AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 175

1738 questions total · 24pages · All types, answers revealed

Page 1 of 24

Page 2
1
MCQhard

A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?

A.The SCP allows actions only from the specified IP range, but the developer's IP is not in that range.
B.The SCP does not apply to IAM users in member accounts; it only applies to the root user.
C.The aws:SourceIp condition key does not work correctly for requests made via the AWS Management Console because the console may use a different IP.
D.The IAM user does not have the necessary permissions because the SCP explicitly denies all actions.
AnswerC

The console may use intermediary IPs; the source IP condition is not reliable for console access.

Why this answer

Option C is correct. The SCP uses the aws:SourceIp condition, but when accessing the Management Console, the IP address seen by AWS is the console's IP, which may not be the same as the developer's VPN IP if the console uses a proxy or if the VPN is configured incorrectly. Option A is wrong because SCPs affect all principals, including the root user.

Option B is wrong because the SCP denies actions, not allows them; an explicit deny overrides allows. Option D is wrong because the SCP denies all actions, so even if the developer has permissions, the SCP denies them.

2
Multi-Selecthard

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?

Select 2 answers
A.Create a bucket policy that denies s3:GetObject unless the request includes a specific encryption context
B.Modify the KMS key policy to allow only the authorized IAM roles to use the key
C.Attach an IAM policy to the authorized users that grants kms:Decrypt on the CMK
D.Create a VPC endpoint for S3 and use bucket policies to restrict access to the endpoint
E.Use SSE-C with a customer-provided key
AnswersB, C

Key policy controls access to the key.

Why this answer

To control decryption access, you need to grant kms:Decrypt permission to authorized users and restrict the key policy accordingly. Option B and D are correct because they control access to the key. Option A is incorrect because a bucket policy alone cannot control decryption; it works with the key policy.

Option C is incorrect because SSE-KMS uses KMS keys, not SSE-C. Option E is incorrect because S3 does not support IAM conditions for VPC endpoint on decryption.

3
Multi-Selecthard

Which THREE practices are recommended for managing encryption keys in AWS KMS? (Choose 3.)

Select 3 answers
A.Delete the KMS key immediately when it is no longer needed.
B.Enable automatic rotation of the KMS key annually.
C.Export the KMS key material and store it in a secure S3 bucket.
D.Use key policies to restrict which IAM roles can use the key.
E.Enable AWS CloudTrail logging to record KMS key usage.
AnswersB, D, E

Rotation helps meet compliance requirements.

Why this answer

Options B, C, and D are correct. B: Enabling automatic key rotation annually is a best practice. C: Using key policies to control access follows least privilege.

D: Using CloudTrail to audit KMS API calls provides visibility. Option A is wrong because sharing the key material defeats the purpose of KMS. Option E is wrong because deleting a key immediately can cause data loss; it should be scheduled for deletion.

4
MCQmedium

Refer to the exhibit. A security engineer creates this IAM policy for a user. Which action can the user perform?

A.Decrypt KMS keys only for resources in us-east-1.
B.Decrypt KMS keys when the request originates from S3 in us-east-1.
C.Decrypt any KMS key from any service.
D.Decrypt only S3 objects.
AnswerB

Condition specifies S3 service.

Why this answer

Option B is correct because the policy allows decrypting KMS keys only when the request comes through S3. Option A is wrong because it requires S3 endpoint. Option C is wrong because the policy is limited to S3.

Option D is wrong because there is no resource restriction.

5
MCQeasy

Which AWS service can be used to centrally manage VPC security groups and network ACLs across multiple accounts in AWS Organizations?

A.AWS Firewall Manager
B.AWS Shield
C.AWS Config
D.AWS WAF
AnswerA

Firewall Manager centrally manages security groups and NACLs.

Why this answer

AWS Firewall Manager is the service for centrally managing security rules across accounts. Option C is correct. AWS Config (A) is for compliance, not management.

AWS Shield (B) is for DDoS protection. AWS WAF (D) is for web application firewalls, not security groups.

6
MCQeasy

Which IAM entity can be used to grant temporary access to AWS resources for users from a different AWS account?

A.IAM group
B.IAM role
C.IAM policy
D.IAM user
AnswerB

Roles provide temporary credentials via sts:AssumeRole.

Why this answer

An IAM role is the correct entity because it is specifically designed to grant temporary, cross-account access to AWS resources. When a user from a different AWS account assumes a role, AWS STS (Security Token Service) issues temporary security credentials (access key, secret key, and session token) that are valid for a configurable duration (default 1 hour, max 12 hours). This avoids the need to create permanent IAM users or share long-term credentials across accounts.

Exam trap

The trap here is that candidates often confuse an IAM policy with an IAM role, thinking that attaching a policy directly to an external user grants access, but policies alone cannot be assumed and do not generate temporary credentials.

How to eliminate wrong answers

Option A is wrong because an IAM group is a container for IAM users within the same AWS account and cannot be used to grant access to users from a different AWS account; it has no cross-account trust policy. Option C is wrong because an IAM policy is a document that defines permissions but is not an identity that can be assumed; it must be attached to an IAM user, group, or role to grant permissions, and by itself cannot provide temporary credentials. Option D is wrong because an IAM user is a permanent identity tied to a single AWS account; while you could create a user in your account for an external user, that would require sharing long-term access keys, which violates security best practices and does not provide temporary, scoped credentials.

7
MCQhard

A company's security team discovers that an IAM role has been assumed from an unexpected external AWS account. Which AWS service can be used to analyze the trust policy and identify unintended access?

A.AWS IAM Access Analyzer
B.AWS CloudTrail Insights
C.AWS Config
D.AWS Security Hub
AnswerA

Identifies external access to resources by analyzing policies.

Why this answer

IAM Access Analyzer analyzes resource-based policies (including trust policies) to identify external access. It generates findings for roles, S3 buckets, etc.

8
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all security groups restrict SSH access to only the company's VPN public IP address range (203.0.113.0/24). A developer creates a stack that includes a security group with SSH open to 0.0.0.0/0. The stack deploys successfully. Which action should the security team take to prevent this in the future?

A.Create an AWS CloudFormation stack policy to block security groups with SSH open to 0.0.0.0/0.
B.Use an AWS Config managed rule to detect security groups with unrestricted SSH access and trigger an automatic remediation.
C.Implement a service control policy (SCP) to deny the ec2:AuthorizeSecurityGroupIngress action for port 22 from 0.0.0.0/0.
D.Add an IAM policy to deny the ec2:AuthorizeSecurityGroupIngress action for port 22 from 0.0.0.0/0.
AnswerB

AWS Config can evaluate security group rules and trigger remediation via Systems Manager Automation.

Why this answer

Using AWS CloudFormation Stack Policies allows you to define which stack resources can be updated or deleted, but not to enforce security rules. AWS Config rules can evaluate resources against desired configurations and trigger remediation or notifications. Service control policies (SCPs) are for AWS Organizations and cannot block resource creation at the account level.

IAM permissions can prevent users from creating security groups with open SSH, but that requires careful management and does not cover all cases. Option B is the correct answer because an AWS Config managed rule can detect security groups with unrestricted SSH access and trigger an automatic remediation action via AWS Systems Manager Automation.

9
Multi-Selectmedium

A company uses AWS Organizations and wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail log files from S3. Which TWO actions should the security team take? (Choose TWO.)

Select 2 answers
A.Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
B.Enable MFA delete on the S3 bucket that stores CloudTrail logs.
C.Apply an SCP to the management account to prevent disabling CloudTrail.
D.Add an S3 bucket policy that denies s3:DeleteObject for the CloudTrail log bucket.
E.Create an IAM role for CloudTrail with permissions to write logs only.
AnswersA, D

Prevents stopping or deleting CloudTrail across accounts.

Why this answer

Options A and C are correct. An SCP can deny the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions. An S3 bucket policy with a deny effect can protect the log files from deletion.

Option B is incorrect because CloudTrail does not support MFA for log file deletion directly. Option D is incorrect because IAM roles are not preventive. Option E is incorrect because SCPs cannot be applied to the management account in a way that prevents it from modifying CloudTrail; the management account is not affected by SCPs.

10
MCQeasy

A developer needs to allow an EC2 instance to access an S3 bucket. Which is the best practice for granting permissions?

A.Store IAM user access keys in a configuration file on the EC2 instance.
B.Use a security group to allow the EC2 instance to access S3.
C.Attach an S3 bucket policy that grants access to the EC2 instance ID.
D.Create an IAM role with S3 access and attach it to the EC2 instance profile.
AnswerD

The instance assumes the role and obtains temporary credentials automatically.

Why this answer

Option B is correct because an IAM role attached to the EC2 instance provides temporary credentials via the instance metadata service, avoiding long-term keys. Option A is wrong because storing keys on the instance is insecure. Option C is wrong because a bucket policy granting access to the instance ID is not a valid principal.

Option D is wrong because security groups do not grant IAM permissions.

11
MCQhard

A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?

A.Enable CloudTrail to log data events for the S3 bucket.
B.Enable VPC Flow Logs for the VPC where the request originated.
C.Configure CloudWatch Logs to capture the EC2 instance's system logs.
D.Enable S3 server access logging for the bucket.
E.Enable AWS Config to record S3 bucket policies.
AnswerE

AWS Config does not record API calls; CloudTrail already records the session issuer in management events.

Why this answer

Option A is correct because CloudTrail logs include the 'sessionIssuer' field for assumed roles, which identifies the user who assumed the role. Option B is wrong because VPC Flow Logs do not contain IAM user information. Option C is wrong because CloudWatch Logs is a destination, not a source of identity info.

Option D is wrong because S3 server access logs do not include session issuer details. Option E is wrong because AWS Config does not record API calls.

12
MCQeasy

A developer has created an S3 bucket policy that grants public read access. The security team wants to prevent any S3 bucket from becoming public. Which AWS service can enforce this restriction across all accounts?

A.AWS CloudTrail with a metric filter
B.S3 Block Public Access settings on each account
C.A service control policy (SCP) denying s3:PutBucketPolicy
D.IAM permissions boundary
AnswerC

SCPs can deny actions across all accounts in an organization.

Why this answer

AWS Organizations SCPs can deny specific S3 actions that make buckets public. Option C is correct. Option A (IAM policies) are per-user, not account-wide.

Option B (S3 Block Public Access) is per-account or per-bucket, but can be overridden. Option D (CloudTrail) only logs.

13
Matchingmedium

Match each AWS service to its primary security function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Web application firewall

DDoS protection

Key management and encryption

Identity and access management

Data discovery and classification

Why these pairings

These are core AWS security services with distinct purposes.

14
MCQhard

A financial services company must ensure that all data at rest in Amazon RDS for PostgreSQL is encrypted. The current database is unencrypted. What is the MOST operationally efficient way to enable encryption?

A.Export the database to S3 using pg_dump, then import into a new encrypted RDS instance.
B.Create a read replica with encryption enabled and promote it to primary.
C.Take a snapshot of the database, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
D.Enable encryption directly on the existing RDS instance by modifying the DB instance settings.
AnswerC

This is the supported method to encrypt an existing unencrypted RDS instance.

Why this answer

Option C is correct because RDS does not support direct encryption of existing unencrypted databases; you must create a snapshot, copy it with encryption, and restore. Option A is wrong because you cannot enable encryption on a running instance. Option B is wrong because enabling encryption on the fly is not supported.

Option D is wrong because copying a snapshot without encryption is unnecessary.

15
Multi-Selecthard

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to allow only HTTP and HTTPS traffic from the internet to the ALB, and only HTTP traffic from the ALB to the EC2 instances. Which THREE security group configurations are required? (Choose three.)

Select 3 answers
A.ALB security group: inbound rule allowing HTTP from 0.0.0.0/0.
B.EC2 security group: inbound rule allowing HTTP from 0.0.0.0/0.
C.EC2 security group: inbound rule allowing HTTP from ALB security group.
D.EC2 security group: inbound rule allowing HTTPS from ALB security group.
E.ALB security group: inbound rule allowing HTTPS from 0.0.0.0/0.
AnswersA, C, E

Allows HTTP traffic from internet to ALB.

Why this answer

Options A, C, and D are correct. Option A is correct for allowing HTTPS to ALB. Option C is correct for allowing HTTP to ALB.

Option D is correct for allowing HTTP from ALB to EC2. Option B is wrong because HTTPS should not be terminated on EC2 if ALB handles SSL. Option E is wrong because it restricts from internet directly to EC2, bypassing ALB.

16
Multi-Selecthard

A security engineer wants to detect and alert on AWS account root user activity. Which THREE services can be used together to achieve this? (Select THREE.)

Select 3 answers
A.AWS Config
B.Amazon CloudWatch Events (EventBridge)
C.AWS CloudTrail
D.Amazon CloudWatch Logs
E.Amazon GuardDuty
AnswersB, C, D

CloudWatch Events can filter and alert on root user events.

Why this answer

Amazon CloudWatch Events (EventBridge) is correct because it can be used to create a rule that matches specific API calls recorded by AWS CloudTrail. When the root user performs an action, CloudTrail logs the event, and EventBridge can trigger a notification (e.g., via SNS or Lambda) based on that event. This combination allows real-time detection and alerting of root user activity.

Exam trap

The trap here is that candidates may think Amazon GuardDuty is the correct choice because it detects threats, but it does not provide a native, customizable alerting mechanism for root user activity; instead, the combination of CloudTrail, EventBridge, and CloudWatch Logs is the standard AWS-recommended approach.

17
MCQhard

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow all EC2 actions except deleting volumes in the Production environment. However, the user reports being able to delete volumes that are tagged with Environment=Production. What is the reason for this behavior?

A.The policy is not attached to the correct IAM entity.
B.The Deny statement should use iam:ResourceTag instead of ec2:ResourceTag.
C.The condition in the Deny statement uses StringNotEquals, which denies deletion for non-Production volumes, not Production volumes.
D.The Allow statement uses a wildcard for the action, which overrides the Deny statement.
AnswerC

The condition StringNotEquals denies when the tag is not equal to Production, so it denies non-Production volumes, allowing Production volumes to be deleted.

Why this answer

Option C is correct because the Deny statement denies delete volume only when the tag is NOT Production, meaning it denies deleting non-Production volumes, but allows deleting Production volumes. The condition should be StringEquals to deny Production volumes. Option A is wrong because wildcard does not affect this.

Option B is wrong because the policy is for EC2, not IAM. Option D is wrong because the policy is attached to the user.

18
Multi-Selecteasy

A company is storing sensitive data in Amazon S3. They want to ensure that all data is encrypted at rest using server-side encryption. Which THREE options are available for server-side encryption in S3? (Select THREE.)

Select 3 answers
A.Client-side encryption
B.SSE-KMS
C.SSE-S3
D.SSE-C
E.AWS CloudHSM
AnswersB, C, D

AWS KMS-managed keys.

Why this answer

Options A, B, and C are correct. SSE-S3, SSE-KMS, and SSE-C are the three server-side encryption options. Option D is wrong because client-side encryption is not server-side.

Option E is wrong because AWS CloudHSM is a service for hardware security modules, not an S3 encryption option.

19
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create new IAM users. Which approach should be used?

A.Apply an IAM policy to the root user of each account.
B.Use an SCP attached to each IAM user.
C.Use an IAM permissions boundary on each IAM user.
D.Apply a service control policy (SCP) at the root organizational unit that denies IAM:CreateUser.
AnswerD

SCPs can deny actions across all accounts in the organization.

Why this answer

Option B is correct because an SCP can deny the IAM:CreateUser action across all accounts. Option A is wrong because it only applies to the root user. Option C is wrong because it affects only one account.

Option D is wrong because SCPs cannot be attached to IAM users.

20
MCQeasy

A security engineer is investigating a potential compromise of an S3 bucket. The engineer needs to determine if any objects were accessed by an unauthorized user. Which AWS service can provide detailed access logs for S3 objects?

A.AWS CloudTrail
B.S3 server access logs
C.AWS Config
D.Amazon Inspector
AnswerB

S3 server access logs record object-level access details.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, action, and response status. This granularity is essential for identifying unauthorized access to specific objects, as it logs every GET, PUT, DELETE, and HEAD request at the object level. AWS CloudTrail, while useful for management events, does not log data-level operations like object reads by default unless data events are explicitly enabled, and even then, it may not capture all object-level access details as comprehensively as server access logs.

Exam trap

The trap here is that candidates often assume AWS CloudTrail is sufficient for all logging needs, but the exam specifically tests the distinction between management events (CloudTrail default) and data-level object access logs (S3 server access logs), and that CloudTrail data events require explicit enablement and still lack the granularity of server access logs.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail primarily logs management events (e.g., bucket creation, policy changes) and, even when data events are enabled for S3, it logs object-level operations at a higher level (e.g., GetObject, PutObject) but does not provide the per-request detail (e.g., HTTP method, object key, response status) that S3 server access logs offer; relying solely on CloudTrail could miss unauthorized access patterns. Option C is wrong because AWS Config is a configuration auditing and compliance service that tracks resource configuration changes (e.g., bucket policies, lifecycle rules) and does not log individual object access requests; it cannot reveal who accessed an object or when. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container workloads for software vulnerabilities and network exposure; it has no capability to log or analyze S3 object access requests.

21
MCQeasy

A company stores sensitive customer data in Amazon S3. They want to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. Which S3 bucket policy statement should be added to deny uploads that do not request SSE-KMS?

A.Deny PutObject unless 's3:x-amz-server-side-encryption' is 'AES256'
B.Deny PutObject unless 's3:x-amz-server-side-encryption' is 'aws:kms'
C.Deny PutObject unless 'aws:SourceArn' equals the bucket ARN
D.Deny PutObject unless 's3:x-amz-server-side-encryption-aws-kms-key-id' is present
AnswerB

This condition ensures the object is encrypted with SSE-KMS.

Why this answer

Option A is correct because the condition 's3:x-amz-server-side-encryption' with 'aws:SecureTransport' is not the right condition. Option B uses 's3:x-amz-server-side-encryption-aws-kms-key-id' which is too specific. Option C is the correct standard policy to deny PutObject without SSE-KMS.

Option D is wrong because it requires a specific KMS key ID, not just any KMS key.

22
MCQhard

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The security team wants to receive real-time notifications when a DDoS attack is detected. Which configuration should be used?

A.Use Amazon CloudWatch Events to trigger an AWS Lambda function that sends an Amazon SNS notification when a Shield Advanced event occurs.
B.Enable VPC Flow Logs and create a CloudWatch alarm for high traffic volume.
C.Subscribe an SNS topic to Shield Advanced notifications directly.
D.Enable AWS CloudTrail and create a metric filter for DDoS events.
AnswerA

Shield Advanced publishes events to CloudWatch Events.

Why this answer

Option B is correct because Shield Advanced sends events to CloudWatch Events, which can trigger a Lambda function to send notifications. Option A is wrong because CloudTrail does not capture DDoS events. Option C is wrong because VPC Flow Logs are for network traffic, not DDoS events.

Option D is wrong because Shield Advanced does not directly integrate with SNS; it uses CloudWatch Events.

23
Multi-Selectmedium

Which THREE AWS services can be used to detect potentially compromised EC2 instances? (Choose 3.)

Select 3 answers
A.AWS WAF
B.VPC Flow Logs
C.AWS Shield
D.Amazon GuardDuty
E.Amazon Inspector
AnswersB, D, E

Flow Logs can reveal unusual network traffic indicating compromise.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) for network interfaces in a VPC. By analyzing flow logs for anomalous patterns—such as unexpected outbound connections to known malicious IPs, port scanning, or data exfiltration attempts—you can detect potentially compromised EC2 instances. This makes VPC Flow Logs a key detective control for threat detection.

Exam trap

The trap here is that candidates often confuse AWS WAF (a web-layer filter) or AWS Shield (a DDoS mitigator) with detective services, when the question specifically asks for services that *detect* compromised instances—not prevent attacks or filter traffic.

24
MCQhard

An organization wants to enforce that all IAM users use MFA. The security team creates an IAM policy that denies all actions unless MFA is present. However, some users report they cannot even change their own password to enable MFA. What should the security team do to resolve this?

A.Add a statement that allows all actions when MFA is present.
B.Add an exception statement that allows iam:ChangePassword without MFA.
C.Assign the policy only after users have enabled MFA.
D.Remove the MFA condition from the policy.
AnswerB

Allows users to set up MFA by changing their password first.

Why this answer

Option C is correct because the policy should include an exception for the iam:ChangePassword action to allow users to change their password (and set up MFA) before the MFA condition is enforced. Option A would allow all actions without MFA. Option B is too permissive.

Option D doesn't fix the issue.

25
MCQhard

A company uses AWS WAF to protect its web application from common web exploits. The security team wants to block requests that contain SQL injection or cross-site scripting (XSS) in the query string. Which rule type should be used?

A.Custom regex pattern set
B.Managed rule group for SQL injection and XSS
C.Rate-based rule
D.Geographic match rule
AnswerB

AWS provides managed rule groups for common threats.

Why this answer

Option B is correct because AWS WAF has managed rule groups for SQL injection and XSS. Option A is wrong because rate-based rules are for rate limiting. Option C is wrong because geographic rules are for location-based blocking.

Option D is wrong because regex patterns are custom, but managed rules are more comprehensive.

26
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous behavior in an AWS environment?

Select 2 answers
A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon Inspector
E.AWS Security Hub
AnswersB, E

GuardDuty detects anomalies using ML and threat intelligence.

Why this answer

Amazon GuardDuty and AWS Security Hub both provide anomaly detection. GuardDuty uses machine learning to detect threats. Security Hub aggregates findings and can detect anomalies through integrated services.

AWS Config is for compliance. AWS CloudTrail is logging. Amazon Inspector is for vulnerabilities.

27
MCQmedium

A company wants to allow an IAM user to manage only their own access keys. Which IAM policy should be attached to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:*AccessKey*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/${aws:username}"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"*"}]}
AnswerC

Restricts to the user's own access keys using a resource ARN with a condition variable.

Why this answer

Option C is correct because the IAM policy with 'Condition': {'StringEquals': {'iam:username': '${aws:username}'}} restricts the user to manage only their own access keys. Option A gives full access to all users' keys. Option B denies all key management.

Option D allows full access without restriction.

28
MCQhard

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team needs to ensure high availability and durability of the keys. Which architecture should be recommended?

A.Use AWS KMS instead of CloudHSM for better durability
B.Deploy a single CloudHSM instance in one Availability Zone
C.Deploy CloudHSM in two AWS Regions with automatic replication
D.Deploy a CloudHSM cluster with at least two HSMs in different Availability Zones
AnswerD

Provides redundancy and high availability.

Why this answer

Option B is correct because CloudHSM clusters with multiple HSMs provide high availability and durability. Option A is wrong because a single HSM is a single point of failure. Option C is wrong because CloudHSM is a hardware appliance, not a software service.

Option D is wrong because CloudHSM does not automatically replicate to another region.

29
Multi-Selecthard

A company is designing a data protection strategy for Amazon S3. The compliance team requires that all objects be encrypted at rest and that any attempt to upload an unencrypted object be blocked. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A.Enable default encryption on the bucket with SSE-S3 or SSE-KMS.
B.Add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header.
C.Enable S3 Object Lock.
D.Enable S3 Transfer Acceleration.
E.Enable S3 Block Public Access.
AnswersA, B, E

Default encryption encrypts objects automatically.

Why this answer

Options A, B, and D are correct. Option A: Enabling default encryption ensures objects are encrypted at rest. Option B: Using a bucket policy to deny PutObject without encryption header blocks unencrypted uploads.

Option D: Using S3 Block Public Access prevents public exposure. Option C is wrong because S3 Transfer Acceleration does not encrypt data. Option E is wrong because S3 Object Lock does not enforce encryption.

30
MCQhard

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. The rotation function must be implemented with minimal operational overhead. Which approach should be used?

A.Create an Amazon EventBridge rule that triggers a Lambda function to rotate the secret
B.Use AWS CLI to schedule a cron job that runs every 30 days and rotates the secret
C.Use Amazon CloudWatch Events to invoke an AWS Lambda function that updates the secret
D.Enable automatic rotation in Secrets Manager and configure the rotation interval to 30 days
AnswerD

Correct: Secrets Manager natively supports automatic rotation with a configurable interval.

Why this answer

Option B is correct because Secrets Manager provides built-in rotation support for supported services like RDS, with automatic trigger via Lambda. Option A is wrong because EventBridge rules are not needed; Secrets Manager handles scheduling. Option C is wrong because manual rotation using CLI defeats automation.

Option D is wrong because CloudWatch Events is not needed; rotation is managed internally.

31
MCQhard

A company has a security group that allows inbound SSH from a specific IP range. A security engineer notices that the security group rule is not being applied to a newly launched EC2 instance. What is the most likely cause?

A.The new EC2 instance was not launched with the correct security group
B.The security group is using the default VPC security group
C.The security group is configured as stateless
D.The network ACL is blocking SSH traffic to the subnet
AnswerA

Each instance must have the desired security group assigned.

Why this answer

Option B is correct because security groups are attached at the instance level; a new instance must have the security group assigned. Option A is wrong because security groups are stateful. Option C is wrong because NACLs are subnet-level, not instance-level.

Option D is wrong because the default security group does not automatically include custom rules.

32
Drag & Dropmedium

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

ACM certificate requires request, DNS validation, issuance, association, and automatic renewal.

33
MCQmedium

A company wants to protect data at rest in Amazon S3 using client-side encryption. The application will run on Amazon EC2 instances. Which approach meets these requirements?

A.Use SSE-S3 and rely on S3 to manage keys
B.Enable S3 default encryption on the bucket
C.Use SSE-KMS with a customer managed key
D.Use the AWS Encryption SDK to encrypt data before uploading to S3
AnswerD

Client-side encryption occurs before data reaches S3.

Why this answer

Client-side encryption requires the encryption process to occur on the client side before data is uploaded to S3. The AWS Encryption SDK is designed for this purpose, allowing you to encrypt data locally on the EC2 instance using your own keys, ensuring that S3 never sees the plaintext data. This meets the requirement to protect data at rest with client-side encryption, as the data is encrypted before leaving the application environment.

Exam trap

The trap here is that candidates confuse server-side encryption options (SSE-S3, SSE-KMS) with client-side encryption, assuming that using a customer managed key (SSE-KMS) satisfies client-side requirements when it actually still encrypts data on the server side.

How to eliminate wrong answers

Option A is wrong because SSE-S3 is a server-side encryption method where S3 manages the keys and encrypts data after it is received, not client-side encryption. Option B is wrong because enabling S3 default encryption on the bucket applies server-side encryption (SSE-S3 or SSE-KMS) to objects at the time of upload, not client-side encryption. Option C is wrong because SSE-KMS with a customer managed key is still server-side encryption; the encryption happens on the S3 side after the data is transmitted, not on the client side.

34
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes sensitive customer data. The Security team has enabled VPC Flow Logs, CloudTrail, and GuardDuty. Recently, the team received a GuardDuty finding indicating a potential SSH brute force attack originating from an external IP address 203.0.113.50 targeting one of the EC2 instances. The Security Engineer needs to automatically isolate the affected instance and capture forensic evidence for analysis. The company has strict requirements: the instance must be isolated immediately, and a snapshot of the EBS volume must be taken before any remediation actions are taken. The instance is part of an Auto Scaling group, and the Security Engineer wants to minimize manual intervention. The Security Engineer has access to AWS Systems Manager and AWS Lambda. Which combination of steps should the Security Engineer implement to meet the requirements?

A.Use AWS Systems Manager to automatically connect to the instance via EC2 Instance Connect, run commands to capture forensic data, and then modify the security group to deny all inbound traffic.
B.Create a CloudWatch Logs metric filter on the VPC Flow Logs for the attacker IP. When the metric breaches a threshold, trigger an SNS topic that runs an AWS Systems Manager Automation document to isolate the instance and take an EBS snapshot.
C.Configure Amazon EventBridge to detect the GuardDuty finding and invoke an AWS Lambda function. The Lambda function first calls the EC2 CreateSnapshot API to capture a forensic snapshot of the instance's EBS volume. Then, it uses AWS Systems Manager Automation to run a pre-defined automation document that isolates the instance by modifying the instance's security group to only allow traffic from a trusted management IP, and then stops the instance.
D.Configure a CloudWatch Events rule to detect the GuardDuty finding and invoke an AWS Lambda function. The Lambda function terminates the EC2 instance and then takes a snapshot of the EBS volume for forensic analysis.
AnswerC

This correctly automates the response: EventBridge triggers on GuardDuty finding, Lambda takes a snapshot first for evidence, then Systems Manager Automation isolates and stops the instance.

Why this answer

Option D is correct because EventBridge can trigger a Lambda function on GuardDuty findings. The Lambda function takes an EBS snapshot for forensic analysis, then uses Systems Manager Automation to isolate the instance by modifying the security group and stopping the instance. This ensures isolation and evidence capture in an automated manner.

Option A is wrong because terminating the instance before taking a snapshot loses forensic data. Option B is wrong because EC2 Instance Connect is for direct access, not for automated isolation. Option C is wrong because CloudWatch Logs does not trigger on GuardDuty findings; EventBridge is the appropriate service.

35
MCQhard

A company uses Amazon GuardDuty and AWS Security Hub. The security team has configured a custom insight in Security Hub to track findings related to S3 bucket exposures. They want to automatically remediate these findings by applying an S3 bucket policy that blocks public access. The team has created a Lambda function that applies the bucket policy and configured Security Hub to send findings to the Lambda function via a custom action. However, when a new finding is generated, the Lambda function is invoked but fails to apply the policy because it does not have permission to modify the S3 bucket. The Lambda function's execution role has permissions to modify S3 bucket policies, but the function is in the same account as the bucket. What should the team check?

A.Add the Lambda function's execution role to the bucket's Access Control List (ACL).
B.Ensure that the Lambda function's execution role has a trust policy that allows Security Hub to assume it.
C.Check the S3 bucket policy for any explicit deny statements that might block the Lambda function's role.
D.Verify that the S3 bucket's block public access settings are not preventing the policy update.
AnswerC

An explicit deny in the bucket policy would prevent the role from modifying it.

Why this answer

Option C is correct because even if the function has permissions, the bucket policy may explicitly deny access to the Lambda function's role. Option A is wrong because the function is in the same account, so cross-account is not needed. Option B is wrong because S3 block public access settings are separate from bucket policies.

Option D is wrong because the function has permissions; the issue is likely at the bucket policy level.

36
Multi-Selecthard

A company uses AWS Organizations and wants to implement a centralized incident response process. Which THREE steps should be taken to ensure that security teams can respond to incidents across all accounts effectively?

Select 3 answers
A.Create IAM roles in each member account that grant incident responders cross-account access from the security account
B.Set up AWS Systems Manager Incident Manager in each account independently
C.Create a single CloudTrail trail in the management account to log events from all accounts
D.Configure a centralized S3 bucket to store CloudTrail logs from all accounts using an organization trail
E.Designate a delegated administrator account for Amazon GuardDuty to centralize threat detection findings
AnswersA, D, E

Allows responders to assume roles in affected accounts.

Why this answer

Option A (delegated administrator for GuardDuty) centralizes findings. Option C (centralized S3 bucket for CloudTrail logs) enables log analysis. Option D (cross-account IAM roles) allows incident responders to access affected accounts.

Option B (single CloudTrail trail in management account) is not sufficient; organization trail logs all accounts. Option E (separate Incident Manager per account) is not centralized.

37
MCQeasy

A company uses IAM roles for EC2 instances to access DynamoDB. The security team wants to ensure that the instances can only access specific DynamoDB tables. They create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem on the specific table ARN. The policy is attached to the instance role. However, when an application on the instance tries to read from the table, it receives an 'AccessDeniedException'. The application is using the correct table name. What is the MOST likely cause?

A.The IAM policy is not attached to the instance profile.
B.The DynamoDB table is encrypted with a customer managed key that the role does not have access to.
C.The policy does not include dynamodb:DescribeTable action.
D.The instance does not have the required instance profile associated.
AnswerC

Many SDKs need DescribeTable.

Why this answer

Option B is correct. DynamoDB requires the user to have permission on the table ARN, but also on the index ARN if using indexes. However, the most common mistake is that the policy does not allow the necessary actions like dynamodb:DescribeTable, which is often required by SDKs.

Option A is wrong because the policy is attached. Option C is wrong because the instance profile is correct. Option D is wrong because the role is not about encryption.

38
MCQhard

A financial services company has a multi-account AWS environment with over 200 accounts managed through AWS Organizations. The security team is responsible for monitoring all accounts for security incidents. They have enabled AWS CloudTrail in all accounts with trails that deliver logs to a centralized S3 bucket in the security account. Additionally, they have enabled Amazon GuardDuty in all accounts with the security account as the administrator. The team uses Amazon EventBridge to trigger automated responses to GuardDuty findings. Recently, they noticed that some GuardDuty findings from member accounts are not appearing in the security account. The security team verified that the findings are generated in the member accounts (they can see them in the member account GuardDuty console) but are not being sent to the administrator account. The CloudTrail logs are being delivered correctly. What is the MOST likely cause of this issue?

A.The member accounts have not accepted the invitation from the GuardDuty administrator account.
B.The S3 bucket policy in the centralized logging bucket is blocking GuardDuty findings from being written.
C.The EventBridge rules in the security account are not configured to receive events from member accounts.
D.The GuardDuty service-linked role in the member accounts does not have permissions to publish findings to the administrator account.
AnswerA

Each member account must explicitly accept the invitation to share findings. Without acceptance, findings remain local.

Why this answer

In GuardDuty multi-account setup, each member account must accept the invitation from the administrator account to enable sharing of findings. If a member account has not accepted the invitation, findings will not be sent to the administrator. This is a common misconfiguration.

39
MCQeasy

A company wants to encrypt data in transit between an on-premises data center and AWS over a VPN connection. Which AWS service or feature should be used?

A.AWS Route 53 Resolver
B.AWS Certificate Manager (ACM)
C.AWS Site-to-Site VPN
D.Amazon API Gateway
AnswerC

Site-to-Site VPN creates encrypted tunnels.

Why this answer

Option A is correct because AWS Site-to-Site VPN provides encrypted tunnels. Option B is for domain registration. Option C is for managing SSL certificates.

Option D is for API gateway.

40
MCQhard

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They attach an IAM policy that denies all actions if the user does not have MFA. However, after attaching the policy, some users report that they are unable to perform any actions even after authenticating with MFA. The policy uses the condition "aws:MultiFactorAuthPresent": "false". The security team verifies that the users have MFA enabled and are using it. What is the most likely cause of this issue?

A.The condition should be "Bool": "aws:MultiFactorAuthPresent": "false" but the policy uses StringLike.
B.The policy is missing a NotAction element; it should deny all actions except for the ones needed for MFA enrollment.
C.The policy is incorrectly written; it should use "Effect": "Allow" and the condition "aws:MultiFactorAuthPresent": "true".
D.The users are signing in as the root user of the account, not as IAM users.
AnswerD

Root user does not have the aws:MultiFactorAuthPresent condition key.

Why this answer

Option A is correct because the condition key aws:MultiFactorAuthPresent is not present when a user uses the root user or when the session is from a federated identity without MFA. However, for IAM users using the console, the key should be present if MFA is used. But if the policy is attached to the user and includes a Deny for aws:MultiFactorAuthPresent false, but the user is using MFA, the condition should evaluate to true (MFA present).

If users still get denied, it might be because they are using the root user (not IAM user) or the policy is too broad. Option B is wrong because the policy condition is correctly written to deny when MFA is not present. Option C is wrong because the policy is fine.

Option D is wrong because the effect is Deny. The most likely cause in typical SCS-C02 scenarios is that the users are using the root user instead of an IAM user, because root user does not have the aws:MultiFactorAuthPresent key. Alternatively, the policy might be missing an Allow for the console itself.

However, the question states "IAM users" so likely root user is not the case. Another common issue: the condition key aws:MultiFactorAuthPresent is only present when the session is established using MFA; for long-lived sessions, it might be missing. But the most likely is that the policy does not include an Allow for the actions they need; it only denies.

Since all actions are denied by default, they need an Allow. But the policy only denies. Actually, the policy denies if MFA not present; if MFA is present, the condition fails, so the Deny does not apply, and other Allow policies can take effect.

So if there is no Allow policy, they would still be denied. But typically, IAM users have an Allow for necessary services. A common mistake is that the policy is too restrictive because it denies all actions, but the condition only applies when MFA not present.

If MFA is present, the Deny does not apply. So the issue might be that the users are not using MFA. But they report they are.

Another possibility: the policy is attached to the user but also there is a deny-all policy. Option B might be correct if the policy uses "Effect": "Deny" and the condition, but the condition works. Option A is plausible if they are using root.

I'll go with A because root user is a common pitfall.

41
MCQeasy

A security engineer needs to audit all changes to AWS resources in an account. Which AWS service should be enabled?

A.Amazon Inspector
B.AWS CloudTrail
C.AWS Config
D.Amazon GuardDuty
AnswerB

CloudTrail logs all API calls for auditing and compliance.

Why this answer

AWS CloudTrail is the correct service because it records API activity and changes to AWS resources as events, providing an audit log of who made what change, when, and from where. This directly meets the requirement to audit all changes, as every AWS API call (e.g., CreateInstance, ModifySecurityGroup) is captured in a CloudTrail event history or delivered to an S3 bucket for long-term analysis.

Exam trap

The trap here is that candidates confuse AWS Config's configuration tracking (which shows what changed) with CloudTrail's API audit trail (which shows who changed it and how), leading them to pick AWS Config when the question explicitly asks for auditing all changes, which requires the API-level logging only CloudTrail provides.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not a change audit service. Option C is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes over time, but it does not capture who made the change or the API call details—it focuses on resource state, not the API audit trail. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not a service that audits all resource changes.

42
MCQeasy

A company wants to protect data in transit between an EC2 instance and an S3 bucket. Which method should be used?

A.Use a VPN connection with IPsec
B.Install an SSL certificate on the EC2 instance
C.Use SSH to transfer files
D.Use HTTPS endpoints for S3 API calls
AnswerD

HTTPS encrypts data in transit between EC2 and S3.

Why this answer

Using HTTPS (TLS) encrypts data in transit. Option C is correct. Option A is incorrect because SSL certificates are for web servers.

Option B is incorrect because IPsec is for site-to-site VPN. Option D is incorrect because SSH is for remote administration.

43
MCQeasy

An administrator needs to grant an IAM user the ability to change their own password without allowing them to change other users' passwords. Which IAM action should be included in the policy?

A.iam:CreateLoginProfile
B.iam:UpdateAccountPasswordPolicy
C.iam:UpdateServiceSpecificCredential
D.iam:ChangePassword
AnswerD

Allows the user to change their own password.

Why this answer

Option A is correct because iam:ChangePassword allows a user to change their own password. Option B allows any password change. Option C is for creating login profiles.

Option D is a service control policy action.

44
MCQmedium

A company uses AWS KMS to manage encryption keys for sensitive data stored in S3. The security team wants to ensure that keys are rotated automatically every year. What should they do?

A.Enable automatic key rotation on a customer managed key.
B.Use a custom key store and rotate keys manually.
C.Use a CloudHSM to store keys and rotate them manually.
D.Use an AWS managed key, which rotates automatically every year.
AnswerD

AWS managed keys are automatically rotated every year.

Why this answer

Option C is correct because AWS managed KMS keys automatically rotate yearly. Option A is incorrect because customer managed keys do not auto-rotate by default. Option B is incorrect because key rotation is not disabled by default.

Option D is incorrect because manual rotation is not automatic.

45
MCQmedium

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are not tampered with and can be used to verify integrity. Which feature should be enabled?

A.Enable MFA delete on the log bucket.
B.Enable log file integrity validation in CloudTrail.
C.Enable server-side encryption with AWS KMS on the log bucket.
D.Enable S3 versioning on the log bucket.
AnswerB

Integrity validation uses hash chains to detect tampering.

Why this answer

Option C is correct because CloudTrail log file integrity validation uses hash chains to verify that log files have not been modified. Option A is wrong because S3 versioning protects against overwrites but does not provide cryptographic verification. Option B is wrong because MFA delete protects against accidental deletion but does not verify integrity.

Option D is wrong because KMS encryption protects confidentiality, not integrity.

46
MCQeasy

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

A.The source IP address 203.0.113.5 is from a known malicious IP range.
B.A security group rule was added allowing SSH access from any IP address.
C.The API call was made from the AWS CLI, which may indicate a compromised access key.
D.The user JohnDoe did not use multi-factor authentication (MFA) for this API call.
AnswerB

AuthorizeSecurityGroupIngress with 0.0.0.0/0 on port 22 is a common misconfiguration that exposes the instance to the internet.

Why this answer

The CloudTrail log shows an AuthorizeSecurityGroupIngress API call that added a security group rule with the CIDR 0.0.0.0/0 for port 22 (SSH). This effectively opens SSH access to the entire internet, creating a severe exposure that could allow any attacker to attempt brute-force or credential-stuffing attacks against any EC2 instance associated with that security group. This is the most immediate security concern because it directly introduces a wide-open attack surface.

Exam trap

The trap here is that candidates focus on the user identity or authentication details (like MFA or CLI usage) instead of recognizing that the actual API action—opening SSH to 0.0.0.0/0—is the most immediate and dangerous security concern.

How to eliminate wrong answers

Option A is wrong because the source IP 203.0.113.5 is a TEST-NET-1 address (RFC 5735) reserved for documentation and examples, not a known malicious IP range; real CloudTrail logs would show a routable IP. Option C is wrong because the event source is 'ec2.amazonaws.com' and the user agent indicates the AWS Management Console, not the AWS CLI; a CLI call would show 'aws-cli' or 'botocore' in the user agent field. Option D is wrong because while MFA is a best practice, the absence of MFA alone is not the most immediate concern—the critical issue is the actual security group rule change that opens SSH to the world, not the authentication method used for the API call.

47
Multi-Selecthard

Which THREE are benefits of using AWS CloudTrail for security governance? (Choose three.)

Select 3 answers
A.Enables real-time log analysis with Amazon CloudWatch Logs
B.Automatically remediates noncompliant resources
C.Supports compliance audits by providing event history
D.Provides a record of API activity in the account
E.Allows security analysis of user activity
AnswersC, D, E

CloudTrail logs are used for compliance.

Why this answer

CloudTrail logs API calls (A), helps with compliance (C), and enables security analysis (E). Option B is for CloudWatch Logs. Option D is for Config.

48
Multi-Selectmedium

A security engineer is designing a solution to allow a Lambda function to write logs to CloudWatch Logs. Which TWO actions are required in the IAM execution role? (Choose TWO.)

Select 2 answers
A.logs:GetLogEvents
B.logs:PutLogEvents
C.logs:CreateLogStream
D.logs:PutRetentionPolicy
E.logs:CreateLogGroup
AnswersB, E

Needed to write log events.

Why this answer

The correct options are B and D. logs:CreateLogGroup is needed to create a log group if it doesn't exist, and logs:PutLogEvents is needed to write log events. Option A is for reading, C is for managing retention, E is for creating streams, but CreateLogStream is not always needed if the group already exists? Actually, the Lambda runtime automatically creates the log stream, but the IAM role still needs logs:CreateLogStream. However, the typical minimum permissions are logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.

Since the question says 'Which TWO', the most essential are CreateLogGroup and PutLogEvents. But CreateLogStream is also required. However, in many documentation, they list all three.

Given the constraint, we choose the two that are absolutely necessary: CreateLogGroup (once) and PutLogEvents (every write). But CreateLogStream is also needed per invocation. Let's see the options: A is reading, B is creating group, C is setting retention, D is writing events, E is creating stream.

The correct answer set should be B and D, as CreateLogStream might be implicitly required but not listed? Actually, the question expects B and D. I'll go with that.

49
MCQhard

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to quickly block all traffic to that IP while preserving the instance for forensic analysis. Which approach is the most effective?

A.Stop the instance immediately.
B.Modify the instance's security group to deny outbound traffic to the malicious IP.
C.Add a network ACL rule to deny outbound traffic from the instance's subnet to the malicious IP.
D.Modify the route table to route traffic to the malicious IP to a blackhole.
AnswerB

Security group rules can be updated quickly to block specific traffic.

Why this answer

Modifying the security group to deny outbound traffic to that IP is quick and reversible. Using NACLs is slower and affects subnets. Stopping the instance loses volatile data.

Route table modification is not effective for a single IP.

50
MCQmedium

A company wants to ensure that all S3 buckets in their AWS account have encryption enabled. Which AWS service can continuously evaluate compliance and automatically remediate non-compliant buckets?

A.AWS CloudTrail
B.AWS Config
C.AWS IAM
D.Amazon S3
AnswerB

AWS Config evaluates resources against rules and can auto-remediate.

Why this answer

Option D is correct: AWS Config with a managed rule 's3-bucket-server-side-encryption-enabled' can evaluate compliance and trigger an auto-remediation action to enable encryption. Option A is wrong because CloudTrail only logs. Option B is wrong because IAM does not manage bucket encryption.

Option C is wrong because S3 itself does not auto-remediate.

51
MCQeasy

A security engineer notices that an Amazon S3 bucket has been accessed from an IP address outside the company's allowed range. The engineer needs to identify the IAM user who made the request. Which AWS service should be used to find this information?

A.S3 server access logs
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerB

CloudTrail records API calls and includes the identity of the caller.

Why this answer

AWS CloudTrail records API calls made to AWS services, including the identity of the caller. Option B is correct. Option A is wrong because VPC Flow Logs capture network traffic metadata but do not include IAM user details.

Option C is wrong because CloudWatch Logs can store logs but do not directly capture API caller identity. Option D is wrong because S3 server access logs contain requester information but are not as comprehensive as CloudTrail for IAM user identification.

52
MCQmedium

A company hosts a web application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which configuration should be applied?

A.Configure the instances' security group to allow traffic from the ALB's security group.
B.Configure the instances' security group to allow traffic from the client's source IP addresses.
C.Configure a network ACL on the subnet to allow traffic from the ALB's private IP addresses.
D.Assign an IAM role to the instances that allows traffic only from the ALB.
AnswerA

This ensures only traffic that passes through the ALB can reach the instances.

Why this answer

Using the ALB's security group as the source in the instance's security group is the best practice. Network ACLs are stateless and less granular, IAM roles do not control network traffic, and source IP from the client would include direct traffic.

53
MCQhard

A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?

A.CloudTrail management events are not being logged for the IAM role.
B.VPC Flow Logs are not enabled for the VPC where the role is used.
C.The account is not a Delegated Admin for GuardDuty.
D.S3 data events are not enabled in CloudTrail.
AnswerA

GuardDuty relies on CloudTrail management events; if the trail excludes those events, findings may be missed.

Why this answer

Option C is correct because GuardDuty requires CloudTrail management events to be logged; if the trail is not logging management events for the role's API calls, GuardDuty cannot analyze them. Option A is wrong because GuardDuty can analyze S3 data events if enabled. Option B is wrong because Delegated Admin is for multi-account management, not single account.

Option D is wrong because VPC Flow Logs are not used for S3 API calls.

54
MCQhard

A company uses AWS KMS to encrypt its RDS database. The security team needs to ensure that the key can be used only from within the company's VPC and not from the internet. Which action should be taken?

A.Enable automatic key rotation and use an alias to restrict access
B.Use a key policy that denies all access except from the RDS instance's security group
C.Create a VPC endpoint for KMS and modify the key policy to allow only requests from the VPC endpoint
D.Create the key with a region restriction in the key policy
AnswerC

VPC endpoint with key policy condition allows VPC-only usage.

Why this answer

KMS supports VPC endpoints (AWS PrivateLink) and key policies with conditions. To restrict usage to a VPC, you can create a VPC endpoint for KMS and modify the key policy to deny access unless the request comes from the VPC endpoint. Option D is correct.

Option A is incorrect because KMS keys are regional, not restricted to VPCs via that attribute. Option B is incorrect as it would deny all access. Option C is incorrect because the VPC endpoint is needed, and the key policy must reference it.

55
Multi-Selectmedium

A security engineer is designing IAM policies for a data analytics platform that uses Amazon S3, Amazon Athena, and AWS Glue. The platform must allow data scientists to query data in S3 using Athena, but only from specific VPC subnets. Additionally, the data must be encrypted at rest using AWS KMS. Which TWO actions should the engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Grant kms:Decrypt permission in the IAM policy and configure the KMS key policy to allow the IAM role to use the key.
B.Add kms:EncryptionContext condition to the IAM policy to require a specific encryption context.
C.Create a VPC endpoint for Athena and attach a bucket policy that restricts access to that endpoint.
D.Use the s3:SourceIp condition key in the IAM policy to restrict access to the private IP ranges of the VPC subnets.
E.Enable default encryption on the S3 bucket using SSE-S3 and configure the KMS key policy to allow the IAM role.
AnswersA, C

Correct – Allows Athena to decrypt S3 objects with the KMS key.

Why this answer

A: Correct – Using a VPC endpoint for Athena with a bucket policy that restricts access to the VPC endpoint ensures that queries are only allowed from the specified VPC subnets. D: Correct – Granting kms:Decrypt permission in the IAM policy and ensuring the KMS key policy allows the IAM role enables Athena to decrypt S3 objects encrypted with a customer-managed KMS key. B: Incorrect – The s3:SourceIp condition key does not work for VPC endpoints; use aws:SourceVpce instead.

C: Incorrect – The kms:EncryptionContext condition is not used for restricting encryption at rest; it is used for encryption context in KMS operations. E: Incorrect – S3 default encryption (SSE-S3) does not use KMS, so the KMS key policy would not be relevant.

56
Multi-Selecthard

Which TWO IAM policy conditions can be used to enforce that API calls originate from a specific AWS region? (Choose TWO.)

Select 1 answer
A.ec2:Region
B.aws:UserAgent
C.aws:SourceIp
D.aws:RequestedRegion
E.aws:Region
AnswersD

Use this condition to check the region in the API request.

Why this answer

The correct answers are B and C. aws:RequestedRegion is the condition key to check the region in the request. aws:SourceIp can be used to restrict IP addresses, but not directly region. However, there is also a condition key aws:Region that can be used in some services, but aws:RequestedRegion is the standard for most services. Option A is wrong because there is no aws:Region condition.

Option D is wrong because ec2:Region is specific to EC2. Option E is wrong because aws:SourceIp is for IP, not region.

57
MCQeasy

A company wants to encrypt data at rest for an Amazon S3 bucket. Which action should be taken?

A.Use client-side encryption before uploading objects.
B.Enable default encryption on the S3 bucket.
C.Enable SSL/TLS for the bucket.
D.Use AWS CloudHSM to encrypt the bucket.
AnswerB

Default encryption ensures all objects are encrypted at rest.

Why this answer

Enabling default encryption on the S3 bucket ensures that all objects stored in the bucket are automatically encrypted at rest using server-side encryption (SSE-S3, SSE-KMS, or SSE-C). This meets the requirement for encrypting data at rest without requiring any client-side changes, as the encryption is applied by S3 upon write.

Exam trap

The trap here is confusing encryption at rest (server-side encryption) with encryption in transit (SSL/TLS), leading candidates to select Option C, which only protects data during transfer, not while stored.

How to eliminate wrong answers

Option A is wrong because client-side encryption encrypts data before upload, which is a valid approach but not the action the question asks for—it requires client-side changes and does not leverage S3's native server-side encryption. Option C is wrong because SSL/TLS encrypts data in transit between the client and S3, not data at rest within the bucket. Option D is wrong because AWS CloudHSM provides hardware security modules for key storage and cryptographic operations, but it does not directly encrypt an S3 bucket; you would need to integrate it with AWS KMS (via custom key store) to use it for S3 server-side encryption, and even then the action is to enable default encryption with SSE-KMS, not to use CloudHSM directly.

58
MCQeasy

A company wants to protect sensitive data stored in Amazon S3 by encrypting it at rest. Which AWS service can be used to manage the encryption keys?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS S3-managed keys (SSE-S3)
D.AWS Key Management Service (AWS KMS)
AnswerD

KMS is the managed key management service.

Why this answer

AWS KMS is the service for managing encryption keys. Option A is wrong because S3-managed keys (SSE-S3) are managed by AWS, not the customer. Option B is wrong because AWS CloudHSM provides hardware security modules but is not a key management service.

Option D is wrong because AWS Secrets Manager is for secrets, not encryption keys.

59
MCQmedium

A company runs a web application on Amazon EC2 instances that processes credit card data. The application must store the data in an encrypted format. The security team wants to minimize the performance impact of encryption and offload the encryption operations to a dedicated hardware security module (HSM). Which solution should the architect choose?

A.Use Amazon EBS encryption on the EC2 instance's root volume.
B.Use the Linux dm-crypt utility to encrypt the data at the application level.
C.Use AWS CloudHSM to perform encryption operations from the application.
D.Use AWS KMS with a customer-managed key to encrypt the data in the application.
AnswerC

CloudHSM provides a dedicated HSM, offloading encryption.

Why this answer

Option C is correct because AWS CloudHSM provides a dedicated HSM appliance that can be used to offload encryption operations, reducing performance impact on EC2. Option A is wrong because AWS KMS is a software-based service; it does not provide a dedicated HSM. Option B is wrong because using host-based encryption on the application server adds CPU overhead.

Option D is wrong because EBS encryption encrypts the volume but does not offload encryption operations for application-level encryption.

60
MCQeasy

A security team wants to detect unauthorized API calls in real time and automatically block the source IP address using network ACLs. Which AWS service should be used for detection?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS WAF
D.AWS Config
AnswerA

GuardDuty uses machine learning to detect suspicious API activity.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including API calls from unusual or known-bad IP addresses. It uses machine learning, anomaly detection, and integrated threat intelligence to generate findings that can trigger automated remediation, such as updating network ACLs via AWS Lambda and Amazon EventBridge. This aligns with the requirement for real-time detection and automated blocking of source IPs.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with real-time threat detection, overlooking that GuardDuty is specifically designed for proactive security monitoring and automated response, while CloudTrail is purely a logging and auditing service.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because it is an auditing service that records API call history for compliance and governance, but it does not perform real-time threat detection or generate alerts for unauthorized activity; it lacks built-in anomaly detection or threat intelligence. Option C (AWS WAF) is wrong because it is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting at the application layer, not for detecting unauthorized API calls or blocking IPs via network ACLs; it operates on HTTP/HTTPS traffic, not all API calls. Option D (AWS Config) is wrong because it is a configuration management and compliance service that evaluates resource configurations against rules, not a threat detection service; it cannot detect unauthorized API calls or trigger network ACL updates in real time.

61
Multi-Selecthard

A company uses AWS Organizations and wants to enforce that all member accounts enable VPC Flow Logs for all VPCs. Which THREE services or features should be used to enforce this policy automatically?

Select 3 answers
A.AWS Service Catalog
B.AWS CloudTrail
C.AWS Organizations Service Control Policies (SCPs)
D.AWS CloudFormation StackSets
E.AWS Config Conformance Packs
AnswersC, D, E

SCPs can deny the creation of VPCs without VPC Flow Logs.

Why this answer

Options A, B, and D are correct because AWS Organizations can use SCPs to restrict actions, AWS Config Rules can evaluate compliance, and AWS CloudFormation StackSets can deploy VPC Flow Logs across accounts. Option C is wrong because AWS CloudTrail records API calls, not resource configurations. Option E is wrong because AWS Service Catalog is for creating and managing IT services, not for enforcing logging.

62
MCQeasy

A security engineer needs to identify which IAM users have been inactive for the past 90 days. Which AWS service should the engineer use?

A.AWS IAM Credential Report
B.Amazon CloudWatch Logs
C.AWS Config
D.AWS CloudTrail
AnswerA

The IAM credential report provides a CSV file with user activity, including password last used and access key last used dates.

Why this answer

Option B is correct because IAM provides credential reports that show last activity dates. Option A is wrong because CloudTrail logs API calls but requires analysis to determine inactivity. Option C is wrong because AWS Config tracks resource configuration.

Option D is wrong because CloudWatch Logs stores log data, not user activity summaries.

63
MCQmedium

A company wants to enforce that all EC2 instances use a specific AMI ID. Which AWS service can be used to detect and remediate non-compliant instances?

A.AWS Systems Manager
B.Amazon Inspector
C.AWS Config
D.AWS CloudTrail
AnswerC

Config detects non-compliant resources and can auto-remediate.

Why this answer

AWS Config is the correct service because it continuously evaluates your AWS resource configurations against desired policies, such as requiring a specific AMI ID for all EC2 instances. You can create an AWS Config rule (e.g., a custom Lambda rule or a managed rule like 'ec2-instance-managed-by-systems-manager') to detect non-compliant instances, and then use AWS Config auto-remediation with Systems Manager Automation documents to terminate or replace them. This directly enforces compliance by both detecting and remediating violations.

Exam trap

The trap here is that candidates often confuse AWS Config with AWS Systems Manager because both can perform remediation, but only AWS Config provides continuous configuration evaluation and rule-based detection of non-compliant resources like AMI IDs.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager is primarily an operations and management service for patching, inventory, and automation, but it lacks native configuration compliance evaluation and remediation triggering based on resource state; it can be used as part of a remediation action but not as the primary detection and enforcement service. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not for enforcing AMI ID compliance on EC2 instances. Option D is wrong because AWS CloudTrail is an audit logging service that records API calls for governance and compliance, but it does not detect or remediate non-compliant resource configurations.

64
MCQhard

A company runs a serverless application using AWS Lambda functions that access an Amazon DynamoDB table. The Lambda functions are part of a microservices architecture and need to read and write to the DynamoDB table. The security team wants to ensure that the Lambda functions have the minimum required permissions. Initially, the team attached the AWS managed policy 'AWSLambdaDynamoDBExecutionRole' to the Lambda execution role, but later discovered that this policy grants more permissions than needed. The team decides to create a custom policy with only the required actions: GetItem, PutItem, UpdateItem, and DeleteItem. However, after attaching the custom policy, the Lambda functions start failing with 'AccessDeniedException' when trying to access DynamoDB. The CloudWatch logs show that the Lambda function is unable to write logs to CloudWatch Logs. What is the MOST likely cause of the failures?

A.The custom policy does not include permissions for CloudWatch Logs actions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents), which are required for Lambda to write logs.
B.The custom policy does not include dynamodb:ListTables, which is required for the DynamoDB SDK to work.
C.The DynamoDB table has a resource-based policy that denies access from Lambda functions without a specific condition key.
D.The Lambda function is attached to a VPC and requires permissions to create Elastic Network Interfaces (ec2:CreateNetworkInterface).
AnswerA

Lambda uses CloudWatch Logs for logging; without these permissions, the function fails when trying to log.

Why this answer

Option A is correct. The custom policy only grants DynamoDB permissions but does not include permissions for CloudWatch Logs, which are needed for Lambda to write logs. The managed policy included both DynamoDB and CloudWatch Logs permissions.

Option B is wrong because the Lambda function does not need VPC permissions unless it is in a VPC. Option C is wrong because the Lambda function does not need to list tables to perform read/write operations. Option D is wrong because the condition keys are not the issue; the problem is missing permissions.

65
Multi-Selectmedium

A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A.Verify that the S3 bucket exists and is in the correct region.
B.Check CloudWatch Logs for CloudTrail errors.
C.Create an IAM role for CloudTrail with S3 write permissions.
D.Enable S3 server access logging on the bucket.
E.Review the CloudTrail configuration in the AWS Management Console for error messages.
AnswersA, E

Basic check.

Why this answer

Options A and D are correct. Verifying that the bucket exists and checking the CloudTrail error messages in the CloudTrail console are standard troubleshooting steps. Option B is wrong because CloudWatch Logs is not required for S3 delivery.

Option C is wrong because S3 server access logs are separate. Option E is wrong because CloudTrail does not use IAM roles for S3 delivery.

66
MCQmedium

A security engineer runs the IAM policy simulator with a custom policy. The output shows the above. Which statement is true about the policy?

A.The policy allows iam:DeleteUser but denies iam:CreateUser.
B.The policy allows all actions by default.
C.The policy contains a statement that explicitly denies iam:DeleteUser.
D.The policy has no effect because the simulator returned errors.
AnswerC

Simulator shows explicitDeny.

Why this answer

The simulator indicates 'explicitDeny' for DeleteUser, meaning a deny statement exists. Option A is correct. Option B is wrong because there is a deny.

Option C is wrong because CreateUser is allowed. Option D is wrong because simulator shows explicit deny.

67
Multi-Selectmedium

A company uses AWS KMS to encrypt sensitive data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Attach an SCP that denies kms:ScheduleKeyDeletion for all accounts.
B.Enable CloudTrail to log key deletion events.
C.Enable automatic key rotation.
D.Modify the key policy to deny kms:ScheduleKeyDeletion for all principals.
E.Disable the key to prevent usage.
AnswersA, D

Prevents scheduling key deletion.

Why this answer

Options A and C are correct. Enabling key rotation creates new cryptographic material but does not prevent deletion; however, the question asks about preventing deletion, so key rotation is not directly relevant. Actually, the correct answers are: enabling deletion protection on the key (Option B is correct if we consider that KMS now supports key deletion protection; but traditionally, the way to prevent deletion is to disable key deletion via key policy or using SCP.

Option A: enabling automatic key rotation does not prevent deletion. Option B: disabling the key does not prevent deletion. Option C: using SCP to deny kms:ScheduleKeyDeletion is correct.

Option D: using a key policy to deny deletion is correct. Option E: using CloudTrail is detective, not preventive. The correct two are C and D.

I'll revise:

68
MCQhard

A company uses AWS CloudTrail to log all API activity. They want to ensure that log files are tamper-proof and can be validated for forensic purposes. Which of the following should they enable?

A.AWS KMS server-side encryption on the S3 bucket
B.CloudTrail log file integrity validation
C.S3 bucket versioning
D.S3 Object Lock with governance mode
AnswerB

This feature creates a hash of each log file and signs it with a private key, enabling verification of file integrity.

Why this answer

CloudTrail log file integrity validation uses digital signatures (SHA-256) to verify that log files have not been modified after delivery. It also provides a digest file for validation.

69
MCQhard

Refer to the exhibit. A security engineer is reviewing a resource-based policy attached to an AWS Lambda function. The engineer notices that the policy allows any Lambda function in the account to invoke the function. Which security concern should the engineer address?

A.The policy grants excessive permissions by allowing all actions.
B.The policy does not specify a resource ARN, so it applies to all functions.
C.The policy allows invocation from any Lambda function across all AWS accounts.
D.The policy allows the Lambda service to modify the function code.
AnswerC

Without a source account condition, any Lambda service principal can invoke.

Why this answer

Option C is correct because the resource-based policy on the Lambda function uses a principal of `*` without any condition key (such as `aws:SourceAccount` or `aws:SourceArn`) to restrict invocation to only the same account. This means any Lambda function in any AWS account can invoke this function, which is a security concern as it allows cross-account invocation without authorization.

Exam trap

The trap here is that candidates often confuse a wildcard principal (`*`) with a wildcard resource (`*`), assuming that `*` in the principal field automatically restricts to the same account, but it actually allows cross-account access unless a condition key is used.

How to eliminate wrong answers

Option A is wrong because the policy does not grant excessive permissions by allowing all actions; it only specifies the `lambda:InvokeFunction` action, which is a single, specific action. Option B is wrong because the policy does specify a resource ARN (the function's own ARN), so it does not apply to all functions; the issue is the principal, not the resource. Option D is wrong because the policy only allows invocation (`lambda:InvokeFunction`), not modification of function code; modifying code would require `lambda:UpdateFunctionCode` or similar actions.

70
MCQmedium

A security engineer is configuring a Network ACL for a public subnet that hosts a web server. The web server must accept HTTPS (TCP 443) traffic from the internet and respond. It must also be able to initiate outbound connections to the internet for software updates (HTTPS). What is the MINIMUM set of rules required for the inbound and outbound Network ACL?

A.Inbound: allow TCP 443 from 0.0.0.0/0 and TCP 22 from a management IP; Outbound: allow all traffic to 0.0.0.0/0.
B.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to a specific software update server IP.
C.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow all traffic to 0.0.0.0/0.
D.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 1024-65535 to 0.0.0.0/0 (for return traffic) and allow TCP 443 to 0.0.0.0/0 (for updates).
AnswerD

This is the minimal set: inbound HTTPS, outbound ephemeral ports for return, and outbound HTTPS for updates.

Why this answer

Option A is correct because inbound allows HTTPS from anywhere (0.0.0.0/0) and outbound allows ephemeral ports for return traffic and destination 0.0.0.0/0 for the outbound updates. Option B is wrong because it allows all inbound traffic. Option C is wrong because it allows all outbound traffic, which is not minimal but acceptable, but it also allows inbound SSH, which is not needed.

Option D is wrong because it restricts outbound to only the update server, which may be too restrictive.

71
Multi-Selecthard

Which THREE are valid ways to restrict access to an S3 bucket using IAM policies? (Choose 3.)

Select 3 answers
A.Requiring server-side encryption using the 's3:x-amz-server-side-encryption' condition key
B.Using the 'aws:PrincipalOrgID' condition key
C.Restricting access to a specific VPC using the 'aws:SourceVpc' condition key
D.Using the 's3:ResourceAccount' condition key to restrict access to a specific bucket
E.Limiting access to specific IP addresses using the 'aws:SourceIp' condition key
AnswersA, C, E

This can be done in IAM policies to enforce encryption.

Why this answer

Options B, C, and D are correct. B: You can use condition keys like 's3:x-amz-server-side-encryption' in an IAM policy. C: You can limit access to specific IP addresses using the 'aws:SourceIp' condition key.

D: You can restrict access to specific VPCs using the 'aws:SourceVpc' condition key. Option A is wrong because IAM policies cannot use the 'aws:PrincipalOrgID' condition key to restrict access to an S3 bucket; that key is used in resource-based policies. Option E is wrong because restricting access to a specific bucket is done by specifying the bucket ARN in the Resource element, not by a condition key.

72
MCQmedium

A company is migrating on-premises databases to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. Which combination of steps should the team take to meet these requirements?

A.Use an RDS proxy with TLS termination and enable encryption at rest.
B.Enable encryption at rest on the RDS instance and set the rds.force_ssl parameter to 1 in the DB parameter group.
C.Enable encryption at rest on the RDS instance and use a client-side encryption library.
D.Enable encryption at rest and configure the security group to allow only HTTPS traffic.
AnswerB

This ensures both at-rest and in-transit encryption.

Why this answer

Option D is correct because enabling encryption at rest on the RDS instance (which can be done during creation or via snapshot) and requiring SSL for connections (by setting the rds.force_ssl parameter to 1) meets both requirements. Option A is wrong because enabling encryption at rest alone does not cover in-transit. Option B is wrong because using a client-side encryption library is not a standard RDS feature.

Option C is wrong because using an RDS proxy with TLS does not enforce SSL for direct connections.

73
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous API activity in an AWS account? (Choose two.)

Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.VPC Flow Logs
D.AWS Config
E.Amazon Inspector
AnswersA, B

GuardDuty detects anomalous API activity using ML.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including anomalous API activity. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs. When GuardDuty detects unusual API calls, such as a spike in failed authentication attempts or API calls from an unusual geographic location, it generates a security finding.

This makes GuardDuty a correct choice for detecting anomalous API activity.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail as a detection service, but CloudTrail is only the logging source that records API activity; it does not analyze or detect anomalies on its own—GuardDuty consumes those logs for detection.

74
Multi-Selectmedium

Which THREE of the following are best practices for protecting data in transit within AWS? (Choose 3.)

Select 3 answers
A.Use VPC Peering with encryption
B.Use TLS listeners on Elastic Load Balancers
C.Enable S3 Transfer Acceleration
D.Configure Amazon CloudFront to require HTTPS
E.Use AWS Site-to-Site VPN for on-premises connectivity
AnswersB, D, E

Correct: TLS encrypts traffic between clients and load balancers.

Why this answer

Options A, C, and E are correct. Using TLS for ELB, enforcing HTTPS on CloudFront, and using VPN for on-premises connectivity are all best practices. Option B is wrong because S3 Transfer Acceleration does not enforce encryption.

Option D is wrong because VPC Peering does not encrypt traffic.

75
Multi-Selecthard

Which TWO of the following are valid methods to enforce encryption at rest for an Amazon RDS for PostgreSQL DB instance? (Choose 2.)

Select 2 answers
A.Enable encryption on an existing unencrypted DB instance
B.Restore a DB instance from an encrypted snapshot
C.Take a snapshot of the unencrypted instance and enable encryption on the snapshot
D.Create an encrypted read replica and promote it
E.Create a new encrypted DB instance from the start
AnswersB, E

Correct: The restored instance inherits encryption from the snapshot.

Why this answer

Options B and D are correct. You can only enable encryption at creation time or by restoring from an encrypted snapshot. Option A is wrong because you cannot encrypt an existing unencrypted instance.

Option C is wrong because enabling encryption on a snapshot is not supported; you must copy it. Option E is wrong because read replicas inherit encryption settings from the source.

Page 1 of 24

Page 2