CCNA Org Complexity Questions

75 of 455 questions · Page 3/7 · Org Complexity topic · Answers revealed

151 · Matching · medium

Match each AWS disaster recovery strategy to its description.


Lowest cost, RPO in hours, RTO in hours to days

Core services run in standby, ready to scale

Scaled-down production environment, ready to scale up

Both sites serve traffic, failover is immediate

One site active, other on standby

Why these pairings

DR strategies balance cost and recovery time objectives.

152 · Multi-Select · hard

A company has a multi-account AWS environment with a central security account. The security team wants to implement a solution that allows them to centrally manage and audit IAM permissions across all accounts. Which THREE services should be combined to achieve this?

Select 3 answers
A. AWS Organizations
B. AWS Config
C. AWS IAM Access Analyzer
D. AWS CloudTrail
E. Amazon GuardDuty
Answers: A, C, D

Organizations provides a central view and management of all accounts.

Why this answer

Options A, C, and D are correct. IAM Access Analyzer helps identify external access to resources. AWS CloudTrail logs all API calls for auditing.

AWS Organizations provides a central view and management of accounts. Option B is wrong because AWS Config is for resource configuration, not IAM permissions. Option E is wrong because Amazon GuardDuty is for threat detection, not IAM audit.

153 · MCQ · medium

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for all accounts. The flow logs should be sent to a central S3 bucket in the logging account. The solution must be automated for new accounts added to the organization. What should the team do?

A. Use AWS Config rules to detect missing flow logs and send alerts to the security team.
B. Use AWS CloudFormation StackSets to deploy a VPC flow log configuration to all accounts and regions, and configure the S3 bucket policy to allow cross-account delivery from all accounts.
C. Use an SCP to require that VPC flow logs be enabled.
D. Manually enable VPC flow logs in each account and region, and specify the central S3 bucket as the destination.
Answer: B

StackSets automate deployment across accounts and regions.

Why this answer

Option B is correct because AWS CloudFormation StackSets can deploy the flow log configuration to all accounts and regions, and a central S3 bucket policy allows cross-account delivery. Option D is wrong because manual creation does not scale. Option C is wrong because SCPs cannot create resources.

Option A is wrong because AWS Config can detect missing flow logs but cannot easily enable them automatically in every region.

154 · Multi-Select · medium

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet compliance requirements that logs be immutable and stored for 7 years. Which THREE services should be combined to achieve this?

Select 3 answers
A. AWS Glue
B. S3 Object Lock
C. AWS CloudTrail
D. Amazon S3
E. Amazon Kinesis Data Streams
Answers: B, C, D

Prevents deletion or overwriting of logs.

Why this answer

S3 Object Lock is correct because it enforces a write-once-read-many (WORM) model on S3 objects, preventing any deletion or overwriting for a specified retention period. Combined with Amazon S3 for durable storage and AWS CloudTrail for logging API activity across accounts, this meets the 7-year immutability and retention compliance requirements.

Exam trap

The trap here is that candidates may mistake Kinesis Data Streams for a log storage service, when it is a streaming ingestion layer with no built-in immutability or long-term retention; Glue is likewise chosen by mistake for its data cataloging capabilities, which have nothing to do with log storage.

155 · MCQ · medium

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail across multiple accounts. The logs are delivered to a central S3 bucket. The security team needs to ensure that logs are encrypted at rest and access is limited to only authorized security personnel. Which combination of actions should be taken?

A. Enable CloudTrail log file validation and use IAM policies to limit access.
B. Use an SCP to require SSE-KMS for all S3 put operations, and apply a bucket policy that only allows access from a specific IAM role.
C. Enable default encryption on the S3 bucket using SSE-S3 and apply a bucket policy to restrict access.
D. Use AWS KMS with a customer managed key and attach an SCP to prevent deletion of the key.
Answer: B

SCP enforces encryption, and bucket policy restricts access to the required role.

Why this answer

Option B is correct because using an SCP to require SSE-KMS for all S3 put operations ensures that any log data written to the central bucket is encrypted at rest with AWS KMS, providing an additional layer of control and auditability. The bucket policy that restricts access to a specific IAM role ensures that only authorized security personnel can access the logs, meeting the security team's requirements for encryption and access limitation.

Exam trap

The trap here is that candidates often confuse enabling default encryption (which only applies to new objects if no encryption header is provided) with enforcing encryption via policy, or they overlook that SCPs can enforce encryption requirements across all accounts in an organization, not just within a single account.

How to eliminate wrong answers

Option A is wrong because CloudTrail log file validation only provides integrity verification (detecting if logs were modified), not encryption at rest or access control; IAM policies alone cannot enforce encryption requirements. Option C is wrong because SSE-S3 provides encryption at rest but does not allow the security team to control key management or enforce encryption via policy; a bucket policy alone cannot prevent unauthorized access if IAM roles are not properly scoped. Option D is wrong because while using a customer managed key with KMS is good, attaching an SCP to prevent key deletion does not enforce encryption on S3 put operations or restrict access to the bucket; it only protects the key from deletion, not the logs themselves.

156 · Multi-Select · medium

Which TWO actions should a company take to implement a least-privilege access model across multiple AWS accounts? (Choose TWO.)

Select 2 answers
A. Use IAM roles in each account with cross-account trust from a central identity provider, granting only required permissions.
B. Apply SCPs to deny high-risk actions across all accounts.
C. Generate long-term access keys for each user in the central account.
D. Share the root user credentials of each account with the central team.
E. Create IAM users in each account with full administrator access for all users.
Answers: A, B

Roles allow temporary credentials with limited permissions.

Why this answer

Using IAM roles with cross-account trust and granting only necessary permissions (option A) and using SCPs to restrict high-risk actions (option B) are correct. Option E is wrong because it grants full administrator access. Option C is wrong because it uses static, long-term keys.

Option D is wrong because the root user should not be used for day-to-day access.

157 · MCQ · medium

A company uses AWS Organizations with a central logging account. They want to ensure that all VPC Flow Logs from member accounts are published to a central S3 bucket in the logging account. Which steps are required?

A. Configure VPC Flow Logs in each member account to deliver to a central S3 bucket using a bucket policy.
B. Use Amazon Kinesis Data Firehose to stream logs to the central bucket.
C. Create a CloudWatch Logs subscription in the central account that receives logs from all accounts.
D. Create a CloudWatch Logs log group in each member account and use a subscription filter to forward to a central S3 bucket via Kinesis.
Answer: A

Flow Logs can deliver to S3, and bucket policy allows cross-account delivery.

Why this answer

Option A is correct because VPC Flow Logs can be published directly to an S3 bucket in a different account by configuring the destination S3 bucket with a bucket policy that grants the required permissions (e.g., `AWS:SourceAccount` and `AWS:SourceArn`) to the member account's VPC Flow Logs service. This allows each member account to write flow logs directly to the central logging account's S3 bucket without needing intermediate services, aligning with AWS Organizations' centralized logging best practices.

Exam trap

The trap here is that candidates often assume VPC Flow Logs must go through CloudWatch Logs or Kinesis for cross-account delivery, but AWS directly supports publishing to a cross-account S3 bucket with the correct bucket policy, making intermediate services unnecessary.

How to eliminate wrong answers

Option B is wrong because Amazon Kinesis Data Firehose is not a native destination for VPC Flow Logs; VPC Flow Logs can only be published to CloudWatch Logs or S3 directly, and using Firehose would require an unnecessary intermediate step and additional cost. Option C is wrong because a CloudWatch Logs subscription in the central account cannot receive logs from member accounts directly; subscriptions must be set up in each member account to forward logs to a central destination, and the central account cannot initiate the subscription. Option D is wrong because VPC Flow Logs cannot be sent to a CloudWatch Logs log group and then forwarded to S3 via a subscription filter and Kinesis; VPC Flow Logs can only be delivered to CloudWatch Logs or S3 directly, and the described pipeline is not supported without custom solutions.

158 · MCQ · hard

A company is using AWS Organizations with a set of member accounts that need to access a shared Amazon S3 bucket in the master account. The bucket policy allows access only from the member accounts' root user. However, developers in member accounts are unable to access the bucket even when they assume an IAM role. What is the most likely cause?

A. The bucket is encrypted with an AWS KMS key that the role does not have permissions to use.
B. The bucket policy requires an explicit Deny for all principals except the root user.
C. A service control policy (SCP) is denying access to the S3 bucket.
D. The bucket policy grants access to the member account root user ARN, but the role session has a different ARN.
Answer: D

When a user assumes a role, the principal becomes the role's ARN, not the root user.

Why this answer

The bucket policy explicitly grants access to the member account's root user ARN (e.g., `arn:aws:iam::123456789012:root`). When a developer assumes an IAM role in the member account, the resulting session has a different ARN (e.g., `arn:aws:sts::123456789012:assumed-role/DevRole/session`). Because the bucket policy's Principal is restricted to the root user ARN, the role session is not recognized as a matching principal, and access is denied.

This is a common misconfiguration when mixing root user grants with assumed-role access.

Exam trap

The trap here is that candidates often assume that granting access to a member account's root user automatically grants access to all IAM users and roles in that account. In reality, the root user ARN is a specific principal that does not cover assumed-role sessions or IAM users unless they are explicitly included.

How to eliminate wrong answers

Option A is wrong because the question states the bucket policy allows access only from the member accounts' root user, and there is no mention of KMS encryption or a KMS key permission issue; the problem is purely about principal matching in the bucket policy. Option B is wrong because an explicit Deny for all principals except the root user would still not allow the role session to access the bucket, but the question describes a bucket policy that 'allows access only from the member accounts' root user' — this is an Allow with a specific principal, not an explicit Deny, and the core issue is the principal mismatch, not an explicit Deny statement. Option C is wrong because while an SCP could deny access, the question asks for the 'most likely cause' given the specific bucket policy configuration; the direct and most common cause is the principal mismatch between the root user ARN in the policy and the assumed-role ARN used by the developers.

159 · MCQ · medium

A multinational company is adopting AWS Organizations to manage multiple accounts across business units. The security team requires that specific IAM roles be automatically deployed to all existing and future member accounts. Which solution should the company use?

A. Use AWS Config rules to enforce the role creation in each account.
B. Use AWS CloudFormation StackSets with automatic deployment enabled in the organization.
C. Use AWS Service Catalog to create a portfolio with the IAM role product and share it with all accounts.
D. Use AWS Lambda functions triggered by AWS CloudTrail events to create the role in each account.
Answer: B

StackSets can deploy stacks across accounts and automatically to new accounts.

Why this answer

AWS CloudFormation StackSets with automatic deployment enabled allows you to deploy IAM roles across all accounts in an AWS Organization, including future accounts, by specifying the organization root or OUs as targets. This ensures consistent role creation without manual intervention, as StackSets automatically provisions stacks in new accounts as they join the organization.

Exam trap

The trap here is that candidates often confuse AWS Config's remediation actions with direct resource creation, or they assume Service Catalog's sharing mechanism automatically deploys resources, when in fact only CloudFormation StackSets with automatic deployment provides native, organization-wide, and future-proof resource deployment.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are for evaluating resource compliance, not for creating or deploying resources; they can trigger remediation actions via Lambda or Systems Manager, but they do not directly create IAM roles across accounts. Option C is wrong because AWS Service Catalog allows users to provision products from a portfolio, but it does not automatically deploy roles to all accounts; it requires users to manually launch the product in each account. Option D is wrong because while Lambda functions triggered by CloudTrail events could create roles, this approach is event-driven and reactive, requiring custom code and handling for future accounts, and lacks the native, automated, and scalable deployment mechanism that StackSets provides for organizations.

160 · Multi-Select · hard

A company is implementing a data lake on AWS using Amazon S3 as the storage layer. The data lake must support multiple consumer accounts within the organization. The security team requires that data is encrypted at rest using AWS KMS with customer-managed keys (CMKs) and that access to the keys is strictly controlled. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A. Create a customer-managed KMS key with a key policy that allows the consumer accounts to use the key.
B. Grant cross-account access to the S3 bucket using bucket policies.
C. Configure the S3 bucket policy to deny uploads that do not use the required KMS key.
D. Use an SCP to require that all S3 buckets use server-side encryption with KMS.
E. Create IAM roles in each consumer account that grant access to the KMS key.
Answers: A, B, C

Allows cross-account decryption.

Why this answer

Option A is correct because creating a customer-managed KMS key (CMK) with a key policy that explicitly grants the consumer accounts permission to use the key (e.g., via the `kms:Decrypt` and `kms:GenerateDataKey` actions) is required for cross-account encryption. This ensures that the S3 bucket can encrypt objects with the CMK, and consumer accounts can decrypt them using their own IAM permissions, meeting the security team's requirement for strict key control.

Exam trap

The trap here is that candidates often confuse SCPs with resource-based policies, thinking an SCP can enforce cross-account encryption access, when in reality SCPs only set permission boundaries and cannot grant the specific KMS key usage permissions required for cross-account decryption.

161 · MCQ · hard

A company has multiple business units, each with its own AWS account. They want to enforce that all EC2 instances launched across accounts use only approved AMIs. The AMIs are stored in a central account. What is the MOST scalable and secure way to enforce this?

A. Tag approved AMIs and use IAM policies to require that tag.
B. Use an IAM policy in each account to allow only specific AMI IDs.
C. Use AWS Config rules to check AMI IDs against a parameter store and auto-remediate.
D. Use an SCP to deny ec2:RunInstances unless the AMI ID matches an approved list.
Answer: C

Config rules can evaluate resources and trigger remediation, scalable across accounts.

Why this answer

Option C is correct because AWS Config rules in each account can check the AMI ID against a centralized parameter store and auto-remediate. Option D is wrong because SCPs cannot enforce AMI IDs. Option A is wrong because it requires manual tagging.

Option B is wrong because IAM policies cannot restrict AMI IDs based on source account.

162 · Matching · medium

Match each AWS service to its primary use case.


Centrally manage multiple AWS accounts

Connect VPCs and on-premises networks

Dedicated private network connection to AWS

Secure connection over the internet to AWS

Privately access services across VPCs

Why these pairings

These are key networking and account management services.

163 · MCQ · medium

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must block public access. How can this be enforced centrally with minimal operational overhead?

A. Enable AWS Config in each account and create a rule to mark public buckets as non-compliant.
B. Create an IAM role in each account with a policy that denies public access modifications and assign it to all users.
C. Use a bucket policy on each existing bucket to deny public access and rely on AWS Config to detect new buckets.
D. Create a service control policy (SCP) to deny s3:PutBucketPublicAccessBlock actions with conditions that require public access block settings.
Answer: D

SCPs can centrally enforce restrictions across all accounts in the organization.

Why this answer

Option D is correct because an SCP applied at the AWS Organizations root or OU level can centrally deny the `s3:PutBucketPublicAccessBlock` action unless the request includes specific public access block settings. This enforces the security requirement across all accounts without per-account configuration, minimizing operational overhead. SCPs are the only mechanism that can prevent actions at the account level before they occur, making them ideal for mandatory security baselines.

Exam trap

The trap here is that candidates often choose AWS Config (option A) because it is a common detective control, but they overlook that SCPs are the only preventive control that works centrally across all accounts with zero per-account setup.

How to eliminate wrong answers

Option A is wrong because AWS Config rules only detect and report non-compliant resources after they exist; they do not prevent the creation of public buckets, so operational overhead remains for remediation. Option B is wrong because IAM roles assigned to users cannot prevent actions performed by services (e.g., AWS Lambda, CloudFormation) or root users, and managing roles across many accounts adds significant overhead. Option C is wrong because applying bucket policies to existing buckets is a reactive, per-bucket manual process that does not prevent new public buckets from being created, and AWS Config detection still requires remediation effort.

164 · MCQ · hard

A multinational company is implementing a multi-account strategy using AWS Organizations. The security team needs to ensure that all newly created accounts automatically have a specific baseline CloudTrail trail and a set of AWS Config rules applied. The company also wants to enforce that no account can disable these controls. Which solution should be used?

A. Create an SCP that denies actions to disable CloudTrail and AWS Config, and use AWS CloudFormation StackSets to deploy the baseline resources to all accounts in the organization.
B. Use IAM roles with a trust policy that allows the management account to deploy CloudTrail and AWS Config, and use AWS Lambda to monitor for changes.
C. Use AWS Control Tower to set up the baseline and enforce it via preventive guardrails.
D. Use AWS Organizations to create an SCP that deploys AWS Config rules and CloudTrail via AWS CloudFormation StackSets.
Answer: A

SCPs enforce prevention, and StackSets automate deployment.

Why this answer

Option A is correct because it combines an SCP that denies actions to disable CloudTrail and AWS Config (e.g., `cloudtrail:StopLogging`, `config:DeleteConfigRule`) with AWS CloudFormation StackSets to deploy the baseline resources across all accounts in the organization. The SCP enforces that no account (including root users) can disable the controls, while StackSets automatically deploy the CloudTrail trail and Config rules to new accounts as they join the organization. This meets both the automatic deployment and enforcement requirements.

Exam trap

The trap here is that candidates confuse SCPs with deployment mechanisms—SCPs only deny or allow actions, they cannot create resources, so StackSets (or similar) are required for deployment, and Control Tower guardrails are often mistaken for being able to deploy custom resources when they only enforce pre-defined policies.

How to eliminate wrong answers

Option B is wrong because IAM roles with a trust policy from the management account can deploy resources, but they do not prevent accounts from disabling CloudTrail or Config; they only allow the management account to deploy, not enforce. Option C is wrong because AWS Control Tower guardrails can enforce preventive controls (e.g., disallow disabling CloudTrail), but Control Tower does not automatically deploy custom CloudTrail trails or custom Config rules; it only provides pre-defined guardrails and cannot deploy arbitrary baseline resources. Option D is wrong because an SCP cannot deploy resources; SCPs only define permission boundaries and cannot create CloudTrail trails or Config rules—StackSets must be used separately, and the option incorrectly states that the SCP itself deploys the resources.

165 · MCQ · medium

A company has a multi-account AWS environment and wants to centralize the management of IAM roles. The security team needs to ensure that all IAM roles across all accounts trust the same identity provider (IdP) for federated access. The company uses AWS IAM Identity Center (successor to AWS SSO) for user management. Which solution should be implemented?

A. Use AWS IAM Identity Center to create permission sets that grant access to accounts. IAM Identity Center automatically creates and manages the necessary IAM roles with the IdP trust.
B. Use an SCP to require that all IAM roles trust the corporate IdP.
C. Create IAM roles in each account with a trust policy that allows the corporate IdP.
D. Use AWS CloudFormation StackSets to deploy IAM roles with the IdP trust policy to all accounts.
Answer: A

IAM Identity Center centralizes federation and role management.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is designed to centralize user access across multiple AWS accounts. When you create permission sets in IAM Identity Center, it automatically provisions the necessary IAM roles in each target account with a trust policy that trusts the IAM Identity Center's own identity provider. This eliminates the need to manually create or manage IAM roles and their trust policies, ensuring all accounts use the same IdP for federated access.

Exam trap

The trap here is that candidates often confuse SCPs as a mechanism to enforce trust policies, but SCPs cannot modify IAM role trust relationships; they only control the maximum permissions for IAM users and roles within an account.

How to eliminate wrong answers

Option B is wrong because Service Control Policies (SCPs) can restrict permissions but cannot enforce trust policy conditions on IAM roles; SCPs operate at the account level to control which AWS services and actions are allowed, not to modify or mandate the content of IAM role trust policies. Option C is wrong because manually creating IAM roles in each account with a trust policy for the corporate IdP is operationally complex, error-prone, and does not leverage the centralized management capabilities of IAM Identity Center; it also does not automatically synchronize role creation across accounts. Option D is wrong because while AWS CloudFormation StackSets can deploy IAM roles with a specific trust policy to multiple accounts, this approach still requires manual definition and maintenance of the trust policy and does not integrate with IAM Identity Center's automatic role provisioning and lifecycle management.

166 · MCQ · medium

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts have server-side encryption with AWS KMS (SSE-KMS) enabled, and any new bucket that does not comply must be automatically remediated. Which design should be used?

A. Use AWS Resource Access Manager (RAM) to share a KMS key across accounts, and enable default encryption in each account's S3 settings.
B. Use a Service Control Policy (SCP) to deny PutBucketEncryption actions that do not set SSE-KMS, and use AWS Config with a custom rule and automatic remediation via Lambda to fix existing buckets.
C. Use AWS Config to detect non-compliant buckets and a Service Control Policy (SCP) to enforce encryption on existing buckets.
D. Use AWS CloudTrail to monitor bucket creation, and trigger a Lambda function to enable SSE-KMS on new buckets.
Answer: B

This combines prevention with SCP and remediation with Config auto-remediation.

Why this answer

Option B is correct because it uses a Service Control Policy (SCP) to deny creation of buckets without SSE-KMS, and a Config rule with auto-remediation via Lambda to fix existing non-compliant buckets. Option C is wrong because SCPs cannot remediate existing buckets. Option D is wrong because CloudTrail is for logging, not enforcement.

Option A is wrong because Resource Access Manager (RAM) does not enforce encryption.

167 · MCQ · hard

A large enterprise is migrating to AWS and wants to implement a multi-account strategy with centralized network connectivity. The company has multiple VPCs in various accounts that need to communicate with each other and with on-premises resources. The solution must be scalable and minimize operational overhead. Which design should be used?

A. Use AWS PrivateLink to connect VPCs via interface endpoints.
B. Create a VPC peering connection between each pair of VPCs that need to communicate.
C. Set up a VPN connection from each VPC to the on-premises network and use routing to enable inter-VPC communication.
D. Use an AWS Transit Gateway in a central network account and attach all VPCs from the various accounts.
Answer: D

Transit Gateway provides scalable, transitive connectivity.

Why this answer

Option D is correct because AWS Transit Gateway acts as a central hub for interconnecting VPCs and on-premises networks, enabling scalable, low-operational-overhead connectivity across multiple accounts. By placing the Transit Gateway in a central network account and using AWS Resource Access Manager to share it with other accounts, the enterprise can avoid the complexity of managing many individual connections while supporting transitive routing and centralized control.

Exam trap

The trap here is that candidates often confuse AWS PrivateLink (which is for service-to-service communication) with a hub-and-spoke solution, or assume VPC peering can scale linearly, ignoring the lack of transitive routing and the operational burden of managing a full mesh.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink is designed for private access to specific services or endpoints, not for transitive routing between multiple VPCs or connecting to on-premises networks; it does not replace a hub-and-spoke architecture. Option B is wrong because VPC peering does not support transitive routing, requiring a full mesh of connections (O(n²)) that becomes unscalable and operationally heavy as the number of VPCs grows. Option C is wrong because establishing individual VPN connections from each VPC to on-premises does not enable inter-VPC communication without additional routing complexity and fails to provide a centralized, scalable hub for multi-account connectivity.

168 · MCQ · hard

A company uses AWS Organizations with a multi-account strategy. They want to allow a centralized DevOps team to manage EC2 instances across all accounts using AWS Systems Manager. The DevOps team should not have direct IAM access to the target accounts. How can this be achieved?

A. Set up a Systems Manager inventory in each account and grant the DevOps team IAM roles with AssumeRole permissions to each account.
B. Install Systems Manager agent on all instances and manage them from a central account without any IAM roles.
C. Create an SCP that allows Systems Manager actions in all accounts and assign it to the DevOps IAM role.
D. Share the EC2 console credentials of each account with the DevOps team.
Answer: A

Cross-account IAM roles allow centralized management without sharing credentials.

Why this answer

Option A is correct because it uses AWS Systems Manager's cross-account management capability combined with IAM roles. By setting up Systems Manager inventory in each target account and granting the DevOps team IAM roles with AssumeRole permissions, the team can centrally manage EC2 instances without having direct IAM access to those accounts. This leverages the AWS Security Token Service (STS) to assume a role in each target account, allowing Systems Manager actions like Run Command or Patch Manager to be executed from a central account.

Exam trap

The trap here is that candidates often confuse Service Control Policies (SCPs) with IAM policies, thinking SCPs can grant permissions, when in fact SCPs only provide a guardrail by denying or allowing permissions that are then further restricted by IAM policies.

How to eliminate wrong answers

Option B is wrong because installing the Systems Manager agent alone does not provide cross-account management; IAM roles are required to authenticate and authorize actions across accounts, and without them, the central account cannot interact with instances in other accounts. Option C is wrong because Service Control Policies (SCPs) are used to restrict permissions across accounts in an organization, not to grant permissions; they cannot be assigned to an IAM role and do not allow actions by themselves. Option D is wrong because sharing EC2 console credentials violates the principle of least privilege and security best practices, and it does not use Systems Manager for centralized management; it also gives direct access to target accounts, which the requirement explicitly forbids.

169 · MCQ · hard

A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has strict latency requirements and must be deployed across multiple Availability Zones. Which design strategy BEST meets these requirements while minimizing operational overhead?

A.Use Amazon ECS with Fargate launch type, defining services across multiple AZs.
B.Use AWS Lambda functions for each microservice, triggered by API Gateway.
C.Deploy each microservice on Amazon EC2 instances in an Auto Scaling group across AZs.
D.Use Amazon EKS with worker nodes on EC2, and deploy microservices as Kubernetes pods.
Answer: A

Fargate manages containers serverlessly, reducing overhead and enabling multi-AZ deployment.

Why this answer

Option A is correct because Amazon ECS with Fargate provides serverless container orchestration, reducing operational overhead, and can be deployed across AZs for high availability and low latency. Option B is wrong because AWS Lambda has execution time limits and may not suit long-running services. Option C is wrong because EC2 requires patching and capacity management.

Option D is wrong because EKS adds Kubernetes complexity.

170
MCQ · hard

A company uses AWS Organizations with multiple OUs. The security team wants to prevent all accounts in the 'Production' OU from using non-compliant EC2 instance types, but allow exceptions for specific accounts. Which combination of controls should be used?

A.Use AWS Config rules to mark non-compliant instances and use AWS Lambda to terminate them.
B.Use resource tags to identify compliant instances and enforce via IAM conditions.
C.Use IAM policies to deny non-compliant instance types for the Production OU, and attach a different IAM policy to exception accounts.
D.Use an SCP to deny non-compliant instance types at the OU level, and use resource-based policies on exception accounts to allow them.
Answer: D

SCPs deny at the OU level, and resource-based policies can allow specific accounts to override the SCP.

Why this answer

Option D is correct because SCPs can deny access to non-compliant instance types at the OU level, and resource-based policies on the exception accounts can allow them to override the SCP. Option A is wrong because AWS Config rules only detect, not block. Option B is wrong because tagging alone does not enforce instance type restrictions.

Option C is wrong because IAM policies alone are not effective when an SCP denies the action.

171
MCQ · easy

A company wants to centralize AWS CloudTrail logs from all accounts in AWS Organizations into a single S3 bucket. Which configuration is required?

A.Configure each account's CloudTrail to send logs to a central CloudWatch Logs group
B.Create a CloudTrail trail in each account and deliver logs to the same S3 bucket
C.Create an organization trail in the management account that is enabled for all accounts
D.Use S3 replication to copy logs from individual account buckets to a central bucket
Answer: C

Organization trails automatically apply to all accounts in the organization.

Why this answer

Option C is correct because AWS Organizations supports creating an organization trail in the management account that automatically applies to all accounts in the organization. This centralizes CloudTrail logs from every account into a single S3 bucket without requiring per-account configuration, ensuring consistent logging and simplifying management.

Exam trap

The trap here is that candidates may think individual trails per account (Option B) are necessary or simpler, but AWS Organizations provides a native, centralized mechanism that automatically includes all accounts without per-account configuration.

How to eliminate wrong answers

Option A is wrong because, although CloudTrail can send events to a CloudWatch Logs group, the question specifies centralizing logs into a single S3 bucket, not a CloudWatch Logs group. Option B is wrong because creating individual trails in each account and delivering to the same S3 bucket would require manual setup per account, does not leverage AWS Organizations integration, and may cause permission issues or log duplication without centralized management. Option D is wrong because S3 replication copies objects after they are written, but it does not address the initial delivery of CloudTrail logs from multiple accounts; each account would still need its own trail and bucket, adding complexity and cost.

172
MCQ · easy

A company uses a single AWS account for development and production workloads. To improve security and cost allocation, the company decides to separate environments into multiple accounts. What is the PRIMARY benefit of using multiple accounts?

A.Reducing overall compute costs by sharing reserved instances across environments.
B.Simplifying backup and disaster recovery procedures.
C.Decreasing network latency between development and production environments.
D.Enabling centralized security controls and consolidated billing.
Answer: D

Multiple accounts allow SCPs and consolidated billing through AWS Organizations.

Why this answer

Separating environments into multiple AWS accounts provides a strong security boundary (via AWS Organizations SCPs) and enables consolidated billing with cost allocation tags. This allows centralized security controls (e.g., guardrails, IAM policies) across accounts while aggregating usage for volume discounts, which is the primary benefit for improving security and cost allocation.

Exam trap

The trap here is that candidates confuse the secondary benefit of cost savings (shared RIs) with the primary benefit of security isolation and centralized governance, which is the core reason for multi-account strategies in the SAP-C02 exam.

How to eliminate wrong answers

Option A is wrong because sharing Reserved Instances across accounts is possible with consolidated billing, but this is a cost-saving benefit, not the primary security and cost allocation benefit of multi-account separation. Option B is wrong because backup and disaster recovery procedures are not inherently simplified by multiple accounts; they often require cross-account replication and additional orchestration. Option C is wrong because network latency between environments is not decreased by separate accounts; in fact, inter-account traffic typically adds latency compared to intra-VPC communication within a single account.

173
Multi-Select · easy

A company wants to centrally manage IAM users across multiple AWS accounts using AWS IAM Identity Center (successor to AWS Single Sign-On). Which of the following are true? (Choose TWO.)

Select 2 answers
A.Users can be granted access to multiple accounts from a central location.
B.Users must be IAM users in each account.
C.Identity Center requires an on-premises Active Directory.
D.Permission sets are assigned to IAM roles in the management account.
E.Users can be created in the Identity Center directory.
Answers: A, E

Identity Center provides centralized access management.

Why this answer

Options A and E are correct. Option B is wrong because Identity Center does not use IAM users directly. Option D is wrong because Identity Center creates permission sets, not IAM roles in the management account.

Option C is wrong because Identity Center can integrate with Active Directory, but an on-premises directory is not required.

174
MCQ · easy

A company wants to centralize management of Amazon EC2 instances across multiple AWS accounts. They need to be able to run commands on instances in any account from a central management account. Which service should be used?

A.AWS Systems Manager
B.AWS Config
C.Amazon ECS
D.AWS OpsWorks
Answer: A

Systems Manager Run Command and Session Manager can target instances across accounts.

Why this answer

AWS Systems Manager (SSM) is the correct choice because it provides a unified interface to manage EC2 instances across multiple AWS accounts via the Systems Manager Agent (SSM Agent). With SSM, you can use Run Command, Session Manager, or State Manager to execute commands on instances in any account, as long as the instances are registered in AWS Systems Manager and the appropriate cross-account IAM roles and AWS Resource Access Manager (RAM) sharing are configured. This centralizes management without requiring SSH or bastion hosts.

Exam trap

The trap here is that candidates may confuse AWS Config's compliance and auditing capabilities with Systems Manager's operational command execution, or mistakenly think OpsWorks (which also uses agents) is suitable for cross-account command execution, but OpsWorks lacks native cross-account centralized command features and is more focused on application lifecycle management.

How to eliminate wrong answers

Option B (AWS Config) is wrong because AWS Config is a service for evaluating, auditing, and recording resource configurations and compliance over time, not for executing commands on EC2 instances. Option C (Amazon ECS) is wrong because Amazon ECS is a container orchestration service for running Docker containers, not a tool for managing EC2 instances or running commands on them. Option D (AWS OpsWorks) is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet, but it is designed for managing stacks and applications, not for centralized cross-account command execution on EC2 instances; it also requires agents and is more complex for simple command execution.

175
MCQ · easy

A company uses AWS Organizations with multiple accounts. The network team wants to centrally manage Amazon VPC IP addresses using Amazon VPC IP Address Manager (IPAM). They have enabled IPAM in the management account and delegated an administrator account. However, the delegated administrator account cannot create IPAM pools. What is the most likely cause?

A.The delegated administrator account does not have the required IAM permissions to manage IPAM
B.IPAM must be used only from the management account and cannot be delegated
C.IPAM is not supported in the AWS Region where the delegated administrator account operates
D.An SCP in the organization denies IPAM actions for all accounts
Answer: A

IAM permissions are necessary for the delegated account to perform IPAM actions.

Why this answer

Option A is correct because when you delegate an administrator account for IPAM in AWS Organizations, that account still requires explicit IAM permissions to perform IPAM actions such as creating pools. The delegation only allows the account to manage IPAM resources on behalf of the organization; it does not automatically grant the necessary IAM permissions. Without a policy that allows actions like `ec2:CreateIpamPool`, the delegated administrator will receive an authorization error.

Exam trap

The trap here is that candidates often assume delegation in AWS Organizations automatically grants full administrative permissions, but in reality, IAM policies are still required for the delegated account to perform specific actions.

How to eliminate wrong answers

Option B is wrong because IPAM does support delegation to a member account within AWS Organizations; it is not restricted to the management account only. Option C is wrong because IPAM is available in multiple AWS Regions, and the question does not indicate that the Region is unsupported; the issue is permissions, not regional availability. Option D is wrong because while an SCP could deny IPAM actions, the question states that the delegated administrator cannot create pools, which is most commonly due to missing IAM permissions rather than an SCP, and SCPs affect all accounts in the organization uniformly, not just the delegated administrator.

176
Matching · medium

Match each AWS migration service to its function.


Concepts
Matches

Track migration progress across multiple tools

Automate migration of on-premises servers to AWS

Migrate databases to AWS with minimal downtime

Rehost applications from physical or virtual servers

Simplify, automate, and accelerate moving data to AWS

Why these pairings

AWS provides services to simplify and automate migration tasks.

177
MCQ · medium

A company uses AWS Organizations and wants to centrally manage AWS Config rules across all member accounts. They have enabled AWS Config in the management account and used AWS Config aggregator to view compliance status across accounts. However, they want to enforce a specific Config rule in all accounts automatically. Which solution should they use?

A.Use AWS Config conformance packs with AWS Organizations to deploy the rule across all accounts.
B.Use the AWS Config aggregator to manually enable the rule in each account.
C.Use AWS CloudFormation StackSets to deploy a Config rule template to each account.
D.Create an SCP that requires all accounts to enable AWS Config.
Answer: A

Conformance packs can be deployed organization-wide.

Why this answer

Option A is correct because AWS Config conformance packs, and the rules they contain, can be deployed to all member accounts through AWS Organizations by selecting the 'All accounts' option. Option D is wrong because SCPs cannot enforce Config rules. Option C is wrong because CloudFormation StackSets can deploy rules but requires manual management.

Option B is wrong because the Config aggregator only aggregates, it does not enforce.

178
MCQ · medium

A company uses AWS Organizations with a multi-account strategy. The security team wants to restrict the use of specific instance types across all accounts. What is the MOST effective way to enforce this policy?

A.Create an IAM policy in each account that denies launching non-approved instance types.
B.Use AWS Config rules to detect non-compliant instances and trigger an AWS Lambda function to terminate them.
C.Create a Service Control Policy (SCP) that denies ec2:RunInstances for all users and then attach it to the root OU.
D.Create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not allowed, and attach it to the root organizational unit.
Answer: D

SCPs apply to all accounts in the OU.

Why this answer

Option D is correct because SCPs can deny the ec2:RunInstances action with a condition on the instance type across all accounts in the organization. Option A is wrong because IAM policies are account-specific and cannot be applied across accounts. Option B is wrong because Config rules only detect non-compliance; they do not enforce.

Option C is wrong because Service Control Policies cannot be applied to individual IAM users.

179
MCQ · medium

A company has a multi-account AWS environment with a centralized logging account. The security team wants to ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the logging account. The logging account's S3 bucket policy allows CloudTrail to write logs from other accounts. The CloudTrail trail in each account is configured to deliver to the centralized bucket. However, logs from some accounts are not appearing. The security team has verified that the IAM permissions for CloudTrail are correct. What is the most likely reason for the missing logs?

A.CloudTrail cannot deliver logs to a bucket in a different AWS account
B.The S3 bucket policy does not include a condition for aws:SourceOrgID
C.The S3 bucket policy does not grant CloudTrail write access from the source accounts
D.The accounts need to enable VPC endpoints for S3 to communicate with the logging account
Answer: C

The bucket policy must allow the CloudTrail service principal from each source account to write logs.

Why this answer

Option C is correct because the most likely reason for missing logs is that the S3 bucket policy in the logging account does not explicitly grant CloudTrail write access from the source accounts. Even though the bucket policy allows CloudTrail to write logs, it must identify the source account's CloudTrail (e.g., with the `aws:SourceAccount` or `aws:SourceArn` condition keys) to authorize cross-account writes. Without this, CloudTrail from other accounts cannot deliver logs to the centralized bucket, regardless of correct IAM permissions in the source accounts.

Exam trap

The trap here is that candidates often assume IAM permissions in the source account are sufficient, but they overlook that cross-account S3 access requires explicit permission in the destination bucket's resource-based policy, not just the source's identity-based policy.

How to eliminate wrong answers

Option A is wrong because CloudTrail can deliver logs to an S3 bucket in a different AWS account when the bucket policy grants the necessary cross-account permissions; this is a supported feature. Option B is wrong because `aws:SourceOrgID` is an optional condition key used for additional security (e.g., to prevent confused deputy issues) but is not required for basic cross-account log delivery; its absence would not prevent logs from appearing. Option D is wrong because VPC endpoints for S3 are not required for CloudTrail log delivery across accounts; CloudTrail communicates with S3 over the public internet or via AWS PrivateLink, but the issue here is policy-based, not network connectivity.

180
MCQ · medium

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

A.Use AWS PrivateLink to connect each VPC to the security VPC via interface endpoints.
B.Set up AWS Direct Connect gateway and route all traffic through the security account.
C.Create VPC peering connections between each VPC and the security VPC, then configure route tables to route traffic through the firewall.
D.Use AWS Transit Gateway with a central appliance VPC, and configure route tables to send traffic to the firewall for inspection.
Answer: D

Correct: Centrally managed and scales well.

Why this answer

Option D is correct because AWS Transit Gateway (TGW) allows you to centralize network traffic through a security appliance VPC. By attaching all VPCs to a single TGW and configuring route tables to route inter-VPC traffic to the firewall appliance in the security VPC, you meet the inspection requirement without manual route table manipulation in each spoke VPC. This design minimizes complexity by using a hub-and-spoke topology with centralized routing control.

Exam trap

The trap here is that candidates often choose VPC peering (Option C) because it is familiar, but they overlook the requirement to avoid route table manipulation and the lack of transitive routing, which makes peering unsuitable for centralized inspection across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink interface endpoints are used for private connectivity to specific services, not for routing all inter-VPC traffic through a firewall; they do not support traffic inspection between VPCs. Option B is wrong because AWS Direct Connect gateway is a managed service for connecting on-premises networks to multiple VPCs, not for routing traffic between VPCs in different accounts, and it does not inherently force traffic through a centralized firewall. Option C is wrong because VPC peering connections require explicit route table entries in every VPC to direct traffic through the firewall, which violates the requirement to minimize complexity and avoid route table manipulation; peering also does not support transitive routing, so you would need a full mesh of peering connections.

181
MCQ · medium

Refer to the exhibit. A company has created a CloudTrail trail named 'my-trail' in the management account of AWS Organizations. The trail is configured to deliver logs to a central S3 bucket. The security team wants to capture all management events from all accounts in the organization. Based on the exhibit, what is the most likely issue?

A.The trail is not a multi-region trail
B.The trail does not include global service events
C.The trail has log file validation enabled, which prevents cross-account delivery
D.The trail is not an organization trail
Answer: D

Only organization trails automatically capture events from all accounts in the organization.

Why this answer

Option D is correct because the trail is not an organization trail (IsOrganizationTrail: false). Organization trails automatically apply to all accounts in the organization. Without that, each account must create its own trail.

Option A is wrong because multi-region is not required for management events if the trail is in the correct region; the organization trail setting is the key. Option B is wrong because global service events are enabled. Option C is wrong because log file validation does not affect coverage.

182
Multi-Select · hard

A company is using AWS Organizations with multiple accounts. The security team wants to enforce encryption at rest for all Amazon S3 buckets across the organization. The solution must be automated and should not prevent existing compliant buckets from being used. Which TWO services should be combined to achieve this?

Select 2 answers
A.AWS Lambda
B.AWS Config
C.AWS Trusted Advisor
D.Service control policy (SCP)
E.AWS CloudFormation StackSets
Answers: B, E

Config can evaluate bucket encryption compliance.

Why this answer

Options B and E are correct because AWS Config can detect non-compliant buckets, and AWS CloudFormation StackSets can deploy a bucket policy to enforce encryption. Option D is wrong because SCPs cannot enforce encryption settings on existing buckets. Option C is wrong because AWS Trusted Advisor only provides recommendations, not enforcement.

Option A is wrong because AWS Lambda alone cannot deploy policies across accounts without additional orchestration.

183
MCQ · medium

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no IAM role in any member account can be assumed by a user from outside the organization. Which policy should be used?

A.Enable AWS CloudTrail to log role assumptions and send alerts when external assumptions occur.
B.Use AWS Config to detect roles with external trust relationships and automatically delete them.
C.Modify the trust policy of each IAM role to allow only principals from the organization.
D.Attach a service control policy (SCP) that denies sts:AssumeRole if the aws:PrincipalOrgID condition is not set.
Answer: D

SCPs with the aws:PrincipalOrgID condition can restrict role assumption to principals within the organization.

Why this answer

Option D is correct because a service control policy (SCP) can centrally enforce that all IAM role trust policies in member accounts require the `aws:PrincipalOrgID` condition key. This condition ensures that only principals within the organization can assume roles, blocking any external user from assuming a role even if the role's trust policy is misconfigured. SCPs apply to all accounts in an OU or organization, providing a preventive control that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often choose Option C (modifying trust policies) because it seems direct, but they overlook that SCPs provide a centralized, scalable, and preventive control that enforces the policy across all accounts without requiring per-role changes.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records events but does not prevent external role assumptions; it only provides visibility after the fact. Option B is wrong because AWS Config can detect roles with external trust relationships but cannot automatically delete them; it can trigger remediation actions via Systems Manager Automation, but deletion is not a native Config action and would require custom logic, and this approach is reactive rather than preventive. Option C is wrong because modifying the trust policy of each IAM role individually is impractical at scale across many accounts and roles, and it does not prevent a future role from being created with an overly permissive trust policy; it also lacks centralized enforcement.

184
MCQ · medium

A global company uses AWS Organizations with multiple business units. Each business unit has its own OU and VPCs that need to communicate with a central shared services VPC. The network team wants to minimize latency and maximize throughput. Which design should they use?

A.Create a VPN connection from each business unit VPC to the shared services VPC.
B.Deploy an AWS Transit Gateway and attach all VPCs (business unit and shared services) to it.
C.Use AWS PrivateLink to connect services in the shared services VPC to the business unit VPCs.
D.Set up VPC peering between each business unit VPC and the shared services VPC.
Answer: B

Transit Gateway acts as a hub for transitive routing, simplifying network management and providing high bandwidth.

Why this answer

AWS Transit Gateway acts as a hub-and-spoke router, allowing all VPCs (business units and shared services) to connect through a single gateway. This minimizes latency by using the AWS global network backbone and maximizes throughput with up to 50 Gbps per VPC attachment, scaling horizontally across multiple attachments. It simplifies management compared to mesh peering and avoids the bandwidth limitations of VPN or PrivateLink for inter-VPC routing.

Exam trap

The trap here is that candidates often choose VPC peering (D) due to its simplicity and zero additional cost, overlooking the management overhead and lack of transitive routing when scaling across many VPCs, while Transit Gateway provides a centralized, high-performance solution that aligns with the requirements for minimizing latency and maximizing throughput.

How to eliminate wrong answers

Option A is wrong because VPN connections introduce encryption overhead, higher latency, and throughput limits (typically up to 1.25 Gbps per tunnel), making them unsuitable for minimizing latency and maximizing throughput. Option C is wrong because AWS PrivateLink is designed for exposing specific services (e.g., via NLB) rather than full IP-level routing between VPCs, and it adds per-connection costs and does not support transitive routing or high-throughput bulk data transfer. Option D is wrong because VPC peering requires a full mesh of connections (each business unit VPC must peer individually with the shared services VPC), does not support transitive routing, and can hit the default limit of 125 peering connections per VPC, creating management overhead and potential scaling issues.

185
MCQ · medium

A security engineer created the above bucket policy on the central-logging-bucket in account 111111111111. They want account 222222222222 to deliver CloudTrail logs to this bucket. What is missing?

A.The prefix AWSLogs/111111111111 is incorrect; it should use the source account ID 222222222222.
B.The role CrossAccountRole does not exist in account 222222222222.
C.The bucket policy must grant s3:PutObject to the CloudTrail service principal, not to a role.
D.The bucket must be in the same account as CloudTrail.
Answer: C

CloudTrail uses its own service principal to write logs.

Why this answer

The bucket policy grants s3:PutObject to a specific role, but CloudTrail requires a bucket policy that grants s3:PutObject to the CloudTrail service principal for cross-account delivery. Option B is wrong because the role exists. Option D is wrong because the bucket already exists.

Option A is wrong because the prefix is correct for CloudTrail.

186
MCQ · easy

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required?

A.Enable IAM Identity Center in the management account and then register the member account as a delegated administrator.
B.Create a service control policy that allows the member account to manage IAM Identity Center.
C.Use AWS CloudFormation StackSets to deploy IAM Identity Center configurations to the member account.
D.Set up AWS Config rules to enforce IAM Identity Center settings in the member account.
Answer: A

This is the standard process to delegate administration.

Why this answer

To delegate administration of IAM Identity Center to a member account, you must first enable IAM Identity Center in the management account. Then, you can register the member account as a delegated administrator using the IAM Identity Center console or the RegisterDelegatedAdministrator API. This allows the member account to manage IAM Identity Center settings, users, and groups without requiring management account credentials.

Exam trap

The trap here is that candidates often confuse service control policies (SCPs) with delegation mechanisms, assuming an SCP can grant administrative rights, when in fact SCPs only deny or allow existing permissions and cannot delegate IAM Identity Center administration.

How to eliminate wrong answers

Option B is wrong because service control policies (SCPs) can only deny or allow actions at the account level, but they cannot delegate administrative permissions for IAM Identity Center; delegation requires explicit registration via the management account. Option C is wrong because AWS CloudFormation StackSets can deploy resources across accounts but cannot register a delegated administrator for IAM Identity Center, which is a management-plane operation. Option D is wrong because AWS Config rules can only evaluate and enforce compliance of resource configurations, not grant administrative delegation or manage IAM Identity Center settings.

187
MCQ · medium

A company is using AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have a specific AWS Config rule enabled and that any drift is automatically remediated. Which approach should be used?

A.Use EC2 Auto Scaling to apply the Config rule to all accounts.
B.Use AWS Control Tower lifecycle events and customizations to deploy the Config rule and set up automatic remediation.
C.Use AWS CloudTrail to monitor for accounts without the Config rule and trigger a Lambda function to add it.
D.Use AWS Config to create a conformance pack that applies the rule, and use an SCP to require it.
Answer: B

Control Tower provides governance and drift detection.

Why this answer

Option B is correct because Control Tower uses lifecycle events and customizations (like AWS Config rules) to detect and remediate drift. Option A is wrong because EC2 Auto Scaling is unrelated. Option D is wrong because AWS Config cannot enforce rules across all accounts without additional configuration like Control Tower.

Option C is wrong because CloudTrail does not enforce rules.

188
Multi-Select · medium

A company uses AWS Organizations and wants to establish a central logging solution. They need to collect CloudTrail logs from all accounts and store them in a central S3 bucket in the management account. Which THREE steps are required to achieve this?

Select 3 answers
A.Create an AWS Config rule to monitor CloudTrail configuration.
B.Apply a service control policy (SCP) to enforce CloudTrail logging.
C.Create a new CloudTrail trail in the management account with organization trail enabled.
D.Configure the trail to deliver logs to a central S3 bucket in the management account.
E.Enable CloudTrail in each member account individually.
Answers: C, D, E

An organization trail automatically applies to all accounts.

Why this answer

Option C is correct because enabling an organization trail in the management account allows CloudTrail to automatically create a trail that logs events for all accounts in the AWS Organization, eliminating the need to manually enable CloudTrail in each member account. This is the only way to centrally collect CloudTrail logs from all accounts without individual account configuration.

Exam trap

The trap here is that candidates often think they must enable CloudTrail in each member account individually (Option E) or use SCPs to enforce logging (Option B), but the organization trail feature in the management account handles both the creation and central delivery automatically.

189
MCQ · hard

A multinational corporation is migrating to AWS and needs to manage permissions across multiple accounts using AWS IAM Identity Center (successor to AWS SSO). The company has a central identity source in Microsoft Active Directory. They need to grant different levels of access to users based on their job function. Which combination of AWS services will provide the most scalable and maintainable solution?

A.Create a permission set in IAM Identity Center for each job function and assign to appropriate groups.
B.Use AWS Organizations to attach SCPs that grant permissions based on user tags.
C.Use attribute-based access control (ABAC) with IAM Identity Center and session tags from Active Directory.
D.Use IAM roles directly in each account and manage trust policies centrally.
AnswerC

ABAC with session tags allows permissions to be based on user attributes, simplifying management.

Why this answer

Option C is correct because it uses attribute-based access control (ABAC) with IAM Identity Center, which allows permissions to be dynamically granted based on user attributes (e.g., job function) passed as session tags from Active Directory. This approach scales seamlessly as users and accounts grow, since policies reference tags rather than individual users or groups, and it centralizes identity management without requiring per-account role updates.

Exam trap

The trap here is that candidates often choose Option A (permission sets per job function) because it seems straightforward, but they overlook the scalability and maintenance benefits of ABAC, which AWS explicitly recommends for large, dynamic environments with a central identity source.

How to eliminate wrong answers

Option A is wrong because creating a permission set per job function and assigning to groups still requires manual updates when job functions change or new accounts are added, leading to maintenance overhead and reduced scalability. Option B is wrong because AWS Organizations SCPs cannot grant permissions based on user tags; SCPs only provide coarse-grained guardrails (allow/deny) at the account level and cannot evaluate user-specific attributes like tags from Active Directory. Option D is wrong because managing IAM roles directly in each account with centralized trust policies becomes unmanageable as the number of accounts grows, requiring cross-account trust updates and increasing the risk of misconfiguration.

190
MCQhard

A company has a multi-account AWS environment with a shared services account that hosts Active Directory for authentication. Developers need to launch EC2 instances in development accounts and join them to the domain. What is the most secure way to allow this?

A.Establish VPC peering between the shared services VPC and each developer VPC
B.Create a shared secret for the domain and store it in AWS Secrets Manager in each developer account
C.Use AWS Systems Manager to automate domain join with a custom document
D.Use AWS Managed Microsoft AD in the shared services account and set up a trust relationship with each developer account
AnswerD

Trust relationships allow domain join across accounts securely.

Why this answer

Option D is correct because AWS Managed Microsoft AD in the shared services account can establish a one-way or two-way forest trust with a separate AWS Managed Microsoft AD directory in each developer account. This allows EC2 instances in the developer VPCs to authenticate against the shared Active Directory without exposing the directory directly across accounts, maintaining security boundaries while enabling seamless domain join.

Exam trap

The trap here is that candidates often assume VPC peering (Option A) is sufficient for cross-account domain join, but they overlook the need for a trust relationship between Active Directory domains and the complexities of DNS resolution across accounts.

How to eliminate wrong answers

Option A is wrong because VPC peering alone does not enable domain join; it only provides network connectivity between VPCs. The developer EC2 instances would still need to resolve and reach the Active Directory domain controller, and without proper DNS resolution and security group rules, domain join would fail. Option B is wrong because storing a shared secret (e.g., domain admin password) in Secrets Manager in each developer account violates the principle of least privilege and creates a security risk; it also does not automate the domain join process or handle the necessary DNS and network configuration.

Option C is wrong because AWS Systems Manager can automate domain join using a custom document, but it still requires the EC2 instances to have network access to the Active Directory domain controller and proper DNS resolution; it does not solve the cross-account authentication and trust challenge.

191
MCQmedium

A company has a central IT team that manages AWS Organizations. The development team needs to create and manage their own AWS accounts for new projects. What is the BEST way to automate account creation while maintaining governance?

A.Create an AWS Service Catalog product that uses AWS Organizations APIs to create a new account, applies a baseline CloudFormation template, and moves the account to the correct OU.
B.Use AWS CloudFormation StackSets to create accounts in bulk.
C.Use the AWS Organizations console to manually create accounts and assign them to the appropriate OU.
D.Give the development team the credentials to the management account and let them create accounts directly.
AnswerA

Service Catalog provides a self-service portal for end users with governance controls.

Why this answer

Option A is correct because it uses AWS Service Catalog to provide a self-service portal for the development team, while the central IT team retains governance by embedding AWS Organizations API calls to create accounts, apply a baseline CloudFormation template for security and compliance, and automatically move the account to the correct Organizational Unit (OU). This approach enforces guardrails without granting direct management account access.

Exam trap

The trap here is that candidates often confuse CloudFormation StackSets with account creation, but StackSets only operate on existing accounts, not create new ones.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets deploy resources across existing accounts and regions; they cannot create new AWS accounts. Option C is wrong because manual creation via the AWS Organizations console is not automated and does not scale for new projects, violating the requirement for automation. Option D is wrong because giving development team credentials to the management account violates the principle of least privilege and central governance, exposing the organization to security risks and accidental changes.

192
MCQhard

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The directory will be used for authentication across multiple VPCs in different accounts. The company needs to ensure that resources in all VPCs can resolve DNS names from the directory. What is the MOST scalable and secure solution?

A.Create a VPN connection between each VPC and the on-premises AD, then use DNS forwarders.
B.Use Amazon Route 53 private hosted zones and associate them with all VPCs.
C.Deploy the directory in each VPC and use AWS Managed Microsoft AD multi-region replication.
D.Deploy the directory in a shared services VPC in the management account. Use AWS Transit Gateway to connect all VPCs and configure the directory's DNS as a forwarder via Amazon Route 53 Resolver.
AnswerD

Transit Gateway gives every VPC a scalable path to the shared services VPC, and Route 53 Resolver forwards the directory's DNS zone to the directory's DNS servers.

Why this answer

Option D is correct because one AWS Managed Microsoft AD in a shared services VPC, reachable from every account's VPC through AWS Transit Gateway, is a single directory to operate, and a Route 53 Resolver outbound endpoint with a forwarding rule for the directory's domain (targeting the directory's two DNS IP addresses) resolves directory names from any VPC. The Resolver rule is shared to the other accounts with AWS Resource Access Manager and associated with each VPC, so no VPC runs its own forwarders. (In practice the directory belongs in a dedicated shared services account; the management account should hold no workloads.) Option A is wrong because the directory is being moved off-premises; a VPN per VPC back to on-premises AD neither scales nor fits the migration. Option B is wrong because a private hosted zone cannot serve the records the domain controllers own (SRV records, dynamically registered hosts); queries for the AD domain must be forwarded to the directory's DNS servers. Option C is wrong because a directory per VPC multiplies cost and trust management, and multi-region replication extends one directory across Regions, not across VPCs in the same Region.

193
Multi-Selecthard

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Select 2 answers
A.Attach an S3 bucket policy that denies access unless the aws:SourceVpce condition matches the approved VPC endpoint IDs.
B.Enable S3 Block Public Access at the account level.
C.Configure AWS Network Firewall in the central security account to inspect traffic to the S3 endpoints and allow only encrypted traffic.
D.Use AWS Certificate Manager to issue certificates for S3 bucket access.
E.Attach an S3 bucket policy that denies access unless the aws:SourceVpc condition matches the approved VPC IDs.
AnswersA, C

Pinning the bucket policy to approved endpoint IDs controls where requests may originate; Network Firewall covers the encryption-in-transit requirement.

Why this answer

Option A is correct because the `aws:SourceVpce` condition key in an S3 bucket policy restricts access to requests that arrive through the named VPC endpoints (gateway or interface), which directly enforces the rule that access must originate from approved VPCs. Option C is correct because the bucket policy says nothing about transport; AWS Network Firewall in the central security account can inspect traffic to the S3 endpoints and allow only TLS, covering the encryption-in-transit mandate.

Exam trap

The trap here is the pair `aws:SourceVpc` and `aws:SourceVpce`. Both keys are present in the request context only when the request comes through a VPC endpoint, so neither is broken by endpoint traffic; the difference is granularity. `aws:SourceVpc` accepts any endpoint in a listed VPC, while `aws:SourceVpce` pins the specific endpoint IDs the security team approved, which is the tighter control the question asks for. A Deny written with `StringNotEquals` also fires when the key is absent, so it blocks console and internet requests as well; exempt a break-glass principal or administrators lock themselves out. Candidates also overlook the transport requirement: S3 accepts plain HTTP unless a bucket policy (a Deny when `aws:SecureTransport` is false) or traffic inspection rejects it.

194
MCQhard

A company uses a cross-account IAM role 'LogDelivery' in account 111122223333 to write logs to an S3 bucket 'my-company-logs' in a logging account. The bucket policy is shown above. Logs are not being delivered. What is the MOST likely issue?

A.The bucket policy lacks s3:GetObject permission.
B.The bucket policy restricts access to a specific account only.
C.The IAM role is not trusted by the bucket policy.
D.The bucket policy has an explicit deny that overrides the allow.
AnswerB

The resource pattern includes account 111122223333, so logs from other accounts would be denied.

Why this answer

Option B is correct because the bucket policy's principal and resource pattern are scoped to account 111122223333. Deliveries that originate from any other account match no Allow statement and are denied by default. Option A is wrong because writing logs requires s3:PutObject; s3:GetObject is not needed for delivery. Option C is wrong because the policy does name the LogDelivery role in account 111122223333, so that role is trusted.

Option D is wrong because the policy contains no explicit Deny; the failure is a missing Allow, not an overriding Deny.

195
MCQeasy

A company has a centralized IT team that manages AWS accounts for multiple departments. They need to grant the team permissions to create and manage IAM roles in all accounts, but without giving them full administrator access. What should they use?

A.Use AWS Single Sign-On with permission sets.
B.Create an IAM user in each account with AdministratorAccess.
C.Use AWS Organizations with a delegated administrator for IAM.
D.Use cross-account roles with a policy that allows iam:CreateRole.
AnswerC

Delegated administrator can manage IAM across accounts.

Why this answer

Option C is correct because AWS Organizations lets the central team register a delegated administrator account and manage IAM across the member accounts from it, without handing out full administrator rights in every account. Option A is wrong because permission sets grant sign-in access for people; they are not a mechanism for creating roles in member accounts. Option B is wrong because AdministratorAccess in every account is exactly the full administrator access the requirement excludes.

Option D is wrong because a cross-account role in every account does not scale, and iam:CreateRole alone does not cover managing existing roles.

196
MCQmedium

A multinational company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled. The company wants to enforce this policy centrally without modifying each bucket individually. Which solution is MOST effective?

A.Apply a service control policy (SCP) to the root organizational unit that denies s3:PutBucketEncryption unless encryption is set.
B.Create an IAM role that all users must assume to create buckets, and attach a policy requiring encryption.
C.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to enable encryption.
D.Enable default encryption on each S3 bucket using a custom AWS Config rule.
AnswerA

SCPs centrally enforce policies on all accounts in the organization.

Why this answer

Option A is correct because an SCP attached at the root applies to every account in the organization, so a Deny on S3 write calls that do not carry the required encryption setting is enforced everywhere at once, with no per-bucket work. Option B is wrong because an IAM role lives in one account and cannot force users in other accounts to assume it. Option C is wrong because CloudTrail only records the call; a Lambda reacting to it fixes the bucket after the fact rather than enforcing the policy.

Option D is wrong because default encryption is a per-bucket setting and a Config rule only reports; neither is central enforcement. One caveat for practice: since January 2023 S3 applies SSE-S3 default encryption to every new bucket and object, so an SCP of this kind is usually written to require a particular key (SSE-KMS with an approved key) rather than encryption versus none.

197
MCQhard

A company has a multi-account AWS environment with a centralized security account. The security team wants to ensure that any IAM role created in any account with a trust policy allowing access from another AWS account must be approved by the security team. Which approach should be used?

A.Use service control policies (SCPs) to deny role creation unless the trust policy meets conditions
B.Use IAM policies to restrict who can create roles
C.Use AWS Lambda to automatically delete non-compliant roles
D.Use AWS Config rules to detect and alert on risky trust policies
AnswerA

SCPs prevent the role from being created in any account unless the request meets the stated conditions, which makes the security team's approval path the only way to get such a role.

Why this answer

Option A is correct because an SCP is the only one of the four that blocks the creation at the API, in every account, instead of reacting afterwards. One caveat to know before building it: SCP conditions evaluate request-context keys (the calling principal, tags, Region), not the body of the AssumeRolePolicyDocument, so no condition reads the trust policy's principals directly. The working pattern is to deny iam:CreateRole and iam:UpdateAssumeRolePolicy unless aws:PrincipalArn is the security team's approval pipeline role, and to have that pipeline check the trust policy for principals outside the organization before it creates the role. Option B is wrong because IAM policies are set per account and can be changed by each account's administrators. Option C is wrong because Lambda deletes a non-compliant role after it has existed; it does not prevent creation.

Option D is wrong because AWS Config detects and alerts but cannot deny.

198
Multi-Selecteasy

A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?

Select 2 answers
A.Use AWS Service Catalog to enforce S3 bucket encryption and public access settings.
B.Define a tag policy that requires encryption and public access tags on all S3 buckets.
C.Create an SCP to deny PutBucketAcl, PutBucketPolicy, and PutBucketPublicAccessBlock actions that do not meet the requirements.
D.Use IAM policies in the management account to restrict S3 permissions for all users.
E.Enable AWS Config and create rules to detect and automatically remediate non-compliant S3 buckets.
AnswersC, E

SCPs can centrally deny actions across all accounts.

Why this answer

Option C is correct because an SCP denies, in every account, the S3 configuration calls that would weaken encryption or public-access settings. Option E is correct because AWS Config rules find buckets that pre-date the policy or slipped through, and auto-remediation fixes them. Option A is wrong because Service Catalog only governs buckets provisioned through its products; a bucket created any other way is untouched.

Option B is wrong because a tag policy standardizes tag keys and values; a tag that says 'encrypted' enforces nothing. Option D is wrong because IAM policies in the management account apply only to principals in that account, not across the organization.

199
MCQeasy

A company uses AWS Organizations and has a requirement that all Amazon S3 buckets must have versioning enabled. The company wants to automatically enable versioning on any bucket that is created without it. Which solution should be implemented?

A.Use AWS Config with a managed rule s3-bucket-versioning-enabled and configure auto-remediation using an AWS Systems Manager Automation document to enable versioning.
B.Use an SCP to deny s3:CreateBucket unless versioning is enabled.
C.Use AWS Config to detect buckets without versioning and send an SNS notification.
D.Use AWS CloudFormation StackSets to deploy a bucket with versioning enabled in each account.
AnswerA

Config rule detects and auto-remediates by enabling versioning.

Why this answer

Option A is correct because AWS Config can detect S3 buckets without versioning using the managed rule `s3-bucket-versioning-enabled`, and then automatically remediate the noncompliant resource by invoking an AWS Systems Manager Automation document that enables versioning on the bucket. This provides a fully automated, event-driven solution that meets the requirement without manual intervention or blocking bucket creation.

Exam trap

The trap here is that candidates often choose Option B (SCP) because they assume SCPs can enforce API-level conditions like versioning, but SCPs cannot evaluate request parameters that are not supported as condition keys in the IAM policy context.

How to eliminate wrong answers

Option B is wrong because SCPs cannot conditionally deny `s3:CreateBucket` based on whether versioning is enabled at creation time; the `s3:CreateBucket` API call does not support a condition key for versioning, so the SCP would either block all bucket creation or be ineffective. Option C is wrong because sending an SNS notification only alerts administrators but does not automatically enable versioning, failing the requirement to 'automatically enable versioning'. Option D is wrong because AWS CloudFormation StackSets can only deploy resources in accounts where they are explicitly applied; they cannot retroactively fix buckets created outside the StackSet or in accounts not included in the stack instance, leaving gaps in coverage.

200
MCQmedium

A company is using AWS Organizations with multiple accounts. The central IT team wants to enforce that all EC2 instances are launched with specific tags (e.g., CostCenter and Environment). The solution should prevent any untagged instances from being created. Which approach should be taken?

A.Use AWS Service Catalog to provision EC2 instances only from pre-configured products that include required tags.
B.Use an AWS Config rule to detect untagged instances and trigger a Lambda function to terminate them.
C.Create an SCP that denies the ec2:RunInstances action if the required tags are not specified in the request.
D.Create an IAM policy for each account that requires tags on instance creation.
AnswerC

SCPs can enforce tagging requirements at the organization level.

Why this answer

Option C is correct because an SCP can deny ec2:RunInstances when the request carries no CostCenter or Environment tag (a Null condition on aws:RequestTag/<key>, one statement per required key, scoped to the instance and volume resource ARNs), and it is enforced in every account under the OU. Option A is wrong because Service Catalog only governs launches made through its products; a direct RunInstances call bypasses it. Option B is wrong because AWS Config detects the untagged instance after launch, and terminating it is cleanup, not prevention.

Option D is wrong because a per-account IAM policy has to be created and kept in sync in every account and can be edited by that account's administrators.

201
MCQeasy

A company is designing a centralized logging solution for multiple AWS accounts. They need to aggregate VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts into a single S3 bucket. Which AWS service should be used to centralize the log collection?

A.Amazon S3 cross-region replication
B.Amazon Kinesis Data Firehose
C.AWS CloudTrail
D.AWS Config
AnswerC

A CloudTrail organization trail is the one option with native delivery from every account in the organization to a single bucket.

Why this answer

Of the four options, only AWS CloudTrail has a built-in multi-account delivery mode: an organization trail created in the management account writes every member account's CloudTrail events to one designated S3 bucket, with no replication jobs or per-account roles. One correction to keep in mind: the trail carries CloudTrail events only. VPC Flow Logs and Route 53 Resolver query logs each have their own delivery configuration (a flow log's S3 destination; a Resolver query logging configuration, which can be shared across accounts with AWS RAM) that can point at the same central bucket, so the bucket is the single aggregation point even though the trail is not what moves those two log types.

Exam trap

The trap here is that candidates confuse CloudTrail's organization-wide delivery with Kinesis Data Firehose or S3 replication, but CloudTrail is the only listed service whose cross-account collection is native; Firehose and replication need cross-account roles and per-account configuration built by hand.

How to eliminate wrong answers

Option A is wrong because S3 cross-region replication replicates objects between buckets in different regions but does not collect or aggregate logs from multiple AWS accounts; it only copies existing objects. Option B is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that can ingest and transform data, but it is not designed to natively aggregate logs from multiple accounts into a single S3 bucket without custom cross-account IAM roles and additional configuration. Option D is wrong because AWS Config records resource configuration changes and compliance, not log aggregation; it cannot centralize VPC Flow Logs, CloudTrail logs, or DNS logs into a single S3 bucket.

202
MCQmedium

A large enterprise with multiple business units (BUs) uses AWS Organizations with a shared services account and BU-specific accounts. Each BU account has a VPC with multiple subnets. The shared services account hosts a central NAT gateway that provides outbound internet access to all BU private subnets via VPC peering. Recently, the network team noticed that traffic from one BU's private subnet is being blocked by the security group in the shared services account. They verified that the route tables are correctly configured. What is the most likely cause and solution?

A.The BU account's route table does not have a route to the NAT gateway's private IP. Add a route via the VPC peering connection.
B.The security group attached to the NAT gateway's ENI does not allow incoming traffic from the BU private subnet. Update the security group to allow inbound traffic from the BU subnet CIDR.
C.The VPC peering connection is not in the 'active' state. Recreate the VPC peering connection.
D.The NAT gateway's Elastic IP is not attached. Attach an Elastic IP to the NAT gateway.
AnswerB

NAT gateway's security group must allow inbound traffic from private subnets.

Why this answer

Within the scenario as written, the route tables are confirmed correct and the block is observed at the security group in the shared services account, so the fix is an inbound rule for the BU subnet's CIDR on that security group. Option B is correct. Option A is contradicted by the question (routes verified), Option C would show up as a routing failure rather than a security-group block, and Option D would break egress for every BU, not one subnet.

Two facts to know before building this for real: a NAT gateway has no security group of its own (only the network ACL of its subnet and the security groups of the instances behind it apply), and AWS does not route traffic to a NAT gateway across a VPC peering connection. A NAT gateway shared by several accounts is built with AWS Transit Gateway, with each spoke VPC's default route pointing at its transit gateway attachment.

203
MCQeasy

A company is using AWS Organizations with consolidated billing. They want to track costs by department, where each department has its own AWS account. Which service should they use to tag resources with department IDs and view cost breakdowns?

A.AWS Budgets with tag-based filters.
B.AWS Trusted Advisor cost optimization checks.
C.AWS Cost Explorer with tag-based filtering.
D.AWS Cost Explorer with cost allocation tags.
AnswerD

Cost allocation tags (user-defined) can be applied to resources and used in Cost Explorer to break down costs by department.

Why this answer

Cost allocation tags in AWS allow you to tag resources (e.g., EC2 instances, S3 buckets) with department IDs and then use AWS Cost Explorer to view cost breakdowns by those tags. This directly meets the requirement to track costs per department account within AWS Organizations with consolidated billing.

Exam trap

The trap here is confusing 'tag-based filtering' (which is not a native Cost Explorer feature) with 'cost allocation tags' (the correct mechanism), leading candidates to pick Option C instead of D.

How to eliminate wrong answers

Option A is wrong because AWS Budgets can filter a budget by tag, but it monitors spend against a threshold and does not provide a historical breakdown by department. Option B is wrong because AWS Trusted Advisor cost optimization checks recommend savings (idle resources, reserved capacity); they cannot tag resources or break down costs. Option C is wrong because Cost Explorer can only filter and group by a tag key after that key has been activated as a cost allocation tag; 'tag-based filtering' on its own names no feature, which makes Option D the precise answer.

204
Multi-Selectmedium

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances must use a specific AMI ID that is approved by the security team. Which two actions should the team take to achieve this? (Choose two.)

Select 2 answers
A.Create an SCP that denies ec2:RunInstances unless the ami id matches an approved list.
B.Use AWS Resource Access Manager to share the approved AMI with all accounts.
C.Use AWS Config rules to detect instances launched with non-approved AMIs and trigger remediation.
D.Use AWS CloudTrail to monitor instance launches and send alerts.
E.Attach an IAM policy to each account's IAM roles that allows only approved AMIs.
AnswersA, C

SCPs can deny actions based on conditions.

Why this answer

Options A and C are correct. An SCP denies ec2:RunInstances unless ec2:ImageID (evaluated on the image resource of the launch) is in the approved list, and AWS Config detects instances launched before the SCP existed or by an exempted principal and triggers remediation. Option B is wrong because sharing the approved AMI makes it available to every account but does nothing to stop other AMIs from being used; AMIs are shared through EC2 launch permissions, not AWS RAM.

Option D is wrong because CloudTrail records the launch and cannot block it. Option E is wrong because an IAM policy would have to be attached to every role in every account and can be edited by each account's administrators.

205
MCQhard

A company runs a global application on AWS spanning multiple regions. They need to enforce that IAM users in specific accounts can only launch EC2 instances in approved regions. The company uses AWS Organizations. What is the most effective way to enforce this?

A.Use AWS Config rules to detect EC2 instances in non-approved regions and trigger automatic termination.
B.Create IAM policies in each account that deny EC2 actions outside approved regions.
C.Use VPC endpoints to restrict API calls to approved regions.
D.Create a Service Control Policy (SCP) that denies EC2:RunInstances in non-approved regions.
AnswerD

SCPs are applied at the OU or account level and prevent actions.

Why this answer

Option D is correct because an SCP that denies ec2:RunInstances when aws:RequestedRegion is outside the approved list is enforced for every account under the OU, whatever the accounts' own IAM policies allow. Option A is wrong because AWS Config only detects the instance after it exists; termination is cleanup, not prevention. Option B is wrong because per-account IAM policies must be maintained in every account and can be changed by that account's administrators.

Option C is wrong because VPC endpoints provide private connectivity to a service; they do not restrict which Region an API call targets.
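The statements discussed in Q193 (endpoint pinning in a bucket policy) and in Q200, Q204 and Q205 (SCP denies on ec2:RunInstances for tags, AMI and Region) share one evaluation model, and the scoping details are where such policies usually go wrong. The block below is an added example, not code from the question bank or from AWS: a toy Python evaluator for that subset of the IAM policy language, with the Deny statements written out. The endpoint IDs, AMI ID, account ID and the BreakGlass role are assumptions; the TLS Deny is the bucket-policy alternative to the firewall inspection the Q193 answer uses.

```python
"""Toy evaluator for the Deny statements below (SCP and S3 bucket policy).
Added example, not code from the question bank; endpoint, AMI and account IDs
are invented. It models only explicit Deny, wildcard Action/Resource matching,
the StringEquals/StringNotEquals/StringLike/StringNotLike/Null/Bool operators,
and the IAM rule that a missing context key satisfies the negated operators."""
from fnmatch import fnmatchcase

APPROVED_VPCES = ["vpce-0a1b2c3d4e5f6a7b8", "vpce-1b2c3d4e5f6a7b8c9"]  # invented
APPROVED_AMIS = ["ami-0123456789abcdef0"]                             # invented
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]
LAKE = ["arn:aws:s3:::data-lake", "arn:aws:s3:::data-lake/*"]
TAGGED = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]

DATA_LAKE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # Q193: pin requests to approved endpoint IDs. A request that came through no
    # endpoint has no aws:SourceVpce key, so StringNotEquals matches and it is
    # denied too; StringNotLike exempts one break-glass role from that Deny.
    {"Sid": "OnlyApprovedEndpoints", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": LAKE,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": APPROVED_VPCES},
                   "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlass"}}},
    # Transport: the bucket-policy way to reject plaintext HTTP.
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": LAKE,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

SCP = {"Version": "2012-10-17", "Statement": [
    # Q200: one Deny per required tag (keys under one operator are ANDed, so one
    # Null block naming both tags would only catch launches missing both).
    # Resource is limited to the ARNs that carry request tags: with "*" the
    # statement would also match the image ARN, whose context never has
    # aws:RequestTag keys, and every launch would be denied.
    {"Sid": "RequireCostCenter", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": TAGGED, "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}},
    {"Sid": "RequireEnvironment", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": TAGGED, "Condition": {"Null": {"aws:RequestTag/Environment": "true"}}},
    # Q204: ec2:ImageID is a key of the image resource, so scope to image ARNs.
    {"Sid": "ApprovedAmisOnly", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*::image/*",
     "Condition": {"StringNotEquals": {"ec2:ImageID": APPROVED_AMIS}}},
    # Q205: aws:RequestedRegion is in every request context, so "*" is safe.
    {"Sid": "ApprovedRegionsOnly", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _cond(op, key, want, ctx):
    have = ctx.get(key)  # None: key absent from the request context
    wants = [str(w) for w in _as_list(want)]
    if op == "Null":
        return (have is None) == (wants[0].lower() == "true")
    if have is None:
        return op.startswith("StringNot")  # negated operators match on absence
    have = str(have)
    if op in ("StringEquals", "StringNotEquals"):
        return (have in wants) == (op == "StringEquals")
    if op in ("StringLike", "StringNotLike"):
        return any(fnmatchcase(have, w) for w in wants) == (op == "StringLike")
    if op == "Bool":
        return have.lower() == wants[0].lower()
    raise ValueError(f"operator not modelled: {op}")


def _matches(stmt, action, arn, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator, and every key under it, must hold.
    return all(_cond(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())


def denied(policy, action, resource_ctxs):
    """True if any Deny statement matches any (arn, context) pair. RunInstances is
    authorized against several resource types at once; one match blocks the call."""
    return any(_matches(s, action, arn, ctx)
               for s in policy["Statement"] if s["Effect"] == "Deny"
               for arn, ctx in resource_ctxs)


def run_instances(region, ami, tags, account="111122223333"):
    """Per-resource contexts of one RunInstances call, reduced to instance, root
    volume and image. Request tags appear only on the resources named in
    TagSpecifications, modelled here as instance and volume."""
    base = {"aws:RequestedRegion": region}
    tagged = {**base, **{f"aws:RequestTag/{k}": v for k, v in tags.items()}}
    return [(f"arn:aws:ec2:{region}:{account}:instance/*", tagged),
            (f"arn:aws:ec2:{region}:{account}:volume/*", tagged),
            (f"arn:aws:ec2:{region}::image/{ami}", {**base, "ec2:ImageID": ami})]


def s3_get(key, ctx):
    """One (arn, context) pair for a GetObject on the data lake."""
    return [(f"arn:aws:s3:::data-lake/{key}", ctx)]
```

What the evaluator shows: a fully tagged launch of an approved AMI in an approved Region passes; dropping one tag, using another AMI, or choosing us-east-1 is denied; changing the tag statement's Resource to "*" denies every launch, because the image ARN's context has no aws:RequestTag keys; and on the bucket side a request with no aws:SourceVpce key at all is denied while the BreakGlass role is not. The real evaluator has many more operators and key semantics; this one is only wide enough for these statements.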

206
Multi-Selectmedium

A company is implementing a multi-account strategy using AWS Organizations. They want to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which TWO steps are required to achieve this? (Choose two.)

Select 2 answers
A.Use S3 replication to copy logs from member account buckets to the central bucket.
B.Create an IAM role in each member account that allows CloudTrail to write to the central bucket.
C.Enable AWS Config in each member account to forward logs to the central bucket.
D.Create a CloudTrail trail in the management account with the 'Enable for all accounts in my organization' option.
E.Configure the S3 bucket policy to grant the CloudTrail service principal write access from all accounts.
AnswersD, E

This allows CloudTrail to deliver logs from all accounts to the management account's bucket.

207
MCQmedium

A company is using AWS Organizations to manage multiple accounts. The security team requires that all newly created member accounts automatically have an AWS Config rule enabled that checks whether S3 buckets have default encryption enabled. Which solution should be used?

A.Use an SCP in the root to require encryption on S3 buckets.
B.Use AWS CloudFormation StackSets with automatic deployment to deploy the AWS Config rule across all accounts in the organization.
C.Create an AWS Config rule in the management account and delegate an admin account to apply it to all member accounts.
D.Configure AWS CloudTrail to automatically enable the AWS Config rule in new accounts.
AnswerB

StackSets with automatic deployment apply templates to new accounts as they join the organization.

Why this answer

Option B is correct because a service-managed StackSet (with trusted access for CloudFormation StackSets enabled in AWS Organizations) with automatic deployment turned on deploys the Config rule, and the Config recorder it depends on, to every account in the target OUs and to each new account as it joins. Option A is wrong because an SCP limits permissions; it cannot create or enable a Config rule. Option C is wrong because a rule created in the management account is not applied to member accounts by delegation alone; something still has to deploy the rule and a recorder into each account.

Option D is wrong because CloudTrail records API calls; it deploys nothing.

208
MCQmedium

A company has multiple AWS accounts and wants to centralize logging from all accounts to a single S3 bucket in a logging account. The logs must be encrypted with a KMS key managed by the logging account. What is the MOST secure way to allow cross-account S3 server access logs?

A.Set the bucket policy to allow the source accounts to write logs, and enable default encryption on the bucket with the KMS key.
B.Use a bucket policy in the logging account that grants the S3 log delivery service principal access to write objects, and configure the KMS key policy to allow the log delivery service to use the key.
C.Create an IAM role in the logging account and allow the source accounts to assume it, then configure the source accounts to use that role for logging.
D.Configure the logging account's KMS key with a policy that allows the S3 service to use it, and set the bucket policy to allow the source accounts to write logs.
AnswerB

S3 server access logging writes with the logging.s3.amazonaws.com service principal, which needs both a grant in the target bucket policy and permission in the KMS key policy.

Why this answer

Option B is correct because the target bucket's policy must grant s3:PutObject to the logging service principal logging.s3.amazonaws.com (scoped with aws:SourceArn or aws:SourceAccount to the source buckets and accounts), and the logging account's KMS key policy must let that principal use the key; neither grant alone produces encrypted delivery. Option A is wrong because default bucket encryption with a KMS key does not by itself authorize the logging service to call KMS; the key policy has to allow it. Option C is wrong because S3 server access logging does not assume IAM roles; it writes as the service principal.

Option D is wrong because the grants belong to the logging service principal, not to the source accounts, and 'the S3 service' in the key policy is broader than the logging principal that actually needs the key.

209
Multi-Selecteasy

A company wants to implement a data perimeter across all AWS accounts to prevent data exfiltration. Which TWO strategies should the company use? (Choose TWO.)

Select 2 answers
A.Disable public access to all S3 buckets and restrict cross-account access.
B.Use AWS Resource Access Manager to share resources only with trusted accounts.
C.Use SCPs to deny access to external AWS accounts unless explicitly allowed.
D.Use VPC endpoints for all AWS services and ensure they are private.
E.Use security groups to restrict outbound traffic to known IP addresses.
AnswersB, C

RAM allows fine-grained control over resource sharing within the organization.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) enables you to share resources such as subnets, transit gateways, and License Manager configurations only with specific AWS accounts or organizational units, which directly supports a data perimeter by preventing unintended cross-account access. Option C is correct because Service Control Policies (SCPs) can be applied at the organization root, OU, or account level to deny access to external AWS accounts unless explicitly allowed, effectively creating a boundary that prevents data exfiltration to unauthorized accounts.

Exam trap

The trap here is that candidates often confuse network-level controls (like VPC endpoints or security groups) with identity and resource-based perimeter controls, leading them to choose options D or E, which only address network paths and not the authorization boundaries needed to prevent data exfiltration across accounts.

210
MCQeasy

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket. The logging accounts are part of an AWS Organization. Which approach should be used to allow CloudTrail to deliver logs from all accounts to the central bucket?

A. Configure the central S3 bucket policy to allow CloudTrail from all accounts in the organization to write logs.
B. Use a VPC endpoint and route logs through a central VPC.
C. Attach an SCP to allow CloudTrail to write to the central bucket.
D. Create an IAM role in each member account and allow the central account to assume it.
Answer: A

A bucket policy with a condition on aws:SourceOrgID allows all accounts in the organization.

Why this answer

Option A is correct because CloudTrail can deliver logs from all accounts in an AWS Organization to a single central S3 bucket by configuring the bucket policy to grant the CloudTrail service principal (cloudtrail.amazonaws.com) from each member account the s3:PutObject permission. This approach leverages the organization's trusted access, eliminating the need for individual IAM roles or cross-account assumptions, as CloudTrail automatically uses the organization's management account to validate member account identities.

Exam trap

The trap here is that candidates often confuse SCPs with resource-based policies, thinking an SCP can grant cross-account write access to an S3 bucket, when in reality only the bucket policy (or a combination of bucket policy and IAM) can authorize CloudTrail's service principal from another account.

How to eliminate wrong answers

Option B is wrong because VPC endpoints (Gateway or Interface endpoints) provide private connectivity to AWS services from within a VPC, not cross-account log delivery from CloudTrail; CloudTrail delivers logs directly to S3 over the public internet or via an interface endpoint, and routing through a central VPC does not solve the multi-account authorization requirement. Option C is wrong because Service Control Policies (SCPs) restrict permissions across accounts in an organization rather than granting them; an SCP cannot grant CloudTrail permission to write to a bucket, because it only bounds which actions the accounts' principals may be allowed, and the actual write permission must come from the bucket policy or IAM. Option D is wrong because CloudTrail does not use IAM roles for cross-account log delivery; it relies on the bucket policy to grant the CloudTrail service principal from each account the necessary write access, making IAM role assumption unnecessary and architecturally incorrect.

211
MCQ · medium

A company with multiple AWS accounts wants to centrally manage network security policies. The security team needs to inspect all traffic between VPCs in different accounts and block malicious traffic. Which solution is MOST operationally efficient?

A. AWS PrivateLink to route traffic through a centralized security appliance in a single account.
B. VPC Peering connections between all VPCs and use security groups to control traffic.
C. AWS Network Firewall with AWS Firewall Manager and AWS Resource Access Manager to deploy across accounts.
D. AWS Transit Gateway with a centralized inspection VPC using a Gateway Load Balancer.
Answer: C

This provides centralized policy management and automatic deployment across accounts with minimal operational effort.

Why this answer

Option C is correct because AWS Network Firewall, combined with AWS Firewall Manager and AWS Resource Access Manager, provides a centralized, policy-based approach to deploy and manage network security rules across multiple accounts and VPCs. Firewall Manager allows you to define common security policies (e.g., domain filtering, intrusion prevention) and automatically apply them to new and existing VPCs, while RAM enables sharing the firewall subnet across accounts. This eliminates the need for manual per-account configuration, making it the most operationally efficient solution for centrally inspecting and blocking malicious traffic between VPCs in different accounts.

Exam trap

The trap here is that candidates often assume AWS Transit Gateway with a Gateway Load Balancer is the most operationally efficient because it provides centralized inspection, but they overlook the automated policy management and cross-account deployment capabilities of AWS Firewall Manager, which reduces operational overhead significantly for multi-account environments.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink is designed for private connectivity to services (e.g., VPC endpoints) and does not provide traffic inspection or routing capabilities; it cannot inspect or block traffic between VPCs. Option B is wrong because VPC Peering creates point-to-point connections without a central inspection point, requiring security groups to be managed per VPC, which is not scalable for cross-account traffic inspection and does not support centralized policy enforcement. Option D is wrong because while AWS Transit Gateway with a centralized inspection VPC using a Gateway Load Balancer can inspect traffic, it requires significant manual setup (e.g., route tables, GWLB endpoints) and does not offer the same level of automated policy deployment and management across accounts as Firewall Manager, making it less operationally efficient.

212
MCQ · medium

A company uses AWS Organizations and wants to allow certain accounts to use AWS Service Catalog for self-service provisioning. The IT team needs to control which products are available. Where should the product portfolio be shared?

A. Share the portfolio with the target accounts from the Service Catalog console
B. Use AWS CloudFormation StackSets to deploy products to each account
C. Use SCPs to allow specific accounts to use Service Catalog
D. Create IAM roles in the central account that developers can assume
Answer: A

Portfolio sharing enables cross-account access to products.

Why this answer

Option A is correct because AWS Service Catalog allows you to share a product portfolio directly with individual AWS accounts or organizational units (OUs) within AWS Organizations. By sharing the portfolio from the Service Catalog console, the IT team can control which products are available to specific accounts, enabling self-service provisioning while maintaining governance. This approach leverages Service Catalog's native portfolio sharing mechanism, which does not require additional infrastructure or cross-account IAM roles.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog portfolio sharing with other cross-account mechanisms like CloudFormation StackSets or IAM roles, failing to recognize that Service Catalog's native sharing via RAM is the correct way to control product availability for self-service provisioning.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets are used to deploy infrastructure across multiple accounts and regions, but they do not provide a self-service catalog for end users to provision products on demand; they are an automation tool, not a governance mechanism for product availability. Option C is wrong because Service Control Policies (SCPs) are used to restrict permissions at the AWS Organizations level, but they cannot control which specific Service Catalog products are available to an account; SCPs only allow or deny actions on the Service Catalog API, not portfolio-level sharing. Option D is wrong because creating IAM roles in the central account for developers to assume does not directly control which Service Catalog products are available in target accounts; it only grants cross-account access, but the portfolio must still be shared with the target account for the products to appear in that account's Service Catalog.

213
MCQ · hard

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to use AWS Transit Gateway to connect VPCs across accounts. The network team has created a Transit Gateway in the network account and shared it using AWS Resource Access Manager (RAM) with the workload accounts. The workload accounts have created VPC attachments to the Transit Gateway. However, traffic is not flowing between the VPCs. The route tables in the workload VPCs have routes pointing to the Transit Gateway. What is the most likely cause?

A. The Transit Gateway is in a different AWS account, so route propagation is not automatic.
B. The Transit Gateway route tables do not have routes for the attached VPCs.
C. The security groups in the workload VPCs are blocking traffic.
D. VPC flow logs are not enabled.
Answer: B

Transit Gateway route tables need routes to forward traffic.

Why this answer

Option B is correct because even if the Transit Gateway is shared and attachments are created, the Transit Gateway route tables must have routes for the VPCs to communicate. By default, the Transit Gateway route table does not propagate attachments automatically. Option A is wrong because, although the Transit Gateway is in a different account, it is shared through RAM, which is sufficient.

Option C is wrong because security groups operate within the VPC, not on the Transit Gateway. Option D is wrong because VPC flow logs are not required for traffic to flow.

214
MCQ · easy

A company wants to centralize management of AWS resources across multiple accounts using AWS Control Tower. What is a prerequisite for setting up Control Tower?

A. A pre-configured landing zone.
B. An AWS Organizations management account.
C. At least three organizational units (OUs).
D. Existing AWS Config rules in all accounts.
Answer: B

Control Tower is built on Organizations.

Why this answer

Option B is correct because Control Tower requires an AWS Organizations management account. Option A is wrong because Control Tower sets up the landing zone itself. Option C is wrong because the required OUs are created automatically.

Option D is wrong because existing AWS Config rules are not required.

215
MCQ · medium

A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?

A. Use CloudFormation StackSets to deploy Route 53 private hosted zones in each account
B. Use Route 53 Resolver outbound endpoints in the central account and share Resolver rules with other accounts using AWS RAM
C. Create a VPC peering connection between each VPC and the central account's VPC
D. Use AWS PrivateLink to connect VPCs to a central DNS service
Answer: B

This allows conditional forwarding of DNS queries to the central hosted zones.

Why this answer

Option B is correct because Route 53 Resolver rules can be shared with other accounts using AWS Resource Access Manager (RAM), and outbound endpoints can forward queries. Option C is wrong because VPC peering does not support DNS resolution of private hosted zones across accounts by default. Option D is wrong because PrivateLink is for accessing services, not DNS.

Option A is wrong because CloudFormation does not provide DNS resolution.

216
MCQ · easy

A company uses AWS Organizations with a single OU for all accounts. The security team wants to prevent any account from leaving the organization without approval. What should they do?

A. Configure IAM policies on the root user of each account to deny leave actions.
B. Create an AWS Config rule to detect leave attempts.
C. Enable AWS CloudTrail to monitor leave events and send alerts.
D. Apply an SCP that denies the organizations:LeaveOrganization action.
Answer: D

SCP can deny the action across all accounts.

Why this answer

An SCP with a Deny effect on organizations:LeaveOrganization prevents any account from leaving. Option A is wrong because IAM is account-specific. Option C is wrong because CloudTrail only logs.

Option B is wrong because a Config rule only detects; it doesn't prevent.

217
MCQ · hard

A multinational corporation is using AWS Organizations with hundreds of accounts. The finance team needs to track costs by cost center, which is stored as a tag on each resource. However, some resources are missing the tag. What is the most efficient way to ensure that all resources are tagged correctly going forward?

A. Use AWS Config rules to identify untagged resources and send alerts
B. Use tag policies in AWS Organizations to enforce tagging on new resources
C. Attach an SCP that denies all actions if the resource does not have the cost center tag
D. Create a Lambda function that runs daily to tag untagged resources
Answer: B

Tag policies proactively enforce tagging rules.

Why this answer

Option B is correct because tag policies in AWS Organizations allow you to define a set of tagging rules that are enforced across all accounts in the organization. When a tag policy is attached to an organizational root, OU, or account, AWS automatically prevents the creation of resources that do not comply with the specified tags, ensuring that all new resources are tagged correctly from the start without requiring manual remediation or custom scripts.

Exam trap

The trap here is that candidates often confuse AWS Config rules (detective control) with tag policies (preventive control), or incorrectly assume that SCPs can enforce tagging at resource creation, when in fact SCPs cannot condition on resource tags for most services and are not designed for tag enforcement.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect and alert on untagged resources after they are created; they do not prevent the creation of untagged resources, so they are not the most efficient way to ensure tagging going forward. Option C is wrong because an SCP that denies all actions if a resource does not have the cost center tag would be overly broad and impractical—SCPs cannot condition on resource tags at the time of creation for most services, and such a policy would block legitimate actions on existing untagged resources or services that do not support tag-based conditions. Option D is wrong because a Lambda function that runs daily to tag untagged resources is reactive and inefficient; it does not prevent the creation of untagged resources and adds operational overhead, whereas tag policies enforce tagging proactively at resource creation.

218
MCQ · hard

A global company uses a multi-account AWS Organizations structure with hundreds of accounts. The network team wants to centrally manage VPC flow logs for all accounts and send them to a centralized S3 bucket in the security account. Which solution is MOST scalable and operationally efficient?

A. Use AWS Config to detect VPCs without flow logs and trigger a Lambda function to enable them.
B. Use CloudFormation StackSets to deploy a stack that enables VPC flow logs in every account and region, sending logs to a centralized S3 bucket with appropriate bucket policies.
C. Write a script that uses the AWS API to enable VPC flow logs in each account and region, triggered by AWS Config rules.
D. Set up a VPN connection from each account to the security account and configure flow logs to use an S3 endpoint in the security account.
Answer: B

StackSets allow automated deployment across accounts and regions with minimal overhead.

Why this answer

CloudFormation StackSets allow you to deploy a single CloudFormation template across multiple accounts and regions in an AWS Organization, making it the most scalable and operationally efficient solution for centrally enabling VPC Flow Logs. By including the appropriate S3 bucket policy in the security account, you can ensure logs from all accounts are delivered to a centralized bucket without manual intervention.

Exam trap

The trap here is that candidates often overcomplicate the solution by considering VPNs or custom scripts, when the most scalable and operationally efficient approach is to use CloudFormation StackSets with a service-managed permission model to deploy a standardized stack across the entire organization.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect non-compliant VPCs, but relying on a Lambda function to enable flow logs introduces a single point of failure and is less scalable than a declarative, infrastructure-as-code approach like StackSets. Option C is wrong because writing a custom script that uses the AWS API to enable flow logs in each account and region is error-prone, requires ongoing maintenance, and does not provide the same level of consistency and rollback capabilities as StackSets. Option D is wrong because setting up a VPN connection from each account to the security account is unnecessary and adds significant complexity and cost; VPC Flow Logs can be delivered directly to a centralized S3 bucket using a bucket policy that grants cross-account access, without requiring network connectivity.

219
MCQ · easy

A company uses AWS Organizations with a management account and multiple member accounts. The management account has a trail in AWS CloudTrail that logs all management events for all accounts. The security team wants to also log data events for S3 buckets across all accounts. They create a new trail in the management account with data events enabled for all S3 buckets in all accounts. However, data events from member accounts are not appearing in the CloudTrail logs. What is the most likely cause?

A. The S3 bucket in the management account does not have a bucket policy that allows CloudTrail to write logs from member accounts.
B. The trail is not configured to log data events for all S3 buckets; it only logs for specific buckets.
C. Data events for S3 buckets are not logged centrally by a trail created in the management account; each account must have its own trail for data events.
D. The S3 bucket is encrypted with a KMS key that CloudTrail does not have permission to use.
Answer: C

Data events are per-account unless using advanced event selectors with cross-account support (which is not default).

Why this answer

Option C is correct because a trail in the management account can log management events for all accounts, but data events for member accounts are per-account: unless advanced event selectors with cross-account support are used, a standard trail requires account-specific settings, so each member account needs its own trail for data events (the trail's 'Include global services' option is not relevant here). Option A is wrong because CloudTrail does not require S3 bucket policies for logging.

Option B is wrong because the trail was configured for all S3 buckets, not for specific ones. Option D is wrong because encryption does not affect logging.

220
MCQ · hard

A financial services company uses AWS Organizations with a multi-account structure: a central security account, a shared services account, and multiple workload accounts. The security team needs to centrally manage and audit all changes to security groups across all accounts. They have implemented AWS Config with an aggregator in the security account. However, they notice that changes to security groups in workload accounts are not appearing in the aggregator. The workload accounts have AWS Config enabled and are recording security group changes. The security account has the necessary cross-account permissions. What is the most likely cause and solution?

A. The security account is not authorized in each workload account's Config settings. The security team must add the security account as an authorized aggregator in each workload account.
B. AWS CloudTrail is not enabled in workload accounts. The security team must enable CloudTrail.
C. Service Control Policies are blocking cross-account access. The security team must modify SCPs to allow Config aggregation.
D. AWS Config in workload accounts is not recording security group changes. The security team must enable recording for security groups.
Answer: A

Config aggregator requires explicit authorization from source accounts.

Why this answer

Option A is correct because an AWS Config aggregator requires an aggregator authorization to be set up in each source account. Without this authorization, the aggregator cannot collect data. Option D is wrong because Config is already recording changes.

Option B is wrong because CloudTrail is not needed for Config aggregation. Option C is wrong because SCPs do not block Config aggregation.

221
Multi-Select · medium

A company is implementing a hybrid network architecture with multiple VPCs in different AWS accounts. They need to ensure private connectivity between the VPCs and their on-premises data center. Which TWO services should they use together to meet this requirement?

Select 2 answers
A. AWS Direct Connect
B. Amazon Route 53 Resolver
C. VPC peering
D. AWS Transit Gateway
E. AWS Client VPN
Answers: A, D

Direct Connect provides private, dedicated connectivity to on-premises.

Why this answer

AWS Direct Connect provides a dedicated private network connection from an on-premises data center to AWS, bypassing the public internet for consistent latency and bandwidth. AWS Transit Gateway acts as a central hub to interconnect multiple VPCs across different AWS accounts and route traffic to the Direct Connect virtual interface, enabling a scalable hub-and-spoke architecture for hybrid connectivity.

Exam trap

The trap here is that candidates often choose VPC peering (Option C) thinking it can connect multiple VPCs to on-premises directly, but VPC peering lacks transitive routing and cannot terminate a Direct Connect connection, making Transit Gateway the required central aggregation point.

222
MCQ · easy

Refer to the exhibit. A company runs this CLI command and sees the output. Which account is the management account?

A. 333333333333
B. 222222222222
C. o-example1
D. 111111111111
Answer: D

The management account is the one that created the organization; it is typically the first account.

Why this answer

Option D is correct. The management account is the account that created the organization and invited the others, and in list-accounts output it is typically the first account listed; here that is 111111111111 (admin@example.com). Note that the management account appears in the listing with JoinedMethod: INVITED.

The account ARN format is arn:aws:organizations::management-account-id:account/o-orgid/account-id, so the management account ID can also be read from the ARN. In this exhibit the ARN shows 222222222222, which matches neither of the two listed accounts (111111111111 and 333333333333), so the exhibit is inconsistent on that point; the intended answer is the first listed account, 111111111111. Option C is wrong because o-example1 is the organization ID, not an account ID.

223
MCQ · hard

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts in AWS Organizations. The logs are stored in Amazon S3. The security team needs to query these logs for specific IP addresses and time ranges. Which solution is MOST cost-effective and scalable?

A. Use Amazon Athena to query the logs directly in S3.
B. Use Amazon S3 Select to retrieve only the relevant log entries based on the IP address and time range.
C. Stream the logs to Amazon OpenSearch Service for real-time querying.
D. Use AWS Glue to catalog the logs and query with Amazon Redshift Spectrum.
Answer: B

S3 Select filters server-side and only returns matching data, minimizing data transfer and cost.

Why this answer

Amazon S3 Select allows you to retrieve only a subset of data from an object using SQL expressions, making it highly cost-effective for scanning large log files for specific IP addresses and time ranges. It reduces the amount of data transferred and processed compared to reading the entire object, and it scales automatically without provisioning any infrastructure. This approach is ideal for ad-hoc queries on structured or semi-structured log data stored in S3.

Exam trap

The trap here is that candidates often assume Athena is the default choice for querying S3 logs, overlooking that S3 Select is more cost-effective for simple, selective row retrieval from individual objects without the need for a full SQL engine or schema-on-read overhead.

How to eliminate wrong answers

Option A is wrong because Amazon Athena would require scanning the entire dataset (or using partitions) and incurs costs based on the amount of data scanned per query, which is less cost-effective than S3 Select for simple filtering on individual objects. Option C is wrong because streaming logs to Amazon OpenSearch Service involves ongoing ingestion costs, cluster management overhead, and is not as cost-effective for infrequent, ad-hoc queries on historical log data. Option D is wrong because AWS Glue and Redshift Spectrum introduce additional complexity and cost for cataloging and querying, and are overkill for simple IP and time-range filtering on log files that can be handled directly with S3 Select.

224
MCQ · medium

A company uses AWS Organizations with multiple accounts. They want to centralize VPC flow logs for all VPCs across accounts. The logs should be stored in a central S3 bucket in the management account. What is the MOST efficient way to achieve this?

A. Use a bucket policy on the central S3 bucket to allow cross-account delivery from all accounts.
B. Enable VPC flow logs at the organization level using CloudTrail.
C. Create a flow log in each account and configure it to deliver to a central S3 bucket.
D. Use CloudWatch Logs in each account and stream to a central log group.
Answer: A

Bucket policy allows any account to deliver logs to that bucket.

Why this answer

Option A is correct because you can create a bucket policy in the management account that allows cross-account delivery. Option C is wrong because it requires manual setup in each account, and enabling flow logs on each VPC individually is inefficient. Option D is wrong because CloudWatch Logs is not centralized.

Option B is wrong because VPC flow logs are not enabled through CloudTrail; CloudTrail records API activity, not network flows.

225
MCQ · hard

A company is using a multi-account strategy with AWS Organizations. The security team discovers that an SCP intended to block access to non-compliant AWS regions is not working. The SCP is attached to the root OU. When a user in a member account attempts to launch an EC2 instance in a blocked region, the request succeeds. What is the most likely cause?

A. The IAM policy of the user overrides the SCP.
B. The SCP is not attached to the member account's OU.
C. The SCP is missing an explicit allow statement for the regions.
D. The user belongs to the management account, and SCPs do not apply to the management account.
Answer: D

SCPs do not affect the management account.

Why this answer

SCPs do not apply to the management account of an AWS Organizations hierarchy. Since the user belongs to the management account, the SCP attached to the root OU has no effect on their actions, allowing the EC2 launch in a blocked region to succeed.

Exam trap

The trap here is that candidates assume SCPs apply to all accounts in the organization, forgetting the explicit exemption for the management account, which is a common oversight in multi-account security scenarios.

How to eliminate wrong answers

Option A is wrong because IAM policies cannot override SCPs; SCPs set the maximum permissions boundary, and any action denied by an SCP cannot be allowed by an IAM policy. Option B is wrong because the SCP is attached to the root OU, which applies to all member accounts and OUs under it, so the member account's OU is already covered. Option C is wrong because SCPs use an implicit deny by default; an explicit allow is not required for regions not blocked—only an explicit deny is needed to block them.
