CCNA Org Complexity Questions

5 of 455 questions · Page 7/7 · Org Complexity topic · Answers revealed

451 · MCQ · hard

A company wants to implement a least-privilege permission model across all AWS accounts. The security team needs to ensure that no IAM user has full administrator access. However, the operations team occasionally needs emergency access. Which solution meets these requirements?

A. Configure AWS IAM Identity Center with permission sets that grant temporary elevated access, and require approval for emergency access.
B. Use an SCP that denies all IAM actions except those from a specific admin account.
C. Use an IAM password policy that requires multi-factor authentication for all users.
D. Create an IAM role in each account with full administrator access and use a break-glass process to assume it.

Answer: A

IAM Identity Center allows time-limited, auditable access elevation.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) allows you to define permission sets that grant temporary, scoped access to AWS accounts. By requiring approval for emergency access, you enforce a least-privilege model while still providing a controlled break-glass mechanism. This avoids permanent admin rights and ensures all elevated access is auditable and time-limited.

Exam trap

The trap here is that candidates often confuse a static IAM role with a break-glass process (Option D) as sufficient for least privilege, but they overlook that without temporary credentials and approval workflows, the role grants persistent full admin access to anyone who can assume it, violating the least-privilege principle.

How to eliminate wrong answers

Option B is wrong because an SCP that denies all IAM actions except from a specific admin account would block the operations team from assuming any role or performing IAM operations, including the emergency access they need, and it does not provide a temporary elevation mechanism. Option C is wrong because an IAM password policy requiring MFA only controls password-based authentication for IAM users; it does not prevent a user from having full administrator access or provide a way to grant temporary elevated permissions. Option D is wrong because creating an IAM role with full administrator access in each account and using a break-glass process to assume it does not enforce least privilege: it grants permanent full admin access to anyone who can assume the role, and the break-glass process is not inherently controlled or audited without additional mechanisms such as approval workflows.

452 · Multi-Select · medium

A company wants to implement a least-privilege security model across multiple AWS accounts. Which TWO services can help enforce this?

Select 2 answers
A. AWS Key Management Service (KMS)
B. AWS Organizations Service Control Policies (SCPs)
C. AWS Config
D. AWS Identity and Access Management (IAM) Access Analyzer
E. AWS CloudTrail

Answers: B, D

SCPs can restrict permissions at the account level, enforcing least privilege.

Why this answer

AWS Organizations Service Control Policies (SCPs) are correct because they allow you to centrally control the maximum available permissions for all accounts in your organization, enabling a least-privilege model by restricting actions at the account level. SCPs act as a guardrail that applies to all IAM users, roles, and root users within an account, ensuring that even if a principal has broad IAM policies, the SCP can deny specific high-risk actions across the entire organization.

Exam trap

The trap here is that candidates often confuse AWS Config (which detects compliance) with a service that enforces policies, or they think KMS or CloudTrail can restrict permissions, when in fact only SCPs and IAM Access Analyzer (for validating policies against least-privilege) directly support enforcing or validating a least-privilege model across multiple accounts.

453 · MCQ · medium

A company is implementing a data lake on Amazon S3. The data lake must be accessible from multiple accounts within the same AWS Organization. Objects must be encrypted at rest, and the company wants to use a single AWS KMS key for simplicity. Which solution meets these requirements?

A. Use SSE-S3 encryption. Grant cross-account access via bucket policy.
B. Use SSE-C encryption. Provide the same customer key to all accounts.
C. Use a customer managed AWS KMS key with a key policy that allows access from all accounts in the organization.
D. Use SSE-KMS with a key per account and use S3 bucket policy to allow cross-account access.

Answer: C

Allows centralized key management and cross-account access via key policy.

Why this answer

Option C is correct because a single customer managed key is sufficient (no multi-region key is needed), and cross-account use of that key must be granted in the key policy. Option A is wrong because SSE-S3 does not allow cross-account access control over the encryption key. Option B is wrong because SSE-C requires managing and distributing the keys externally.

Option D is wrong because S3 bucket policies cannot grant access to KMS keys.

454 · Multi-Select · hard

Which THREE components are required to set up a centralized logging solution for multiple AWS accounts using Amazon S3? (Choose THREE.)

Select 3 answers
A. Amazon CloudWatch Logs subscription filter in each account.
B. AWS CloudTrail in the central account only.
C. A central S3 bucket in the logging account.
D. A bucket policy on the central bucket that grants write access to the source accounts.
E. IAM roles in each source account with permissions to write to the central bucket.

Answers: C, D, E

Destination for logs.

Why this answer

A central S3 bucket (option C), a bucket policy that allows cross-account writes (option D), and IAM roles in each source account to push logs (option E) are required. Option B is wrong because CloudTrail in the central account only is one way to collect logs but is not required when delivering to S3. Option A is wrong because CloudWatch Logs subscription filters are not required.

455 · Multi-Select · easy

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally manage CloudWatch Logs from all accounts. The logs should be sent to a central S3 bucket in the management account. Which two actions should the team take? (Choose two.)

Select 2 answers
A. Create a subscription filter in each member account's log groups that sends logs to the central S3 bucket.
B. Configure the S3 bucket policy to allow the member accounts to write objects.
C. Create an IAM role in the management account that can read logs from member accounts.
D. Apply an SCP that requires all log groups to export logs to the central bucket.
E. Use AWS CloudTrail to deliver logs to the central bucket.

Answers: A, B

Subscription filters deliver logs to destinations like S3.

Why this answer

Options A and B are correct. A subscription filter must be created in each member account's log groups (or a cross-account subscription used), and the S3 bucket policy must allow cross-account writes. Option D is wrong because SCPs cannot create log delivery.

Option C is wrong because the IAM roles that the subscription needs live in the member accounts, not a reader role in the management account. Option E is wrong because CloudWatch Logs does not natively send to S3 without subscription filters.
