CCNA Org Complexity Questions

75 of 455 questions · Page 6/7 · Org Complexity topic · Answers revealed

376
MCQeasy

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with a specific KMS key. What is the MOST efficient way to achieve this?

A.Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to encrypt them retroactively.
B.Attach a service control policy (SCP) to the root organizational unit that denies s3:PutBucketEncryption unless the specified KMS key is used.
C.Deploy a CloudFormation StackSet that creates a bucket policy in each account requiring encryption.
D.Create an IAM policy in each account that denies PutBucketEncryption unless the specified KMS key is used.
AnswerB

SCPs can enforce policies across all accounts in an OU, including preventing non-compliant actions.

Why this answer

Using an SCP under the root OU prevents any account from creating unencrypted buckets or using a different KMS key. Option A is wrong because individual account IAM policies are harder to manage at scale. Option C is wrong because AWS Config can detect but not enforce.

Option D is wrong because CloudFormation StackSets require manual deployment to each account.

377
MCQhard

A company is using AWS Organizations with hundreds of accounts. They need to ensure that no account can modify the VPC default security group. Which SCP should they apply to the root OU?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:DeleteSecurityGroup","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifySecurityGroup*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifySecurityGroupRules","Resource":"arn:aws:ec2:*:*:security-group/*","Condition":{"StringEquals":{"ec2:Vpc":"arn:aws:ec2:*:*:vpc/*"}}}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateSecurityGroup","Resource":"*"}]}
AnswerC

Denies modification of rules on any security group but not creation/deletion.

Why this answer

Option A is correct because it denies the ec2:ModifySecurityGroupRules action on the default security group. Option B is wrong because it denies all security group modifications. Option C is wrong because it denies creation.

Option D is wrong because it denies deletion.

378
MCQhard

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

A.The S3 bucket has a lifecycle policy that deletes logs after a short period.
B.The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
C.The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
D.The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.
AnswerC

The bucket policy likely restricts access to the logging account's role, so the analyst's direct access is denied.

Why this answer

Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.

Exam trap

The trap here is that candidates often overlook bucket policy conditions that restrict principal types, assuming that granting read-only access to the S3 bucket via IAM is sufficient, when in fact the bucket policy itself may explicitly deny access to non-service principals.

How to eliminate wrong answers

Option A is wrong because a lifecycle policy that deletes logs after a short period would cause logs to be missing, but the analyst cannot access any logs at all, indicating a permissions issue rather than data absence. Option B is wrong because requiring the analyst to assume a role in the logging account is a valid cross-account access pattern; if the bucket policy allowed it, the analyst could assume the role and access the logs, so this is not the most likely cause. Option D is wrong because while KMS encryption could block access if the analyst lacks decrypt permissions, the question states the analyst has read-only access to the S3 bucket, and KMS key permissions are separate from S3 bucket policies; the most likely cause is a bucket policy restriction, not encryption.

379
MCQhard

A company with multiple AWS accounts wants to centralize CloudTrail logging. They create a CloudTrail trail in the management account that logs all events across all accounts and regions. However, the security team notices that some management events from member accounts are not being logged. What is the most likely cause?

A.The SCPs applied to member accounts are blocking CloudTrail from sending logs.
B.CloudTrail is a regional service and the trail is only in one region.
C.Member accounts have IAM policies that deny CloudTrail logging.
D.The trail was not created as an organization trail.
AnswerD

An organization trail must be enabled to log events from all accounts.

Why this answer

Option B is correct because a single trail in the management account can log events for all member accounts only if CloudTrail is configured to include all accounts (organization trail). Option A is wrong because SCPs do not affect CloudTrail logging. Option C is wrong because CloudTrail is not a regional service; organization trails log all regions.

Option D is wrong because IAM permissions do not affect logging once the trail is configured.

380
Multi-Selectmedium

A company uses AWS Organizations with 50 accounts. They need to manage EC2 instance inventory across all accounts. Which THREE steps are necessary to achieve this?

Select 3 answers
A.Configure Amazon CloudWatch agent to send inventory data.
B.Set up an AWS Config aggregator in the management account.
C.Enable AWS Systems Manager Inventory in each account.
D.Create an IAM role in each member account that trusts the central account.
E.Enable AWS Systems Manager in each account.
AnswersC, D, E

Inventory collects instance information.

Why this answer

Option A is correct because AWS Systems Manager Inventory can collect instance metadata. Option C is correct because a cross-account role is needed for Systems Manager to access instances in other accounts. Option E is correct because enabling Systems Manager in each account is required.

Option B is wrong because Config aggregator collects configuration data, not inventory metadata. Option D is wrong because CloudWatch only collects metrics.

381
MCQeasy

A startup is using a single AWS account for development, testing, and production. They want to isolate environments and improve security. What is the most aligned AWS best practice?

A.Use separate VPCs within the same account.
B.Use IAM policies to restrict access per environment.
C.Create separate AWS accounts for each environment using AWS Organizations.
D.Use resource tagging to separate environments.
AnswerC

Accounts provide strong isolation boundaries.

Why this answer

Option A is correct because AWS Organizations with multiple accounts is the recommended approach for environment isolation. Option B is wrong because VPC separation is not enough within the same account. Option C is wrong because tags do not provide isolation.

Option D is wrong because IAM alone does not isolate resources.

382
Multi-Selecthard

Which THREE design patterns are recommended for decoupling components in a microservices architecture on AWS?

Select 3 answers
A.Use Amazon EventBridge for event-driven integration.
B.Use AWS Direct Connect for private connectivity.
C.Use Amazon SNS topics for pub/sub messaging.
D.Use Amazon SQS queues between services.
E.Use Elastic Load Balancing to distribute traffic.
AnswersA, C, D

EventBridge decouples event producers and consumers.

Why this answer

Options A, C, and D are correct. Option A: SQS decouples services via message queues. Option C: SNS enables fan-out to multiple subscribers.

Option D: EventBridge supports event-driven communication. Option B is wrong because ELB is for load balancing, not decoupling. Option E is wrong because Direct Connect is for hybrid connectivity.

383
MCQeasy

A company uses AWS Organizations and wants to ensure that all member accounts have AWS CloudTrail enabled and logs are delivered to a central S3 bucket in the management account. Which approach is MOST efficient?

A.Use AWS Config rules to detect accounts without CloudTrail and auto-remediate.
B.Manually enable CloudTrail in each account by logging into every account.
C.Use AWS CloudFormation StackSets to deploy a CloudTrail template to all accounts.
D.Create an SCP that requires CloudTrail to be enabled in each account.
AnswerC

StackSets allow centralized, automated deployment of CloudTrail across accounts.

Why this answer

Option C is correct because AWS CloudFormation StackSets allow you to deploy a single CloudTrail template across all member accounts in an AWS Organization from a central management account. This approach is the most efficient as it automates the deployment, ensures consistent configuration, and delivers logs to the specified central S3 bucket without requiring manual intervention or per-account scripting.

Exam trap

The trap here is that candidates often confuse the capabilities of SCPs (which only control permissions) with resource enforcement, leading them to incorrectly select Option D, not realizing that SCPs cannot create or enable resources like CloudTrail.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect non-compliance and trigger auto-remediation via Systems Manager Automation or Lambda, but they do not natively deploy CloudTrail across all accounts; they react to existing resources rather than proactively provisioning them, making them less efficient for initial deployment. Option B is wrong because manually enabling CloudTrail in each account by logging into every account is not scalable, error-prone, and violates the principle of least effort for a multi-account environment. Option D is wrong because Service Control Policies (SCPs) can only deny or allow API actions, not enforce the presence of a resource like CloudTrail; an SCP cannot require CloudTrail to be enabled—it can only block actions that disable it, which is insufficient to ensure initial enablement.

384
MCQmedium

An administrator runs the above command and sees that the 'Prod' account is suspended. What is the MOST likely cause?

A.The account has an unpaid AWS bill.
B.The account was suspended due to a Service Control Policy (SCP) violation.
C.The account was suspended due to a security breach detected by AWS.
D.The account was removed from the organization by the root user.
AnswerA

AWS suspends accounts with overdue payments.

Why this answer

Option C is correct because accounts are typically suspended due to non-payment of AWS bills. Option A is wrong because AWS Organizations does not suspend accounts for SCP violations. Option B is wrong because nothing in the output indicates a service compromise.

Option D is wrong because the account was created after the management account, so it was not the root.

385
MCQmedium

A global company is using a multi-account AWS Organizations setup with a centralized logging account. They want to aggregate CloudTrail logs from all accounts into a single S3 bucket in the logging account. Which combination of steps will meet this requirement?

A.Create an IAM role in each account that allows the logging account to assume and copy logs. Schedule a Lambda function to copy logs hourly.
B.Create an S3 bucket in the logging account with a bucket policy that grants read/write access to all accounts. Configure each account's CloudTrail to deliver to that bucket.
C.Create a CloudTrail trail in the management account that applies to all accounts in the organization, and specify the S3 bucket in the logging account as the destination.
D.Enable AWS Config in each account and stream configuration history to a centralized S3 bucket.
AnswerC

Organization trails deliver logs from all accounts to a single bucket.

Why this answer

Option C is correct because AWS Organizations allows you to create a single CloudTrail trail in the management account that automatically applies to all member accounts. By specifying the S3 bucket in the centralized logging account as the destination, CloudTrail delivers logs from every account directly to that bucket without needing cross-account IAM roles or manual copying. This leverages the organization trail feature, which simplifies log aggregation and ensures consistent logging across the entire organization.

Exam trap

The trap here is that candidates often assume they need to configure CloudTrail in each account individually or use cross-account IAM roles to copy logs, but AWS Organizations provides a native organization trail feature that automatically aggregates logs from all accounts into a single S3 bucket in a centralized logging account.

How to eliminate wrong answers

Option A is wrong because it introduces unnecessary complexity and latency by requiring an IAM role in each account and a scheduled Lambda function to copy logs hourly, which is not real-time and violates the principle of least privilege by granting cross-account copy permissions. Option B is wrong because CloudTrail does not support delivering logs to an S3 bucket in a different account using a bucket policy that grants read/write access to all accounts; CloudTrail requires the destination bucket to be in the same account as the trail or uses an organization trail with a bucket policy that grants CloudTrail service principal write access, not all accounts. Option D is wrong because AWS Config streams configuration history and changes, not CloudTrail logs, and it does not aggregate CloudTrail API activity logs; it serves a different purpose for compliance and resource tracking.

386
MCQmedium

A company has a multi-account environment with a central security account. They want to use AWS Security Hub to aggregate findings from all accounts. What is the correct setup?

A.Set up Amazon EventBridge to forward findings from each account to the central account.
B.Use Amazon CloudWatch cross-account dashboards to view findings.
C.Enable AWS Config aggregator in the central account.
D.Enable Security Hub in the central account and invite member accounts to enable Security Hub.
AnswerD

This is the standard way to aggregate findings in Security Hub.

Why this answer

Option D is correct because AWS Security Hub uses a multi-account architecture where a central administrator account invites member accounts to enable Security Hub. This allows the administrator account to aggregate findings, insights, and compliance scores from all member accounts into a single view, enabling centralized security monitoring without additional forwarding infrastructure.

Exam trap

The trap here is that candidates confuse Security Hub's multi-account model with other aggregation services like AWS Config aggregator or CloudWatch cross-account dashboards, assuming any cross-account aggregation tool can consolidate Security Hub findings, when in fact Security Hub requires its own dedicated multi-account feature.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge can forward events but is not the native mechanism for Security Hub multi-account aggregation; Security Hub uses its own invitation-based model, and EventBridge would require custom event buses and rules, adding unnecessary complexity and missing native cross-account finding consolidation. Option B is wrong because Amazon CloudWatch cross-account dashboards aggregate metrics and logs, not Security Hub findings; Security Hub findings are not stored in CloudWatch Logs or Metrics by default, so dashboards cannot display them. Option C is wrong because AWS Config aggregator aggregates AWS Config rules and compliance data across accounts, not Security Hub findings; Security Hub findings are separate from AWS Config and require Security Hub's own multi-account enablement.

387
MCQhard

A global company is using AWS Organizations with hundreds of accounts. The IT team needs to centrally manage DNS records for all accounts using Amazon Route 53 private hosted zones. The solution must be highly available and support cross-account DNS resolution. What should the team do?

A.Create a private hosted zone in the central account and configure Route 53 Resolver rules in each account to forward queries to the central account.
B.Create a private hosted zone in each account and configure Route 53 inbound endpoints in the central account to accept DNS queries.
C.Create a private hosted zone in the central account, associate it with a central VPC, and configure Route 53 Resolver outbound endpoints in each account to forward DNS queries to the central account.
D.Create a private hosted zone in each account and use Route 53 zone sharing to share it with the central account.
AnswerC

Resolver endpoints enable cross-account DNS resolution.

Why this answer

Option B is correct because using a Route 53 Resolver outbound endpoint in the central account and associating the private hosted zone with the shared VPC allows cross-account DNS resolution. Option A is wrong because sharing the entire private hosted zone with all accounts is not possible. Option C is wrong because Route 53 inbound endpoints only handle DNS queries from on-premises.

Option D is wrong because using Route 53 Resolver rules is part of the correct solution but the zone still needs to be associated with the central VPC.

388
MCQhard

A company uses AWS Organizations with hundreds of accounts. The security team needs to ensure that no IAM user in any account can create a new IAM user or access key. What is the most scalable way to enforce this?

A.Use AWS Config rules to detect and automatically delete any new users or keys.
B.Enable AWS CloudTrail and create a metric filter to alert on these actions.
C.Attach an IAM policy to the Administrator role in each account that denies these actions.
D.Apply a service control policy (SCP) that denies the iam:CreateUser and iam:CreateAccessKey actions.
AnswerD

SCPs apply to all principals in the account.

Why this answer

Service control policies (SCPs) are the most scalable way to enforce restrictions across all accounts in an AWS Organization because they apply to all IAM users and roles in every member account, including the root user. By denying the iam:CreateUser and iam:CreateAccessKey actions at the organization root or OU level, the security team can prevent any IAM user from creating new users or access keys without needing to manage individual account policies or rely on reactive measures.

Exam trap

The trap here is that candidates often choose Option C because they think attaching a deny policy to the Administrator role is sufficient, but they overlook that SCPs are the only mechanism that can restrict the root user and scale across hundreds of accounts without per-account management.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive—they detect non-compliant resources after creation and can trigger auto-remediation, but they do not prevent the action from occurring, leaving a window where the user or key exists and could be used. Option B is wrong because CloudTrail with metric filters and alerts only provides notification after the fact; it does not block the action, so the security violation still occurs. Option C is wrong because attaching an IAM policy to the Administrator role in each account is not scalable for hundreds of accounts—it requires manual per-account configuration and does not prevent actions by the root user or other roles that might bypass the policy.

389
Multi-Selecthard

A company is migrating to a multi-account AWS environment. They want to centralize DNS management using Amazon Route 53 private hosted zones. The private zones must be accessible from all VPCs in the organization. Which THREE steps are required to achieve this?

Select 3 answers
A.Create a private hosted zone in the central networking account.
B.Share the private hosted zone with other accounts using AWS Resource Access Manager.
C.Create a public hosted zone with the same name and configure DNSSEC.
D.Associate the private hosted zone with the VPCs in the member accounts.
E.Create a Route 53 Resolver outbound endpoint in each account.
AnswersA, B, D

Central account holds the zone.

Why this answer

Option A is correct because a private hosted zone must be created in a central networking account to serve as the authoritative DNS namespace for the organization's internal resources. This central account acts as the zone owner, allowing the zone to be associated with VPCs across multiple accounts via AWS Resource Access Manager (RAM).

Exam trap

The trap here is that candidates often confuse the need for a public hosted zone or outbound endpoints with the simpler mechanism of sharing a private hosted zone via AWS RAM and associating it with VPCs, leading them to select unnecessary or incorrect options.

390
MCQmedium

A solutions architect sees this output from the AWS CLI. The management account (111111111111) has a service control policy (SCP) attached that denies all actions unless the request originates from a specific IP range. Which account(s) are affected by this SCP?

A.Only the ProductionAccount (222222222222).
B.Neither account.
C.Both accounts.
D.The ManagementAccount (111111111111) only.
AnswerA

SCPs do not apply to the management account.

Why this answer

Option A is correct because SCPs attached to the root or OU affect all member accounts, but not the management account itself. The management account (111111111111) is not affected by SCPs. Option B is wrong because the management account is not affected.

Option C is wrong because the production account is a member account and is affected. Option D is wrong because only the production account is affected.

391
MCQmedium

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. They need to ensure that users can authenticate to AWS resources using their existing corporate credentials. What is the MOST secure and scalable solution?

A.Federate using SAML 2.0 with on-premises ADFS and map AD groups to IAM roles.
B.Deploy AD Connector in each VPC to proxy authentication requests to on-premises Active Directory.
C.Set up AWS Managed Microsoft AD and establish a trust with the on-premises Active Directory. Use IAM roles to grant access based on AD groups.
D.Use AWS Directory Service Simple AD and synchronize with on-premises Active Directory using AD Connector.
AnswerC

AWS Managed Microsoft AD supports trust relationships and can be used for IAM authentication.

Why this answer

Option C is correct because AWS Managed Microsoft AD can establish a forest trust with an on-premises Active Directory, allowing users to authenticate using their existing corporate credentials. This approach is secure (Kerberos-based trust, no password exposure) and scalable (AWS handles AD infrastructure). IAM roles can then be mapped to AD groups via SAML or IAM Identity Center for fine-grained access to AWS resources.

Exam trap

The trap here is that candidates often confuse AD Connector (a proxy) with a trust relationship, thinking it provides the same level of integration, but AD Connector does not support native Kerberos trusts or scalable authentication for AWS Managed Microsoft AD migration.

How to eliminate wrong answers

Option A is wrong because federating with SAML 2.0 and ADFS requires maintaining a separate federation infrastructure and does not directly integrate with AWS Managed Microsoft AD for native AD authentication; it also adds complexity without leveraging the trust relationship. Option B is wrong because AD Connector is a proxy that forwards authentication requests to on-premises AD, but it does not provide a scalable solution for migrating to AWS Managed Microsoft AD and introduces a single point of failure in each VPC. Option D is wrong because Simple AD is a standalone LDAP directory based on Samba 4, not compatible with Active Directory trusts or Kerberos authentication, and AD Connector cannot synchronize with Simple AD; it only proxies to on-premises AD.

392
MCQhard

A company ran the command above. The management account (111111111111) has an SCP attached that denies all actions. The DevAccount (222222222222) has no SCP. What can the root user of the DevAccount do?

A.Full access to all AWS services because no SCP is applied to the DevAccount.
B.Nothing, because the management account's SCP applies to all accounts.
C.Only read-only actions because of default SCP.
D.Only actions allowed by the root user's implicit full access.
AnswerA

Without SCP, only IAM policies restrict.

Why this answer

SCPs are inherited from the root OU. Since no SCP is attached to the DevAccount or its OU, there is no restriction. Option A is wrong because management account SCP does not apply.

Option C is wrong because root user can be restricted by SCP. Option D is wrong because there is no SCP.

393
MCQhard

A company uses AWS Organizations with a policy that denies access to services unless they are explicitly allowed. The security team wants to allow only approved services. What type of policy should they use?

A.Use an SCP with an Allow effect for approved services.
B.Use an SCP with a Deny effect for all services except approved ones.
C.Use an SCP with a Deny effect for unapproved services.
D.Use an IAM policy with a Deny effect for unapproved services.
AnswerC

SCPs can deny specific services across accounts.

Why this answer

Option D is correct because an SCP with a Deny effect for unapproved services is the standard approach. Option A is wrong because Allow lists are not natively supported by SCPs. Option B is wrong because it's the opposite.

Option C is wrong because service control policies are for Organizations.

394
MCQhard

A multinational corporation uses AWS Organizations with hundreds of accounts. The security team requires that all Amazon S3 buckets across the organization be encrypted with a specific AWS KMS key from the security account. Which combination of controls should be implemented to enforce this requirement?

A.Create an AWS Service Catalog portfolio that restricts bucket creation to encrypted buckets only.
B.Use IAM policies in each account to deny PutBucketEncryption actions that do not specify the required KMS key.
C.Enable AWS CloudTrail and create a CloudWatch Events rule to automatically remediate non-compliant buckets.
D.Apply an SCP to deny s3:PutBucketEncryption with any key other than the required KMS key, and use AWS Config rules to detect and remediate existing non-compliant buckets.
AnswerD

SCPs enforce at the organizational level; AWS Config detects violations for remediation.

Why this answer

Option D is correct because SCPs can deny the creation of S3 buckets without encryption or with the wrong KMS key, and AWS Config rules can detect non-compliant existing buckets for remediation. Option A is wrong because IAM policies alone cannot enforce encryption at the organizational level across multiple accounts. Option B is wrong because AWS CloudTrail only logs, not enforces.

Option C is wrong because AWS Service Catalog is not designed for this purpose.

395
MCQeasy

A company has a multi-account AWS environment with a centralized logging account. They want to collect VPC Flow Logs from all accounts and store them in a centralized S3 bucket in the logging account. What is the MOST scalable and cost-effective solution?

A.Configure VPC Flow Logs to deliver to an S3 bucket in each account, then enable S3 Cross-Region Replication to the central bucket in the logging account.
B.Use Amazon Kinesis Data Firehose in each account to stream logs to a central S3 bucket.
C.Create a Lambda function in each account that copies log files to the central bucket.
D.Use S3 Batch Operations to copy logs from each account to the central bucket daily.
AnswerA

S3 replication is serverless, cost-effective, and scales automatically.

Why this answer

Option B is correct because it uses S3 Cross-Region Replication to aggregate logs without additional compute, and is scalable. Option A (Lambda) adds cost and complexity. Option C (Amazon Kinesis Data Firehose) is more expensive for log aggregation than replication.

Option D (S3 batch operations) is not designed for real-time log delivery.

396
MCQeasy

A company has a multi-account AWS environment with a central networking account that hosts all VPCs and a shared services account that hosts common resources like directory services. The company wants to allow all accounts to use the same VPC for their workloads instead of creating separate VPCs. The security team requires that traffic between accounts is encrypted in transit and that accounts cannot directly access each other's resources without going through the central networking account. The network team proposes using AWS Transit Gateway with inter-region peering and VPC attachments. However, the security team is concerned about compliance with encryption requirements. What should the network team do to meet the requirements?

A.Use AWS Client VPN to connect each account to the central VPC.
B.Use VPC Peering between the central VPC and each member account VPC.
C.Use AWS Direct Connect between accounts.
D.Use AWS Transit Gateway with VPN attachments between the central networking account and each member account VPC.
AnswerD

Provides IPsec encryption and centralized routing.

Why this answer

Option D is correct because AWS Transit Gateway with VPN attachments enables encrypted traffic between the central networking account and each member account VPC using IPsec tunnels. This satisfies the encryption-in-transit requirement while ensuring all traffic routes through the central networking account, preventing direct account-to-account access. Transit Gateway also allows all accounts to share a single VPC for workloads without creating separate VPCs.

Exam trap

The trap here is that candidates may assume VPC Peering or Direct Connect inherently meet encryption requirements, but VPC Peering does not encrypt traffic and Direct Connect requires an additional VPN layer for encryption, while Transit Gateway VPN attachments provide both encryption and centralized routing control.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN provides encrypted client-to-VPN access but is designed for individual user connections, not for routing traffic between VPCs or accounts, and it does not enforce that all inter-account traffic must go through the central networking account. Option B is wrong because VPC Peering does not natively encrypt traffic in transit; it relies on AWS's physical network security but does not meet explicit encryption requirements, and it allows direct peering relationships that could bypass the central networking account. Option C is wrong because AWS Direct Connect provides a dedicated private connection from on-premises to AWS, not between accounts, and it does not inherently encrypt traffic unless combined with IPsec VPN, which is not specified in the option.

397
MCQhard

Refer to the exhibit. A security engineer ran this AWS CLI command to investigate who created a CloudTrail trail in January 2024. The command returned no results. However, the security team knows that a trail was created during that period. What is the most likely reason for the empty result?

A.The start time is too far in the past and CloudTrail only retains events for 90 days.
B.The trail was created using the AWS Management Console, not the CLI.
C.The trail was created in a different region and the command did not specify a region.
D.The command syntax is incorrect; the --lookup-attributes parameter should be --attribute.
AnswerC

By default, the CLI uses the current region; the trail might be in another region.

Why this answer

The AWS CLI command `aws cloudtrail lookup-events` defaults to the region configured in the AWS CLI profile (e.g., `us-east-1`). If the CloudTrail trail was created in a different region, the command will return no results unless the `--region` parameter is explicitly specified. Since the security team knows the trail was created in January 2024, the most likely reason for the empty result is that the command did not target the correct region.

Exam trap

The trap here is that candidates assume CloudTrail events are globally visible by default, but `lookup-events` is region-scoped unless the trail is a multi-region trail, and even then, the command must be run in the home region of the trail to see the creation event.

How to eliminate wrong answers

Option A is wrong because CloudTrail `lookup-events` can retrieve events for up to 90 days, but the command can also access events beyond that if the trail is configured to send events to CloudWatch Logs or S3, and the `--lookup-attributes` parameter does not impose a 90-day limit on the API itself. Option B is wrong because the method of creation (Console vs. CLI) does not affect the ability of `lookup-events` to retrieve the event; CloudTrail records all management events regardless of the interface used.

Option D is wrong because the `--lookup-attributes` parameter is the correct syntax for the `lookup-events` command; there is no `--attribute` parameter in the AWS CLI for CloudTrail.

398
MCQhard

A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?

A.Apply an S3 bucket policy that denies s3:PutObject unless encryption headers are present
B.Use AWS Config rules to remediate non-compliant objects
C.Require users to use pre-signed URLs for uploads
D.Attach an SCP that denies s3:PutObject without encryption
AnswerA

Bucket policies can enforce encryption at upload time.

Why this answer

Option A is correct because an S3 bucket policy with a condition that denies s3:PutObject unless the x-amz-server-side-encryption header is present and specifies the required KMS key enforces encryption at the point of upload. This prevents any unencrypted object from being written to the bucket, regardless of the client or tool used, and works with any IAM principal. It is the most effective and direct method to enforce encryption for all uploads.

Exam trap

The trap here is that candidates often choose AWS Config (Option B) thinking it can enforce encryption, but Config is detective and reactive, not preventive, whereas a bucket policy with a deny condition is the only way to block unencrypted uploads at the API level.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are reactive, not preventive; they can detect non-compliant objects after upload and trigger remediation (e.g., copying the object with encryption), but they do not block the initial unencrypted write, leaving a window where data is stored without encryption. Option C is wrong because pre-signed URLs control access duration and permissions but do not enforce encryption headers; a pre-signed URL for s3:PutObject can be used to upload unencrypted data unless the bucket policy explicitly denies such requests. Option D is wrong because Service Control Policies (SCPs) apply to all IAM principals in an AWS Organizations account but cannot enforce object-level encryption headers; SCPs can deny actions based on conditions, but the condition for encryption headers (e.g., s3:x-amz-server-side-encryption) is not supported in SCPs, making this option ineffective.

399
Multi-Selecthard

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

Select 2 answers
A.Create an SCP that denies the ec2:RunInstances action for specific instance types.
B.Use AWS Config rules to detect non-compliant instance types and automatically terminate them using AWS Systems Manager Automation.
C.Use AWS CloudTrail to monitor launches of prohibited instance types and automatically terminate them.
D.Use Service Quotas to restrict the number of instances of specific types.
E.Create an IAM policy in each account that denies the specified instance types.
AnswersA, B

SCPs can deny actions based on condition keys like ec2:InstanceType.

Why this answer

Option A is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict permissions across all accounts in the organization. By creating an SCP that denies the ec2:RunInstances action with a condition key like ec2:InstanceType matching specific prohibited instance types, you can enforce this restriction at the organization, OU, or account level, preventing any user or role from launching those instance types regardless of their IAM permissions.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config, CloudTrail) with preventive controls (SCPs), or they assume IAM policies can be centrally managed across accounts, when in fact SCPs are the only native mechanism for organization-wide preventive restrictions.

400
MCQmedium

A company uses AWS Organizations and has a member account that needs to access a shared S3 bucket in another member account. The bucket policy allows access from the account's root user. What is the simplest way to grant an IAM user in the member account access?

A.Create an IAM role in the source account and have the user assume it.
B.Update the bucket policy to allow the user's ARN directly.
C.Attach an IAM policy to the user that allows s3:GetObject on the bucket.
D.Use a bucket ACL to grant access to the user's canonical ID.
AnswerC

Since the bucket policy trusts the account, the user just needs IAM permissions.

Why this answer

Option C is correct because the simplest way to grant an IAM user in a member account access to a shared S3 bucket in another member account is to attach an IAM policy to the user that allows the required S3 action (e.g., s3:GetObject) on the bucket. Since the bucket policy already allows access from the account's root user, the IAM user inherits permissions through the account's identity-based policies, and no cross-account role assumption or bucket policy update is needed.

Exam trap

The trap here is that candidates often overcomplicate cross-account access by assuming a role or modifying the bucket policy, when the simplest solution is to use an IAM policy on the user because the bucket policy already authorizes the account's root user.

How to eliminate wrong answers

Option A is wrong because creating an IAM role in the source account and having the user assume it introduces unnecessary complexity; the bucket policy already allows the account's root user, so a simple IAM policy on the user suffices. Option B is wrong because updating the bucket policy to allow the user's ARN directly is not the simplest approach and would require modifying the bucket policy, which is more complex than attaching an IAM policy to the user. Option D is wrong because bucket ACLs are legacy and do not support granting access to IAM users directly; they only grant access to AWS accounts or canonical IDs, not individual IAM users.

401
MCQmedium

A company has multiple AWS accounts managed using AWS Organizations. The security team wants to enforce that all new accounts automatically have a specific AWS Config rule enabled to prohibit public S3 bucket access. Which solution requires the least operational overhead?

A.Use AWS CloudFormation StackSets to deploy the AWS Config rule to all accounts.
B.Enable AWS Config in the management account and use an aggregator for all accounts.
C.Use an SCP to automatically enable the AWS Config rule in all accounts.
D.Use an SCP to deny the s3:PutBucketPublicAccessBlock action if a specific tag is not present.
AnswerD

SCPs can deny actions based on conditions, but this option is not ideal; the correct approach is to use an SCP with a condition to require the public access block. However, the best answer is to use an SCP to prevent disabling the AWS Config rule.

Why this answer

Option D is correct because it uses a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action unless a specific tag is present. This enforces the desired AWS Config rule indirectly by preventing any action that would disable or bypass the public access block, and it applies automatically to all new accounts in the organization with minimal overhead—no per-account deployment or configuration is needed.

Exam trap

The trap here is that candidates assume SCPs can directly create or enable AWS resources like Config rules, but SCPs only control API actions and cannot perform resource creation or configuration.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets require manual setup and ongoing maintenance to deploy to new accounts as they are added, which adds operational overhead compared to a policy-based approach. Option B is wrong because enabling AWS Config in the management account and using an aggregator only centralizes compliance data; it does not enforce the Config rule in new accounts automatically. Option C is wrong because SCPs cannot directly enable AWS Config rules; they can only deny or allow API actions, not create or configure AWS resources.

402
MCQmedium

A company uses AWS Organizations and has a central IT team that manages VPCs. The team wants to ensure that only authorized accounts can create VPCs, and that all VPCs must have a specific tag. Which solution enforces this?

A.Use AWS Config to detect and delete untagged VPCs.
B.Use IAM policies in each account to require tags.
C.Apply an SCP that denies ec2:CreateVpc if the request does not include the required tag.
D.Use AWS CloudFormation StackSets to deploy VPC templates with tags.
AnswerC

Prevents creation at the organization level.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) can centrally restrict actions across all member accounts. By applying an SCP that denies ec2:CreateVpc unless the request includes a specific tag (using the ec2:ResourceTag condition key), the central IT team ensures that only authorized accounts (which cannot bypass the SCP) can create VPCs, and all VPCs must have the required tag at creation time.

Exam trap

The trap here is that candidates often confuse AWS Config's detective capabilities with preventive controls, or assume IAM policies in individual accounts can be centrally enforced, when only SCPs provide organization-wide preventive enforcement that cannot be bypassed by account-level administrators.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect and report untagged VPCs, but it cannot prevent their creation; it only provides post-hoc compliance evaluation and can trigger remediation, not enforce the tag at creation time. Option B is wrong because IAM policies in each account can require tags, but they are managed per-account and cannot be enforced centrally across all accounts in the organization; a user with sufficient permissions in their own account could modify or remove the IAM policy. Option D is wrong because AWS CloudFormation StackSets can deploy VPC templates with tags, but they do not prevent users from creating VPCs outside of CloudFormation using the console, CLI, or SDK, so they do not enforce the tag requirement.

403
MCQmedium

A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?

A.Use AWS Traffic Mirroring to mirror all traffic to a central inspection appliance.
B.Enable VPC Flow Logs and publish them to a central S3 bucket, then use Amazon Athena to query the logs.
C.Enable VPC Flow Logs for each VPC and stream them to Amazon CloudWatch Logs in each account.
D.Place a network load balancer in each VPC and capture traffic using a packet sniffer.
AnswerB

Scalable and cost-effective.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic metadata (not full packets) and can be centrally published to an S3 bucket across accounts using a central logging account. Querying with Athena is serverless, scales automatically, and incurs cost only for data scanned, making it the most scalable and cost-effective solution for security analysis of inter-VPC traffic.

Exam trap

The trap here is that candidates may over-engineer the solution by choosing Traffic Mirroring or NLB-based packet capture, thinking full packet inspection is needed, when metadata from Flow Logs is sufficient for security analysis and far more cost-effective at scale.

How to eliminate wrong answers

Option A is wrong because Traffic Mirroring copies full packet contents to a central appliance, which incurs high data transfer and processing costs, and requires managing a separate inspection instance that does not scale elastically. Option C is wrong because streaming Flow Logs to CloudWatch Logs in each account creates a decentralized, harder-to-query setup with higher per-log ingestion and storage costs, and lacks a single pane of glass for cross-account analysis. Option D is wrong because placing a Network Load Balancer in each VPC does not inherently capture traffic; packet sniffers require agent installation and cannot capture all traffic without significant performance overhead and architectural complexity.

404
MCQeasy

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts. The company has an existing identity provider (IdP) that supports SAML 2.0. Which AWS service should be used to integrate with the IdP?

A.AWS Directory Service for Microsoft Active Directory.
B.Amazon Cognito user pools.
C.AWS IAM Identity Center.
D.AWS Identity and Access Management (IAM) with SAML federation.
AnswerC

IAM Identity Center integrates with SAML 2.0 IdPs and provides SSO across multiple AWS accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the recommended service for centrally managing SSO access to multiple AWS accounts. It natively integrates with external SAML 2.0 identity providers, allowing you to define permissions sets that govern user access across accounts without creating IAM users. This provides a single place to manage user assignments and enforce least-privilege access across your AWS Organization.

Exam trap

The trap here is that candidates often confuse IAM SAML federation (which works for a single account) with IAM Identity Center (which is the correct multi-account SSO solution), leading them to select Option D because they know SAML 2.0 is supported, but they miss the requirement for multiple AWS accounts.

How to eliminate wrong answers

Option A is wrong because AWS Directory Service for Microsoft Active Directory is a managed AD service that supports SAML federation but is designed for integrating with Microsoft AD workloads, not as a general-purpose SAML IdP broker for multiple AWS accounts; it would require additional configuration with IAM roles and does not natively manage cross-account permissions sets. Option B is wrong because Amazon Cognito user pools are intended for customer-facing identity and access management in applications, not for workforce SSO to AWS accounts; they lack the ability to assign permissions sets across multiple AWS accounts. Option D is wrong because IAM with SAML federation allows you to federate a single IdP into a single AWS account, but it does not provide centralized management across multiple accounts; you would need to manually configure roles and trust policies in each account, which is not scalable for multi-account SSO.

405
Multi-Selecthard

A company has a multi-account AWS environment with a centralized logging account. The security team needs to analyze VPC Flow Logs from all accounts using Amazon Athena. Which THREE steps are required to enable this analysis? (Choose THREE.)

Select 3 answers
A.Create an AWS Glue table or use Athena's CREATE TABLE statement to define the schema of the Flow Logs.
B.Ensure the Flow Logs are delivered in GZIP format (default) or uncompressed.
C.Deliver VPC Flow Logs from each account to a centralized S3 bucket in the logging account.
D.Replicate the S3 bucket to a single AWS Region for consistency.
E.Configure a Kinesis Data Firehose delivery stream to convert Flow Logs to Parquet format.
AnswersA, B, C

Athena needs a table definition to query the data.

Why this answer

Option B is correct because Athena requires a table defined over the data. Option C is correct because Flow Logs should be stored in a central S3 bucket. Option D is correct because Flow Logs are delivered to S3 in GZIP format, which Athena can query.

Option A is incorrect because Kinesis Data Firehose is not needed; Flow Logs can go directly to S3. Option E is incorrect because the logs must be in the same region as the Athena queries.

406
MCQeasy

A company has a centralized logging solution using Amazon OpenSearch Service (Elasticsearch) and wants to ensure logs from all AWS accounts are shipped to a central account. Which AWS service can be used to collect and forward logs from multiple accounts to a single destination?

A.Amazon S3 bucket with cross-account bucket policy
B.Amazon Kinesis Data Firehose delivery stream with cross-account access
C.Amazon CloudWatch Logs subscription filter
D.AWS Lambda function in each account that sends logs to a central API
AnswerB

Firehose can accept data from multiple accounts via IAM roles and deliver to a central OpenSearch domain.

Why this answer

Option B is correct because Amazon Kinesis Data Firehose can receive logs from multiple accounts via subscriptions and deliver to OpenSearch. Option A is wrong because CloudWatch Logs subscription can forward logs but requires each account to have a subscription filter. Option C is wrong because S3 is a destination, not a forwarding mechanism.

Option D is wrong because Lambda can process logs but is not designed for centralized cross-account ingestion.

407
Multi-Selectmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts use AWS CloudTrail with logs delivered to a central S3 bucket. Which TWO actions should be taken to enforce this?

Select 2 answers
A.Create an IAM role in each account that requires CloudTrail to be enabled
B.Use CloudFormation StackSets to deploy a CloudTrail trail in each account
C.Use AWS Config rules to detect when CloudTrail is not configured correctly and trigger remediation
D.Use AWS Lambda to automatically re-enable CloudTrail if it is disabled
E.Use a service control policy (SCP) to deny actions that disable CloudTrail or modify the trail configuration
AnswersC, E

Config rules can monitor and auto-remediate to ensure compliance.

Why this answer

Options A and D are correct. SCPs can prevent disabling CloudTrail or modifying the trail. AWS Config rules can detect missing or misconfigured trails.

Option B is wrong because IAM roles do not enforce CloudTrail. Option C is wrong because Lambda can create but not enforce. Option E is wrong because CloudFormation can deploy but not prevent removal.

408
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization have server-side encryption enabled. Which is the MOST efficient way to enforce this policy?

A.Use AWS CloudTrail to monitor and alert on unencrypted buckets
B.Enable S3 default encryption in each account
C.Apply a service control policy (SCP) that denies creation of S3 buckets without encryption
D.Use S3 bucket policies to require encryption
AnswerC

SCP can be applied to the entire organization or OU to enforce encryption at account creation.

Why this answer

Option C is correct because a service control policy (SCP) can centrally deny the creation of S3 buckets that do not have server-side encryption enabled across all accounts in an AWS Organization. This approach enforces the security team's requirement at the organizational level, preventing non-compliant buckets from being created regardless of individual account configurations, which is the most efficient and scalable method.

Exam trap

The trap here is that candidates often confuse S3 bucket policies (which control access to objects) with SCPs (which control API actions at the account level), leading them to choose option D, which cannot enforce encryption on the bucket itself.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail only provides logging and monitoring capabilities; it cannot proactively enforce or prevent the creation of unencrypted buckets, only alert after the fact. Option B is wrong because enabling S3 default encryption in each account relies on individual account administrators to configure it correctly, and it does not prevent users from explicitly overriding the default during bucket creation. Option D is wrong because S3 bucket policies can require encryption for objects uploaded to a bucket, but they do not enforce encryption on the bucket itself (i.e., the bucket's default encryption setting) and cannot prevent the creation of a bucket without encryption enabled.

409
MCQhard

A company uses AWS Organizations with 500 accounts. They want to enforce that all accounts use a specific set of allowed AMIs for EC2. What is the MOST scalable solution?

A.Apply an SCP that denies ec2:RunInstances with a condition on ec2:ImageId.
B.Use AWS Config to detect non-compliant AMIs and stop the instances.
C.Create a service catalog product for EC2 with allowed AMIs.
D.Use AWS Systems Manager to enforce AMI compliance.
AnswerA

SCP applies to all accounts in the organization.

Why this answer

An SCP that denies RunInstances unless the AMI ID is in the allowed list is scalable. Option A is wrong because it's per-account. Option C is wrong because it doesn't prevent.

Option D is wrong because it's after creation.

410
Multi-Selecthard

A company wants to implement a data lake strategy using Amazon S3 across multiple AWS accounts. They need to ensure that data is encrypted at rest using a centralized AWS KMS key from a security account. Which THREE steps should they take?

Select 3 answers
A.Configure S3 bucket policies in each account to enforce encryption using the KMS key.
B.Configure S3 buckets in each account to use the shared KMS key for server-side encryption.
C.Create a customer managed KMS key in the security account and share it with the other accounts using AWS Resource Access Manager (RAM).
D.Create IAM users in the security account and grant them access to the KMS key.
E.Apply a service control policy (SCP) that denies s3:PutObject unless the request uses the required KMS key.
AnswersB, C, E

Buckets must be configured to use the shared key for encryption.

Why this answer

Options A, C, and D are correct. Create a KMS key in the security account and share it via RAM. In each account, use the shared KMS key when creating S3 buckets.

Apply an SCP to enforce the use of the shared KMS key. Option B is wrong because S3 bucket policies are account-specific and cannot enforce across accounts. Option E is wrong because IAM users are not the best mechanism for cross-account access; RAM is simpler.

411
MCQeasy

A company needs to share a VPC subnet with multiple accounts in the same AWS Organization. What is the MOST secure way to achieve this?

A.Create a Transit Gateway and attach all accounts.
B.Set up a VPN connection between accounts.
C.Use AWS RAM to share the subnet with the organization.
D.Create a VPC peering connection between each account and the VPC owner.
AnswerC

RAM allows sharing subnets with accounts in the organization.

Why this answer

AWS Resource Access Manager (RAM) allows sharing subnets securely without VPC peering. Option A is wrong because VPC peering is one-to-one. Option C is wrong because VPN adds complexity.

Option D is wrong because it doesn't share the subnet.

412
MCQeasy

A company has a decentralized IT structure where each business unit manages its own AWS accounts. The central IT team wants to enforce security policies across all accounts but allow business units to retain administrative control. Which solution should the central IT team implement?

A.Deploy AWS CloudFormation StackSets to each account with security templates.
B.Create a shared services account and use IAM cross-account roles for each business unit.
C.Use AWS Organizations with service control policies (SCPs) to enforce baseline permissions, and delegate administration to organizational units (OUs) for each business unit.
D.Migrate all workloads to a single AWS account and use IAM roles for each business unit.
AnswerC

SCPs enforce policies across all accounts while OUs allow delegation.

Why this answer

AWS Organizations with SCPs allows the central IT team to enforce baseline security policies across all accounts without removing administrative control from business units. By delegating administration to OUs for each business unit, the central team sets guardrails while business units retain full IAM management within their accounts, satisfying the decentralized structure requirement.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs remove all administrative control, when in fact SCPs only set upper permission boundaries and allow business units to retain full administrative autonomy within those limits.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets deploy resources and templates but do not enforce ongoing security policies; business units could modify or delete the deployed resources, and StackSets lack the ability to set permission guardrails. Option B is wrong because a shared services account with cross-account roles centralizes access control, which contradicts the requirement for business units to retain administrative control over their own accounts. Option D is wrong because migrating all workloads to a single account violates the decentralized IT structure and removes business unit autonomy, while IAM roles alone cannot enforce baseline security policies across separate accounts.

413
MCQeasy

A company uses AWS Organizations with a management account and several member accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. What should they do?

A.Create a CloudTrail trail in the management account that applies to all accounts in the organization.
B.Use AWS CloudFormation StackSets to deploy a CloudTrail configuration to all accounts.
C.Enable CloudTrail in each member account and configure it to deliver logs to the management account's S3 bucket.
D.Apply an SCP to require CloudTrail to be enabled in all accounts.
AnswerA

Organization trail simplifies management.

Why this answer

Option A is correct because AWS CloudTrail supports organization trails, which can be created in the management account and automatically apply to all member accounts within the AWS Organization. This ensures that all accounts have CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account without requiring per-account configuration.

Exam trap

The trap here is that candidates often think SCPs can enforce positive actions like enabling a service, but SCPs only deny or allow actions and cannot proactively configure resources.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets can deploy CloudTrail configurations across accounts, but this approach requires manual setup, ongoing maintenance, and does not automatically apply to new accounts added to the organization. Option C is wrong because enabling CloudTrail in each member account individually is inefficient, does not scale, and does not enforce compliance across all accounts; it also requires manual configuration for each account. Option D is wrong because Service Control Policies (SCPs) can only restrict permissions (e.g., deny disabling CloudTrail) but cannot proactively enable CloudTrail or configure it to deliver logs to a centralized bucket.

414
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with AWS KMS and that bucket policies enforce HTTPS. What is the MOST efficient way to enforce these policies across all accounts?

A.Apply a service control policy (SCP) to the management account.
B.Create a custom AWS Lambda function to monitor and remediate non-compliant buckets.
C.Apply a service control policy (SCP) to the organizational unit (OU) containing all accounts.
D.Use AWS Config rules with automatic remediation in each account.
AnswerC

SCPs at the OU level enforce policies across all member accounts.

Why this answer

Option B is correct because SCPs can be applied at the OU level to deny non-compliant actions across all accounts, providing centralized enforcement. Option A is wrong because service control policies are not applied to the management account. Option C is wrong because AWS Config rules detect non-compliance but do not enforce.

Option D is wrong because custom Lambda functions would require per-account deployment and are less efficient.

415
MCQhard

An organization uses AWS Organizations with a multi-account strategy. The security team needs to ensure that all accounts must use AWS CloudTrail with logs delivered to a centralized S3 bucket. They also want to receive notifications if any account disables CloudTrail. What is the MOST efficient solution?

A.Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Use an S3 event notification on the centralized bucket to trigger a Lambda function that sends an SNS alert if logs stop arriving.
B.Use AWS CloudTrail to log management events and set up a CloudWatch Events rule that triggers on StopLogging API calls.
C.Use an SCP that requires all accounts to have a specific trust policy for CloudTrail. Use CloudTrail Insights to detect anomalous activity.
D.Deploy a Lambda function in each account that periodically checks CloudTrail status and sends an SNS message if disabled.
AnswerA

SCPs prevent disabling; S3 events detect missing logs.

Why this answer

Option A is correct because it combines a preventive control (SCP) to block CloudTrail disabling actions with a detective control (S3 event notification + Lambda + SNS) to alert if logs stop arriving. The SCP ensures that even if an account has administrative privileges, it cannot stop or delete the trail, while the S3 event notification on the centralized bucket detects the absence of new log files, triggering an alert. This is the most efficient solution as it requires minimal overhead and provides both enforcement and notification.

Exam trap

The trap here is that candidates often focus only on detecting the API call (option B) or rely on periodic checks (option D), missing the need for a preventive control (SCP) to block the disabling action entirely, and the requirement for a notification mechanism that detects the absence of logs rather than just the API call.

How to eliminate wrong answers

Option B is wrong because a CloudWatch Events rule triggered on StopLogging API calls only detects the API call itself, but does not prevent it; if an account disables CloudTrail, the rule fires after the fact, and the logs may already be lost. Additionally, it does not cover the case where CloudTrail is deleted or logs stop arriving due to other reasons (e.g., misconfiguration). Option C is wrong because an SCP that requires a specific trust policy for CloudTrail does not prevent disabling CloudTrail; trust policies are for cross-account roles, not for controlling CloudTrail operations.

CloudTrail Insights detects anomalous API activity but does not enforce that CloudTrail remains enabled or send notifications for disabling. Option D is wrong because deploying a Lambda function in each account that periodically checks CloudTrail status is inefficient and introduces latency; it requires managing Lambda in every account, and the check is not real-time, potentially missing short-lived disabling events. It also does not prevent the disabling action.

416
MCQeasy

A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?

A.Enable AWS CloudTrail and set up a metric filter for CreateAccessKey
B.Apply an IAM policy to all users in each account that denies iam:CreateAccessKey
C.Attach an SCP to the root OU that denies iam:CreateAccessKey
D.Use AWS Config to detect access key creation and trigger a Lambda to delete the key
AnswerC

SCPs centrally deny actions across all accounts.

Why this answer

Option B is correct because an SCP can deny the CreateAccessKey action across all accounts. Option A is wrong because an IAM policy in each account is not centrally managed. Option C is wrong because AWS Config can detect but not prevent.

Option D is wrong because CloudTrail is for logging.

417
MCQhard

A large enterprise uses AWS Organizations with 200 accounts. The central security team has implemented a service control policy (SCP) that denies all actions unless the request comes from a specific set of allowed AWS services. The SCP is attached to the root OU. Recently, the DevOps team reported that they cannot launch Amazon EC2 instances in any account, even though they have full administrator access via IAM roles. The security team verifies that the SCP is correctly configured and that allowed services include EC2. However, the error message states 'Action 'ec2:RunInstances' is not authorized.' The DevOps team is using the AWS Management Console. What is the MOST LIKELY cause?

A.The SCP does not include 'ec2:RunInstances' in the list of allowed actions.
B.The SCP is attached only to the root OU and not to the specific account OUs.
C.The IAM roles used by the DevOps team do not have a trust policy that allows the EC2 service.
D.The SCP denies all actions except those from allowed services, but the console makes calls that are not from an allowed service.
AnswerD

The console may call other services (e.g., CloudFormation) to launch instances, which could be denied if not in allowed list.

Why this answer

Option D is correct because SCPs that deny all actions unless the request comes from allowed services would block the initial API call to EC2 because the console makes calls to multiple services. Option A is wrong because the SCP already allows EC2. Option B is wrong because the SCP is attached to the root OU, so it applies to all accounts.

Option C is wrong because the issue is not about resource-based policies.

418
MCQeasy

A company has multiple AWS accounts and wants to centralize CloudTrail logs in a single S3 bucket in the security account. Which policy should be applied to the S3 bucket to allow cross-account delivery from all member accounts?

A.Add an IAM role in the security account and allow the CloudTrail service in each member account to assume that role.
B.Configure the bucket ACL to allow write access for all member account root users.
C.Add a bucket policy that grants the service principal 'logs.amazonaws.com' s3:PutObject permissions.
D.Add a bucket policy that grants the CloudTrail service principal s3:PutObject permissions for the bucket, with a condition that the source account is in the organization.
AnswerD

This is the standard method for cross-account CloudTrail log delivery.

Why this answer

Option B is correct because the bucket policy must explicitly grant the CloudTrail service principal (cloudtrail.amazonaws.com) permission to write objects, and include a condition to restrict access to the organization's accounts. Option A is wrong because CloudTrail does not use IAM roles from the source accounts to write to the bucket. Option C is wrong because the service principal is 'cloudtrail.amazonaws.com', not 'logs.amazonaws.com'.

Option D is wrong because the bucket policy must be on the destination bucket, not on the source accounts.

419
MCQeasy

A company has a single AWS account and wants to implement a multi-account strategy for better isolation. Which AWS service is designed to help centrally manage multiple accounts?

A.AWS IAM
B.AWS Organizations
C.AWS Control Tower
D.AWS Service Catalog
AnswerB

Organizations allows you to centrally manage multiple accounts.

Why this answer

AWS Organizations is the native AWS service designed to centrally manage multiple AWS accounts. It allows you to create a hierarchy of accounts with organizational units (OUs), apply service control policies (SCPs) for governance, and consolidate billing. This directly addresses the need for a multi-account strategy with centralized management.

Exam trap

The trap here is that candidates often confuse AWS Control Tower (a managed landing zone service) with AWS Organizations (the underlying account management service), but Control Tower relies on Organizations and is not the service designed for direct central management of multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS IAM is an identity and access management service for a single account; it cannot create or manage multiple accounts. Option C is wrong because AWS Control Tower is a higher-level service that uses AWS Organizations under the hood to set up a multi-account landing zone, but it is not the core service designed for central management—it is an orchestration layer. Option D is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., EC2, RDS) for end users; it does not manage multiple accounts or their structure.

420
MCQeasy

A company uses AWS Organizations with several OUs for different environments (dev, test, prod). They want to restrict the use of specific EC2 instance types in the prod OU only. Which approach should they use?

A.Create a separate AWS account for prod and use an IAM policy on the account.
B.Attach a service control policy (SCP) to the prod OU that denies ec2:RunInstances for non-approved instance types.
C.Attach an IAM policy to all users in the prod accounts that denies non-approved instance types.
D.Use AWS Config to detect non-approved instance types and terminate them.
AnswerB

SCPs can be applied to OUs to restrict actions in specific accounts.

Why this answer

Service control policies (SCPs) are the correct mechanism to centrally restrict permissions across all accounts within an AWS Organizations organizational unit (OU). By attaching an SCP to the prod OU that denies ec2:RunInstances for non-approved instance types, you enforce a guardrail that applies to every principal (including root users) in all accounts under that OU, regardless of IAM policies. This ensures that even if a user or role has an IAM policy allowing all EC2 instances, the SCP will block the non-approved types.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies can centrally restrict all accounts in an OU, when in fact SCPs are the only AWS Organizations feature that applies a guardrail across all accounts without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because creating a separate account for prod does not by itself restrict instance types; you would still need an SCP or IAM policy to enforce the restriction, and IAM policies on a single account cannot centrally manage multiple accounts. Option C is wrong because IAM policies attached to users in prod accounts can be overridden by other IAM policies or bypassed by users with administrative privileges, and they do not apply to the root user or services running without an explicit IAM role. Option D is wrong because AWS Config is a detective control that can detect non-approved instance types after they are launched, but it cannot prevent the launch; it would require a separate remediation action (e.g., Lambda) to terminate instances, which is reactive and not a preventive restriction.

421
MCQhard

A company has a multi-account AWS environment with a central logging account. They want to ensure that all VPC Flow Logs are enabled for every VPC in every account and that the logs are sent to a central S3 bucket. What combination of services should they use to automatically enforce this?

A.Use AWS Lambda to scan all VPCs daily and enable Flow Logs if missing, sending logs to the central bucket.
B.Use AWS Config rules with automatic remediation to enable VPC Flow Logs, and a CloudWatch Events rule to copy logs to the central bucket.
C.Use AWS CloudFormation StackSets to deploy a VPC with Flow Logs enabled in each account.
D.Use AWS Config rules with automatic remediation to enable VPC Flow Logs that publish to a central S3 bucket, and use an SCP to prevent disabling Flow Logs.
AnswerD

Config rules can detect VPCs without Flow Logs and remediate by enabling them; SCPs prevent tampering.

Why this answer

Option D is correct because AWS Config rules can continuously evaluate whether VPC Flow Logs are enabled for every VPC, and automatic remediation (via an SSM automation document or Lambda) can enable them if they are missing, publishing directly to a central S3 bucket. An SCP (Service Control Policy) then prevents any IAM action that would disable or modify the Flow Log configuration, ensuring enforcement is permanent and cannot be bypassed by account administrators.

Exam trap

Cisco often tests the misconception that a reactive approach (like daily Lambda scans) or a deployment-only approach (like StackSets) is sufficient, when the real requirement is continuous enforcement and prevention of disabling — which demands a combination of AWS Config with remediation and an SCP.

How to eliminate wrong answers

Option A is wrong because a daily Lambda scan is reactive and not continuous; it introduces a window of non-compliance between scans, and it does not prevent disabling of Flow Logs after they are enabled. Option B is wrong because while AWS Config rules with remediation can enable Flow Logs, copying logs via CloudWatch Events to a central bucket is inefficient and adds complexity; VPC Flow Logs can be published directly to a central S3 bucket without needing a separate copy mechanism. Option C is wrong because CloudFormation StackSets can only deploy resources where they are explicitly defined; they cannot enforce Flow Logs on existing VPCs or prevent future VPCs from being created without Flow Logs, nor can they prevent disabling of Flow Logs.

422
MCQeasy

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

A.Enable AWS CloudTrail and use Amazon Athena to query logs periodically and send a report.
B.Enable AWS CloudTrail in all accounts with a trail that logs management events and delivers to a centralized S3 bucket. Use Amazon CloudWatch Events to create a rule that matches root user API calls and sends notifications via Amazon SNS.
C.Use AWS Config rules to detect root user activities and trigger an AWS Lambda function to send an email.
D.Use AWS Trusted Advisor to check for root user usage and generate a weekly report.
AnswerB

This provides real-time alerting on root activities.

Why this answer

Option B is correct because it combines AWS CloudTrail logging of management events across all accounts into a centralized S3 bucket with Amazon CloudWatch Events (now Amazon EventBridge) to detect root user API calls in real time. This setup ensures immediate notification via Amazon SNS, meeting the requirement for instant reporting without manual polling or batch processing.

Exam trap

The trap here is that candidates may confuse AWS Config rules (which monitor resource configurations) with CloudTrail event monitoring, or assume periodic tools like Athena or Trusted Advisor can satisfy an immediate reporting requirement.

How to eliminate wrong answers

Option A is wrong because using Amazon Athena to query logs periodically introduces a delay (not immediate reporting) and requires manual or scheduled queries, which does not meet the real-time requirement. Option C is wrong because AWS Config rules are designed for resource configuration compliance and change detection, not for monitoring API calls like root user activities; they cannot directly capture CloudTrail events or root user login actions. Option D is wrong because AWS Trusted Advisor provides a weekly report on root user usage, which is not immediate and fails the requirement for real-time notification.

423
MCQeasy

A company has a multi-account AWS environment. They want to use AWS CloudTrail to log all API calls across all accounts and deliver the logs to a central S3 bucket in the logging account. They have configured a trail in the management account that logs management events for all accounts. However, they notice that the logs from member accounts are not being delivered to the central S3 bucket. What is the most likely cause?

A.CloudTrail cannot log management events for member accounts from the management account.
B.The S3 bucket policy does not grant the CloudTrail service principal from member accounts write access.
C.The trail is configured to log only read events.
D.The member accounts have disabled CloudTrail.
AnswerB

Cross-account log delivery requires proper bucket policy.

Why this answer

Option B is correct because a trail in the management account can log management events for all accounts, but it requires that the trail be created with the option 'Apply trail to all accounts in the organization' and the S3 bucket policy must allow CloudTrail to write from member accounts. Option A is wrong because there is no such limitation. Option C is wrong because CloudTrail supports cross-account delivery.

Option D is wrong because the bucket policy is likely the issue.

424
MCQhard

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?

A.Partition the data by account ID, region, and date in the S3 bucket, and use partitions in Athena.
B.Use S3 object-level compression (e.g., gzip) to reduce data volume.
C.Create AWS Glue partition indexes on the table.
D.Create separate Athena tables for each account and region.
AnswerA

Partition pruning ensures Athena scans only relevant partitions.

Why this answer

Partitioning the S3 data by account ID, region, and date allows Athena to use partition pruning, which limits the amount of data scanned to only the relevant partitions based on query filters. This directly reduces query cost because Athena charges per amount of data scanned, and partitioning is the most effective way to minimize scanned data without additional compression or indexing overhead.

Exam trap

The trap here is that candidates often confuse performance optimization (e.g., compression, indexes) with cost optimization (reducing data scanned), and they may overlook that partition pruning is the primary mechanism to minimize Athena query costs, not just speed up queries.

How to eliminate wrong answers

Option B is wrong because S3 object-level compression (e.g., gzip) reduces storage size and can reduce data scanned if Athena supports reading compressed files, but it does not limit which files are scanned; Athena still must read all compressed objects unless partitions are used. Option C is wrong because AWS Glue partition indexes improve query performance by reducing metadata lookup time, but they do not reduce the amount of data scanned; they only speed up partition discovery, not cost. Option D is wrong because creating separate Athena tables for each account and region increases management overhead and does not inherently reduce data scanned; queries would still scan entire tables unless partitions are used within each table, and this approach duplicates schema management without cost benefit.

425
MCQmedium

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all new member accounts automatically have AWS Config enabled with a specific set of rules. Which solution is the MOST efficient?

A.Create an AWS Config aggregator in the management account and enable Config for each account manually.
B.Use AWS CloudFormation StackSets to deploy a Config template to each account, and manually add new accounts to the StackSet.
C.Use AWS Lambda functions triggered by AWS CloudTrail to enable Config and deploy rules whenever a new account is created.
D.Create an SCP to deny disabling AWS Config, and use an AWS Config conformance pack in a delegated admin account to enforce rules across the organization.
AnswerD

SCP enforces Config enablement; conformance pack enforces rules automatically on new accounts.

Why this answer

Option C is correct because using an SCP in the root OU to prevent disabling Config, combined with AWS Config conformance packs in a delegation admin account, ensures accounts are created with Config enabled and rules enforced without manual intervention. Option A is wrong because it requires manual setup per account. Option B is wrong because CloudFormation StackSets require manual stack instance updates.

Option D is wrong because Lambda functions triggered by account creation can be delayed and may not cover all cases.

426
MCQmedium

A company is implementing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS and that access must be logged. The data lake has millions of objects, and the security team wants to detect any changes to bucket policies or encryption settings. Which combination of services should be used?

A.Amazon CloudWatch Events and Amazon S3 event notifications
B.Amazon CloudWatch Logs and VPC Flow Logs
C.AWS Config and AWS CloudTrail
D.AWS CloudTrail for management events and Amazon S3 server access logs
AnswerD

CloudTrail records S3 API calls for bucket-level actions; S3 server access logs provide object-level access details.

Why this answer

Option A is correct because CloudTrail logs S3 management events (including bucket policy changes and encryption settings) and S3 server access logs record object-level access. Option B is wrong because CloudWatch Logs does not directly log S3 configuration changes. Option C is wrong because AWS Config can track configuration changes but not access logs.

Option D is wrong because CloudWatch Events can trigger on events but not provide historical logging.

427
MCQmedium

A company attaches the above SCP to the root organizational unit. The development team in a member account wants to launch an EC2 instance in the ap-southeast-1 region. What will happen?

A.The EC2 instance launch will be denied only if there is an explicit allow for us-east-1 and eu-west-1.
B.The EC2 instance launch will succeed because SCPs only restrict permissions, not deny.
C.The EC2 instance launch will be denied because the SCP denies actions in regions not listed.
D.The EC2 instance launch will succeed if the developer has IAM permissions to launch in ap-southeast-1.
AnswerC

The SCP explicitly denies ec2:* in disallowed regions.

Why this answer

Option B is correct. The SCP denies EC2 actions in all regions except us-east-1 and eu-west-1. Since ap-southeast-1 is not in the allowed list, the action will be denied.

Option A is wrong because the SCP explicitly denies. Option C is wrong because SCPs apply to all IAM principals. Option D is wrong because there is no explicit allow; the default is allow but this deny overrides.

428
MCQeasy

A company has an AWS Organization with a management account and several member accounts. The management account hosts a central S3 bucket that stores CloudTrail logs from all accounts. The company wants to ensure that only the management account can delete objects from this bucket. Which policy should be applied to the bucket?

A.An SCP that denies s3:DeleteObject for all member accounts.
B.An SCP that denies s3:DeleteObject for all accounts except the management account.
C.A bucket policy that allows s3:DeleteObject only for the organizational unit containing the management account.
D.A bucket policy that denies s3:DeleteObject unless the request is from the management account's root user.
AnswerD

This policy explicitly restricts deletion to the management account.

Why this answer

Option B is correct because a bucket policy with a condition that denies DeleteObject actions unless the account is the management account achieves the goal. Option A is wrong because it does not prevent other accounts from deleting. Option C is wrong because SCPs cannot be applied to resources.

Option D is wrong because bucket policies cannot be attached to organizational units.

429
MCQeasy

A company is migrating to AWS and plans to use a multi-account strategy. The management account will be used solely for administrative purposes. Which best practice should be followed when setting up AWS Organizations?

A.Enable all AWS services in the management account to centrally manage them.
B.Use the management account as the payer account and also host production workloads.
C.Restrict access to the management account and use it only for organization management tasks.
D.Use the management account for development environments to avoid creating additional accounts.
AnswerC

This minimizes the attack surface.

Why this answer

Option C is correct because the management account should have limited access and be reserved for organization management tasks. Option A is wrong because enabling all services in the management account increases risk. Option B is wrong because the management account cannot be used as a payer account if it is also used for production.

Option D is wrong because the management account should not be used for development.

430
MCQeasy

A company has a multi-account AWS environment with a centralized network account that hosts a transit gateway. The company wants to share the transit gateway with multiple member accounts. Which AWS service should be used to share the transit gateway?

A.AWS Resource Access Manager (RAM)
B.AWS PrivateLink
C.VPC peering connection
D.AWS Direct Connect
AnswerA

RAM enables sharing of transit gateways across accounts.

Why this answer

AWS Resource Access Manager (RAM) enables you to share a transit gateway owned by a central network account with other AWS accounts in your organization. This eliminates the need to create separate transit gateway attachments or VPC peering connections, simplifying network architecture and reducing operational overhead.

Exam trap

The trap here is that candidates often confuse VPC peering (which is point-to-point and non-transitive) with transit gateway sharing via RAM, which provides transitive routing and centralized management across multiple accounts.

How to eliminate wrong answers

Option B is wrong because AWS PrivateLink is used to expose services privately within a VPC via interface endpoints, not for sharing transit gateways across accounts. Option C is wrong because VPC peering connects individual VPCs directly but does not provide a centralized hub-and-spoke model or support transitive routing between multiple VPCs and accounts. Option D is wrong because AWS Direct Connect establishes dedicated network connections from on-premises to AWS, not for sharing transit gateways between accounts.

431
MCQeasy

A company wants to provide its developers with access to a shared development environment in AWS. The developers are in different AWS accounts, and they need to assume an IAM role in the development account. What is the secure way to allow cross-account access?

A.Use a service control policy to allow access from other accounts
B.Create IAM users in the development account for each developer
C.Share the access keys of an IAM user in the development account
D.Create an IAM role in the development account with a trust policy that allows the developers' accounts to assume it
AnswerD

This follows AWS best practices for cross-account access.

Why this answer

Option C is correct because the standard cross-account access pattern uses IAM roles with trust policies. Option A is wrong because IAM users are per-account and not scalable. Option B is wrong because access keys are not secure for cross-account access.

Option D is wrong because SCPs are for restrictions, not granting access.

432
MCQeasy

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?

A.Use Cost Explorer to filter by linked account, which automatically groups by business unit.
B.Use AWS Budgets to create budgets per account and manually aggregate.
C.Apply tags to resources and enable cost allocation tags in Billing and Cost Management.
D.Create a separate payer account for each business unit.
AnswerC

Correct: Tagging enables filtering by business unit.

Why this answer

Option C is correct because applying tags to resources and enabling cost allocation tags in AWS Billing and Cost Management allows the finance team to categorize costs by business unit without additional overhead. Each business unit's AWS account can have resources tagged with a key like 'BusinessUnit', and once cost allocation tags are activated, Cost Explorer and cost reports can filter and group by these tags, providing automated cost tracking across accounts in AWS Organizations.

Exam trap

The trap here is that candidates may think filtering by linked account in Cost Explorer is sufficient, but they overlook that without tags or a structured account naming convention, linking accounts to business units requires manual effort, which violates the 'without additional overhead' requirement.

How to eliminate wrong answers

Option A is wrong because Cost Explorer can filter by linked account, but it does not automatically group by business unit unless accounts are tagged or organized in a way that maps to business units; filtering by linked account alone requires manual mapping of account IDs to business units, which adds overhead. Option B is wrong because AWS Budgets is a budgeting tool, not a cost reporting and aggregation tool; manually aggregating budgets per account introduces significant overhead and does not provide a scalable, automated solution for generating cost reports filtered by business unit. Option D is wrong because creating a separate payer account for each business unit defeats the purpose of consolidated billing and increases management complexity, as AWS Organizations is designed to consolidate multiple accounts under a single payer for centralized billing and cost management.

433
MCQmedium

A company uses AWS Organizations with consolidated billing. The finance team needs to track costs by department, which are tagged with 'department' tags. However, some resources are not tagged. The team wants to ensure that all new resources are tagged, and existing untagged resources are identified. What should they do?

A.Use a service control policy (SCP) to deny resource creation without the 'department' tag, and use AWS Config rules to detect untagged resources.
B.Use AWS Config rules to enforce tagging on existing resources and automatically tag them.
C.Use AWS Cost Explorer to report on untagged resources.
D.Create an IAM policy that requires tagging for all actions and attach it to all users.
AnswerA

SCPs prevent creation of untagged resources; Config identifies existing untagged resources.

Why this answer

Option A is correct because SCPs can deny resource creation without required tags, and AWS Config rules can identify untagged resources. Option B is wrong because SCPs cannot enforce tags on existing resources. Option C is wrong because IAM policies cannot be enforced across accounts easily.

Option D is wrong because Cost Explorer can filter by tags but does not enforce tagging.

434
Multi-Selecthard

A multinational corporation is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have server-side encryption enabled, and any new bucket created without encryption must be automatically remediated. Which TWO steps should the team take to achieve this? (Choose two.)

Select 2 answers
A.Use an IAM policy to deny s3:PutBucketEncryption without encryption settings
B.Use AWS Trusted Advisor to check bucket encryption and send alerts
C.Use a CloudWatch Events rule to trigger a Lambda function that enables encryption on any new bucket
D.Use an SCP to deny PutBucketEncryption without encryption settings
E.Use AWS Config with a managed rule to detect non-compliant buckets and an auto-remediation action
AnswersC, D

This remediates new buckets, but requires additional setup; combined with SCP it's effective for new buckets.

Why this answer

Option C is correct because a CloudWatch Events rule (now Amazon EventBridge) can detect the 'CreateBucket' API call and trigger an AWS Lambda function that automatically enables server-side encryption on the newly created bucket. This provides real-time, event-driven remediation without manual intervention, ensuring compliance immediately after bucket creation.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, thinking an IAM deny policy can enforce encryption organization-wide, but SCPs are the correct tool for account-level restrictions in AWS Organizations, while IAM policies are user/role-specific and cannot prevent actions by the root user or service-linked roles.

435
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS keys managed by the security team. What is the MOST scalable and maintainable solution?

A.Apply a service control policy (SCP) at the root OU that denies s3:PutBucketAcl or s3:PutBucketPolicy actions unless encryption is configured.
B.Use AWS Trusted Advisor to check for unencrypted buckets and notify the security team.
C.Use AWS Config rules in each account to detect non-compliant buckets and trigger auto-remediation.
D.Create a CloudFormation StackSet that deploys an S3 bucket policy in every account.
AnswerA

SCPs are scalable and enforce prevention across all accounts.

Why this answer

Option A is correct because an SCP applied at the root OU can deny any S3 PutBucketAcl or PutBucketPolicy action unless the request includes a condition that the bucket encryption uses a KMS key from the security team’s account. This approach is centralized, scales across all accounts automatically, and prevents non-compliant buckets from being created or modified, making it the most scalable and maintainable solution.

Exam trap

The trap here is that candidates often assume AWS Config rules or Trusted Advisor are sufficient for enforcement, but they only detect or remediate after the fact, whereas SCPs provide preventive control at the organizational level, which is the key to scalability and maintainability.

How to eliminate wrong answers

Option B is wrong because Trusted Advisor only provides reactive checks and notifications; it does not enforce encryption or prevent non-compliant buckets from being created. Option C is wrong because AWS Config rules must be deployed in each account individually (or via delegation), and auto-remediation can be complex to maintain across many accounts; it is less scalable and centralized than an SCP. Option D is wrong because a CloudFormation StackSet deploys a bucket policy in each account, but bucket policies cannot enforce encryption on the bucket itself (they control access), and they can be overridden by the account owner; this does not prevent creation of unencrypted buckets.

436
Multi-Selectmedium

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the 'Production' OU can disable AWS CloudTrail or delete CloudTrail log files. Which two steps should be taken? (Choose TWO.)

Select 2 answers
A.Enable AWS CloudTrail Insights to detect unusual activity.
B.Create an SCP attached to the 'Production' OU that denies CloudTrail and S3 actions related to stopping or deleting trails and logs.
C.Use IAM roles with a permissions boundary that restricts CloudTrail actions.
D.Add an S3 bucket policy on the CloudTrail log bucket that denies s3:DeleteObject for all principals in the 'Production' OU.
AnswersB, D

SCP prevents the actions at the account level.

Why this answer

Option B is correct because Service Control Policies (SCPs) attached to an OU can deny specific AWS actions for all accounts within that OU, including actions like cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail log bucket. This ensures that no account in the 'Production' OU can disable CloudTrail or delete its log files, regardless of IAM permissions within the account. Option D is correct because an S3 bucket policy on the CloudTrail log bucket that explicitly denies s3:DeleteObject for all principals in the 'Production' OU adds a second layer of defense, preventing deletion of log files even if an account gains elevated privileges.

Exam trap

The trap here is that candidates often think IAM permissions boundaries or CloudTrail Insights can enforce preventive controls, but only SCPs and resource-based policies (like S3 bucket policies) can deny actions across all users and roles in an account at the organizational level.

437
MCQmedium

A company has multiple AWS accounts and wants to centralize operational data such as cost reports, security findings, and resource inventory. The solution should provide a single pane of glass for the operations team. Which AWS service should be used?

A.Use Amazon QuickSight to connect to each account's AWS Cost and Usage Report and AWS Config data.
B.Use AWS Control Tower to set up a landing zone and use the built-in dashboard for operational data.
C.Use AWS Config aggregator to collect resource configurations from all accounts.
D.Use AWS Organizations to create a central management account and use AWS Systems Manager Explorer to aggregate operational data.
AnswerD

Systems Manager Explorer provides a single dashboard for operational data.

Why this answer

Option D is correct because AWS Systems Manager Explorer, when used with AWS Organizations, provides a single-pane-of-glass dashboard that aggregates operational data (e.g., cost reports, security findings, resource inventory) across multiple accounts. The central management account in Organizations enables Explorer to collect and display data from all member accounts without requiring individual connections or manual aggregation.

Exam trap

The trap here is that candidates often confuse AWS Config aggregator (which only handles resource configurations) with a full operational data aggregator, or assume QuickSight can natively aggregate multi-account operational data without custom integration, leading them to overlook Systems Manager Explorer's purpose-built multi-account dashboard capabilities.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a business intelligence service for visualizing data, not a native aggregator for operational data; connecting to each account's Cost and Usage Report and Config data would require complex, custom pipelines and does not provide a built-in single pane of glass for operations. Option B is wrong because AWS Control Tower's built-in dashboard focuses on governance and compliance (e.g., guardrails, account factory status), not on aggregating operational data like cost reports, security findings, and resource inventory across accounts. Option C is wrong because AWS Config aggregator only collects resource configurations and compliance history, not cost reports or security findings, so it fails to meet the requirement for a comprehensive operational data view.

438
MCQeasy

A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?

A.AWS Config rules with auto-remediation
B.AWS Service Catalog with a portfolio of approved AMIs
C.AWS Identity and Access Management (IAM) policies in each account
D.AWS Organizations Service Control Policies (SCPs)
AnswerD

Correct: SCPs can centrally restrict actions across accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) are the correct choice because they allow you to centrally define and enforce permission guardrails across all accounts in your organization. SCPs can restrict EC2 actions to specific Regions using the `aws:RequestedRegion` condition key and limit AMI usage by denying launch actions unless the AMI ID matches an approved list, ensuring compliance without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking that IAM policies in each account can centrally enforce controls, but SCPs are the only mechanism that applies across all accounts in an organization without requiring per-account management.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with auto-remediation are detective and reactive—they can detect non-compliant resources and trigger remediation actions, but they cannot proactively prevent developers from launching EC2 instances in unapproved Regions or with unapproved AMIs at the time of the API call. Option B is wrong because AWS Service Catalog allows you to create a portfolio of approved AMIs that developers can launch, but it does not enforce controls across all accounts; developers could still bypass Service Catalog and launch EC2 directly via the console or CLI if not restricted by other policies. Option C is wrong because IAM policies in each account would require manual duplication and management across every account, leading to inconsistency and administrative overhead, and they cannot be enforced from a central point like SCPs can.

439
MCQhard

A company uses AWS Organizations with a large number of accounts. The networking team wants to centrally manage VPCs and subnets using AWS Resource Access Manager (RAM) and share subnets to member accounts. What must be done in the member accounts to use shared subnets?

A.The member account must create an IAM role to assume for launching resources in the shared subnet.
B.The member account must create a VPC and then associate the shared subnet.
C.The member account must accept the resource share invitation.
D.Nothing, shared subnets are automatically available to all accounts in the organization.
AnswerD

Within an organization, resource shares are automatically accepted.

Why this answer

Option A is correct because shared subnets automatically appear in the member account's VPC console, and they can launch resources without additional configuration. Option B is wrong because no resource share acceptance is needed if sharing within the same organization. Option C is wrong because shared subnets are already in the member account's VPC.

Option D is wrong because no IAM role is needed for subnet sharing.

440
MCQhard

A company has multiple AWS accounts managed through AWS Organizations. The central IT team wants to allow developers to launch EC2 instances only in specific Regions, but allow full access to all other services. What is the BEST approach?

A.Configure IAM permissions boundaries on all developer roles to restrict EC2 actions to allowed Regions.
B.Apply an SCP that allows EC2 actions only in the allowed Regions.
C.Use AWS Config rules to terminate EC2 instances launched in disallowed Regions.
D.Create a Service Control Policy (SCP) that denies EC2 actions in disallowed Regions.
AnswerB

SCPs deny actions by default, so you must explicitly allow only the desired Regions.

Why this answer

Using an SCP with a Deny effect for EC2 actions outside allowed Regions is the best approach because it prevents the action across all accounts. Option A is wrong because IAM permissions boundaries are per-role. Option B is wrong because it allows EC2 in all Regions.

Option D is wrong because it allows launching in all Regions.

441
Multi-Selecthard

A company has a production AWS account that contains sensitive data. The security team wants to ensure that no one can disable AWS CloudTrail or delete the CloudTrail S3 bucket. Which THREE actions should be taken to protect these resources? (Choose three.)

Select 3 answers
A.Use IAM groups to restrict access to CloudTrail and S3.
B.Enable multi-factor authentication (MFA) delete on the S3 bucket.
C.Configure S3 bucket versioning and enable S3 Object Lock.
D.Attach a service control policy (SCP) to the account that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
E.Store CloudTrail logs in a separate account that only the security team can access.
AnswersB, C, D

MFA delete adds an extra layer of protection to prevent accidental or malicious deletion.

442
Multi-Selecthard

A company has multiple AWS accounts and wants to centralize logging of all API calls. Which TWO services should be used together to achieve this?

Select 2 answers
A.VPC Flow Logs
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Logs
E.Amazon S3
AnswersB, D

CloudTrail records API calls.

Why this answer

Option B is correct because CloudTrail logs API calls. Option C is correct because CloudWatch Logs can aggregate logs from multiple accounts into a central account. Option A is wrong because S3 is storage, not aggregation.

Option D is wrong because Config records resource changes, not API calls. Option E is wrong because VPC Flow Logs capture network traffic.

443
MCQeasy

A company is using AWS Organizations and wants to allow certain member accounts to create VPCs with specific CIDR ranges. Which mechanism should be used to enforce this restriction?

A.Use AWS Config rules to automatically delete non-compliant VPCs.
B.Use IAM policies with conditions on the ec2:CreateVpc action in each account.
C.Use AWS CloudTrail to monitor VPC creation and alert the security team.
D.Use SCPs with conditions on the ec2:CreateVpc action, specifying allowed CIDR ranges.
AnswerD

SCPs can deny VPC creation if the CIDR does not match allowed ranges.

Why this answer

Option B is correct because SCPs can be attached to OUs or accounts to deny actions that do not meet conditions. Option A is wrong because IAM policies are for users/roles within an account, not for controlling actions across accounts. Option C is wrong because AWS Config can detect non-compliant VPCs but cannot prevent creation.

Option D is wrong because CloudTrail logs but does not enforce.

444
MCQhard

A company has a multi-account architecture with a central networking account that hosts a Transit Gateway. Each workload account has VPCs attached to the Transit Gateway. The company wants to centrally manage DNS resolution across all VPCs using Route 53 Resolver. They create a Route 53 Resolver outbound endpoint in the networking account and associate it with the workload VPCs via RAM. However, workload accounts cannot resolve on-premises hostnames. What is the missing configuration?

A.Establish VPC peering between the workload VPCs and the networking account VPC.
B.Create a Route 53 private hosted zone in the networking account and associate it with the workload VPCs.
C.Create a Route 53 Resolver inbound endpoint in the networking account.
D.Create a Route 53 Resolver rule in each workload account that forwards queries for the on-premises domain to the outbound endpoint.
AnswerD

Resolver rules determine how DNS queries are forwarded.

Why this answer

Option A is correct because the workload VPCs need to forward DNS queries to the outbound endpoint via a rule. Option B is wrong because the inbound endpoint is for on-premises to resolve AWS resources. Option C is wrong because a private hosted zone is not directly related to forwarding.

Option D is wrong because VPC peering is not required when using Transit Gateway.

445
Multi-Selecthard

A company has a multi-account AWS environment and wants to enforce that all IAM roles in member accounts must include a specific tag (e.g., CostCenter). Which THREE steps should be taken to enforce this policy using AWS Organizations?

Select 3 answers
A.Create an IAM policy in each account that requires tags on role creation
B.Set up AWS Budgets to alert on untagged roles
C.Attach the SCP to the root organizational unit to apply it to all accounts
D.Create a service control policy (SCP) that denies iam:CreateRole if the request does not include the required tag
E.Use AWS Config rules to detect roles missing the tag and trigger automatic remediation
AnswersC, D, E

Attaching to root ensures all accounts are covered.

Why this answer

Option C is correct because AWS Organizations allows you to attach a service control policy (SCP) to the root organizational unit (OU), which applies the policy to all member accounts in the organization. This ensures that the tag enforcement is centrally managed and cannot be bypassed by individual account administrators, as SCPs set permission boundaries that override IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Budgets (a cost alerting tool) with a governance enforcement mechanism, or think that per-account IAM policies are sufficient for centralized control, missing the fact that SCPs are the only way to enforce organization-wide guardrails that cannot be overridden by account administrators.

446
MCQhard

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

A.Use AWS Service Catalog to provide a password policy product and require account owners to launch it.
B.Use an SCP to deny the iam:UpdateAccountPasswordPolicy action and deploy a password policy using CloudFormation StackSets.
C.Use an SCP to deny the iam:CreateUser action unless the request includes a condition that the password policy meets the requirement.
D.Use AWS Config rules to detect accounts without the required password policy and auto-remediate with a Lambda function.
AnswerB

Correct: Prevents changes and enforces policy.

Why this answer

Option B is correct because an SCP can deny the iam:UpdateAccountPasswordPolicy action, preventing member accounts from altering the password policy, while CloudFormation StackSets can deploy a compliant password policy across all member accounts automatically. This combination provides a preventive control that enforces the minimum 14-character requirement without relying on user action or reactive detection.

Exam trap

The trap here is that candidates often choose a detective/reactive solution (like AWS Config with auto-remediation) because it seems automated, but the question explicitly asks for a preventive control that is enforced automatically, which requires blocking the ability to change the policy (SCP) and proactively applying the correct policy (StackSets).

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog requires account owners to manually launch the product, which is not automatic and does not prevent non-compliance if they skip it. Option C is wrong because SCPs cannot conditionally deny iam:CreateUser based on password policy requirements; password policy is an account-level setting, not a per-user request parameter, and the iam:CreateUser action does not support such a condition key. Option D is wrong because AWS Config rules are detective and reactive, not preventive; they detect non-compliance after the fact and auto-remediation via Lambda is still a corrective action, not an automatic preventive enforcement.

447
MCQhard

Refer to the exhibit. A company attached the above SCP to an OU in AWS Organizations. The SCP is intended to allow only t3.micro and t3.small EC2 instances. However, users in accounts within that OU are still able to launch other instance types. What is the most likely reason?

A.The SCP syntax is invalid because it uses StringNotEquals
B.The SCP must also allow the allowed instance types in a separate statement
C.The SCP does not include an Allow statement for the allowed instance types
D.The SCP is not attached to the correct OU or root
AnswerD

If the SCP is not attached to the OU containing the accounts, it will not take effect.

Why this answer

Option B is correct because the SCP denies RunInstances only when the instance type is not t3.micro or t3.small, but it applies only to the instance resource (arn:aws:ec2:*:*:instance/*). The RunInstances action also requires permissions on other resources like images, network interfaces, etc. If the SCP does not cover those resources, the condition may not be evaluated fully, or the SCP might not deny the action if other resources are not specified.

Alternatively, the SCP might not be attached to the correct OU, or there might be an allow SCP overriding it. The most common issue is that the SCP is not attached to the correct path. Option A is wrong because SCPs do not need to allow actions explicitly; they are deny-only.

Option C is wrong because the syntax is correct. Option D is wrong because SCPs do not require an Allow statement to work.

448
MCQmedium

A company uses AWS Control Tower to manage a multi-account environment. They need to deploy a custom CloudFormation template to all accounts in a specific organizational unit (OU) whenever a new account is added. What should they use?

A.Use AWS Service Catalog portfolio to share templates.
B.Use AWS Lambda with lifecycle hooks in AWS CloudFormation.
C.Use AWS CloudFormation StackSets and manually trigger them for new accounts.
D.Use AWS Control Tower Account Factory Customization (AFC).
AnswerD

AFC automatically deploys custom templates to new accounts.

Why this answer

Option B is correct because Account Factory Customization (AFC) in Control Tower allows automatic deployment of custom templates when new accounts are provisioned. Option A is wrong because StackSets require manual invocation. Option C is wrong because Service Catalog does not automate deployment.

Option D is wrong because Lifecycle hooks are not part of Control Tower.

449
MCQhard

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The architecture must handle sudden spikes in traffic without losing events. Which configuration ensures the highest reliability?

A.Increase the SQS visibility timeout to 30 minutes.
B.Use DynamoDB on-demand capacity mode.
C.Configure an SQS dead-letter queue for failed messages.
D.Set Lambda reserved concurrency to a low value to control costs.
AnswerC

DLQ captures messages that cannot be processed, ensuring no data loss.

Why this answer

Option D is correct because enabling a dead-letter queue (DLQ) on SQS captures messages that fail processing, preventing loss. Option A is wrong because reserved concurrency limits throughput. Option B is wrong because maxBatchingWindow increases latency.

Option C is wrong because provisioned capacity may not handle spikes efficiently.

450
MCQhard

A global e-commerce company uses AWS Organizations with over 500 accounts. They have a central security account that aggregates CloudTrail logs and VPC Flow Logs from all accounts. The security team needs to analyze these logs using Amazon Athena and visualize the results in Amazon QuickSight. The logs are stored in an S3 bucket in the security account, and each member account writes its own prefix. The current setup uses a bucket policy to allow member accounts to write logs. Recently, the security team has been unable to query logs for the past week. They suspect the issue is related to a new SCP that was applied to the root. The SCP denies s3:PutObject unless the request includes a specific tag. Which action should the security team take to restore log delivery without compromising security?

A.Remove the SCP from the root.
B.Modify the bucket policy to allow s3:PutObject without tags.
C.Modify the SCP to allow s3:PutObject for the CloudTrail and VPC Flow Logs service principals without requiring the tag.
D.Create a new S3 bucket without the tag requirement and reconfigure logging to use that bucket.
AnswerC

This allows the logging services to write logs while still requiring tags for other PutObject calls.

Why this answer

The SCP denies s3:PutObject unless the request includes a specific tag. CloudTrail and VPC Flow Logs do not automatically include tags. The solution is to modify the SCP to allow the necessary services even without the tag.

Option C allows the services to bypass the tag requirement.

← PreviousPage 6 of 7 · 455 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Org Complexity questions.