Sample questions
AWS Certified Security Specialty SCS-C02 practice questions
Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.
Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.
Drag and drop the steps to implement AWS KMS key rotation in the correct order.
Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.
Drag and drop the steps to configure AWS CloudTrail for logging across all regions and accounts in the correct order.
Drag and drop the steps to set up a secure S3 bucket with encryption and access control in the correct order.
A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?
- A
Create an S3 bucket policy in each account to deny access to unencrypted buckets.
Why wrong: Bucket policies are per-bucket and do not prevent creation of new buckets without encryption.
- B
Use AWS Config rules to detect buckets without encryption and send alerts.
Why wrong: Config rules are detective, not preventive.
- C
Create an IAM role in each account that requires encryption when creating buckets.
Why wrong: IAM roles cannot enforce policies across all accounts centrally.
- D
Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.
SCPs allow central policy enforcement across all accounts in the organization.
A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?
- A
Place all tiers in public subnets and use security groups to restrict traffic.
Why wrong: This exposes app and database tiers to the internet, which is not isolated.
- B
Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
This ensures isolation and encryption can be applied at the application layer.
- C
Place the web and app tiers in public subnets and the database in a private subnet.
Why wrong: The app tier in a public subnet is exposed and unnecessary.
- D
Place all tiers in private subnets and use a single security group to allow traffic between them.
Why wrong: A single security group does not provide fine-grained isolation between tiers.
A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?
- A
Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.
Security groups are stateful and will allow return traffic automatically.
- B
Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.
Why wrong: Using the web security group ID as source is more dynamic and secure than IP CIDR.
- C
Place the database servers in a public subnet for easier connectivity.
Why wrong: Databases should be in private subnets, not exposed to the internet.
- D
Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.
Why wrong: NACLs are stateless and require explicit outbound rules; security groups are simpler and stateful.
- E
Create a security group for the database servers that allows inbound traffic on port 3306 from the web security group ID.
This ensures only instances in the web security group can connect.
A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?
- A
The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
Without a return route, responses from on-premises are dropped.
- B
The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
Why wrong: Outbound traffic is reaching on-premises, so NACL is not blocking outbound.
- C
The virtual private gateway is not attached to the VPC.
Why wrong: If the gateway were not attached, outbound traffic would not reach on-premises.
- D
The security group does not allow inbound traffic from the on-premises server.
Why wrong: Security groups are stateful; if outbound is allowed, return traffic is automatically allowed.
A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?
Exhibit
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
- A
The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.
This is overly permissive and should be scoped down.
- B
The policy does not specify a principal, so it will not work.
Why wrong: Principal '*' is allowed when used with conditions.
- C
The aws:SourceArn condition uses ArnLike which is deprecated.
Why wrong: ArnLike is valid and commonly used.
- D
The aws:SourceIp condition cannot be used with SQS queue policies.
Why wrong: aws:SourceIp can be used with SQS.
A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?
- A
Use an SCP to deny access to the AWS Management Console unless MFA is present. Attach the SCP to the production OU.
Why wrong: SCPs can deny actions, but they cannot enforce MFA at the console login level; they cannot require MFA for the initial sign-in.
- B
Disable password-based access for all IAM users and require federation with an identity provider that enforces MFA.
Why wrong: Disabling password access prevents all console login; the requirement is for IAM users to use MFA, not to remove password access.
- C
Enable MFA on the root user and apply a password policy that requires MFA.
Why wrong: Root MFA does not enforce MFA for other users; password policy does not require MFA for sign-in.
- D
Create an IAM policy that denies all console actions unless MFA is present. Attach the policy to the IAM group that contains all production users.
This policy ensures that a user who signed in without MFA cannot perform any console actions; combined with requiring MFA for sensitive actions, it effectively enforces MFA for console access.
A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?
- A
The IAM user is not authorized to perform 's3:PutObject' on the bucket 'my-bucket'.
Why wrong: The IAM policy explicitly allows 's3:PutObject' on objects in that bucket, so the user is authorized.
- B
The bucket policy denies access because the principal is not explicitly listed.
Why wrong: The bucket policy allows all principals in the same account, so the developer's user is included.
- C
The IAM policy grants 's3:PutObject' only on objects (/*), but the request may also require 's3:PutObject' on the bucket itself for some operations.
The IAM policy should allow 's3:PutObject' on the bucket ARN as well, or the bucket policy should explicitly allow the user. The bucket policy allows all principals in the account, so that is not the issue.
- D
The bucket 'my-bucket' does not exist in the same region as the CLI request.
Why wrong: The CLI uses the correct region; bucket names are globally unique.
A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?
- A
The IAM users in Account A must have an IAM policy that allows the sts:AssumeRole action for the role ARN in Account B.
Users need explicit permission to call AssumeRole.
- B
The trust policy for the role must be defined in Account A.
Why wrong: The trust policy is attached to the role in Account B.
- C
The S3 bucket policy must grant access to the IAM users in Account A.
Why wrong: The bucket policy should grant access to the role ARN, not the users directly.
- D
The role in Account B must have a trust policy that allows the IAM users in Account A to assume the role.
The trust policy defines which principals are allowed to assume the role.
- E
The IAM users in Account A must have cross-account permissions on the S3 bucket in Account B.
Why wrong: The users do not interact directly with the bucket; they assume the role which has the permissions.
An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?
Exhibit
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "*"
    }
  ]
}
```
- A
The Allow statement for iam:ChangePassword is not sufficient because the Deny statement explicitly denies all actions.
Why wrong: The Deny is conditional; if the condition is not met, the Deny does not apply. But the condition is met due to BoolIfExists.
- B
The Deny statement uses 'BoolIfExists', which evaluates to true if the condition key is not present. In the IAM console, the 'aws:MultiFactorAuthPresent' key may not be set, causing the Deny to apply even when the user has MFA.
BoolIfExists returns true if the key does not exist, so the Deny applies, blocking all actions including password change.
- C
The Deny statement denies all actions unconditionally, so the Allow statement cannot override it.
Why wrong: The Deny has a condition; it is not unconditional.
- D
The user does not have permission to change their own password because the Allow statement is not specific enough.
Why wrong: The Allow statement allows iam:ChangePassword on all resources, which includes the user's own password.
A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?
Exhibit
Refer to the exhibit.
```
{
"Records": [
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"arn": "arn:aws:iam::123456789012:user/JohnDoe",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE"
},
"eventTime": "2024-08-01T12:34:56Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.5",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"groupId": "sg-0123456789abcdef0",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"ipRanges": [
{
"cidrIp": "0.0.0.0/0"
}
]
}
]
}
}
}
]
}
```
- A
The source IP address 203.0.113.5 is from a known malicious IP range.
Why wrong: The IP address is an example (RFC 5735) and not necessarily malicious.
- B
A security group rule was added allowing SSH access from any IP address.
AuthorizeSecurityGroupIngress with 0.0.0.0/0 on port 22 is a common misconfiguration that exposes the instance to the internet.
- C
The API call was made from the AWS CLI, which may indicate a compromised access key.
Why wrong: The userAgent shows 'console.amazonaws.com', indicating the call came from the Management Console, not the CLI.
- D
The user JohnDoe did not use multi-factor authentication (MFA) for this API call.
Why wrong: The CloudTrail log does not include MFA status; it cannot be determined from this entry alone.
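A detection that turns the concern in option B into a finding, added here as an example that is not part of the original page or of any AWS tool: it embeds the exhibit record as constructed sample input, accepts both the exhibit's bare lists and CloudTrail's usual `{"items": [...]}` wrapping, and assumes a small list of sensitive ports.

```python
"""Flag CloudTrail AuthorizeSecurityGroupIngress events that open a sensitive
port to the whole internet. Added example, not AWS tooling: the sample input
is the exhibit record from this question, embedded here as constructed data;
find_world_open_ingress() takes the Records array of any CloudTrail log file."""
import ipaddress
import json

# Ports whose exposure to 0.0.0.0/0 or ::/0 should raise a finding (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample: the exhibit record, unchanged.
SAMPLE_LOG = json.loads("""{"Records": [{
  "eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/JohnDoe",
                   "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "eventTime": "2024-08-01T12:34:56Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5", "userAgent": "console.amazonaws.com",
  "requestParameters": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}}]}""")


def _is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0, or any prefix of length 0 covering all addresses."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _items(node):
    """CloudTrail wraps lists as {"items": [...]}; the exhibit uses bare lists."""
    return node.get("items", []) if isinstance(node, dict) else (node or [])


def _cidrs(permission):
    # IPv4 ranges carry "cidrIp"; IPv6 ranges (under "ipv6Ranges") carry "cidrIpv6".
    for field in ("ipRanges", "ipv6Ranges"):
        for rng in _items(permission.get(field)):
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr:
                yield cidr


def find_world_open_ingress(records):
    """Return one finding per sensitive port that a rule opened to the world."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        for perm in _items(params.get("ipPermissions")):
            if not any(_is_world_open(c) for c in _cidrs(perm)):
                continue
            if perm.get("ipProtocol") == "-1":   # "all traffic": no port fields
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            for port, service in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append({
                        "groupId": params.get("groupId"), "port": port,
                        "service": service, "time": rec.get("eventTime"),
                        "actor": rec.get("userIdentity", {}).get("arn"),
                        "sourceIp": rec.get("sourceIPAddress"),
                    })
    return findings


if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_LOG["Records"]):
        print(f"{f['time']} {f['actor']} opened {f['service']}/{f['port']} "
              f"to the world on {f['groupId']}")
```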
A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?
- A
Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.
CloudHSM provides a dedicated HSM that you control, and RDS can be encrypted using keys from CloudHSM.
- B
Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.
Why wrong: KMS does not allow direct use of an external HSM for key management; imported key material is still inside KMS.
- C
Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.
Why wrong: Secrets Manager is not designed for database encryption at rest; it's for application secrets.
- D
Use AWS KMS with a custom key store backed by AWS CloudHSM.
Why wrong: This uses CloudHSM but the key management is still through KMS, and you don't directly control the HSM.
Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)
- A
Deploy AWS Config conformance packs using AWS CloudFormation StackSets across accounts.
Conformance packs contain rules and remediation actions that can be deployed centrally.
- B
Attach IAM policies to all IAM users in each account.
Why wrong: IAM policies are per-account and not centrally managed across accounts.
- C
Use AWS Security Hub to automatically enforce compliance rules.
Why wrong: Security Hub aggregates findings but does not enforce policies.
- D
Use AWS Organizations service control policies (SCPs) to restrict allowed actions.
SCPs are centrally managed and apply to all accounts in the organization.
- E
Enable VPC Flow Logs in each account and send them to a central S3 bucket.
Why wrong: VPC Flow Logs provide network traffic logs, not policy enforcement.
Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?
Exhibit
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t2.micro", "t2.small"]
        }
      }
    }
  ]
}
```
- A
The instance launches successfully because the SCP only applies to StartInstances, not RunInstances.
Why wrong: The SCP denies both RunInstances and StartInstances.
- B
The launch fails because the SCP denies RunInstances for instance types other than t2.micro and t2.small.
Condition StringNotEquals matches m5.large, so Deny applies.
- C
The instance launches successfully because the SCP does not explicitly allow any actions.
Why wrong: SCPs are deny lists; they can block actions even without an explicit allow.
- D
The launch fails only if the developer's IAM policy also denies the action.
Why wrong: SCPs apply regardless of IAM policies; they cannot be overridden.
A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)
- A
Enable default encryption on the bucket using SSE-S3.
Why wrong: SSE-S3 only encrypts at rest, not in transit.
- B
Enable AWS CloudTrail with data events for S3.
CloudTrail logs all API calls, including failed ones, for auditing.
- C
Enable S3 Versioning on the bucket.
Versioning allows recovery of deleted objects within the version retention period.
- D
Enable S3 server access logs and send them to a separate bucket.
Why wrong: Access logs do not capture failed attempts reliably; CloudTrail is preferred for auditing.
- E
Enable MFA Delete on the bucket.
Why wrong: MFA Delete provides extra protection but does not allow reversal of deletion; versioning does.
A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?
- A
Configure a bucket policy that denies s3:PutObject when s3:x-amz-server-side-encryption is aws:kms.
Why wrong: This would also deny reading objects encrypted with SSE-KMS if the policy is applied to all actions.
- B
Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
Why wrong: Lifecycle policies do not change encryption of existing objects; they only transition storage class.
- C
Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
This policy enforces SSE-S3 for uploads without affecting reads of existing objects.
- D
Disable SSE-KMS in the AWS KMS key policy to prevent its use.
Why wrong: Disabling the key would make existing SSE-KMS objects unreadable.
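The three policies this page walks through, the iam:ChangePassword exhibit with BoolIfExists, the instance-type SCP exhibit, and the AES256-only bucket policy of option C above, can be checked mechanically with a small evaluator. This is an added example, not part of the original page and not AWS's own evaluation engine: the bucket policy, the bucket name my-bucket, the user and instance ARNs and the request contexts are constructed, and the evaluator models only the operators these exhibits use.

```python
"""Toy IAM condition evaluator for the three policy exhibits this page discusses.

Added example, not AWS code. It models only Action/Resource wildcards, the
StringNotEquals, Bool, BoolIfExists and Null operators, and the rule that an
explicit Deny beats any Allow. A missing context key satisfies only the
IfExists variants and Null (a simplification of IAM's full rules)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, context):
    """True when every operator/key pair holds; `context` maps condition keys
    to request values and omits keys the request does not carry."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            present = key in context
            actual = str(context[key]) if present else None
            if operator == "Null":
                # "true" asserts the key is absent, "false" that it is present.
                if present == (expected[0].lower() == "true"):
                    return False
            elif not present:
                # ...IfExists passes on a missing key; other operators fail.
                if not operator.endswith("IfExists"):
                    return False
            elif operator in ("Bool", "BoolIfExists"):
                if actual.lower() != expected[0].lower():
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def evaluate(policy, action, resource, context):
    """Decision under one policy document: a matching Deny returns at once,
    a matching Allow is remembered, and no match is the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _pattern_matches(action, stmt["Action"]):
            continue
        if not _pattern_matches(resource, stmt.get("Resource", "*")):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Exhibit policy from the iam:ChangePassword question.
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"}]}

# Exhibit SCP from the m5.large question.
INSTANCE_TYPE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:RunInstances", "ec2:StartInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}

# Constructed bucket policy for the "only SSE-S3 on upload" answer (bucket name
# assumed): deny s3:PutObject when the header is anything but AES256, and deny
# it again when the header is absent. Reads of existing objects are untouched.
SSE_S3_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def change_password_decision(context):
    """Pass {} to model a session in which aws:MultiFactorAuthPresent is unset."""
    return evaluate(MFA_POLICY, "iam:ChangePassword",
                    "arn:aws:iam::123456789012:user/JohnDoe", context)


def run_instances_blocked(instance_type):
    return evaluate(INSTANCE_TYPE_SCP, "ec2:RunInstances",
                    "arn:aws:ec2:us-east-1:123456789012:instance/*",
                    {"ec2:InstanceType": instance_type}) == "Deny"


def put_object_blocked(request_headers):
    return evaluate(SSE_S3_ONLY_POLICY, "s3:PutObject",
                    "arn:aws:s3:::my-bucket/report.pdf", request_headers) == "Deny"
```

The Null statement matters in practice: it is what catches an upload that sends no encryption header at all, a case a StringNotEquals check alone does not cover in this model.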
A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?
- A
Enable automatic key rotation on the existing CMK.
Why wrong: Automatic rotation is only available annually (365 days), not 90 days.
- B
Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.
Alias updates are immediate and do not require application changes; old keys remain available for decryption.
- C
Use a CMK with imported key material and rotate the material every 90 days.
Why wrong: Importing key material is more complex and still requires manual rotation.
- D
Continue creating new CMKs but use a script to update the application configuration files.
Why wrong: This still requires manual intervention and downtime.
A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?
- A
Create a bucket policy that denies s3:DeleteObject and s3:PutObject to all principals.
Why wrong: Root user can modify or delete the bucket policy itself, then delete objects.
- B
Enable MFA Delete on the S3 bucket and configure CloudTrail to log to that bucket.
Why wrong: MFA Delete can be bypassed by root user if they have MFA; it also does not prevent modification.
- C
Enable CloudTrail log file validation and store logs in a separate account.
Why wrong: Validation detects tampering but does not prevent deletion or modification.
- D
Enable S3 Object Lock in Governance mode with a retention period, and use a separate account to manage the retention settings.
Object Lock prevents object deletion/modification, and Governance mode allows only users with special permissions to bypass retention, which can be restricted to a different account.
A company uses AWS Organizations with multiple accounts and wants to ensure that all newly created S3 buckets have encryption enabled. The Security team needs a solution that automatically remediates non-compliant buckets without manual intervention. What should they do?
- A
Apply a service control policy (SCP) that denies the s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption actions unless the bucket has encryption enabled.
SCPs can prevent creation of buckets that do not meet encryption requirements, providing preventive control.
- B
Use an S3 bucket policy that denies PutObject unless the request includes the x-amz-server-side-encryption header.
Why wrong: This denies object uploads without encryption but does not enforce encryption at the bucket level during creation.
- C
Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule and set up automatic remediation using Systems Manager Automation.
Why wrong: AWS Config detects but does not automatically remediate without additional setup; this is not the simplest preventive solution.
- D
Create an IAM role with permissions to enforce encryption and attach it to all accounts in the organization.
Why wrong: IAM roles do not enforce encryption on bucket creation; they grant permissions but do not set bucket properties.