CCNA Org Complexity Questions

75 of 455 questions · Page 1/7 · Org Complexity topic · Answers revealed

1
MCQ · hard

A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?

A. Enable AWS Config aggregator and use advanced queries to search for trust policies.
B. Use AWS Trusted Advisor to check for overly permissive roles.
C. Write a script using AWS SDK to list roles in each account and analyze trust policies.
D. Use IAM Access Analyzer to generate findings for each account.
Answer: A

Config aggregator allows querying across all accounts.

Why this answer

Option A is correct because AWS Config advanced queries run against an aggregator span all accounts in the organization, which is scalable. Option C is wrong because scripting a review account by account is not scalable. Option B is wrong because Trusted Advisor does not cover custom policies.

Option D is wrong because IAM Access Analyzer identifies external access but does not provide a full audit of trust policies.

2
MCQ · easy

A company has multiple AWS accounts and wants to centralize the management of security policies. The security team needs to enforce that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. The solution must be centrally managed and automatically applied to new accounts as they are added. Which approach should be taken?

A. Use AWS Config to detect IAM users without MFA and send alerts.
B. Create an SCP that denies console access for IAM users if MFA is not present.
C. Use AWS IAM Identity Center to enforce MFA for all users accessing the console.
D. Create an IAM policy in each account that denies console access without MFA.
Answer: B

SCPs are centrally managed and apply to all accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) can centrally deny AWS API actions (including console access) for all IAM users across multiple accounts if the `aws:MultiFactorAuthPresent` condition key is false. This approach is centrally managed from the management account and automatically applies to new accounts added to the organization, meeting the requirement for centralized enforcement and scalability.

Exam trap

The trap here is that candidates confuse IAM Identity Center (federated users) with native IAM users, or they assume AWS Config can enforce policies when it only detects and alerts, leading them to pick a non-preventive or non-centralized solution.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect and alert on IAM users without MFA, but it does not enforce or deny access; it only provides detective controls, not preventive enforcement. Option B is wrong because AWS IAM Identity Center (formerly AWS SSO) manages access for federated users, not for IAM users in individual accounts; it cannot enforce MFA on native IAM users created directly in member accounts. Option D is wrong because creating an IAM policy in each account requires manual per-account deployment and does not automatically apply to new accounts, failing the central management and automatic application requirements.

3
MCQ · easy

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

A. Close the AWS account from the management account.
B. Create a support ticket to AWS to remove the account.
C. Remove the account's payment method.
D. The management account can directly remove the account without any prerequisites.
Answer: C

An account must be suspended before removal; removing payment method effectively suspends it.

Why this answer

Option C is correct because, before an AWS account can be removed from an AWS Organization, the account must have its payment method removed. This is a prerequisite enforced by AWS to ensure the account is not left in a state where it cannot be billed independently after leaving the organization. The management account cannot directly remove an account that still has an active payment method associated with it.

Exam trap

The trap here is that candidates often assume the management account has full authority to remove any account without prerequisites, overlooking the specific billing prerequisite that AWS enforces to ensure the account can function independently after removal.

How to eliminate wrong answers

Option A is wrong because closing the AWS account from the management account is not a prerequisite for removal; closing an account is a separate action that permanently terminates the account, whereas removal from the organization simply detaches it. Option B is wrong because AWS does not require a support ticket to remove an account from an organization; the management account can remove accounts programmatically via the AWS Organizations API or CLI without contacting support. Option D is wrong because the management account cannot directly remove an account without prerequisites; the account must have its payment method removed first, as per AWS Organizations requirements.

4
MCQ · medium

A company has a multi-account AWS environment with hundreds of accounts. The central IT team needs to audit all API calls made in the organization. The solution must be cost-effective and capture events from all regions and accounts, including future accounts. Which solution should the company use?

A. Create an organization trail in the management account that logs all events to an S3 bucket with a bucket policy granting access to all accounts.
B. Use AWS Config to record API calls and deliver to a central S3 bucket.
C. Enable CloudTrail in each account and configure each trail to deliver logs to a central S3 bucket.
D. Use VPC Flow Logs to capture API calls and send to a central S3 bucket.
Answer: A

Organization trail automatically captures all accounts and future accounts.

Why this answer

Option A is correct because AWS CloudTrail can be enabled at the organization level as an organization trail, which automatically creates a trail for all accounts and regions, including future accounts. Option B is wrong because it requires individual setup in each account. Option C is wrong because enabling CloudTrail per account is operationally heavy.

Option D is wrong because VPC Flow Logs do not log API calls.

5
MCQ · medium

A company uses AWS Organizations and has a central security account. They want to use AWS Security Hub to aggregate findings from all member accounts. They have enabled Security Hub in the security account and invited all member accounts. However, findings from member accounts are not appearing in the Security Hub console of the security account. What is the most likely cause?

A. The member accounts have not configured Security Hub to send findings to the security account.
B. The IAM role used by Security Hub in the security account does not have permissions to read findings from member accounts.
C. Security Hub cannot aggregate findings from member accounts in different regions.
D. The member accounts have not enabled Security Hub and accepted the invitation.
Answer: D

Each member account must enable Security Hub.

Why this answer

Option D is correct because each member account must enable Security Hub and accept the invitation before findings are aggregated. Option C is wrong because Security Hub supports cross-region aggregation. Option B is wrong because IAM permissions are needed but are not the primary cause.

Option A is wrong because there is no such requirement.

6
Multi-Select · medium

A company has a multi-account AWS environment with 50 accounts. They need to implement a centralized logging solution for VPC Flow Logs, CloudTrail, and AWS Config logs. The logs must be stored in a central S3 bucket and encrypted with a customer-managed KMS key. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A. Create an S3 bucket policy that grants permissions to the CloudTrail and AWS Config service principals from all accounts to write logs.
B. Use AWS Config aggregator to collect configuration data from all accounts into a central account.
C. Configure CloudTrail in each account to send logs to the central S3 bucket.
D. Create a customer-managed KMS key with a key policy that allows the CloudTrail and AWS Config service principals to use the key for encryption.
E. Enable VPC Flow Logs in each account and deliver them to a central CloudWatch Logs group.
Answers: A, C, D

Bucket policy must allow cross-account delivery.

Why this answer

Option A is correct because the central S3 bucket must allow log delivery from all accounts via its bucket policy. Option C is correct because CloudTrail trails can be configured to deliver to a central bucket across accounts. Option D is correct because the KMS key policy must grant permissions to the log delivery services across accounts.

Option E is wrong because VPC Flow Logs cannot be directly aggregated to a central account without third-party tools or cross-account delivery. Option B is wrong because AWS Config data is per-account; the aggregator consolidates configuration data for viewing, it is not direct log delivery.

7
Multi-Select · hard

A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?

Select 2 answers
A. Attach a Service Control Policy (SCP) to the production OU that denies sts:AssumeRole unless the request source IP is within the corporate range.
B. Use a VPC endpoint for STS and restrict access to the endpoint.
C. Configure AWS WAF to block requests from IPs outside the corporate range.
D. Add a condition to the trust policy of each IAM role that requires the source IP to be in the corporate range.
E. Attach a Service Control Policy (SCP) to each IAM role that denies assume role unless the source IP is corporate.
Answers: A, D

SCPs can enforce conditions on API calls.

Why this answer

Options A and D are correct. Option A: An SCP can deny the sts:AssumeRole action if the request does not come from the corporate IP range. Option D: A condition on the source IP can be added to the trust policy of each IAM role.

Option E is wrong because SCPs cannot be attached to roles. Option C is wrong because AWS WAF is for web traffic, not IAM. Option B is wrong because VPC endpoints do not enforce source IP.

8
Multi-Select · medium

A company is designing a multi-account AWS environment with a centralized logging account. Which TWO services should be used to aggregate logs from all accounts?

Select 2 answers
A. AWS CloudTrail with cross-account S3 bucket
B. Amazon CloudWatch Logs with cross-account subscription
C. Amazon S3 cross-region replication
D. Amazon VPC Flow Logs
E. Amazon Kinesis Data Firehose
Answers: A, B

CloudTrail can deliver logs to a centralized S3 bucket in another account.

Why this answer

Options A and B are correct. CloudTrail logs can be delivered to a centralized S3 bucket in the logging account using cross-account delivery. CloudWatch Logs can be aggregated using cross-account subscription filters to a central account.

Option E is wrong because Kinesis Data Firehose can be used but is not the primary aggregator for logs. Option C is wrong because S3 cross-region replication is a storage feature, not an aggregation service. Option D is wrong because VPC Flow Logs are sent to S3 or CloudWatch Logs, not directly to a central account.

9
MCQ · easy

A company wants to centralize management of IAM users and groups across multiple AWS accounts. The solution should allow users to access resources in any account without needing separate credentials. Which AWS service should be used?

A. AWS Identity and Access Management (IAM)
B. AWS Organizations
C. AWS IAM Identity Center (AWS SSO)
D. AWS Directory Service for Microsoft Active Directory
Answer: C

Provides centralized user management and single sign-on.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized identity source that allows users to sign in once with a single set of credentials and then access multiple AWS accounts and applications. It integrates with AWS Organizations to manage user and group permissions across accounts, eliminating the need for separate IAM users in each account.

Exam trap

The trap here is that candidates often confuse AWS Organizations with a user management service, but Organizations only manages accounts and policies, not user identities or authentication.

How to eliminate wrong answers

Option A is wrong because IAM is account-scoped and cannot centralize user management across multiple AWS accounts; it requires creating separate IAM users in each account, which defeats the goal of single sign-on. Option B is wrong because AWS Organizations provides policy-based management and consolidated billing but does not itself offer a user directory or authentication mechanism; it relies on IAM Identity Center or other identity providers for user access. Option D is wrong because AWS Directory Service for Microsoft Active Directory is a managed AD service that can be used as an identity source, but it is not the AWS-native service for centralizing IAM user and group management across accounts; IAM Identity Center is the recommended service for this purpose.

10
MCQ · medium

A company has a multi-account AWS environment with a central security account. They want to enable Amazon GuardDuty in all accounts and centrally view findings. The security team has already enabled GuardDuty in the security account and invited all member accounts. However, the security account is not receiving findings from all member accounts. Upon investigation, some member accounts show that GuardDuty is not enabled, and some show that they have not accepted the invitation. The team needs a scalable solution to enable GuardDuty across all accounts and ensure findings are sent to the security account. What should the team do?

A. Use AWS Config rules to detect accounts without GuardDuty and send alerts.
B. Use AWS CloudFormation StackSets to deploy GuardDuty resources in each account.
C. Use AWS Control Tower to enable GuardDuty in all accounts via a custom blueprint.
D. Use the GuardDuty delegated administrator feature with AWS Organizations to automatically enable GuardDuty in all accounts and centralize findings.
Answer: D

Automates enablement and centralization.

Why this answer

Option D is correct because the GuardDuty delegated administrator feature integrated with AWS Organizations allows the security account to be designated as the GuardDuty administrator, which can then automatically enable GuardDuty for all existing and future member accounts in the organization. This eliminates the need for manual invitations and acceptances, ensuring that findings are centrally aggregated in the security account without requiring per-account configuration.

Exam trap

The trap here is that candidates may choose CloudFormation StackSets (Option B) thinking it can deploy GuardDuty resources across accounts, but they overlook that StackSets cannot automatically accept GuardDuty invitations or leverage the Organizations delegated administrator model to bypass the manual acceptance step.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect noncompliant resources and trigger alerts or remediation actions, but they cannot automatically enable GuardDuty across accounts or manage the invitation/acceptance workflow required for centralized findings. Option B is wrong because CloudFormation StackSets can deploy resources across accounts, but they require the member accounts to already have accepted the GuardDuty invitation or be part of the same organization; they do not automate the invitation acceptance process or leverage the delegated administrator model to bypass manual steps. Option C is wrong because AWS Control Tower custom blueprints are used to deploy additional governance controls or resources, but they do not natively support the GuardDuty delegated administrator feature; enabling GuardDuty across all accounts in Control Tower is better achieved through Organizations integration, not a custom blueprint.

11
Drag & Drop · medium

Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.


Why this order

First create the S3 bucket, then create the trail, configure events, enable security features, and verify delivery.

12
MCQ · medium

A company has a multi-account AWS environment and wants to enforce that all EC2 instances are launched with a specific AMI ID. The AMI ID is maintained by the security team in a central account. What is the MOST effective way to enforce this across all accounts?

A. Create an EC2 launch template with the approved AMI and share it with all accounts
B. Use AWS CloudTrail to monitor instance launches and trigger a Lambda function to terminate non-compliant instances
C. Use AWS Config rules in each account to detect non-compliant instances and send alerts
D. Apply a service control policy (SCP) that denies ec2:RunInstances if the ami parameter does not match the approved AMI ID
Answer: D

SCPs enforce at the API level across all accounts in the organization.

Why this answer

Option D is correct because an SCP can centrally deny the ec2:RunInstances action unless the request includes a specific AMI ID parameter, enforced across all accounts in the AWS Organization. This preventive control blocks non-compliant launches at the API level, ensuring no instance can be created with an unapproved AMI, regardless of account-level permissions.

Exam trap

The trap here is that candidates confuse detective controls (Config, CloudTrail/Lambda) with preventive controls (SCPs), assuming that alerting or terminating non-compliant instances is as effective as blocking the launch entirely.

How to eliminate wrong answers

Option A is wrong because sharing an EC2 launch template does not enforce its use; users can still launch instances with other AMIs by ignoring the template. Option B is wrong because CloudTrail monitoring with Lambda termination is a reactive, detective control that allows non-compliant instances to run temporarily, incurring cost and risk before termination. Option C is wrong because AWS Config rules are also detective, only alerting or triggering remediation after a non-compliant instance exists, not preventing the launch.

13
Multi-Select · hard

A company uses AWS Organizations with a dedicated security account. They want to centralize the management of AWS Config rules and ensure that all accounts are compliant with the same set of rules. Which THREE steps should they take?

Select 3 answers
A. Apply a service control policy (SCP) that requires AWS Config to be enabled.
B. Create an AWS Config aggregator in the security account to view compliance status across accounts.
C. Use AWS CloudFormation StackSets to deploy the desired AWS Config rules to all accounts.
D. Enable AWS Config in all accounts across the organization.
E. Use AWS CloudTrail to monitor compliance status.
Answers: B, C, D

Centralized dashboard.

Why this answer

Option B is correct because an AWS Config aggregator in the security account collects compliance data from all member accounts, providing a centralized view of rule compliance across the organization. This enables the security team to monitor and audit compliance without logging into each account individually.

Exam trap

The trap here is confusing service control policies (SCPs) with service enablement; SCPs restrict permissions but cannot automatically enable AWS Config, leading candidates to incorrectly select option A as a way to enforce compliance.

14
MCQ · hard

Refer to the exhibit. An SCP is attached to an OU. A developer in an account under this OU tries to launch a t3.large EC2 instance. What will happen?

A. The instance launch is allowed because the condition uses StringNotEquals, which is not evaluated correctly.
B. The instance launch is denied because the SCP denies any instance type not in the allowed list.
C. The instance launch is denied, but only if the account's IAM policy also denies it.
D. The instance launch is allowed because the SCP has an explicit deny, but it only applies to certain instance types.
Answer: B

Correct: the deny effect applies when the condition is true.

Why this answer

The SCP explicitly denies any EC2 instance launch where the instance type does not match the allowed list using `StringNotEquals`. Since `t3.large` is not in the allowed list (`t2.micro`, `t2.small`, `t2.medium`), the condition evaluates to true, triggering the explicit deny. SCPs act as a guardrail that overrides any IAM permissions, so the launch is denied regardless of the account's IAM policies.

Exam trap

The trap here is that candidates may think `StringNotEquals` is a misconfiguration or that SCPs only apply if the IAM policy also denies, but in reality, an explicit deny in an SCP is absolute and cannot be bypassed by IAM allows.

How to eliminate wrong answers

Option A is wrong because `StringNotEquals` is evaluated correctly by AWS; it denies actions when the specified value does not match the allowed list, not the other way around. Option C is wrong because SCPs are evaluated before IAM policies and can deny actions even if the IAM policy allows them; an explicit deny in an SCP cannot be overridden by an IAM allow. Option D is wrong because the SCP's explicit deny applies to all instance types not in the allowed list, and `t3.large` is not in that list, so the deny is triggered.

15
MCQ · easy

A company has multiple AWS accounts that are centrally managed using AWS Organizations. The security team requires that all API activity be logged and retained for 7 years. The logs must be stored in a central Amazon S3 bucket that is in the management account. Which solution meets these requirements with the least operational overhead?

A. Enable CloudTrail in each account and use S3 Cross-Region Replication to copy logs to a central bucket.
B. Use Amazon Kinesis Data Firehose to stream CloudTrail logs from each account to a central S3 bucket.
C. Enable CloudTrail in each account individually and configure log file delivery to a bucket in that account.
D. Enable AWS CloudTrail in the management account with organization trail, and configure the trail to deliver logs to an S3 bucket in the management account.
Answer: D

Organization trail delivers logs from all accounts to a central bucket.

Why this answer

Option D is correct because enabling an organization trail in the management account automatically applies CloudTrail to all accounts in the AWS Organization, delivering logs to a single S3 bucket in the management account without any per-account configuration or additional replication mechanisms. This meets the 7-year retention requirement with the least operational overhead, as the trail is centrally managed and logs are stored directly in the central bucket.

Exam trap

The trap here is that candidates often assume they must enable CloudTrail in each account individually or use replication/streaming services, failing to recognize that an organization trail in the management account automatically centralizes log delivery from all accounts with minimal configuration.

How to eliminate wrong answers

Option A is wrong because S3 Cross-Region Replication adds operational complexity and cost, and it does not address the need to centrally collect logs from all accounts without per-account CloudTrail setup. Option B is wrong because Amazon Kinesis Data Firehose requires setting up a delivery stream in each account and adds unnecessary complexity and potential data transformation overhead, whereas an organization trail provides direct log delivery. Option C is wrong because it requires enabling CloudTrail individually in each account and then manually aggregating logs from separate buckets, which increases operational overhead and does not leverage the centralized management capabilities of AWS Organizations.

16
Multi-Select · medium

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

Select 3 answers
A. The management account must have an IAM role (StackSetsAdminRole) with permissions to create stack instances in member accounts.
B. The management account must have an AWS Organizations SCP that allows CloudFormation StackSets operations.
C. The execution role in member accounts must have permissions to create the resources defined in the CloudFormation template (e.g., VPC, subnets).
D. Each member account must have a self-managed IAM role named 'AWSCloudFormationStackSetExecutionRole' with a trust policy allowing the management account to assume it.
E. The management account must have permission to assume the execution role in member accounts (via IAM trust policy).
Answers: A, C, E

This is the admin role that assumes the execution role in member accounts.

Why this answer

Option A is correct because StackSets require the management account to have an IAM role (commonly named 'AWSCloudFormationStackSetAdministrationRole') that grants permission to create and manage stack instances in member accounts. This role is assumed by CloudFormation to perform operations across accounts, and it must have a trust policy allowing the CloudFormation service to assume it.

Exam trap

The trap here is that candidates often confuse the optional self-managed execution role (option D) as a requirement, when in fact service-managed StackSets eliminate the need for manual role creation in member accounts.

17
MCQ · easy

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users are created in member accounts. All access must be through federated roles. Which approach should they use?

A. Apply an SCP to the root OU that denies the iam:CreateUser action.
B. Set an IAM password policy in each account that requires strong passwords.
C. Use AWS Config rules to detect IAM users and automatically delete them.
D. Use AWS CloudTrail to monitor for CreateUser and alert the security team.
Answer: A

SCPs prevent user creation entirely.

Why this answer

Option A is correct because an SCP can deny the iam:CreateUser action across all member accounts. Option B is wrong because IAM password policies do not prevent user creation. Option C is wrong because AWS Config can detect but not prevent.

Option D is wrong because CloudTrail only logs.

18
MCQ · hard

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

A. Use AWS PrivateLink to connect each VPC to the network account.
B. Create VPC peering connections between each VPC and the network account.
C. Set up a NAT gateway in each VPC and route traffic through the transit gateway using private IP addresses from a separate CIDR block.
D. Assign new non-overlapping CIDR ranges to each VPC and update all resources.
Answer: C

NAT translates overlapping IPs to unique addresses, enabling communication.

Why this answer

Option C is correct because it uses a NAT gateway in each VPC to translate overlapping private IPs to unique private IPs from a separate CIDR block before routing through the Transit Gateway. This allows the Transit Gateway to forward traffic without conflict, as the NAT gateway performs source network address translation (SNAT) to eliminate IP overlap. This approach is highly scalable because it avoids re-architecting existing VPCs and can be applied incrementally as new VPCs are added.

Exam trap

The trap here is that candidates assume Transit Gateway can handle overlapping CIDRs natively, but it cannot; the NAT gateway is required to perform address translation before traffic enters the Transit Gateway, and this is the most scalable solution without renumbering VPCs.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink creates point-to-point connections via Network Load Balancers and endpoint services, which does not resolve overlapping CIDR conflicts between VPCs; it only provides private connectivity to specific services, not full network routing. Option B is wrong because VPC peering requires non-overlapping CIDR ranges to route traffic, and overlapping CIDRs will cause routing conflicts and prevent successful peering connections. Option D is wrong because assigning new non-overlapping CIDR ranges to each VPC is not scalable; it requires extensive reconfiguration of all resources, downtime, and is impractical for a large number of accounts with existing workloads.

19
Multi-Select · medium

A company wants to implement a cost allocation strategy using tags across multiple accounts in AWS Organizations. Which TWO practices should be followed?

Select 2 answers
A. Define a standardized set of tags (e.g., CostCenter, Owner, Project) and enforce them using AWS Config rules.
B. Enable AWS-generated tags automatically for all resources.
C. Use service control policies (SCPs) to require tags on all resources.
D. Apply tags only at the resource creation time; they cannot be added later.
E. Use AWS Cost Explorer to filter costs by tags across accounts.
Answers: A, E

Standardization and enforcement are key for cost allocation.

Why this answer

Option A is correct because defining a standardized set of tags and enforcing them with AWS Config rules ensures consistent cost allocation tagging across all accounts in AWS Organizations. AWS Config rules can evaluate resources for tag compliance and trigger remediation actions, such as automatically tagging resources or sending notifications, which is essential for accurate cost tracking. This approach aligns with the AWS Well-Architected Framework's cost optimization pillar by enabling granular cost allocation and chargeback.

Exam trap

The trap here is confusing service control policies (SCPs) with tag enforcement mechanisms; SCPs control permissions, not resource configurations, so candidates often incorrectly select SCPs for tagging requirements instead of AWS Config rules or tag policies.

20
Multi-Select · medium

A company is implementing a new multi-account strategy using AWS Organizations. The central IT team wants to delegate management of certain AWS services to individual account administrators while maintaining centralized governance. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A. Create IAM roles in each account that can be assumed from the central account with limited permissions.
B. Create SCPs that allow all actions except those managed centrally.
C. Use AWS CloudFormation StackSets to deploy baseline resources across accounts.
D. Share the root user credentials of each account with the respective administrator.
E. Grant each account administrator full access to the management account.
Answers: A, C

Cross-account roles allow central team to perform actions in delegated accounts.

Why this answer

Option A is correct because IAM roles with cross-account trust allow delegated administration. Option C is correct because AWS CloudFormation StackSets allows central deployment of resources across accounts. Option D is incorrect because sharing root credentials violates security best practices.

Option B is incorrect because SCPs can restrict actions but cannot delegate management. Option E is incorrect because access to the management account should be restricted, not granted to account administrators.

21
MCQmedium

A company is designing a multi-account AWS environment for different business units. They need to share a central Amazon RDS database with read replicas in each account for disaster recovery. What architecture minimizes cross-region data transfer costs while maintaining high availability?

A.Use a VPC endpoint to share the database across accounts without data transfer costs.
B.Create a cross-region read replica in the central account and grant access to other accounts.
C.Share a snapshot of the RDS instance with each account and restore it as a read replica in the same region.
D.Create an IAM role in each account to access the central RDS instance directly.
AnswerC

Snapshots can be shared across accounts and restored without cross-region data transfer costs.

Why this answer

Option C is correct because sharing the RDS snapshot with each account and restoring it as a read replica in the same region avoids cross-region data transfer costs. Option B is wrong because a single cross-region replica incurs data transfer costs. Option D is wrong because direct cross-account access is not supported for read replicas.

Option A is wrong because a VPC endpoint does not eliminate data transfer costs for RDS replication.

22
MCQhard

A company uses AWS Organizations with hundreds of accounts. The central IT team wants to manage IP address ranges for VPCs across all accounts using a custom AWS Resource Access Manager (RAM) resource share. They have created a resource share containing the IP address CIDR blocks (as managed prefix lists) and shared it with the organization. However, some accounts cannot see the shared prefix lists. What is the MOST likely cause?

A.The organization's sharing feature for Amazon VPC is not enabled in the management account.
B.Managed prefix lists are not supported by AWS RAM.
C.The accounts need to accept the resource share invitation manually.
D.The resource share can only include one type of resource at a time.
AnswerA

RAM requires enabling sharing with AWS Organizations for each service; VPC sharing must be enabled.

Why this answer

Option A is correct because RAM sharing with an organization requires that sharing with AWS Organizations be enabled from the management account via the Organization's trusted access; until it is, member accounts cannot see organization-wide shares. Option B is incorrect because RAM supports managed prefix lists. Option D is incorrect because a resource share can include multiple resources.

Option C is incorrect because RAM sharing with the entire organization does not require individual invites.

23
MCQhard

A global company uses AWS Organizations with many OUs and accounts. The finance team needs to track costs by cost center, which is tagged on each resource. However, some resources are not tagged. Which solution will provide the MOST accurate cost allocation?

A.Enable cost allocation tags and use AWS Cost Explorer to filter by tag.
B.Create AWS Budgets reports for each cost center using tag filters.
C.Export AWS Cost and Usage Reports to Amazon QuickSight and use tag-based filtering.
D.Use AWS Cost Categories to group costs by tag value and set a default rule for untagged resources.
AnswerD

Cost Categories can group costs by tags and assign untagged resources to a default category.

Why this answer

Option D is correct because AWS Cost Categories allow you to group costs by tag values and, crucially, set a default rule for untagged resources. This ensures that all resources—tagged or not—are assigned to a cost center, providing the most accurate cost allocation across the entire organization. Other options only filter or report on tagged resources, leaving untagged costs unallocated.

Exam trap

The trap here is that candidates assume tag-based filtering or reporting tools (Cost Explorer, Budgets, QuickSight) can handle untagged resources, but they cannot—only Cost Categories with a default rule can allocate costs for untagged resources.

How to eliminate wrong answers

Option A is wrong because enabling cost allocation tags and using Cost Explorer to filter by tag only reports on resources that already have the tag; untagged resources are excluded, leading to incomplete cost allocation. Option B is wrong because AWS Budgets reports with tag filters also only apply to tagged resources; they do not handle untagged resources, so costs from untagged resources are not tracked by cost center. Option C is wrong because exporting CUR to QuickSight and using tag-based filtering still requires tags to be present on resources; untagged resources are not assigned to any cost center, resulting in inaccurate allocation.

24
MCQmedium

A company wants to centrally manage access to multiple AWS accounts using AWS Organizations. The security team requires that all IAM users and roles be created in a single master account and assume roles in member accounts. Which configuration ensures that cross-account role assumptions are auditable and enforced?

A.Enable AWS CloudTrail in the master account and log sts:AssumeRole events.
B.Create an IAM Access Analyzer in each member account to monitor cross-account access.
C.Use AWS Config to record IAM role configurations and trigger Lambda functions on changes.
D.Configure a service control policy (SCP) to deny all IAM actions except sts:AssumeRole.
AnswerA

CloudTrail logs all STS API calls, providing a centralized audit trail for cross-account role assumptions.

Why this answer

Option A is correct because AWS CloudTrail in the master account can log all sts:AssumeRole API calls across the organization when management events are enabled. This provides a centralized, immutable audit trail of who assumed which role in which member account, meeting the security team's requirement for auditable cross-account role assumptions. CloudTrail captures the source identity, target role ARN, and timestamp, enabling full forensic analysis.

Exam trap

The trap here is that candidates often confuse AWS Config (which records resource configuration changes) with CloudTrail (which records API calls), leading them to choose Option C even though it cannot log the actual sts:AssumeRole events needed for auditing.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is designed to identify resources shared with external entities (outside the organization), not to audit or enforce cross-account role assumptions within the same organization. Option C is wrong because AWS Config records configuration changes to IAM roles but does not log the actual sts:AssumeRole API calls; it cannot provide an audit trail of role assumption events. Option D is wrong because a service control policy (SCP) that denies all IAM actions except sts:AssumeRole would prevent users from creating, modifying, or deleting IAM resources in member accounts, but it does not enforce that all IAM users and roles are created only in the master account, nor does it provide auditing of role assumptions.

25
MCQeasy

A company wants to allow developers to launch EC2 instances only in the us-east-1 Region. They have a single AWS account. What is the simplest way to enforce this?

A.Create an IAM policy that denies EC2 actions unless the region is us-east-1.
B.Use AWS Config to terminate instances in other Regions.
C.Apply an SCP to the account.
D.Configure the default VPC in us-east-1 only.
AnswerA

IAM policy directly restricts user actions.

Why this answer

An IAM policy with a condition on ec2:Region is the simplest. Option C is wrong because SCPs are for Organizations. Option D is wrong because it's per-VPC.

Option B is wrong because it's reactive.

26
Multi-Selectmedium

A company is designing a multi-account AWS Organizations architecture. Which TWO considerations should be taken into account when designing the organizational structure?

Select 2 answers
A.Accounts cannot be moved between OUs once created.
B.Each organizational unit (OU) should contain only one account for security isolation.
C.AWS CloudTrail can be configured to log management events across all accounts from the management account.
D.Service control policies (SCPs) can be used to centrally restrict permissions across accounts.
E.SCPs can only be applied to root accounts, not OUs.
AnswersC, D

CloudTrail can be enabled for all accounts via Organizations.

Why this answer

Option C is correct because AWS CloudTrail can be configured from the management account to log management events for all accounts in the organization. This is done by creating a CloudTrail trail that applies to all accounts in the organization, which centralizes logging and eliminates the need to configure CloudTrail individually in each account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can only be applied to the root account, when in fact they can be attached to any OU or account within the organization.

27
MCQmedium

A company has a multi-account AWS environment with 50 accounts. They use AWS Organizations and want to centrally manage EC2 instances across all accounts. The operations team needs to run a script on all EC2 instances that are tagged with Environment=Production. The script must be executed once immediately and requires access to a shared S3 bucket in the management account. Which solution meets these requirements with the least operational overhead?

A.Use AWS Systems Manager State Manager to create an association that runs the script on the targeted instances.
B.Use AWS Config to create a custom rule that triggers an AWS Lambda function to run the script on the instances.
C.Use AWS Lambda to directly run the script on EC2 instances using the AWS SDK.
D.Use AWS Systems Manager Run Command with a resource group that selects instances by tag across accounts.
AnswerD

Run Command can execute commands immediately on targeted instances.

Why this answer

Option D is correct because AWS Systems Manager Run Command can target instances by tags across accounts using resource data sync and cross-account delegation. Option A is wrong because AWS Systems Manager State Manager is for scheduled, recurring execution, not a one-time immediate run. Option B is wrong because AWS Config does not execute scripts.

Option C is wrong because AWS Lambda cannot directly run scripts on EC2 instances without additional infrastructure.

28
MCQhard

A company uses AWS Organizations and wants to delegate administration of a specific service to a member account. The service must be able to perform actions across all accounts in the organization. Which steps should the company take?

A.Use AWS Organizations to register the member account as a delegated administrator for the service.
B.Create a service-linked role in each account to allow the service to perform actions.
C.Grant the member account IAM permissions to assume the OrganizationAccountAccessRole in all accounts.
D.Create an IAM role in each account with a trust policy that allows the service to assume it.
AnswerA

Delegated administration allows the member account to manage the service across the organization.

Why this answer

Option A is correct because AWS Organizations allows you to register a member account as a delegated administrator for a service, which then allows that service to perform cross-account actions. Option B is wrong because creating a service-linked role in each account is not necessary; the delegated administrator can create them on behalf of other accounts. Option C is wrong because the Organizations management account does not need to grant cross-account access; the service can do it.

Option D is wrong because IAM roles in each account are not needed if the service supports delegated administration.

29
MCQeasy

A company uses AWS Organizations with consolidated billing. The finance team needs to allocate costs to different departments based on resource tags. However, some resources are not tagged. What is the most effective solution?

A.Use AWS Trusted Advisor to check for untagged resources.
B.Use Service Control Policies to deny creation of untagged resources.
C.Use AWS Cost Categories to create rules for untagged resources and AWS Budgets to alert when resources lack tags.
D.Use AWS Cost Explorer to filter by tags and manually identify untagged resources.
AnswerC

Cost Categories allocate costs; Budgets can trigger alerts for untagged resources.

Why this answer

Option C is correct because AWS Cost Categories allow allocation based on rules, and AWS Budgets can notify when untagged resources are created. Option D is wrong because Cost Explorer alone cannot enforce tagging. Option B is wrong because SCPs cannot enforce tagging on all resources.

Option A is wrong because Trusted Advisor does not enforce tagging.

30
MCQeasy

A company uses AWS Organizations with a single OU. The management account has a service control policy (SCP) that denies all actions on EC2 instances with a specific tag. However, users in a member account can still terminate tagged instances. What is the most likely cause?

A.The SCP is attached to the root, not the OU.
B.The users have a permissions boundary that allows the actions.
C.The SCP's condition key does not match the actual tag.
D.The users are operating in the management account.
AnswerD

SCPs do not apply to the management account.

Why this answer

SCPs do not affect the management account in AWS Organizations. They can only restrict permissions in member accounts. Since the users are operating in the management account, the SCP denying EC2 termination based on a tag has no effect, allowing them to terminate the tagged instances.

Exam trap

The trap here is that candidates assume SCPs apply to all accounts in the organization, including the management account, but AWS explicitly exempts the management account from SCP evaluation.

How to eliminate wrong answers

Option A is wrong because attaching the SCP to the root or the OU does not change its applicability—SCPs apply to all member accounts under the root or OU, but never to the management account. Option B is wrong because a permissions boundary can only restrict, not allow, actions beyond what the SCP denies; SCPs are an outer boundary that overrides any IAM permissions, including boundaries. Option C is wrong because if the condition key did not match the actual tag, the SCP would not deny the action, but the question states the SCP is designed to deny actions on EC2 instances with a specific tag; the most likely cause given the scenario is that users are in the management account, not a condition mismatch.

31
MCQhard

A company has a multi-account AWS environment and uses AWS Organizations. The security team wants to automatically remediate non-compliant resources, such as S3 buckets that are publicly accessible. Which design should they implement?

A.Use Amazon Inspector to scan for public buckets.
B.Use an SCP to deny making buckets public.
C.Use AWS Config rules to detect public buckets and trigger an AWS Lambda function to make them private.
D.Use AWS CloudTrail to send alerts when a bucket becomes public.
AnswerC

Config rules can invoke Lambda for remediation.

Why this answer

Option C is correct because AWS Config rules can continuously evaluate S3 bucket configurations against a custom or managed rule (e.g., 's3-bucket-public-read-prohibited'). When a bucket is detected as publicly accessible, the rule can invoke an AWS Lambda function via an Amazon CloudWatch Events event to automatically apply a bucket policy that removes public access, achieving automated remediation.

Exam trap

The trap here is that candidates often confuse preventive controls (SCPs) with detective and corrective controls (AWS Config + Lambda), assuming SCPs can automatically fix existing non-compliant resources, when in reality SCPs only block future API actions and do not remediate current state.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is designed for vulnerability management and network accessibility assessments of EC2 instances, containers, and Lambda functions, not for scanning S3 bucket public access configurations. Option B is wrong because Service Control Policies (SCPs) can only deny or allow API actions at the account level (e.g., s3:PutBucketPolicy), but they cannot remediate already-public buckets; they prevent future changes but do not fix existing non-compliant resources. Option D is wrong because AWS CloudTrail logs API calls and can send alerts via CloudWatch alarms when a bucket becomes public, but it does not provide automated remediation; it only notifies, leaving the security team to manually fix the issue.

32
MCQmedium

Refer to the exhibit. An administrator runs this command and sees the output. Which statement about the accounts is correct?

A.The Suspended account was invited to the organization.
B.The Production account is the management account.
C.The Suspended account cannot be used until it is reactivated.
D.The Management account was created directly.
AnswerC

Suspended accounts are not active and must be reactivated.

Why this answer

The command output shows the account status as 'SUSPENDED'. In AWS Organizations, a suspended account cannot be used for any AWS operations until it is reactivated by the management account. This is a hard state enforced by the service, regardless of how the account was added to the organization.

Exam trap

The trap here is that candidates often confuse account status (SUSPENDED) with the method of account creation (invited vs. created), leading them to incorrectly infer that a suspended account must have been invited, when in fact suspension is independent of how the account joined the organization.

How to eliminate wrong answers

Option A is wrong because a suspended account is not necessarily one that was invited; it could have been created directly or invited and then suspended. The status alone does not indicate the invitation method. Option B is wrong because the 'Production' account is listed as a member account (not the management account), as the management account is the one that initiated the organization and is not shown in the list of member accounts.

Option D is wrong because the management account is the original account that created the organization; it is not 'created directly' within the organization — it is the root account that already existed before the organization was formed.

33
MCQmedium

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A.Use a VPN connection from each application VPC to the shared VPC.
B.Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.
C.Use VPC peering between the shared VPC and each application VPC.
D.Create IAM roles in each application account that allow the networking team to create VPC attachments.
AnswerB

RAM allows sharing the Transit Gateway, and the networking team can accept or reject attachments via RAM.

Why this answer

AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource-based policies to grant access only to designated accounts, and scalable because it avoids the administrative overhead of managing individual VPNs or VPC peering connections as the number of application VPCs grows.

Exam trap

The trap here is that candidates often confuse IAM permissions (Option D) with resource-based sharing via RAM, thinking that granting IAM roles to create attachments is sufficient, but RAM provides explicit authorization at the resource level, which is more secure and scalable for cross-account access.

How to eliminate wrong answers

Option A is wrong because using a VPN connection from each application VPC to the shared VPC introduces unnecessary complexity, latency, and bandwidth limitations compared to using a Transit Gateway, and it does not scale well as the number of VPCs increases. Option C is wrong because VPC peering requires a one-to-one connection between each application VPC and the shared VPC, which does not scale and creates a mesh of connections that is difficult to manage, and it also does not provide centralized routing or transitive connectivity. Option D is wrong because creating IAM roles in each application account that allow the networking team to create VPC attachments does not control which VPCs can connect; it only grants permission to create attachments, but any VPC in the application account could potentially attach, and it does not enforce authorization at the resource level like RAM does.

34
Multi-Selecthard

A company has a multi-account environment and wants to centralize logging for all AWS API calls. Which TWO services should they use together to achieve this?

Select 2 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.Amazon GuardDuty
D.Amazon S3
E.AWS Config
AnswersA, B

Logs API calls.

Why this answer

AWS CloudTrail is the service that records all AWS API calls made in an account, capturing the who, what, when, and source IP for every action. To centralize these logs from multiple accounts into a single location, you can configure CloudTrail to deliver log files to a centralized Amazon S3 bucket, and then use Amazon CloudWatch Logs to monitor, search, and alert on those API events in real time. Together, they provide a complete, centralized logging and monitoring solution for API activity across a multi-account environment.

Exam trap

The trap here is that candidates often confuse Amazon S3 as a logging service rather than a storage destination, or they mistakenly think GuardDuty or AWS Config can replace CloudTrail for capturing API calls.

35
MCQhard

Refer to the exhibit. A company applies this SCP to all accounts in an AWS Organization. What is the effect of this policy?

A.Allows only t3.micro and t3.small instances to be launched.
B.Denies launching instances that are not t3.micro or t3.small for IAM users and roles, but not root.
C.Has no effect because SCPs cannot deny actions.
D.Denies launching any instance except t3.micro and t3.small for all users including root.
AnswerB

SCPs apply to IAM users and roles, not to root user.

Why this answer

The SCP uses a Deny effect with a condition that denies any ec2:RunInstances action unless the instance type is t3.micro or t3.small. However, SCPs do not affect the root user of the management account because SCPs cannot restrict the root user in the management account. Therefore, the policy denies launching non-compliant instance types for IAM users and roles, but not for that root user.

Exam trap

The trap here is that candidates often forget that SCPs do not apply to the root user of the management account, leading them to incorrectly assume the policy denies all users including root.

How to eliminate wrong answers

Option A is wrong because the SCP does not allow only those instance types; it denies all others, but the effect is a deny, not an allow, and it does not apply to root. Option C is wrong because SCPs can deny actions; they are a type of policy that can explicitly deny API actions. Option D is wrong because SCPs do not apply to the root user in the management account; root is exempt from SCP restrictions.

36
MCQmedium

A company has a centralized logging solution using Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) in a central logging account. Application logs from hundreds of EC2 instances across multiple accounts are shipped to the OpenSearch cluster via Amazon Kinesis Data Firehose. The security team requires that all log data be encrypted at rest and in transit. The logging account has a KMS key used to encrypt the OpenSearch cluster and the Firehose delivery stream. Recently, the security team noticed that some log deliveries are failing with 'AccessDenied' errors. The CloudWatch Logs delivery to Firehose is configured correctly. What is the most likely cause of the failure?

A.The CloudWatch Logs subscription filter does not have permissions to write to Firehose.
B.The OpenSearch cluster's access policy denies write access from the Firehose stream.
C.The KMS key policy does not grant the Firehose delivery stream permission to use the key for encryption.
D.The Firehose delivery stream does not have a TLS certificate configured.
AnswerC

Firehose needs kms:Encrypt and kms:Decrypt permissions on the key.

Why this answer

The most likely cause is that the KMS key policy does not grant the Firehose delivery stream permission to use the key for encryption. Even though the CloudWatch Logs subscription filter is correctly configured to send data to Firehose, Firehose must have kms:Decrypt and kms:GenerateDataKey permissions on the KMS key to encrypt the data at rest in the OpenSearch cluster and in transit. Without these permissions, Firehose cannot encrypt the data, resulting in 'AccessDenied' errors.

Exam trap

The trap here is that candidates often assume the error is due to network or access policies (Options A or B) rather than recognizing that KMS key policies must explicitly grant encryption permissions to intermediate services like Firehose, which is a subtle but critical requirement for encrypted log pipelines.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that the CloudWatch Logs delivery to Firehose is configured correctly, meaning the subscription filter already has the necessary permissions to write to Firehose. Option B is wrong because the OpenSearch cluster's access policy controls access to the cluster itself, not the Firehose delivery stream's ability to write; the error occurs before data reaches OpenSearch, during Firehose's encryption step. Option D is wrong because TLS certificates are used for encrypting data in transit between Firehose and OpenSearch, but the 'AccessDenied' error is related to KMS permissions, not TLS configuration; Firehose automatically uses TLS for data delivery to OpenSearch.

37
Multi-Selecthard

A company has a centralized logging account and multiple member accounts. The member accounts generate VPC Flow Logs that need to be sent to a central S3 bucket in the logging account. Which TWO steps must be taken to enable this cross-account delivery?

Select 2 answers
A.Add a bucket policy on the central S3 bucket that grants the service principal 'delivery.logs.amazonaws.com' s3:PutObject permission.
B.Create an IAM role in the logging account that the member accounts can assume to put objects.
C.Create an S3 bucket in each member account to receive Flow Logs, and replicate to the central bucket.
D.Configure VPC Flow Logs in each member account to deliver to the central S3 bucket.
E.Enable AWS CloudTrail in the management account to aggregate logs.
AnswersA, D

This allows the Flow Logs service to write to the bucket.

Why this answer

Option D is correct because VPC Flow Logs can be published directly to a cross-account S3 bucket, provided the bucket policy allows the delivery service. Option A is correct because the bucket policy must grant the VPC Flow Logs service principal (delivery.logs.amazonaws.com) permission to write. Option C is wrong because the bucket should be in the logging account, not in member accounts.

Option B is wrong because IAM roles are not used for VPC Flow Logs delivery. Option E is wrong because the management account is not needed for this setup.

38
MCQhard

A company has a multi-account AWS environment. The security team wants to centrally manage VPC flow logs for all accounts. They already have a centralized logging account. What is the MOST scalable solution?

A.Deploy a third-party log collector agent on each EC2 instance.
B.Configure AWS Transit Gateway to aggregate flow logs.
C.Use a CloudFormation StackSet to deploy VPC Flow Logs to an S3 bucket in the central account using bucket policies.
D.Enable VPC Flow Logs in each account and publish to a CloudWatch Logs group in the central account.
AnswerC

StackSet can create flow logs with cross-account delivery to a central S3 bucket.

Why this answer

Using a StackSet to create VPC Flow Logs that deliver to a central S3 bucket via cross-account bucket permissions is scalable. Option A is wrong because per-instance agents add cost and complexity. Option B is wrong because Transit Gateway doesn't centralize VPC Flow Logs.

Option D is wrong because it requires per-VPC setup in every account.

39
MCQhard

A company manages multiple AWS accounts using AWS Organizations. They want to enforce that any EC2 instance launched with a public IP address must have a specific security group attached. What is the MOST effective way to enforce this?

A.Create an IAM policy that requires the security group when launching instances with a public IP.
B.Use AWS Config rules to detect non-compliant instances and automatically terminate them.
C.Use AWS CloudFormation StackSets to deploy a template that only allows instances with the required security group.
D.Apply a service control policy (SCP) that denies ec2:RunInstances when the instance has a public IP and does not include the required security group.
AnswerD

Prevents non-compliant launches.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts in the organization. By crafting an SCP with a condition that denies ec2:RunInstances when the instance has a public IP (using ec2:AssociatePublicIpAddress) and does not include the required security group (using ec2:SecurityGroup), you can proactively prevent non-compliant instances from being launched at the API level, rather than detecting and remediating after the fact.

Exam trap

The trap here is that candidates often choose AWS Config (Option B) because it is a well-known compliance tool, but they overlook that Config is reactive (detect and remediate) rather than proactive (prevent at the API call), which is the key distinction for 'enforce' in this question.

How to eliminate wrong answers

Option A is wrong because IAM policies are attached to users, roles, or groups and cannot enforce conditions based on the instance's runtime configuration (like public IP assignment) at the time of launch across all accounts in an organization; they also cannot prevent launches by users with full admin privileges. Option B is wrong because AWS Config rules are detective, not preventive—they can detect non-compliant instances and trigger auto-remediation (e.g., termination), but this allows a window of non-compliance and potential cost/security exposure before remediation. Option C is wrong because CloudFormation StackSets deploy templates but cannot enforce a blanket policy across all accounts; users with sufficient IAM permissions can still launch instances manually via the console, CLI, or SDK outside of CloudFormation, bypassing the template's constraints.

40
MCQhard

A company has a multi-account AWS environment with over 500 accounts managed through AWS Organizations. The accounts are organized into OUs by business unit. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled (SSE-S3 or SSE-KMS). They also want to automatically remediate any existing non-compliant buckets and prevent creation of new non-compliant buckets. Currently, there is no centralized logging or monitoring. The team has tried using AWS Config rules with auto-remediation, but they found that Config rules are not triggered for buckets created before the rule was enabled, and some teams are creating buckets via AWS CloudFormation that bypass the Config rule evaluation. The team needs a solution that covers all buckets, regardless of creation method or time. What should the team do?

A.Use AWS CloudFormation StackSets to deploy a bucket template that enforces encryption across all accounts.
B.Apply an SCP that denies s3:CreateBucket if encryption is not specified, and use AWS Config rules with Lambda auto-remediation to fix existing non-compliant buckets.
C.Use AWS CloudTrail to detect non-compliant bucket creation and send alerts to administrators.
D.Use S3 bucket policies to deny PutObject if encryption is not set.
AnswerB

SCP prevents new non-compliant buckets; Config remediates existing ones.

Why this answer

Option B is correct because an SCP applied at the root or OU level can deny s3:CreateBucket when encryption settings are not specified, preventing creation of non-compliant buckets regardless of the method (console, CLI, CloudFormation). For existing non-compliant buckets, AWS Config rules with Lambda auto-remediation can scan and fix them, and Config rules can be configured to evaluate all existing resources by running a manual or scheduled evaluation after the rule is enabled, addressing the gap where buckets created before the rule was enabled were not evaluated.

Exam trap

The trap here is that candidates often assume AWS Config rules automatically evaluate all existing resources when enabled, but they only evaluate resources on configuration changes after enablement unless a manual or scheduled evaluation is triggered, leading to the misconception that Config alone cannot cover pre-existing buckets.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can deploy templates but cannot enforce encryption on buckets created outside of CloudFormation, and teams can still create buckets via other methods (console, CLI) that bypass the template. Option C is wrong because CloudTrail only detects and alerts on bucket creation events but does not prevent creation of non-compliant buckets or remediate existing ones, leaving the security gap open. Option D is wrong because S3 bucket policies can deny PutObject without encryption but do not enforce encryption at the bucket level (SSE-S3 or SSE-KMS) during bucket creation, and they cannot prevent creation of buckets without encryption settings.

41
Multi-Selectmedium

A company has multiple AWS accounts. They want to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should be taken to enforce this across all accounts?

Select 2 answers
A.Use AWS CloudTrail to detect console logins without MFA and send alerts.
B.Attach an SCP that denies all AWS actions if the aws:MultiFactorAuthPresent condition is false.
C.Require each IAM user to have a virtual MFA device assigned.
D.Create an IAM group for users without MFA and deny them console access.
E.Attach an IAM policy to all users that denies console access if MFA is not present.
AnswersB, E

This denies actions when MFA is not used.

Why this answer

Option B is correct because AWS Organizations Service Control Policies (SCPs) can be applied to all accounts in the organization to centrally enforce that any API action is denied unless the request includes MFA. By using the `aws:MultiFactorAuthPresent` condition key set to `false`, the SCP effectively blocks all AWS actions (including console login) for any principal that has not authenticated with MFA. This ensures a blanket, unmodifiable guard across all member accounts, even preventing account administrators from bypassing the requirement.

Exam trap

The trap here is that candidates often confuse detection (CloudTrail) with enforcement (SCP or IAM policy), or they assume that assigning an MFA device is sufficient without a corresponding deny policy, leading them to pick options that only monitor or partially enforce the requirement.
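An SCP that implements the deny-unless-MFA pattern the explanation describes, added here as an illustration for this page (it follows AWS's documented pattern; it is not a policy from the question bank). The statement uses `BoolIfExists` so that requests signed with long-term access keys, where `aws:MultiFactorAuthPresent` is absent from the request context, are denied as well as requests where the key is present and false; the `NotAction` list leaves open only the IAM and STS calls a user needs to enrol a device and obtain MFA-backed session credentials. The `Sid` value is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two things to check before attaching this at the root: SCPs never apply to the management account, so its users need separate coverage, and any role session obtained without MFA (a CI/CD or automation role, for example) is denied too, which is usually not intended. Test it on a non-production OU first. Written with `Bool` instead of `BoolIfExists`, the condition would not match requests made with long-term access keys, and those would slip through.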

42
MCQeasy

A company wants to implement a centralized logging solution for all AWS accounts in AWS Organizations. The logs include CloudTrail, VPC Flow Logs, and AWS Config configuration items. Which approach provides the MOST scalable and cost-effective solution?

A.Configure each account to deliver logs to a central Amazon S3 bucket in a logging account, and use S3 Lifecycle policies to transition logs to Amazon S3 Glacier.
B.Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon S3 bucket.
C.Configure each account to deliver logs to its own S3 bucket and use S3 Replication to copy logs to a central bucket.
D.Send logs to Amazon CloudWatch Logs in each account and use cross-account CloudWatch Logs subscription filters to forward logs to a central account.
AnswerA

S3 is cost-effective for central log storage.

Why this answer

Option A is correct because cross-account delivery to a central S3 bucket with S3 Lifecycle policies minimizes storage costs and centralizes logs. Option D is wrong because CloudWatch Logs in each account requires separate retention and is not as cost-effective for long-term storage. Option B is wrong because Kinesis Data Firehose is more expensive and adds complexity. Option C is wrong because S3 Replication incurs additional costs.

43
Multi-Selectmedium

A company wants to implement AWS Organizations with multiple OUs to isolate development, testing, and production workloads. The company needs to ensure that production workloads are not impacted by changes in other OUs. Which TWO practices should the company follow? (Choose two.)

Select 2 answers
A.Allow all users to assume cross-account roles for easier management.
B.Share the same VPC across all OUs to simplify networking.
C.Use separate AWS accounts for each environment to provide strong isolation.
D.Use resource tagging to isolate environments instead of accounts.
E.Apply separate SCPs to each OU to enforce different security policies.
AnswersC, E

Separate accounts provide the best isolation between environments.

44
MCQhard

An SCP is attached to a production OU. An IAM user in a member account under that OU attempts to launch an m5.large EC2 instance. What happens?

A.The launch succeeds because the condition evaluates to true.
B.The launch succeeds because the SCP only denies StartInstances.
C.The launch fails because the SCP denies the action.
D.The launch succeeds because the SCP allows all instance types except t3.micro.
AnswerC

The condition matches, so the deny is applied.

Why this answer

Option C is correct because the SCP denies RunInstances if the instance type is not t3.micro. Since m5.large is not t3.micro, the action is denied. Option A is wrong because the SCP denies the action.

Option B is wrong because the condition denies non-t3.micro instances. Option D is wrong because the SCP does not allow; it denies.

45
MCQmedium

A company is using AWS Organizations and wants to allow only specific AWS services to be used in member accounts. The security team needs to block the use of Amazon EC2 and Amazon RDS, but allow all other services. Which SCP configuration should be used?

A.Deny effect with "*" as the action.
B.Deny effect with NotAction set to ec2:* and rds:*.
C.Allow effect with ec2:* and rds:* as the actions.
D.Deny effect with ec2:* and rds:* as the actions.
AnswerD

This denies all EC2 and RDS operations.

Why this answer

Option D is correct because AWS SCPs use an explicit deny to block specific services. By applying a Deny effect with ec2:* and rds:* as the actions, the SCP will block all operations for Amazon EC2 and Amazon RDS in the member accounts, while allowing all other services by default (since SCPs do not grant permissions; they only filter what is allowed by IAM policies).

Exam trap

The trap here is that candidates confuse NotAction with a targeted deny, mistakenly thinking it blocks only the specified services, when in fact NotAction denies everything except those services.

How to eliminate wrong answers

Option A is wrong because a Deny effect with '*' as the action would block all AWS services, not just EC2 and RDS. Option B is wrong because NotAction with ec2:* and rds:* would deny everything except EC2 and RDS, which is the opposite of the requirement. Option C is wrong because an Allow effect in an SCP does not override an implicit deny; SCPs are deny-only filters and cannot grant permissions, so this would not block EC2 and RDS.

46
MCQeasy

A company has a management account and several member accounts in AWS Organizations. They want to allow a developer in a member account to create an organization trail. What should they do?

A.Register the member account as a delegated administrator for CloudTrail in AWS Organizations.
B.Create a resource-based policy on the CloudTrail service to allow the member account to create trails.
C.Create an IAM role in the management account and grant the developer permission to assume it.
D.Attach an SCP to the member account that allows CloudTrail actions.
AnswerA

Allows the member account to create organization trails.

Why this answer

Option A is correct because registering a member account as a delegated administrator for CloudTrail in AWS Organizations allows that account to create organization trails on behalf of the management account. This delegation grants the member account the necessary permissions to call CreateTrail with the OrganizationTrail parameter set to true, which is required for organization-wide logging.

Exam trap

The trap here is that candidates often assume creating an IAM role in the management account (Option C) is sufficient, but they miss that organization trails require the member account to be explicitly registered as a delegated administrator in AWS Organizations to bypass the default restriction that only the management account can create organization trails.

How to eliminate wrong answers

Option B is wrong because CloudTrail does not support resource-based policies; it uses IAM policies and service-linked roles for access control. Option C is wrong because while an IAM role in the management account could be assumed, this approach does not enable the member account to create an organization trail directly—organization trails require the member account to be a delegated administrator or have explicit permissions from Organizations. Option D is wrong because SCPs are used to restrict permissions, not to grant them; attaching an SCP that allows CloudTrail actions would not grant the developer the ability to create an organization trail without additional IAM permissions.

47
MCQhard

A global company with 50 AWS accounts uses AWS Organizations and wants to centralize CloudTrail logs. The security team requires that all accounts send their CloudTrail logs to a central S3 bucket in the audit account. Which combination of steps will ensure this?

A.Use AWS Config to forward logs to a central S3 bucket.
B.Enable CloudTrail in each account and use AWS Organizations to aggregate logs.
C.Create a CloudTrail trail in the audit account that logs all accounts via CloudWatch Logs.
D.Create a CloudTrail trail in the audit account with an S3 bucket, and add a bucket policy that grants cross-account permissions for each member account to deliver logs. Then configure each member account to use the same trail.
AnswerD

This is the standard cross-account CloudTrail setup.

Why this answer

Option D is correct because it uses a single CloudTrail trail in the audit account with a central S3 bucket, and the bucket policy grants the necessary s3:PutObject permissions to each member account's CloudTrail service principal. Each member account then configures CloudTrail to use the same trail (the audit account's trail), which allows CloudTrail to deliver logs from all accounts to the central bucket without requiring separate trails or manual log forwarding.

Exam trap

The trap here is that candidates often think they need to enable CloudTrail in each account individually (Option B) or use a different service like AWS Config (Option A), when the correct approach is to create a single organization trail in the audit account with cross-account permissions and have member accounts reference that trail.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing service, not a log delivery mechanism; it cannot forward CloudTrail logs to an S3 bucket. Option B is wrong because enabling CloudTrail in each account individually would create separate trails and separate log deliveries, not centralize logs into a single bucket; AWS Organizations can aggregate trails only when a single organization trail is created from the management account. Option C is wrong because CloudTrail cannot log all accounts via CloudWatch Logs; CloudWatch Logs is a destination for CloudTrail logs, not a mechanism to aggregate logs from multiple accounts.

48
MCQmedium

A company has multiple AWS accounts managed via AWS Control Tower. The DevOps team wants to deploy a shared CI/CD pipeline that can deploy applications across all accounts. The pipeline must use the same source repository and artifact store. What is the MOST secure and scalable approach?

A.Deploy the pipeline in a central DevOps account. Use cross-account IAM roles to deploy to target accounts.
B.Create a separate pipeline in each account using the same source repository.
C.Use AWS CodePipeline with cross-account actions by assuming IAM roles in each target account.
AnswerA, C

Central pipeline with cross-account roles provides centralized control and secure access.

Why this answer

Option A is correct because deploying the pipeline in a central DevOps account and using cross-account IAM roles to deploy to target accounts follows the principle of least privilege and centralizes management. This approach avoids duplicating resources, ensures a single source of truth for the source repository and artifact store, and scales easily as new accounts are added via AWS Control Tower. Cross-account IAM roles allow the pipeline to assume a role in each target account with scoped permissions, eliminating the need for long-term credentials.

Exam trap

The trap here is that candidates may confuse 'cross-account actions' (Option C) with the central DevOps account pattern (Option A), not realizing that Option A explicitly describes the recommended architecture for AWS Control Tower environments, while Option C is a generic feature that could be implemented without a dedicated central account, which is less secure and scalable.

How to eliminate wrong answers

Option B is wrong because creating a separate pipeline in each account duplicates infrastructure, increases management overhead, and does not use a shared artifact store or source repository consistently, leading to potential drift and inconsistency. Option C is wrong because while it mentions cross-account actions, it is essentially the same as Option A but less specific about the central account pattern; however, the question asks for the MOST secure and scalable approach, and Option A explicitly describes the best practice of a central DevOps account with cross-account IAM roles, which is more aligned with AWS Control Tower's multi-account governance model than simply using cross-account actions in CodePipeline without a dedicated central account.

49
MCQmedium

A company is using AWS Organizations and wants to centralize the management of Amazon EC2 instance security groups. The security team needs to enforce that certain ports are not open to the internet across all accounts. The company currently uses AWS Firewall Manager. Which approach should the security team use to enforce this policy?

A.Use AWS Config rules to detect non-compliant security groups and trigger a Lambda function to remediate.
B.Use AWS Firewall Manager to create a security group policy that defines rules, and apply it across all accounts. Firewall Manager will automatically create and manage security groups.
C.Use AWS Firewall Manager to audit security groups against a baseline policy and generate reports.
D.Use an SCP to deny ec2:AuthorizeSecurityGroupIngress for ports that should not be open.
AnswerB

Firewall Manager can enforce security group rules centrally.

Why this answer

AWS Firewall Manager can centrally create, apply, and manage security group policies across all accounts in an AWS Organization. By defining a security group policy with rules that block specific ports from 0.0.0.0/0, Firewall Manager automatically creates the required security groups and attaches them to the designated resources, ensuring compliance without manual intervention. This approach directly enforces the policy rather than just detecting or reporting violations.

Exam trap

The trap here is that candidates often confuse AWS Firewall Manager's audit-only mode (which generates reports) with its enforcement mode (which automatically creates and manages security groups), leading them to choose the reporting option instead of the correct enforcement option.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with Lambda remediation are reactive—they detect non-compliant resources after creation and then attempt to fix them, which is not a preventive enforcement mechanism and can introduce latency or race conditions. Option C is wrong because auditing and generating reports only provides visibility into non-compliance but does not actively enforce the policy or prevent insecure security groups from being used. Option D is wrong because SCPs cannot deny specific API actions like ec2:AuthorizeSecurityGroupIngress based on port numbers or IP ranges; SCPs operate at the API action level and cannot inspect the parameters of the request, so they cannot block opening a specific port to the internet.

50
MCQeasy

A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?

A.Create an IAM policy that requires tags on all resources and attach it to all IAM users.
B.Configure CloudFormation to reject any stack that does not include tags.
C.Define stack-level tags in CloudFormation templates and use an SCP to deny creation of stacks without required tags.
D.Use AWS Config to detect resources without tags and automatically remediate using Systems Manager Automation.
AnswerC

SCPs can enforce that all stacks have required tags, and stack-level tags propagate to resources.

Why this answer

Using CloudFormation stack-level tags with a service control policy (SCP) that requires tags is the correct approach. Option A is incorrect because IAM policies cannot enforce tags on resources created by CloudFormation. Option D is incorrect because AWS Config can detect but not enforce. Option B is incorrect because CloudFormation does not natively enforce tag propagation without additional mechanisms.

51
MCQmedium

A company wants to centralize access control for multiple AWS accounts using AWS Organizations. They need to allow developers in a specific account to launch EC2 instances only in certain regions. What is the most scalable solution?

A.Create an IAM role in each account with a policy to deny non-compliant regions.
B.Use AWS Config rules to detect and terminate instances in non-compliant regions.
C.Use an SCP attached to the organizational unit to deny EC2 actions in non-compliant regions.
D.Create an IAM policy in each account to deny non-compliant regions.
AnswerC

SCPs provide centralized policy enforcement across accounts in an organization.

Why this answer

Option C is correct because SCPs allow you to centrally control the maximum available permissions for all accounts in an organization, enabling region restrictions at the organizational level. Option D is wrong because IAM policies in individual accounts are harder to manage across many accounts. Option B is wrong because AWS Config does not enforce policies; it only checks compliance. Option A is wrong because Service Control Policies (SCPs) are the correct mechanism for this, not IAM roles.
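An SCP of the kind option C describes, added as an illustration for this page (constructed here, not taken from the question bank). It denies all EC2 actions unless the request targets one of the allowed regions, using the global condition key `aws:RequestedRegion`; the region list and the `Sid` are assumptions. The Q45 SCP that blocks Amazon EC2 and Amazon RDS outright has the same shape with `"rds:*"` added to `Action` and the `Condition` block removed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2OutsideApprovedRegions",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

The `Action` versus `NotAction` distinction from Q45 applies here as well: `"Action": "ec2:*"` targets only EC2, whereas `"NotAction": "ec2:*"` with the same condition would deny every other service outside the allowed regions, including global services such as IAM and STS, which is why AWS's general region-restriction SCP pairs `NotAction` with an explicit list of global services to exempt. Attach the policy to the OU, and remember that the member account's own IAM policies still have to grant the EC2 permissions in the allowed regions; the SCP only bounds them.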

52
MCQeasy

A company uses AWS Organizations and wants to centrally manage backups for EC2 instances across multiple accounts. They want to create a backup plan that backs up all EC2 instances tagged with Backup=Weekly. The backup must be stored in a central backup vault in the management account. Which solution meets these requirements?

A.Create a backup plan in each account targeting the tagged instances and store backups in the management account's vault using cross-account backup.
B.Use AWS CloudFormation StackSets to deploy a backup plan to each account.
C.Use AWS Backup with a backup policy in AWS Organizations to centrally manage backups across accounts.
D.Use Amazon Data Lifecycle Manager to create cross-account snapshot copies for tagged instances.
AnswerC

Backup policies can target resources by tags across accounts.

Why this answer

Option C is correct because AWS Backup can be configured across accounts using backup policies in AWS Organizations, which can apply a backup plan to resources in member accounts based on tags. Option A is wrong because AWS Backup does not have a central vault concept without cross-account backup policies. Option D is wrong because Data Lifecycle Manager is for EBS snapshots, not centralized backup management. Option B is wrong because CloudFormation StackSets do not manage backups dynamically based on tags.

53
MCQmedium

A company uses AWS Control Tower to manage a multi-account environment. They want to ensure that all accounts are enrolled in AWS Shield Advanced for DDoS protection. What is the MOST efficient way to achieve this?

A.Use AWS Control Tower Account Factory Customization to deploy a CloudFormation template that enables Shield Advanced.
B.Manually enable Shield Advanced in each account after creation.
C.Use AWS Config to detect accounts without Shield Advanced and send notifications.
D.Use AWS Organizations to create an SCP that requires Shield Advanced.
AnswerA

This automates the setup for all new and existing accounts.

Why this answer

AWS Control Tower Account Factory Customization (AFC) allows you to automatically apply AWS CloudFormation templates to accounts as they are created or updated in the landing zone. By deploying a CloudFormation template that subscribes each account to AWS Shield Advanced, you ensure consistent, automated DDoS protection across all accounts without manual intervention. This is the most efficient method because it integrates directly with the account provisioning lifecycle.

Exam trap

The trap here is that candidates often confuse SCPs with proactive resource provisioning, assuming an SCP can enable a service, when in reality SCPs only control permissions and cannot perform actions like subscribing to Shield Advanced.

How to eliminate wrong answers

Option B is wrong because manually enabling Shield Advanced in each account after creation is inefficient, error-prone, and does not scale in a multi-account environment. Option C is wrong because AWS Config can only detect non-compliance and send notifications; it cannot automatically enable Shield Advanced, so it requires additional manual or automated remediation steps, making it less efficient than a proactive deployment. Option D is wrong because AWS Organizations Service Control Policies (SCPs) can only restrict permissions (e.g., deny disabling Shield Advanced) but cannot enable a service or perform actions like subscribing to Shield Advanced; SCPs are not capable of provisioning resources.

54
MCQeasy

A company has multiple AWS accounts managed through AWS Organizations. The security team requires that all VPC flow logs be enabled in every account and region. What is the MOST efficient way to enforce this requirement?

A.Apply a service control policy (SCP) that requires all VPCs to have flow logs enabled.
B.Use AWS CloudFormation StackSets to deploy a stack that enables VPC Flow Logs in every account and region.
C.Create an AWS Config rule in each account to check for flow logs and trigger an auto-remediation action.
D.Use AWS Service Catalog to create a VPC product that includes flow logs, and require accounts to use it.
AnswerB

StackSets can deploy stacks across accounts and regions from a single admin account.

Why this answer

AWS CloudFormation StackSets allows you to deploy a single CloudFormation template across multiple accounts and regions in a single operation, making it the most efficient way to enforce VPC Flow Logs across all accounts and regions. This approach ensures consistent configuration without requiring manual per-account or per-region setup, and it integrates with AWS Organizations for automated deployment to new accounts.

Exam trap

The trap here is that candidates often confuse SCPs with resource policies, thinking they can enforce resource configurations, but SCPs only control IAM permissions and cannot directly enable features like VPC Flow Logs.

How to eliminate wrong answers

Option A is wrong because SCPs cannot enforce resource configurations like enabling VPC Flow Logs; they only restrict permissions (e.g., deny actions) and cannot create or modify resources. Option C is wrong because while an AWS Config rule can detect non-compliant VPCs and trigger auto-remediation, it is reactive and requires each account to have the rule deployed, making it less efficient than a proactive, centralized deployment. Option D is wrong because AWS Service Catalog provides a pre-approved product template but does not enforce its use; accounts can still create VPCs without flow logs, so it does not guarantee compliance.

55
Multi-Selectmedium

A company is using AWS Organizations with a centralized logging account. They want to collect VPC Flow Logs from all member accounts into a single S3 bucket in the logging account. Which TWO steps are required to achieve this?

Select 2 answers
A.Create a bucket policy in the logging account that grants the member accounts permission to write flow logs.
B.Attach an SCP to the logging account that allows PutObject to the bucket.
C.Configure the bucket policy to include a condition that the principal is the VPC Flow Logs service.
D.Use AWS Resource Access Manager (RAM) to share the bucket with member accounts.
E.Attach an SCP to the member accounts that allows them to create flow logs.
AnswersA, C

Bucket policy allows cross-account writes.

Why this answer

Options A and C are correct. Option A: VPC Flow Logs can be published to a central bucket using a bucket policy that allows the member accounts to write. Option C: the bucket policy must grant s3:PutObject permissions to the member accounts' VPC Flow Logs service principal.

Option B is wrong because bucket policies cannot be applied via SCP. Option E is wrong because SCPs cannot be attached to resources. Option D is wrong because sharing the bucket via RAM is not needed; a bucket policy suffices.
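A bucket policy for the central logging bucket that covers both deliveries discussed on this page, the CloudTrail trail of Q47 and the VPC Flow Logs of Q55, added as an illustration rather than copied from the question bank. Each service principal gets the `s3:GetBucketAcl` check and the `s3:PutObject` write the service performs; `aws:SourceAccount` and `aws:SourceArn` limit which member accounts and which trail may deliver, and `s3:x-amz-acl` requires bucket-owner-full-control so the logging account owns the objects. The bucket name, account IDs, organization ID and trail ARN are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-logs-example",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail-example"
        }
      }
    },
    {
      "Sid": "CloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::central-logs-example/AWSLogs/111111111111/*",
        "arn:aws:s3:::central-logs-example/AWSLogs/o-exampleorgid/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail-example"
        }
      }
    },
    {
      "Sid": "FlowLogsAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-logs-example",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["222222222222", "333333333333"]
        }
      }
    },
    {
      "Sid": "FlowLogsWrite",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-logs-example/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": ["222222222222", "333333333333"]
        }
      }
    }
  ]
}
```

The `aws:SourceAccount` and `aws:SourceArn` conditions are the part to look for in review: the service principal is the same in every AWS account, so without them any account that learns the bucket name could point its own flow logs or trail at the bucket. With the conditions in place, a delivery from an account outside the list is refused even though the principal matches.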

56
MCQhard

A company has a complex AWS environment with hundreds of accounts. They want to implement a tagging strategy that allows them to track costs by department and project. The tags must be propagated from resources to cost reports automatically. Which approach meets these requirements with minimal ongoing maintenance?

A.Create a CloudFormation template that applies tags to all resources and deploy it via StackSets.
B.Use AWS Organizations tag policies to enforce required tags on resources, and activate cost allocation tags in the management account.
C.Use AWS Config rules to detect untagged resources and trigger a Lambda function to add tags.
D.Use AWS Cost Explorer to filter by resource tags after they are manually applied.
AnswerB

Tag policies enforce tags across accounts, and cost allocation tags, once activated in the management account, propagate to cost reports automatically.

Why this answer

Option B is correct because AWS Organizations tag policies allow you to define and enforce required tags across all accounts in the organization, ensuring consistent tagging. When you activate cost allocation tags in the management account, these tags are automatically propagated to AWS Cost Explorer and cost reports without any manual intervention or ongoing maintenance, meeting the requirement for minimal ongoing effort.

Exam trap

The trap here is that candidates often confuse reactive remediation (like Config rules with Lambda) with proactive enforcement (like tag policies), and overlook that cost allocation tags must be explicitly activated in the management account to appear in cost reports.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can only apply tags to resources created by CloudFormation stacks, not to resources created outside of CloudFormation or pre-existing resources, and maintaining templates for hundreds of accounts introduces significant ongoing overhead. Option C is wrong because AWS Config rules with Lambda remediation is a reactive, event-driven approach that adds tags after resource creation, which does not guarantee propagation to cost reports automatically and requires ongoing maintenance of Lambda functions and Config rules. Option D is wrong because Cost Explorer can only filter by tags that are already applied and activated; manually applying tags does not ensure automatic propagation to cost reports and requires manual effort, failing the minimal ongoing maintenance requirement.

57
MCQeasy

A company uses a central IT team to manage multiple AWS accounts. The team wants to provide developers with the ability to launch EC2 instances but restrict them to using only specific instance types. How should this be enforced?

A.Create a service control policy in AWS Organizations that restricts instance types for all accounts.
B.Use AWS Config to automatically terminate instances that are not of allowed types.
C.Create an IAM policy that denies ec2:RunInstances unless the instance type matches an allowed list, and attach it to the developers' IAM group.
D.Configure an S3 bucket policy that only allows specific instance types to be used.
AnswerC

IAM policies can restrict RunInstances actions based on instance type.

Why this answer

Option C is correct because an IAM policy with a condition key like ec2:InstanceType can deny or allow ec2:RunInstances based on specific instance types. This policy is attached to the developers' IAM group, ensuring that only permitted instance types can be launched, while still allowing other EC2 actions. This approach directly controls the API call at the IAM level, which is the most precise and scalable method for restricting resource creation across multiple accounts managed by a central IT team.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can restrict specific users or groups within an account, when in fact SCPs only set account-wide permission boundaries and require additional IAM policies to enforce fine-grained restrictions.

How to eliminate wrong answers

Option A is wrong because a service control policy (SCP) in AWS Organizations sets permissions boundaries for all accounts in the organization, but it cannot be used to restrict specific IAM users or groups within an account; it only defines the maximum allowed permissions for the entire account, and developers could still launch instances if the account-level permissions are not further restricted. Option B is wrong because AWS Config is a compliance and auditing service that can detect non-compliant instances and trigger remediation (e.g., termination), but it does not prevent the launch in real time; instances could be running and incurring costs before being terminated, and the termination itself might cause data loss or disruption. Option D is wrong because an S3 bucket policy controls access to S3 resources, not EC2 instance launches; it has no effect on the ec2:RunInstances API call and cannot restrict instance types.
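The policy statement that both Q44's SCP and Q57's IAM policy rely on, added as an illustration for this page (constructed here; it is not the policy from either question). It denies `ec2:RunInstances` whenever the requested instance type is not on an allowed list; the allowed types and the `Sid` are assumptions. The same statement works unchanged as an SCP attached to an OU or inside a customer-managed IAM policy attached to the developers' group.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesUnlessApprovedType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small"
          ]
        }
      }
    }
  ]
}
```

The `Resource` scoping is what makes this work in practice. `ec2:RunInstances` is authorized against several resource types in a single call (instance, image, volume, network interface, subnet, security group), and `ec2:InstanceType` exists only in the context of the instance resource. With `"Resource": "*"`, a negated operator such as `StringNotEquals` evaluates to true for the resources that lack the key, so every launch would be denied, not just launches of disallowed types. A Deny statement also only narrows permissions: the developers still need an Allow for `ec2:RunInstances` from an IAM policy in their account.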

58
MCQmedium

A company is migrating a legacy application to AWS. The application requires a static IP address that can be used for whitelisting by third-party partners. The application will be deployed in multiple Availability Zones for high availability. The company wants to use a load balancer to distribute traffic. The solution must provide a single static IP address that does not change even if the underlying instances are replaced. Which combination of services should the company use?

A. Use an Application Load Balancer (ALB) with a static Elastic IP address attached to the ALB.
B. Use AWS Global Accelerator with an ALB as the endpoint.
C. Use Amazon CloudFront with an ALB as the origin.
D. Use a Network Load Balancer (NLB) with Elastic IP addresses assigned to each subnet.
Answer: D

NLBs support static IPs via Elastic IPs.

Why this answer

Option D is correct because a Network Load Balancer (NLB) supports static IP addresses by allowing you to assign Elastic IP addresses to each Availability Zone subnet. This provides a single static IP per AZ that does not change even when backend instances are replaced, meeting the requirement for a fixed whitelisting address across multiple AZs.

Exam trap

The trap here is that candidates often assume an ALB can have a static IP attached because it is a common load balancer, but ALBs are Layer 7 and inherently use dynamic IPs, while only NLBs (Layer 4) support Elastic IP assignment per subnet.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer (ALB) does not support attaching Elastic IP addresses directly; ALBs are assigned dynamic DNS names and cannot provide a static IP. Option B is wrong because AWS Global Accelerator provides static anycast IP addresses but uses an ALB as an endpoint, which still requires the ALB's DNS name and does not give the ALB itself a static IP; the static IPs are at the accelerator level, not the load balancer. Option C is wrong because Amazon CloudFront provides static IP addresses for edge locations, but the origin (ALB) still uses a dynamic DNS name and does not receive a static IP; CloudFront is a CDN, not a load balancer for direct traffic distribution.

59. MCQ (medium)

A company is using AWS Organizations with a single OU for all production accounts. The security team wants to restrict the use of specific instance types across all accounts in the OU. They create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the allowed list. However, some accounts still launch disallowed instance types. What is the most likely cause?

A. The SCP only denies future API calls; it does not affect already running instances.
B. The SCP has a delay of up to 24 hours before it takes effect.
C. The SCP is not attached to the management account.
D. The SCP condition is incorrectly formatted; SCPs cannot evaluate instance types.
Answer: A

SCPs are preventive, not detective or corrective.

Why this answer

Option A is correct because SCPs cannot affect resources created before the SCP was applied. Option C is wrong because SCPs do not affect IAM users in the management account unless explicitly applied. Option B is wrong because SCPs take effect within minutes. Option D is wrong because SCPs can use conditions based on instance type.

60. MCQ (easy)

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by department. Each department has its own AWS account. Which feature should be used to map costs to departments?

A. Use cost allocation tags to tag resources with a department tag.
B. Use Amazon CloudWatch custom metrics to record department IDs.
C. Use service control policies (SCPs) to restrict costs per account.
D. Use AWS Budgets to create budgets per department.
Answer: A

Tags can be activated in AWS Cost Explorer to group costs.

Why this answer

Option A is correct because cost allocation tags are the standard method. Option B is wrong because CloudWatch is for monitoring, not cost tracking. Option C is wrong because SCPs are for permissions. Option D is wrong because Budgets can alert but not map costs.

61. MCQ (medium)

Refer to the exhibit. This bucket policy is applied to a central logging bucket in account 111111111111. Account 222222222222 wants to deliver CloudTrail logs to this bucket. However, log delivery fails. What is the MOST likely cause?

A. The resource ARN is incorrect.
B. The principal should be the CloudTrail service principal, not the root account of 111111111111.
C. The bucket policy requires the x-amz-acl header, which CloudTrail does not set.
D. The bucket policy does not allow s3:PutObject for the account 222222222222.
Answer: B

CloudTrail uses a service principal to write logs across accounts.

Why this answer

Option B is correct because CloudTrail uses a service principal, not the root account. Option D is wrong because the policy allows PutObject. Option C is wrong because CloudTrail delivers logs with bucket-owner-full-control. Option A is wrong because the resource is correct.

62. MCQ (medium)

A company is designing a cross-account backup strategy using AWS Backup. They have a central backup account that needs to manage backups for multiple member accounts. What is the minimal set of permissions required?

A. Create an IAM role in each member account that trusts the backup account and allows backup and restore actions.
B. Create a customer managed key in the backup account and share it with member accounts.
C. Grant the backup account full S3 access to member account buckets.
D. Enable AWS Config in member accounts to track backup compliance.
Answer: A

Cross-account role assumption is the standard pattern.

Why this answer

Option A is correct because AWS Backup requires cross-account role assumption and specific backup permissions. Option B is wrong because KMS permissions are needed only if using custom keys. Option C is wrong because S3 permissions are not required for backup. Option D is wrong because Config permissions are not needed.

63. MCQ (medium)

A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?

A. Create IAM roles in each account that deny non-encrypted S3 operations and attach to all users.
B. Create AWS Organizations service control policies (SCPs) that deny PutBucketPolicy with anonymous effects and PutObject without encryption.
C. Use S3 bucket policies with Deny statements for anonymous access and missing encryption.
D. Deploy AWS Config rules to detect unencrypted buckets and anonymous access, with auto-remediation using Lambda.
Answer: B

SCPs centrally enforce restrictions across all accounts, covering all users including root.

Why this answer

Option B is correct because SCPs can centrally deny actions across all accounts in an organization, enforcing encryption and blocking anonymous access without requiring changes to each account. Option A (IAM roles) requires per-account setup and cannot prevent root user actions. Option C (bucket policies) must be applied per bucket. Option D (AWS Config rules) can detect violations but not prevent them proactively.

64. MCQ (hard)

A large e-commerce company uses a multi-account AWS Organizations setup with a central logging account. The company has enabled AWS CloudTrail in all accounts and configured it to deliver logs to a centralized Amazon S3 bucket in the logging account. Recently, the security team noticed that some log files are missing for a period of 2 hours. The CloudTrail console shows that trails are still enabled and delivering to the bucket, but no new log files were created during that time. The team verified that there were API calls made during that period. Which action is most likely to resolve the issue and prevent recurrence?

A. Review the SCPs attached to the organization root; there might be a policy that denies CloudTrail actions.
B. Check the S3 bucket policy in the logging account to ensure it grants the required permissions to the CloudTrail service principal from all accounts.
C. Ensure that the KMS key used for encryption is accessible by the CloudTrail service.
D. Enable AWS Config to monitor CloudTrail delivery status and automatically restart the trail if logs are missing.
Answer: B

If the bucket policy inadvertently denies access, CloudTrail cannot write logs.

Why this answer

The most likely cause is that the S3 bucket policy in the central logging account does not grant the necessary permissions for CloudTrail from all accounts to write log files. Even though trails are enabled and appear to be delivering, a missing or misconfigured bucket policy can silently drop log deliveries when the CloudTrail service principal (cloudtrail.amazonaws.com) attempts to write objects. The security team verified API calls occurred, so the issue is at the delivery destination, not the trail configuration itself.

Exam trap

The trap here is that candidates assume missing logs are always due to trail misconfiguration or KMS issues, but the real cause is often a missing or overly restrictive S3 bucket policy that silently blocks CloudTrail writes without generating an obvious error in the CloudTrail console.

How to eliminate wrong answers

Option A is wrong because SCPs deny actions at the account level, but CloudTrail trails are still enabled and delivering; if an SCP denied CloudTrail actions, the trail would fail to start or stop logging entirely, not selectively miss logs for a 2-hour window. Option C is wrong because if the KMS key were inaccessible, CloudTrail would log a failure event and typically stop delivering all logs until the issue is resolved, not just miss a 2-hour period while continuing to deliver before and after. Option D is wrong because AWS Config can monitor delivery status but cannot automatically restart a trail; it only provides compliance checks and notifications, and the trail is already enabled and delivering—restarting it would not fix a missing bucket policy permission.
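As an added check that is not part of the original page or of any AWS tool, the following Python validates a central CloudTrail logging bucket policy the way questions 61 and 64 describe: the CloudTrail service principal (not an account root) must be allowed s3:GetBucketAcl on the bucket and s3:PutObject under each delivering account's AWSLogs prefix with the bucket-owner-full-control ACL condition. The bucket name central-trail-logs, the sample object key and both sample policies are constructed; the account IDs are the ones from question 61.

```python
"""Constructed checker for a central CloudTrail logging bucket policy (questions 61
and 64). It verifies that the CloudTrail service principal, not an account root, is
allowed s3:GetBucketAcl on the bucket and s3:PutObject under each delivering
account's AWSLogs/<account>/ prefix with the bucket-owner-full-control ACL
condition, the shape of the documented CloudTrail bucket policy. Not an AWS tool."""
from fnmatch import fnmatchcase

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_to_cloudtrail(stmt, action, resource):
    """True if `stmt` is an Allow for the CloudTrail service principal covering
    `action` on `resource`."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if CLOUDTRAIL not in services:
        return False  # {"AWS": "arn:aws:iam::111111111111:root"} is not the service principal
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def _requires_owner_full_control(stmt):
    acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
    return acl is not None and "bucket-owner-full-control" in _as_list(acl)


def check_cloudtrail_bucket_policy(policy, bucket, source_accounts):
    """Return a list of findings; an empty list means every listed account can deliver."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not any(_grants_to_cloudtrail(s, "s3:GetBucketAcl", bucket_arn) for s in statements):
        findings.append(f"{CLOUDTRAIL} is not allowed s3:GetBucketAcl on {bucket_arn}")
    for account in source_accounts:
        # Per-account trails write under AWSLogs/<account>/. Organization trails add an
        # AWSLogs/<org-id>/ prefix before the account id, which this check does not model.
        prefix = f"{bucket_arn}/AWSLogs/{account}/"
        key = prefix + "CloudTrail/us-east-1/sample.json.gz"  # constructed object key
        writers = [s for s in statements if _grants_to_cloudtrail(s, "s3:PutObject", key)]
        if not writers:
            findings.append(f"no Allow s3:PutObject for {CLOUDTRAIL} on {prefix}*")
        elif not any(_requires_owner_full_control(s) for s in writers):
            findings.append(f"PutObject grant for {account} lacks the "
                            "s3:x-amz-acl = bucket-owner-full-control condition")
    return findings


# Constructed policy resembling the fault in question 61: the principal is the root
# of the bucket-owning account, so the CloudTrail service principal is never allowed.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::central-trail-logs/AWSLogs/222222222222/*",
    }],
}

# Corrected policy in the documented CloudTrail bucket-policy shape (bucket name constructed).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::central-trail-logs"},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::central-trail-logs/AWSLogs/111111111111/*",
                      "arn:aws:s3:::central-trail-logs/AWSLogs/222222222222/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        findings = check_cloudtrail_bucket_policy(policy, "central-trail-logs",
                                                  ["111111111111", "222222222222"])
        print(name, findings or "OK")
```

Running the checker against the delivering accounts' IDs after every bucket policy change is the cheap way to catch the silent delivery failure question 64 describes before a two-hour gap appears.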

65. MCQ (easy)

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files across any account. What is the most effective way to enforce this?

A. Use an SCP to require that CloudTrail is enabled.
B. Use IAM policies in each account to deny the same actions.
C. Use AWS Config rules to detect and remediate changes.
D. Attach an SCP to the root OU that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject actions for the CloudTrail S3 bucket.
Answer: D

SCPs can deny these sensitive actions across all accounts.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations can be attached to the root organizational unit (OU) to centrally deny specific actions across all accounts, including the management account. By denying `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, and `s3:DeleteObject` on the CloudTrail S3 bucket, the security team ensures that no principal in any account can disable CloudTrail or delete log files, regardless of their IAM permissions. SCPs are the only mechanism that can enforce such guardrails across all accounts in an organization without requiring per-account configuration.

Exam trap

The trap here is that candidates often choose Option A (SCP to require CloudTrail) because they confuse 'requiring' a service with 'preventing its disablement,' but SCPs cannot enforce that a service is running—they can only deny API actions, making Option D the only effective preventive control.

How to eliminate wrong answers

Option A is wrong because an SCP that 'requires' CloudTrail to be enabled does not prevent disabling or deleting it after it is enabled; SCPs can only deny actions, not enforce a state or configuration. Option B is wrong because IAM policies in each account can be overridden by a user with sufficient privileges (e.g., an account admin) and do not provide a centralized, unchangeable guardrail across all accounts. Option C is wrong because AWS Config rules can detect and trigger remediation (e.g., via Lambda), but they are reactive and can be bypassed if the rule or remediation role is modified or if the change occurs faster than the remediation cycle; they do not prevent the action from happening in the first place.

66. MCQ (medium)

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all new member accounts automatically have a specific AWS Config rule enabled. Which solution should be used?

A. Use AWS CloudFormation StackSets in each account.
B. Create an AWS Lambda function in the management account to enable Config rules.
C. Use an SCP to require Config recording.
D. Deploy an AWS Config conformance pack across accounts using AWS Organizations.
Answer: D

Conformance packs can be deployed to all accounts and regions via a single API call.

Why this answer

AWS Config conformance packs are collections of AWS Config rules and remediation actions that can be deployed across multiple accounts and Regions using AWS Organizations. By deploying a conformance pack from the management account, you ensure that all existing and new member accounts automatically inherit the specified Config rules, as the conformance pack is applied at the organization level and propagates to new accounts as they are created.

Exam trap

The trap here is that candidates often confuse SCPs with direct resource configuration, thinking they can enforce Config rules via permission boundaries, but SCPs only control API calls and cannot enable services or rules themselves.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets require manual setup or automation to target new accounts; they do not automatically apply to new member accounts unless you update the stack set instances or use automatic deployment, which is not a native feature of StackSets alone. Option B is wrong because creating an AWS Lambda function in the management account to enable Config rules would require custom code to detect new accounts and apply rules, and it does not leverage AWS Organizations' native integration for automatic propagation. Option C is wrong because Service Control Policies (SCPs) are used to restrict permissions and cannot directly enable AWS Config rules or recording; they only control what actions are allowed or denied.

67. MCQ (medium)

A company has multiple AWS accounts managed under AWS Organizations. The security team wants to enforce that all new S3 buckets created in any account are automatically tagged with the cost center and environment (e.g., dev, prod). Which solution should the team implement?

A. Use AWS CloudFormation StackSets to deploy a bucket template with tags.
B. Use IAM policies in each account to require tags on bucket creation.
C. Use a Service Control Policy (SCP) in AWS Organizations that denies s3:CreateBucket if the request does not include the required tags.
D. Use AWS Config rules to automatically tag buckets after creation.
Answer: C

SCPs prevent the action at the account level.

Why this answer

Option C is correct because a Service Control Policy (SCP) in AWS Organizations can centrally deny the s3:CreateBucket action if the request does not include the required tags (cost center and environment). SCPs apply to all accounts in the organization, enforcing the tagging requirement at the API level before the bucket is created, which is the most effective preventive control.

Exam trap

The trap here is that candidates often choose a reactive solution like AWS Config (Option D) because it can tag buckets, but they miss that the question requires enforcement at creation time, which only a preventive control like an SCP can achieve.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can deploy a bucket template with tags, but they do not enforce tagging on buckets created outside of that template (e.g., via the console, CLI, or SDK). Option B is wrong because IAM policies in each account can require tags, but they are not centrally managed and can be overridden by account administrators; also, IAM policies cannot enforce tags on the s3:CreateBucket action because the condition key for tags (aws:RequestTag) is not evaluated for all services in the same way. Option D is wrong because AWS Config rules can detect and tag buckets after creation (reactive), but they do not prevent untagged buckets from being created, which violates the security team's requirement to enforce tagging automatically at creation time.

68. MCQ (easy)

A company uses AWS Organizations and wants to allow a development account to assume a role in the production account for deployment purposes. Which component is necessary for this cross-account access?

A. A VPC peering connection between the accounts
B. An IAM role in the production account with a trust policy allowing the development account
C. A service control policy (SCP) that permits AssumeRole
D. An AWS Config rule to validate the role
Answer: B

Trust policies enable cross-account role assumption.

Why this answer

Cross-account IAM access requires a role in the target (production) account with a trust policy that explicitly lists the source (development) account as a trusted principal. The development account then uses the STS AssumeRole API to obtain temporary credentials for that role. Without this trust policy, the role cannot be assumed from another account.

Exam trap

The trap here is confusing network connectivity (VPC peering) with IAM authorization, or assuming that an SCP alone can enable cross-account access when SCPs only act as a permission guardrail within an organization.

How to eliminate wrong answers

Option A is wrong because VPC peering connects networks at Layer 3 and does not provide any IAM-based authentication or authorization for cross-account role assumption. Option C is wrong because SCPs can only deny or allow permissions for principals within the same organization; they cannot grant cross-account access or replace the need for a trust policy on the target role. Option D is wrong because AWS Config rules evaluate resource compliance after the fact and do not enable or control the ability to assume a role across accounts.

69. MCQ (medium)

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

A. The condition uses 'BoolIfExists' instead of 'Bool' which causes the policy to fail when the key is present.
B. The role requires MFA, but the user's MFA device is not configured correctly.
C. The user is not passing the MFA serial number and token code in the assume-role API call.
D. The principal is set to the root account, which does not allow IAM users to assume the role.
Answer: C

Even if MFA is enabled, the user must provide serial number and token code in the STS AssumeRole call.

Why this answer

Option C is correct because the IAM role trust policy includes a condition that checks for the presence of both `aws:MultiFactorAuthPresent` and `aws:MultiFactorAuthAge`. Even though the user has MFA enabled and is passing the MFA token, the `aws:MultiFactorAuthSerialNumber` and `aws:MultiFactorAuthTokenCode` parameters must be explicitly included in the `sts:AssumeRole` API call. Without these, the condition evaluates to false, resulting in an 'AccessDenied' error.

Exam trap

The trap here is that candidates often assume that simply having MFA enabled and passing the token in the session is sufficient, but the `sts:AssumeRole` API call requires the MFA serial number and token code to be explicitly provided as parameters, which is a common oversight in programmatic role assumption scenarios.

How to eliminate wrong answers

Option A is wrong because `BoolIfExists` is a valid condition operator that returns true if the key exists and matches the value, or if the key is absent (missing). In this case, the condition uses `BoolIfExists` correctly to allow the role to be assumed when MFA is present; the failure is not due to the operator choice. Option B is wrong because the user has MFA enabled and is passing the MFA token, so the MFA device is configured correctly; the issue is that the MFA serial number and token code are not being passed in the API call. Option D is wrong because setting the principal to the root account (the account ID) allows any IAM user in that account to assume the role, provided they meet the conditions; the root principal does not inherently block IAM users.

70. MCQ (medium)

Refer to the exhibit. A company has a trust policy on an IAM role in account 222222222222. The trust policy allows the root user of account 111111111111 to assume the role. However, a user in account 111111111111 is unable to assume the role. What is the most likely cause?

A. A service control policy in account 222222222222 is denying the sts:AssumeRole action
B. The role is not in the same region as the user
C. The trust policy only allows the root user, not individual users
D. The trust policy is malformed
Answer: C

The principal is the root user ARN; individual users need a separate ARN or permissions.

Why this answer

Option C is correct because the trust policy allows the root user but not individual users. To allow a user to assume the role, the trust policy must specify the user's ARN, or the user must have explicit permission in their account to assume the role (via an IAM policy). Option D is wrong because the policy is valid. Option B is wrong because it is exactly that. Option A is wrong because SCPs in the role's account could deny the action, but the trust policy itself is the issue.

71. Multi-Select (easy)

Which TWO AWS services can be used to automate the enforcement of compliance policies across multiple AWS accounts? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Organizations SCPs
C. AWS CloudFormation StackSets
D. Amazon VPC Flow Logs
E. AWS Config rules
Answers: B, E

SCPs can deny or allow actions across accounts.

Why this answer

SCPs (Option B) and AWS Config rules (Option E) can enforce compliance. Option A is wrong because CloudTrail is a logging service. Option C is wrong because CloudFormation StackSets deploy resources but do not enforce policies. Option D is wrong because VPC Flow Logs are for network logging.

72. MCQ (medium)

An administrator attached the above IAM policy to a group of developers. A developer tries to launch a t3.medium EC2 instance and receives an 'AccessDenied' error. What is the MOST likely reason?

A. The policy denies all instance types except t3.micro and t3.small.
B. The policy has a syntax error that causes all actions to be denied.
C. The policy does not explicitly allow ec2:RunInstances.
D. The policy requires a specific Amazon Machine Image (AMI) that the developer is not using.
Answer: A

The condition denies if the instance type is not in the list.

Why this answer

Option A is correct because the policy denies ec2:RunInstances for instance types that are not t3.micro or t3.small. Since t3.medium is not in the allowed list, the action is denied. Option B is wrong because the policy allows the action for the allowed types. Option D is wrong because the condition is on instance type, not AMI. Option C is wrong because there is no explicit allow, but the default implicit deny is overridden by the explicit deny.

73. MCQ (hard)

A company has a multi-account setup with AWS Organizations. The security team wants to enforce that all IAM users must have MFA enabled. Which approach is most effective?

A. Use AWS Config rules to detect users without MFA and send alerts.
B. Use AWS CloudTrail to monitor and disable users without MFA.
C. Set an IAM password policy that requires MFA for all users.
D. Apply an SCP that denies all actions if the principal does not have MFA.
Answer: D

Forces MFA for all API calls.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations can enforce preventive security controls across all accounts in the organization. By denying all actions when a principal does not have MFA, the SCP effectively blocks any API call from IAM users or roles that haven't authenticated with MFA, ensuring compliance at the organizational level regardless of individual account configurations.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config alerts) with preventive controls (like SCPs), or mistakenly think IAM password policies can enforce MFA, when in fact password policies only govern password characteristics, not multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive; they can detect users without MFA and send alerts, but they cannot enforce MFA or block actions. Option B is wrong because AWS CloudTrail is a logging service that records API calls; it cannot disable users or enforce MFA, and monitoring alone does not prevent non-compliant actions. Option C is wrong because an IAM password policy cannot require MFA for all users; password policies control password complexity, rotation, and reuse, but MFA enforcement must be done via IAM policies or SCPs, not password policies.
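Added example, not from the original page: a simplified Python policy evaluator that reproduces the two evaluation behaviours questions 57, 72 and 73 rely on, an explicit Deny on ec2:RunInstances conditioned on ec2:InstanceType, and a deny-without-MFA SCP, including why the deny must use BoolIfExists rather than Bool when the aws:MultiFactorAuthPresent key is absent from the request context (as it is for requests signed with long-term access keys). The policies, the Allow statements that accompany each Deny, the account ID, region and instance ID are all constructed, and the evaluator is an illustration of the rules rather than AWS's own engine.

```python
"""Constructed, simplified evaluator for IAM/SCP statements with Condition blocks.
Illustrates the evaluation rules, not AWS's own policy engine: a matching Deny
wins, otherwise a matching Allow wins, otherwise the request is implicitly denied."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, context):
    """Evaluate one condition key against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in context:
        # ...IfExists operators are satisfied when the key is absent; the plain
        # operators are not, so a statement using them simply does not match.
        return if_exists
    value = str(context[key])
    wanted = [str(v) for v in _as_list(expected)]
    if base == "StringEquals":
        return value in wanted
    if base == "StringNotEquals":
        return value not in wanted
    if base == "Bool":
        return value.lower() == wanted[0].lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def evaluate(policies, action, resource, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            conditions = stmt.get("Condition", {})
            if not all(_condition_holds(op, key, exp, context)
                       for op, block in conditions.items()
                       for key, exp in block.items()):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit deny always wins
            decision = "allow"
    return decision


# Constructed policy for the developers' group (questions 57 and 72): allow
# RunInstances, but deny it when the instance resource's type is not in the list.
INSTANCE_TYPE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}},
    ],
}


def mfa_scp(operator):
    """Constructed SCP for question 73: an allow-all statement plus a deny when MFA
    is not present. `operator` is 'Bool' or 'BoolIfExists' to compare the two."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


# Constructed account id, region and instance id.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
# A request signed with long-term access keys carries no aws:MultiFactorAuthPresent key.
NO_MFA_KEY = {}

if __name__ == "__main__":
    for itype in ("t3.micro", "t3.medium"):
        print(itype, evaluate([INSTANCE_TYPE_POLICY], "ec2:RunInstances", INSTANCE_ARN,
                              {"ec2:InstanceType": itype}))
    for op in ("Bool", "BoolIfExists"):
        print(op, "without MFA key:", evaluate([mfa_scp(op)], "s3:ListAllMyBuckets", "*", NO_MFA_KEY))
```

The `Bool` variant lets an access-key request through because the key is missing rather than false, which is why the SCP in question 73 must be written with `BoolIfExists` to deny every non-MFA call.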

74. MCQ (medium)

A company has a centralized security account and wants to enable AWS Config in all accounts. They want to centrally manage Config rules and view compliance. What should they do?

A. Apply an SCP to enable AWS Config in all accounts.
B. Use CloudFormation StackSets to deploy Config rules, then view in each account.
C. Enable AWS Config in the security account only and use cross-account roles.
D. Enable AWS Config in each account and use an aggregator in the security account.
Answer: D

Aggregator collects compliance data from multiple accounts.

Why this answer

Option D is correct because an AWS Config aggregator allows viewing compliance from multiple accounts. Option C is wrong because it doesn't aggregate. Option B is wrong because CloudFormation is per-account. Option A is wrong because SCPs cannot enable Config.

75. MCQ (hard)

A company has a centralized AWS account for security tools and multiple member accounts. They want to use AWS GuardDuty to detect threats across all accounts. They have enabled GuardDuty in the management account and invited all member accounts. GuardDuty is set to send findings to a central S3 bucket in the security account. However, findings from member accounts are not appearing in the central S3 bucket. The security account has a bucket policy that allows the GuardDuty service principal to write findings. What is the most likely cause?

A. The GuardDuty detector in the management account is not configured to publish findings to S3.
B. GuardDuty cannot send findings from member accounts to a central S3 bucket; it only supports CloudWatch Events.
C. The S3 bucket policy does not grant the GuardDuty service principal from member accounts write access.
D. Each member account must individually configure the S3 bucket as a publishing destination for its own findings.
Answer: D

Each account must set up its own publishing destination.

Why this answer

Option D is correct because for GuardDuty to send findings to a central S3 bucket, each member account must configure the publishing destination as well. Simply enabling GuardDuty in the management account does not automatically forward findings from member accounts to a central bucket. Option C is wrong because the bucket policy is already in place. Option B is wrong because GuardDuty supports cross-account delivery. Option A is wrong because there is no such setting.
