.

Exam trap

The trap here is that candidates often confuse Origin Access Control (OAC) with the older Origin Access Identity (OAI) and incorrectly select an OAI-based policy (Option D), or they assume that bucket owner permissions automatically extend to CloudFront (Option B), failing to recognize that OAC requires an explicit service principal-based policy with a source ARN condition.

How to eliminate wrong answers

Option B is wrong because simply allowing the S3 bucket owner account to perform `s3:GetObject` does not grant CloudFront any permissions; CloudFront operates under its own service principal, not the bucket owner's account, so the distribution would still receive 403 errors. Option C is wrong because requiring the `CloudFront-Viewer-Country` header does not address the underlying access control issue; CloudFront OAC requires a policy that explicitly allows the service principal to read objects, and this header condition is unrelated to authentication or authorization. Option D is wrong because Origin Access Control (OAC) is a newer mechanism that replaces Origin Access Identity (OAI); using an OAI canonical user ID is incompatible with OAC, and the policy must reference the CloudFront service principal, not the OAI canonical user.

335
MCQ · easy

A mobile app reads the same product details many times per minute from Amazon DynamoDB. The table design is already correct, but repeated reads are still causing noticeable latency. Which service should the team add to improve read performance?

A. Amazon DAX
B. Amazon EFS
C. AWS Lambda
D. Amazon SNS
Answer: A

DAX adds an in-memory cache in front of DynamoDB to reduce read latency for repeated accesses.

Why this answer

Amazon DAX (DynamoDB Accelerator) is an in-memory cache specifically designed for DynamoDB. It reduces read latency from single-digit milliseconds to microseconds by caching frequently accessed items, which directly addresses the repeated read pattern described in the question.

Exam trap

The trap here is that candidates may confuse DAX with ElastiCache (which is generic and not DynamoDB-native) or assume that Lambda or SNS can somehow accelerate reads, but DAX is the only service purpose-built for DynamoDB read acceleration.

How to eliminate wrong answers

Option B (Amazon EFS) is wrong because it is a file-level storage service for EC2 instances, not a cache for DynamoDB reads, and it would introduce network latency rather than reducing DynamoDB latency. Option C (AWS Lambda) is wrong because it is a serverless compute service that executes code in response to events; it does not cache data or improve DynamoDB read performance on its own. Option D (Amazon SNS) is wrong because it is a pub/sub messaging service for sending notifications, not a caching layer for database reads.

336
MCQ · medium

A Lambda function for an IoT ingestion API needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A. AWS Secrets Manager with rotation enabled
B. A KMS-encrypted Lambda environment variable
C. AWS Systems Manager Parameter Store SecureString without automation
D. An encrypted object in Amazon S3
Answer: A

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, automatically rotating, and managing secrets such as database passwords. With rotation enabled, Secrets Manager can automatically rotate the password every 30 days without requiring custom code, and it integrates natively with Lambda via the AWS SDK to retrieve the secret at runtime, avoiding storage in environment variables.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, but Parameter Store lacks native automatic rotation, making it unsuitable for the 30-day rotation requirement without additional custom automation.

How to eliminate wrong answers

Option B is wrong because storing a KMS-encrypted password in a Lambda environment variable still exposes the encrypted value in the function's configuration and does not support automatic rotation; the password would need manual rotation and re-deployment. Option C is wrong because AWS Systems Manager Parameter Store SecureString without automation does not provide automatic rotation; it only stores the secret securely, requiring custom logic to rotate the password every 30 days. Option D is wrong because an encrypted object in Amazon S3 lacks native rotation capabilities and introduces unnecessary complexity for secret retrieval, as Lambda would need to decrypt the object and manage rotation manually.
