CCNA Design Solutions for Organizational Complexity Questions

75 of 455 questions · Page 2/7 · Design Solutions for Organizational Complexity · Answers revealed

76
MCQeasy

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts and business applications. The company uses Microsoft Active Directory on-premises. Which AWS service should be used to integrate with the existing directory?

A.Amazon Cognito user pools
B.AWS Organizations
C.AWS Identity and Access Management (IAM)
D.AWS IAM Identity Center (AWS SSO) with an AWS Managed Microsoft AD directory
AnswerD

Integrates with on-premises AD via AD Connector or managed AD.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) can be integrated with an AWS Managed Microsoft AD directory to provide a single sign-on experience across multiple AWS accounts and business applications. This integration allows users to authenticate using their existing on-premises Active Directory credentials via AD Connector or a two-way forest trust, enabling seamless access to the AWS Management Console, command-line interface, and supported SAML 2.0 applications.

Exam trap

The trap here is that candidates often confuse AWS IAM Identity Center with AWS IAM, assuming IAM alone can provide SSO across multiple accounts, but IAM is account-scoped and lacks the centralized application portal and cross-account federation capabilities that IAM Identity Center provides.

How to eliminate wrong answers

Option A is wrong because Amazon Cognito user pools are designed for customer-facing identity and access management, not for integrating with an existing on-premises Microsoft Active Directory for employee SSO across multiple AWS accounts. Option B is wrong because AWS Organizations is a service for centrally managing and governing multiple AWS accounts, not for providing identity federation or SSO capabilities. Option C is wrong because AWS IAM is used for managing permissions for individual AWS users and roles, but it does not natively support SSO integration with on-premises Active Directory or provide a centralized portal for accessing multiple AWS accounts and business applications.

77
MCQeasy

A company wants to centrally manage backups for Amazon EBS volumes across multiple AWS accounts. They need a solution that can automatically back up volumes based on tags, retain backups according to a policy, and send notifications on failures. Which AWS service should they use?

A.AWS CloudFormation StackSets
B.Amazon RDS automated backups
C.AWS Backup
D.Amazon S3 lifecycle policies
AnswerC

AWS Backup provides centralized backup management across accounts.

Why this answer

AWS Backup is the correct service because it provides a centralized, policy-based backup solution for Amazon EBS volumes across multiple AWS accounts (cross-account management is enabled through AWS Organizations). It supports tag-based resource assignment, retention rules in backup plans, and integrates with Amazon EventBridge (formerly CloudWatch Events) and Amazon SNS to send notifications on failed backup jobs, meeting all the stated requirements.

Exam trap

The trap here is that candidates might confuse AWS Backup with native snapshot management or assume that a service like CloudFormation StackSets can handle backup automation, but only AWS Backup provides the centralized, policy-driven, cross-account backup management with notification capabilities required by the scenario.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets is used to deploy infrastructure as code across multiple accounts and regions, not for managing backups or retention policies. Option B is wrong because Amazon RDS automated backups are specific to RDS databases and cannot back up EBS volumes or operate across multiple accounts. Option D is wrong because Amazon S3 lifecycle policies manage the transition and expiration of objects within S3 buckets, not the backup of EBS volumes.

78
MCQmedium

Refer to the exhibit. A solutions architect is reviewing an IAM trust policy for a Lambda function's execution role. The function needs to access an S3 bucket in the same account. The trust policy is as shown. What is missing for the Lambda function to successfully assume the role?

A.An IAM policy must be attached to the role granting permissions to the S3 bucket
B.A service control policy must allow Lambda to assume roles
C.The S3 bucket must have a resource-based policy allowing the Lambda function
D.The trust policy must specify the Lambda function name
AnswerA

The trust policy allows Lambda to assume the role, but the role itself needs an IAM policy to grant S3 access.

Why this answer

Option A is correct because the IAM trust policy only allows the Lambda service to assume the role, but it does not grant any permissions to access the S3 bucket. For the Lambda function to successfully read or write objects in the S3 bucket, an IAM permissions policy (e.g., s3:GetObject, s3:PutObject) must be attached to the role. Without this policy, the role has no effective permissions to perform actions on the bucket, even though the trust policy allows the role to be assumed.

Exam trap

The trap here is that candidates often confuse the trust policy (which controls who can assume the role) with the permissions policy (which controls what actions the role can perform), leading them to think the trust policy alone is sufficient for accessing resources.

How to eliminate wrong answers

Option B is wrong because service control policies (SCPs) are used in AWS Organizations to restrict permissions for accounts, not to allow Lambda to assume roles; SCPs can only deny or allow permissions, but they do not grant the ability to assume roles—that is handled by IAM trust policies. Option C is wrong because the S3 bucket resource-based policy is not required when the Lambda function and the bucket are in the same account; in the same account, IAM roles alone can grant access without needing a bucket policy. Option D is wrong because the trust policy does not need to specify the Lambda function name; it only needs to specify the AWS service principal (lambda.amazonaws.com) to allow the Lambda service to assume the role on behalf of any function in the account.

79
MCQhard

A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?

A.Create a VPN connection from each VPC to a central network appliance.
B.Use AWS PrivateLink to connect each VPC to a central VPC endpoint service.
C.Create a Transit Gateway in the networking account and share it with other accounts using AWS Resource Access Manager.
D.Create VPC peering connections between each VPC and a central VPC.
AnswerC

Allows centralized management and self-service attachment via RAM.

Why this answer

Option C is correct because a Transit Gateway created in the networking account can be shared with the other accounts (or with the whole organization or an OU) through AWS Resource Access Manager. The networking team keeps ownership of the gateway and its route tables, while each account owner creates VPC attachments to the shared gateway themselves, which is exactly the split between central management and self-service that the question asks for. Option A is wrong because a VPN from every VPC to a central appliance neither scales to hundreds of accounts nor gives central management. Option B is wrong because AWS PrivateLink exposes a specific service endpoint, not general VPC-to-VPC routing. Option D is wrong because VPC peering is non-transitive and a hub of peering connections does not scale to hundreds of accounts.

80
MCQeasy

A company has a single AWS account that hosts multiple applications for different business units. Each business unit wants to have its own set of IAM users and permissions. The company wants to minimize administrative overhead while maintaining separation. They are considering using AWS Organizations with multiple accounts. However, the CFO is concerned about increased costs due to separate accounts. What is the best solution to address the business units' needs while managing costs?

A.Create an Organizational Unit for each business unit within the existing account.
B.Use IAM policies with conditions based on resource tags to restrict access within the single account.
C.Create a separate AWS account for each business unit and use consolidated billing to manage costs.
D.Use Service Control Policies to restrict each business unit's access to specific services.
AnswerB

Allows logical separation without additional accounts.

Why this answer

Option B is correct because IAM policies whose conditions test resource tags (for example, aws:ResourceTag/BusinessUnit) give each business unit its own logically separated set of users and permissions inside the existing account, without creating additional accounts. In practice this scheme only holds if the tags themselves are protected: each business unit's principals must also be denied the tagging actions that would let them relabel another unit's resources. Option A is wrong because organizational units are a construct of AWS Organizations for grouping accounts; they cannot be created inside an account and do not manage IAM users. Option C is wrong because the question rules out additional accounts on cost grounds. Option D is wrong because service control policies restrict what an entire account can do; they do not separate users within one account.

81
MCQhard

A company uses AWS Organizations and has a requirement that all API calls to AWS services must be logged and monitored. The security team wants to create a central CloudWatch dashboard that shows API activity across all accounts. Which solution should be implemented with the least operational overhead?

A.Use Amazon EventBridge to capture API calls from all accounts and route them to a central CloudWatch Logs group.
B.Enable CloudTrail in each account and configure the trail to send logs to a CloudWatch Logs group in that account. Then create a cross-account CloudWatch dashboard.
C.Use CloudWatch cross-account observability to aggregate logs from all accounts into a single monitoring account.
D.Enable an organization trail in CloudTrail in the management account to deliver logs to a central S3 bucket. Use Amazon CloudWatch Logs to process the logs and create a metric filter, then build a dashboard.
AnswerD

Organization trail centralizes logs, and CloudWatch Logs can create metrics and dashboards.

Why this answer

Option D is correct because an organization trail created in the management account applies to every account in the organization, including accounts added later, and delivers all events to one central S3 bucket with no per-account configuration. The same trail can also be configured to deliver events to a CloudWatch Logs log group in the management account; a metric filter on that log group (for example, counting events whose errorCode is AccessDenied, or all events per recipientAccountId) produces the metrics behind a single CloudWatch dashboard covering every account. Note that CloudWatch Logs does not read from S3 directly: the trail delivers to the log group, and the S3 bucket remains the durable archive.

Exam trap

The trap here is that candidates often assume cross-account observability (Option C) is the simplest solution for central monitoring, but it does not natively aggregate CloudTrail logs and requires additional configuration, whereas an organization trail provides automatic, centralized logging with minimal overhead.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge captures events from AWS services but does not natively capture all API calls; CloudTrail is the service designed to log API activity, and EventBridge would require custom rules and additional infrastructure to route logs centrally. Option B is wrong because enabling CloudTrail in each account individually and sending logs to separate CloudWatch Logs groups creates significant operational overhead (managing trails per account) and cross-account dashboards require complex IAM permissions and log group sharing, which is not the simplest approach. Option C is wrong because CloudWatch cross-account observability is designed for monitoring metrics, logs, and traces across accounts but does not directly aggregate CloudTrail logs; it would still require each account to send logs to a central monitoring account, adding overhead compared to a single organization trail.
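The counting that a CloudWatch Logs metric filter performs over an organization trail, as an added example (not code from this page or from AWS). It runs offline over constructed CloudTrail records in CloudTrail's JSON shape; a real filter pattern such as `{ $.errorCode = "AccessDenied" }` is compiled by CloudWatch, and here the same test is expressed as a dict of dotted field paths. The account IDs, principals and the `count_by_account` helper are made up for illustration.

```python
# Added example, not code from the page or from AWS: the per-account counting a
# CloudWatch Logs metric filter would do over an organization trail, written in plain
# Python over constructed CloudTrail records so it runs offline. Account IDs and
# principals are made up.
import json
from collections import Counter

# Constructed records in CloudTrail's JSON shape (fields trimmed to those used below).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "eu-west-2",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::222222222222:user/alice is not authorized to "
                     "perform: s3:DeleteBucket on resource: arn:aws:s3:::prod-data with "
                     "an explicit deny in a service control policy"},
    {"eventTime": "2024-05-01T09:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "eu-west-2", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"}},
    {"eventTime": "2024-05-01T09:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::333333333333:assumed-role/Developer/bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T09:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2024-05-01T09:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "eu-west-2", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::333333333333:assumed-role/Developer/bob"}},
]})


def _lookup(record, dotted_path):
    """Walk a dotted path ("userIdentity.type") through nested dicts; None if absent."""
    node = record
    for part in dotted_path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def matches(record, terms):
    """All terms must hold, like the AND of clauses in a metric-filter pattern."""
    return all(_lookup(record, path) == want for path, want in terms.items())


def count_by_account(log_text, terms):
    """Per-account count of records matching `terms` (empty terms = every event).
    This is the number a metric filter would emit, keyed by the account the event
    belongs to, which is what a cross-account dashboard graphs."""
    records = json.loads(log_text)["Records"]
    return Counter(r["recipientAccountId"] for r in records if matches(r, terms))


# Filters a security team would typically start with on an organization trail.
ALL_API_CALLS = {}
ACCESS_DENIED = {"errorCode": "AccessDenied"}
ROOT_ACTIVITY = {"userIdentity.type": "Root"}

if __name__ == "__main__":
    for name, terms in [("all", ALL_API_CALLS), ("denied", ACCESS_DENIED), ("root", ROOT_ACTIVITY)]:
        print(name, dict(count_by_account(SAMPLE_LOG, terms)))
```

The `errorMessage` on the first record is the form CloudTrail uses when a call is blocked by an SCP (the text ends with "an explicit deny in a service control policy"), so a filter on that phrase separates guardrail denials from ordinary IAM denials.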

82
MCQhard

Refer to the exhibit. A company has the above AWS Organization with a management account (111111111111) and a production account (222222222222). The security administrator in the management account creates an SCP that denies s3:DeleteBucket. The SCP is attached to the root. The production account's administrator tries to delete an S3 bucket and fails. What is the MOST likely reason?

A.The production account's IAM policy denies s3:DeleteBucket.
B.The SCP only applies to the management account.
C.The SCP applies to the production account because it is attached to the root.
D.The production account is the management account.
AnswerC

SCPs at the root apply to all member accounts.

Why this answer

Option C is correct because an SCP attached to the organization root is inherited by every OU and member account beneath it, so the deny on s3:DeleteBucket applies to the production account (222222222222), and an explicit SCP deny cannot be overridden by any IAM policy inside that account. Option A is wrong because, although an IAM deny could also produce this failure, the question describes a root-level SCP that was just attached, which is the most likely cause. Option B is wrong on two counts: SCPs apply to member accounts, and they never restrict the management account at all. Option D is wrong because 222222222222 is a member account distinct from the management account (111111111111).

A practitioner confirming the cause would look at the failed call in CloudTrail: an SCP denial is an AccessDenied error whose message states that the action was denied by an explicit deny in a service control policy.

83
MCQhard

A global company uses AWS Organizations with multiple organizational units (OUs) for different business units. The networking team wants to ensure that all VPCs across all accounts can communicate through a central transit gateway. However, the security team requires that specific accounts cannot access each other's resources. Which combination of actions should the company take to meet these requirements?

A.Create a central transit gateway with a single route table. Use VPC endpoints to control traffic between VPCs.
B.Create VPC peering connections between all VPCs and use route tables to control access.
C.Create a central transit gateway with separate route tables for each VPC attachment. Use network ACLs in each VPC to restrict traffic between specific VPCs.
D.Create a central transit gateway with a single route table. Use security groups in each VPC to restrict traffic.
AnswerC

Separate route tables allow granular routing, and network ACLs can filter traffic at the subnet level.

Why this answer

Option C is correct because AWS Transit Gateway supports multiple route tables: each VPC attachment is associated with one route table and propagates its routes only to the tables the networking team chooses, so the team decides centrally which attachments can reach which. Network ACLs, which apply at the subnet level, then filter traffic between specific VPC CIDR ranges inside each VPC. Option A is wrong because VPC endpoints provide private access to AWS services, not VPC-to-VPC routing. Option B is wrong because a full mesh of VPC peering connections has no central management and does not scale. Option D is wrong because a single route table places every attachment in one routing domain, so every VPC can reach every other, and security groups (instance-level, and managed by each account owner) are not a central control over which VPCs may talk.

84
MCQeasy

A company is migrating to AWS and wants to use AWS CloudFormation to manage infrastructure as code. The DevOps team needs to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

A.AWS CloudFormation Drift Detection
B.AWS CloudFormation StackSets
C.AWS CloudFormation Change Sets
D.AWS CloudFormation Nested Stacks
AnswerC

Change Sets provide a preview of changes before execution.

Why this answer

Option C is correct because a change set shows exactly which resources CloudFormation will add, modify or replace before anything is executed; the team reviews and approves the change set, then executes it. Option A is wrong because drift detection reports differences between the template and the live stack; it does not review pending updates. Option B is wrong because StackSets deploy stacks across accounts and Regions. Option D is wrong because nested stacks reuse templates; they add no review step.

85
Multi-Selecteasy

A company is using AWS Organizations with multiple accounts. The IT team wants to centrally manage AWS Systems Manager Patch Manager to patch EC2 instances across all accounts. Which TWO actions are required?

Select 2 answers
A.Install the AWS Systems Manager Agent (SSM Agent) on each EC2 instance in all accounts.
B.Enable AWS Config in all accounts to track patch compliance.
C.Configure the instance profile for each EC2 instance to include the AmazonSSMManagedInstanceCore policy.
D.Create an IAM service role for Systems Manager in each member account and attach the AmazonSSMManagedInstanceCore policy.
E.Create a maintenance window in the management account and target instances using AWS Resource Groups that span accounts.
AnswersD, E

Required for SSM to manage instances.

Why this answer

Options D and E are correct. D: Systems Manager can only manage an account's instances once an IAM role carrying the AmazonSSMManagedInstanceCore permissions exists in that account, so the role has to be created in each member account. E: a maintenance window defined in the management account then targets instances in the member accounts through resource groups, which is what makes the patching centrally managed.

Option A is wrong because SSM Agent comes preinstalled on Amazon-provided AMIs and does not need to be installed or replaced by hand. Option B is wrong because Patch Manager does not rely on AWS Config; Config can report patch compliance but is not required for patching. Option C is wrong because configuring each instance's profile is per-instance work rather than the central setup the question asks about. In practice a managed instance still needs a running SSM Agent and an instance role with AmazonSSMManagedInstanceCore before any maintenance window can reach it; the question treats those prerequisites as already in place.

86
MCQhard

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

A.Create one OU per account type (Prod, Dev, Test) and use SCPs to restrict access to resources based on tags.
B.Create a single OU for all accounts and use IAM permissions boundaries to restrict access.
C.Use AWS Resource Access Manager to share resources only within the same country and use IAM policies to restrict cross-country access.
D.Create separate OUs for each country (US, UK, Germany) under Control Tower. Apply SCPs at each country OU that deny access to resources in other country OUs.
AnswerD

This enforces data residency at the organizational level.

Why this answer

Option D is correct because AWS Control Tower lets you create an OU per country and attach SCPs at the OU level. An SCP on the UK OU can deny all actions on resources that belong to accounts outside that OU, using conditions on the resource side of the request (aws:ResourceOrgPaths for the OU path, or aws:ResourceAccount for an explicit account list), and the German OU gets the mirror-image policy. Because SCPs are evaluated before any IAM policy in the member accounts, no role in a UK account can be granted access to German resources, which enforces the residency boundary at the organization level rather than account by account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies or permissions boundaries, thinking that IAM-level controls are sufficient for cross-account isolation, when in fact only SCPs at the OU level can enforce a hard deny across all accounts in an organization.

How to eliminate wrong answers

Option A is wrong because creating OUs per account type (Prod, Dev, Test) does not provide a mechanism to isolate access between countries; tags can be changed or omitted, and SCPs based on tags are not a reliable enforcement for strict data residency requirements. Option B is wrong because a single OU for all accounts cannot enforce cross-country isolation; IAM permissions boundaries are per-account and do not prevent cross-account access between countries within the same OU. Option C is wrong because AWS Resource Access Manager (RAM) is used for sharing resources, not for restricting access; IAM policies alone cannot prevent cross-country access if the accounts are in the same organization without SCPs at the OU level.

87
MCQmedium

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs across different accounts that need to authenticate against the same directory. What is the MOST scalable and secure way to provide this access?

A.Set up a VPN connection from each VPC to the on-premises AD.
B.Deploy AWS Managed Microsoft AD in a central account and share it with other accounts using AWS Resource Access Manager.
C.Clone the directory and deploy it in each account.
D.Deploy an AD Connector in each VPC pointing to the on-premises AD.
AnswerB

Allows centralized directory with cross-account sharing.

Why this answer

Option B is correct because AWS Managed Microsoft AD can be shared with other accounts in the organization through AWS Resource Access Manager, giving every account's VPCs a single directory to join. Option A is wrong because a VPN from each VPC to the on-premises AD keeps the dependency on the directory the company is migrating away from. Option C is wrong because cloning the directory per account creates multiple independent directories that must be kept in sync. Option D is wrong because an AD Connector per VPC still proxies to the on-premises AD and multiplies the components to manage.

88
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to centrally enforce that all S3 buckets across all accounts have server-side encryption enabled. Which solution should be used?

A.Use AWS CloudTrail to monitor and alert on bucket creation without encryption
B.Use AWS Config rules with auto-remediation in each account
C.Attach a service control policy (SCP) to the root organizational unit that denies s3:PutBucket without encryption
D.Define an IAM policy in each account to deny S3:PutBucket without encryption
AnswerC

SCPs centrally deny actions across all accounts.

Why this answer

Option C is correct because an SCP attached to the organization root applies to every member account and cannot be overridden by IAM policies inside those accounts, so it is the only option that centrally prevents the action rather than detecting it afterwards. The pattern is a Deny statement with a condition that fires when the request does not carry the required encryption setting. Two practical caveats: s3:PutBucket is not a real IAM action name (the bucket-creation action is s3:CreateBucket), and the s3:x-amz-server-side-encryption condition key is evaluated on object uploads (s3:PutObject), not on bucket creation, because a bucket's default encryption is set by a separate s3:PutEncryptionConfiguration call. The SCP organizations actually deploy therefore denies s3:PutObject unless the request names the approved encryption (for example aws:kms); note also that since January 2023 S3 applies SSE-S3 default encryption to every new bucket automatically.

Exam trap

The trap here is that candidates often choose AWS Config with auto-remediation (Option B) because it can fix noncompliant buckets, but they overlook that SCPs provide a preventive, centrally managed control that cannot be overridden by account-level administrators, which is the key requirement for central enforcement across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records API calls; it can alert on bucket creation without encryption but cannot enforce or prevent the creation of unencrypted buckets—it is reactive, not proactive. Option B is wrong because AWS Config rules with auto-remediation run within each individual account and require per-account setup; they do not provide a central enforcement mechanism across all accounts in an organization, and auto-remediation can be disabled or bypassed by account administrators. Option D is wrong because IAM policies defined in each account can be modified or removed by administrators in that account, so they do not provide a centrally enforceable, immutable guardrail across the entire organization.

89
MCQmedium

A company uses AWS Organizations with 50 accounts. The networking team wants to deploy a shared VPC in the network account and share subnets with other accounts. The shared subnets will host EC2 instances from the consuming accounts. What is the MOST secure way to ensure that only authorized accounts can create resources in the shared subnets?

A.Use AWS Transit Gateway to route traffic between accounts and rely on route tables to control access.
B.Use AWS Resource Access Manager to share subnets with specific accounts and require that the consuming account uses a service-linked role.
C.Create VPC Peering connections between the network account and each consuming account, and use security groups to restrict access.
D.Create an SCP that denies ec2:RunInstances unless the subnet is in the network account.
AnswerB

RAM provides fine-grained sharing and the service-linked role ensures secure creation of resources.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows the network account to share subnets with specific consuming accounts, and requiring a service-linked role ensures that only authorized accounts can launch resources in those subnets. This approach provides granular, cross-account subnet sharing without exposing the VPC to unauthorized actions, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse network connectivity solutions (like Transit Gateway or VPC Peering) with resource sharing and authorization mechanisms, leading them to select options that enable traffic flow but do not control which accounts can create resources in shared subnets.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub for routing traffic between VPCs and on-premises networks, not a mechanism to control which accounts can create resources in shared subnets; route tables manage traffic flow, not authorization. Option C is wrong because VPC Peering connections enable network connectivity between VPCs but do not provide a way to share subnets or control which accounts can launch EC2 instances in them; security groups only filter traffic at the instance level, not authorize account-level access. Option D is wrong because an SCP that denies ec2:RunInstances unless the subnet is in the network account would prevent all consuming accounts from launching instances in shared subnets, as the subnet belongs to the network account, not the consuming account; SCPs cannot conditionally allow actions based on subnet ownership across accounts in this way.

90
Multi-Selecteasy

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts and business applications. Which TWO components are required for this setup?

Select 2 answers
A.AWS Cloud Directory
B.A service control policy (SCP) attached to the root
C.An IAM user in each account
D.An external identity provider (IdP) such as Azure AD or Okta
E.Permission sets that define the level of access to each account
AnswersD, E

AWS SSO can connect to an external IdP for user authentication.

Why this answer

Options D and E are correct. IAM Identity Center (formerly AWS SSO) needs an identity source for authentication, which the option lists as an external IdP such as Azure AD or Okta (the built-in identity store or an Active Directory are the other choices), and permission sets that define what each user or group may do in each assigned account. Option A is wrong because Amazon Cloud Directory is not an identity source for IAM Identity Center. Option B is wrong because SCPs govern what accounts in an organization may do; they play no part in SSO.

Option C is wrong because SSO users assume roles that Identity Center provisions from permission sets; no IAM users are created in the member accounts.

91
Multi-Selecthard

A company has a multi-account AWS environment with a centralized logging account. The security team needs to collect all Amazon S3 access logs and AWS CloudTrail logs from all accounts into a centralized Amazon S3 bucket in the logging account. Which THREE steps are required to meet this requirement? (Choose THREE.)

Select 3 answers
A.Enable S3 server access logging on each source bucket to deliver logs to the central S3 bucket.
B.Create an Amazon CloudWatch Logs subscription filter to stream logs from each account to the central bucket.
C.Enable AWS CloudTrail Insights in each account to capture S3 access logs.
D.Create an AWS CloudTrail trail in each account that delivers logs to the central S3 bucket.
E.Apply a bucket policy on the central S3 bucket that grants cross-account write access from each account's CloudTrail service.
AnswersA, D, E

S3 server access logs are enabled per bucket and can be delivered to a target bucket.

Why this answer

Option A is correct because S3 server access logging is configured per source bucket and delivers a log object for every request to a target bucket, which can be the central bucket in the logging account (the target bucket needs its own write grant for the logging.s3.amazonaws.com service principal). Option D is correct because a CloudTrail trail in each account (or one organization trail, which is the lower-overhead equivalent) delivers that account's API activity to the central bucket. Option E is correct because CloudTrail writes as the cloudtrail.amazonaws.com service principal, so the central bucket's policy must grant it s3:GetBucketAcl on the bucket and s3:PutObject on each account's prefix; without that grant, delivery from the other accounts fails.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs subscription filters or CloudTrail Insights as mechanisms to collect S3 access logs, when in fact S3 server access logging and CloudTrail trails are the correct services for this centralized logging requirement.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs subscription filters stream log group data to Kinesis Data Streams, Kinesis Data Firehose or Lambda, not directly to an S3 bucket, and S3 server access logs are not in CloudWatch Logs to begin with. Option C is wrong because CloudTrail Insights detects unusual API call rates; it does not capture S3 access logs.

92
Multi-Selectmedium

A company is using AWS Control Tower to manage multiple accounts. The security team wants to enforce that all accounts use a specific AWS Region for data storage. Which TWO steps should be taken to enforce this requirement?

Select 2 answers
A.Use AWS Config rules to detect resources in unapproved Regions and trigger automatic remediation.
B.Create an IAM policy that denies actions in unapproved Regions and attach it to all IAM roles.
C.Configure AWS IAM Identity Center to restrict access to approved Regions.
D.Enable AWS CloudTrail and set up an SNS notification for any API call in an unapproved Region.
E.Create a service control policy (SCP) that denies all actions in non-compliant Regions. Attach it to the root or OUs.
AnswersA, E

AWS Config can detect non-compliant resources and trigger remediation to delete or flag them.

Why this answer

AWS Control Tower uses Service Control Policies (SCPs) to centrally enforce restrictions across all accounts in an organization. An SCP that denies all actions in non-compliant Regions, attached to the root or OUs, prevents users in those accounts from performing any action in unapproved Regions, even if they have IAM permissions. AWS Config rules can detect non-compliant resources and trigger automatic remediation (e.g., deleting or stopping resources), providing a detective and corrective layer.

Together, these two steps enforce the requirement proactively (SCP) and reactively (Config).

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-level and can be bypassed by administrators) with SCPs (which are organization-wide and cannot be overridden by account admins), leading them to select Option B instead of Option E.

93
MCQhard

A large enterprise has a multi-account AWS environment managed through AWS Organizations. The central networking team uses a transit gateway in a shared services VPC to connect all VPCs. The security team requires that all traffic between VPCs be inspected by a third-party firewall appliance that is deployed in an auto-scaling group in the shared services VPC. The firewall appliance is configured as a Gateway Load Balancer (GWLB) endpoint. The transit gateway has a route table that sends all inter-VPC traffic to the GWLB endpoint. Recently, the operations team noticed that some applications are experiencing high latency and packet loss when communicating across VPCs. Upon investigation, they found that the firewall appliance is not scaling properly. Which solution should be implemented to ensure that the firewall can handle the traffic load and maintain low latency?

A.Enable cross-zone load balancing on the Gateway Load Balancer to distribute traffic evenly across all firewall instances in all Availability Zones.
B.Increase the size of the firewall instances to larger instance types to handle more traffic per instance.
C.Create additional Gateway Load Balancer endpoints in each Availability Zone and use a separate transit gateway route table for each AZ.
D.Configure the auto-scaling group to use a step scaling policy based on network throughput.
AnswerA

Cross-zone load balancing ensures that traffic is balanced across all healthy targets, improving scaling and reducing latency.

Why this answer

Option A is correct because Gateway Load Balancers (GWLB) by default do not distribute traffic across Availability Zones (AZs); they only send traffic to targets in the same AZ as the GWLB endpoint. Enabling cross-zone load balancing allows the GWLB to distribute traffic evenly across all healthy firewall instances in all AZs, which prevents overloading a single AZ's instances and ensures the auto-scaling group can scale effectively based on overall load, reducing latency and packet loss.

Exam trap

The trap here is that candidates assume Gateway Load Balancers inherently distribute traffic across all Availability Zones like Application Load Balancers do, but in reality, GWLB endpoints are zonal by default and require explicit cross-zone load balancing to spread traffic across AZs.

How to eliminate wrong answers

Option B is wrong because increasing instance size addresses per-instance capacity but does not fix the root cause of uneven traffic distribution across AZs; the firewall may still be overwhelmed in one AZ while others are underutilized, and scaling policies based on aggregate metrics may not trigger correctly. Option C is wrong because creating additional GWLB endpoints per AZ and separate TGW route tables per AZ would actually isolate traffic to each AZ, exacerbating the uneven distribution problem and potentially increasing complexity without solving the scaling issue. Option D is wrong because step scaling policies based on network throughput can help with scaling but do not address the fundamental issue that traffic is not evenly distributed across AZs; without cross-zone load balancing, the auto-scaling group may not scale appropriately because the load is concentrated in one AZ.

94
MCQeasy

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

A.Apply a service control policy (SCP) at the production OU level that denies s3:CreateBucket unless versioning and KMS encryption are specified in the request.
B.Use AWS CloudTrail to monitor bucket creation and send alerts to the security team.
C.Create an IAM policy that requires versioning and KMS encryption when creating buckets, and attach it to all users.
D.Use AWS Config rules to detect noncompliant buckets and auto-remediate with Lambda.
AnswerA

SCPs provide preventive enforcement at the organization level.

Why this answer

A service control policy (SCP) at the production OU is a preventive control: it is evaluated before the request reaches S3, so a request that does not satisfy the condition is refused and a noncompliant bucket never comes into existence. Nothing has to run afterwards, which is what "minimal operational overhead" is asking for. Practitioner caveat: the CreateBucket request carries no server-side-encryption header, and versioning is switched on afterwards with PutBucketVersioning, so the condition keys `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` are in practice evaluated on object uploads (PutObject and related calls), not on bucket creation; every new bucket also has SSE-S3 default encryption since January 2023. The SCP you would actually write denies s3:PutObject unless `s3:x-amz-server-side-encryption` is `aws:kms`, and versioning is checked with the AWS Config managed rule s3-bucket-versioning-enabled. The exam point is unchanged: pick the preventive, organization-level control.

Exam trap

The trap here is that candidates often choose AWS Config with auto-remediation (Option D) because it sounds automated, but they miss that SCPs are a preventive control with zero operational overhead, whereas Config is reactive and requires Lambda maintenance.

How to eliminate wrong answers

Option B is wrong because CloudTrail monitoring only alerts after the bucket is created, not preventing noncompliant buckets, and requires manual or automated follow-up, adding operational overhead. Option C is wrong because an IAM policy attached to users does not prevent creation by roles, services (e.g., CloudFormation), or cross-account access, and it cannot enforce compliance across all principals in the OU. Option D is wrong because AWS Config rules detect noncompliant buckets after creation and auto-remediate with Lambda, which is reactive and incurs overhead for remediation logic and potential race conditions, whereas SCPs prevent the violation proactively.

95
MCQeasy

A company wants to allow developers to launch EC2 instances only if they include a specific tag 'CostCenter'. The tag must be provided at launch. Which IAM policy should be used?

A.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"ec2:CreateAction":"true"}}}
B.{"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"false"}}}
C.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"true"}}}
D.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/CostCenter":"MyProject"}}}
AnswerB

Allow RunInstances only when the request context contains the tag: Null evaluating to false means the key is present.

Why this answer

Option B is correct because `"Null": {"aws:RequestTag/CostCenter": "false"}` is true only when the launch request carries a CostCenter tag, so the Allow applies to tagged launches and an untagged launch falls through to the implicit deny. Option A is wrong because `ec2:CreateAction` is a condition key of ec2:CreateTags (it names the API call that created the resource being tagged); it is not present in the context of a RunInstances request, so the Null test is always true and the statement denies every launch, tagged or not. Option C is a valid guard but not a complete answer: as a Deny-only statement it blocks untagged launches yet grants nothing, so it only works alongside a separate Allow for ec2:RunInstances. Option D is wrong because StringNotEquals also matches when the key is absent, so it denies every launch whose CostCenter is not exactly 'MyProject'; that is a value restriction, not the "tag must be provided" requirement.

Practitioner check: tagging at launch also needs ec2:CreateTags permission, usually scoped with `"StringEquals": {"ec2:CreateAction": "RunInstances"}`, otherwise the tagged launch itself fails.
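Added example (not part of the question bank): a toy evaluator for the three condition operators used in the four options, run against constructed ec2:RunInstances request contexts. It goes one step beyond the question by also evaluating each option next to an ordinary unconditional Allow, which is the situation in a real account; that is where the difference between a conditional Allow (option B) and a Deny guard (option C) shows. The evaluator models only Null, StringEquals and StringNotEquals with IAM's documented semantics (negated operators match when the key is absent) and ignores Resource matching; the request contexts are constructed, and ec2:CreateAction is left out of them because it belongs to ec2:CreateTags requests.

```python
"""Toy IAM condition evaluator for the four RunInstances policies (added example)."""

import json

# The four policy statements from the question, verbatim.
OPTIONS = {
    "A": '{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"ec2:CreateAction":"true"}}}',
    "B": '{"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"false"}}}',
    "C": '{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"true"}}}',
    "D": '{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/CostCenter":"MyProject"}}}',
}

# A plain Allow that a developer role carries anyway (constructed for the example).
BASE_ALLOW = {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}

# Constructed request contexts for ec2:RunInstances.  ec2:CreateAction is absent
# on purpose: that key appears on ec2:CreateTags requests, not on RunInstances.
UNTAGGED = {}
TAGGED = {"aws:RequestTag/CostCenter": "1234"}
TAGGED_MYPROJECT = {"aws:RequestTag/CostCenter": "MyProject"}


def condition_matches(condition, ctx):
    """Every operator block and every key inside it must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" matches when the key is absent, "false" when it is present
                if present == (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # negated operators evaluate to true when the key is missing
                if present and ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(statements, action, ctx):
    """Return 'deny' (explicit), 'allow', or 'implicit-deny' for one action."""
    decision = "implicit-deny"
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions or not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins
        decision = "allow"
    return decision


def decide(option, ctx, with_base_allow=False):
    """Decision for one option, alone or combined with the unconditional BASE_ALLOW."""
    statements = [json.loads(OPTIONS[option])]
    if with_base_allow:
        statements.append(BASE_ALLOW)
    return evaluate(statements, "ec2:RunInstances", ctx)


if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, "alone:", decide(opt, UNTAGGED), "/", decide(opt, TAGGED),
              " with base allow:", decide(opt, UNTAGGED, True), "/", decide(opt, TAGGED, True))
```

Run as a script it prints the decision for each option untagged and tagged, alone and next to the base Allow. The point to take away: option B enforces the tag only while it is the sole Allow for RunInstances; once another policy grants the action unconditionally, only the Deny guard in option C still blocks untagged launches, which is why production setups usually carry both.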

96
MCQhard

A company uses AWS Organizations with 100 accounts. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if MFA is not present. However, some users report that they cannot access the console even with MFA. What is the most likely reason?

A.The SCP does not include an explicit allow for the sts:GetSessionToken action.
B.The IAM policy attached to the users does not allow any actions.
C.The SCP does not apply to users who have administrative privileges.
D.The SCP also denies access to the root user of each account.
AnswerA

Without allowing STS:GetSessionToken, the MFA challenge cannot be completed.

Why this answer

Option A is correct because the SCP must still allow sts:GetSessionToken. A request made with long-term access keys carries no aws:MultiFactorAuthPresent key at all; the way such a user obtains credentials that do carry it is to call GetSessionToken with the MFA code. If the blanket deny covers that call too, the user can never satisfy the condition. Option D is wrong because, although SCPs do apply to the root user of member accounts, the question is about IAM users, so an effect on root would not explain their failures. Option B is wrong because a missing IAM allow would fail with or without MFA and has nothing to do with the SCP.

Option C is wrong because SCPs apply to every IAM user and role in a member account, administrators included; only the management account and service-linked roles are outside their reach.

Practitioner check: write the condition as `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}` so that requests in which the key is absent are also denied, and exclude from the deny the calls a user needs to enroll a device (iam:ListMFADevices, iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:GetUser) together with sts:GetSessionToken; otherwise first-time users are locked out.

97
Multi-Selecthard

A company has a central IT account that manages DNS using Amazon Route 53 Private Hosted Zones. Multiple VPCs from different accounts are associated with the same private hosted zone. The company wants to ensure that only authorized VPCs can resolve records in the zone. Which three steps should be taken? (Choose THREE.)

Select 3 answers
A.Create a Route 53 Resolver rule in the central account to forward queries to the private hosted zone.
B.Restrict IAM permissions to only allow authorized users to associate VPCs with the hosted zone.
C.Associate each VPC with the private hosted zone using the authorize zone association API.
D.Use AWS RAM to share the private hosted zone with the other accounts.
E.Create a VPC peering connection between the central account and each VPC.
AnswersB, C, D

IAM permissions control who can perform the association.

Why this answer

Option B is correct because restricting IAM permissions ensures that only authorized users can associate VPCs with the private hosted zone, preventing unauthorized VPCs from resolving records. Option C is correct because cross-account association is a two-step handshake: the zone owner calls CreateVPCAssociationAuthorization for the specific VPC, then the VPC's account calls AssociateVPCWithHostedZone; a VPC that was never authorized cannot complete the association. Option D is keyed as correct on the basis that the zone is shared with the other accounts; note for practice that a hosted zone is not itself a RAM-shareable resource type (what RAM shares in this area are Resolver rules, and Route 53 Profiles that carry hosted zone associations), so the authorization flow in option C is the mechanism actually used. Option A is wrong because a Resolver rule forwards queries to DNS servers by IP address, for example on-premises resolvers; it does not grant access to a private hosted zone. Option E is wrong because peering is network connectivity only and does not make the zone resolvable.

Exam trap

The trap here is that candidates often confuse VPC peering with DNS resolution; peering provides network connectivity but does not automatically grant DNS resolution from a private hosted zone, which requires explicit association or sharing via AWS RAM.

98
MCQeasy

A startup is launching a new multi-account AWS environment using AWS Organizations. They want to ensure that only the central security team has access to the root user of each member account. Additionally, they want to enable multi-factor authentication (MFA) for the root user of each account. The security team has access to the management account. What is the MOST secure and efficient way to meet these requirements?

A.Use AWS Organizations to create a new IAM user in each member account with full permissions, and disable the root user.
B.Capture the root user email addresses and passwords in a secure password manager and share them with the security team.
C.Use the management account to assume an IAM role in each member account that has permissions to reset the root user password and enable MFA. Then, rotate the root user password and enable MFA.
D.Use AWS Single Sign-On (SSO) to grant the security team access to the root user credentials for each account.
AnswerC

This allows central management without sharing credentials.

Why this answer

Option C is correct because the management account can assume a role in each member account (the OrganizationAccountAccessRole that AWS Organizations creates in accounts it provisions is the usual one), so the security team operates through cross-account roles rather than through shared root credentials. Option A is incorrect because AWS Organizations does not create IAM users in member accounts or disable the root user, and a full-permissions IAM user in every account recreates the problem of standing privileged credentials.

Option D is incorrect because AWS Single Sign-On (now IAM Identity Center) provisions permission-set roles; it never exposes or manages root user credentials. Option B is inefficient and insecure because it shares long-lived root credentials among people.

Practitioner caveat: the root password reset itself runs through the account's email address and the console sign-in page, not through an IAM API call, so the security team should own the root email addresses of all member accounts (for example a distribution list it controls) and enable root MFA by signing in as root once.

99
Multi-Selectmedium

A company is designing a multi-account architecture using AWS Organizations. The company wants to enforce that all Amazon S3 buckets across all accounts must have server-side encryption (SSE) enabled. Which TWO actions should be taken to enforce this requirement?

Select 2 answers
A.Create a service control policy (SCP) that denies s3:PutBucket* actions unless encryption is specified.
B.Set the default encryption on each bucket to disable encryption.
C.Enable AWS CloudTrail to log all S3 API calls and trigger a Lambda function to remediate.
D.Create an IAM policy with a global condition for SSE and attach it to all users and roles.
E.Use AWS Config rules to detect S3 buckets without encryption and automatically remediate.
AnswersA, E

SCPs can deny actions that do not meet conditions, such as requiring encryption.

Why this answer

Option A is correct because a service control policy (SCP) can be applied at the AWS Organizations root, OU, or account level to deny S3 operations that do not include encryption. By using a condition key like `s3:x-amz-server-side-encryption` in the SCP, you can refuse any request that does not specify encryption, which is a preventive, centralized control that account administrators cannot override. Option E is correct because AWS Config managed rules such as s3-bucket-server-side-encryption-enabled and s3-default-encryption-kms flag buckets whose default encryption is missing or not KMS, and a remediation action backed by a Systems Manager Automation document can apply the bucket encryption configuration; this catches buckets that predate the SCP or were created in a way the SCP did not cover. Practitioner caveat: the `s3:x-amz-server-side-encryption` key is evaluated on object uploads, so the preventive half is normally written as a deny of s3:PutObject without the header (or of s3:PutBucketEncryption calls that would downgrade the setting); since January 2023 every new bucket has SSE-S3 enabled by default, so the realistic requirement is enforcing SSE-KMS rather than any SSE at all.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules with auto-remediation) with preventive controls (like SCPs), but the question specifically asks to 'enforce' the requirement, which demands a preventive approach that blocks non-compliant actions before they occur.

100
MCQeasy

A company uses AWS Organizations with a management account and several member accounts. The security team needs to centrally manage IAM users and roles across all accounts. Which AWS service should the company use?

A.AWS Directory Service for Microsoft Active Directory.
B.AWS Identity and Access Management (IAM) in the management account.
C.AWS IAM Identity Center (AWS SSO).
D.Amazon Cognito user pools.
AnswerC

Provides centralized access management across accounts.

Why this answer

Option C is correct because AWS IAM Identity Center (successor to AWS SSO) manages workforce users and groups once and maps them through permission sets to roles in every member account. Option B is wrong because IAM is scoped to a single account; users created in the management account cannot be used in member accounts except through cross-account roles that must be set up account by account. Option D is wrong because Cognito user pools are for customer-facing application identities.

Option A is wrong because Directory Service provides a directory, which can serve as the identity source for IAM Identity Center, but it does not by itself grant or manage access to AWS accounts.

101
Multi-Selectmedium

A company uses AWS Organizations with consolidated billing. The company wants to share a centrally managed Amazon VPC subnet across multiple accounts using AWS Resource Access Manager (RAM). Which THREE resources can be shared via RAM? (Choose THREE.)

Select 3 answers
A.License configurations
B.Subnets
C.Transit gateways
D.VPC peering connections
E.Security groups
AnswersA, B, C

License Manager configurations can be shared via RAM.

Why this answer

Option A is correct because AWS License Manager configurations can be shared across accounts using AWS Resource Access Manager (RAM), enabling centralized management of software licenses and consistent enforcement of license rules across the organization. Option B is correct because VPC subnets can be shared with other accounts in the organization (VPC sharing), which lets participant accounts launch resources into the centrally managed VPC the question describes. Option C is correct because a transit gateway can be shared so that VPCs in other accounts attach to it. Option D is wrong because a VPC peering connection is a point-to-point link between two VPCs that is requested by one account and accepted by the other; it is not a shareable resource. Option E is wrong because security groups are not among the resource types shared here; each participant in a shared VPC creates and manages its own security groups.

Exam trap

The trap here is that candidates often assume VPC peering connections can be shared via RAM because they are a networking construct, but RAM only supports sharing of resources that can be centrally managed and attached to multiple accounts, not point-to-point connections like VPC peering.

102
Drag & Dropmedium

Drag and drop the steps to restore an Amazon RDS DB instance from a snapshot in the correct order.

Why this order

First navigate to snapshots, restore, configure settings, wait for completion, then update application endpoint.

103
MCQhard

A company uses AWS Organizations with a hierarchical OU structure. The security OU has an SCP that denies all actions except those explicitly allowed. The development OU has an SCP that allows all actions. A developer account in the development OU tries to launch an EC2 instance but receives an access denied error. The IAM user in the developer account has full administrator permissions. What is the most likely cause?

A.An SCP at the root level denies EC2 actions.
B.The SCP at the development OU level denies EC2 actions.
C.The IAM user does not have MFA enabled, and an SCP requires MFA.
D.An SCP at the root level requires encryption on EC2 instances, which is not satisfied.
AnswerA

A restrictive SCP at the root applies to every account beneath it, and the permissive development OU SCP cannot add back what the root removes.

Why this answer

Option A is correct because SCPs combine as an intersection along the path from the root through each OU to the account: a request is permitted only if every level allows it and no level denies it. If the root SCP is an allow-list that omits EC2, or carries a Deny for ec2:*, the development OU's allow-all SCP and the user's AdministratorAccess policy cannot help. Option D is wrong because nothing in the scenario mentions encryption; an SCP could condition on `ec2:Encrypted`, but that would produce a denial specific to unencrypted volumes, not the general access denied described.

Option B is wrong because the question states that the development OU SCP allows all actions, so that level is not the one denying. Option C is wrong because SCPs have no built-in MFA requirement; an MFA condition exists only if someone wrote one, and the scenario gives no hint of that. Practitioner check: from the management account, `aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY` lists what is attached at the account (repeat for its OU and the root), and the IAM policy simulator, which takes SCPs into account, shows which statement denies ec2:RunInstances.
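Added example (not part of the question bank): a model of how the SCPs along root, OU and account combine, with constructed policies matching the scenario (a root allow-list that omits EC2, an allow-all development OU, an administrator identity policy). It is not AWS's evaluation engine; conditions and resource ARNs are left out, and all policy documents and level names are assumptions for the example.

```python
"""Model of SCP inheritance along root -> OU -> account (added example).

A request must be allowed by the SCPs at every level and denied by none; only
then does the IAM identity policy matter.  If several SCPs are attached at one
level, concatenate their statements into that level's list: one Allow at the
level suffices and any Deny at the level wins, which matches the documented
behaviour.  The management account itself is outside SCPs and is not modelled."""

from fnmatch import fnmatchcase

FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*"}]

# Constructed root SCP: an allow-list that replaced FullAWSAccess and forgot EC2.
ROOT_ALLOW_LIST = [{"Effect": "Allow", "Action": ["s3:*", "iam:*", "cloudwatch:*"]}]
# Constructed alternative root SCP: FullAWSAccess plus an explicit deny on EC2.
ROOT_DENY_EC2 = FULL_AWS_ACCESS + [{"Effect": "Deny", "Action": "ec2:*"}]
# The development OU allows everything, as the question states.
DEVELOPMENT_OU_SCP = FULL_AWS_ACCESS
# The developer's identity policy is AdministratorAccess-equivalent.
ADMIN_IDENTITY_POLICY = FULL_AWS_ACCESS


def _actions(statement):
    action = statement["Action"]
    return action if isinstance(action, list) else [action]


def policy_allows(statements, action):
    """One level of policy: a matching Deny returns False; otherwise a matching Allow is required."""
    allowed = False
    for statement in statements:
        if any(fnmatchcase(action, pattern) for pattern in _actions(statement)):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_decision(scp_chain, identity_policy, action):
    """scp_chain: [(level_name, statements), ...] ordered root -> OU -> account.

    Returns ("allow", None) or ("deny", name_of_level_that_blocked), so the
    caller learns not just the outcome but where in the hierarchy it was decided."""
    for level, statements in scp_chain:
        if not policy_allows(statements, action):
            return "deny", level
    if not policy_allows(identity_policy, action):
        return "deny", "identity-policy"
    return "allow", None


def dev_account_chain(root_scp):
    """The path for an account in the development OU, given the root SCP in force."""
    return [("root", root_scp), ("development-ou", DEVELOPMENT_OU_SCP)]


if __name__ == "__main__":
    for name, root in (("allow-list root", ROOT_ALLOW_LIST),
                       ("deny-ec2 root", ROOT_DENY_EC2),
                       ("FullAWSAccess root", FULL_AWS_ACCESS)):
        for action in ("ec2:RunInstances", "s3:ListAllMyBuckets"):
            print(name, action, effective_decision(dev_account_chain(root), ADMIN_IDENTITY_POLICY, action))
```

The returned level name is the useful part: when a developer reports an unexplained access denied, walking the chain from the root downwards and stopping at the first level that fails is exactly the procedure to follow against the real policies.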

104
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. The security team requires that all API calls to create or modify IAM roles are logged and alerted. Which TWO steps should be taken to meet this requirement?

Select 2 answers
A.Use AWS Config to record IAM role changes and stream to CloudWatch Logs.
B.Create a CloudWatch Logs metric filter and alarm to detect IAM role creation/modification events.
C.Create an SCP that denies IAM role creation and modification.
D.Enable CloudTrail management events with CloudWatch Logs integration in all accounts.
E.Enable IAM Access Analyzer to monitor IAM role usage.
AnswersB, D

Metric filters can parse logs and trigger alarms.

Why this answer

Option D is correct because CloudTrail management events record every IAM API call (CreateRole, UpdateAssumeRolePolicy, AttachRolePolicy, PutRolePolicy and so on), and sending the trail to CloudWatch Logs makes those events searchable in near real time. Option B is correct because a metric filter on that log group can match the IAM role events and feed an alarm that notifies the team. Option C is wrong because an SCP prevents or permits actions; it produces no log, and it would block legitimate role management.

Option A is wrong because AWS Config records resource configuration state and its history, not the API calls that caused the change; it can tell you a role changed, not who called which API with which parameters. Option E is wrong because IAM Access Analyzer reasons about policies and unused access; it does not log API activity.

Practitioner check: IAM is a global service, so its events are recorded in us-east-1 regardless of where the caller was; the trail must be a multi-Region trail with global service events included (an organization trail covers every member account in one step). Match on errorCode as well, so denied attempts to modify roles are alerted too.
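Added example (not part of the question bank): the matching logic of the metric filter in option B, implemented in Python over constructed CloudTrail records so it can be run and tested offline, plus the CloudWatch Logs filter pattern string for the same match. The event names, IP addresses, account IDs and principals in SAMPLE_LOG_LINES are constructed for this example; the list of role-changing event names is an assumption a team would tune to its own threat model.

```python
"""Detect IAM role create/modify events in CloudTrail records (added example)."""

import json

# IAM API calls that create a role or change what it can do or who can assume it.
ROLE_CHANGE_EVENTS = {
    "CreateRole", "DeleteRole", "UpdateRole", "UpdateAssumeRolePolicy",
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
    "PutRolePermissionsBoundary", "DeleteRolePermissionsBoundary",
}

# The equivalent CloudWatch Logs metric filter pattern for the trail's log group.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "iam.amazonaws.com") && ('
    + " || ".join(f'($.eventName = "{name}")' for name in sorted(ROLE_CHANGE_EVENTS))
    + ") }"
)

# Constructed CloudTrail records, one JSON document per line as delivered to CloudWatch Logs.
SAMPLE_LOG_LINES = """
{"eventVersion":"1.08","eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateRole","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"roleName":"AppDeployRole"},"recipientAccountId":"111122223333"}
{"eventVersion":"1.08","eventTime":"2024-05-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::444455556666:assumed-role/ci-deployer/build-42"},"requestParameters":{"roleName":"AdminRole","policyName":"inline-escalation"},"errorCode":"AccessDenied","errorMessage":"User is not authorized","recipientAccountId":"444455556666"}
{"eventVersion":"1.08","eventTime":"2024-05-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"t3.micro"},"recipientAccountId":"111122223333"}
{"eventVersion":"1.08","eventTime":"2024-05-01T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"GetRole","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"roleName":"AppDeployRole"},"recipientAccountId":"111122223333"}
"""


def parse_log_lines(text):
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_role_change(record):
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in ROLE_CHANGE_EVENTS)


def summarize(record):
    """The fields an on-call engineer wants in the alert; denied attempts are kept."""
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    return {
        "time": record.get("eventTime"),
        "account": record.get("recipientAccountId"),
        "event": record["eventName"],
        "role": params.get("roleName"),
        "actor": identity.get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "denied": record.get("errorCode") == "AccessDenied",
    }


def find_role_changes(records):
    return [summarize(r) for r in records if is_role_change(r)]


if __name__ == "__main__":
    print(METRIC_FILTER_PATTERN)
    for hit in find_role_changes(parse_log_lines(SAMPLE_LOG_LINES)):
        print(hit)
```

Of the four constructed records, only the CreateRole and the denied PutRolePolicy match; the EC2 launch and the read-only GetRole do not. Keeping denied attempts in the output is deliberate: a CI role trying to attach an inline policy to AdminRole is the kind of signal a permissions-escalation attempt leaves behind even when the SCP or IAM policy stopped it.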

105
MCQmedium

A company has a AWS Organizations setup with 100 accounts. The security team requires that all IAM users across all accounts must have multi-factor authentication (MFA) enabled. Currently, there is no central enforcement. The company wants to implement a solution that automatically detects IAM users without MFA and disables their access keys. The solution must be centrally managed from the management account. Which solution meets these requirements?

A.Create an SCP that denies all API calls if the user does not have an MFA device.
B.Deploy an AWS Config rule across all accounts using AWS Organizations that checks for IAM users without MFA, and use AWS Config custom remediation to disable the user's access keys.
C.Use IAM Access Analyzer to generate findings for users without MFA and automatically disable access keys.
D.Use AWS IAM Identity Center to enforce MFA and automatically disable access keys for existing IAM users.
AnswerB

Config can detect and remediate across accounts.

Why this answer

Option B is correct because AWS Config rules can be deployed to every account in the organization from the management account (or a delegated administrator) as organization rules; the managed rule iam-user-mfa-enabled flags users with no MFA device, and a remediation action backed by a Systems Manager Automation document (which can invoke a Lambda function) deactivates the access keys of each noncompliant user. Option C is wrong because IAM Access Analyzer analyzes policies and unused access; it has no finding type for missing MFA and performs no remediation. Option A is wrong because an SCP can only deny requests that lack MFA: it blocks access, but it neither detects which users lack MFA nor disables their keys.

Option D is wrong because AWS IAM Identity Center manages its own workforce users and permission sets; it does not manage or remediate existing IAM users.

Practitioner caveat: deactivating keys stops every workload that used them. Stage the rollout (detect and notify first, then deactivate), and keep a reviewed exception list for service accounts that cannot use MFA while they are migrated to roles.
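Added example (not part of the question bank, and not AWS code): the remediation step behind option B, written against the boto3 IAM client calls it would use (list_users, list_mfa_devices, list_access_keys, update_access_key) but exercised here with a stand-in FakeIam class and constructed users so it runs offline. Everything in FakeIam and sample_iam is assumed data; the three functions above them are what the Automation document or Lambda would run.

```python
"""Deactivate access keys of IAM users that have no MFA device (added example)."""


def users_without_mfa(iam):
    """Yield the names of users that have no MFA device registered.

    Real code should use iam.get_paginator("list_users"); the single call is enough
    for the constructed data here."""
    for user in iam.list_users()["Users"]:
        if not iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]:
            yield user["UserName"]


def deactivate_keys(iam, user_name, dry_run=True):
    """Set every Active access key of user_name to Inactive; return the key IDs touched.

    Inactive keys can be reactivated, unlike deleted ones, which keeps the action
    reversible if a workload turns out to depend on them."""
    touched = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        if not dry_run:
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
        touched.append(key["AccessKeyId"])
    return touched


def remediate(iam, dry_run=True, exceptions=()):
    """Return {user: [key ids]} for users without MFA, skipping the listed exceptions."""
    return {user: deactivate_keys(iam, user, dry_run)
            for user in users_without_mfa(iam) if user not in exceptions}


class FakeIam:
    """Minimal stand-in for boto3.client('iam') with the four calls used above,
    returning the same response shapes.  Constructed for the example."""

    def __init__(self, users):
        # users: {name: {"mfa": bool, "keys": {access_key_id: "Active" | "Inactive"}}}
        self.users = users

    def list_users(self):
        return {"Users": [{"UserName": name} for name in self.users]}

    def list_mfa_devices(self, UserName):
        devices = [{"SerialNumber": f"arn:aws:iam::111122223333:mfa/{UserName}"}] if self.users[UserName]["mfa"] else []
        return {"MFADevices": devices}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.users[UserName]["keys"].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId] = Status


def sample_iam():
    """Constructed account: one compliant user, one human without MFA, one service user."""
    return FakeIam({
        "alice": {"mfa": True, "keys": {"AKIAEXAMPLEALICE0001": "Active"}},
        "bob": {"mfa": False, "keys": {"AKIAEXAMPLEBOB000001": "Active", "AKIAEXAMPLEBOB000002": "Inactive"}},
        "svc-backup": {"mfa": False, "keys": {"AKIAEXAMPLESVC000001": "Active"}},
    })


if __name__ == "__main__":
    iam = sample_iam()
    print("plan:", remediate(iam))
    print("done:", remediate(iam, dry_run=False, exceptions=("svc-backup",)))
```

In the real remediation, pass boto3.client("iam") where FakeIam is used, keep dry_run=True for the first run so the plan can be reviewed, and drive the exceptions list from a tagged or documented list of service accounts rather than from code.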

106
MCQhard

Refer to the exhibit. A CloudFormation template is used to create an IAM role for EC2. The stack creation fails with the error: "Resource creation cancelled". The IAM role is not created. What is the MOST likely reason?

A.The trust policy does not include the correct service principal for EC2
B.The IAM role name already exists in the account
C.The template does not have the required IAM capabilities
D.The role does not have an instance profile
AnswerB

IAM role names must be unique within an account.

Why this answer

The keyed cause is the duplicate role name: IAM role names must be unique within an account (not globally), so if a role with that name already exists the create call fails with a message such as "Role with name X already exists" and the stack rolls back. Practitioner check: "Resource creation cancelled" is the status CloudFormation assigns to resources whose creation was still pending when another resource in the same stack failed; it is a consequence of the rollback, not the error itself. Read the stack events and find the first resource with status CREATE_FAILED and a specific status reason; that is where the name conflict (or whatever the real error is) is reported.

Exam trap

The trap here is reading 'Resource creation cancelled' as the error itself. It signals that a sibling resource failed and the stack is rolling back; the real cause sits in the earlier CREATE_FAILED event, which here is the name conflict rather than a missing capability or a bad trust policy, both of which produce their own explicit messages.

How to eliminate wrong answers

Option A is wrong because a bad trust policy fails on the role itself with a policy validation error such as 'Invalid principal in policy', not with a cancellation. Option C is wrong because a template that creates a named IAM role without CAPABILITY_NAMED_IAM (or CAPABILITY_IAM for an unnamed role) is rejected before any resource is created, with a message that names the missing capability. Option D is wrong because an instance profile is a separate resource that is only needed to attach the role to an EC2 instance; its absence does not affect creating the role.

107
Multi-Selecteasy

A company uses AWS Organizations to manage multiple accounts. The central team wants to deploy a CloudFormation template that creates an S3 bucket with default encryption in every member account. Which THREE steps are required to accomplish this?

Select 3 answers
A.Create an IAM role in each member account that allows CloudFormation to create resources.
B.Create an SCP that allows CloudFormation to create S3 buckets.
C.Write a CloudFormation template that includes an S3 bucket resource with default encryption enabled.
D.Create a CloudFormation StackSet in the management account.
E.Configure the StackSet with the target accounts and regions, and specify an IAM role for execution.
AnswersC, D, E

The template defines the resources to be created.

Why this answer

Options C, D, and E are correct. Option C: the template must declare the bucket with a BucketEncryption property so every deployed bucket is encrypted by default. Option D: a StackSet in the management account (or a delegated administrator account) is the mechanism for deploying one template to many accounts.

Option E: the StackSet needs its target accounts and Regions and the roles it executes with; with service-managed permissions AWS Organizations creates the execution role in each member account automatically, and with self-managed permissions you name the administration and execution roles yourself. Option A is not a required step under service-managed permissions, which is the model the question implies; with self-managed permissions you do have to create AWSCloudFormationStackSetExecutionRole in every target account, so keep that distinction in mind in practice. Option B is wrong because no SCP is needed to allow the deployment; SCPs only restrict, and the default FullAWSAccess SCP already permits it.

108
Multi-Selectmedium

A company wants to use AWS IAM Identity Center (successor to AWS SSO) to provide single sign-on access to multiple AWS accounts. They have an existing Microsoft Active Directory and want to synchronize users and groups. Which TWO actions should be taken to set this up?

Select 2 answers
A.Create an IAM Identity Center identity store and manually import users from Active Directory.
B.Set up AWS Managed Microsoft AD in the management account and configure IAM Identity Center to use it as the identity source.
C.Install the AWS Directory Service AD Connector and point it to the on-premises Active Directory.
D.Create permission sets in IAM Identity Center for each job function and assign them to groups.
E.Configure AWS CloudTrail to log all sign-in events.
AnswersB, D

Managed AD integrates with IAM Identity Center.

Why this answer

Option B is correct because AWS IAM Identity Center can use AWS Managed Microsoft AD as its identity source, enabling seamless synchronization of users and groups from an existing on-premises Active Directory via a two-way forest trust. This eliminates the need for manual import and provides a managed, highly available directory service that integrates directly with IAM Identity Center for single sign-on across multiple AWS accounts.

Exam trap

The trap here is assuming AD Connector is not a valid identity source. IAM Identity Center supports both AWS Managed Microsoft AD and AD Connector; AD Connector proxies every lookup to the on-premises domain without caching, so each authentication depends on the connectivity to it. The keyed pair is the managed directory plus permission sets because the question asks for the two steps that produce synchronized, group-based access to the accounts: option C alone assigns no access, and option A is wrong because Identity Center synchronizes users and groups from the directory rather than importing them by hand.

109
MCQmedium

A company has a multi-account AWS environment. The central IT team manages IAM roles in each account using AWS CloudFormation StackSets. The team needs to ensure that a specific IAM role exists in all member accounts. Which solution is the MOST efficient?

A.Use AWS CloudFormation StackSets to deploy the IAM role template across all accounts.
B.Use AWS Config rules to enforce the IAM role creation in each account.
C.Manually create the IAM role in each account using the AWS Management Console.
D.Use AWS Organizations to create the IAM role via a service control policy (SCP).
AnswerA

StackSets automate deployment across multiple accounts.

Why this answer

AWS CloudFormation StackSets allow you to deploy a single IAM role template across multiple accounts and Regions in a single operation, ensuring consistent role creation without manual effort. This is the most efficient solution because it automates the deployment, handles drift detection, and integrates with AWS Organizations for automatic account addition.

Exam trap

The trap here is confusing AWS Config rules (detective control) with proactive resource creation, or assuming SCPs can create IAM roles when they only enforce permission boundaries.

How to eliminate wrong answers

Option B is wrong because AWS Config rules can only detect non-compliance (e.g., missing IAM role) and trigger remediation actions, but they do not directly create the IAM role; they require a separate automation (e.g., Lambda) to create it, making it less efficient than StackSets. Option C is wrong because manually creating the IAM role in each account using the AWS Management Console is inefficient, error-prone, and does not scale for multi-account environments. Option D is wrong because AWS Organizations service control policies (SCPs) are used to restrict permissions, not to create IAM roles; SCPs cannot create resources like IAM roles.

110
Multi-Selectmedium

A company has a consolidated billing setup with AWS Organizations. The finance team needs to track costs at the department level. Each department has its own AWS account. Which THREE steps should be taken to achieve detailed cost allocation? (Choose THREE.)

Select 3 answers
A.Enable detailed billing reports in the management account.
B.Enable the RI discount sharing feature in the management account.
C.Activate cost allocation tags in the Billing and Cost Management console.
D.Enable AWS Cost and Usage Reports (CUR) for each member account.
E.Define and enforce a tagging strategy using AWS Organizations tag policies.
AnswersB, C, E

RI sharing allows cost benefits to be shared across accounts.

Why this answer

Option B is keyed as correct because Reserved Instance and Savings Plans discount sharing, which is on by default under consolidated billing, lets every account in the organization benefit from reservations bought in any one account. Be aware of what it does to the numbers: with sharing on, the discount lands on whichever account consumed the capacity, so department-level reporting must be explicit about whether it uses the blended or the unblended cost columns of the Cost and Usage Report.

Exam trap

The trap here is expecting per-account reports to give the department view. Cost allocation tags and the Cost and Usage Report are configured once in the management account, which sees every member account, and a tag policy keeps the tag keys consistent so that the department dimension in the report is reliable; per-account CUR and the legacy detailed billing reports add nothing to that.

111
Multi-Selecthard

A company has a multi-account AWS environment with a central security account for AWS GuardDuty, AWS Security Hub, and AWS IAM Access Analyzer. The security team wants to aggregate findings from all member accounts into the security account. Which THREE steps should be taken?

Select 3 answers
A.Use AWS Config aggregator in the security account to collect configuration items from all accounts.
B.Enable AWS Security Hub in the security account and designate it as the administrator account for the organization.
C.Enable Amazon GuardDuty in the security account and add member accounts via the GuardDuty API.
D.Enable AWS IAM Access Analyzer in the security account with the organization as the zone of trust.
E.Configure GuardDuty in the security account to monitor all regions by using a single detector.
AnswersB, C, D

Security Hub administrator account aggregates findings.

Why this answer

Options B, C, and D are correct. B: enable Security Hub in the security account and designate it as the administrator for the organization, with auto-enable for new accounts; Security Hub aggregates the findings of GuardDuty, IAM Access Analyzer and its own controls. C: enable GuardDuty in the security account and make it the administrator with the member accounts added; with Organizations the clean way is to register it as the delegated administrator and turn on auto-enable rather than inviting accounts one by one.

D: enable IAM Access Analyzer in the security account with the organization as the zone of trust, so that a resource shared with any account in the organization is not reported as external access. Option E is wrong because GuardDuty is Regional: a detector exists per Region and no single detector covers all Regions, so the administrator must be designated in every Region in use. Option A is wrong because a Config aggregator collects configuration items and compliance data, not security findings.

Practitioner check: each of these services needs its delegated administrator set per Region; use Security Hub cross-Region aggregation to see all Regions in one place.

112
MCQeasy

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs visibility into all IAM user activities across accounts. What is the MOST scalable solution to aggregate CloudTrail logs?

A.Enable CloudTrail Insights in each account and review separately.
B.Use AWS Config aggregator to collect IAM user activity.
C.Set up Amazon Kinesis Data Streams in each account and stream to a central Kinesis Data Firehose.
D.Configure CloudTrail in each account to deliver logs to a single S3 bucket in the security account.
AnswerD

This centralizes logs without additional tooling.

Why this answer

Option D is correct because each account's trail can deliver log files to one S3 bucket in the security account; the bucket policy grants cloudtrail.amazonaws.com the PutObject permission, conditioned on the trail's account or ARN. The logs of every account land in one place under a per-account prefix, no streaming infrastructure is involved, and Amazon Athena can query them across accounts. Practitioner check: an organization trail, created once in the management account, does the same for every current and future member account without per-account configuration and cannot be switched off by member accounts; that is the form this design normally takes.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Kinesis (Option C) because they assume streaming is required for scalability, but CloudTrail's native S3 delivery is the most scalable and cost-effective aggregation method for IAM user activity logs.

How to eliminate wrong answers

Option A is wrong because reviewing CloudTrail Insights separately in each account does not aggregate logs; it requires manual per-account access and lacks a centralized view, making it unscalable for decentralized IT structures. Option B is wrong because AWS Config aggregator is designed to collect resource configuration changes and compliance history, not IAM user activity logs; CloudTrail is the service that records API activity, not AWS Config. Option C is wrong because setting up Kinesis Data Streams in each account and streaming to a central Kinesis Data Firehose introduces unnecessary complexity, cost, and operational overhead compared to the simpler S3 bucket delivery method; CloudTrail can directly deliver to S3 without needing Kinesis.

113
MCQhard

A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?

A.Use a Lambda function in each account to copy logs to the central bucket
B.Set up S3 cross-account replication from each account's bucket to the central bucket
C.Configure VPC Flow Logs in each account to directly deliver to the central bucket
D.Use CloudWatch Logs subscription filter to stream logs to the central account
AnswerB

Replication is automated and efficient.

Why this answer

Option B is correct because S3 replication (same-Region or cross-Region) can copy objects from each account's flow-log bucket to the central bucket in the logging account, with the destination owner taking ownership of the replicas. It adds on top of what already exists: the flow logs in each account keep their destination, and a flow log's configuration cannot be edited after creation, so redirecting delivery instead would mean deleting and recreating every flow log.

Exam trap

The trap here is option C. VPC Flow Logs can deliver directly to an S3 bucket in another account when the bucket policy grants delivery.logs.amazonaws.com PutObject with the aws:SourceAccount and aws:SourceArn conditions, and that is the design to choose for new flow logs. The question, however, describes flow logs that already exist and deliver locally, and a flow log cannot be edited after creation, so replication is the efficient way to centralize what is already being written.

How to eliminate wrong answers

Option A is wrong because a Lambda function in each account that copies objects is custom code with timeouts, retries and per-invocation cost to maintain, for a job that a managed replication configuration does without code. Option C is wrong only in the context of this question: direct cross-account delivery is supported, but applying it here means recreating every flow log in every account, whereas replication leaves them in place. Option D is wrong because these flow logs deliver to S3, not to CloudWatch Logs; a subscription filter needs a log group as its source and streams to Kinesis Data Streams, Firehose or Lambda, so landing the data in S3 would need a Firehose hop and a different flow log configuration.

114
MCQeasy

A company has an AWS Organization with multiple accounts. The central IT team wants to deploy a common set of AWS Config rules across all accounts in the production OU. Which approach is the MOST scalable and maintainable?

A.Use an AWS Config aggregator to deploy rules across accounts.
B.Use AWS CloudFormation StackSets to deploy an AWS Config rule template to each account.
C.Use AWS Config conformance packs and deploy them using AWS CloudFormation StackSets.
D.Use AWS Config to create a custom rule in each account manually.
AnswerC

Conformance packs allow consistent deployment of rules across accounts and regions.

Why this answer

Option C is correct because a conformance pack bundles Config rules and their remediation actions into one template, and deploying it with StackSets gives every account in the production OU the same pack, with versioned updates applied in one operation. Option D is wrong because creating rules manually in each account does not scale and drifts. Option B is wrong only by comparison: StackSets can deploy individual Config rules, but the pack is the unit designed for a rule set and is easier to version and update as one object.

Option A is wrong because an aggregator collects and displays compliance data across accounts; it deploys nothing. Practitioner check: conformance packs can also be deployed organization-wide directly with PutOrganizationConformancePack from the management or delegated administrator account, and a Config recorder must already be enabled in each account and Region for any rule to evaluate.

115
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which solution should the team implement?

A.Create an IAM role with a policy that requires encryption on S3 buckets and attach it to all users.
B.Configure S3 bucket policies on each existing bucket to deny requests that do not include encryption.
C.Create a service control policy (SCP) that denies the s3:CreateBucket action unless the request includes s3:x-amz-server-side-encryption header.
D.Enable AWS CloudTrail to log all S3 API calls and set up a CloudWatch alarm to notify when a bucket without encryption is created.
AnswerC

SCPs can enforce conditions on API actions across all accounts in the organization.

Why this answer

Option C is correct as the organization-wide preventive control: an SCP applies to every account and cannot be undone by an account administrator, and a Deny carrying an encryption condition refuses the request before the resource exists. Practitioner caveat: the `s3:x-amz-server-side-encryption` key is evaluated on object uploads (PutObject, CopyObject and related calls); CreateBucket has no encryption header, and since January 2023 every new bucket has SSE-S3 enabled by default. The SCP you actually write denies s3:PutObject when the header is absent or not `aws:kms`, and denies s3:PutBucketEncryption to accounts that must not change the default. The exam point, that this is where a preventive control belongs, is unchanged.

Exam trap

The trap here is choosing a detective control (CloudTrail plus a CloudWatch alarm) for a requirement that says 'enforce', or reaching for IAM policies. IAM policies evaluate the same condition keys, but they bind only to the principals they are attached to in one account, so they cannot enforce anything across the organization.

How to eliminate wrong answers

Option A is wrong because an IAM policy covers only the principals it is attached to in a single account: roles, services such as CloudFormation, federated users and every other account fall outside it, and an account administrator can detach it at will; the condition key itself is valid in IAM, the scope is the problem. Option B is wrong because bucket policies govern access to buckets that already exist; they cannot affect the creation of new ones. Option D is wrong because CloudTrail with a CloudWatch alarm is a detective control: it reports after the fact and enforces nothing.

116
MCQmedium

A company wants to implement a multi-account strategy using AWS Organizations. The security team requires that all new accounts added to the organization automatically inherit a baseline set of security controls, such as AWS CloudTrail and AWS Config rules. Which approach should the company use?

A.Use AWS Organizations Service Control Policies (SCPs) to enforce the baseline controls.
B.Use AWS Systems Manager Automation to apply the baseline to new accounts.
C.Use AWS CloudFormation StackSets to deploy the baseline stack to new accounts automatically.
D.Use AWS Config aggregators to apply the baseline controls to new accounts.
AnswerC

StackSets can deploy stacks across multiple accounts and regions, and can be set to automatically apply to new accounts.

Why this answer

Option C is correct because AWS CloudFormation StackSets deploy one template to many accounts and Regions, and with service-managed permissions and automatic deployment enabled the baseline stack is created in every account that joins a target OU, without anyone remembering to run it. Option A is wrong because SCPs restrict permissions; they do not create CloudTrail trails or Config rules. Option B is wrong because Systems Manager Automation is an operational runbook tool, not a mechanism that provisions a baseline in each account as it is added. Option D is wrong because AWS Config aggregators only collect compliance data from accounts; they do not deploy resources.

117
MCQmedium

Refer to the exhibit. A company attaches this SCP to the root of an AWS Organization. What is the effect?

A.All principals outside the organization are denied all actions.
B.All principals are required to have MFA enabled.
C.All principals in the organization are allowed all actions.
D.All principals in the organization are denied all actions.
AnswerA

The condition denies when the org ID does not match, so external principals are blocked.

Why this answer

Option A is correct because the SCP denies every action when the principal's aws:PrincipalOrgID does not match 'o-exampleorgid', so a principal from outside the organization never matches the allow side of the evaluation. Option B is wrong because the policy has no MFA condition. Option C is wrong because the statement is a Deny, not an Allow. Option D is wrong because principals inside the organization carry the matching org ID and are not denied.

Note for practitioners: SCPs are evaluated only for principals in the organization's member accounts, so the aws:PrincipalOrgID condition is most often placed in resource-based policies (bucket and KMS key policies), where external principals can actually appear.

118
MCQhard

A company has a centralized logging solution where all VPC Flow Logs from member accounts are delivered to a central S3 bucket in the logging account. The logs contain sensitive IP addresses that must be redacted before analysis. What is the MOST scalable approach?

A.Create a Lambda function in each member account to redact logs before delivery.
B.Use S3 Object Lambda to redact sensitive data when objects are read.
C.Use Amazon Athena with Lambda User-Defined Functions (UDFs) to redact data during query execution.
D.Use Amazon Kinesis Data Firehose to transform data before writing to S3.
AnswerC

Scalable and flexible; allows redaction on the fly without modifying stored data.

Why this answer

Option C is correct because Athena can call Lambda-backed user-defined functions during query execution, so analysts query the central bucket and the UDF redacts the address columns in the result set; the stored logs stay untouched and the approach works no matter how many accounts deliver logs. Option A is wrong because deploying and maintaining a redaction function in every member account does not scale and leaves the control in the hands of the accounts being monitored. Option B is wrong because S3 Object Lambda transforms objects on individual GET requests, an object-level mechanism rather than a query-time one. Option D is wrong because the logs already land in S3 through Flow Logs delivery; inserting Kinesis Data Firehose adds a pipeline to operate without being required.
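The redaction step itself, as an added example that is not part of the original question or of any AWS code: srcaddr and dstaddr in a default-format flow log record are replaced with keyed HMAC tokens, so an address maps to the same token every time (GROUP BY and joins across lines still work) but cannot be recovered without the key. This is the per-value logic an Athena UDF or a delivery-time transform would run; the log lines, account ID, interface ID, addresses and key below are constructed for the example.

```python
"""Field-aware redaction of VPC Flow Log lines (added example, not AWS code).

srcaddr and dstaddr are replaced with a keyed HMAC-SHA256 token, so one
address always maps to one token (GROUP BY and joins keep working) while the
address cannot be recovered without the key. This is the per-value logic an
Athena UDF or a delivery-time transform would run. The log lines, key and
addresses below are constructed for this example.
"""
import hashlib
import hmac
import ipaddress

# Default flow log record format, version 2 (assumed; the question names no format)
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
REDACTED = {"srcaddr", "dstaddr"}

# Constructed sample records: an SSH session in both directions, a rejected RDP
# probe from an external address, and a NODATA record with '-' placeholders.
SAMPLE_LINES = [
    "2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.2.7 49152 22 6 12 1860 1710000000 1710000059 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 10.0.2.7 10.0.1.5 22 49152 6 10 1240 1710000000 1710000059 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.5 51234 3389 6 3 180 1710000000 1710000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1710000060 1710000119 - NODATA",
]


def tokenize_ip(value, key, length=16):
    """Stable pseudonym for an address; '-' (no data) passes through."""
    if value == "-":
        return value
    ipaddress.ip_address(value)  # reject malformed input instead of emitting it
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "ip_" + digest[:length]


def redact_line(line, key):
    """Redact one record; every field other than srcaddr/dstaddr is kept verbatim."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d" % len(parts))
    return " ".join(tokenize_ip(v, key) if f in REDACTED else v
                    for f, v in zip(FIELDS, parts))


def redact(lines, key):
    return [redact_line(line, key) for line in lines]


if __name__ == "__main__":
    for out in redact(SAMPLE_LINES, b"example-only-key"):
        print(out)
```

The key must live with the logging account (for example in Secrets Manager) and never in the member accounts, otherwise the redaction can be reversed by the parties it is meant to protect against; rotating it breaks joins across the rotation boundary, which is the trade-off of keyed pseudonymization over plain hashing.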

119
MCQhard

A company uses AWS Organizations with several OUs. The security team wants to enforce that EC2 instances in production accounts cannot have public IP addresses. The solution must be preventive and should not rely on developers remembering to follow guidelines. What should the security team do?

A.Use the Amazon EC2 'Block public access' feature at the account level.
B.Create an IAM policy that denies ec2:RunInstances if the instance is launched with a public IP and attach it to all IAM roles in production accounts.
C.Use AWS Config to detect instances with public IPs and automatically terminate them.
D.Create a service control policy (SCP) that denies ec2:RunInstances if the request includes AssociatePublicIpAddress=true and attach it to the production OU.
AnswerD

SCPs are preventive and cannot be overridden by IAM policies within the account.

Why this answer

Option D is correct because an SCP attached to the production OU can deny ec2:RunInstances when the ec2:AssociatePublicIpAddress condition key is true on the network-interface resource, and it binds every principal in those accounts, administrators included, without any developer action. Option A is wrong because the account-level 'Block public access' setting referred to here is an S3 feature and does not govern EC2 public IP assignment. Option B is wrong because IAM policies are account-scoped: they cover only the roles they are attached to and can be changed by account administrators, so they are not a guardrail. Option C is wrong because AWS Config detects and remediates after launch; it is detective, not preventive.

120
MCQhard

A company uses AWS SSO with an external identity provider. The security team needs to enforce that users in the finance department can only access the finance OU accounts. Which configuration is required?

A.Configure the external IdP to send a SAML attribute that AWS uses to enforce permissions.
B.Use AWS SSO to assign the finance group to the finance OU accounts only.
C.Create an SCP that denies access to non-finance accounts for users from the finance group.
D.Create IAM roles in each finance account and trust the IdP with a condition on the group attribute.
AnswerB

AWS SSO provides direct assignment of users/groups to accounts.

Why this answer

Option B is correct because AWS SSO (now IAM Identity Center) assigns users and groups from the external IdP to specific accounts with a permission set; assigning the finance group only to the finance OU's accounts gives its members no access path to any other account. Option A is wrong because a SAML attribute alone does not bind a group to accounts; the mapping lives in the account assignments. Option C is wrong because an SCP applies to every principal in the accounts it targets and cannot be scoped to a group from a particular IdP. Option D is wrong because per-account IAM roles with IdP trust policies recreate federation by hand in every account and do not scale.

121
Multi-Selectmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all root user activities are monitored and alerted. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Create an Amazon CloudWatch Events rule to detect root user login events and send an alert via Amazon SNS.
B.Use AWS Config rules to detect root user usage.
C.Create an IAM role for root user with limited permissions.
D.Enable AWS CloudTrail to log root user API calls in all accounts.
E.Attach a service control policy (SCP) to all accounts to deny root user actions.
AnswersA, D

Alerts on root user activity.

Why this answer

Options A and D are correct. An organization trail in CloudTrail records root API calls and console logins in every account, and an EventBridge (formerly CloudWatch Events) rule matching userIdentity.type = Root can publish to SNS. Option B is wrong because AWS Config evaluates resource configuration, not who performed an action. Option C is wrong because the root user is not an IAM principal; roles cannot be created for it or limit it. Option E is wrong because the requirement is monitoring and alerting, not blocking, and denying all root actions would also block the few account tasks that only root can perform.
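The detection behind options A and D, as an added example (not code from the page or from AWS): the filter that CloudWatch Logs metric filters and EventBridge rules commonly use for root activity, run over constructed CloudTrail records. Account IDs, addresses, timestamps and the interface/event details are made up; the record field names follow the CloudTrail record format.

```python
"""Root-user activity detection over CloudTrail records (added example).

Implements the widely used filter for root activity:
    userIdentity.type == "Root"
    AND userIdentity.invokedBy is absent      (no AWS service acting for root)
    AND eventType != "AwsServiceEvent"
and separates console logins from API calls so the alert can say which it saw.
The records below are constructed for this example, not real logs.
"""
import json

SAMPLE_RECORDS = json.loads(r"""
[
  {"eventVersion": "1.08", "eventTime": "2024-03-01T08:12:44Z", "eventType": "AwsConsoleSignIn",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
   "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventVersion": "1.08", "eventTime": "2024-03-01T08:15:02Z", "eventType": "AwsApiCall",
   "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
   "sourceIPAddress": "203.0.113.10"},
  {"eventVersion": "1.08", "eventTime": "2024-03-01T09:00:00Z", "eventType": "AwsApiCall",
   "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "444455556666"},
   "sourceIPAddress": "198.51.100.7"},
  {"eventVersion": "1.08", "eventTime": "2024-03-01T09:30:00Z", "eventType": "AwsServiceEvent",
   "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
   "userIdentity": {"type": "Root", "accountId": "444455556666", "invokedBy": "AWS Internal"}}
]
""")


def is_root_activity(record):
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def classify(record):
    if (record.get("eventSource") == "signin.amazonaws.com"
            and record.get("eventName") == "ConsoleLogin"):
        return "root_console_login"
    return "root_api_call"


def root_alerts(records):
    """Return one alert dict per root action, in input order; empty list when none."""
    alerts = []
    for r in records:
        if not is_root_activity(r):
            continue
        alerts.append({
            "kind": classify(r),
            "account": r["userIdentity"].get("accountId"),
            "event": r.get("eventName"),
            "source_ip": r.get("sourceIPAddress"),
            "mfa": r.get("additionalEventData", {}).get("MFAUsed"),
            "time": r.get("eventTime"),
        })
    return alerts


# EventBridge event pattern expressing the same filter for a rule that targets
# an SNS topic; CloudTrail records arrive under "detail". Kept for reference.
EVENTBRIDGE_PATTERN = {
    "detail": {
        "userIdentity": {"type": ["Root"], "invokedBy": [{"exists": False}]},
        "eventType": [{"anything-but": ["AwsServiceEvent"]}],
    }
}

if __name__ == "__main__":
    for alert in root_alerts(SAMPLE_RECORDS):
        print(alert)
    print(json.dumps(EVENTBRIDGE_PATTERN))
```

The invokedBy and eventType clauses matter: without them, routine service activity that CloudTrail attributes to the account's root identity (the fourth record above) produces noise and the alert gets ignored.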

122
MCQeasy

A company is using AWS Organizations with a multi-account strategy. The finance team wants to centrally manage and enforce cost allocation tags across all accounts. Which solution is MOST effective?

A.Create a service control policy (SCP) that denies the creation of resources if they do not have the required tags.
B.Use AWS Budgets to alert on untagged resources.
C.Use AWS Config rules to detect untagged resources and trigger a Lambda function to tag them.
D.Create an AWS Lambda function that tags resources after they are created.
AnswerA

SCPs can enforce tag requirements proactively.

Why this answer

Option A is correct because an SCP can deny the creation actions of supported services when the request lacks the required tag, using the aws:RequestTag/<key> and Null condition keys, so untagged resources are never created in any account. Option B is wrong because AWS Budgets tracks spend and does not act on tags. Option C is wrong because Config rules are detective; the resource exists untagged until remediation runs. Option D is wrong because tagging after creation is reactive and depends on the function covering every resource type.

123
MCQmedium

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

A.An SCP that allows only read-only billing actions.
B.An SCP that denies all billing-related actions except read-only.
C.An IAM policy attached to the root OU that denies billing modifications.
D.An SCP that denies the effect of actions that modify billing preferences.
AnswerD

An SCP can deny actions such as 'aws-portal:ModifyAccount' and 'aws-portal:ModifyBilling' (the legacy billing actions; newer fine-grained billing and cost management actions exist as well).

Why this answer

Option D is correct because a Service Control Policy (SCP) attached to the root OU can deny the effect of actions that modify billing preferences across all accounts in the organization. SCPs are the only mechanism that can restrict permissions for all principals (including the root user) in member accounts, and by using a Deny effect on specific billing modification actions, the security team ensures no IAM user or role can alter billing settings. This approach does not require enumerating every allowed read-only action, which avoids the risk of missing future read-only actions.

Exam trap

The trap here is that candidates confuse SCPs with IAM policies, thinking an IAM policy can be attached to an OU, or they incorrectly assume that an Allow-only SCP is the simplest way to restrict actions, when in reality a targeted Deny SCP is more precise and maintainable for blocking specific modification actions while allowing all other billing read actions by default.

How to eliminate wrong answers

Option A is wrong because an SCP that allows only read-only billing actions would require an explicit Allow statement for every read-only action, which is brittle and could inadvertently block necessary read-only actions if the list is incomplete; moreover, SCPs are deny-by-default, so an Allow-only SCP would effectively deny all other actions, but it is not the most precise or maintainable approach for this requirement. Option B is wrong because an SCP that denies all billing-related actions except read-only would require an explicit Deny for every non-read-only action, which is cumbersome and error-prone; a Deny list approach is less scalable than using a Deny on specific modification actions as in Option D. Option C is wrong because an IAM policy cannot be attached to an OU; IAM policies are attached to IAM users, groups, or roles, not to organizational units in AWS Organizations, so this option is technically invalid.

124
Multi-Selectmedium

A company wants to centrally manage IAM permissions across multiple AWS accounts using AWS Organizations. They need to allow developers to launch EC2 instances but restrict the instance types to approved families (e.g., t3 and m5). Which TWO solutions meet this requirement?

Select 2 answers
A.Use AWS Service Catalog to create a product that launches approved instances, and require developers to launch only through Service Catalog.
B.Apply a service control policy (SCP) that denies ec2:RunInstances with an ec2:InstanceType condition key that does not match approved families.
C.Deploy an AWS Config rule that triggers a Lambda function to terminate unauthorized instances.
D.Create an IAM role in each account with a policy that restricts instance types, and require developers to use that role.
E.Use AWS CloudFormation StackSets to deploy an IAM policy across accounts that denies ec2:RunInstances for non-approved types.
AnswersB, E

Prevents unauthorized instance types at the organizational level.

Why this answer

Option B is correct because an SCP applied at the root or an OU can deny ec2:RunInstances when the ec2:InstanceType condition key does not match the approved families (for example StringNotLike against t3.* and m5.*), across all accounts at once and beyond the reach of account administrators. Option E is the second answer in the key: StackSets can push a deny policy into every account; unlike an SCP it lives inside each account and binds only the principals it is attached to, so in practice it complements the SCP rather than replacing it. Option A covers only launches made through Service Catalog. Option C is detective and destructive rather than preventive. Option D is per-account manual work that relies on developers choosing the role.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that IAM roles or Service Catalog alone can enforce restrictions across all access methods without additional guardrails.

125
MCQmedium

A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?

A.Use Amazon QuickSight to create dashboards from the flow logs.
B.Use Amazon Athena to run SQL queries directly on the S3 bucket containing the flow logs.
C.Set up Amazon Kinesis Data Analytics to process the flow logs in real time.
D.Load the flow logs into Amazon Redshift and run SQL queries.
AnswerB

Athena is serverless and cost-effective for ad-hoc querying of S3 data.

Why this answer

Amazon Athena is the most cost-effective and scalable solution because it allows querying VPC flow logs directly in S3 using standard SQL without requiring data loading or infrastructure management. Athena's serverless, pay-per-query model eliminates idle costs and scales automatically to handle any volume of log data, making it ideal for ad-hoc security analysis of historical logs.

Exam trap

The trap here is that candidates may choose Redshift or Kinesis because they associate 'analysis' with traditional data warehouses or real-time processing, overlooking that Athena's serverless, pay-per-query model is the most cost-effective and scalable for ad-hoc SQL analysis of data already in S3.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a visualization tool that requires a data source; it cannot directly analyze raw VPC flow logs in S3 without an intermediate query engine like Athena, and it incurs per-session costs that are not optimal for ad-hoc analysis. Option C is wrong because Amazon Kinesis Data Analytics processes streaming data in real time, which is unnecessary and more expensive for analyzing historical VPC flow logs already stored in S3; the requirement is for batch analysis of stored logs, not real-time processing. Option D is wrong because loading VPC flow logs into Amazon Redshift involves data ingestion, storage, and compute costs even when not querying, and it requires cluster management, making it less cost-effective and more complex than Athena's serverless approach for this use case.

126
Multi-Selectmedium

A company has 100 AWS accounts in AWS Organizations. The security team wants to enforce that all Amazon S3 buckets have encryption enabled. Which TWO actions should the team take to meet this requirement? (Choose TWO.)

Select 2 answers
A.Create an SCP that denies s3:PutObject unless encryption headers are included.
B.Create an SCP that requires all objects to be uploaded with server-side encryption.
C.Enable S3 Block Public Access at the account level and use a service control policy to prevent disabling it.
D.Create an SCP that denies the s3:CreateBucket action to all accounts.
E.Use AWS Config rules to detect buckets without default encryption and auto-remediate with a Lambda function.
AnswersC, E

The answer key pairs an SCP-protected account baseline (C) with Config-driven remediation of bucket default encryption (E). Note that since January 2023 S3 applies SSE-S3 default encryption to every new bucket, so the Config rule mainly catches buckets whose encryption configuration is changed afterwards.

Why this answer

Option C is correct because enabling S3 Block Public Access at the account level keeps every bucket private, and an SCP denying s3:PutAccountPublicAccessBlock stops account administrators from turning it off. This does not enforce encryption by itself, but it is the preventive half of the pair the question expects. Option E is correct because an AWS Config rule (the managed rule s3-bucket-server-side-encryption-enabled) flags buckets without default encryption and can trigger a remediation action that enables it, deployed to all accounts through StackSets or conformance packs.

Exam trap

The trap here is Options A and B, which read like encryption enforcement. SCPs can use the s3:x-amz-server-side-encryption condition key to deny unencrypted uploads, so Option A describes a real pattern, but it governs object uploads, not whether buckets have default encryption configured, which is what the question and the Config rule are about. Option B describes a 'requirement' that SCPs have no syntax for: they deny actions under conditions rather than mandate request content.

127
MCQhard

A company uses AWS Organizations with 200 accounts. The security team wants to enforce that all EC2 instances launched in any account must use a specific Amazon Machine Image (AMI) ID that is approved by the security team. Which approach should be used?

A.Use IAM policies in each account to restrict the AMI ID
B.Use AWS Config rules with auto-remediation to stop non-compliant instances
C.Use a service control policy (SCP) that denies EC2 RunInstances unless the AMI ID matches the approved list
D.Use CloudFormation StackSets to enforce AMI IDs for all new instances
AnswerC

SCPs can centrally control which AMIs can be used across all accounts.

Why this answer

Option C is correct because an SCP can deny ec2:RunInstances unless the ec2:ImageID condition key matches the approved AMI list, in every account at once. AMI IDs are regional and change on every rebuild, so the list in the SCP needs a maintenance process of its own. Option A is wrong because per-account IAM policies must be maintained in 200 places and can be changed by account administrators. Option B is wrong because Config rules detect after launch; stopping a non-compliant instance is remediation, not prevention. Option D is wrong because CloudFormation StackSets govern only launches made through the deployed templates, not console, CLI or SDK launches.

128
MCQhard

Refer to the exhibit. A solutions architect applies this IAM policy to a user. The user tries to upload an object to my-bucket using an unencrypted HTTP connection with SSE-S3 encryption. Will the upload succeed?

A.Yes, because the Deny statement only applies to non-encrypted requests.
B.Yes, because the request uses SSE-S3 encryption which satisfies the Allow statement.
C.No, because the Deny statement blocks all HTTP requests regardless of encryption.
D.No, because the Allow statement requires HTTPS transport.
AnswerC

The Deny condition is on SecureTransport false, so any HTTP request is denied.

Why this answer

Option C is correct. The first statement denies every s3 action when aws:SecureTransport is false, which is the case for any plain HTTP request regardless of the encryption header. The second statement allows s3:PutObject only when s3:x-amz-server-side-encryption specifies SSE-S3; it says nothing about transport. Because an explicit Deny always overrides an Allow, the HTTP request with SSE-S3 matches the Deny and fails. Option A is wrong because the Deny condition is about transport, not encryption. Option B is wrong because satisfying the Allow does not help once a Deny matches. Option D is wrong because the Allow statement carries no transport condition; the denial comes from the Deny statement.
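The evaluation rules that questions 124 and 128 turn on, as an added example that is not part of the original page or of any AWS code: an explicit Deny in any policy beats an Allow, a condition whose key is missing from the request is false, and when SCPs are present the action must be allowed by both an SCP and the identity policy. The policy documents, account ID, bucket name and request contexts are constructed for the example; the condition keys are the real IAM keys the questions name.

```python
"""Minimal IAM/SCP policy evaluator (added example, not AWS code).

Rules implemented: an explicit Deny in any applicable policy wins; a condition
whose key is missing from the request context is false (except Null); when
SCPs apply, the action must be allowed by both an SCP and an identity policy.
Operators: Bool, StringEquals, StringNotEquals, StringLike, StringNotLike, Null.
All policy documents, ARNs and request contexts below are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            present = key in ctx
            actual = str(ctx[key]) if present else None
            if operator == "Null":  # "true" means the key must be absent
                if (expected[0].lower() == "true") != (not present):
                    return False
                continue
            if not present:
                return False
            if operator == "Bool":
                ok = actual.lower() == expected[0].lower()
            elif operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, p) for p in expected)
            elif operator == "StringNotLike":
                ok = not any(fnmatchcase(actual, p) for p in expected)
            else:
                raise ValueError("unsupported operator: " + operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy."""
    result = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def effective(identity_policies, scps, action, resource, ctx):
    """Combine identity policies and SCPs as AWS does for a member-account principal."""
    idv = [evaluate(p, action, resource, ctx) for p in identity_policies]
    scv = [evaluate(p, action, resource, ctx) for p in scps]
    if "Deny" in idv or "Deny" in scv:
        return "Deny"
    if "Allow" in idv and (not scps or "Allow" in scv):
        return "Allow"
    return "ImplicitDeny"


# Question 128: deny plain HTTP for all of S3, allow PutObject only with SSE-S3
S3_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
]}

# Question 124: instance-family guardrail SCP next to the default FullAWSAccess SCP
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
INSTANCE_FAMILY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.*", "m5.*"]}}}]}


def s3_upload_verdict(https, sse_header=None):
    ctx = {"aws:SecureTransport": https}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return effective([S3_USER_POLICY], [], "s3:PutObject",
                     "arn:aws:s3:::my-bucket/report.csv", ctx)


def run_instances_verdict(instance_type):
    ctx = {"ec2:InstanceType": instance_type}
    return effective([FULL_AWS_ACCESS], [FULL_AWS_ACCESS, INSTANCE_FAMILY_SCP],
                     "ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*", ctx)


if __name__ == "__main__":
    print("HTTP + SSE-S3:", s3_upload_verdict(False, "AES256"))   # Deny
    print("HTTPS + SSE-S3:", s3_upload_verdict(True, "AES256"))   # Allow
    print("HTTPS, no SSE:", s3_upload_verdict(True))              # ImplicitDeny
    print("t3.micro:", run_instances_verdict("t3.micro"))         # Allow
    print("c5.large:", run_instances_verdict("c5.large"))         # Deny
```

The third S3 case is the one exam answers rarely spell out: an HTTPS upload without the encryption header is not explicitly denied, it simply matches no Allow, and the practical result is the same 403. The evaluator ignores resource-based policies, permissions boundaries and session policies, which the real engine also consults.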

129
Multi-Selecthard

A company uses AWS Organizations with hundreds of accounts. The central IT team needs to ensure that all accounts use a standard set of network configurations, including VPC CIDR blocks and subnets. Which THREE steps should the team take to enforce this standard? (Choose THREE.)

Select 3 answers
A.Use AWS CloudFormation StackSets to deploy standard VPC and subnet configurations to all accounts.
B.Create a service control policy (SCP) that denies creation of VPCs with non-compliant CIDR blocks.
C.Create an IAM role in each account with permissions to manage VPCs.
D.Set up AWS Lambda functions to terminate noncompliant VPCs daily.
E.Use AWS Config rules to detect and report noncompliant VPCs.
AnswersA, B, E

Automates deployment of compliant infrastructure.

Why this answer

Options A, B, and E are correct: CloudFormation StackSets deploy the standard VPC and subnets to every account, an SCP denies ec2:CreateVpc for non-compliant CIDR blocks so teams cannot create their own, and Config rules detect and report anything that still drifts. Option C is wrong because an IAM role with VPC permissions grants the ability to manage VPCs but enforces no standard. Option D is wrong because terminating VPCs on a daily schedule is reactive and disruptive; the standard should be enforced at creation time.

130
MCQhard

A multinational corporation uses AWS Organizations to manage multiple accounts across different geographic regions. The company needs to ensure that all data residing in AWS accounts for a specific country remains within that country's boundaries. Which combination of AWS services and features should the company use to enforce this data residency requirement?

A.Use AWS PrivateLink and VPC endpoints to keep traffic within the country's region.
B.Use service control policies (SCPs) to deny actions in non-approved regions and AWS Config rules to audit compliance.
C.Use resource-based policies on all AWS resources to deny access from other regions.
D.Use AWS WAF and AWS Shield to protect data and enforce geographic restrictions.
AnswerB

SCPs prevent resource creation in disallowed regions; Config detects violations.

Why this answer

Option B is correct because an SCP can deny all actions when the aws:RequestedRegion condition key is outside the approved list, while a Config rule reports anything that slipped through or predates the policy. In practice the SCP uses NotAction to exempt global services (IAM, STS, Organizations, Route 53, CloudFront and similar), which are called through a single Region. Option A is wrong because PrivateLink and VPC endpoints keep traffic private but do not stop resource creation elsewhere. Option C is wrong because resource-based policies exist only on resources that already exist; they cannot prevent creation in another Region. Option D is wrong because WAF and Shield protect web traffic and have nothing to do with where data is stored.

131
MCQmedium

A company has a centralized network account that hosts a transit gateway with attachments to multiple VPCs in different accounts. The security team needs to ensure that all traffic between VPCs is inspected by a centralized NGFW appliance in the network account. What is the MOST efficient solution?

A.Use AWS PrivateLink to route traffic through the NGFW.
B.Create a transit gateway with a route table that includes a blackhole route for inter-VPC traffic, and attach an inspection VPC with the NGFW.
C.Establish VPC peering connections between all VPCs and route traffic through the inspection VPC.
D.Set up AWS Direct Connect between all VPCs and the inspection VPC.
AnswerB

This forces all inter-VPC traffic to go through the inspection VPC.

Why this answer

Option B is correct because it uses a transit gateway with a centralized inspection VPC, which allows all inter-VPC traffic to be routed through the NGFW appliance. By attaching the inspection VPC to the transit gateway and configuring route tables with blackhole routes for direct inter-VPC traffic, traffic is forced to traverse the NGFW for inspection. This is the most efficient and scalable solution for centralized traffic inspection across multiple VPCs in different accounts.

Exam trap

The trap here is that candidates often assume VPC peering (Option C) can be used for transitive routing, but VPC peering does not support transitive routing, making it impossible to route traffic through an inspection VPC to other VPCs.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink is designed for private connectivity to services via Network Load Balancers, not for routing inter-VPC traffic through a centralized NGFW; it does not support transitive routing or traffic inspection between VPCs. Option C is wrong because VPC peering does not support transitive routing, so you cannot route traffic from one peered VPC through another VPC to reach a third VPC; this would require a full mesh of peering connections and complex route tables, which is inefficient and not scalable. Option D is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a solution for routing traffic between VPCs; it does not provide inter-VPC routing capabilities and would add unnecessary cost and complexity.

132
MCQmedium

A company uses a centralized logging account with an S3 bucket that receives VPC Flow Logs from multiple accounts. The logs must be encrypted at rest using a KMS key in the logging account. Which configuration is required to allow cross-account delivery of VPC Flow Logs?

A.Add a bucket policy on the logging account's S3 bucket granting the VPC Flow Logs service principal write access, and a KMS key policy granting the same principal encrypt/decrypt permissions.
B.Create an IAM role in the logging account that can be assumed by the VPC Flow Logs service.
C.Configure the source account's S3 bucket policy to allow VPC Flow Logs to write logs and replicate them to the logging account.
D.In the source account, create a KMS key and allow the logging account to use it for encryption.
AnswerA

The service principal is 'delivery.logs.amazonaws.com' and needs both bucket and key permissions.

Why this answer

Option A is correct because the bucket policy in the logging account must allow the log delivery service principal (delivery.logs.amazonaws.com) to write objects, and the KMS key policy must allow the same principal to generate data keys and encrypt with the key; without the key policy grant, delivery to a bucket with SSE-KMS default encryption fails. Option B is wrong because VPC Flow Logs delivery to S3 does not assume an IAM role; it is authorized by the bucket policy. Option C is wrong because the source accounts have no bucket in this design; the destination is the logging account's bucket. Option D is wrong because the requirement is a key in the logging account, so a source-account key is never used.

133
MCQhard

A large enterprise has a multi-account AWS environment with over 200 accounts organized under AWS Organizations. The central platform team uses AWS CloudFormation StackSets to deploy a standard VPC with a CIDR of 10.0.0.0/16 into each account. Recently, a business unit created a new account that was not included in the StackSet deployment, and the team manually deployed the VPC using a CloudFormation template. Now, the central team wants to ensure that all accounts have exactly the same VPC configuration and that any drift is automatically corrected. The team also wants to prevent unauthorized changes to the VPC configuration. What is the MOST efficient and secure solution?

A.Create a custom Amazon EventBridge rule that catches VPC modification events and automatically re-deploys the CloudFormation stack.
B.Use AWS Service Catalog to create a VPC product and require all accounts to provision VPCs through the product.
C.Use AWS Config rules to detect VPC changes and trigger a Lambda function to revert them.
D.Enable drift detection on the StackSet and configure automatic stack drift remediation. Additionally, apply an SCP that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions unless they are performed by the StackSet's service role.
AnswerD

StackSets drift detection and SCPs provide automated correction and prevention.

Why this answer

Option D is correct because StackSets drift detection reports stack instances whose VPC resources no longer match the template so they can be brought back in line by a stack set update, and an SCP that denies the VPC-mutating actions to everyone except the StackSets execution role prevents the drift in the first place. Option A is reactive: it redeploys after a change has already happened. Option B makes Service Catalog the preferred path but cannot stop changes made directly through the EC2 API. Option C requires custom Lambda code, only reverts after the fact and is not tied to the StackSet that owns the resources.

134
MCQhard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles that grant cross-account access to a central security account. The solution must scale as new accounts are added. What should the team do?

A.Use a service control policy (SCP) to enforce the creation of the role.
B.Manually create the same IAM role in each account with a trust policy pointing to the security account.
C.Use IAM groups in the security account and grant permissions to the groups.
D.Use AWS CloudFormation StackSets to deploy the IAM role to all accounts, and enable AWS Organizations trusted access for the role.
AnswerD

StackSets automate deployment across accounts and trusted access simplifies cross-account roles.

Why this answer

Option D is correct because a StackSet with service-managed permissions (enabled through AWS Organizations trusted access for CloudFormation) deploys the role and its trust policy to every account in the target OUs and, with automatic deployment, to accounts added later, so the cross-account role exists wherever the security account needs it. Option A is wrong because SCPs restrict permissions; they do not create roles. Option B is wrong because manual creation in hundreds of accounts does not scale. Option C is wrong because IAM groups are account-local and cannot be assumed cross-account.

135
Multi-Selecthard

A company is designing a multi-account strategy for its development teams. Each team needs to have its own isolated environment with VPCs, subnets, and security groups. The company wants to centralize network administration and ensure that all VPCs use a common set of security rules. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A.Allow each team to create their own VPCs and use VPC Peering to connect them.
B.Deploy a centralized inspection VPC with AWS Network Firewall and use Transit Gateway to route traffic.
C.Create a dedicated network account and use AWS Resource Access Manager to share subnets with other accounts.
D.Use AWS CloudFormation StackSets to deploy identical VPCs to each account.
E.Use AWS Firewall Manager to apply common security group rules across all accounts.
AnswersB, C, E

This allows central inspection and control of traffic between VPCs.

Why this answer

Option B is correct because a centralized inspection VPC with AWS Network Firewall, reached through Transit Gateway, gives one point where all inter-VPC and egress traffic is inspected under one rule set. Option C is correct because a dedicated network account can own the VPCs and share subnets to workload accounts with AWS Resource Access Manager, so teams deploy into centrally administered networks rather than building their own. Option E is correct because AWS Firewall Manager pushes common security group policies, and audits non-compliant groups, across every account in the organization. Options A and D are wrong because team-built VPCs, whether peered or stamped out by StackSets, decentralize administration and leave security group rules to each account.

Exam trap

The trap here is that candidates may confuse AWS CloudFormation StackSets (which only automates resource deployment) with centralized security enforcement, overlooking the need for a hub-and-spoke architecture with a centralized inspection point like AWS Network Firewall and Transit Gateway.

136
MCQhard

A company has a multi-account environment with over 500 accounts. They need to enforce that all EC2 instances are launched only in approved instance families (e.g., t3, m5, c5). Which combination of AWS services provides the MOST scalable and effective enforcement?

A.Use a service control policy (SCP) to deny ec2:RunInstances if the instance type is not in the approved list, and use AWS CloudFormation hooks to enforce the same.
B.Use AWS CloudTrail to trigger an AWS Lambda function that terminates non-compliant instances.
C.Use AWS Systems Manager to scan instances and apply a tag for non-compliance.
D.Use AWS Config rules to detect non-compliant instances and automatically terminate them.
AnswerA

Preventive at the API level and works for CloudFormation deployments.

Why this answer

Option A is correct because the SCP denies non-compliant ec2:RunInstances calls for every principal in 500 accounts at the API level, and CloudFormation hooks reject templates that declare a non-approved type before the stack is created, so both launch paths are covered preventively. Option B is wrong because a Lambda function triggered from CloudTrail terminates instances after they have run. Option C is wrong because Systems Manager tags non-compliance after the fact and enforces nothing at launch. Option D is wrong because Config rules are detective; termination is remediation, not prevention.

137
Multi-Selectmedium

Which TWO AWS services can be used to implement a centralized logging solution across multiple AWS accounts?

Select 2 answers
A.Amazon CloudWatch Logs with cross-account log groups.
B.Amazon SQS.
C.Amazon S3 with a centralized bucket and appropriate bucket policies.
D.AWS CloudFormation.
E.Amazon Kinesis Data Firehose.
AnswersA, C

CloudWatch Logs can aggregate logs from multiple accounts.

Why this answer

Options A and C are correct. Option A: CloudWatch Logs can aggregate logs from multiple accounts through cross-account subscriptions and cross-account observability. Option C: an S3 bucket in a logging account, with a bucket policy granting the delivery services and source accounts write access, is the standard central destination for CloudTrail, VPC Flow Logs and similar logs. Option B is wrong because SQS is a messaging queue, not a log store. Option D is wrong because CloudFormation is infrastructure as code; it can deploy a logging solution but is not one. Option E is wrong in the key's framing because Kinesis Data Firehose is a delivery stream into a destination such as S3, not the central repository itself.

138 · Multi-Select · hard

A company has multiple AWS accounts and wants to ensure that all resources are tagged with a cost center tag. Which THREE steps should they take to enforce this?

Select 3 answers
A. Use AWS Organizations to define a tag policy that mandates the cost center tag.
B. Use AWS Config rules to detect untagged resources and trigger a Lambda function to add the tag.
C. Use AWS CloudFormation templates that enforce tagging and use StackSets to deploy across accounts.
D. Create a service control policy (SCP) that denies resource creation if the required tag is not present, for supported services.
E. Enable AWS Cost Explorer to report on untagged resources.
Answers: A, C, D

Tag policies can enforce tags on resources during creation and prevent non-compliant resource creation.

Why this answer

Option A is correct because AWS Organizations tag policies allow you to define rules for tagging resources across accounts in your organization. By specifying the cost center tag as mandatory in a tag policy, you can enforce that all resources must have this tag, and any non-compliant resources can be reported or prevented from being created, depending on the policy's enforcement mode.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like tag policies or SCPs), and may select option B thinking it enforces tagging, when it only remediates after the fact.

139 · MCQ · medium

A company has a multi-account AWS environment with a central logging account. All VPC Flow Logs are published to a central S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena, but they want to minimize costs by reducing the amount of data scanned. Which partitioning strategy is MOST effective?

A. Partition by region and date.
B. Partition by account ID only.
C. Partition by account ID and region.
D. Partition by date and account ID.
Answer: D

Common queries filter by date range and account, so this minimizes scanned data.

Why this answer

Option D is correct because the most common query filters are by account and date, so partitioning by date and account ID reduces the data scanned. Option A is wrong because region is less selective than account. Option B is wrong because it only includes account ID, missing date. Option C is wrong because it does not include date, which is a common filter.

140 · Multi-Select · medium

A company uses AWS Organizations and wants to implement a least-privilege model for IAM roles. The security team needs to ensure that no IAM role can be created without an approval workflow. Which THREE steps should the company take?

Select 3 answers
A. Create an AWS Lambda function that is triggered by CloudTrail events to automatically tag approved roles.
B. Use a service control policy (SCP) to deny iam:CreateRole unless a specific tag (e.g., 'Approved') is present.
C. Use AWS CloudFormation StackSets to deploy IAM roles across accounts.
D. Enable AWS CloudTrail to log all IAM role creation events.
E. Use AWS Config rules to detect roles without the 'Approved' tag and mark them as non-compliant.
Answers: A, B, E

Automates tagging after approval.

Why this answer

Options A, C, and D are correct. Option B is wrong because CloudTrail is logging, not preventive. Option E is wrong because SCPs cannot enforce approval workflows.

141 · MCQ · medium

A company wants to implement a centralized logging solution for all VPCs in their AWS Organization. They need to capture VPC Flow Logs, AWS CloudTrail logs, and DNS logs, and store them in a central Amazon S3 bucket. The logs must be encrypted with a customer-managed KMS key. Which solution meets these requirements with the least operational overhead?

A. Create an S3 bucket in the central account with KMS encryption. Configure each account to send logs to that bucket using cross-account permissions.
B. Create separate S3 buckets for each log type in the central account and configure KMS encryption. Use AWS Glue to crawl and catalog the logs.
C. Use the AWS Centralized Logging with OpenSearch Service solution, which sets up the necessary infrastructure to collect and store logs from multiple accounts in a central S3 bucket with KMS encryption.
D. Use Amazon S3 with default encryption and enable S3 Cross-Region Replication to a central bucket.
Answer: C

Automated solution reduces operational overhead.

Why this answer

Option C is correct because the AWS Centralized Logging with OpenSearch Service solution is a purpose-built, AWS-managed solution that automates the deployment of the necessary infrastructure to collect, centralize, and store VPC Flow Logs, CloudTrail logs, and DNS logs from multiple accounts into a central S3 bucket with customer-managed KMS encryption. This approach minimizes operational overhead by handling cross-account log collection, S3 bucket configuration, and KMS key integration out of the box, eliminating the need for manual setup and maintenance.

Exam trap

The trap here is that candidates often overestimate the simplicity of manual cross-account log delivery (Option A) or confuse AWS Glue's cataloging capabilities with log collection, while underestimating the operational overhead of building and maintaining such a solution from scratch versus using a purpose-built, managed solution like AWS Centralized Logging with OpenSearch Service.

How to eliminate wrong answers

Option A is wrong because, while cross-account permissions can send logs to a central bucket, this approach requires manually configuring each account's log delivery (e.g., VPC Flow Logs, CloudTrail, DNS logs) and managing cross-account KMS key policies, which introduces significant operational overhead and does not provide a centralized, automated solution. Option B is wrong because creating separate S3 buckets for each log type and using AWS Glue to crawl and catalog logs adds unnecessary complexity and cost; Glue is for data cataloging and ETL, not for log collection or cross-account aggregation, and this approach does not address the requirement to capture logs from multiple accounts. Option D is wrong because S3 default encryption uses SSE-S3, not a customer-managed KMS key, and S3 Cross-Region Replication only replicates objects after they are stored; it does not capture logs from multiple accounts or handle the initial log delivery from various AWS services.

142 · MCQ · medium

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce that all newly created accounts automatically have a specific set of security controls, including AWS Config rules and an AWS CloudTrail trail. Which solution meets these requirements with the LEAST operational overhead?

A. Use AWS Config conformance packs to deploy rules across accounts.
B. Use AWS Lambda functions triggered by AWS CloudTrail events to create a new stack in each new account.
C. Use AWS Organizations with AWS CloudFormation StackSets to automatically deploy the security stack to new accounts.
D. Use AWS Service Catalog to create a portfolio that includes the security stack and grant access to new accounts.
Answer: C

StackSets automatically deploy stacks to specified accounts and regions, including new accounts added to the organization.

Why this answer

Option C is correct because AWS Organizations can be used with AWS CloudFormation StackSets to automatically deploy and manage security configurations across accounts. Option A is wrong because AWS Config conformance packs do not automatically apply to new accounts without additional setup. Option B is wrong because custom Lambda-based scripts require ongoing maintenance. Option D is wrong because Service Catalog requires user action to provision.

143 · MCQ · medium

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

A. Use AWS CloudFormation StackSets with a stack that includes an AWS::GuardDuty::Detector resource, and apply it to the organization root OU.
B. Use AWS Service Catalog to publish a GuardDuty product and require account owners to launch it.
C. Use an SCP that denies guardduty:DeleteDetector and guardduty:UpdateDetector actions, then have each account administrator manually enable GuardDuty.
D. Use AWS Config rules to detect accounts without GuardDuty enabled and trigger a Lambda function to enable it.
Answer: A

StackSets automate deployment across accounts; the resource creates the detector.

Why this answer

Option A is correct because AWS CloudFormation StackSets can be applied to the organization root OU, automatically deploying an AWS::GuardDuty::Detector resource to every account in the organization as new accounts are created. This approach requires no manual intervention per account, and StackSets handle the lifecycle of the detector across all enabled Regions with minimal operational overhead.

Exam trap

The trap here is that candidates often choose the Config + Lambda option (D) thinking it is fully automated, but they overlook that it is reactive and incurs ongoing evaluation costs, whereas StackSets provide a proactive, single-deployment solution with lower operational overhead.

How to eliminate wrong answers

Option B is wrong because AWS Service Catalog requires account owners to manually launch the product, which does not meet the requirement for automatic enabling and adds operational overhead. Option C is wrong because an SCP that denies delete and update actions does not enable GuardDuty; it only prevents modifications after manual enabling, which still requires manual action per account. Option D is wrong because AWS Config rules and Lambda functions are reactive (detect and remediate after the fact) and incur additional complexity and cost compared to a proactive, declarative StackSets deployment.

144 · MCQ · medium

A company manages multiple AWS accounts and wants to centralize billing and cost tracking. They have enabled AWS Organizations and consolidated billing. Which additional step should they take to gain granular visibility into costs per department?

A. Enable AWS Cost Explorer and use default groupings
B. Create AWS Budgets for each department
C. Implement cost allocation tags for resources and use AWS Cost Explorer to filter by tags
D. Use the consolidated billing feature to view costs per account
Answer: C

Tags enable granular cost tracking by department.

Why this answer

Option C is correct because cost allocation tags allow you to tag AWS resources with department-specific metadata (e.g., 'Department: Engineering'). Once enabled and activated in the Billing and Cost Management console, AWS Cost Explorer can filter and group costs by these tags, providing granular visibility into per-department spending across multiple accounts in an AWS Organization. This approach directly addresses the need for department-level cost tracking beyond the account-level view provided by consolidated billing.

Exam trap

The trap here is that candidates often confuse the account-level aggregation of consolidated billing (Option D) with the resource-level granularity needed for department tracking, or they assume AWS Budgets (Option B) provide visibility rather than just alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer's default groupings (e.g., by service or linked account) do not provide department-level granularity unless custom tags or cost categories are used; relying on default groupings alone cannot break down costs by department. Option B is wrong because AWS Budgets are used to set spending thresholds and send alerts, not to provide granular visibility into historical or current cost breakdowns by department; they are a cost control mechanism, not a reporting or analysis tool. Option D is wrong because the consolidated billing feature aggregates costs at the account level, not at the department level; it cannot distinguish costs for resources within a single account that belong to different departments.

145 · Multi-Select · medium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in the organization are encrypted at rest. Which TWO approaches can the company use to achieve this? (Choose TWO.)

Select 2 answers
A. Attach a bucket policy to each bucket that denies PutObject without encryption.
B. Create a service control policy (SCP) that denies s3:CreateBucket unless the bucket has default encryption enabled.
C. Create an IAM policy that denies s3:PutObject unless encryption is specified.
D. Enable S3 Block Public Access at the organization level.
E. Use AWS Config rules to detect S3 buckets without encryption and automatically apply encryption.
Answers: B, E

Prevents creation of unencrypted buckets.

Why this answer

Options B and E are correct. An SCP can deny creation of unencrypted buckets, and Config can detect noncompliant buckets. Option A is wrong because bucket policies can be bypassed by bucket owners. Option C is wrong because IAM policies are per-account and may not cover all principals. Option D is wrong because S3 Block Public Access does not address encryption.

146 · MCQ · medium

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

A. Deploy AD in two Regions and use a VPN connection between the VPCs to replicate data.
B. Deploy a single AD domain in one Region and use AD replication over a VPC peering connection to a second Region.
C. Deploy AD in two Regions, attach both VPCs to the transit gateway, and enable cross-Region transit gateway peering. Use route tables to direct AD traffic through the inspection VPC.
D. Deploy AD in two Regions, attach both VPCs to a transit gateway in the primary Region, and use a transit gateway inter-Region peering attachment. Configure route tables to force traffic through the inspection VPC in the primary Region.
Answer: D

This ensures all inter-Region AD traffic is routed through the inspection VPC for firewall inspection.

Why this answer

Option D is correct because it uses a transit gateway in the primary Region with an inter-Region peering attachment to the secondary Region, allowing AD traffic to be routed through the inspection VPC in the primary Region for firewall inspection. This meets the security policy requirement that all cross-Region AD traffic must traverse the transit gateway and be inspected by the third-party firewall appliance.

Exam trap

The trap here is that candidates may think cross-Region transit gateway peering alone satisfies the inspection requirement, but without explicit route table configuration to direct traffic through the inspection VPC, the traffic will bypass the firewall.

How to eliminate wrong answers

Option A is wrong because a VPN connection between VPCs does not provide the required transit gateway routing or inspection VPC integration; it also introduces additional latency and complexity without meeting the inspection requirement. Option B is wrong because a single AD domain with VPC peering does not support cross-Region AD replication natively (AD replication requires direct connectivity or VPN, and VPC peering alone cannot enforce inspection by a third-party firewall in a separate inspection VPC). Option C is wrong because attaching both VPCs to the transit gateway and enabling cross-Region transit gateway peering does not force AD traffic through the inspection VPC; route tables must be explicitly configured to direct traffic through the inspection VPC, and the description in C lacks the necessary detail about routing through the inspection VPC in the primary Region.

147 · Multi-Select · medium

A company uses AWS Organizations and wants to centrally manage Amazon GuardDuty across all accounts. Which TWO steps are required to enable GuardDuty in all accounts from a single management account?

Select 2 answers
A. Use AWS CloudFormation StackSets to deploy GuardDuty in each account
B. Enable GuardDuty manually in each member account by logging into each account
C. Create a service control policy to force GuardDuty to be enabled
D. Use the GuardDuty delegated administrator account to enable GuardDuty for all accounts in the organization
E. Designate a member account as the GuardDuty delegated administrator
Answers: D, E

Delegated administrator can enable GuardDuty across all accounts via API.

Why this answer

Option D is correct because AWS Organizations allows you to designate a GuardDuty delegated administrator account, which can then enable GuardDuty for all member accounts in the organization with a single API call or via the console. This eliminates the need to manually enable GuardDuty in each account, as the delegated administrator manages the service centrally across the entire organization.

Exam trap

The trap here is that candidates often confuse service control policies (SCPs) with proactive enforcement, but SCPs only restrict permissions and cannot automatically enable a service; they also overlook that CloudFormation StackSets cannot enable a service like GuardDuty, which requires a specific API action rather than resource deployment.

148 · MCQ · medium

A company uses AWS Organizations and wants to enable cost allocation across business units using tags. They require that all resources are tagged with a 'CostCenter' tag. What is the most effective way to enforce this?

A. Create an IAM policy in each account that requires the CostCenter tag.
B. Use AWS Config rules to identify untagged resources and automatically tag them.
C. Create a tag policy in AWS Organizations that requires the CostCenter tag on resources.
D. Use an SCP to deny resource creation if the CostCenter tag is missing.
Answer: C

Tag policies centrally enforce tagging rules across all accounts.

Why this answer

Option C is correct because AWS Organizations has a tag policy feature that can enforce tags on resources during creation. Option A is wrong because IAM policies can enforce tagging but require per-account configuration. Option B is wrong because AWS Config can detect but not enforce. Option D is wrong because SCPs can deny creation without tags, but tag policies are more specific.

149 · MCQ · hard

Refer to the exhibit. A company has an SCP named 'DenyOutsideRegions' attached to the root OU. The SCP is intended to deny all actions outside us-east-1 and eu-west-1. However, users in a member account are still able to launch EC2 instances in ap-southeast-1. What is the most likely reason?

A. The SCP is not applied to the root user of the member account.
B. The SCP cannot restrict actions based on region.
C. The SCP policy document does not contain a Deny statement for the regions.
D. The SCP is overridden by an Allow policy attached to the account.
Answer: C

The exhibit only shows the policy metadata, not the content.

Why this answer

Option C is correct because the exhibit shows only the list of policies; the actual policy content (the statement) is not displayed. It is possible that the SCP does not contain the intended Deny rule or has an Allow effect that overrides it. Option A is wrong because SCPs affect all users, including root. Option B is wrong because SCPs can deny actions based on region conditions. Option D is wrong because SCPs apply to all services uniformly unless specified otherwise.

150 · Multi-Select · medium

A company is managing multiple AWS accounts using AWS Organizations. They want to centralize the management of EC2 instances and enforce tagging standards across all accounts. Which TWO approaches should they use?

Select 2 answers
A. Use AWS CloudFormation StackSets to deploy AWS Config rules across all accounts to check for required tags.
B. Use AWS Service Catalog to enforce tagging on EC2 products.
C. Use AWS Resource Access Manager to share a tagging policy across accounts.
D. Apply a service control policy (SCP) that denies ec2:RunInstances if the required tags are not specified.
E. Use EC2 Auto Scaling lifecycle hooks to add tags automatically.
Answers: A, D

Config rules can enforce tagging compliance.

Why this answer

Option A is correct because AWS Config rules can be deployed via CloudFormation StackSets across all accounts in an AWS Organization to continuously check for required tags on EC2 instances, enabling centralized enforcement of tagging standards. Option D is correct because a service control policy (SCP) can deny the ec2:RunInstances action if required tags are not present in the request, using the ec2:ResourceTag condition key to enforce tagging at the API level before the instance is created.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog's tagging enforcement as a global solution, not realizing it only applies to products launched through the catalog, not to direct EC2 API calls across accounts.
