CCNA Design Solutions for Organizational Complexity Questions

75 of 455 questions · Page 4/7 · Design Solutions for Organizational Complexity · Answers revealed

226
MCQ · hard

A company uses AWS Organizations with 50 accounts. The central IT team wants to deploy a CloudFormation stack set to create a VPC with a CIDR of 10.0.0.0/16 in each account, but the VPC CIDR must not overlap with existing VPCs in each account. What is the most scalable and automated approach?

A. Use AWS Service Catalog to create a product that deploys the VPC, and share the portfolio with each account.
B. Create a StackSet that references an Amazon S3 bucket containing a JSON file with account-specific parameters, including unique CIDR blocks for each account.
C. Write a custom AWS Lambda function that iterates through each account and deploys the CloudFormation template with a different CIDR.
D. Create a StackSet with a single parameter for the CIDR block and deploy it to all accounts.
Answer: B

This allows each account to have a unique CIDR without manual intervention.

Why this answer

Option B is correct because AWS CloudFormation StackSets can use account-specific parameters via a parameter file in Amazon S3, allowing each account to have a unique CIDR. Option D is wrong because it uses a single CIDR for all accounts, causing overlap. Option A is wrong because AWS Service Catalog does not handle dynamic CIDR assignment across many accounts.

Option C is wrong because a custom Lambda function per account is not scalable.

227
Multi-Select · medium

A company wants to implement a data perimeter to ensure that only authorized accounts can access their S3 buckets. Which TWO steps should they take?

Select 2 answers
A. Use SCPs to deny access from external accounts.
B. Use VPC endpoints with bucket policies.
C. Use S3 bucket policy with aws:SourceAccount condition.
D. Enable CloudTrail to log access.
E. Use AWS Network Firewall.
Answers: A, C

Prevents access from accounts outside the organization.

Why this answer

Option C is correct because a bucket policy with the aws:SourceAccount condition ensures that only specific accounts can access the bucket. Option A is correct because SCPs can deny access from outside the organization. Option D is wrong because CloudTrail only logs access.

Option B is wrong because it is about VPC endpoints, not account authorization. Option E is wrong because AWS Network Firewall is a network perimeter control, not an account-level one.

228
MCQ · medium

A company has multiple AWS accounts and wants to use AWS CloudFormation StackSets to deploy a common set of resources across all accounts. The StackSet should be managed from the management account. What permissions are required?

A. Create IAM users in target accounts with AdministratorAccess.
B. Create an IAM role in each target account with a trust policy allowing the management account to assume it.
C. Use a CloudFormation service role in the management account.
D. Apply an SCP to allow CloudFormation actions across accounts.
Answer: B

StackSets assume this role to deploy resources.

Why this answer

Option B is correct because StackSets require an IAM role in each target account that the management account can assume. Option A is wrong because StackSets use roles, not user credentials. Option C is wrong because a CloudFormation service role is for stack operations within an account, not cross-account deployment.

Option D is wrong because SCPs cannot grant permissions.

229
MCQ · hard

A company uses AWS Config to evaluate resource compliance across multiple accounts. The security team wants to automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Which solution is MOST scalable and secure?

A. Create a Lambda function in each account that periodically checks Config rules and triggers remediation.
B. Set up Amazon CloudWatch Events rules in each account to detect Config compliance changes and invoke remediation Lambda functions.
C. Enable AWS Config rules with automatic remediation using SSM Automation documents in each account, and use an AWS Config aggregator to monitor compliance across all accounts.
D. Use AWS Organizations service control policies to automatically remediate non-compliant resources.
Answer: C

This leverages Config's built-in remediation and provides centralized monitoring.

Why this answer

Option C is correct because it leverages AWS Config's native automatic remediation feature, which directly associates SSM Automation documents with Config rules to remediate non-compliant resources as soon as they are detected. This approach is scalable as it operates within each account without requiring custom Lambda functions or external triggers, and it is secure because remediation actions are defined and controlled by the SSM Automation documents, which can be centrally managed. The use of an AWS Config aggregator provides a single-pane-of-glass view across all accounts for monitoring compliance, meeting the security team's requirements efficiently.

Exam trap

The trap here is that candidates often confuse AWS Config's automatic remediation with custom event-driven approaches (like Lambda or CloudWatch Events) or mistakenly think SCPs can remediate resources, when in fact SCPs only prevent non-compliant actions from being taken, not fix existing non-compliant resources.

How to eliminate wrong answers

Option A is wrong because periodically checking Config rules with a Lambda function introduces latency and inefficiency, as it relies on polling rather than event-driven detection, and it requires managing Lambda functions in every account, which is less scalable and secure than using native Config remediation. Option B is wrong because while CloudWatch Events (now Amazon EventBridge) can detect compliance changes, invoking a Lambda function for remediation adds unnecessary complexity and custom code, whereas AWS Config's built-in automatic remediation is more direct and secure, eliminating the need for additional event processing. Option D is wrong because AWS Organizations service control policies (SCPs) are used to restrict permissions and enforce guardrails, not to automatically remediate non-compliant resources; SCPs cannot trigger remediation actions on existing resources.

230
MCQ · easy

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail. They want to ensure that logs are immutable and cannot be deleted or modified by any user, including the root user. Which S3 feature should be enabled?

A. S3 Object Lock in compliance mode.
B. S3 Versioning with a lifecycle policy.
C. S3 bucket policy denying s3:DeleteObject.
D. S3 MFA Delete.
Answer: A

Compliance mode prevents any user from deleting objects.

Why this answer

Option A is correct because S3 Object Lock in compliance mode prevents any user from overwriting or deleting objects for the specified retention period. Option D is wrong because MFA Delete does not prevent root user deletion. Option C is wrong because bucket policies can be changed.

Option B is wrong because versioning alone does not prevent deletion.

231
MCQ · easy

A company is designing a multi-account strategy for its development, testing, and production environments. The security team requires that all accounts share a centralized logging solution. Which approach meets this requirement with the LEAST administrative overhead?

A. Configure each account to write logs to its own S3 bucket and use AWS Glue to copy them to a central bucket.
B. Use AWS CloudTrail to deliver logs to a central S3 bucket in the logging account.
C. Use Amazon CloudWatch Logs in each account and view logs from a central account via cross-account access.
D. Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon OpenSearch Service.
Answer: B

CloudTrail can deliver logs from all accounts to a single bucket through a trail with organization-level settings.

Why this answer

Option B is correct because it centralizes logs with minimal overhead. Option A is wrong because separate buckets require more management. Option C is wrong because CloudWatch Logs in each account lacks centralization.

Option D is wrong because Kinesis Data Firehose adds unnecessary complexity.

232
Multi-Select · medium

A company is using AWS Organizations and wants to delegate administration of Amazon GuardDuty to a member account. Which of the following are required? (Choose TWO.)

Select 2 answers
A. The delegated administrator must be the management account.
B. Register the member account as a delegated administrator for GuardDuty.
C. Enable GuardDuty in the management account.
D. Create an SCP that allows GuardDuty actions in the member account.
E. Enable GuardDuty in all member accounts.
Answers: B, C

Delegation is done via the management account.

Why this answer

Options B and C are correct. Option D is wrong because GuardDuty does not require an SCP. Option E is wrong because the service must be enabled in the management account, not in every member account.

Option A is wrong because the delegated administrator account is a member account, not the management account.

233
MCQ · medium

A company is implementing a multi-account strategy using AWS Organizations. They need to centralize logging of all API calls across accounts. Which solution meets this requirement with the least operational overhead?

A. Enable CloudWatch Logs in each account and stream to a central log group.
B. Create a CloudTrail trail in each account and aggregate logs to a central S3 bucket.
C. Create an organization trail in the management account with CloudTrail.
D. Enable S3 server access logs on all accounts and send to a central bucket.
Answer: C

An organization trail automatically logs all accounts, minimizing overhead.

Why this answer

Option C is correct because AWS CloudTrail can be configured in the management account to log all accounts in the organization. Option B is wrong because it requires creating trails in each account manually. Option A is wrong because CloudWatch Logs does not capture API calls.

Option D is wrong because S3 access logs record S3 operations only.

234
MCQ · easy

A company uses AWS Organizations with multiple accounts. The central IT team wants to restrict the use of specific EC2 instance types across all accounts to control costs. Which approach should the team use?

A. Use AWS Budgets to send alerts when costs exceed a threshold.
B. Configure Amazon CloudWatch Events to detect launches and terminate instances.
C. Attach an IAM policy to each account's root user to deny the ec2:RunInstances action for certain instance types.
D. Create a service control policy (SCP) that denies the ec2:RunInstances action for prohibited instance types and apply it to the organization.
Answer: D

SCPs apply to all accounts in the organization.

Why this answer

Option D is correct because SCPs can deny the launch of specific EC2 instance types. Option C is wrong because IAM policies are per-account and not inherited. Option A is wrong because billing alerts do not prevent launches.

Option B is wrong because CloudWatch Events can only trigger notifications, not deny actions.

235
MCQ · easy

A startup is deploying a multi-account AWS environment using AWS Organizations. They have a central logging account where all VPC Flow Logs and CloudTrail logs are stored in an S3 bucket. The security team requires that all accounts in the organization, including future accounts, automatically send logs to this central bucket. They also want to prevent any account from disabling logging. Which solution meets these requirements?

A. Set up VPC Flow Logs at the VPC level and CloudTrail at the account level, then use Lambda to copy logs to the central bucket.
B. Use AWS Config rules to detect when logs are not being sent and automatically re-enable logging.
C. Create an organization trail in CloudTrail and store logs in the central bucket. Attach an SCP to the root that denies s3:PutBucketPolicy for the central bucket.
D. Create individual trails per account and use S3 cross-region replication to copy logs to the central bucket.
Answer: C

An organization trail automatically applies to all accounts; the SCP prevents disabling logging by blocking bucket policy changes.

Why this answer

AWS Organizations allows you to create service control policies (SCPs) that can deny actions across accounts. Using an SCP to deny the s3:PutBucketPolicy action on the central bucket ensures that no account can change the bucket policy to block log delivery. Additionally, enabling CloudTrail for all regions and all accounts with an organization trail ensures automatic log delivery.

Option C is correct.

236
MCQ · hard

A company has a multi-account AWS environment with centralized logging. The security team wants to ensure that all VPC Flow Logs are published to a central S3 bucket in the logging account. Which combination of steps should be taken to achieve this?

A. Use Amazon Kinesis Data Firehose in each account to stream logs to the central S3 bucket.
B. Create VPC Flow Logs in each account with a custom S3 bucket ARN in the logging account, and configure the bucket policy to allow log delivery from source accounts.
C. Create VPC endpoints in each account to connect to the central S3 bucket.
D. Create VPC Flow Logs in each account and publish to a central CloudWatch Logs group.
Answer: B

VPC Flow Logs support cross-account delivery to S3 with an appropriate bucket policy.

Why this answer

Option B is correct because VPC Flow Logs can be published directly to an S3 bucket in another account by specifying the bucket ARN in the logging account. The bucket policy must grant the `s3:PutObject` permission to the log delivery service principal (`delivery.logs.amazonaws.com`) for the source accounts, enabling cross-account log delivery without intermediate services.

Exam trap

The trap here is that candidates assume cross-account S3 delivery requires a VPC endpoint or a streaming service like Firehose, but AWS natively supports direct cross-account S3 delivery for VPC Flow Logs via bucket policies.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Firehose adds unnecessary complexity and cost; VPC Flow Logs can natively deliver to S3 without requiring Firehose. Option C is wrong because VPC endpoints provide private connectivity to S3 but do not enable cross-account log delivery; the bucket policy is the mechanism for cross-account access. Option D is wrong because publishing to a central CloudWatch Logs group does not place logs in the central S3 bucket as required, and CloudWatch Logs is not the target specified in the question.

237
MCQ · medium

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a specific member account. What must be done?

A. Create an IAM role in the member account with permissions to manage Identity Center.
B. Use the AWS Organizations console to register the member account as a delegated administrator for IAM Identity Center.
C. Attach an SCP to the member account allowing Identity Center actions.
D. Create a new user in the management account with admin privileges.
Answer: B

This grants the member account admin rights over Identity Center.

Why this answer

To delegate administration of IAM Identity Center to a specific member account in AWS Organizations, you must register that account as a delegated administrator using the AWS Organizations console or API. This grants the member account the necessary permissions to manage Identity Center settings, users, and groups without requiring the management account to perform all tasks. Option B is correct because it follows the official AWS mechanism for delegating administrative control of Identity Center to a member account.

Exam trap

The trap here is that candidates often confuse delegating administration with simply granting IAM permissions via roles or SCPs, not realizing that AWS requires a specific registration process through Organizations to enable delegated administration for Identity Center.

How to eliminate wrong answers

Option A is wrong because creating an IAM role in the member account with permissions to manage Identity Center does not establish the required delegation relationship; Identity Center delegation must be registered at the Organizations level, not via a local IAM role. Option C is wrong because attaching a service control policy (SCP) to the member account only restricts or allows actions at the account level but does not delegate administrative authority for Identity Center; SCPs are for permission boundaries, not delegation. Option D is wrong because creating a new user in the management account with admin privileges does not delegate administration to a member account; it keeps all control in the management account and does not enable the member account to manage Identity Center independently.

238
MCQ · hard

A company has a central IT team that manages AWS resources for multiple business units using AWS Organizations. Each business unit has its own OU. The central team needs to allow each OU's administrators to manage their own IAM roles and policies, but prevent them from modifying the OU structure or creating new accounts. Which IAM policy should be attached to the administrators in the management account?

A. A policy that denies all IAM and organization actions except for viewing.
B. A policy that allows all IAM actions and denies organizations:CreateAccount and organizations:UpdateOrganizationalUnit.
C. A policy that allows organizations:* and iam:* except for DeleteOrganization and RemoveAccountFromOrganization.
D. A policy that allows iam:* and denies organizations:CreateAccount, organizations:CreateOrganizationalUnit, organizations:UpdateOrganizationalUnit, and organizations:DeleteOrganizationalUnit.
Answer: D

This allows IAM management while denying organization structure changes.

Why this answer

Option D is correct because it explicitly denies the organizational-level actions that could modify the OU structure or create accounts, while allowing other IAM actions. Option B still allows OU structure changes, violating the restriction. Option A denies all IAM actions, preventing any management.

Option C allows full organization management, which is too permissive.

239
Multi-Select · medium

A company uses AWS Organizations and wants to centralize Amazon VPC IP Address Manager (IPAM) across multiple accounts. Which TWO steps are required to enable cross-account IPAM?

Select 2 answers
A. Create a PrivateLink endpoint for IPAM.
B. Enable VPC sharing in each member account.
C. Share the IPAM pool using AWS Resource Access Manager (RAM).
D. Set up AWS Direct Connect between accounts.
E. Delegate an administrator account for IPAM.
Answers: C, E

RAM enables sharing IPAM pools across accounts.

Why this answer

Option C is correct because AWS Resource Access Manager (RAM) is the service used to share IPAM pools across accounts in an AWS Organization. Sharing the pool allows member accounts to allocate CIDRs from the centrally managed pool without needing direct access to the management account. This enables centralized IP address management while maintaining account isolation.

Exam trap

The trap here is that candidates confuse IPAM pool sharing (which uses RAM) with VPC sharing or network connectivity services like Direct Connect, leading them to select irrelevant options that address different aspects of multi-account networking.

240
MCQ · hard

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs to ensure that all accounts use a specific set of IAM roles for cross-account access. What is the most scalable way to enforce this?

A. Use AWS Config rules to detect non-compliant roles and send alerts.
B. Deploy the IAM roles using AWS CloudFormation StackSets.
C. Request each business unit to create the required IAM roles manually.
D. Apply an SCP that denies iam:CreateRole unless the role has the required trust policy.
Answer: D

SCPs can enforce conditions on role creation centrally.

Why this answer

Option D is correct because SCPs can deny the creation of IAM roles that do not match the required trust policy, enforcing the use of specific roles. Option C is wrong because it relies on manual setup of IAM roles in each account. Option B is wrong because AWS CloudFormation StackSets can deploy the roles but cannot prevent creation of non-compliant roles.

Option A is wrong because AWS Config can detect but not prevent.

241
MCQ · easy

A company wants to allow developers to assume a role in a production account from their development account using AWS IAM. What is needed for this cross-account access?

A. A role in the dev account with permissions to access production resources.
B. An IAM user in the production account with permissions to switch roles.
C. A role in the production account with a trust policy allowing the dev account, and an IAM policy in the dev account allowing sts:AssumeRole.
D. An SCP that allows sts:AssumeRole from the dev account.
Answer: C

This is the standard cross-account role access setup.

Why this answer

Option C is correct because cross-account access requires both a trust policy in the production account allowing the dev account to assume the role, and an IAM policy in the dev account granting sts:AssumeRole. Option D is wrong because SCPs are not used for cross-account role assumption. Option B is wrong because roles are assumed, not users.

Option A is wrong because the role must exist in the target (production) account.

242
MCQ · hard

A company uses AWS Organizations and wants to implement a data perimeter across all accounts to ensure that data can only be accessed from approved networks. Which combination of controls should be used to enforce this perimeter?

A. Use S3 bucket policies with aws:SourceIp condition.
B. Use AWS Config rules to detect and alert on non-compliant access.
C. Use network ACLs in each VPC.
D. Use service control policies with aws:SourceIp and aws:SourceVpc conditions.
Answer: D

SCPs can deny access from unapproved networks across all services.

Why this answer

Service control policies (SCPs) in AWS Organizations can enforce a data perimeter by restricting access based on network origin using the `aws:SourceIp` and `aws:SourceVpc` condition keys. This approach works across all accounts in the organization, ensuring that only requests from approved networks (e.g., specific IP ranges or VPCs) are allowed, regardless of individual account configurations.

Exam trap

The trap here is that candidates often confuse resource-level policies (like S3 bucket policies) with organization-wide controls (SCPs), or they mistake detective controls (AWS Config) for preventive controls, leading them to choose options that only partially address the requirement or are reactive rather than proactive.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies with `aws:SourceIp` only apply to S3 resources and cannot enforce a data perimeter across all accounts or services; they are resource-specific, not organization-wide. Option B is wrong because AWS Config rules are detective controls that alert on non-compliant access after it occurs, not preventive controls that block unauthorized access. Option C is wrong because network ACLs operate at the subnet level within a single VPC and cannot enforce policies across multiple accounts or control access to services outside the VPC (e.g., S3 via public endpoints).

243
MCQ · hard

A company uses AWS Organizations with hundreds of accounts. The security team wants to ensure that no account can disable AWS CloudTrail or delete CloudTrail log files. Which preventive control should be implemented?

A. Use AWS Config rules to detect and remediate any changes to CloudTrail configurations.
B. Apply a service control policy (SCP) that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
C. Create an IAM policy that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail for all IAM users.
D. Apply a resource-based policy to the CloudTrail trail that denies these actions.
Answer: B

SCPs can restrict actions across all accounts in the organization.

Why this answer

Option B is correct because a service control policy (SCP) can deny the actions that disable CloudTrail or delete trails across every account. Option C is wrong because IAM permissions only apply within an account. Option D is wrong because CloudTrail is not a resource that can be protected by a resource-based policy in this context.

Option A is wrong because AWS Config is a detective control.

244
Multi-Select · medium

A company is planning to migrate its on-premises workload to AWS. The workload consists of a stateful web application that requires a static IP address for whitelisting by third-party services. The company will use a multi-AZ deployment. Which TWO services should be used together to meet these requirements?

Select 2 answers
A. Amazon Route 53
B. Amazon CloudFront
C. Network Load Balancer (NLB)
D. Application Load Balancer (ALB)
E. AWS Global Accelerator
Answers: C, D

NLB can provide static IP addresses for whitelisting.

Why this answer

A Network Load Balancer (NLB) provides a static IP address per Availability Zone, which can be whitelisted by third-party services. It operates at Layer 4 and can handle stateful web application traffic without modifying the source IP, preserving client IP visibility for the application. Combined with a multi-AZ deployment, the NLB ensures high availability and a fixed IP endpoint for external whitelisting.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator's static IPs with NLB's static IPs, but Global Accelerator is optimized for global traffic and adds unnecessary complexity and cost for a single-region multi-AZ deployment where per-AZ static IPs are sufficient for whitelisting.

245
MCQ · easy

A company wants to use AWS Systems Manager to automate patching of EC2 instances across multiple AWS accounts. What is the most efficient way to manage this centrally?

A. Use AWS Systems Manager Patch Manager in the management account.
B. Use AWS Systems Manager Quick Setup to configure patching across accounts.
C. Use AWS Systems Manager Automation documents in each account.
D. Use AWS Config rules to trigger patching in each account.
Answer: B

Quick Setup provides centralized configuration across accounts in an organization.

Why this answer

Option B is correct because Systems Manager Quick Setup can configure patching across accounts from a central management account. Option C is wrong because Systems Manager Automation documents alone do not handle multi-account management. Option A is wrong because Systems Manager Patch Manager is a component, not a multi-account solution.

Option D is wrong because AWS Config is for compliance, not patching.

246
MCQ · medium

A company is using AWS Organizations with consolidated billing. The company has a production account and a development account. The security team needs to ensure that developers cannot create IAM users in the development account. Which option is the MOST effective?

A. Apply an SCP to the development account that denies iam:CreateUser.
B. Create an IAM group for developers with a policy that denies iam:CreateUser.
C. Enable AWS CloudTrail to monitor iam:CreateUser calls.
D. Attach an IAM policy to each developer user that denies iam:CreateUser.
Answer: A

SCPs are effective even for users with full administrative permissions.

Why this answer

Option A is correct because an SCP can deny the iam:CreateUser action in the development account. Option D is wrong because IAM policies attached to developers only affect their user permissions; developers with admin privileges can bypass them. Option B is wrong because IAM group policies can be bypassed if users have other permissions.

Option C is wrong because CloudTrail only logs, it does not prevent.

247
Multi-Select · hard

A company has a multi-account AWS environment with hundreds of accounts. They need to enforce that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. Which TWO actions should be taken to ensure compliance across the organization?

Select 2 answers
A. Enable CloudTrail organization trail from the management account.
B. Create an AWS Lambda function in each account to enable CloudTrail.
C. Attach an SCP that requires CloudTrail to be enabled.
D. Create an AWS Config rule to detect accounts without CloudTrail.
E. Use AWS CloudFormation StackSets with service-managed permissions to deploy a CloudTrail trail to all accounts.
Answers: A, E

Organization trails automatically apply to all accounts.

Why this answer

Option A is correct because enabling an organization trail from the management account automatically creates a CloudTrail trail for all accounts in the AWS Organization, including future accounts, without requiring per-account configuration. This ensures centralized logging to a single S3 bucket and enforces compliance across the entire organization.

Exam trap

The trap here is confusing detective controls (like AWS Config rules) with preventive or automated enforcement mechanisms, leading candidates to choose Option D instead of recognizing that organization trails provide native, automatic compliance.

248
MCQ · hard

A global company with a centralized IT team manages AWS resources across 50 accounts using AWS Control Tower. The team wants to deploy a new VPC with a specific CIDR block in each account in the same AWS Region. The VPC must have identical configuration across accounts. Which approach is the MOST efficient and meets the requirement?

A. Use AWS CloudFormation templates manually triggered in each account.
B. Create a VPC in one account and share it with other accounts using AWS Resource Access Manager (RAM).
C. Use AWS Control Tower account factory and AWS CloudFormation StackSets to deploy the VPC across all accounts.
D. Use AWS Organizations to create the VPC in each account via an SCP.
Answer: C

Control Tower account factory with StackSets automates deployment of identical resources across accounts.

Why this answer

Option C is correct because AWS Control Tower's Account Factory combined with AWS CloudFormation StackSets enables automated, centralized deployment of identical VPC configurations across all 50 accounts in the same Region. StackSets allow you to deploy a CloudFormation template to multiple accounts and Regions from a single administrator account, ensuring consistency without manual intervention.

Exam trap

The trap here is confusing AWS Resource Access Manager (RAM) for creating separate VPCs in each account versus sharing a single VPC, and misunderstanding that SCPs only control permissions, not resource creation.

How to eliminate wrong answers

Option A is wrong because manually triggering CloudFormation templates in each account is inefficient, error-prone, and does not scale to 50 accounts, violating the 'most efficient' requirement. Option B is wrong because sharing a VPC via AWS Resource Access Manager (RAM) does not create a separate VPC in each account; it shares a single VPC, which does not meet the requirement of deploying a VPC in each account. Option D is wrong because AWS Organizations Service Control Policies (SCPs) are used to restrict permissions, not to create resources like VPCs; SCPs cannot deploy infrastructure.

249
MCQ · medium

Refer to the exhibit. A company applies this SCP to an OU. However, users in the OU are still able to upload objects to S3 without encryption. What is the most likely reason?

A. The users are using SSE-S3 encryption (AES256).
B. The SCP is missing a Deny for s3:PutObject without any encryption header.
C. The users are using SSE-C encryption.
D. The users are uploading objects using the Multipart Upload API, which uses the s3:UploadPart action.
Answer: D

The SCP only denies s3:PutObject, not s3:UploadPart.

Why this answer

Option D is correct. The SCP denies s3:PutObject whenever the encryption header is not AES256. Because the condition is StringNotEquals, it matches both a missing header and any other value such as aws:kms, so ordinary unencrypted PutObject calls are denied, while uploads with SSE-S3 (AES256) are allowed.

Since users can nevertheless upload unencrypted objects, the Deny is not being applied to their requests. The most likely reason is that they are using the Multipart Upload API, whose parts are written with the s3:UploadPart action rather than s3:PutObject, so the SCP does not cover those uploads.

Option A is wrong because SSE-S3 (AES256) uploads are encrypted and would be allowed, which does not explain unencrypted objects. Option B is wrong because the existing condition already denies s3:PutObject when no encryption header is present. Option C is wrong because SSE-C is also not AES256, so those uploads would be denied by the SCP.

250
MCQmedium

A company has a multi-account AWS environment with a centralized security account. The security team needs to have read-only access to all Amazon S3 buckets across all accounts for auditing purposes. Which solution is the MOST secure and scalable?

A.Create an IAM role in each account with read-only S3 permissions and a trust policy that allows the security account to assume the role.
B.Attach a bucket policy to each S3 bucket that grants read-only access to the security team's IAM user in the security account.
C.Use the root user of each account to access the buckets.
D.Create an IAM user in each account with read-only S3 permissions and share the credentials with the security team.
AnswerA

This provides scalable and secure cross-account access.

Why this answer

Option A is correct because it uses IAM roles with cross-account trust policies, which is the most secure and scalable approach for granting read-only S3 access across multiple accounts. The security account assumes the role in each target account, avoiding long-term credentials and allowing centralized control via AWS Organizations or manual role creation.

Exam trap

The trap here is that candidates may choose Option B thinking bucket policies are simpler, but they overlook the scalability and maintenance burden of managing individual bucket policies across hundreds or thousands of buckets, and the fact that bucket policies do not support cross-account access without explicitly listing the principal ARN, which is less flexible than IAM roles.

How to eliminate wrong answers

Option B is wrong because attaching bucket policies to each S3 bucket individually is not scalable for large environments and requires managing policies per bucket, which can lead to policy size limits and complexity. Option C is wrong because using root users violates the principle of least privilege, is not auditable, and is insecure due to shared static credentials. Option D is wrong because creating IAM users in each account with shared credentials introduces long-term access keys that must be rotated and managed, increasing security risk and operational overhead compared to role-based access.

251
Multi-Selectmedium

Which TWO actions improve the security of an S3 bucket that stores sensitive data?

Select 2 answers
A.Enable default encryption with SSE-S3 or SSE-KMS.
B.Block all public access using the S3 Block Public Access feature.
C.Enable S3 Transfer Acceleration.
D.Configure a lifecycle policy to transition objects to Glacier.
E.Enable S3 Select to filter data.
AnswersA, B

Encrypts objects at rest.

Why this answer

Options A and B are correct. Option A: enabling default server-side encryption protects data at rest. Option B: blocking public access prevents unintended exposure.

Option C is wrong because S3 Transfer Acceleration speeds up transfers and does not provide security. Option D is wrong because lifecycle policies manage storage classes, not security. Option E is wrong because S3 Select is for querying data, not security.

252
MCQhard

A multinational corporation is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs in different AWS Regions, and all VPCs must be able to authenticate against the same directory. The directory must be highly available and support automatic failover. What is the MOST operationally efficient solution?

A.Use AWS Directory Service AD Connector in each VPC and point to an on-premises Active Directory.
B.Deploy AWS Managed Microsoft AD in each Region using multi-Region replication. Configure the directory as a global directory.
C.Deploy AWS Managed Microsoft AD in one Region. Create VPC peering connections to all other VPCs.
D.Deploy AWS Managed Microsoft AD in one Region. Configure VPN connections from each VPC to this directory.
AnswerB

Multi-Region replication provides automatic failover and low-latency authentication in each Region.

Why this answer

AWS Managed Microsoft AD with multi-Region replication provides a single global directory that spans multiple Regions, enabling automatic failover and high availability. This is the most operationally efficient solution because it eliminates the need for complex networking (VPC peering or VPNs) and allows all VPCs to authenticate against the same directory natively, with replication handled by AWS.

Exam trap

The trap here is that candidates often confuse VPC peering or VPN connectivity as sufficient for high availability, overlooking that a single-Region directory is a single point of failure and that multi-Region replication is the only option that provides automatic failover and operational efficiency across Regions.

How to eliminate wrong answers

Option A is wrong because AD Connector is a proxy that forwards authentication requests to an on-premises Active Directory, not a managed directory in AWS, and it does not provide a highly available, multi-Region directory for the migration scenario. Option C is wrong because VPC peering does not provide automatic failover or high availability for the directory; it only enables network connectivity, and the single-Region directory would be a single point of failure. Option D is wrong because VPN connections add network complexity and latency, and a single-Region directory lacks automatic failover across Regions, making it less operationally efficient than multi-Region replication.

253
MCQmedium

A company uses AWS Organizations with multiple accounts. The finance team needs to track costs by department, where each department uses resources across several accounts. What is the BEST way to allocate costs accurately?

A.Use AWS Cost Explorer to view costs by linked account.
B.Define cost allocation tags for each department and enable them in the Billing and Cost Management console.
C.Set up AWS Budgets for each department with alerts.
D.Create AWS Resource Groups for each department and use AWS Config to track costs.
AnswerB

Tags allow grouping and tracking costs by department across accounts.

Why this answer

Option B is correct because cost allocation tags applied to each department's resources in every account, once activated in the Billing and Cost Management console, allow costs to be grouped by department in AWS Cost Explorer regardless of which account holds the resources. Option A is wrong because aggregation by linked account does not break costs down by department. Option C is wrong because budgets alert on spend but do not allocate costs.

Option D is wrong because resource groups organize resources; they are not a cost allocation mechanism.

254
MCQeasy

A company uses AWS Organizations and wants to centrally manage backups of EC2 instances across multiple accounts. Which service should they use?

A.AWS CloudEndure Disaster Recovery
B.Amazon S3 Glacier
C.AWS Storage Gateway
D.AWS Backup
AnswerD

Centralized backup service with cross-account support.

Why this answer

AWS Backup is the correct service because it provides a fully managed, policy-based backup solution that integrates with AWS Organizations to centrally manage backups across multiple accounts. It allows you to define backup policies that automatically apply to EC2 instances and other supported resources across all member accounts, ensuring compliance and centralized monitoring without requiring per-account manual configuration.

Exam trap

The trap here is that candidates may confuse AWS Backup with disaster recovery services like CloudEndure, not realizing that AWS Backup is purpose-built for centralized, policy-driven backup management across multiple accounts, while CloudEndure focuses on continuous replication for failover, not scheduled backups.

How to eliminate wrong answers

Option A is wrong because AWS CloudEndure Disaster Recovery is designed for continuous replication and rapid failover for disaster recovery scenarios, not for scheduled, policy-based backup management across multiple accounts. Option B is wrong because Amazon S3 Glacier is a storage class for long-term archival of objects, not a service for orchestrating or managing backups of EC2 instances across accounts. Option C is wrong because AWS Storage Gateway provides hybrid cloud storage access (e.g., file, volume, tape gateways) for on-premises environments, not centralized backup management of EC2 instances within AWS Organizations.

255
Multi-Selecthard

A multinational corporation is migrating its on-premises Active Directory to AWS. The company requires a solution that supports multi-region authentication for thousands of users and integrates with existing on-premises Active Directory for seamless SSO. The solution must be highly available and provide low-latency authentication. Which TWO AWS services should be combined to meet these requirements? (Choose two.)

Select 2 answers
A.Amazon Cognito
B.AWS Direct Connect
C.AD Connector
D.AWS Single Sign-On (SSO)
E.AWS Managed Microsoft AD
AnswersC, E

AD Connector connects AWS services to on-premises AD, enabling SSO and authentication.

Why this answer

AWS Managed Microsoft AD can be deployed in multiple Regions, and AD Connector links AWS services to the existing on-premises Active Directory; together they provide highly available, low-latency authentication that integrates with on-premises AD. Option D (AWS SSO) is a separate service that can also be used but is not required; Option A (Cognito) is for external users; Option B (Direct Connect) is a network service.

Correct: C and E.

256
MCQhard

A company is using AWS Organizations and wants to restrict the use of specific instance types across all accounts. The company wants to allow only T3 and M5 instances. Which SCP should be applied?

A.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringNotEquals":{"ec2:InstanceType":["t3.*","m5.*"]}}}
B.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"arn:aws:ec2:*:*:instance/*","Condition":{"StringNotEquals":{"ec2:InstanceType":["t3.*","m5.*"]}}}
C.{"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringEquals":{"ec2:InstanceType":["t3.*","m5.*"]}}}
D.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*"}
AnswerA

Denies launch if instance type is not in the allowed list.

Why this answer

Option A is correct because it uses a Deny effect with a StringNotEquals condition on ec2:InstanceType to block any instance type that does not match the patterns 't3.*' or 'm5.*'. This effectively restricts all accounts in the organization to only T3 and M5 instance families when launching EC2 instances, as any attempt to use a non-allowed type will be denied. The wildcard (*) in the Resource element covers all resources, ensuring the policy applies broadly.

Exam trap

The trap here is that candidates often choose Option C because they think an Allow SCP will permit only the specified instance types, but SCPs are deny-only by default and an Allow statement does not override the implicit deny—only a Deny statement can explicitly block non-compliant actions.

How to eliminate wrong answers

Option B is wrong because it restricts the Resource to 'arn:aws:ec2:*:*:instance/*', which only covers existing instance resources, not the RunInstances action itself; SCPs with Deny on RunInstances must use Resource '*' to block the launch action, otherwise the policy may not prevent the creation of new instances. Option C is wrong because it uses an Allow effect, which is ineffective in SCPs since SCPs are deny lists by default; an Allow SCP does not grant permissions—it only sets a maximum permission boundary, and without a corresponding Deny for non-allowed types, all instance types remain permitted. Option D is wrong because it denies all EC2 RunInstances actions without any condition, which would block all instance types entirely, not just restrict to T3 and M5.

257
MCQeasy

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

A.Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.
B.Create an AWS Config rule in each account to enable CloudTrail if it is disabled.
C.Use an SCP to require CloudTrail to be enabled in each account.
D.Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization.
AnswerD

Control Tower automatically sets up a CloudTrail trail in the management account that logs all accounts.

Why this answer

AWS Control Tower provides an integrated CloudTrail setup that automatically creates and manages a central trail for all accounts in the organization. This trail is deployed using AWS CloudFormation StackSets and delivers logs to a centralized S3 bucket, ensuring compliance without manual intervention or custom automation. This is the best approach because it is native, fully managed, and aligns with Control Tower's governance model.

Exam trap

The trap here is that candidates often assume SCPs can enforce service enablement (like enabling CloudTrail), but SCPs only control permissions—they cannot enable services or resources; they can only prevent disabling of existing configurations.

How to eliminate wrong answers

Option A is wrong because using a periodic Lambda function is reactive, introduces latency, and does not prevent accounts from disabling CloudTrail between runs; it also adds operational overhead and potential single points of failure. Option B is wrong because an AWS Config rule can only detect non-compliance and trigger remediation (e.g., via auto-remediation), but it cannot enforce the setting across all accounts proactively; it also requires Config to be enabled in each account first. Option C is wrong because SCPs can only deny or allow API actions, not enable services; an SCP cannot force CloudTrail to be enabled—it can only prevent disabling of an already-enabled trail or block certain CloudTrail API calls.

258
Multi-Selecthard

A company is using AWS Organizations with hundreds of accounts. The central IT team needs to deploy a common set of AWS resources (e.g., VPCs, subnets, security groups) to all accounts in a specific organizational unit (OU). The solution must be automated and ensure that new accounts added to the OU automatically receive the resources. Which three steps should the team take? (Choose three.)

Select 3 answers
A.Create a StackSet with the template and target the OU, enabling automatic deployment.
B.Create an AWS CloudFormation template that defines the common resources.
C.Use AWS Config rules to detect missing resources and deploy them via Lambda.
D.Enable AWS CloudFormation StackSets trusted access with AWS Organizations.
E.Create an SCP that requires the creation of those resources.
AnswersA, B, D

Automatically deploys to new accounts in the OU.

Why this answer

Options A, B, and D are correct. A CloudFormation template defines the common resources; enabling trusted access lets StackSets work with AWS Organizations; and a StackSet that targets the OU with automatic deployment enabled deploys the template to new accounts as they are added to the OU. Option C is wrong because AWS Config rules detect non-compliance; AWS Config cannot create resources.

Option E is wrong because SCPs cannot create resources.

259
MCQhard

A company has a multi-account strategy with a centralized logging account. All VPC Flow Logs and CloudTrail logs are sent to an S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena. Which configuration provides the MOST cost-effective and secure access?

A.Use S3 access points in each account to grant access to the central bucket.
B.Use AWS Lake Formation to manage permissions to the central S3 bucket and allow Athena queries across accounts.
C.Create an S3 interface endpoint in the logging account and share it with other accounts.
D.Copy logs to each account's own S3 bucket and run Athena queries locally.
AnswerB

Lake Formation provides fine-grained access control and can be used with Athena for cross-account queries without copying data.

Why this answer

Option B is correct because AWS Lake Formation provides a centralized, fine-grained permissions model that allows the security team to grant cross-account access to the S3 data lake for Athena queries without duplicating data. It integrates directly with Athena and S3, enabling column- and row-level security while avoiding the cost and complexity of copying logs or managing multiple S3 access points.

Exam trap

The trap here is that candidates often assume S3 access points or interface endpoints are sufficient for cross-account Athena queries, but they overlook that Athena requires a centralized metadata catalog and fine-grained permissions that only Lake Formation (or a combination of Glue Catalog and IAM) can provide cost-effectively.

How to eliminate wrong answers

Option A is wrong because S3 access points are primarily for managing access to a single bucket from within the same account or via VPC origins, not for granting cross-account Athena query access; they do not natively integrate with Athena’s cross-account query capabilities and would require additional IAM policies and bucket policies, increasing complexity and cost. Option C is wrong because an S3 interface endpoint (AWS PrivateLink) only provides private network connectivity to S3, not cross-account data access or permission management; it does not enable Athena to query data across accounts without additional IAM roles and bucket policies, and it incurs hourly endpoint charges. Option D is wrong because copying logs to each account’s own S3 bucket duplicates storage costs, increases data transfer fees, and introduces latency, making it far less cost-effective than a centralized approach with Lake Formation.

260
MCQhard

A company has a multi-account AWS environment with a central logging account and multiple workload accounts. The security team requires that all VPC Flow Logs be delivered to a central S3 bucket in the logging account. The VPC Flow Logs are encrypted with a customer-managed KMS key in the logging account. The workload accounts have created VPC Flow Logs, but the logs are not appearing in the central S3 bucket. The IAM role used by VPC Flow Logs in the workload accounts has the necessary permissions to deliver logs to the central S3 bucket. What is the most likely cause of the issue?

A.The VPC Flow Logs are being delivered to CloudWatch Logs instead of S3.
B.The S3 bucket policy denies access to the workload accounts.
C.The S3 bucket has a bucket policy that requires encryption in transit.
D.The KMS key policy in the logging account does not grant the VPC Flow Logs service principal permission to use the key.
AnswerD

Key policy must allow the service principal from workload accounts.

Why this answer

Option D is correct because the KMS key policy must grant the VPC Flow Logs service principal permission to use the key for encryption. Even if the IAM role in the workload account has the needed permissions, the key policy in the logging account is evaluated separately and must explicitly allow use of the key. Option A is wrong because VPC Flow Logs delivered to S3 are written directly to the bucket, not through CloudWatch Logs.

Options B and C are wrong because the bucket policy is not the primary issue in this scenario; the key policy is what is missing.

261
MCQeasy

A company has a production AWS account and a development AWS account. The development team needs to assume an IAM role in the production account to deploy resources. What is the correct way to set up this cross-account access?

A.Create an IAM role in the production account with a trust policy that specifies the development account as a trusted entity
B.Apply a service control policy to allow cross-account access
C.Create an IAM user in the production account and share the credentials with the development team
D.Configure security group rules to allow access from the development account
AnswerA

This allows users from the development account to assume the role and gain permissions.

Why this answer

Option A is correct because cross-account IAM role access requires creating an IAM role in the production (trusting) account with a trust policy that explicitly lists the development (trusted) account as a principal. The development team then assumes that role using the AWS STS AssumeRole API, which returns temporary security credentials. This follows the AWS recommended pattern for delegating access without sharing long-term credentials.

Exam trap

The trap here is that candidates confuse network-level controls (security groups) or organizational policies (SCPs) with IAM-based cross-account trust, or mistakenly think sharing IAM user credentials is acceptable for cross-account access.

How to eliminate wrong answers

Option B is wrong because service control policies (SCPs) are used to set permission boundaries across accounts in an AWS Organization; they do not grant cross-account access themselves and cannot be used to allow role assumption between accounts. Option C is wrong because sharing IAM user credentials violates the principle of least privilege and security best practices; it exposes long-term access keys that are not scoped or temporary, increasing risk. Option D is wrong because security group rules control network traffic at the instance level, not IAM-based access; they cannot grant API-level permissions to assume roles or deploy resources.

262
MCQmedium

A company operates multiple AWS accounts using AWS Organizations. They want to centrally manage Amazon EC2 Auto Scaling groups across all accounts. The operations team needs to view and modify scaling policies from a single pane of glass. Which solution should they implement?

A.Use AWS CloudFormation StackSets to deploy the Auto Scaling groups consistently.
B.Use AWS Config rules to enforce desired scaling policies.
C.Use AWS Systems Manager Explorer with multi-account management.
D.Use Amazon CloudWatch cross-account dashboards.
AnswerC

Systems Manager Explorer provides a central dashboard for operational data across accounts.

Why this answer

AWS Systems Manager Explorer provides a single-pane-of-glass view across multiple AWS accounts and Regions, allowing the operations team to view and modify EC2 Auto Scaling policies centrally. It integrates with Systems Manager Automation runbooks to execute changes, such as updating scaling policies, across all accounts managed via AWS Organizations.

Exam trap

The trap here is that candidates confuse monitoring (CloudWatch dashboards) or compliance (Config rules) with the ability to both view and modify operational configurations, leading them to overlook Systems Manager Explorer's centralized management capabilities.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets deploy and manage infrastructure consistently but do not provide a centralized operational interface to view or modify existing Auto Scaling scaling policies in real time. Option B is wrong because AWS Config rules are used for compliance auditing and remediation, not for interactive viewing or modification of scaling policies. Option D is wrong because Amazon CloudWatch cross-account dashboards enable monitoring of metrics but do not allow modification of Auto Scaling policies or provide a management interface for scaling actions.

263
Multi-Selecthard

A company uses AWS Organizations with a hierarchical structure of organizational units (OUs). The security team needs to restrict the use of specific AWS services in the development OU. However, the SCP applied at the root level allows all services. Which TWO SCP strategies can restrict services for the development OU without affecting other OUs? (Choose TWO.)

Select 2 answers
A.Apply a tag policy to the development OU that requires tags for all resources.
B.Modify the root-level SCP to deny the unwanted services.
C.Use a service control policy that denies access to the unwanted services and attach it to the development OU.
D.Attach a deny SCP to the development OU that explicitly denies the unwanted services.
E.Create an IAM permissions boundary for all users in the development OU.
AnswersC, D

Deny SCPs are effective for restricting services.

Why this answer

Option C (attach an SCP that denies the unwanted services to the development OU) and Option D (attach an explicit deny SCP to the development OU) are correct; an SCP attached to an OU applies only to the accounts under that OU. Option A is incorrect because tag policies do not restrict services. Option E is incorrect because IAM permissions boundaries do not override SCPs and are not an SCP strategy.

Option B is incorrect because modifying the root-level SCP would affect all OUs.

264
MCQhard

A company has a complex AWS environment with multiple accounts and VPCs. The company wants to ensure that all outbound traffic from VPCs goes through a centralized inspection VPC for security monitoring. The company uses AWS Transit Gateway. Which solution should be implemented?

A.Deploy AWS Network Firewall in each VPC and configure routing to send outbound traffic through the firewall.
B.Use VPC peering to connect all VPCs to the inspection VPC and configure routes.
C.Use Route 53 Resolver to forward all outbound DNS queries to the inspection VPC.
D.Create a Transit Gateway with route tables. Attach the inspection VPC as a central hub. Configure the route tables of the transit gateway to point the default route (0.0.0.0/0) to the inspection VPC attachment. Then attach all other VPCs and configure their route tables to send traffic to the Transit Gateway.
AnswerD

Transit Gateway route tables can direct traffic to inspection VPC.

Why this answer

Option D is correct because it uses AWS Transit Gateway with centralized route tables to force all outbound traffic from attached VPCs through the inspection VPC. By configuring the Transit Gateway route table with a default route (0.0.0.0/0) pointing to the inspection VPC attachment, all outbound traffic from other VPCs is routed to the inspection VPC for security monitoring before leaving the network. This design meets the requirement of a single, centralized inspection point without requiring VPC peering or per-VPC firewall deployments.

Exam trap

The trap here is that candidates often confuse VPC peering with Transit Gateway, assuming peering can achieve transitive routing, but AWS VPC peering explicitly does not support transitive routing, making Option B invalid for centralized inspection.

How to eliminate wrong answers

Option A is wrong because deploying AWS Network Firewall in each VPC creates a decentralized inspection model, not a centralized one, and does not leverage Transit Gateway for traffic flow. Option B is wrong because VPC peering does not support transitive routing; each peering connection is a one-to-one relationship, so traffic cannot be centrally routed through a single inspection VPC without complex full-mesh peering. Option C is wrong because Route 53 Resolver only handles DNS queries, not general outbound traffic (e.g., HTTP, HTTPS, or other IP protocols), and thus cannot enforce security monitoring on all outbound traffic.

265
MCQmedium

A company has a production AWS account and a development AWS account under AWS Organizations. The development team wants to deploy a CloudFormation stack that creates an S3 bucket with a bucket policy that grants access to the production account's IAM roles. The development account has an SCP that denies all s3:PutBucketPolicy actions. The development team has full administrator access in their account. When they try to create the stack, it fails. What is the most likely reason and how should they proceed?

A.The development team does not have IAM permissions to create buckets. They need to attach an IAM policy that allows s3:PutBucketPolicy.
B.The SCP denies s3:PutBucketPolicy and overrides the administrator permissions. They need to request an exception to the SCP from the security team.
C.CloudFormation service role is missing. They need to create a service role with appropriate permissions.
D.The production account's IAM roles are not trusted. They need to update the trust policy.
AnswerB

SCPs can deny actions even to administrators.

Why this answer

Option B is correct because SCPs apply to all principals in the account, including administrators, so the SCP that denies s3:PutBucketPolicy blocks the stack's bucket policy regardless of IAM permissions. Option A is wrong because the development team already has administrator access. Option C is wrong because a missing CloudFormation service role is not the cause; CloudFormation does not have a separate policy that would bypass the SCP.

Option D is wrong because IAM role trust settings do not override SCPs.

266
Multi-Selecteasy

A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?

Select 3 answers
A.Manually create an S3 bucket in each account to store Config logs.
B.Use an SCP to prevent disabling of AWS Config in any account.
C.Configure the central S3 bucket policy to allow cross-account log delivery from all accounts in the organization.
D.Enable AWS Config in the management account and use Control Tower's account factory to propagate the configuration to all accounts.
E.Create an IAM role in each account to allow the management account to access Config logs.
AnswersB, C, D

SCPs can deny actions that disable Config.

Why this answer

Option B is correct because AWS Control Tower uses Service Control Policies (SCPs) to enforce guardrails. An SCP can be applied to the root or OUs to prevent any account from disabling AWS Config, ensuring compliance across the multi-account environment without requiring per-account manual intervention.

Exam trap

The trap here is that candidates often think they need to create IAM roles in each account for cross-account logging, but AWS Config's native cross-account delivery only requires a properly configured S3 bucket policy and does not rely on IAM roles in the member accounts.

267
Multi-Selectmedium

A company has a multi-account AWS environment and wants to implement a secure, scalable cross-account network architecture using AWS Transit Gateway. Which TWO steps should be taken?

Select 2 answers
A.Deploy VPC endpoints in each account for communication
B.Create a Transit Gateway in a central networking account and share it with other accounts using AWS Resource Access Manager
C.Create VPC attachments in each account to connect to the shared Transit Gateway
D.Establish VPC peering connections between each account and the central networking account
E.Set up AWS Direct Connect between all accounts
AnswersB, C

RAM allows sharing the Transit Gateway with other accounts.

Why this answer

Option B is correct because AWS Transit Gateway must be created in a central networking account and then shared with other accounts using AWS Resource Access Manager (RAM) to enable cross-account connectivity without VPC peering. This centralizes routing and simplifies network management across multiple VPCs and accounts.

Exam trap

The trap here is that candidates confuse VPC endpoints (used for service access) with Transit Gateway (used for VPC-to-VPC routing), or assume VPC peering is sufficient for multi-account scalability despite its non-transitive nature and management overhead.

268
MCQmedium

A company has a multi-account AWS environment using AWS Organizations with 50 accounts. The accounts are organized into OUs based on environment: Production, Staging, and Development. The central IT team uses AWS CloudFormation StackSets to deploy a baseline network configuration (VPC, subnets, security groups) to all accounts. Recently, the network team updated the stack set to add a new subnet to the VPC. After the update, they noticed that the stack set operation failed for 10 accounts. The error message indicates that the stack set cannot update because a resource already exists. What is the MOST LIKELY cause of this failure?

A. The accounts are in different OUs and the stack set is not configured to deploy to all OUs.
B. Some accounts have manually created resources that conflict with the stack set template's resources.
C. The network team does not have sufficient IAM permissions to update stacks in those accounts.
D. The stack set was previously drift-detected and the drift is preventing updates.
Answer: B

If a resource with the same logical ID already exists outside the stack, CloudFormation cannot update the stack and throws an error.

Why this answer

Option B is correct because StackSets use a single template, and if an account already has a resource with the same logical ID (e.g., due to a previous manual creation), the update fails. Option C is wrong because stack set updates can be performed with proper permissions. Option A is wrong because StackSets can manage resources across OUs; the issue is a resource conflict.

Option D is wrong because drift does not prevent updates; it would be detected separately.

269
MCQ · medium

A company has multiple AWS accounts managed under AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account are automatically tagged with a 'CostCenter' tag. Which solution is the MOST operationally efficient?

A. Use an AWS Lambda function triggered by AWS CloudTrail to tag buckets after creation.
B. Use an AWS Config rule to mark non-compliant buckets and automatically apply tags.
C. Use AWS CloudFormation StackSets to deploy a template that creates tagged buckets in each account.
D. Use a service control policy (SCP) to deny s3:CreateBucket unless the request includes a 'CostCenter' tag.
Answer: D

SCPs can deny API calls based on conditions, enforcing tagging across all accounts.

Why this answer

Option D is correct because SCPs can enforce tagging at the API level across all accounts in the organization. Option A is wrong because a Lambda function triggered by CloudTrail requires manual setup per account. Option B is wrong because AWS Config rules only detect non-compliance; they do not prevent creation.

Option C is wrong because CloudFormation StackSets require manual template application.

270
MCQ · hard

A company has a central networking account that hosts a transit gateway (TGW). Multiple VPCs from various accounts are attached to the TGW. The security team wants to ensure that only specific VPCs can communicate with each other, but all VPCs need access to a shared services VPC. Which configuration should be used?

A. Create a VPC peering connection between each pair of VPCs that need to communicate.
B. Use AWS PrivateLink to connect VPCs to the shared services VPC.
C. Use a single TGW route table for all attachments and control traffic with security groups.
D. Create separate TGW route tables for each VPC and only propagate the shared services VPC routes.
Answer: D

This isolates VPCs from each other while allowing all to reach shared services.

Why this answer

Option D is correct because using separate TGW route tables for each VPC allows you to control which VPCs can communicate by selectively propagating only the shared services VPC routes into each VPC's route table. This ensures all VPCs can reach the shared services VPC, while VPCs that do not have each other's routes in their respective route tables cannot communicate directly. This approach leverages the transitive routing capability of the transit gateway while maintaining strict isolation between non-shared VPCs.

Exam trap

The trap here is that candidates often assume a single TGW route table with security groups can control inter-VPC traffic, but security groups cannot be applied to transit gateway attachments—they only work at the instance or ENI level, and TGW route tables control routing, not filtering.

How to eliminate wrong answers

Option A is wrong because VPC peering connections are point-to-point and do not scale well; they require a separate peering connection for every pair of VPCs, which becomes unmanageable as the number of VPCs grows, and they do not leverage the existing transit gateway. Option B is wrong because AWS PrivateLink is used to expose services privately within a VPC, not to enable general VPC-to-VPC routing; it would only allow VPCs to access specific services in the shared services VPC, not full network-layer communication between all VPCs. Option C is wrong because using a single TGW route table for all attachments would allow all VPCs to communicate with each other by default (since all routes are shared), and security groups cannot be applied to TGW attachments to filter traffic between VPCs—security groups are stateful firewalls for instances, not for transit gateway routing decisions.

271
MCQ · hard

A large enterprise uses AWS Organizations with hundreds of accounts. The central security team needs to enforce that no IAM users are created in any account; instead, all access must be through IAM roles federated with the corporate identity provider. The security team wants to detect any IAM user creation and automatically remediate it by deleting the user and notifying the security team. Which solution should be implemented?

A. Use AWS Config with a custom rule triggered by iam:CreateUser, and an AWS Lambda function that deletes the user and sends an Amazon SNS notification.
B. Use IAM Access Analyzer to detect and report IAM user creation.
C. Use an SCP to deny iam:CreateUser across all accounts.
D. Enable AWS CloudTrail and create a metric filter for iam:CreateUser, then set up an Amazon CloudWatch alarm that triggers an SNS notification.
Answer: A

Config rule triggers Lambda for automatic remediation and notification.

Why this answer

Option A is correct because AWS Config custom rules can be triggered on specific API calls via AWS CloudTrail events. By configuring a custom rule with an AWS Lambda function triggered by iam:CreateUser, the solution can automatically delete the newly created IAM user and send an SNS notification to the security team, providing both detection and remediation.

Exam trap

The trap here is that candidates may choose an SCP (Option C) because it prevents IAM user creation, but the question specifically requires detection and automatic remediation (deletion and notification), not just prevention.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is designed to analyze resource-based policies for unintended cross-account access, not to detect or report IAM user creation events. Option C is wrong because an SCP that denies iam:CreateUser would prevent IAM user creation proactively, but the question explicitly requires detection and automatic remediation (deletion and notification), not just prevention. Option D is wrong because a CloudWatch alarm on a metric filter for iam:CreateUser can only trigger a notification; it cannot automatically delete the IAM user, so it lacks the remediation step required by the question.

272
Multi-Select · hard

A company manages 200 AWS accounts using AWS Organizations. The security team wants to prevent developers from creating resources outside of a set of approved AWS Regions. Additionally, they want to restrict the creation of resources that are not tagged with a cost center tag. Which THREE actions should be taken to enforce these requirements?

Select 3 answers
A. Create an SCP that denies all actions in non-approved regions.
B. Enable AWS Config rules to detect untagged resources and automatically apply the required tag.
C. Use IAM policies in each account to deny actions in non-approved regions.
D. Define a tag policy using AWS Organizations to enforce cost center tags.
E. Create an SCP that denies the creation of resources that do not have a cost center tag.
Answers: A, B, E

SCPs can centrally deny actions in specific regions.

Why this answer

Option A is correct because SCPs can deny actions in non-approved regions. Option E is correct because SCPs can deny the creation of resources that do not have the required tag. Option B is correct because AWS Config rules can detect untagged resources and trigger remediation.

Option C is wrong because IAM policies are per-account and not centrally managed; they can be used, but SCPs are more centralized. Option D is wrong because tag policies enforce tagging on resource creation via SCPs, but they do not remediate existing resources.

273
MCQ · easy

A company uses AWS Organizations with a single member account for its development environment. The IT team wants to allow developers to launch EC2 instances only if they use a specific AMI ID. Which policy type should the company use to enforce this requirement?

A. Attach a service control policy (SCP) to the member account that denies EC2:RunInstances if the AMI ID is not approved.
B. Create an IAM policy that denies EC2:RunInstances if the AMI ID is not approved and attach it to all developer IAM roles.
C. Use AWS Config rules to detect noncompliant EC2 instances and automatically terminate them.
D. Use AWS Systems Manager to enforce the AMI ID requirement.
Answer: A

SCPs can restrict actions at the account level and are effective for preventive controls.

Why this answer

Option A is correct because SCPs can be used to restrict actions at the account level, including specifying allowed AMI IDs. Option B is wrong because IAM policies apply to users and roles within an account, but SCPs are more appropriate for organization-wide restrictions. Option C is wrong because AWS Config rules are detective, not preventive.

Option D is wrong because service control policies are the right mechanism.

274
MCQ · medium

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to share a VPC subnet in the network account with the workload accounts so that they can launch EC2 instances directly into the shared subnet. The network team has created a VPC with a subnet and shared it using AWS Resource Access Manager (RAM) with the workload accounts. However, the workload accounts cannot see the shared subnet when launching EC2 instances. What is the most likely cause?

A. The workload accounts have not accepted the resource share invitation.
B. The workload accounts have a default VPC that conflicts with the shared subnet.
C. The workload accounts do not have the necessary IAM permissions to use shared subnets.
D. The subnet is in a different AWS Region than the workload accounts.
Answer: A

RAM requires acceptance before resources appear.

Why this answer

Option A is correct because RAM requires an explicit acceptance of the resource share by the workload accounts. Until they accept, the subnet is not visible. Option C is wrong because IAM permissions are needed, but the issue here is acceptance.

Option D is wrong because sharing is not limited to the same region. Option B is wrong because a default VPC does not affect shared subnets.

275
MCQ · medium

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

A. Convert the logs to Parquet format using AWS Glue and store them in the same bucket.
B. Use S3 lifecycle policies to transition logs to S3 Glacier after 7 days and query with Athena.
C. Partition the S3 bucket by date (e.g., year/month/day) and use Athena partition projection.
D. Use Athena with federated query to scan logs directly from the application accounts.
Answer: C

Correct: Partitioning reduces data scanned.

Why this answer

Option C is correct because partitioning the S3 bucket by date (e.g., year/month/day) and using Athena partition projection allows Athena to automatically discover and prune partitions without manual metadata management. This reduces the amount of data scanned per query, lowering costs and improving query speed for recent logs. Partition projection is serverless and eliminates the need for Glue crawlers or Hive-style partition loading, making it ideal for time-series data like VPC Flow Logs.

Exam trap

The trap here is that candidates may confuse Athena’s ability to query compressed formats (like Parquet) with the need for partitioning, or mistakenly believe that S3 Glacier can be queried by Athena, when in fact Athena requires objects to be in S3 Standard, Intelligent-Tiering, or Glacier Instant Retrieval (not Glacier or Glacier Deep Archive).

How to eliminate wrong answers

Option A is wrong because converting logs to Parquet format with AWS Glue improves compression and query performance, but it does not address the need to quickly query recent logs without scanning all historical data; partitioning is still required for cost-effective pruning. Option B is wrong because transitioning logs to S3 Glacier after 7 days makes them inaccessible to Athena, as Athena cannot query data stored in Glacier or Glacier Deep Archive storage classes. Option D is wrong because Athena federated query is designed to query data in external databases (e.g., RDS, DynamoDB) or on-premises sources, not to scan logs directly from S3 buckets in other accounts; cross-account S3 access is handled via bucket policies, not federated query.

276
MCQ · hard

A company uses AWS Organizations and has shared a subnet from the VPC shown in the exhibit using AWS Resource Access Manager (RAM). A workload account launches an EC2 instance in the shared subnet. The instance needs to communicate with an RDS database in a different private subnet within the same VPC. What additional configuration is required?

A. The workload account must create a route table entry in the shared VPC to allow communication.
B. The workload account must configure security groups for the EC2 instance to allow traffic to the RDS database's security group.
C. Establish a VPC peering connection between the workload account's VPC and the shared VPC.
D. Attach an AWS Transit Gateway to both VPCs to enable communication.
Answer: B

Security groups are managed by the account that owns the resource.

Why this answer

Option B is correct. When a subnet is shared, the owner account manages the route tables and network ACLs, and the participant account cannot modify them. However, the participant account can use security groups to control traffic to and from its instances.

Therefore, the workload account must configure security groups to allow traffic between the EC2 instance and the RDS database. Option C is wrong because VPC peering is not needed; the VPC is already shared. Option A is wrong because the route table is managed by the owner, not the participant.

Option D is wrong because transit gateway is not needed.

277
MCQ · hard

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.
Answer: C

SCPs can block actions that modify the password policy or deactivate MFA, and AWS Config can detect non-compliant users.

Why this answer

Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), allowing the security team to trigger remediation or alerts. SCPs alone cannot enforce a specific password policy or enable MFA; they only block actions, so Config rules are needed for detection and enforcement.

Exam trap

The trap here is that candidates assume SCPs can enforce configurations like password policies or MFA, but SCPs only deny or allow actions, not set or enable features, so detection and remediation require AWS Config or similar services.

How to eliminate wrong answers

Option A is wrong because SCPs cannot enforce a specific password policy or require MFA; they can only deny or allow actions, not set configurations or enable features. Option B is wrong because AWS Config rules can detect non-compliance but cannot automatically set a password policy or enable MFA for users; they only evaluate and report. Option D is wrong because AWS CloudTrail only logs API calls and does not provide enforcement or remediation; automatic remediation would require additional services like AWS Config with auto-remediation or Lambda, not CloudTrail alone.

278
MCQ · medium

A multinational company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization block public access. What is the MOST efficient way to enforce this requirement?

A. Use AWS Config rules to detect and remediate public buckets in each account.
B. Create a CloudFormation StackSet to deploy bucket policies in every account.
C. Use IAM roles to restrict users from modifying bucket public access settings.
D. Apply an SCP to the root OU that denies s3:PutBucketPublicAccessBlock actions.
Answer: D

SCPs prevent the action across all accounts in the OU.

Why this answer

Using an SCP at the root OU is the most efficient way to enforce the policy across all accounts, as it applies to all member accounts and cannot be overridden by account administrators. Option A is wrong because SCPs can enforce restrictions. Option B is wrong because it would require per-account changes.

The bucket policies in Option B are also account-specific and do not enforce the requirement across accounts.

279
Multi-Select · easy

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all newly created S3 buckets have encryption enabled. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A. Use an IAM permissions boundary for all IAM roles.
B. Use S3 Block Public Access at the account level.
C. Use AWS CloudFormation Guard to validate templates before deployment.
D. Enable AWS Config managed rule s3-bucket-server-side-encryption-enabled.
E. Use a service control policy (SCP) to deny s3:CreateBucket if the bucket does not have encryption settings.
Answers: C, E

CloudFormation Guard can enforce encryption settings in templates.

Why this answer

Option C is correct because AWS CloudFormation Guard (cfn-guard) allows you to define rules that validate CloudFormation templates before deployment. You can create a rule that checks whether the `BucketEncryption` property is set on every `AWS::S3::Bucket` resource, preventing the creation of unencrypted buckets at the template level. This enforces encryption as a policy-as-code gate in the CI/CD pipeline.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs or CloudFormation Guard), leading them to select Option D even though it only reports non-compliance after the fact, not preventing the creation of unencrypted buckets.

280
MCQ · easy

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. The security team needs to allow a third-party SIEM tool to read these logs from the S3 bucket, but only from a specific VPCE (VPC Endpoint). Which policy should be applied to the S3 bucket?

A. Allow s3:GetObject to the SIEM's IAM role.
B. Use an S3 access point with a network origin policy.
C. Deny s3:GetObject unless aws:SourceVpce matches the VPCE ID.
D. Allow s3:GetObject to the SIEM's AWS account ID.
Answer: C

This condition explicitly restricts access to requests originating from the specific VPCE.

Why this answer

Option C is correct because using a bucket policy with a condition key like `aws:SourceVpce` allows you to restrict access to only requests originating from a specific VPC Endpoint (VPCE). This ensures that even if the SIEM tool has valid credentials, it can only read the VPC Flow Logs from the S3 bucket when the traffic comes through the designated VPCE, meeting the security team's requirement precisely.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` (which restricts to an entire VPC) with `aws:SourceVpce` (which restricts to a specific VPC Endpoint), leading them to incorrectly choose Option B (S3 access point) or a generic allow policy, missing the precise VPCE-level control required.

How to eliminate wrong answers

Option A is wrong because simply allowing `s3:GetObject` to the SIEM's IAM role does not restrict access to a specific VPCE; the SIEM could use that role from any network location, violating the requirement. Option B is wrong because an S3 access point with a network origin policy can restrict access based on the VPC or internet, but it does not support a condition key like `aws:SourceVpce` to enforce a specific VPCE ID; it only allows blocking or allowing traffic from an entire VPC, not a single endpoint. Option D is wrong because allowing `s3:GetObject` to the SIEM's AWS account ID would grant access to any principal in that account, regardless of network path, and does not enforce the VPCE restriction.

281
MCQ · medium

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. What is the most efficient way to enforce this?

A. Use AWS Config rules to detect users without MFA and send alerts.
B. Use AWS CloudTrail to monitor console logins and trigger an automatic remediation.
C. Create an IAM policy in each account that denies access without MFA.
D. Apply a service control policy (SCP) that denies all actions if the user does not have MFA enabled.
Answer: D

SCPs enforce centrally across all accounts in the organization.

Why this answer

Option D is correct because an SCP can deny access if MFA is not present, and it applies to all accounts in the organization. Option C is wrong because an IAM policy in each account requires manual effort and is not centralized. Option A is wrong because AWS Config can detect but not enforce.

Option B is wrong because CloudTrail logs but does not enforce.

282
Multi-Select · easy

A company is designing a multi-account strategy for development, testing, and production environments. They want to ensure that developers can deploy resources in development and testing accounts but not in production. Which TWO methods should the company use to achieve this? (Choose TWO.)

Select 2 answers
A. Enable AWS CloudTrail to monitor and alert on production changes.
B. Apply an SCP to the production OU that denies all actions to non-approved IAM roles.
C. Use resource tags to identify development and production resources and enforce policies via SCPs.
D. Create IAM roles in production with no permissions, and allow only a central CI/CD role to assume a privileged role.
E. Use AWS Config rules to detect unauthorized deployments in production.
Answers: B, D

SCPs can effectively block all actions from developers in production.

Why this answer

Option B is correct because SCPs can deny actions on production accounts. Option D is correct because IAM roles with limited permissions can restrict developer access. Option E is incorrect because AWS Config does not prevent actions.

Option A is incorrect because CloudTrail is auditing, not enforcement. Option C is incorrect because tagging does not prevent deployment.

283
MCQ · easy

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts. The company has an existing identity source in an on-premises Active Directory. Which integration method should the company use?

A. Use SAML 2.0 federation between AWS SSO and the on-premises AD.
B. Use AWS IAM Identity Center with an external identity provider that supports SCIM.
C. Set up an AWS Managed Microsoft AD directory and sync with the on-premises AD using AD Connector.
D. Configure AWS SSO to directly connect to the on-premises Active Directory using LDAP.
Answer: C

AD Connector allows AWS Managed Microsoft AD to proxy authentication to on-premises AD.

Why this answer

Option C is correct because AWS SSO supports connecting to an existing Active Directory via AWS Directory Service for Microsoft Active Directory, which can be used as an identity source. Option D is wrong because AWS SSO does not directly integrate with on-premises AD; it requires a directory in AWS. Option B is wrong because IAM Identity Center (the successor to AWS SSO) also requires a directory.

Option A is wrong because SAML 2.0 federation with on-premises AD is not a built-in AWS SSO feature; it requires a separate identity provider.

284
MCQ · medium

Refer to the exhibit. This S3 bucket policy is attached to a bucket in the security account (111111111111). The policy grants access to account 123456789012. A service in account 123456789012 tries to write a log file to s3://my-log-bucket/AWSLogs/123456789012/logfile.txt. What will happen?

A. The write is denied because the principal is the root user, not an IAM role.
B. The write is allowed because the policy grants access to the root of account 123456789012.
C. The write is denied because the policy only allows GetObject, not PutObject.
D. The write is allowed only if the object key is exactly 'AWSLogs/123456789012/'.
Answer: B

Correct: the root principal covers all IAM entities in that account.

Why this answer

The S3 bucket policy grants access to the root user of account 123456789012 (the `Principal` is the AWS account root user via the account ARN). When a service in that account writes to the bucket, the request is made on behalf of the account, and the root user effectively owns all identities in the account. The policy allows `s3:PutObject` on the `AWSLogs/123456789012/*` prefix, so the write to `s3://my-log-bucket/AWSLogs/123456789012/logfile.txt` is permitted.

Option B correctly identifies that the root user grant covers the service's action.

Exam trap

The trap here is that candidates often assume a root user principal only applies to the literal root user credentials, not to all identities in the account, leading them to incorrectly think the service's write would be denied.

How to eliminate wrong answers

Option A is wrong because the policy grants access to the root user of account 123456789012, not an IAM role, and the root user can delegate permissions to services within the account; the write is not denied on that basis. Option C is wrong because the policy explicitly includes `s3:PutObject` in the `Action` list (the exhibit shows `s3:PutObject` as part of the allowed actions), so the write is not denied due to missing PutObject permission. Option D is wrong because the policy uses a wildcard `AWSLogs/123456789012/*` which allows any object key under that prefix, not an exact match to `AWSLogs/123456789012/`.

285
MCQ · easy

A company has a centralized logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all member accounts in AWS Organizations. The logs are stored in an S3 bucket in the logging account. Security analysts need to query these logs using Amazon Athena. What is the MOST efficient way to set up the table partitions?

A. Use AWS Glue Crawler to create a table with no partitions, and query the entire dataset each time.
B. Use AWS Glue Crawler to automatically create partitions based on the date prefix in the S3 key.
C. Use AWS Glue Crawler to create a table, then manually add partitions for each account ID and region.
D. Use AWS Glue Crawler to create a table partitioned by log type and date.
Answer: C

Partitioning by account and region optimizes query performance for multi-account environments.

Why this answer

Option C is correct because partitioning by account ID and region reduces the data scanned per query. Option B is wrong because partitioning by date only does not leverage the account structure. Option A is wrong because a Glue Crawler can infer the schema, but it does not create partitions automatically, so every query scans the whole dataset.

Option D is wrong because partitioning by log type and date is less efficient than partitioning by account and region for cross-account queries.

286
MCQ · medium

A financial services company is migrating its trading platform to AWS. The platform consists of hundreds of microservices deployed in containers using Amazon ECS with Fargate launch type. Each service has its own IAM role for fine-grained permissions. The security team requires that all ECS tasks use a specific VPC (vpc-12345) and cannot run in any other VPC. During a recent audit, it was discovered that some tasks are running in a different VPC (vpc-67890). The solutions architect must implement a preventive control to ensure that ECS tasks only run in the approved VPC. The company uses AWS Organizations and has Service Control Policies (SCPs) in place. What should the solutions architect do?

A. Tag the approved VPC and use IAM policies to allow ECS actions only when the VPC tag matches.
B. Add an IAM policy to each ECS task role that denies the action if the VPC is not the approved one.
C. Create an SCP that denies ecs:RunTask and ecs:CreateService unless the networkConfiguration.awsvpcConfiguration.subnets are in the approved VPC.
D. Use AWS Config rules to detect tasks running in non-approved VPCs and trigger a remediation action.
Answer: C

SCPs provide preventive controls at the organization level.

Why this answer

Option C is correct because Service Control Policies (SCPs) in AWS Organizations provide a preventive control that applies across all accounts in the organization. By denying ecs:RunTask and ecs:CreateService unless the subnets specified in networkConfiguration.awsvpcConfiguration belong to the approved VPC (vpc-12345), the SCP enforces the VPC constraint at the organization level, preventing any task from launching in a non-approved VPC regardless of individual IAM roles or account configurations.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config) with preventive controls (SCPs), or they mistakenly think IAM policies on task roles can control the launch VPC, when in fact the launch VPC is determined by the caller's permissions and SCPs, not the task's IAM role.

How to eliminate wrong answers

Option A is wrong because IAM policies cannot condition on tags of resources that are not the resource being acted upon (e.g., a VPC tag) in a way that prevents the ECS task from launching in a different VPC; IAM conditions like 'ecs:VpcId' do not exist, and tagging the VPC does not enforce the constraint at the API call level. Option B is wrong because IAM policies attached to ECS task roles control what the task can do after it runs, not whether the task can be launched in a particular VPC; the task role is assumed by the task, not by the caller that creates or runs the task. Option D is wrong because AWS Config rules are detective controls, not preventive controls; they can detect non-compliant tasks and trigger remediation, but they do not prevent the task from running in the first place, which is the requirement for a preventive control.

287
MCQ · medium

A company has a multi-account AWS environment. They want to ensure that any new account created in the organization automatically gets a specific set of IAM roles and AWS Config rules deployed. Which solution requires the least manual effort?

A. Use AWS Organizations and attach a tag policy that requires the roles and rules.
B. Use AWS CloudFormation StackSets with automatic deployment to the organization.
C. Attach an SCP to the root OU that creates the roles and rules.
D. Use AWS Lambda to periodically scan for new accounts and deploy resources.
Answer: B

StackSets can automatically deploy stacks to new accounts when enabled.

Why this answer

AWS CloudFormation StackSets with automatic deployment to the organization is the correct solution because it allows you to define a set of AWS resources (IAM roles, Config rules) as a CloudFormation template and automatically deploy it to every account in the organization, including newly created accounts, without any manual intervention. StackSets can be configured to deploy to all accounts in the organization or specific OUs, and they automatically handle the deployment to new accounts as they join the organization.

Exam trap

The trap here is that candidates often confuse the capabilities of SCPs (which only deny or allow actions) with the resource-provisioning capabilities of CloudFormation StackSets, leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because tag policies are used to enforce consistent tagging on resources, not to create or deploy IAM roles or AWS Config rules. Option C is wrong because SCPs (Service Control Policies) are used to restrict permissions and actions at the account level, not to create resources; they cannot create IAM roles or Config rules. Option D is wrong because using a periodic Lambda function to scan for new accounts and deploy resources requires ongoing maintenance, introduces potential latency, and is less reliable than the native, event-driven deployment provided by StackSets.

288
MCQ · medium

A company has a management account in AWS Organizations and wants to share a central Amazon VPC subnet with multiple member accounts for a shared services VPC. Which AWS service should be used to share the subnet?

A. VPC peering connection
B. AWS Resource Access Manager
C. AWS PrivateLink
D. Service control policy
Answer: B

RAM allows sharing subnets across accounts within an organization.

Why this answer

AWS Resource Access Manager (RAM) is the correct service because it enables you to share a central VPC subnet from a management account with multiple member accounts in AWS Organizations without requiring VPC peering or transit gateways. With RAM, you create a resource share that includes the subnet and specify the member accounts or organizational units (OUs) to grant them access, allowing those accounts to launch resources directly into the shared subnet while maintaining centralized network management.

Exam trap

The trap here is that candidates often confuse VPC peering (which connects entire VPCs) with subnet sharing (which allows direct resource placement into a shared subnet), leading them to select VPC peering instead of AWS Resource Access Manager.

How to eliminate wrong answers

Option A (VPC peering connection) is wrong because VPC peering connects entire VPCs at the network layer using private IP addresses, but it does not allow you to share a subnet; it only enables routing between VPCs, and each account still needs its own subnet. Option C (AWS PrivateLink) is wrong because PrivateLink provides private connectivity to services through interface VPC endpoints; it is not a mechanism for sharing subnets or other VPC resources across accounts. Option D (Service control policy) is wrong because SCPs are used to manage permissions and enforce guardrails across accounts in AWS Organizations, not to share infrastructure resources such as subnets.

289
MCQ · hard

A company uses AWS Organizations with a centralized networking account that hosts a VPC with a transit gateway. Other accounts need to connect to this transit gateway. The company wants to ensure that only approved VPCs can attach to the transit gateway, and that the attachments are automatically approved when a VPC is created in a member account. Which solution meets these requirements?

A. Create a Lambda function that monitors for new VPCs and creates the transit gateway attachment.
B. Use an SCP to require that all VPCs have a specific tag and then use AWS Config to automatically create the attachment.
C. Use AWS Transit Gateway Network Manager and create a policy to automatically accept attachments from VPCs with a specific tag.
D. Create a transit gateway in the networking account and share it with member accounts using AWS Resource Access Manager. Members create attachments and the networking team manually approves them.
Answer: C

Network Manager can auto-accept attachments based on tags.

Why this answer

Option C is correct because AWS Transit Gateway Network Manager allows you to create a policy that automatically accepts attachment requests from VPCs that have a specific tag. This meets the requirement for automatic approval of approved VPCs without manual intervention, while ensuring only tagged VPCs are attached.

Exam trap

The trap here is that candidates may think a Lambda function or AWS Config is needed for automation, but AWS Transit Gateway Network Manager provides a native, policy-driven way to automatically accept attachments based on tags, which is simpler and more secure.

How to eliminate wrong answers

Option A is wrong because a Lambda function monitoring for new VPCs would require custom code and event handling, and does not inherently enforce that only approved VPCs can attach; it also lacks the built-in approval mechanism. Option B is wrong because an SCP cannot require tags on VPCs (SCPs restrict actions, not enforce tagging), and AWS Config can detect non-compliance but cannot automatically create transit gateway attachments. Option D is wrong because it requires manual approval by the networking team, which does not meet the requirement for automatic approval.

290
Multi-Select · easy

A company wants to allow developers to launch EC2 instances, but only with specific instance types and only if the instance has a tag 'CostCenter'. Which IAM policy statement should be applied to the developers' IAM group? (Choose TWO.)

Select 2 answers
A. Allow ec2:RunInstances with a condition that the request includes a 'CostCenter' tag.
B. Allow ec2:RunInstances with a condition that the instance type is in an allowed list.
C. Allow ec2:RunInstances without conditions.
D. Deny ec2:RunInstances if the instance type is not in the allowed list.
Answers: A, B

This ensures tagging is enforced.

Why this answer

Option A is correct because the IAM policy condition 'ec2:RequestTag/CostCenter' ensures that the developer's RunInstances request includes the required 'CostCenter' tag, enforcing tagging compliance at launch time. Option B is correct because a condition using 'ec2:InstanceType' with a 'ForAllValues:StringLike' or 'StringEquals' operator restricts allowed instance types to a specific list, preventing unauthorized instance families or sizes.

Exam trap

The trap here is that candidates often choose a Deny-based approach (Option D) thinking it is more secure, but they overlook that without an explicit Allow, the implicit deny blocks all actions, and the Deny condition does not enforce the tagging requirement.

291
MCQ · medium

A company uses AWS Organizations with several OUs. The security team wants to restrict the use of specific instance types (e.g., all instances except t2.micro) across all accounts. Which SCP should be applied?

A. An IAM policy applied to each account's admin role to restrict instance types.
B. An SCP that allows ec2:RunInstances only for t2.micro.
C. An SCP that denies ec2:RunInstances when the instance type is not t2.micro.
D. An AWS Config rule to terminate non-compliant instances.
Answer: C

Deny SCPs block non-compliant actions.

Why this answer

Option C is correct because a deny SCP on the RunInstances action for non-allowed instance types prevents those instances from being launched. Option B is wrong because an allow-only SCP requires every permitted action to be explicitly allowed, which is not the best approach here. Option A is wrong because IAM policies are per-account and not centralized.

Option D is wrong because AWS Config does not prevent actions.

292
MCQ · medium

A company has a multi-account environment with a centralized network account that hosts a transit gateway. Application accounts need to connect to the transit gateway. The network team wants to ensure that only authorized accounts can create attachments. Which method should be used?

A. Use AWS Direct Connect to connect each application account to the transit gateway.
B. Establish VPC peering connections between each application account and the network account.
C. Use AWS Resource Access Manager (RAM) to share the transit gateway with authorized accounts.
D. Create an SCP that denies ec2:CreateTransitGatewayVpcAttachment for all accounts except the network account.
Answer: C

RAM allows sharing of transit gateways with specific accounts.

Why this answer

Option C is correct because the transit gateway can be shared with accounts via AWS Resource Access Manager (RAM), and a resource share can be created with specific accounts or OUs. Option D is wrong because SCPs can deny the creation of attachments only if they are not shared. Option B is wrong because VPC peering is separate from the transit gateway.

Option A is wrong because Direct Connect is for on-premises connectivity.

293
MCQ · hard

A company has multiple VPCs across different AWS accounts and wants to establish private connectivity between them. They also need to centrally manage network traffic for security inspection. Which architecture should they use?

A. Create VPC peering connections between all VPCs and use security groups for inspection
B. Configure a VPN between each VPC and a central virtual appliance
C. Deploy an AWS Transit Gateway with a central inspection VPC that hosts security appliances, and configure route tables to route traffic through the inspection VPC
D. Use AWS Direct Connect to connect all VPCs to a common router
Answer: C

Transit Gateway provides transitive routing and central inspection.

Why this answer

Option C is correct because AWS Transit Gateway acts as a central hub to interconnect multiple VPCs across accounts, and by deploying a dedicated inspection VPC with security appliances (e.g., firewalls, IDS/IPS), you can centrally route all inter-VPC traffic through those appliances for security inspection. This is achieved by configuring Transit Gateway route tables to propagate routes from the inspection VPC and using static routes to force traffic through the inspection VPC's attachments, enabling granular traffic steering without complex peering meshes.

Exam trap

The trap here is that candidates often confuse VPC peering (which is simple but unscalable and lacks central inspection) with Transit Gateway, or they incorrectly assume that Direct Connect or VPNs are designed for inter-VPC connectivity rather than hybrid connectivity to on-premises.

How to eliminate wrong answers

Option A is wrong because VPC peering creates a full-mesh topology that does not scale beyond a few VPCs, and security groups cannot inspect traffic between VPCs (they are stateful firewalls at the instance/ENI level, not a central inspection point). Option B is wrong because configuring a VPN between each VPC and a central virtual appliance introduces bandwidth limitations, latency from encryption overhead, and operational complexity for routing and failover; it also does not leverage native AWS networking constructs for high availability. Option D is wrong because AWS Direct Connect provides dedicated physical connectivity to on-premises networks, not private connectivity between VPCs; it would require additional routing and does not inherently provide centralized traffic inspection.

294
Multi-Select · hard

A company has multiple AWS accounts in an organization. The security team needs to centrally manage Amazon GuardDuty findings from all accounts. Which THREE steps should the team take to meet this requirement? (Choose THREE.)

Select 3 answers
A. Configure GuardDuty to send findings to Amazon CloudWatch Logs in a central logging account.
B. Create a new S3 bucket in each account to store GuardDuty findings.
C. Designate a delegated administrator account for GuardDuty in AWS Organizations.
D. Enable Amazon GuardDuty in each member account.
E. Use the delegated administrator account to view findings from all accounts in the GuardDuty console.
Answers: C, D, E

The delegated admin can manage GuardDuty across accounts.

Why this answer

Option C is correct because designating a delegated administrator account for GuardDuty in AWS Organizations centralizes management of findings across all member accounts. This allows the security team to view, manage, and respond to findings from a single account without needing to log into each individual account.

Exam trap

The trap here is that candidates might think sending findings to CloudWatch Logs or S3 is the correct way to centralize management, but AWS's native multi-account architecture for GuardDuty relies on the delegated administrator and member account model, not log aggregation.

295
Multi-Select · medium

A company is designing a cross-account backup strategy using AWS Backup. The backup policy must be centrally managed from the management account. Which TWO steps are required to implement this?

Select 2 answers
A. Create IAM roles in each member account to allow AWS Backup to assume them.
B. Create a separate backup policy for each member account.
C. Create a backup vault in the management account and share it with member accounts.
D. Create a backup vault in each member account and aggregate them using AWS Config.
E. Enable AWS Backup as a trusted service within AWS Organizations.
Answers: C, E

Allows member accounts to use the central vault.

Why this answer

Options C and E are correct. Option B is wrong because the backup policy is applied to the organization, not per account. Option D is wrong because the backup vault must be in the management account.

Option A is wrong because IAM roles are not created automatically for AWS Backup.

296
MCQ · medium

A company has multiple AWS accounts and wants to share a centrally managed Amazon VPC subnet for workloads that require low latency. The VPC is in the networking account. Which solution meets these requirements with the LEAST operational overhead?

A. Create a separate VPC in each account and connect them with VPC peering.
B. Use AWS Resource Access Manager (RAM) to share the subnet with the workload accounts.
C. Set up an AWS Transit Gateway and attach the VPCs from each account.
D. Create VPC peering connections between the networking account and each workload account.
Answer: B

RAM enables subnet sharing with minimal overhead.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows sharing subnets across accounts with minimal overhead. Option D is wrong because VPC peering does not share subnets. Option C is wrong because Transit Gateway attaches VPCs but does not share subnets.

Option A is wrong because creating separate VPCs in each account defeats the purpose of a shared subnet.

297
MCQ · easy

A company uses AWS Organizations with a single OU for all production accounts. The central security team wants to prevent any user from disabling Amazon GuardDuty in any production account. What is the MOST effective way to enforce this?

A. Use AWS Lambda to re-enable GuardDuty if it is disabled.
B. Create an AWS Config rule to detect disabled GuardDuty and send alerts.
C. Apply an SCP to the production OU that denies guardduty:Disable* and guardduty:Delete* actions.
D. Attach an IAM policy to each user that denies guardduty:Disable* actions.
Answer: C

SCPs prevent the actions across all accounts in the OU, regardless of user permissions.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts in an OU. By attaching an SCP that explicitly denies `guardduty:Disable*` and `guardduty:Delete*` actions to the production OU, the security team ensures that no principal (including the root user) in any production account can disable or delete GuardDuty, regardless of IAM policies or direct account-level actions.

Exam trap

The trap here is that candidates often choose a detective or reactive solution (like AWS Config or Lambda) because they overlook the requirement to *prevent* the action, or they mistakenly believe IAM policies attached to users are sufficient to block all principals, including the root user and cross-account roles.

How to eliminate wrong answers

Option A is wrong because using AWS Lambda to re-enable GuardDuty is a reactive, non-preventive approach; it does not block the disable action itself, and there is a window of vulnerability between the disable event and the Lambda execution. Option B is wrong because an AWS Config rule can only detect and alert on a non-compliant state (e.g., GuardDuty disabled), but it cannot prevent the disable action from occurring. Option D is wrong because IAM policies attached to individual users do not prevent the root user or other principals (such as roles or services) from disabling GuardDuty, and they are not enforceable across all accounts in the OU without manual, error-prone replication.

298
MCQ · medium

A company uses AWS Organizations with multiple OUs. The finance team needs visibility into costs across all accounts. They want to tag resources with a 'CostCenter' tag. What is the BEST way to enforce tag propagation?

A. Use AWS Service Catalog to enforce tagging on provisioned products.
B. Run a Lambda function that tags resources after creation based on the creator's cost center.
C. Use AWS Config rules to mark non-compliant resources and auto-remediate.
D. Apply an SCP that denies ec2:RunInstances unless the request includes the CostCenter tag.
Answer: D

SCP can enforce tag requirements at creation time.

Why this answer

Option D is correct because using an SCP to deny the creation of untagged resources is effective. Option C is wrong because AWS Config can detect but not enforce. Option A is wrong because it doesn't prevent creation.

Option B is wrong because it tags resources after the fact.

299
MCQ · hard

Refer to the exhibit. A trust policy is attached to an IAM role named AuditRole in account 111111111111. The IAM role Admin in account 222222222222 attempts to assume AuditRole. The session is launched with source identity 'admin'. Will the assumption succeed?

A. No, because the source identity does not match.
B. Yes, because the role in account 222222222222 is allowed by the principal.
C. No, because cross-account role assumption is not allowed.
D. Yes, because the source identity condition is optional.
Answer: A

The condition requires source identity 'central-admin', but it is 'admin'.

Why this answer

The assumption fails because the trust policy on AuditRole includes a `sts:SourceIdentity` condition that requires the source identity to match a specific value (e.g., 'auditor'), but the session is launched with source identity 'admin'. Since the condition is not satisfied, AWS STS denies the AssumeRole API call, even though the principal (the Admin role in account 222222222222) is allowed by the `Principal` element. The `sts:SourceIdentity` condition key is evaluated at request time and must match exactly for the policy to grant access.

Exam trap

The trap here is that candidates assume a trust policy only needs a matching principal and action to succeed, overlooking that condition keys like `sts:SourceIdentity` can independently deny the request even when the principal is valid.

How to eliminate wrong answers

Option B is wrong because while the principal is allowed, the trust policy also includes an `sts:SourceIdentity` condition that must be satisfied; the condition fails due to mismatched source identity, so the assumption is denied. Option C is wrong because cross-account role assumption is explicitly allowed when the trust policy grants access to a principal from another account, which is the case here. Option D is wrong because the `sts:SourceIdentity` condition is not optional—it is a required condition in the policy statement, and if it is present, it must be satisfied for the request to succeed.

300
Multi-Select · medium

A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?

Select 2 answers
A. Apply service control policies (SCPs) to deny the creation of IAM roles with overly broad permissions, such as 'Action: *' and 'Resource: *'.
B. Use AWS CloudTrail to monitor IAM role creation and alert when roles with broad permissions are created.
C. Enable IAM Access Analyzer to review and identify IAM roles that grant permissions to external principals or have unused permissions.
D. Use AWS IAM Roles Anywhere to manage temporary credentials for workloads outside AWS.
E. Enable AWS Resource Access Manager to share resources only with trusted accounts.
Answers: A, C

SCPs enforce preventive controls at the organization level.

Why this answer

Option A is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts within an organizational unit (OU). By applying an SCP that denies the creation of IAM roles with 'Action: *' and 'Resource: *', the security team enforces the principle of least privilege at the organization level, preventing any account from creating overly permissive roles regardless of the account's own IAM policies.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive controls (like SCPs), assuming monitoring alone is sufficient to enforce least privilege, but the question explicitly asks for actions that 'ensure' compliance, which requires proactive denial, not just detection.
