CCNA Design Solutions for Organizational Complexity Questions

75 of 455 questions · Page 5/7 · Design Solutions for Organizational Complexity · Answers revealed

301
MCQeasy

A company is designing a network architecture for a multi-account AWS environment. They need to establish a central inspection VPC through which all traffic between VPCs in different accounts must pass. Which AWS service should be used to route traffic between VPCs through the inspection VPC?

A.AWS Direct Connect gateway
B.VPC peering with full mesh connectivity
C.Elastic Load Balancer
D.AWS Transit Gateway
AnswerD

Transit Gateway supports transitive routing and central inspection VPC architectures.

Why this answer

AWS Transit Gateway (D) is the correct service because it is a regional hub that routes traffic between many VPCs across accounts, and its route tables are what make the inspection VPC enforceable: the spoke VPC attachments are associated with a route table whose only route (0.0.0.0/0) points at the inspection VPC attachment, and the inspection attachment is associated with a second route table into which the spoke CIDRs are propagated. Enable appliance mode on the inspection attachment so both directions of a flow reach the same appliance in the same Availability Zone. This gives transitive routing without a full mesh of peering connections, and the transit gateway itself is shared with the other accounts through AWS Resource Access Manager (RAM).

Exam trap

The trap here is that candidates often confuse VPC peering with transitive routing, assuming that a full mesh of peering connections can achieve the same centralized inspection as Transit Gateway, but VPC peering explicitly does not support transitive routing (per AWS documentation), making it impossible to force all traffic through a single inspection VPC without additional, unsupported workarounds.

How to eliminate wrong answers

Option A is wrong because a Direct Connect gateway connects on-premises networks to AWS over Direct Connect; it is not a mechanism for routing traffic between VPCs in different accounts. Option B is wrong because VPC peering is not transitive: each peering connection is a one-to-one relationship, so traffic from VPC A cannot be routed through a central inspection VPC to reach VPC B, and a full mesh only multiplies the connections without creating a choke point. Option C is wrong because an Elastic Load Balancer distributes application traffic to targets; it does not route packets between VPCs. The one load balancer that does belong in this design, a Gateway Load Balancer in front of the firewall appliances inside the inspection VPC, still depends on the transit gateway to deliver inter-VPC traffic to it.

302
MCQhard

A company is migrating to AWS and wants to set up a multi-account structure using AWS Organizations. The security team requires that all accounts be part of an organization and that any attempt to leave the organization be blocked. Additionally, the company wants to prevent the use of the root user in member accounts for daily operations. What should they do?

A.Apply an SCP to the root OU that denies the organizations:LeaveOrganization action and denies the root user's ability to perform actions.
B.Create an IAM policy that denies the organizations:LeaveOrganization action and attach it to all IAM users.
C.Use AWS Config rules to detect when an account leaves the organization and automatically rejoin it.
D.Use AWS CloudTrail to monitor and alert on root user activity and organizations:LeaveOrganization.
AnswerA

SCPs apply to root user and all IAM entities; can block leave and restrict root.

Why this answer

Option A is correct because SCPs apply to every principal in the member accounts they are attached to, the root user included, so one policy attached to the root OU can deny organizations:LeaveOrganization and deny actions whenever aws:PrincipalArn matches the root user. Note that SCPs never restrict the management account, so its root user has to be kept out of daily use by other means. Option B is wrong because IAM policies attach to IAM users, groups and roles and cannot be applied to the root user at all. Option C is wrong because AWS Config is detective: it can flag that an account has left, but it cannot block the action, and an account cannot be "automatically rejoined" because rejoining requires an invitation to be accepted from inside that account.

Option D is wrong because CloudTrail records and alerts on activity after the fact; it prevents nothing.

303
Multi-Selecthard

A company is designing a multi-account strategy using AWS Organizations. They need to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO approaches should they combine to enforce this requirement?

Select 2 answers
A.Use AWS Config rules to detect users without MFA and send alerts.
B.Enable AWS CloudTrail to log console access without MFA.
C.Create a service control policy (SCP) that denies console access unless aws:MultiFactorAuthPresent is true.
D.Use AWS Single Sign-On (SSO) with MFA enabled for all users.
E.Create an IAM policy in each account that denies console access unless aws:MultiFactorAuthPresent is true.
AnswersC, E

SCPs can centrally enforce MFA across all accounts.

Why this answer

Option C is correct because an SCP attached at the root, OU or account level can deny actions unless the `aws:MultiFactorAuthPresent` condition key is `true`, and account administrators cannot override an SCP. Option E is correct because SCPs are filters, not grants, and they do not apply to the management account; a per-account IAM policy attached to the users or groups that sign in to the console closes that gap and is the documented way to make a user enrol in MFA before doing anything else. Two details matter in either policy: test the key with `BoolIfExists` rather than `Bool`, because the key is absent entirely from requests signed with long-term access keys and a plain `Bool` test does not match in that case, and exempt the IAM actions a user needs to enrol a device (for example `iam:EnableMFADevice` and `iam:CreateVirtualMFADevice`), or new users are locked out before they can comply.

Exam trap

The trap here is twofold: the detective controls (AWS Config in Option A, CloudTrail in Option B) only report that MFA was missing, and IAM Identity Center (Option D) enforces MFA for its own federated users but does nothing for the IAM users the question asks about. The two preventive controls that work together are the SCP, for organization-wide enforcement that account administrators cannot bypass, and the IAM policy, for the principals and the management account that an SCP cannot reach.

304
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. They want to enforce that no one can disable AWS CloudTrail in any account. Which TWO methods can achieve this?

Select 2 answers
A.Use AWS Trusted Advisor to alert when CloudTrail is disabled.
B.Attach a Service Control Policy (SCP) that denies disabling or deleting CloudTrail.
C.Use AWS Shield Advanced to protect CloudTrail.
D.Use AWS Config rules with auto-remediation to re-enable CloudTrail if disabled.
E.Use IAM permissions boundaries to restrict user permissions.
AnswersB, D

SCPs can prevent disabling actions at the organizational level.

Why this answer

Option B is correct because an SCP can deny cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail (and cloudtrail:PutEventSelectors, which can quietly drop the events a trail records) for every principal in the member accounts, root user included. Option D is correct because the managed AWS Config rule cloudtrail-enabled, paired with an SSM Automation remediation, detects a stopped or deleted trail and turns logging back on; this also covers the management account, where SCPs do not apply. An organization trail is worth remembering here too: member accounts can see it but cannot stop or delete it, because it is owned by the management account. Option E is wrong because permissions boundaries limit individual IAM users and roles, must be attached to each one, and do not apply to the root user.

Option A is wrong because Trusted Advisor only reports findings; it enforces nothing. Option C is wrong because AWS Shield is DDoS protection and has nothing to do with CloudTrail configuration.
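The guardrail SCP that the answers to questions 302, 303 and 304 describe, written out as one policy. This is an added example, not a policy from the original page. It assumes the organization accepts the short list of IAM actions exempted so that a user without MFA can still enrol a device, and that automation runs under roles rather than IAM users (the MFA statement is scoped to IAM users so role sessions, which never carry MFA context, are not broken). JSON policy documents cannot carry comments, so each Sid names what its statement does.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserInMemberAccounts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyIamUsersWithoutMfaExceptEnrolment",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalType": "User" },
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Attach it to a sandbox OU first: a Deny with Action "*" is easy to get wrong, and SCP changes take effect immediately. The policy never applies to the management account, so its root user and its IAM users need the per-account IAM policy from question 303 and separate procedural controls. BoolIfExists is what makes the MFA statement bite on requests signed with long-term access keys, where the key is absent; a plain Bool test would let those through. The root-user statement leaves the root user able to perform only the small set of account-management tasks that AWS documents as exempt from SCPs.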

305
Multi-Selecthard

A company is using AWS Organizations with a centralized networking account that hosts a transit gateway. The company wants to ensure that all traffic between VPCs in different accounts flows through the transit gateway. Which THREE steps are required to implement this architecture?

Select 3 answers
A.Attach the VPCs in member accounts to the transit gateway.
B.Update the route tables of the VPCs to point to the transit gateway for inter-VPC traffic.
C.Create VPC endpoints for the transit gateway in each VPC.
D.Create VPC peering connections between each VPC and the networking VPC.
E.Share the transit gateway with the member accounts using AWS Resource Access Manager.
AnswersA, B, E

VPCs must be attached to the transit gateway to route traffic through it.

Why this answer

Option E is the first step because the transit gateway lives in the networking account; sharing it through AWS Resource Access Manager (with resource sharing enabled for the organization) is what lets member accounts see it at all. Option A is correct because each member account must then create a transit gateway attachment for its VPC; the networking account accepts the attachment (or auto-accepts it) and associates it with the appropriate transit gateway route table, and without an attachment the transit gateway cannot forward traffic to or from that VPC. Option B is correct because an attachment alone moves no packets: the route tables of each spoke VPC need routes for the other VPCs' CIDRs (or a summary route) whose target is the transit gateway, otherwise the VPC has no path to the hub.

Exam trap

The trap here is that candidates often confuse VPC endpoints (used for AWS service access) with transit gateway attachments, or mistakenly think VPC peering is required when the transit gateway already provides the necessary connectivity.

306
MCQeasy

A company has a management account in AWS Organizations. It wants to delegate administration of AWS IAM Identity Center to a member account for user management. What is the correct way to achieve this?

A.Use AWS Resource Access Manager to share the IAM Identity Center instance with the member account.
B.Use the IAM Identity Center console to add the member account as a delegated administrator.
C.Use a service control policy to allow the member account to manage IAM Identity Center.
D.Create an IAM role in the management account and allow the member account to assume it.
AnswerB

This is the native mechanism for delegation.

Why this answer

Option B is correct because IAM Identity Center supports registering one member account as its delegated administrator; the registration is performed from the management account, and the delegated account can then manage users, groups, assignments and permission sets (except those provisioned in the management account itself, which remain manageable only from there) without holding management-account credentials. Option A is wrong because IAM Identity Center is not a resource that RAM can share. Option C is wrong because SCPs only restrict permissions; they cannot grant or delegate anything.

Option D is wrong because a role in the management account that the member account can assume is generic cross-account access, not delegated administration, and it hands the member account management-account credentials, which is exactly the exposure delegation is meant to avoid.

307
MCQmedium

A company has a multi-account AWS environment. The security team needs to centrally manage and audit IAM roles that allow cross-account access. Which solution meets these requirements?

A.Use AWS Organizations service control policies to deny cross-account access.
B.Enable AWS IAM Access Analyzer in the management account and delegate admin to the security account.
C.Use AWS Trusted Advisor to check for unused cross-account roles.
D.Enable AWS CloudTrail across all accounts and use Athena to query for AssumeRole events.
AnswerB

Access Analyzer automatically discovers cross-account access and can be centrally managed.

Why this answer

AWS IAM Access Analyzer identifies resources, IAM role trust policies included, that grant access to principals outside a chosen zone of trust. Enabling it with the organization as the zone of trust and delegating administration to the security account gives that team one place to see findings across every account without enabling and reviewing an analyzer in each one. Choose the zone of trust deliberately: with the organization as the zone of trust, roles trusted by sibling accounts inside the organization are not flagged, so an analyzer with the individual account as its zone of trust is needed if those internal cross-account roles are in scope of the audit. This meets the requirement for central management and auditing of cross-account IAM roles.

Exam trap

The trap here is that candidates confuse preventive controls (SCPs) with detective/audit controls, or they assume CloudTrail logging alone provides centralized auditing without considering the need for a purpose-built tool like IAM Access Analyzer to identify cross-account access configurations.

How to eliminate wrong answers

Option A is wrong because service control policies (SCPs) can deny or restrict permissions but do not provide auditing or centralized management of existing cross-account roles; they are preventive, not detective. Option C is wrong because AWS Trusted Advisor checks for unused IAM roles but does not specifically audit cross-account access or provide centralized management across multiple accounts. Option D is wrong because while CloudTrail logs AssumeRole events and Athena can query them, this approach requires aggregating logs from all accounts and does not offer a built-in, centralized auditing mechanism for cross-account roles like IAM Access Analyzer does.

308
MCQhard

A company uses AWS Organizations with a multi-account strategy. The central IT team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key. The security policy must be applied without modifying individual bucket policies. Which approach meets these requirements?

A.Use the S3 default encryption feature to automatically encrypt new objects with the specified KMS key.
B.Create a service control policy (SCP) that denies s3:PutBucketPolicy and s3:PutObject actions unless the request includes the specified KMS key.
C.Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to remediate.
D.Create an S3 bucket policy in each account that denies PutObject if the object is not encrypted with the specified KMS key.
AnswerB

SCPs can centrally enforce encryption requirements across all accounts.

Why this answer

Option B is correct because a service control policy (SCP) is applied once, at the organization or OU level, and denies the action in every account it reaches without any change to bucket policies. The SCP denies s3:PutObject unless the request's s3:x-amz-server-side-encryption header is aws:kms and s3:x-amz-server-side-encryption-aws-kms-key-id names the approved key; because the condition evaluates on request parameters, it fails closed. Two caveats: the SCP does not apply in the management account, and a StringNotEquals condition also matches when the header is absent, so uploads that send no encryption headers at all (clients relying on bucket default encryption) are denied too and clients must set the headers explicitly.

Exam trap

The trap here is that candidates often choose reactive solutions like AWS Config or per-bucket default encryption, overlooking that SCPs can deny API actions based on request parameters before the write happens, which makes Option B the only listed approach that enforces the requirement without touching individual bucket policies.

How to eliminate wrong answers

Option A is wrong because default encryption is a per-bucket setting, so applying it across the organization means configuring every bucket, and a PutObject request that names a different key overrides it; it is a default, not an enforcement. Option C is wrong because AWS Config rules with Lambda remediation are reactive (they detect and fix after the fact) and do not prevent a non-compliant object from being written in the first place. Option D is wrong because it requires modifying the bucket policy in every account, which contradicts the requirement to apply the policy without modifying individual bucket policies.
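The SCP behind Option B, written out as an added example that is not from the original page. The key ARN, account ID and region are placeholders, and the role name S3PlatformAdmin is a hypothetical exemption for whoever is allowed to change bucket default encryption. The policy is deliberately limited to the s3:PutObject half of the option, because denying s3:PutBucketPolicy organization-wide would also block legitimate bucket-policy management; a third statement instead stops anyone but the platform role from weakening default encryption. JSON carries no comments, so the Sids describe each statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectUnlessSseKms",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectUnlessApprovedKey",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    },
    {
      "Sid": "DenyChangingBucketDefaultEncryptionExceptPlatformRole",
      "Effect": "Deny",
      "Action": "s3:PutEncryptionConfiguration",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/S3PlatformAdmin"
        }
      }
    }
  ]
}
```

Because StringNotEquals matches when the condition key is missing, a PutObject (or CreateMultipartUpload, which S3 authorizes as s3:PutObject with the same headers) that sends no encryption headers is denied; every client must set both headers explicitly, which is the price of fail-closed enforcement. Expect to find this out through application errors after attaching the policy, so roll it out OU by OU and watch for AccessDenied on PutObject in CloudTrail.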

309
MCQmedium

A company has a complex AWS environment with multiple VPCs connected via a transit gateway. The company wants to centrally manage DNS resolution across all VPCs. Currently, each VPC has its own Amazon Route 53 private hosted zone. The company needs a solution that allows resources in any VPC to resolve DNS names from any other VPC's private hosted zone. Which solution should be implemented?

A.Create VPC peering connections between all VPCs and enable the 'Allow DNS resolution from peered VPC' option.
B.Use Route 53 Resolver outbound endpoints and forwarding rules to forward DNS queries to the appropriate private hosted zones.
C.Configure Route 53 Resolver inbound endpoints in each VPC and set up conditional forwarding.
D.Associate each private hosted zone with each VPC using Route 53.
AnswerB

Resolver endpoints and forwarding rules enable cross-VPC DNS resolution.

Why this answer

Option B is correct because Route 53 Resolver forwarding rules, attached to an outbound endpoint, send queries for the domain names you choose from any VPC to resolver targets you specify; shared through RAM, one set of rules can be associated with every VPC, so resolution is managed centrally instead of per VPC. A forwarding rule needs target IP addresses, so in practice the targets are inbound endpoints in the VPC where each private hosted zone is associated, which is what lets a query from one VPC reach a zone that is associated only with another VPC, without VPC peering or an association of every zone with every VPC.

Exam trap

The trap here is that candidates often confuse the VPC peering DNS option with private hosted zone resolution. 'Allow DNS resolution from peered VPC' only lets instances resolve the public DNS hostnames of instances in the peered VPC to their private IP addresses through the Amazon-provided DNS server; it does not make the peered VPC's private hosted zones resolvable.

How to eliminate wrong answers

Option A is wrong because VPC peering with 'Allow DNS resolution from peered VPC' only affects the Amazon-provided DNS resolution of instance public hostnames; a private hosted zone is resolvable only from the VPCs it is associated with or that forward to a resolver that can see it, and peering does neither. Option C is wrong because inbound endpoints receive queries (from on-premises networks or from other resolvers); forwarding rules, which are the conditional-forwarding feature, are attached to outbound endpoints, so inbound endpoints in every VPC forward nothing on their own. Option D is wrong for the reason the question is after: associating every zone with every VPC is an N×M set of associations, each cross-account pair needing a CreateVPCAssociationAuthorization from the zone owner, and nothing about it is managed centrally. It is still worth knowing that an association does make a zone resolvable from that VPC, and for a handful of zones it is the simplest answer; the question asks for the centrally managed one.

310
MCQeasy

A company has multiple AWS accounts for different departments. The finance team wants to centrally manage and optimize EC2 Reserved Instance purchases across all accounts. Which solution should the company implement?

A.Use AWS Organizations with consolidated billing and purchase Reserved Instances in the management account to share with all accounts.
B.Use AWS Budgets to monitor usage and then purchase Reserved Instances per account.
C.Purchase Reserved Instances in the EC2 Reserved Instance Marketplace for distribution to accounts.
D.Have each account purchase its own Reserved Instances based on its usage.
AnswerA

Reserved Instances are shared across all accounts in the consolidated billing family.

Why this answer

Option A is correct because under consolidated billing the Reserved Instance discount is shared across all accounts in the organization, so reservations held in the management account (or any account, as long as RI sharing has not been turned off for it in the billing preferences) apply to matching usage in every account. Option D is wrong because per-account purchases lose that pooling and leave reservations stranded when one department's usage drops. Option C is wrong because the Reserved Instance Marketplace is where third parties sell their unused reservations; it is not a distribution mechanism.

Option B is wrong because AWS Budgets tracks spend and alerts on thresholds; it does not purchase anything.

311
MCQmedium

A company has a central S3 bucket for logs (central-logs-bucket) in account 123456789012. The bucket policy is shown in the exhibit. A developer in account 111111111111 tries to access an object in the bucket using the AWS CLI without the --no-sign-request option. The request fails. What is the MOST likely cause?

A.The bucket policy denies access from all accounts except 123456789012.
B.The bucket policy only grants access to the root user of account 123456789012, not to other accounts.
C.The request is not using HTTPS, so it is denied by the aws:SecureTransport condition.
D.The request is not signed, so it is denied by the aws:SecureTransport condition.
AnswerB

The Principal is set to the root user of the bucket owner account.

Why this answer

Option B is correct. The Principal in the bucket policy is arn:aws:iam::123456789012:root, which in a resource policy means the bucket owner account as a whole (delegating the fine-grained decision to that account's IAM policies) rather than literally the root user; either way it names only account 123456789012, so a principal from account 111111111111 is granted nothing and S3 falls back to the implicit deny. For the developer's request to succeed, the bucket policy would have to name account 111111111111 (or a specific role in it) and the developer's own IAM policy would have to allow s3:GetObject on the bucket; cross-account access needs both halves.

Option C is wrong because the AWS CLI uses HTTPS by default, so an aws:SecureTransport condition would not fire. Option D is wrong because a request made without --no-sign-request is signed, and aws:SecureTransport tests the transport, not the signature. Option A is wrong because the policy allows one account rather than explicitly denying the others; what blocks the developer is the absence of a grant, not a Deny statement.

312
MCQmedium

A company has a multi-account AWS environment with over 500 accounts. The security team uses AWS Config to evaluate resource compliance across all accounts. They have set up an AWS Config aggregator in the security account to collect configuration snapshots from all member accounts. Recently, the team noticed that some member accounts are not showing up in the aggregator. The accounts are active and have AWS Config enabled. What should the security team do to troubleshoot this issue?

A.Ensure that the member accounts have enabled AWS Config in the same region as the aggregator.
B.Check if the member accounts have exceeded the AWS Config resource limits.
C.Check if the AWS Config recorder in the member accounts is configured to record all resource types.
D.Verify that the AWS Config aggregator in the security account has the correct authorization to assume a role in each member account.
AnswerD

The aggregator needs cross-account IAM roles to retrieve data; if permissions are missing or incorrect, accounts won't appear.

Why this answer

Option D is correct because an aggregator does not receive data just because AWS Config is enabled in a source account; it needs authorization to read from that account. For an organization-based aggregator that authorization is an IAM role in the aggregator account that Config uses to enumerate the organization's accounts; for an aggregator that lists source accounts individually, each source account must create an aggregation authorization naming the aggregator account and region. When that authorization is missing or points at the wrong account or region, the source account simply never appears, which matches the symptom described.

Exam trap

The trap here is that candidates assume enabling AWS Config in member accounts is sufficient, overlooking the critical cross-account authorization step required by the aggregator to pull data from those accounts.

How to eliminate wrong answers

Option A is wrong because AWS Config aggregators can collect data from multiple regions, and the issue is about accounts not showing up, not regions; the aggregator can aggregate across regions if configured correctly. Option B is wrong because exceeding AWS Config resource limits would cause errors or throttling, not a complete absence of accounts in the aggregator; the accounts are active and Config is enabled, so limits are not the likely cause. Option C is wrong because the AWS Config recorder configuration (recording all resource types or specific ones) affects what resources are recorded, not whether the account appears in the aggregator; the aggregator shows accounts regardless of the recorder's scope.

313
MCQmedium

A company has multiple AWS accounts and wants to centralize CloudTrail logs from all accounts into a single S3 bucket in the audit account. Which configuration is required?

A.Configure CloudWatch Events cross-account to forward logs to a central S3 bucket.
B.Create an organization trail in the management account that delivers logs to the central S3 bucket in the audit account, and set the bucket policy to allow CloudTrail from the organization.
C.Use AWS Organizations to automatically create a CloudTrail trail in the management account that logs all accounts.
D.Create a CloudTrail trail in each account that delivers logs to the central S3 bucket, with a bucket policy that grants write access to each account's CloudTrail service.
AnswerB

An organization trail automatically collects logs from all accounts and can deliver to a bucket in a different account if the bucket policy permits.

Why this answer

Option B is correct because an organization trail, created in the management account (or in a CloudTrail delegated administrator account), is applied to every account in the organization, including accounts added later, and can deliver to a bucket owned by another account. The bucket side is a policy that lets the cloudtrail.amazonaws.com service principal call s3:GetBucketAcl on the bucket and s3:PutObject under both the AWSLogs/<management-account-id>/ and AWSLogs/<organization-id>/ prefixes, ideally conditioned on the aws:SourceArn of the trail so that no other account's trail can write there. No per-account trail is needed, and new accounts are covered automatically.

Exam trap

The trap here is that candidates often assume they must create individual trails per account (Option D) or use CloudWatch Events (Option A), missing the simpler and more robust organization trail feature that automatically covers all accounts in the organization.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events (now Amazon EventBridge) cross-account forwarding is not designed to aggregate CloudTrail log files into S3; it forwards events to targets such as Lambda or SQS, not directly to S3, and would require custom processing. Option C is wrong because AWS Organizations does not create a CloudTrail trail on its own; you must explicitly create an organization trail in the management account. Option D is wrong because, while it works technically, it requires a trail in every account and a bucket policy that enumerates each account, and it does not pick up new accounts; the organization trail does all of that automatically.
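The bucket policy on the audit account's bucket that Option B requires, as an added example that is not from the original page. The bucket name central-audit-trail-bucket, management account 111122223333, organization ID o-exampleorgid, trail name org-trail and region us-east-1 are placeholders. The aws:SourceArn conditions tie the grant to that one trail, so a trail in some other account cannot write into this bucket even though the same service principal is allowed, and the last statement refuses plaintext transport outright. JSON carries no comments, so the Sids describe each statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheckForOrgTrailOnly",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-audit-trail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWriteManagementAccountPrefix",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-audit-trail-bucket/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWriteOrganizationPrefix",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-audit-trail-bucket/AWSLogs/o-exampleorgid/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::central-audit-trail-bucket",
        "arn:aws:s3:::central-audit-trail-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

Member-account logs land under AWSLogs/o-exampleorgid/<member-account-id>/, which is why the organization prefix is granted separately from the management account's own prefix. If the bucket uses SSE-KMS, the key policy needs an equivalent grant to cloudtrail.amazonaws.com or deliveries fail silently from the trail's point of view; pair the bucket with Object Lock or at least S3 versioning and MFA delete so the audit account's own administrators cannot quietly rewrite history.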

314
MCQeasy

A solutions architect needs to design a network architecture for a multi-account AWS environment using AWS Transit Gateway. The company requires that all traffic between VPCs be inspected by a central security appliance. What is the MOST efficient way to achieve this?

A.Use AWS Direct Connect to connect all VPCs to a central on-premises firewall.
B.Use a Network Load Balancer in each VPC to forward traffic to a firewall instance.
C.Attach all VPCs to a Transit Gateway and route traffic through a central inspection VPC.
D.Create VPC peering connections between all VPCs and route traffic through a security VPC.
AnswerC

Transit Gateway enables transitive routing with a central inspection VPC.

Why this answer

Option C is correct because attaching every VPC to a transit gateway and giving the spoke attachments a route table whose default route points at the inspection VPC attachment forces all inter-VPC traffic through the firewall appliance; enable appliance mode on the inspection attachment so both directions of a flow land on the same appliance. Option D is wrong because VPC peering is non-transitive: a packet from VPC A cannot be routed through a security VPC on its way to VPC B. Option A is wrong because Direct Connect is on-premises connectivity, and hairpinning every inter-VPC flow through an on-premises firewall adds latency, cost and a single point of failure.

Option B is wrong because a Network Load Balancer distributes traffic, it does not inspect it, and a firewall instance in every VPC is the opposite of the central inspection the question asks for.
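The networking-account side of the design in questions 301, 305 and 314, as an added CloudFormation template (JSON) that is not from the original page. It assumes the inspection VPC and its subnets already exist, that the spoke accounts sit under one OU whose ARN is passed in, that RAM sharing with AWS Organizations has already been enabled from the management account, and that the firewall appliance (typically behind a Gateway Load Balancer) is already running in the inspection VPC. The names hub-tgw, hub-tgw-share and the parameter names are placeholders. Member accounts attach their own VPCs after accepting the share; those attachment IDs do not exist when this stack is created, so associating each spoke attachment with the spoke route table and propagating it into the inspection route table are separate, per-spoke steps.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Networking-account hub: transit gateway, RAM share, inspection VPC attachment and route tables (added example)",
  "Parameters": {
    "InspectionVpcId": { "Type": "AWS::EC2::VPC::Id" },
    "InspectionSubnetIds": { "Type": "List<AWS::EC2::Subnet::Id>" },
    "SpokeOuArn": {
      "Type": "String",
      "Description": "ARN of the OU that holds the spoke accounts, e.g. arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examplerootid-exampleouid"
    }
  },
  "Resources": {
    "HubTgw": {
      "Type": "AWS::EC2::TransitGateway",
      "Properties": {
        "AmazonSideAsn": 64512,
        "AutoAcceptSharedAttachments": "disable",
        "DefaultRouteTableAssociation": "disable",
        "DefaultRouteTablePropagation": "disable",
        "Tags": [{ "Key": "Name", "Value": "hub-tgw" }]
      }
    },
    "TgwShare": {
      "Type": "AWS::RAM::ResourceShare",
      "Properties": {
        "Name": "hub-tgw-share",
        "AllowExternalPrincipals": false,
        "ResourceArns": [
          { "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${HubTgw}" }
        ],
        "Principals": [{ "Ref": "SpokeOuArn" }]
      }
    },
    "InspectionAttachment": {
      "Type": "AWS::EC2::TransitGatewayAttachment",
      "Properties": {
        "TransitGatewayId": { "Ref": "HubTgw" },
        "VpcId": { "Ref": "InspectionVpcId" },
        "SubnetIds": { "Ref": "InspectionSubnetIds" },
        "Options": { "ApplianceModeSupport": "enable" },
        "Tags": [{ "Key": "Name", "Value": "inspection-vpc" }]
      }
    },
    "SpokeRouteTable": {
      "Type": "AWS::EC2::TransitGatewayRouteTable",
      "Properties": {
        "TransitGatewayId": { "Ref": "HubTgw" },
        "Tags": [{ "Key": "Name", "Value": "spokes" }]
      }
    },
    "InspectionRouteTable": {
      "Type": "AWS::EC2::TransitGatewayRouteTable",
      "Properties": {
        "TransitGatewayId": { "Ref": "HubTgw" },
        "Tags": [{ "Key": "Name", "Value": "inspection" }]
      }
    },
    "InspectionAssociation": {
      "Type": "AWS::EC2::TransitGatewayRouteTableAssociation",
      "Properties": {
        "TransitGatewayAttachmentId": { "Ref": "InspectionAttachment" },
        "TransitGatewayRouteTableId": { "Ref": "InspectionRouteTable" }
      }
    },
    "SpokesDefaultToInspection": {
      "Type": "AWS::EC2::TransitGatewayRoute",
      "Properties": {
        "TransitGatewayRouteTableId": { "Ref": "SpokeRouteTable" },
        "DestinationCidrBlock": "0.0.0.0/0",
        "TransitGatewayAttachmentId": { "Ref": "InspectionAttachment" }
      }
    }
  },
  "Outputs": {
    "TransitGatewayId": { "Value": { "Ref": "HubTgw" } },
    "SpokeRouteTableId": { "Value": { "Ref": "SpokeRouteTable" } },
    "InspectionRouteTableId": { "Value": { "Ref": "InspectionRouteTable" } }
  }
}
```

Disabling the default route table association and propagation is the security-relevant choice: with the defaults on, every new spoke attachment would land in one shared route table with full reachability to every other spoke, bypassing the inspection VPC entirely. The spoke route table holds nothing but the default route to the inspection attachment, while the inspection route table learns the spoke CIDRs through propagation, so the only path between two spokes is through the appliance. AutoAcceptSharedAttachments is left disabled so the networking account has to accept each spoke attachment deliberately; switch it on only if every account in the OU is trusted to attach. Inside each spoke, the VPC route tables still need their routes to the transit gateway (the step in question 305), and inside the inspection VPC the subnet route tables need the spoke CIDRs routed to the appliance or Gateway Load Balancer endpoint and back to the transit gateway.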

315
MCQhard

A company has a multi-account strategy with a dedicated audit account. The audit account needs to have read-only access to all resources in all other accounts. The security team wants to use IAM roles. What is the MOST scalable way to set up this cross-account access?

A.Use AWS Single Sign-On (SSO) to grant the audit team access to each account.
B.Create an IAM user in the audit account and allow that user to assume a role in each account.
C.Manually create an IAM role in each account and attach a read-only policy.
D.Use AWS CloudFormation StackSets to deploy a stack containing an IAM role with the required trust and permissions.
AnswerD

StackSets can deploy to all accounts in an organization automatically.

Why this answer

Option D is correct because AWS CloudFormation StackSets allows you to deploy a consistent IAM role with a read-only policy and a trust policy that grants the audit account access across all target accounts in a single, automated, and scalable operation. This approach eliminates manual effort, ensures consistency, and scales to hundreds of accounts without requiring per-account configuration.

Exam trap

The trap here is that candidates often choose manual role creation (Option C) because it seems straightforward, but they overlook the scalability and automation benefits of StackSets, which is the most efficient solution for managing cross-account roles across many accounts in a multi-account strategy.

How to eliminate wrong answers

Option A is wrong because AWS Single Sign-On (now IAM Identity Center) is for workforce users signing in to accounts; the question asks for an account-to-account IAM role that the audit account's own principals and tooling can assume, and Identity Center does not create that trust relationship. Option B is wrong because an IAM user in the audit account still needs a role and trust policy in every other account, so it solves nothing about scale, and long-lived IAM user credentials are an anti-pattern for cross-account access compared with role assumption from an existing role session. Option C is wrong because manually creating an IAM role in each account does not scale to a multi-account environment; it invites inconsistency and human error and has to be repeated for every new account.
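The template a StackSet would deploy for Option D, as an added example that is not from the original page. The role name OrgAuditReadOnly, the trusted role AuditorRole in the audit account, and the list of data-plane actions denied on top of ReadOnlyAccess are assumptions; the audit account ID is a parameter. The trust policy names the audit account and then narrows it with an aws:PrincipalArn condition rather than naming the AuditorRole ARN directly as the Principal, so the stack deploys even before that role exists and the trust survives that role being deleted and recreated. JSON carries no comments, so the Sids and the Description say what each part does.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Read-only audit role for every account, deployed once per account by StackSets (added example)",
  "Parameters": {
    "AuditAccountId": { "Type": "String", "AllowedPattern": "^[0-9]{12}$" },
    "AuditRoleName": { "Type": "String", "Default": "OrgAuditReadOnly" }
  },
  "Resources": {
    "AuditReadOnlyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": { "Ref": "AuditRoleName" },
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "TrustOnlyTheAuditorRoleInTheAuditAccount",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AuditAccountId}:root" }
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "ArnEquals": {
                  "aws:PrincipalArn": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AuditAccountId}:role/AuditorRole" }
                }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" }
        ],
        "Policies": [
          {
            "PolicyName": "NoDataPlaneReads",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyReadingObjectsSecretsAndParameters",
                  "Effect": "Deny",
                  "Action": [
                    "s3:GetObject",
                    "secretsmanager:GetSecretValue",
                    "ssm:GetParameter",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath",
                    "kms:Decrypt",
                    "lambda:GetFunction"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "AuditRoleArn": { "Value": { "Fn::GetAtt": ["AuditReadOnlyRole", "Arn"] } }
  }
}
```

Deploy it with service-managed permissions targeted at OUs, with automatic deployment on, so new accounts get the role without anyone touching them; and target exactly one region per account, because IAM is global and a second region would fail on the fixed RoleName. The inline Deny exists because ReadOnlyAccess is broader than "read configuration": it includes s3:GetObject and similar calls that read customer data, which an auditor reviewing configuration does not need. Audit who assumes the role by querying AssumeRole events for the role ARN in the organization trail.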

316
MCQhard

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

A.The subnet's auto-assign public IP setting is disabled
B.The internet gateway is not attached to the VPC
C.The subnet needs a NAT gateway for internet access
D.The subnet's route table does not have a route to the internet gateway
AnswerA

MapPublicIpOnLaunch is false, so instances lack public IPs.

Why this answer

Option A is correct because MapPublicIpOnLaunch is false on the subnet, so instances launched into it receive no public IPv4 address. A route to the internet gateway only helps traffic that has a public address for the gateway to translate; without one, the instance has no path out or in. The fix is to enable auto-assign public IP on the subnet, or to attach Elastic IPs to the instances. Option D is wrong because the default route to the internet gateway exists.

Option B is wrong because the internet gateway is attached. Option C is wrong because a NAT gateway serves instances in private subnets; this subnet already routes to an internet gateway and needs public IPs, not NAT. If instances still cannot reach the internet once they have public IPs, check security groups and network ACLs next.

317
MCQeasy

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by project, where each project may use resources across multiple accounts. What is the MOST scalable way to allocate costs?

A.Create separate AWS accounts for each project and use consolidated billing to view costs.
B.Use AWS Budgets with cost allocation tags to track project costs.
C.Apply cost allocation tags to resources in each account and use AWS Cost Explorer to filter by tag.
D.Use AWS Cost Categories in AWS Cost Explorer to group costs by shared tags that are activated centrally.
AnswerD

Cost Categories allow grouping by tags, accounts, or services and are managed centrally in the management account.

Why this answer

Option D is correct because Cost Categories are defined once in the management account and group cost across accounts, tags, services or charge types into named buckets, so a project that spans several accounts rolls up under one name in Cost Explorer, budgets and the Cost and Usage Report without every viewer rebuilding the filter. Option C is wrong because filtering Cost Explorer by tag only works as far as every team has tagged every resource consistently, the tags must still be activated as cost allocation tags in the management account before they appear at all, and it gives no grouping beyond that one filter. Option B is wrong because AWS Budgets tracks spend against thresholds and alerts; it is not an allocation mechanism.

Option A is wrong because an account per project is rigid, and the question states that projects already span multiple accounts.

318
MCQeasy

A company wants to implement a data lake on AWS with data from multiple sources. They need to store data in its raw format and allow multiple teams to query it using different tools. Which service should be used as the central storage layer?

A.Amazon DynamoDB
B.Amazon Redshift
C.Amazon S3
D.Amazon RDS
AnswerC

S3 is the foundational storage service for data lakes.

Why this answer

Amazon S3 is the correct choice because it provides a highly durable, scalable, and cost-effective object storage service that can store data in its raw, native format (e.g., CSV, JSON, Parquet, images). It supports multiple query engines like Amazon Athena, Amazon Redshift Spectrum, and AWS Glue, allowing diverse teams to query the same data using different tools without data movement.

Exam trap

The trap here is that candidates often confuse a data lake's raw storage layer with a data warehouse (Redshift) or a transactional database (RDS, DynamoDB), failing to recognize that a data lake requires schema-on-read, object storage and multi-engine query support, which of the four options only S3 provides.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database designed for low-latency, transactional workloads, not for storing raw, schema-less data lake files or supporting SQL-based analytics at scale. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse that requires data to be loaded and transformed into a structured, columnar format; it is not designed to store raw, unprocessed data from multiple sources. Option D is wrong because Amazon RDS is a relational database service that enforces a fixed schema and is optimized for OLTP workloads, making it unsuitable for storing diverse raw data formats and supporting ad-hoc queries from multiple analytics tools.

319
MCQhard

A company has a centralized logging account and multiple application accounts. Each application account sends CloudWatch Logs to a cross-account log group in the logging account. The security team wants to ensure that logs are encrypted at rest using a KMS key that only the logging account can manage. Which configuration is required?

A.Use S3 replication with SSE-KMS to copy logs from source accounts to the logging account.
B.Create a cross-account destination in the logging account, configure subscription filters in source accounts, and attach a KMS key policy that allows CloudWatch Logs in source accounts to use the key.
C.Create a cross-account destination in each source account and attach a resource policy that grants the logging account permission to write.
D.Use the default AWS-managed KMS key for CloudWatch Logs in each source account.
AnswerB

This enables cross-account log delivery with customer-managed KMS encryption.

Why this answer

Option B is correct because cross-account delivery of CloudWatch Logs works through a destination in the logging account, which fronts a Kinesis Data Streams or Data Firehose stream and carries an access policy naming the source accounts, plus a subscription filter in each source account that targets that destination. Encryption with a key that only the logging account manages comes from the KMS key policy: administrative permission (kms:*) goes only to the logging account, and the regional CloudWatch Logs service principal is allowed to use the key, scoped with a kms:EncryptionContext:aws:logs:arn condition to the log groups that are permitted to use it. Option D is wrong because the AWS managed key is owned by AWS; the logging account cannot restrict who manages it.

Option C is wrong because the destination belongs in the logging account that receives the logs, not in each source account. Option A is wrong because S3 replication is not part of the CloudWatch Logs delivery path.

320
MCQmedium

A company uses AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required to set this up?

A.Use the management account to designate the member account as a delegated administrator for IAM Identity Center.
B.Enable AWS Organizations and create an admin role in the member account.
C.Create a new OU for the delegated administrator account.
D.Attach an SCP to allow IAM Identity Center actions in the member account.
AnswerA

This is the standard AWS procedure.

Why this answer

To delegate administration of IAM Identity Center to a member account, you must use the AWS Organizations management account to register that member account as a delegated administrator for IAM Identity Center. This is done via the AWS Organizations console or API (RegisterDelegatedAdministrator), which grants the member account the necessary permissions to manage IAM Identity Center settings, users, and groups without requiring full management account access. Only the management account can designate delegated administrators, and this action is specific to IAM Identity Center within AWS Organizations.

Exam trap

The trap here is that candidates often confuse generic cross-account role delegation (like creating an IAM role in a member account) with the specific AWS Organizations delegated administrator feature, which requires explicit registration from the management account and is not achieved by simply creating roles or policies.

How to eliminate wrong answers

Option B is wrong because enabling AWS Organizations and creating an admin role in the member account is a generic step for cross-account access, but it does not specifically delegate IAM Identity Center administration; delegated administration requires explicit registration via the management account, not just role creation. Option C is wrong because creating a new OU for the delegated administrator account is not required; delegated administrators can be any member account in any OU, and OUs are for organizational structure and policy application, not for enabling delegation. Option D is wrong because attaching an SCP to allow IAM Identity Center actions in the member account is unnecessary and incorrect; SCPs are used to restrict permissions, not to grant them, and delegation is controlled by the management account's registration, not by SCPs.

321
MCQeasy

A company wants to centralize management of Amazon EC2 instances across multiple accounts using AWS Systems Manager. The company uses AWS Organizations. What is the simplest way to enable Systems Manager to manage instances in all accounts?

A.Use AWS Config to aggregate configuration data
B.Use Systems Manager Automation runbooks in each account
C.Use Systems Manager Explorer with multi-account management
D.Use CloudFormation StackSets to deploy Systems Manager agents
AnswerC

Explorer provides a single pane of glass for all accounts in the organization.

Why this answer

Option C is correct because Systems Manager Explorer provides a centralized view of operational data across all accounts in the organization. Option B is wrong because Systems Manager Automation runbooks are for automating tasks, not for centralized multi-account management. Option A is wrong because AWS Config is for compliance and configuration tracking, not instance management.

Option D is wrong because CloudFormation is for infrastructure deployment.

322
MCQhard

A company has a global AWS environment with multiple VPCs in different regions. The company uses AWS Transit Gateway to connect VPCs in the same region, but they need to interconnect VPCs across regions. The network team wants a solution that provides transitive routing across regions with minimal latency and operational overhead. Which solution should be implemented?

A.Set up a VPN connection between Transit Gateways in different regions.
B.Use AWS Direct Connect to connect the Transit Gateways in different regions.
C.Create VPC peering connections between all VPCs in different regions.
D.Use Transit Gateway peering attachments between Transit Gateways in different regions.
AnswerD

Transit Gateway peering provides transitive routing across regions with low latency.

Why this answer

Transit Gateway peering attachments enable transitive routing between Transit Gateways in different AWS regions, providing low-latency connectivity over the AWS global network without requiring VPN or Direct Connect. This solution minimizes operational overhead because AWS manages the peering connection and route propagation automatically, allowing VPCs attached to different Transit Gateways to communicate across regions.

Exam trap

The trap here is that candidates may confuse Transit Gateway peering with VPN or Direct Connect, assuming that cross-region connectivity requires a VPN or dedicated line, but AWS provides a native, managed peering feature that is simpler and more performant for inter-region Transit Gateway connectivity.

How to eliminate wrong answers

Option A is wrong because setting up a VPN connection between Transit Gateways introduces additional latency, complexity, and operational overhead due to managing VPN tunnels and encryption endpoints, and it does not leverage the AWS global backbone for optimal performance. Option B is wrong because AWS Direct Connect is a dedicated on-premises connection and cannot be used to directly interconnect Transit Gateways across regions; it would require additional routing and does not provide transitive routing between regions. Option C is wrong because VPC peering does not support transitive routing—each peering connection is a one-to-one relationship, so to connect all VPCs across regions you would need a full mesh of peering connections, which is not scalable and incurs high operational overhead.

323
Multi-Selectmedium

A company is setting up a new AWS Organization and wants to implement a data perimeter to ensure that data can only be accessed from approved network locations. Which TWO actions should the company take?

Select 2 answers
A.Implement an S3 bucket policy that restricts access based on the aws:SourceVpce condition key.
B.Create an IAM policy in each account that denies access unless the request comes from the approved IP range.
C.Use AWS PrivateLink to access all AWS services from within the VPC.
D.Create a service control policy (SCP) that denies access to resources unless the request originates from the approved IP address range.
E.Use AWS Resource Access Manager to share resources with approved accounts only.
AnswersA, D

Restricts access to requests from specific VPC endpoints.

Why this answer

Options A and D are correct. D: An SCP with a condition on aws:SourceIp restricts access based on IP address across all accounts in the organization. A: An S3 bucket policy with a condition on aws:SourceVpce restricts access to requests arriving through specific VPC endpoints.

Option B is wrong because per-account IAM policies are not centralized and must be maintained in every account. Option C is wrong because PrivateLink provides private connectivity to services but does not by itself restrict where requests may originate. Option E is wrong because Resource Access Manager restricts which accounts resources are shared with, not the network location of requests.

324
MCQmedium

A multinational corporation is deploying a multi-account AWS environment using AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with a specific AWS KMS key managed by the security account. Which solution should the company implement to enforce this policy across the organization?

A.Create IAM policies in each account to enforce encryption
B.Attach a service control policy (SCP) to the root that denies S3 actions unless encryption conditions are met
C.Use AWS Config rules with auto-remediation in each account
D.Deploy a CloudFormation StackSet that creates S3 buckets with encryption
AnswerB

SCPs can centrally deny operations that do not meet encryption requirements across all accounts in the organization.

Why this answer

Option B is correct because SCPs can be used to deny S3 bucket creation or modification if encryption is not set to the required KMS key, and an SCP attached to the root applies to every account in the organization. Option A is wrong because IAM policies in individual accounts cannot be enforced centrally across accounts. Option C is wrong because AWS Config rules can detect non-compliance but cannot prevent it.

Option D is wrong because CloudFormation StackSets can deploy new resources but cannot enforce encryption on existing buckets.

325
MCQeasy

A company has multiple AWS accounts and wants to centrally manage CloudWatch dashboards. Which solution should they use?

A.Use CloudWatch cross-account dashboards with a monitoring account.
B.Use AWS Config aggregator to view resources.
C.Use Amazon QuickSight with data sources from each account.
D.Use AWS CloudFormation StackSets to deploy dashboards in each account.
AnswerA

Native cross-account dashboard feature.

Why this answer

CloudWatch cross-account dashboards allow you to create a single dashboard in a central monitoring account that displays metrics from multiple source accounts. This is the native AWS solution for centralized observability, requiring no additional data movement or custom code. The monitoring account uses the CloudWatch cross-account functionality to query metrics across accounts via IAM roles and the CloudWatch API.

Exam trap

The trap here is that candidates confuse AWS Config aggregator (which aggregates configuration data) with CloudWatch cross-account dashboards (which aggregate metric data), or assume CloudFormation StackSets provide a central view when they only replicate resources per account.

How to eliminate wrong answers

Option B is wrong because AWS Config aggregator is designed to aggregate resource configuration and compliance data, not CloudWatch metrics or dashboards; it cannot display time-series metric graphs. Option C is wrong because Amazon QuickSight is a business intelligence service for interactive dashboards and analytics, not a native CloudWatch dashboard viewer; it would require custom data pipelines to extract CloudWatch metrics into SPICE or S3, adding unnecessary complexity. Option D is wrong because AWS CloudFormation StackSets can deploy dashboard definitions across accounts, but each dashboard remains isolated in its own account; there is no central view or cross-account query capability, defeating the purpose of centralized management.

326
MCQmedium

A company is using AWS Organizations with a hierarchical OU structure. The security team wants to enforce that any new account created in the organization automatically inherits a baseline set of AWS Config rules and a VPC with a default CIDR block. What is the MOST efficient way to achieve this?

A.Use AWS CloudFormation StackSets with a stack that creates the VPC and Config rules, and trigger it via an SCP.
B.Create an SCP that denies creation of resources unless they comply with the baseline.
C.Enable AWS Control Tower and configure Account Factory to provision accounts with a baseline blueprint containing the VPC and Config rules.
D.Use AWS Config conformance packs with YAML templates deployed to all accounts via an SCP.
AnswerC

Control Tower automates account provisioning with pre-defined guardrails and blueprints.

Why this answer

Option C is correct because AWS Control Tower provides Account Factory and guardrails that automatically apply baselines to new accounts. Option A (CloudFormation StackSets) requires custom orchestration and is less integrated; an SCP cannot trigger a StackSet deployment. Option B (SCPs) can only deny actions, not create resources.

Option D (AWS Config conformance packs) can deploy rules but cannot create VPCs.

327
Multi-Selectmedium

A company uses AWS Organizations with a large number of accounts. The security team needs to enforce that only approved AMIs from a central account can be used to launch EC2 instances in all accounts. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Share the approved AMIs from the central account with all other accounts.
B.Use AWS CloudFormation Guard to validate templates before deployment.
C.Apply an SCP that denies ec2:RunInstances with a condition that the image owner is not the central account.
D.Use AWS Service Catalog to create a product for approved AMIs.
AnswersA, C

Necessary so that accounts can launch from those AMIs.

Why this answer

Option A is correct because sharing AMIs from a central account with all other accounts allows those accounts to launch EC2 instances using the approved AMIs. Option C is correct because applying a service control policy (SCP) that denies ec2:RunInstances with a condition that the image owner is not the central account enforces that only AMIs owned by the central account can be used, preventing the use of unapproved AMIs from other sources.

Exam trap

The trap here is that candidates often think AWS Service Catalog or CloudFormation Guard can enforce organization-wide AMI restrictions, but they lack the ability to block direct API calls across all accounts without an SCP.

328
MCQeasy

A company wants to implement a centralized logging solution for its multi-account AWS environment. The solution must be resilient to AWS Regional failures and provide near real-time log delivery. Which combination of services should the company use?

A.S3 buckets in each account with cross-region replication enabled to a central bucket.
B.Lambda functions in each account that read CloudWatch Logs and write to a central S3 bucket.
C.Amazon CloudWatch Logs subscription filters in each account that stream log data to a Kinesis Data Stream in the central logging account, then use Kinesis Data Firehose to write to S3.
D.Amazon Kinesis Data Firehose delivery streams in each account sending logs to a centralized S3 bucket.
AnswerC

This provides near real-time streaming and cross-account aggregation.

Why this answer

Option C is correct because CloudWatch Logs subscription filters can stream to a cross-account Kinesis Data Stream in the logging account, which can then be processed by Kinesis Data Firehose and stored in S3. Option A uses S3 replication, which is not near real-time; Option B uses Lambda, which is more complex and less resilient; Option D requires a delivery stream in every account, which is not a centralized aggregation design.

329
MCQhard

A company uses AWS Organizations with a single OU for all member accounts. The company wants to restrict the use of specific Amazon EC2 instance types across all member accounts. However, the management account should not be restricted. Which solution meets this requirement?

A.Use AWS CloudTrail to monitor and alert when restricted instance types are launched.
B.Attach an SCP that denies the restricted instance types to the OU.
C.Create an IAM policy in the management account that denies the restricted instance types, and attach it to all member account users.
D.Attach an SCP to the root of the organization and exclude the management account.
AnswerB

SCPs attached to the OU apply to all member accounts but not to the management account.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts in an OU. By attaching an SCP that denies specific EC2 instance types to the OU, you restrict all member accounts while the management account is not affected by SCPs. This meets the requirement without impacting the management account.

Exam trap

The trap here is that candidates often think SCPs apply to all accounts including the management account, but in reality, the management account is never affected by SCPs, so attaching an SCP to the OU correctly restricts only member accounts.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail only provides auditing and alerting, not preventive enforcement; it cannot block the launch of restricted instance types. Option C is wrong because IAM policies attached in the management account do not propagate to member accounts; each member account has its own IAM namespace and would require separate policy attachments. Option D is wrong because SCPs attached to the root of the organization apply to all accounts, including the management account, unless explicitly excluded; however, SCPs cannot be applied to the management account at all, so excluding it is unnecessary and the statement is technically incorrect.

330
Multi-Selectmedium

A company is using AWS Organizations with multiple OUs. The security team wants to ensure that no account can delete CloudTrail trails or S3 bucket policies. Which THREE SCP strategies should be combined?

Select 3 answers
A.Use IAM policies with conditions to restrict deletion to certain IP addresses.
B.Attach an SCP to the root that explicitly denies cloudtrail:DeleteTrail and s3:PutBucketPolicy.
C.Attach an SCP to the root that allows all actions, and rely on IAM policies in each account.
D.Ensure that the SCPs are evaluated in the correct order, with deny statements taking precedence.
E.Attach an SCP that denies all actions except those necessary for CloudTrail and S3 operations.
AnswersB, D, E

Explicit denial overrides any allow.

Why this answer

Option B is correct because explicitly denying the specific actions is straightforward. Option E is correct because a deny-all SCP with allows for the necessary CloudTrail and S3 actions would also work, but careful ordering is needed. Option D is correct because SCPs are evaluated in order, and a deny always overrides an allow.

Option C is wrong because an allow-all SCP that relies on per-account IAM policies cannot prevent deletion by a user who has full admin rights in that account; SCPs only limit what a user could otherwise be granted. Option A is wrong because IAM policies are not SCPs.

331
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user in the management account of AWS Organizations. The user wants to assume the OrganizationAccountAccessRole in a member account. However, the user receives an access denied error. What is the most likely reason?

A.The trust policy of the OrganizationAccountAccessRole in the member account does not grant access to the management account.
B.The IAM role does not exist in the same region as the user.
C.An SCP in the member account denies the sts:AssumeRole action.
D.The policy does not specify the exact member account ARN.
AnswerA

The role must trust the management account to allow AssumeRole.

Why this answer

Option A is correct because the user must have permission from the management account to assume the role, and the role itself must trust the management account. The policy shown is correct, but the role in the member account must have a trust policy that allows the management account to assume it. Option C is wrong because although an SCP can deny sts:AssumeRole, that is not the primary issue here.

Option B is wrong because IAM roles are not regional. Option D is wrong because the policy already allows all accounts.

332
MCQeasy

A company needs to share a central Amazon S3 bucket containing common data files with multiple accounts in AWS Organizations. Which approach is most secure and scalable?

A.Make the bucket public with read-only access.
B.Generate presigned URLs for each account to access the bucket.
C.Create IAM roles in each account with permissions to assume a role in the central account.
D.Use an S3 bucket policy that grants access to the organization using aws:PrincipalOrgID condition key.
AnswerD

Condition key ensures only accounts in the organization can access.

Why this answer

Option D is correct because S3 bucket policies with the aws:PrincipalOrgID condition key allow secure cross-account access limited to the organization. Option B is wrong because presigned URLs expire and require ongoing management. Option C is wrong because IAM roles require users to switch roles.

Option A is wrong because making the bucket public is insecure.

333
MCQmedium

A company has a centralized logging account and multiple member accounts. The security team wants to enable VPC Flow Logs for all VPCs across all accounts and centralize the logs in the logging account. The solution must be automated and ensure that new VPCs are automatically included. Which approach should be taken?

A.Use AWS CloudTrail to monitor VPC creation and invoke an AWS Lambda function to enable Flow Logs.
B.Use Amazon EventBridge to capture VPC creation events and trigger an AWS Lambda function to enable Flow Logs.
C.Use an AWS Config rule to detect VPCs without Flow Logs and trigger an AWS Systems Manager Automation runbook to enable them, publishing to a centralized Amazon S3 bucket.
D.Use AWS Trusted Advisor to check VPC Flow Logs configuration and send alerts to an Amazon SNS topic.
AnswerC

This automates detection and remediation.

Why this answer

Option C is correct because AWS Config can continuously evaluate all VPCs against a custom rule that checks for the presence of VPC Flow Logs. When a non-compliant VPC is detected (including newly created ones), Config can trigger an AWS Systems Manager Automation runbook that enables Flow Logs and publishes them to a centralized Amazon S3 bucket in the logging account. This approach is fully automated, covers existing and new VPCs, and centralizes logs without requiring event-driven triggers that might miss resources created before the rule was deployed.

Exam trap

The trap here is that candidates often choose EventBridge (Option B) because it seems like the most direct way to react to VPC creation, but they overlook the requirement to also handle existing VPCs and the need for continuous compliance monitoring, which AWS Config provides out of the box.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is designed to record API activity, not to monitor resource state or trigger remediation; using CloudTrail to invoke Lambda for VPC creation would require additional custom event processing and does not handle existing VPCs or VPCs created outside of CloudTrail’s scope. Option B is wrong because Amazon EventBridge captures real-time events like CreateVpc, but it only reacts to future VPC creation events and does not remediate VPCs that already exist without Flow Logs, nor does it provide ongoing compliance checks. Option D is wrong because AWS Trusted Advisor only checks for best practices on a limited set of resources and does not support automated remediation; it can send alerts via SNS but cannot enable Flow Logs or centralize logs, and it does not cover all VPCs in all accounts automatically.

334
MCQhard

Refer to the exhibit. A security engineer applied this bucket policy to an S3 bucket. A developer tries to upload an object using the AWS CLI without specifying any encryption. What is the outcome?

A.The upload succeeds because the policy only denies if encryption is not KMS.
B.The upload fails because the bucket policy is malformed and rejects all requests.
C.The upload fails because the policy denies PutObject when encryption is not KMS with the specific key.
D.The upload succeeds because the developer is using the AWS CLI with default encryption settings.
AnswerC

Both statements deny the upload if the encryption does not match the required key. Without encryption, the condition is true, so the upload is denied.

Why this answer

The bucket policy includes a Deny statement that explicitly denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms and the x-amz-server-side-encryption-aws-kms-key-id header matching the specific KMS key ARN. Since the developer does not specify any encryption, the Deny's condition is satisfied, the Deny statement applies, and the upload fails.

Exam trap

The trap here is that candidates often assume a Deny statement blocks every request regardless of its condition, overlooking that the Deny applies only when its condition matches; in this case it does match, because the request lacks the required encryption headers, so the Deny is triggered.

How to eliminate wrong answers

Option A is wrong because the policy denies PutObject whenever the required KMS encryption is absent, not only when a non-KMS encryption type is specified; the condition also requires a specific key ID, so any upload without the correct encryption headers is denied. Option B is wrong because the bucket policy is syntactically valid (it has proper Sid, Effect, Principal, Action, Resource, and Condition blocks) and is not malformed. Option D is wrong because the AWS CLI does not automatically apply KMS encryption with a specific key ID by default; without explicit encryption parameters, the request lacks the required headers and is denied by the policy.

335
MCQhard

A company has a multi-account AWS environment with a centralized logging account. The security team wants to ensure that all VPC Flow Logs from all accounts are delivered to a central Amazon S3 bucket in the logging account. The logs must be encrypted at rest using AWS KMS. The company currently uses AWS Organizations. Which solution meets these requirements with the least operational overhead?

A.Create a bucket in the logging account with default S3-managed encryption and enable VPC Flow Logs in each account to publish to that bucket.
B.Create a bucket in the logging account with a KMS key. Grant the necessary permissions to the VPC Flow Logs service in each account to write to that bucket using the KMS key. Enable VPC Flow Logs in each account to publish to the central bucket.
C.Create a bucket in each account with KMS encryption and use S3 Cross-Region Replication to copy logs to the central bucket.
D.Use Amazon Kinesis Data Firehose in each account to stream logs to a central S3 bucket with KMS encryption.
AnswerB

Direct delivery to central bucket with KMS encryption.

Why this answer

Option B is correct because it uses a central S3 bucket in the logging account with a customer-managed KMS key, which satisfies the encryption-at-rest requirement. By granting the VPC Flow Logs service principal in each account the necessary permissions to write to the central bucket and use the KMS key, logs are delivered directly without additional infrastructure. This approach minimizes operational overhead by avoiding replication, streaming services, or per-account bucket management.

Exam trap

The trap here is that candidates may overlook the KMS encryption requirement and choose Option A with SSE-S3, or assume that cross-account delivery requires complex replication or streaming services, when in fact VPC Flow Logs support direct cross-account S3 delivery with proper bucket and KMS key policies.

How to eliminate wrong answers

Option A is wrong because S3-managed encryption (SSE-S3) does not use AWS KMS, failing the explicit requirement for KMS encryption. Option C is wrong because it requires creating a bucket in each account and using S3 Cross-Region Replication, which adds complexity, cost, and potential replication delays, increasing operational overhead. Option D is wrong because it introduces Amazon Kinesis Data Firehose in each account, which adds unnecessary infrastructure and cost compared to direct VPC Flow Logs delivery to S3.

336
MCQmedium

A company uses AWS Organizations with multiple OUs. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID from a central list. The list changes frequently. What is the MOST scalable way to enforce this?

A.Use AWS CloudFormation StackSets to deploy AMI approval rules via EC2 launch templates.
B.Use an SCP that denies ec2:RunInstances unless the AMI has a specific tag (e.g., "Approved":"true"). Central team tags approved AMIs.
C.Use AWS Config with a custom rule that triggers a Lambda function to terminate non-compliant instances.
D.Create an IAM policy condition that only allows ec2:RunInstances if the AMI ID matches a list in the condition.
AnswerB

SCPs can enforce tagging conditions centrally, and tags are easy to manage.

Why this answer

Option B is correct because SCPs can conditionally deny actions based on tags, and the central team can mark approved AMIs with a tag. Option C (Config rule + Lambda) can only remediate after launch. Option D (IAM condition) requires updating policies in every account whenever the list changes.

Option A (CloudFormation launch templates) is not real-time and cannot prevent manual launches.

337
MCQhard

A company uses AWS Organizations with 50 accounts. The network team wants to centrally manage VPC flow logs for all accounts, storing them in a central S3 bucket in the security account. The flow logs must be encrypted with a KMS key managed by the security account. What is the MOST efficient way to configure this?

A.Manually create VPC flow logs in each account and point to the central S3 bucket
B.Use AWS CloudFormation StackSets to deploy a stack that creates VPC flow logs with the required configuration in all accounts
C.Use AWS Config rules to enforce flow log creation across accounts
D.Use AWS Systems Manager Automation to create flow logs in each account
AnswerB

StackSets can deploy the same template across multiple accounts and regions, ensuring consistent configuration.

Why this answer

Option B is correct because CloudFormation StackSets can deploy the required flow log resources across all accounts efficiently. Option A is wrong because manually configuring each account is not efficient. Option C is wrong because AWS Config can detect missing flow logs but cannot deploy them.

Option D is wrong because SSM Automation documents are run per account and require additional setup.

338
MCQeasy

A company has a central IT team that manages multiple AWS accounts. The team wants to allow developers to create resources in their own accounts but wants to restrict the use of certain expensive services like Amazon Redshift. The developers should not be able to launch Redshift clusters in any account. What is the MOST efficient way to achieve this?

A.Apply an SCP that denies redshift:CreateCluster to the organizational unit containing the developer accounts.
B.Use AWS CloudTrail to monitor cluster creation and alert the security team.
C.Create an IAM policy that denies redshift:CreateCluster and attach it to the developers' IAM groups in each account.
D.Use AWS Config rules to detect Redshift cluster creation and automatically delete them.
AnswerA

SCPs provide centralized control across accounts.

Why this answer

Option A is correct because SCPs can deny the redshift:CreateCluster action across all accounts in the organizational unit. Option C is wrong because IAM policies in each account require manual setup. Option D is wrong because AWS Config cannot deny actions.

Option B is wrong because CloudTrail does not prevent actions.

339
MCQhard

A global company uses AWS Organizations with hundreds of accounts. The security team requires that all S3 buckets across the organization block public access. They want to enforce this policy without modifying existing bucket policies. Which solution should they use?

A.Use AWS CloudTrail to monitor for public bucket creation and alert the security team.
B.Create a service control policy (SCP) that denies s3:PutBucketPolicy for any bucket that allows public access.
C.Use AWS Config rules to detect public buckets and auto-remediate with a Lambda function.
D.Create an SCP that denies s3:PutAccountPublicAccessBlock and s3:DeleteAccountPublicAccessBlock, and enable S3 Block Public Access at the account level via a custom resource in each account.
AnswerD

This enforces that account-level block public access settings cannot be changed, effectively blocking all public access.

Why this answer

Option D is correct because S3 Block Public Access settings at the account level override bucket-level policies and can be enforced organization-wide via a service control policy (SCP) that denies the ability to disable or delete those settings. By using a custom resource (e.g., AWS CloudFormation) to enable S3 Block Public Access at the account level in each account, and an SCP to prevent any account from modifying those settings, the security team ensures all buckets in the organization block public access without needing to modify existing bucket policies.

Exam trap

The trap here is that candidates often confuse reactive detection (AWS Config) or partial policy restrictions (denying s3:PutBucketPolicy) with the comprehensive, preventive account-level block that SCPs can enforce, missing that S3 Block Public Access at the account level is the only way to block all public access without touching existing bucket policies.

How to eliminate wrong answers

Option A is wrong because CloudTrail only provides logging and alerting; it does not enforce or prevent public access, so it fails to meet the requirement to block public access without modifying bucket policies. Option B is wrong because denying s3:PutBucketPolicy does not block public access via bucket ACLs or object-level permissions; it only prevents policy changes, leaving other public access vectors open. Option C is wrong because AWS Config rules with auto-remediation via Lambda can detect and fix public buckets, but this is a reactive approach that may have a delay and does not proactively block public access at the account level as required.

340
MCQeasy

A company uses AWS Organizations with multiple OUs. The security team wants to enforce that no resources can be created outside of approved AWS Regions. Which policy should be used, and how should it be attached?

A.Create a resource-based policy on each resource type that denies creation in unapproved Regions.
B.Create a service control policy (SCP) that denies actions in unapproved Regions. Attach it to the root or OUs.
C.Create an IAM policy that denies actions in unapproved Regions. Attach it to all IAM users and roles.
D.Enable AWS CloudTrail to log resource creation and set up a CloudWatch alarm to notify if resources are created in unapproved Regions.
AnswerB

SCPs provide centralized control over maximum permissions for accounts in an organization.

Why this answer

Option B is correct because SCPs can be attached to the root or OUs to deny actions in unapproved Regions. Option C is wrong because IAM policies can be attached to users and roles but not to OUs. Option A is wrong because resource-based policies are attached to individual resources.

Option D is wrong because CloudTrail trails only log events; they do not enforce policies.

341
Multi-Selecteasy

A global e-commerce company is migrating its on-premises application to AWS. The application uses Active Directory for authentication and requires integration with AWS Managed Microsoft AD. The company has a multi-account strategy using AWS Organizations. Which TWO steps should the solutions architect take to ensure seamless authentication across the organization?

Select 2 answers
A.Configure an IAM identity provider to use the on-premises Active Directory.
B.Establish a two-way forest trust between the on-premises Active Directory and AWS Managed Microsoft AD.
C.Store AD credentials in AWS Systems Manager Parameter Store and retrieve them at runtime.
D.Use AWS Resource Access Manager to share the AWS Managed Microsoft AD directory with other accounts in the organization.
E.Deploy AWS Managed Microsoft AD in each account and configure replication.
AnswersB, D

This enables users to authenticate with their existing credentials.

Why this answer

Option B is correct because establishing a two-way forest trust between on-premises Active Directory and AWS Managed Microsoft AD allows users authenticated by the on-premises AD to access resources in the AWS cloud without needing separate credentials. This trust enables Kerberos and NTLM authentication to flow seamlessly between the two forests, supporting the company's requirement for integration with AWS Managed Microsoft AD.

Exam trap

The trap here is that candidates often confuse IAM identity providers (Option A) with Active Directory trust relationships, or they incorrectly assume that storing credentials in Parameter Store (Option C) is a valid authentication strategy for directory integration, when in fact the correct approach is to establish a forest trust and share the directory via RAM.

342
Multi-Selectmedium

A company is designing a multi-account strategy for its AWS environment. Which TWO considerations are important when using AWS Organizations?

Select 2 answers
A.Service control policies (SCPs) apply to all accounts in the organization, including the management account.
B.AWS CloudTrail can be enabled for all accounts from the management account using an organization trail.
C.Each account in an organization must have its own payment method.
D.Consolidated billing allows you to combine usage and receive volume discounts.
E.AWS Config rules cannot be applied across accounts via AWS Organizations.
AnswersB, D

An organization trail automatically logs events for all accounts.

Why this answer

Option B is correct because AWS Organizations allows you to create an organization trail in CloudTrail that logs events for all accounts within the organization from the management account. This simplifies audit and compliance by centralizing log collection without needing to configure trails individually in each member account.

Exam trap

The trap here is that candidates often assume SCPs apply to all accounts including the management account, but AWS explicitly excludes the management account from SCP effects to prevent accidental lockout of administrative access.

343
Multi-Selecthard

A company uses AWS Organizations with a multi-account setup. The security team needs to ensure that all users in all accounts use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should be taken to enforce this?

Select 3 answers
A.Enable CloudTrail to log all console logins and alert if MFA is not used.
B.Use AWS IAM Identity Center (SSO) with MFA enforcement for all accounts.
C.Use AWS Config rules to detect IAM users without MFA and automatically remediate by sending notifications.
D.Use a service control policy (SCP) to require MFA on all IAM users.
E.Create an IAM policy that requires MFA for ConsoleLogin and attach it to all IAM users in each account.
AnswersB, C, E

IAM Identity Center can enforce MFA centrally for all accounts.

Why this answer

Option B is correct because AWS IAM Identity Center (SSO) allows you to centrally manage user access and enforce MFA at the identity provider level. By configuring MFA enforcement in IAM Identity Center, all users federating into any account in the organization are required to present a valid MFA token before accessing the AWS Management Console, ensuring consistent enforcement across the multi-account setup.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can enforce MFA enrollment, when in fact SCPs only deny actions based on the presence of MFA and cannot force users to configure or use MFA at login.

344
MCQeasy

A security engineer attaches this SCP to the root organizational unit. What is the result?

A.All actions are allowed only if MFA is not used.
B.Only the root user is required to use MFA.
C.All IAM users and roles must use MFA for any AWS API call.
D.All IAM users must use MFA to access the console, but API calls are not affected.
AnswerC

The SCP denies all actions if MFA is not present.

Why this answer

Option C is correct because the SCP denies all actions if MFA is not present. This effectively requires MFA for every API call, including console login and CLI use. Option A is wrong because the SCP denies, not allows.

Option B is wrong because the SCP does not require MFA for the root user only; it affects all principals (and the root user is not affected by SCPs). Option D is wrong because the SCP applies to all principals and all API calls, not just IAM users at the console.

345
MCQhard

A large financial services company uses AWS Organizations with over 200 accounts. The security team has implemented a Service Control Policy (SCP) that denies access to all services except a whitelist that includes Amazon S3, Amazon DynamoDB, AWS Lambda, and Amazon CloudWatch. Recently, the DevOps team reported that they cannot create new EC2 instances in their development account, even though the administrator explicitly attached an IAM policy allowing ec2:RunInstances. The SCP does not explicitly deny EC2. What is the most likely cause of this issue?

A.The IAM role used by the DevOps team has a trust policy that does not allow EC2 actions
B.The EC2 service has been disabled via AWS Config in that account
C.The development account is in an organizational unit (OU) with a different SCP that denies EC2
D.The SCP denies all services not explicitly allowed, and EC2 is not on the whitelist
AnswerD

SCPs that use an allow list deny all services not explicitly listed.

Why this answer

The SCP uses a deny-all approach with a whitelist of allowed services. Since EC2 is not on that whitelist, the SCP implicitly denies all EC2 actions, overriding any IAM policy that explicitly allows ec2:RunInstances. SCPs act as a guardrail that cannot be bypassed by account-level IAM policies.

Exam trap

The trap here is that candidates may think an explicit IAM allow can override an SCP, but SCPs set the maximum permissions boundary, so any action not explicitly allowed by the SCP is implicitly denied.

How to eliminate wrong answers

Option A is wrong because a trust policy controls which principals can assume a role, not the actions the role can perform; the issue is about authorization, not trust. Option B is wrong because AWS Config is a compliance and monitoring service, not a service control mechanism that can disable EC2; it cannot prevent API calls. Option C is wrong because the question states the SCP does not explicitly deny EC2, and the SCP described is the only one mentioned; while an OU-level SCP could cause this, the most direct and likely cause given the whitelist design is that EC2 is simply not allowed.

346
MCQmedium

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket is used to store sensitive logs from multiple accounts in an AWS Organization. What is the primary purpose of the condition element in this policy?

A.To ensure that only requests originating from accounts within the specified organization are allowed.
B.To restrict access to only the root user of the management account.
C.To enforce that all requests are made using HTTPS.
D.To allow access only from specific IP addresses within the organization.
AnswerA

The aws:PrincipalOrgID condition checks the organization ID.

Why this answer

The condition element in this S3 bucket policy uses the `aws:PrincipalOrgID` condition key to restrict access to principals (users or roles) that belong to accounts within the specified AWS Organization. This ensures that only requests from accounts that are members of the organization are allowed, even if the IAM principal has explicit permissions. This is the primary purpose of the condition, as it enforces organizational boundaries for cross-account access to sensitive logs.

Exam trap

The trap here is that candidates may confuse `aws:PrincipalOrgID` with other condition keys like `aws:SourceIp` or `aws:SecureTransport`, or assume it restricts to the management account root user, when in fact it validates organization membership for any principal in the organization.

How to eliminate wrong answers

Option B is wrong because the condition does not reference the root user of the management account; it uses `aws:PrincipalOrgID` which applies to all principals in the organization, not just the root user. Option C is wrong because enforcing HTTPS is done using the `aws:SecureTransport` condition key, not `aws:PrincipalOrgID`. Option D is wrong because restricting access to specific IP addresses is achieved with the `aws:SourceIp` condition key, not `aws:PrincipalOrgID`.

347
MCQmedium

A multinational company wants to implement a multi-account AWS environment using AWS Organizations. The security team requires that all new accounts automatically have AWS CloudTrail and AWS Config enabled with specific rules. Which solution should the company use to enforce these settings across all accounts?

A.Use AWS Organizations Service Control Policies (SCPs) to deny actions that disable CloudTrail and AWS Config.
B.Use AWS CloudFormation StackSets to deploy CloudTrail and AWS Config in each account.
C.Use IAM permissions boundaries to restrict what users can do in each account.
D.Use AWS Config conformance packs to deploy rules across accounts.
AnswerA

SCPs can enforce required services by denying disabling actions.

Why this answer

Option A is correct because Service Control Policies (SCPs) can be used to enforce that CloudTrail and Config remain enabled and cannot be disabled by member accounts. Option B is wrong because CloudFormation StackSets require manual deployment to each account. Option D is wrong because AWS Config rules alone cannot enforce CloudTrail.

Option C is wrong because IAM permissions boundaries do not enforce service enablement.

348
MCQeasy

A company uses AWS Organizations with multiple OUs. The DevOps team needs to allow developers to launch EC2 instances only of type t3.micro in the dev OU. Which action should the team take?

A.Create an IAM role with a policy that allows only t3.micro, and attach it to users in the dev OU.
B.Use AWS CloudFormation templates that specify t3.micro.
C.Apply a Service Control Policy (SCP) to the dev OU that denies ec2:RunInstances with instance type not equal to t3.micro.
D.Use AWS Config rules to terminate non-compliant instances.
AnswerC

SCPs prevent non-compliant actions at the OU level.

Why this answer

Option C is correct because a Service Control Policy (SCP) applied to the dev OU can centrally restrict which EC2 instance types can be launched by all accounts within that OU. The SCP uses a Deny effect with a condition key ec2:InstanceType not equal to t3.micro, which prevents any IAM principal in the OU from launching non-compliant instances, regardless of their IAM permissions. This is the most effective way to enforce a hard boundary at the organization level.

Exam trap

The trap here is that candidates often choose AWS Config rules (Option D) thinking they can prevent launches, but Config is detective, not preventive; SCPs are the correct preventive control at the organization level.

How to eliminate wrong answers

Option A is wrong because an IAM role attached to users does not apply to all principals in the OU; users could still launch instances via other roles or services, and the role does not enforce the restriction across all accounts in the OU. Option B is wrong because CloudFormation templates are not an enforcement mechanism; developers could bypass the template and launch instances manually via the console or CLI. Option D is wrong because AWS Config rules only detect and report non-compliance after the instance is launched; they do not prevent the launch, and terminating instances after creation is reactive and can incur costs and operational overhead.

349
MCQhard

A company plans to migrate on-premises workloads to AWS. They have 500 VMs and need to ensure consistent network segmentation and security group rules across multiple VPCs in different AWS accounts. The network team uses a centralized hub-and-spoke model with AWS Transit Gateway. Which approach minimizes operational overhead while maintaining security compliance?

A.Use AWS Config rules to detect non-compliant security groups and send alerts.
B.Create a Python script that uses AWS SDK to apply security group rules to each VPC and run it periodically.
C.Use AWS Firewall Manager to centrally define and apply security group policies across accounts.
D.Use network ACLs instead of security groups to enforce segmentation.
AnswerC

Firewall Manager automates policy enforcement across all accounts.

Why this answer

Option C is correct because AWS Firewall Manager allows centralized management of security group rules across accounts and VPCs. Option B is wrong because manual scripting is error-prone. Option A is wrong because AWS Config does not enforce rules; it only detects drift.

Option D is wrong because network ACLs are stateless and not as granular as security groups.

350
MCQhard

A global company has a multi-region AWS deployment. They need to share a single Amazon RDS for MySQL database across multiple AWS Regions for disaster recovery. The database must have minimal data loss and RTO of less than 1 minute. Which solution meets these requirements?

A.Use cross-Region Read Replicas with automatic failover.
B.Use Amazon Aurora Global Database with MySQL compatibility.
C.Use a Multi-AZ RDS instance with a standby in another Region.
D.Use AWS Database Migration Service for continuous replication.
AnswerB

Aurora Global Database provides low-latency replication and fast failover across Regions.

Why this answer

Option B is correct because Amazon RDS for MySQL does not support cross-Region synchronous replication; the best option is Amazon Aurora Global Database with MySQL compatibility, which provides fast replication and failover. Option A is wrong because cross-Region Read Replicas are asynchronous and may lose data. Option C is wrong because Multi-AZ is single-Region.

Option D is wrong because Database Migration Service is for migration, not continuous replication with a low RTO.

351
Multi-Selectmedium

A company uses AWS Organizations with 100 accounts. They want to restrict which AWS services can be used in the development OU. Which TWO steps should they take?

Select 2 answers
A.Use AWS CloudFormation StackSets to enforce service usage.
B.Use an SCP with an Allow effect for allowed services.
C.Use AWS Config rules to detect disallowed services.
D.Use IAM policies in each account to deny services.
E.Use an SCP with a Deny effect for services not allowed.
AnswersB, E

Explicitly allows only specified services.

Why this answer

Service control policies (SCPs) are the correct mechanism to centrally restrict which AWS services can be used across accounts in an AWS Organization. An SCP with an Allow effect explicitly permits only the specified services, while an SCP with a Deny effect blocks the specified services; both approaches achieve the goal of restricting service usage at the OU level. SCPs apply to all IAM users, roles, and root users in the member accounts, making them the appropriate tool for this requirement.

Exam trap

The trap here is that candidates often choose AWS Config rules (option C) thinking detective controls can prevent actions, but Config is reactive and cannot block service usage; only SCPs or IAM permissions boundaries can proactively restrict services.

352
Multi-Selecthard

A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?

Select 3 answers
A.Route 53 Resolver outbound endpoints in each VPC to forward queries to the central resolver.
B.A Transit Gateway connecting all VPCs.
C.Route 53 private hosted zones associated with the shared services VPC.
D.Route 53 Resolver inbound endpoints in the shared services VPC.
E.VPC peering connections between each VPC and the shared services VPC.
AnswersA, B, C

Allows conditional forwarding.

Why this answer

Options A, B, and C are correct. Option E is wrong because VPC peering is not needed when a Transit Gateway is used. Option D is wrong because Route 53 Resolver inbound endpoints are for hybrid (on-premises) resolution, not inter-VPC resolution.

353
MCQmedium

A company applied the above SCP to an OU. A developer in an account under that OU tries to launch a t2.medium EC2 instance. What will happen?

A.The instance launches only if the developer's IAM policy explicitly allows t2.medium.
B.The instance launch is allowed because there is no explicit Allow statement in the SCP.
C.The instance launches successfully because the SCP does not affect IAM users.
D.The instance launch is denied because the SCP denies all instance types except t2.micro and t2.small.
AnswerD

Correct interpretation of the Deny with condition.

Why this answer

The SCP denies RunInstances if the instance type is not t2.micro or t2.small. Since t2.medium is not in the allowed list, the action is denied. Option A is wrong because an IAM policy does not override the SCP.

Option B is wrong because t2.medium is not allowed. Option C is wrong because the SCP does apply to IAM users.

354
Multi-Selecthard

A company uses AWS Organizations with a central security account. They need to ensure that any S3 bucket created in any account is configured with encryption and versioning enabled. Which THREE steps should they take?

Select 3 answers
A.Create IAM policies in each account that require encryption and versioning for any bucket creation.
B.Use AWS CloudFormation StackSets to deploy a stack in each account that creates a bucket with encryption and versioning, and use SCPs to prevent deletion.
C.Deploy AWS Config rules across all accounts to detect buckets without encryption or versioning and trigger auto-remediation.
D.Apply a service control policy (SCP) that denies s3:CreateBucket unless encryption and versioning are specified.
E.Use AWS CloudTrail to monitor bucket creation and send alerts.
AnswersB, C, D

Ensures a compliant bucket exists.

Why this answer

Option B is correct because AWS CloudFormation StackSets allow you to deploy a standardized stack across multiple accounts in an organization, ensuring that any bucket created by the stack has encryption and versioning enabled. Combining this with a service control policy (SCP) that denies s3:CreateBucket unless encryption and versioning are specified (Option D) provides a preventive guardrail at the organization level. Additionally, deploying AWS Config rules with auto-remediation (Option C) acts as a detective and corrective measure, ensuring compliance even if buckets are created outside the approved stack.

Exam trap

The trap here is that candidates often think IAM policies alone can enforce resource configuration parameters, but IAM only controls permissions, not the actual values passed in the API call, which requires SCPs or service-specific controls.

355
MCQeasy

A company wants to allow developers to manage their own resources in individual AWS accounts while the central IT team manages networking and security. Which AWS service can help enforce that developers cannot modify networking resources?

A.Use AWS Organizations Service Control Policies (SCPs) to deny networking actions for developer accounts.
B.Use IAM roles to grant developers access only to their own resources.
C.Use AWS Config rules to detect changes to networking resources.
D.Use resource tags to identify networking resources and apply IAM conditions.
AnswerA

SCPs can block specific actions across accounts.

Why this answer

Option A is correct because AWS Organizations SCPs can restrict networking actions in specific accounts or OUs. Option B is wrong because IAM roles can be assumed by developers, but they don't prevent developers from using other roles. Option C is wrong because AWS Config is detective, not preventive.

Option D is wrong because resource tags do not prevent actions.

356
MCQeasy

Refer to the exhibit. A solutions architect is reviewing this SCP. What is the effect of this SCP when attached to an organizational unit (OU)?

A.It denies all actions if the request is not made over HTTPS.
B.It denies all actions if the request does not include multi-factor authentication.
C.It denies all actions from IP addresses outside the corporate network.
D.It allows all actions as long as the request is made over HTTPS.
AnswerA

The condition aws:SecureTransport false denies non-HTTPS requests.

Why this answer

This SCP denies all actions if the request is not made over HTTPS, effectively enforcing encrypted transport. Option B is wrong because the SCP does not enforce MFA. Option C is wrong because the condition is aws:SecureTransport, not a source IP restriction.

Option D is wrong because the SCP does not allow all actions; it denies unencrypted requests.
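The SCP evaluation logic behind questions 344, 345, 348, 353 and 356 (deny-with-condition, allow-list implicit deny, MFA guard, HTTPS guard), as an added example that is not part of the question set: a small Python evaluator run over constructed policies. The Sids, the Resource ARNs and the 111122223333 account number are assumptions, and only the condition operators these questions use are modelled.

```python
"""Constructed mini-evaluator for the SCP patterns in this question set (not AWS code):
the instance-type Deny (348/353), the allow-list SCP (345), the MFA guard (344)
and the aws:SecureTransport guard (356)."""
from fnmatch import fnmatchcase

# Constructed policies modelled on the questions; Sid and Resource values are assumptions.
FULL_ACCESS = {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}

INSTANCE_TYPE_SCP = {"Version": "2012-10-17", "Statement": [FULL_ACCESS, {
    "Sid": "DenyNonApprovedInstanceTypes", "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",  # scoped to the instance ARN, see below
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}

ALLOW_LIST_SCP = {"Version": "2012-10-17", "Statement": [{  # no Deny statement at all
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "dynamodb:*", "lambda:*", "cloudwatch:*"]}]}

MFA_SCP = {"Version": "2012-10-17", "Statement": [FULL_ACCESS, {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

HTTPS_SCP = {"Version": "2012-10-17", "Statement": [FULL_ACCESS, {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against request-context keys (subset of IAM operators)."""
    for operator, pairs in condition.items():
        base = operator.replace("IfExists", "")
        for key, expected in pairs.items():
            expected = [str(v).lower() for v in _as_list(expected)]
            if key not in context:
                # A missing key satisfies ...IfExists and negated operators; otherwise it fails.
                if operator.endswith("IfExists") or "Not" in base:
                    continue
                return False
            actual = str(context[key]).lower()
            if base in ("StringEquals", "Bool"):
                if actual not in expected:
                    return False
            elif base == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate_scp(scp, action, resource="*", context=None):
    """Return 'allow' or 'deny' for one request under one SCP.

    An explicit Deny whose condition holds always wins; otherwise the request
    needs a matching Allow, and no matching statement at all is an implicit deny.
    """
    context = context or {}
    allowed = False
    for stmt in scp["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


def effective_decision(scp_decisions, iam_decision):
    """Question 345: an IAM allow is only effective when every SCP in the path also allows."""
    if any(d == "deny" for d in scp_decisions):
        return "deny"
    return iam_decision


if __name__ == "__main__":
    instance_arn = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # constructed
    print(evaluate_scp(INSTANCE_TYPE_SCP, "ec2:RunInstances", instance_arn,
                       {"ec2:InstanceType": "t2.medium"}))   # deny (question 353)
    print(evaluate_scp(ALLOW_LIST_SCP, "ec2:RunInstances"))   # deny: not on the allow list
    print(evaluate_scp(MFA_SCP, "s3:ListBucket"))             # deny: MFA key absent
    print(evaluate_scp(HTTPS_SCP, "s3:GetObject", context={"aws:SecureTransport": False}))  # deny
```

The Resource scoping on the instance-type Deny matters: RunInstances is also evaluated against volume and network-interface ARNs that carry no ec2:InstanceType key, and a negated operator on a missing key holds, so an unscoped `Resource: "*"` would deny every launch.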

357
Multi-Selecthard

A company has a multi-account architecture with a shared services account that hosts a central Amazon RDS instance. Member accounts need to access this database. Which TWO actions should the company take to enable secure access?

Select 2 answers
A.Create a Transit Gateway and attach all VPCs to it, then use route tables to enable connectivity.
B.Use AWS Lambda to proxy database requests from member accounts.
C.Configure the RDS security group to allow inbound traffic from the member account VPC CIDRs.
D.Make the RDS instance publicly accessible and use IAM authentication.
E.Create a VPC peering connection between each member VPC and the shared services VPC.
AnswersA, C

Centralized connectivity for many VPCs.

Why this answer

Options A and C are correct. Option E is wrong because VPC peering is not transitive; a Transit Gateway handles many VPCs. Option B is wrong because a Lambda proxy would bypass security groups.

Option D is wrong because the RDS instance should not be public.

358
Multi-Selecthard

A company wants to use AWS Resource Access Manager (RAM) to share a subnet in a VPC with other accounts in the organization. Which of the following are required? (Choose THREE.)

Select 3 answers
A.The subnet must be created by the owning account.
B.The consumer accounts must accept the resource share invitation.
C.The VPC must be in the same AWS Region as the shared subnet.
D.Each consumer account must create a subnet in the same VPC.
E.Enable VPC sharing in the AWS Organizations console.
AnswersA, B, C

The owner creates the subnet to share.

Why this answer

Options A, B, and C are correct. Option E is wrong because RAM does not require VPC sharing to be enabled. Option D is wrong because the subnet is shared, not created by the consumer.

359
MCQmedium

A company uses AWS Organizations with multiple OUs. The DevOps team wants to allow developers in a specific OU to create and manage their own VPCs but restrict them from deleting VPCs created by the central networking team. How can this be achieved?

A.Use AWS Config rules to automatically recreate any VPC that is deleted.
B.Use a resource-based policy on each centrally created VPC to deny ec2:DeleteVpc to the developers' roles.
C.Create an SCP for the developers' OU that denies ec2:DeleteVpc for all VPCs.
D.Create an IAM policy for developers that denies ec2:DeleteVpc unless the VPC has a specific tag.
AnswerB

Resource-based policies allow fine-grained control per VPC.

Why this answer

Option B is correct because resource-based policies can be attached to VPCs to control deletion. SCPs can also be used but are account-wide. Option C is wrong because an SCP would restrict all accounts.

Option D is wrong because IAM policies cannot restrict by resource tag without a specific condition. Option A is wrong because AWS Config does not prevent deletion.

360
MCQhard

A company uses AWS Organizations with a multi-account setup. The central IT team manages a shared services VPC in the network account, which hosts a NAT gateway, a VPN connection to the on-premises network, and a transit gateway. Several application accounts have VPCs attached to the transit gateway. Recently, the application teams report that they cannot reach the on-premises network through the VPN. The network team confirms that the VPN is up and routes are propagated in the transit gateway route tables. However, the application VPCs are not receiving the routes. What is the MOST likely cause?

A.The application VPCs have route tables that override the transit gateway routes with local routes.
B.The VPN connection is not configured to advertise the on-premises CIDR to the transit gateway.
C.The application VPCs have security groups that block traffic to the on-premises network.
D.The transit gateway route tables are not associated with the application VPC attachments.
AnswerD

For routes to be effective, the transit gateway route table that contains the VPN routes must be associated with the VPC attachments; otherwise, they won't receive the routes.

Why this answer

The most likely cause is that the transit gateway route tables are not associated with the application VPC attachments. Even if the VPN routes are propagated into the transit gateway route tables, the application VPCs will not receive those routes unless their VPC attachments are explicitly associated with the correct transit gateway route table. Without this association, the transit gateway does not propagate routes to the attached VPCs, leaving them unable to reach the on-premises network.

Exam trap

The trap here is confusing route propagation with route table association — candidates often assume that if routes are propagated into the transit gateway route table, all attached VPCs automatically receive them, but AWS requires an explicit association between the VPC attachment and the route table for route distribution.

How to eliminate wrong answers

Option A is wrong because local routes in VPC route tables have a higher priority than transit gateway routes by default, but the question states the application VPCs are not receiving the routes at all, not that they are being overridden. Option B is wrong because the network team confirmed that routes are propagated in the transit gateway route tables, meaning the VPN is correctly advertising the on-premises CIDR to the transit gateway. Option C is wrong because security groups operate at the instance level, not at the VPC routing level, and the issue is about route propagation, not traffic filtering.

361
MCQeasy

A company uses AWS Organizations and wants to delegate administrative tasks for specific AWS services to a member account. Which AWS feature should be used?

A.AWS Control Tower
B.Delegated administrator for AWS services
C.Cross-account IAM roles
D.AWS CloudTrail organization trail
AnswerB

This allows a member account to administer services like GuardDuty, Macie, etc., across the organization.

Why this answer

Delegated administrator for AWS services allows you to designate a member account in AWS Organizations to perform administrative tasks for specific AWS services, such as AWS IAM Access Analyzer or AWS Security Hub, without granting full organization management access. This feature centralizes control while distributing operational responsibilities, making it the correct choice for delegating administrative tasks for specific services.

Exam trap

The trap here is that candidates often confuse the broad, role-based access of cross-account IAM roles (Option C) with the specific, service-level delegation model of delegated administrators, leading them to overlook the AWS Organizations-native feature designed for this exact purpose.

How to eliminate wrong answers

Option A is wrong because AWS Control Tower is a service for setting up and governing a multi-account environment using pre-built blueprints and guardrails, not for delegating administrative tasks for specific AWS services to a member account. Option C is wrong because cross-account IAM roles provide broad, role-based access to resources in another account but are not designed for the specific, service-level delegation model that AWS Organizations supports for delegated administrators. Option D is wrong because AWS CloudTrail organization trail logs API activity across all accounts in the organization for auditing, not for delegating administrative tasks for specific services.

362
MCQmedium

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by project, but projects span multiple accounts. Which approach should be used to tag resources consistently across accounts?

A.Define cost allocation tags in the management account and activate them for all accounts.
B.Use AWS Config rules to automatically tag resources after creation.
C.Use an SCP that denies resource creation if the required tags are not present.
D.Use tag policies in AWS Organizations to enforce required tags on resources.
AnswerD

Tag policies can enforce tagging across all accounts.

Why this answer

Option D is correct because AWS Organizations provides tag policies that can enforce required tags across all accounts in the organization. Option A is wrong because cost allocation tags must be activated in each account and do not enforce tagging. Option C is wrong because SCPs cannot enforce tagging.

Option B is wrong because AWS Config can detect untagged resources but does not enforce tagging at creation.

363
MCQhard

A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?

A.The SCP is overridden by a service control policy that allows the action.
B.The SCP does not have an explicit deny; it uses a default deny.
C.SCPs cannot evaluate the current state of a resource; they can only deny actions based on request parameters.
D.The SCP is not applied to the root organizational unit.
AnswerC

SCPs cannot check existing bucket configuration.

Why this answer

Option C is correct because SCPs are evaluated before the API call is executed, so they cannot see the current state of the bucket. The SCP as described would deny the PutBucketVersioning action only if its condition could check the bucket's current setting, but SCPs cannot access a resource's current configuration. Therefore, the SCP as described would not block the action.

Option A is wrong because SCPs apply to all users. Option B is wrong because SCPs are not optional. Option D is wrong because SCPs do not require an explicit allow.

364
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. Which TWO benefits does this approach provide? (Choose TWO.)

Select 2 answers
A.Centrally enforce policies using service control policies (SCPs).
B.Automatically create VPC peering connections between accounts.
C.Simplify cross-region replication for Amazon RDS databases.
D.Isolate workloads and provide a boundary for security and cost management.
E.Reduce the total cost of EC2 instances by aggregating usage across accounts.
AnswersA, D

SCPs apply to all accounts in the organization.

Why this answer

Service control policies (SCPs) allow you to centrally manage permissions for all accounts in your AWS Organizations hierarchy. SCPs act as a guardrail, enabling you to define the maximum available permissions for IAM roles and users across member accounts without granting any permissions themselves. This ensures consistent enforcement of security and compliance policies across the entire organization.

Exam trap

The trap here is that candidates often confuse consolidated billing with direct cost reduction for EC2 instances, not realizing that aggregation only enables volume discounts and does not lower the per-instance price automatically.

365
MCQhard

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances launched in any account must have a specific tag key 'CostCenter'. Which approach should be used?

A.Create an IAM policy in each account that requires the tag for ec2:RunInstances.
B.Use a Service Control Policy (SCP) that denies ec2:RunInstances unless the request includes the required tag.
C.Use AWS Config rules to detect untagged instances and trigger an AWS Lambda function to tag them.
D.Configure the EC2 service to automatically add the tag to all instances.
AnswerB

SCPs can conditionally deny actions based on tags.

Why this answer

Option B is correct because you can use an SCP to deny ec2:RunInstances if the request does not include the required tag. Option C is wrong because AWS Config can detect non-compliance but not prevent it. Option D is wrong because tagging is not automatic; it must be enforced.

Option A is wrong because IAM policies in individual accounts can be overridden by SCPs, and SCPs are more effective for organization-wide enforcement.

366
MCQhard

A company uses AWS Organizations with hundreds of accounts. They want to centrally manage VPC security group rules to ensure that only approved CIDR ranges are allowed for SSH access. Which solution is MOST scalable and auditable?

A.Use AWS Config rules to detect non-compliant security groups and trigger a Lambda function to remove the offending rules.
B.Create an SCP that denies ec2:AuthorizeSecurityGroupIngress for SSH ports unless the CIDR is in an approved list.
C.Use AWS Firewall Manager to centrally manage security group rules across accounts.
D.Use AWS CloudFormation StackSets to deploy security groups with approved rules, and use an SCP to deny creation or modification of security groups outside of CloudFormation.
AnswerD

This ensures that only compliant security groups are created, and any changes must go through the central template.

Why this answer

Option D is correct because it combines CloudFormation StackSets for deploying approved security groups across hundreds of accounts with an SCP that denies ec2:CreateSecurityGroup and ec2:AuthorizeSecurityGroupIngress actions unless they originate from CloudFormation (using the aws:ViaAWSService condition key). This ensures that only centrally managed, auditable deployments can create or modify security groups, providing both scalability and a clear audit trail via CloudFormation change sets and StackSet operations.

Exam trap

The trap here is that candidates often confuse Firewall Manager’s capabilities—it manages web ACLs and network firewalls, not VPC security group rules—and overlook the powerful combination of CloudFormation StackSets with SCPs using the aws:ViaAWSService condition key for preventive, auditable governance.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive—they detect non-compliance after the fact and rely on a Lambda function to remediate, which introduces latency and potential race conditions; it is not a preventive control and does not scale well for hundreds of accounts with frequent changes. Option B is wrong because SCPs cannot deny actions based on the content of API parameters like CIDR ranges in ec2:AuthorizeSecurityGroupIngress; SCPs operate at the service action level, not on specific resource configuration values, so they cannot enforce approved CIDR lists. Option C is wrong because AWS Firewall Manager is designed for managing AWS WAF rules, AWS Shield Advanced protections, and Network Firewall policies, not for centrally managing VPC security group rules; it does not support security group rule management across accounts.

367
MCQhard

Refer to the exhibit. A company applies this S3 bucket policy to a central logging bucket. CloudTrail trails in multiple accounts are configured to deliver logs to this bucket. Recently, logs stopped being delivered. What is the most likely cause?

A.CloudTrail does not automatically set the 'bucket-owner-full-control' ACL when delivering logs.
B.The Principal element uses 'cloudtrail.amazonaws.com' which is not the correct service principal.
C.The Resource ARN does not include the account ID, so it matches all accounts.
D.The policy uses 'Deny' which is not allowed in S3 bucket policies.
AnswerA

The condition requires the ACL, but CloudTrail does not set it, causing denial.

Why this answer

Option A is correct because the bucket policy requires the ACL to be 'bucket-owner-full-control'. If CloudTrail does not set this ACL, the deny statement blocks the write. CloudTrail by default does not set the ACL, so the condition fails and the request is denied.

Option B is wrong because the service principal is correct. Option C is wrong because the resource ARN is correct. Option D is wrong because the policy version is fine.

368
Drag & Dropmedium

Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.


Why this order

The correct order is: first create the virtual interface in AWS, then configure the on-premises router, establish BGP, verify availability, and finally update route tables.

369
MCQhard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles for cross-account access. They want to ensure that when a role is created in a member account, it automatically adheres to the principle of least privilege and is auditable. What solution should they implement?

A.Use AWS CloudFormation StackSets to deploy IAM roles from a central template in each account.
B.Use AWS Organizations service control policies (SCPs) to deny creation of IAM roles except through AWS CloudFormation, and use a centrally managed CloudFormation template via StackSets.
C.Configure AWS Config rules to detect non-compliant roles and trigger a Lambda function to remove them.
D.Create a Lambda function that monitors CloudTrail events for role creation and sends alerts.
AnswerB

SCPs can enforce that roles are only created via CloudFormation, and StackSets ensure consistent deployment and auditing.

Why this answer

Option B is correct because AWS Organizations SCPs can be used to deny the creation of IAM roles except through AWS CloudFormation, ensuring that roles are only created via a centrally managed template. By combining this with AWS CloudFormation StackSets, the security team can deploy IAM roles from a single template across all member accounts, enforcing the principle of least privilege and providing full auditability through CloudFormation stack events and AWS CloudTrail.

Exam trap

The trap here is that candidates often choose Option A, thinking that CloudFormation StackSets alone provide enforcement, but they miss the critical need for a preventive control (SCPs) to block manual role creation outside the template.

How to eliminate wrong answers

Option A is wrong because using CloudFormation StackSets alone to deploy IAM roles does not prevent users from creating roles manually outside the template, so it fails to enforce the principle of least privilege or ensure auditability. Option C is wrong because configuring AWS Config rules to detect non-compliant roles and trigger a Lambda function to remove them is a reactive approach that does not prevent the creation of non-compliant roles in the first place, leading to potential security gaps and operational overhead. Option D is wrong because creating a Lambda function that monitors CloudTrail events for role creation and sends alerts is also reactive; it only notifies after a role is created, without enforcing least privilege or preventing non-compliant roles from being created.

370
Multi-Selectmedium

A company uses AWS Organizations and wants to centrally manage VPC flow logs for all VPCs across all accounts. Which TWO steps are required to achieve this?

Select 2 answers
A.Configure cross-account CloudWatch Logs subscription.
B.Create a centralized S3 bucket in the logging account.
C.Use VPC Flow Logs with Amazon Kinesis Data Firehose.
D.Apply an SCP that requires VPC Flow Logs to be enabled.
E.Use AWS Config rules to enable flow logs automatically.
AnswersB, D

VPC Flow Logs can be delivered to an S3 bucket.

Why this answer

Options B and D are correct. First, create a centralized S3 bucket to store flow logs. Then, use an SCP to enforce enabling flow logs on all VPCs.

Option E is wrong because AWS Config can detect but not enforce. Option A is wrong because a CloudWatch Logs cross-account subscription is not necessary when using S3. Option C is wrong because VPC Flow Logs can be delivered to S3 directly.

371
MCQhard

A company has a production AWS account that is part of an AWS Organization. The account has a VPC with a NAT gateway for internet access. The security team wants to ensure that all outbound traffic to the internet flows through a centralized inspection VPC in the security account for traffic inspection. Which architecture should be used?

A.Use AWS Cloud WAN to connect the VPCs and route all outbound traffic through the inspection VPC.
B.Create a VPC peering connection between the production VPC and the inspection VPC, and route all outbound traffic through the peered connection.
C.Create a transit gateway, attach both VPCs, and configure the production VPC's route table to send all internet-bound traffic to the transit gateway, then route it through the inspection VPC's firewall.
D.Place a NAT gateway in the inspection VPC and have the production VPC route internet traffic to the NAT gateway.
AnswerC

Transit gateway enables transitive routing for inspection.

Why this answer

Option C is correct because a transit gateway with an attachment to the inspection VPC (which hosts a firewall appliance), combined with routing all outbound traffic through it, provides centralized inspection. Option B is wrong because VPC peering does not support transitive routing. Option A is wrong because Cloud WAN can be used, but it is more complex than needed.

Option D is wrong because a central NAT gateway in the security account would require routing all traffic through it, which is less flexible.

372
MCQeasy

A company has a central IT team that manages networking resources for multiple application teams. Each application team needs to manage its own EC2 instances and RDS databases. Which AWS architecture best supports this separation of duties?

A.Use AWS Transit Gateway to connect individual VPCs managed by each team.
B.Use a shared VPC with separate subnets for each team, with IAM policies to control access.
C.Create a single VPC and use VPC peering to connect team resources.
D.Create a separate VPC for each application team and use VPC peering.
AnswerB

Shared VPC allows central management of network resources while teams manage their own resources.

Why this answer

Option B is correct because a shared VPC allows the central IT team to manage the network while application teams create their own resources in the same VPC. Option D is wrong because individual VPCs per team would not allow central management. Option C is wrong because VPC peering does not provide central management.

Option A is wrong because AWS Transit Gateway does not control resource creation permissions within VPCs.

373
MCQmedium

A company is centralizing its logging across multiple AWS accounts using a central logging account. Each application account delivers its CloudTrail logs and VPC Flow Logs to an S3 bucket in the logging account. The security team needs to query these logs using Amazon Athena. The logs are currently in separate S3 prefixes per account. The team wants to create a single Athena table that can query logs from all accounts without having to modify the table definition every time a new account is added. The logs are in CSV format for VPC Flow Logs and JSON format for CloudTrail. What is the MOST efficient solution?

A.Create a view that unions all the tables for each account, and update the view DDL when a new account is added.
B.Use AWS Glue crawlers configured to crawl the S3 bucket with a partition structure based on account ID and log type. Enable partition indexing to improve query performance.
C.Create an Athena table with partitions manually for each account and use MSCK REPAIR TABLE to add new partitions.
D.Convert all logs to Parquet format using AWS Glue ETL jobs and store them in a single prefix.
AnswerB

Glue crawlers automatically discover new partitions and update the table metadata.

Why this answer

Option B is correct because using AWS Glue crawlers with partition indexes allows automatic discovery of new partitions as new accounts add logs. The crawler can be scheduled to run periodically, updating the table metadata. Option C requires manual partition management.

Option D requires converting logs to a common format, which adds overhead. Option A requires manual DDL updates.

374
MCQeasy

A company wants to automate the creation of new AWS accounts and apply baseline security configurations. Which combination of services should be used to achieve this?

A.AWS Service Catalog and AWS Config.
B.AWS Organizations API and CloudTrail.
C.AWS Control Tower and Service Control Policies (SCPs).
D.AWS CloudFormation StackSets and IAM.
AnswerC

Control Tower provides account factory and guardrails via SCPs.

Why this answer

AWS Control Tower provides a managed service to automate the creation of new AWS accounts through Account Factory, while Service Control Policies (SCPs) enforce baseline security guardrails across all accounts in the organization. This combination ensures that every new account is provisioned with consistent security policies without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Control Tower with AWS Organizations alone, forgetting that Control Tower adds automated account provisioning and pre-built security guardrails (SCPs) that Organizations alone does not provide.

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog is used for creating and managing approved IT service catalogs, not for automating account creation, and AWS Config is a configuration auditing service, not a provisioning tool. Option B is wrong because the AWS Organizations API can create accounts programmatically but lacks built-in baseline security configuration enforcement; CloudTrail only logs API activity and does not apply security policies. Option D is wrong because AWS CloudFormation StackSets deploy infrastructure templates across accounts but do not automate account creation itself, and IAM manages user permissions but not account provisioning or baseline security guardrails.

375
MCQhard

A company uses AWS Organizations and wants to implement a policy that prevents any account from disabling AWS CloudTrail or deleting CloudTrail log files. The solution must be enforceable across all accounts. Which combination of actions should be taken?

A.Enable CloudTrail with a trail that logs to a bucket in a separate account, and use IAM policies to deny CloudTrail deletion.
B.Create an SCP that denies cloudtrail:DeleteTrail and cloudtrail:StopLogging, and rely on S3 versioning to recover deleted logs.
C.Create an IAM policy in each account that denies CloudTrail deletion and attach it to all IAM users and roles.
D.Create an SCP that denies cloudtrail:DeleteTrail, cloudtrail:StopLogging, and s3:DeleteObject on the log bucket. Also attach a bucket policy to the log bucket that denies s3:DeleteObject for all principals except the management account.
AnswerD

Combines SCP and bucket policy for comprehensive protection.

Why this answer

Option D is correct because an SCP can deny CloudTrail deletion and disabling, and an S3 bucket policy on the log bucket can prevent log deletion. Option C is wrong because IAM policies in each account are not centralized. Option A is wrong because CloudTrail cannot be protected from deletion by the same account.

Option B is wrong because an SCP alone cannot protect the S3 bucket.
