AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 676–750

1738 questions total · 24 pages · All types, answers revealed


Page 10 of 24

676
Multi-Select · medium

A company is designing a data protection strategy for its Amazon S3 buckets. Which TWO actions can help protect data from accidental deletion or overwrite?

Select 2 answers
A. Enable MFA Delete on the bucket.
B. Enable Cross-Region Replication.
C. Enable default encryption.
D. Enable versioning on the bucket.
E. Set a lifecycle policy to expire objects.
Answers: A, D

Requires multi-factor authentication to delete objects.

Why this answer

The correct answers are A and D. Option A: MFA Delete adds an extra authentication step to delete objects. Option D: Versioning allows recovery of overwritten or deleted objects.

Option B: Cross-Region Replication is for disaster recovery, not deletion protection. Option C: Default encryption protects data at rest, not deletion. Option E: Lifecycle policies can delete objects, not protect them.

677
MCQ · easy

A company needs to monitor for unauthorized S3 bucket deletions. Which CloudWatch Logs metric filter should be used on CloudTrail logs?

A. eventName = GetBucketAcl
B. eventName = DeleteBucket
C. eventName = PutBucketPolicy
D. eventName = ListBuckets
Answer: B

DeleteBucket is the API call for deleting a bucket.

Why this answer

Option B is correct because the CloudTrail event `DeleteBucket` is logged when an S3 bucket is deleted. By creating a CloudWatch Logs metric filter that matches `eventName = DeleteBucket` on the CloudTrail log group, you can trigger an alarm or automated response to detect unauthorized bucket deletions. This directly addresses the monitoring requirement.

Exam trap

The trap here is that candidates may confuse read-only or policy-modifying events (like `GetBucketAcl`, `PutBucketPolicy`, or `ListBuckets`) with the actual deletion event, failing to recognize that only `DeleteBucket` directly corresponds to bucket removal.

How to eliminate wrong answers

Option A is wrong because `GetBucketAcl` retrieves the bucket's access control list, not a deletion event, so it would not detect bucket deletions. Option C is wrong because `PutBucketPolicy` modifies the bucket policy, which could lead to unauthorized access but is not a deletion action. Option D is wrong because `ListBuckets` enumerates all buckets in the account and is a read-only operation, not a deletion.

678
Multi-Select · medium

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

Select 2 answers
A. Configure AWS Config rules to invoke an AWS Lambda function for remediation
B. Configure AWS Config rules to send notifications to an SNS topic
C. Use AWS Systems Manager Automation documents as remediation actions
D. Use AWS CloudTrail to log non-compliant events
E. Use Amazon CloudWatch Events to trigger an AWS Step Functions state machine
Answers: A, C

Lambda can be used for custom remediation.

Why this answer

Option A is correct because AWS Config rules can be configured with remediation actions that invoke an AWS Lambda function. When a resource is evaluated as non-compliant, the rule triggers the Lambda function, which can execute custom logic to modify or fix the resource, such as adjusting security group rules or enabling encryption. This provides automated, programmable remediation directly integrated with AWS Config's evaluation lifecycle.

Exam trap

The trap here is that candidates often confuse notification-based responses (like SNS or CloudWatch Events) with actual automated remediation, forgetting that AWS Config's native remediation actions are limited to Lambda functions and Systems Manager Automation documents, not generic event-driven workflows.

679
MCQ · hard

A security engineer is reviewing the following IAM policy attached to an S3 bucket: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "10.0.0.0/8" } } } ] } The bucket contains sensitive data and should only be accessible from the corporate network (CIDR 10.0.0.0/8). However, the engineer is concerned that this policy might not be effective. What is the primary security concern with this policy?

A. The bucket policy does not include a Deny statement for requests outside the IP range, so the default allow might still permit access from other IPs.
B. The policy grants public access to the bucket because the Principal is "*", allowing anyone from the specified IP range to access objects.
C. The condition key aws:SourceIp only evaluates the IP address of the client, but if the request comes through a proxy, the IP might not match.
D. The policy uses s3:GetObject but does not include s3:ListBucket, so users cannot see the object list, but they can guess object keys.
Answer: B

Any user from the allowed IP range can access the bucket, which is essentially public access to that network.

Why this answer

Option B is correct because the policy allows anonymous access; any user from the specified IP range can access objects. Option A is wrong because the condition does restrict by IP. Option C is wrong because the bucket policy does not block public access if the bucket policy explicitly allows it.

Option D is wrong because the policy does not open the entire bucket; it only allows GetObject.

680
MCQ · easy

A security engineer is configuring CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are delivered to an S3 bucket owned by a separate AWS account for centralized auditing. Which additional configuration is required to allow the S3 bucket in the other account to receive these logs?

A. Create an S3 bucket policy on the source account's bucket to allow cross-account access.
B. Enable S3 server-side encryption with KMS on the destination bucket.
C. Create an IAM role in the source account and attach a trust policy for CloudTrail.
D. Add a bucket policy to the destination S3 bucket that allows CloudTrail to write objects.
Answer: D

Required for cross-account delivery.

Why this answer

Option D is correct because cross-account S3 delivery requires a bucket policy on the destination bucket that grants CloudTrail (the service principal) permission to write objects. Option A is wrong because the bucket policy goes on the destination bucket, not the source. Option B is wrong because KMS encryption is not required for cross-account delivery.

Option C is wrong because CloudTrail does not use IAM roles for cross-account delivery.

681
Multi-Select · hard

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Select 2 answers
A. Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.
B. Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.
C. Place the database servers in a public subnet for easier connectivity.
D. Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.
E. Create a security group for the database servers that allows inbound traffic on port 3306 from the web security group ID.
Answers: A, E

Security groups are stateful and will allow return traffic automatically.

Why this answer

Option A is correct because security groups are stateful, so allowing outbound traffic on port 3306 from the web servers to the database security group automatically permits the corresponding return traffic. This adheres to the principle of least privilege by specifying the destination as the database security group ID rather than a broad CIDR range, ensuring only the intended web servers can initiate the connection.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and incorrectly assume that a subnet CIDR-based rule in a security group is equivalent to using a security group ID, when in fact the latter provides stricter least-privilege control by limiting access to only the specific instances in the web security group.

682
MCQ · easy

A company needs to protect data stored in S3 from accidental deletion by users. Which S3 feature should be used?

A. S3 Lifecycle policies
B. S3 MFA Delete
C. S3 Versioning
D. S3 Block Public Access
Answer: C

Versioning preserves all versions of an object, including deleted or overwritten ones.

Why this answer

Option C is correct because S3 Versioning allows retrieval of overwritten or deleted objects. Option B is incorrect because MFA Delete protects against deletion but is not the primary protection against accidental deletion. Option D is incorrect because S3 Block Public Access prevents public access, not deletion.

Option A is incorrect because S3 Lifecycle policies manage storage classes, not deletion protection.

683
MCQ · hard

A company uses AWS CloudTrail to log all API activity and delivers logs to an S3 bucket with server-side encryption (SSE-S3). The security team needs to ensure that only authorized personnel can access the logs and that any unauthorized access attempts are logged and alerted. Additionally, the team wants to prevent the logs from being deleted for at least one year. Which combination of actions should be taken?

A. Enable S3 Object Lock with a retention period of one year; enable S3 server access logs; use a bucket policy with a condition that allows access only from authorized IAM roles or users.
B. Enable S3 default encryption (SSE-S3) on the bucket; enable S3 server access logs; attach an IAM policy that allows only authorized users to access the bucket.
C. Enable MFA Delete on the bucket; enable CloudTrail log file validation; use bucket ACLs to restrict access.
D. Enable S3 Inventory to track objects; enable CloudTrail to log S3 API calls; use a bucket policy with a deny effect for unauthorized users.
Answer: A

Object Lock prevents deletion; server access logs record all requests; a bucket policy with conditions restricts access.

Why this answer

Option A is correct because enabling S3 Object Lock with a retention period prevents deletion, enabling S3 server access logs records all requests, and using a bucket policy with conditions restricts access to authorized users. Option B is wrong because S3 default encryption (SSE-S3) does not prevent deletion; S3 server access logs record requests, not access attempts; and IAM policies alone are not sufficient to restrict access if bucket policies are permissive. Option C is wrong because MFA Delete prevents deletion but requires additional setup; CloudTrail logs already record API calls; bucket ACLs are not recommended for access control.

Option D is wrong because S3 Inventory lists objects but does not prevent deletion; CloudTrail logging can monitor API calls, but S3 Object Lock is more direct for preventing deletion.

684
MCQ · easy

An IAM policy attached to a user contains the above statements. The user attempts to download an object from 'example-bucket/confidential/report.pdf'. What is the result?

A. The download fails because the user is not an administrator.
B. The download succeeds because the user can access other objects.
C. The download succeeds because the first statement allows GetObject.
D. The download fails because the deny statement applies to the object.
Answer: D

Explicit deny on the path.

Why this answer

The explicit deny on the confidential folder overrides the allow. Option A is incorrect because the download fails due to the explicit deny, not because of the user's administrator status. Option B is incorrect because access to other objects does not matter; the deny applies to this specific path.

Option C is incorrect because the explicit deny overrides the allow in the first statement.

685
MCQ · hard

A company has a VPC with public and private subnets. The private subnets host Amazon RDS instances. To allow the RDS instances to access the internet for software updates without exposing them to inbound internet traffic, what should be configured?

A. Use a VPN connection to an on-premises network that has internet access.
B. Set up a VPC peering connection to a VPC with internet access.
C. Create a NAT gateway in a public subnet and add a route to the NAT gateway in the private subnet route table.
D. Attach an internet gateway to the private subnet route table.
Answer: C

A NAT gateway allows outbound internet access and blocks inbound.

Why this answer

Option C is correct because a NAT gateway allows outbound internet traffic from private subnets while blocking inbound. Option D is wrong because an internet gateway route in a private subnet would expose the instances. Option B is wrong because VPC peering is for connecting VPCs, not internet access.

Option A is wrong because a VPN does not provide internet access.

686
MCQ · easy

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which security mechanism should be used?

A. Use an S3 bucket policy with a condition that restricts access to the VPC endpoint ID.
B. Assign an IAM role to the S3 bucket.
C. Attach a security group to the S3 bucket.
D. Configure a network ACL on the VPC subnet to allow traffic to S3.
Answer: A

This allows only traffic originating from the specified VPC endpoint.

Why this answer

An S3 bucket policy with a condition that limits access to the VPC endpoint ID is the correct approach. Network ACLs do not apply to S3, security groups are not used for S3, and IAM roles alone cannot restrict by network path.

687
MCQ · easy

A security engineer needs to ensure that all data stored in an Amazon S3 bucket is encrypted at rest. The bucket must use server-side encryption with a key managed by the customer (SSE-C). What must the engineer include in the PUT request to enforce this?

A. x-amz-server-side-encryption-customer-algorithm and x-amz-server-side-encryption-customer-key
B. x-amz-server-side-encryption: AES256
C. x-amz-server-side-encryption: aws:kms
D. x-amz-server-side-encryption-bucket-key-enabled: true
Answer: A

These headers are required for SSE-C to provide the encryption key.

Why this answer

Option A is correct because SSE-C requires the encryption key to be provided in the request headers. Option B is wrong because AES256 selects SSE-S3, which uses AWS-managed keys. Option C is wrong because aws:kms selects SSE-KMS, which uses KMS keys.

Option D is wrong because the bucket key header does not supply a customer key; with SSE-C the key must still be provided in the request.

688
Multi-Select · easy

A company wants to receive notifications when AWS CloudTrail logs are delivered to an S3 bucket. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A. Amazon S3 Event Notifications
B. AWS CloudTrail
C. AWS Lambda
D. Amazon Simple Queue Service (SQS)
E. Amazon Simple Notification Service (SNS)
Answers: A, E

S3 can send event notifications when objects are created.

Why this answer

S3 Event Notifications can be sent to SNS, which can then send notifications. SQS is for queueing, not direct notifications. CloudWatch Events (now Amazon EventBridge) can also trigger on S3 events.

CloudTrail does not send notifications directly.

689
MCQ · medium

A company has multiple AWS accounts managed through AWS Organizations. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI). Which governance control should be implemented?

A. Use a service control policy (SCP) that denies ec2:RunInstances unless the AMI ID is in an approved list.
B. Deploy an AWS Config rule that triggers a Lambda function to terminate non-compliant instances.
C. Use AWS CloudTrail to monitor instance launches and alert the security team.
D. Use an IAM policy that restricts ec2:RunInstances to approved AMIs.
Answer: A

SCPs can enforce restrictions across all accounts in the organization.

Why this answer

A service control policy (SCP) is the correct governance control because it operates at the AWS Organizations level, allowing the security team to enforce a deny on ec2:RunInstances across all member accounts unless the AMI ID matches an approved list. SCPs are account permission boundaries that cannot be overridden by IAM policies within the account, ensuring that no user or role can launch an EC2 instance with an unapproved AMI, even if they have full administrative privileges. This provides a preventive control that blocks non-compliant actions before they occur, which is more robust than detective or reactive measures.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, assuming that an IAM policy can enforce organization-wide controls, but SCPs are the only mechanism that applies as a permission boundary across all accounts in an AWS Organization and cannot be overridden by account administrators.

How to eliminate wrong answers

Option B is wrong because an AWS Config rule with a Lambda function to terminate non-compliant instances is a detective and reactive control, not a preventive governance control; it only acts after the instance is launched, incurring potential cost and security exposure. Option C is wrong because AWS CloudTrail is a logging and monitoring service that records API calls but does not prevent the launch; it only alerts the security team after the fact, leaving a window for non-compliant instances to run. Option D is wrong because an IAM policy that restricts ec2:RunInstances to approved AMIs can be bypassed by users with higher privileges (e.g., an administrator) or by modifying the policy within the account, whereas an SCP applies as a boundary that cannot be overridden by account-level IAM policies.

690
MCQ · easy

A developer is trying to use the AWS CLI to list objects in an S3 bucket but receives an AccessDenied error. The developer has an IAM user with a policy that allows s3:ListBucket on the bucket. What could be causing the error?

A. The developer has not enabled MFA on their IAM user.
B. The S3 bucket has a bucket policy that denies access to the developer's IAM user.
C. The S3 bucket does not exist in the same AWS region as the CLI is configured.
D. The IAM policy is attached to a group, not directly to the user.
Answer: B

An explicit deny in a bucket policy overrides an allow in an IAM policy.

Why this answer

Option B is correct because even if the IAM policy allows the action, the bucket policy may explicitly deny access. Option A is wrong because MFA is not required unless a policy condition requires it. Option D is wrong because policies attached to a group still apply to the user; multiple policies combine.

Option C is wrong because the bucket exists if the error is AccessDenied.

691
MCQ · easy

A company needs to securely store database credentials for a legacy application running on Amazon EC2. The credentials are currently hardcoded in the application code. Which service should be used to rotate and retrieve secrets automatically?

A. AWS Systems Manager Parameter Store with a SecureString parameter.
B. AWS Key Management Service (KMS).
C. AWS Secrets Manager.
D. AWS CloudHSM.
Answer: C

Supports automatic rotation and secure storage.

Why this answer

Option C is correct because AWS Secrets Manager supports automatic rotation of secrets. Option A is wrong because SSM Parameter Store does not natively support automatic rotation. Option B is wrong because KMS is for encryption keys, not secrets management.

Option D is wrong because CloudHSM is for hardware security modules.

692
MCQ · medium

A security engineer is tasked with implementing network segmentation for a multi-tier application. The web tier must be accessible from the internet, but the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. All tiers are in the same VPC. Which design meets these requirements?

A. Create a security group for each tier. Configure inbound rules to allow traffic only from the preceding tier's security group.
B. Use a single security group for all instances and use IAM policies to restrict access.
C. Place each tier in separate subnets and use network ACLs with CIDR blocks to allow traffic between tiers.
D. Place all instances in public subnets and restrict access using security groups.
Answer: A

Security group references provide granular control.

Why this answer

Option A is correct because security groups can be referenced in the inbound rules of other security groups, allowing the web tier SG to allow inbound from the ALB SG, the app tier SG to allow inbound from the web tier SG, and the database tier SG to allow inbound from the app tier SG. Option C is wrong because using CIDR blocks is less granular and does not scale, and NACLs are stateless and require more rules. Option D is wrong because public subnets expose the application tier to the internet.

693
MCQ · medium

A security engineer inspects two KMS keys. Which key can be used for envelope encryption with automatic key rotation?

A. Key 1234abcd-12ab-34cd-56ef-1234567890ab.
B. Key 2345bcde-23bc-45de-67fg-2345678901bc.
C. Neither key supports envelope encryption with automatic rotation.
D. Both keys support envelope encryption with automatic rotation.
Answer: A

Customer-managed key with rotation enabled.

Why this answer

Option A is correct because key 1234abcd has KeyRotationEnabled: true and is a customer-managed key (KeyManager: CUSTOMER) which supports automatic rotation. Key 2345bcde is AWS managed (KeyManager: AWS) but rotation is not enabled. However, AWS managed keys do not support automatic rotation.

Therefore, the only key that can have rotation enabled is key 1234abcd.

694
MCQ · hard

A company has an IAM policy that allows s3:GetObject on all buckets. However, a specific S3 bucket policy explicitly denies s3:GetObject to all principals. An IAM user with the IAM policy tries to read an object from that bucket. What is the result?

A. The request is allowed because the IAM policy is more specific.
B. The request is allowed because the IAM policy allows the action.
C. The request is denied because the bucket policy applies only to IAM users.
D. The request is denied because the explicit deny in the bucket policy overrides the allow in the IAM policy.
Answer: D

Explicit deny always overrides any allow.

Why this answer

Option D is correct because an explicit deny in a bucket policy overrides any allow. Option A is wrong because specificity does not matter; the explicit deny overrides the allow. Option B is wrong because the explicit deny overrides the allow.

Option C is wrong because the bucket policy deny applies to all principals, not only to IAM users.

695
Multi-Select · hard

A company has an S3 bucket with a bucket policy that allows access to a specific IAM role. However, users assume the role but still get access denied. Which THREE factors could cause this?

Select 3 answers
A. The bucket policy does not reference the role's trust policy.
B. A service control policy (SCP) denies the required actions.
C. The bucket policy has a condition on aws:RoleSessionName that does not match.
D. The role's trust policy does not allow the user's account to assume the role.
E. The bucket policy grants access to an IAM user instead of the role.
Answers: B, D, E

SCPs can override IAM permissions.

Why this answer

Options B, D, and E are correct. E: The bucket policy must explicitly allow the role; if it refers to a user instead, access fails. D: If the role's trust policy does not allow the user's account, the role cannot be assumed.

B: A service control policy (SCP) can block access even if IAM allows it. Option A is wrong because the bucket policy does not need to reference the role's trust policy. Option C is wrong because bucket policies do not have a condition key for the role session name.

696
MCQ · hard

A company wants to deploy a web application that must be accessible over HTTPS only. The application runs behind an Application Load Balancer (ALB). The security team wants to enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Which configuration achieves this?

A. Use AWS CloudFront with a custom header that enforces HSTS
B. Configure the ALB to redirect HTTP traffic to HTTPS and have the application set the Strict-Transport-Security header in the response
C. Configure the ALB listener to use HTTPS only and set a custom header via a listener rule
D. Enable HSTS on the ALB via the AWS Management Console
Answer: B

HSTS is set by the application; the ALB can redirect HTTP.

Why this answer

Option B (configure the ALB to redirect HTTP to HTTPS and have the application set the Strict-Transport-Security header) is correct. Option C is wrong because HSTS is a response header set by the application, not a listener rule. Option A is wrong because HSTS is not a CloudFront feature.

Option D is wrong because there is no HSTS setting on the ALB; the application sets the header.

697
MCQ · easy

A security team needs to detect unauthorized attempts to access an S3 bucket that contains sensitive data. Which AWS service can automatically analyze S3 access logs and generate findings for suspicious activity?

A. Amazon Macie
B. Amazon GuardDuty
C. AWS Trusted Advisor
D. Amazon Detective
Answer: B

GuardDuty analyzes S3 data events for suspicious activity.

Why this answer

Option B is correct because Amazon GuardDuty can analyze S3 data events (via CloudTrail) and generate findings for suspicious access patterns. Option A is wrong because Amazon Macie is for discovering sensitive data, not analyzing access logs. Option C is wrong because AWS Trusted Advisor provides cost and performance recommendations.

Option D is wrong because Amazon Detective investigates security incidents but does not automatically analyze S3 access logs for suspicious activity.

698
MCQ · medium

An organization has a production AWS account and a development AWS account. Developers need to access the production account from the development account using IAM roles. What is the MOST secure way to set this up?

A. Create an IAM role in the production account with a trust policy allowing the development account to assume it.
B. Create IAM users in the production account and share access keys with developers.
C. Establish a VPN connection between the accounts and use directory credentials.
D. Create the same IAM users in both accounts with identical permissions.
Answer: A

Cross-account roles provide temporary credentials.

Why this answer

Option A is correct because cross-account roles allow granting least-privilege access without sharing long-term credentials. Option B is wrong because sharing access keys is insecure. Option D is wrong because creating users in both accounts is not a cross-account solution.

Option C is wrong because a VPN does not provide IAM access.

699
MCQ · medium

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

A. The upload succeeds because the custom policy allows s3:PutObject
B. The upload fails because the managed policy only allows read
C. The upload is denied by default because there is no explicit allow
D. The upload fails because the managed policy overrides the custom policy
Answer: A

The custom policy grants write access.

Why this answer

The upload succeeds because IAM evaluates policies in a default-deny environment, and the custom policy attached to the role explicitly allows s3:PutObject. When a user assumes the role, the effective permissions are the union of all attached policies; the managed policy's read-only restriction does not block the explicit allow for s3:PutObject. Since there is no explicit deny for s3:PutObject, the allow from the custom policy grants the action.

Exam trap

The trap here is that candidates mistakenly believe a more restrictive policy (managed read-only) overrides a less restrictive one (custom allow), but IAM never overrides policies; it only denies if an explicit deny exists, and allows if any explicit allow exists.

How to eliminate wrong answers

Option B is wrong because the managed policy's read-only restriction does not override an explicit allow; IAM uses an allow-list model where any explicit allow permits the action unless there is an explicit deny. Option C is wrong because the custom policy provides an explicit allow for s3:PutObject, so the action is not denied by default. Option D is wrong because no policy overrides another in IAM; the effective permissions are the union of all allows minus any explicit denies, and the managed policy does not contain a deny for s3:PutObject.

700
MCQ · hard

A security engineer is investigating a potential data exfiltration incident. They suspect that an EC2 instance was compromised and used to transfer large amounts of data from an S3 bucket to an external IP address. The engineer has enabled VPC Flow Logs for the subnet where the EC2 instance resides, but the logs are not capturing traffic to the external IP. What is the most likely reason?

A. The EC2 instance's security group is blocking the traffic.
B. VPC Flow Logs only capture rejected traffic.
C. VPC Flow Logs only capture traffic to and from other VPC resources.
D. The traffic is routed through a NAT gateway, and flow logs are not enabled on the NAT gateway's subnet.
Answer: D

Flow Logs need to be enabled on the subnet where the NAT gateway resides to capture its traffic.

Why this answer

Option D is correct because VPC Flow Logs do not capture traffic to external IPs that is routed through a NAT gateway if the flow log is configured only for the subnet where the EC2 instance is located; the NAT gateway's traffic is captured by flow logs on the subnet where the NAT gateway resides. Option B is wrong because Flow Logs can capture accepted traffic as well as rejected traffic. Option A is wrong because Flow Logs capture traffic even if security groups are present.

Option C is wrong because Flow Logs capture all IP traffic, not just intra-VPC traffic.

701
MCQ · easy

A security analyst wants to monitor unsuccessful login attempts to the AWS Management Console. Which AWS service and log combination should be used?

A. Amazon S3 server access logs.
B. VPC Flow Logs.
C. Amazon CloudWatch Logs.
D. AWS CloudTrail.
Answer: D

CloudTrail records API calls, including ConsoleLogin events.

Why this answer

AWS CloudTrail logs console sign-in events, including failed attempts. The ConsoleLogin event with a failure status is logged. Option A is wrong because S3 access logs track object-level access.

Option B is wrong because VPC Flow Logs track network traffic. Option C is wrong because CloudWatch Logs is a destination, not a source of login events.

702
MCQ · hard

A company uses AWS Organizations to manage multiple accounts. The security team needs to implement a centralized logging solution where all VPC Flow Logs from all accounts are sent to a central S3 bucket in the security account. The flow logs must be encrypted with a customer-managed KMS key (CMK) that is owned by the security account. The security engineer has enabled VPC Flow Logs in each account and configured the destination to be the central S3 bucket. However, the flow logs are not being delivered. The engineer checks the S3 bucket policy and confirms that it grants the required permissions to the Flow Logs service principal. What is the MOST likely cause of the failure?

A. The VPC Flow Logs service does not support cross-account delivery.
B. The KMS key policy does not grant the Flow Logs service principal permission to use the key.
C. CloudTrail must be enabled in the source account for Flow Logs to work.
D. The S3 bucket policy is missing a condition for the source account.
Answer: B

The key policy must allow the service principal to encrypt.

Why this answer

Option B is correct because the KMS key policy must grant the Flow Logs service principal permission to use the key for encryption. Option A is wrong because VPC Flow Logs can write to cross-account buckets. Option D is wrong because the bucket policy has already been confirmed to grant the required permissions.

Option C is wrong because CloudTrail is not involved in Flow Logs delivery.

703
Drag & Dropmedium

Drag and drop the steps to respond to a suspected AWS IAM credential compromise in the correct order.

Why this order

Credential compromise response starts with rotation, log review, disabling user, revoking temp creds, and notification.

704
MCQeasy

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

A.String match condition
B.Regex pattern set
C.Rate-based rule
D.IP set
AnswerB

Can define a pattern for valid API keys and block invalid ones.

Why this answer

A regex pattern set rule is the correct choice because it allows you to define a regular expression pattern that matches the expected format of valid API keys in the 'X-API-Key' header. AWS WAF regex pattern sets can be used in a rule to inspect the header value and block requests that do not match the pattern, providing flexible and precise validation beyond simple string matching.

Exam trap

The trap here is that candidates often confuse string match conditions with regex pattern sets, assuming that a simple 'contains' or 'starts with' string match is sufficient for validating structured data like API keys, when in fact regex provides the necessary pattern flexibility.

How to eliminate wrong answers

Option A is wrong because a string match condition can only check for exact or substring matches, not complex patterns like varying alphanumeric formats or specific character sequences typical of API keys. Option C is wrong because a rate-based rule is designed to block IPs based on request rate thresholds, not to inspect header content for a valid API key. Option D is wrong because an IP set rule blocks or allows traffic based on source IP addresses, not on the presence or validity of an API key in a header.

705
MCQmedium

A security engineer notices that an IAM user in the company's AWS account is making API calls from an IP address outside the allowed corporate network. The engineer needs to be alerted immediately when such activity occurs. Which solution meets these requirements with the least operational overhead?

A.Create an Amazon CloudWatch Events rule that matches the IAM user's API calls from the unauthorized IP and sends an SNS notification.
B.Enable AWS Trusted Advisor and configure email notifications for security checks.
C.Enable VPC Flow Logs and analyze them with Amazon Athena to detect suspicious IPs.
D.Configure S3 server access logs on the IAM users' bucket and use Amazon Macie to detect anomalies.
AnswerA

CloudWatch Events can filter CloudTrail events and trigger alerts in real time.

Why this answer

Option A is correct because CloudWatch Events (now Amazon EventBridge) can capture API calls from CloudTrail and trigger an SNS notification based on a rule matching the source IP address. Option B is wrong because Trusted Advisor does not monitor IAM user API calls in real time. Option C is wrong because VPC Flow Logs capture network traffic but not API-level details.

Option D is wrong because S3 server access logs are for S3 operations only.

706
MCQeasy

A company uses AWS Organizations and wants to centrally manage CloudTrail trails across all accounts. Which feature should be enabled?

A.CloudTrail organization trail
B.Cross-account CloudTrail
C.Service Control Policy for CloudTrail
D.AWS Config aggregator
AnswerA

An organization trail logs events for all accounts in the organization.

Why this answer

Option A is correct because CloudTrail organization trails allow a single trail to log events for all accounts in the organization. Option B is wrong because CloudTrail does not support cross-account trails without organization trails. Option C is wrong because SCPs are for permissions, not logging.

Option D is wrong because Config aggregators are for configuration compliance, not logging.

707
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes credit card numbers and must comply with PCI DSS. The security team requires that all credit card numbers be encrypted at rest and in transit. The application stores the encrypted credit card numbers in Amazon RDS for MySQL. The RDS instance is encrypted at rest using AWS KMS. The application decrypts the credit card numbers after retrieval using a KMS key. The security team has noticed that some credit card numbers are being logged in plaintext in Amazon CloudWatch Logs by the application. The developers claim they are not logging the decrypted values. What is the MOST likely cause and solution?

A.Disable RDS audit logging or ensure that the query logs do not contain sensitive data.
B.Use AWS KMS key policies to prevent the application from decrypting the credit card numbers.
C.Modify the application code to encrypt the credit card numbers before logging.
D.Enable SSL/TLS encryption for the connection between the application and RDS.
AnswerA

RDS query logs may capture the plaintext data if it is sent in SQL statements.

Why this answer

Option A is correct. If the RDS query logs (general logs or slow query logs) are enabled and sent to CloudWatch, they may contain the plaintext credit card numbers if the application sends the decrypted values in SQL queries. Disabling query logging or ensuring it does not contain sensitive data solves the problem.

Option D is wrong because SSL/TLS encryption does not affect logging. Option C is wrong because application logging is not the issue; the logs are from RDS. Option B is wrong because KMS audit logs would not contain the plaintext data.

708
MCQeasy

A company uses AWS Secrets Manager to store database credentials. They need to rotate the secrets automatically every 30 days. Which rotation strategy should they use?

A.Use AWS Systems Manager Parameter Store to rotate the secret.
B.Manually update the secret every 30 days.
C.Enable automatic rotation in Secrets Manager and specify a Lambda rotation function.
D.Use an AWS Config rule to trigger rotation.
AnswerC

Secrets Manager rotation uses Lambda to update the secret and the database.

Why this answer

Option C is correct because AWS Secrets Manager natively supports automatic rotation of secrets, and you must specify an AWS Lambda function to perform the rotation logic (e.g., updating the database password and storing the new secret). This ensures the secret is rotated on a schedule (every 30 days) without manual intervention, meeting the requirement for automated rotation.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager Parameter Store with Secrets Manager, thinking Parameter Store can also rotate secrets automatically, or they may incorrectly assume AWS Config rules can schedule rotations, when in fact only Secrets Manager with a Lambda function provides native automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not have built-in automatic rotation capabilities; it is a parameter store, not a secrets rotation service, and would require custom automation to rotate secrets. Option B is wrong because manually updating the secret every 30 days is not automated and defeats the purpose of using Secrets Manager for rotation; it introduces human error and operational overhead. Option D is wrong because AWS Config rules are used for compliance evaluation and remediation, not for scheduling or executing secret rotation; they can trigger a Lambda function for remediation but are not designed as a rotation scheduler.

709
MCQeasy

An organization wants to use AWS Organizations to centrally manage permissions for multiple accounts. Which IAM feature is used to grant cross-account access within the organization?

A.IAM roles
B.Service control policies (SCPs)
C.Resource-based policies
D.IAM groups
AnswerA

IAM roles allow cross-account access through role assumption.

Why this answer

AWS Organizations allows you to use service control policies (SCPs) to centrally control permissions, but for actual cross-account access, IAM roles are still used. Option A is correct because IAM roles allow users in one account to assume a role in another account. Option B is wrong because SCPs are for permission boundaries, not direct access.

Option C is wrong because resource-based policies are for specific services, not general cross-account access. Option D is wrong because IAM groups are within a single account.

710
MCQhard

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls: - All EC2 instances are launched in private subnets. - The IAM roles used by EC2 instances follow the principle of least privilege. - Security groups restrict inbound and outbound traffic. - AWS Systems Manager Patch Manager is used to patch instances. - AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket. - Amazon GuardDuty is enabled. Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

A.Enable VPC Flow Logs to monitor traffic to S3.
B.Use S3 VPC Endpoints with a bucket policy that only allows access from the VPC endpoint, and use Systems Manager Session Manager instead of SSH.
C.Deploy AWS WAF in front of the S3 bucket.
D.Create an AWS Config rule to detect S3 access from EC2 instances.
AnswerB

This restricts S3 access to the VPC and reduces the attack surface for data exfiltration.

Why this answer

Option B is correct because using an S3 VPC endpoint with a bucket policy that restricts access exclusively to that endpoint ensures that compromised EC2 instances can only reach S3 through the VPC endpoint, preventing data exfiltration over the internet. Additionally, replacing SSH with Systems Manager Session Manager eliminates the need for open inbound SSH ports and provides fine-grained access control through IAM, reducing the attack surface and blast radius.

Exam trap

The trap here is that candidates may choose VPC Flow Logs (Option A) thinking it provides active protection, but it is only a monitoring tool that does not reduce the blast radius; the key is to implement network-level and access-level restrictions that prevent data exfiltration even if an instance is compromised.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only provide visibility into traffic patterns and do not actively limit the blast radius or prevent data exfiltration. Option C is wrong because AWS WAF is a web application firewall designed to protect web-facing resources like ALB or CloudFront, not S3 buckets directly; it cannot restrict access from EC2 instances to S3. Option D is wrong because an AWS Config rule is a detective control that can detect non-compliant access after it occurs, but it does not proactively limit the blast radius or prevent exfiltration in real time.

711
Multi-Selecteasy

A company needs to protect data in transit between an on-premises data center and AWS. Which THREE services can be used to encrypt data in transit?

Select 3 answers
A.AWS Key Management Service (KMS)
B.AWS Shield
C.HTTPS
D.AWS Site-to-Site VPN
E.AWS Certificate Manager (ACM)
AnswersC, D, E

Encrypts web traffic.

Why this answer

The correct answers are C, D, and E. Option E: TLS certificates encrypt data in transit. Option D: IPsec VPN encrypts network traffic.

Option C: HTTPS encrypts web traffic. Option A: AWS KMS manages encryption keys, not transit. Option B: AWS Shield protects against DDoS attacks, not data encryption.

712
MCQeasy

A security engineer needs to centralize logs from multiple AWS accounts into a single S3 bucket. Which solution is most secure?

A.Deliver logs to separate buckets per account and use S3 replication to copy them to a central bucket.
B.Use a single S3 bucket in the management account and have each account write logs directly without additional permissions.
C.Configure each account's CloudTrail to deliver to a centralized S3 bucket in a logging account, with a bucket policy allowing CloudTrail from source accounts.
D.Stream logs to Amazon Kinesis Data Firehose in each account and consolidate into a single S3 bucket via cross-account delivery.
AnswerC

This uses cross-account bucket policies, a best practice for centralized logging.

Why this answer

Option C is correct because using a centralized S3 bucket with a bucket policy that grants cross-account permissions from each source account's CloudTrail is a standard secure approach. Option B is incorrect because writing from one account to another requires explicit permissions, not automatic. Option A is incorrect because delivering to separate buckets then copying adds complexity and potential security gaps.

Option D is incorrect because Kinesis Firehose can be used but is not required; S3 bucket policy is simpler and secure.

713
MCQmedium

A company has a security group that allows inbound SSH from 0.0.0.0/0. The security team wants to restrict access to only the company's public IP range 203.0.113.0/24. What change should be made?

A.Add a network ACL rule to deny SSH from 0.0.0.0/0.
B.Modify the inbound SSH rule in the security group to source 203.0.113.0/24.
C.Add a network ACL rule to allow SSH from 203.0.113.0/24.
D.Remove the inbound SSH rule from the security group.
AnswerB

Directly restricts SSH to company IP range.

Why this answer

Option B is correct because security groups are stateful and act as a virtual firewall for instances. To restrict inbound SSH access from 0.0.0.0/0 to only the company's public IP range, you must modify the existing inbound rule's source CIDR from 0.0.0.0/0 to 203.0.113.0/24. This change directly updates the allowed source IP range, and since security groups evaluate all rules before making a decision, the more specific allowed range will take effect without needing additional rules.

Exam trap

The trap here is that candidates often confuse the stateless behavior of network ACLs with the stateful behavior of security groups, leading them to incorrectly believe that adding a deny rule in a network ACL can override a security group's allow rule for the same traffic.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and operate at the subnet level, not at the instance level; adding a deny rule in a network ACL would not override the security group's allow rule for SSH, and it would also require an explicit allow rule for return traffic due to statelessness. Option C is wrong because adding a network ACL rule to allow SSH from 203.0.113.0/24 does not change the security group's existing inbound SSH rule that allows 0.0.0.0/0, so SSH from any IP would still be permitted by the security group. Option D is wrong because removing the inbound SSH rule entirely would block all SSH access, including from the company's intended IP range, which is not the desired outcome.

714
MCQhard

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

A.The condition key should be 'aws:sourceIp' (lowercase 's').
B.The policy should use the 'NotIpAddress' condition operator instead of 'IpAddress'.
C.The resource ARN should be 'arn:aws:s3:::example-bucket' without the '/*' suffix.
D.The policy lacks a separate statement to allow 's3:ListBucket' on the bucket resource.
AnswerD

For console access, ListBucket is required; without it, the user cannot see the bucket but can still perform PutObject via API. However, the question implies inability to put objects, which could be due to missing ListBucket in some SDK scenarios.

Why this answer

Option D is correct because the policy only grants s3:GetObject and s3:PutObject actions on the bucket's objects (arn:aws:s3:::example-bucket/*), but does not include a separate statement allowing s3:ListBucket on the bucket resource (arn:aws:s3:::example-bucket). Without s3:ListBucket, the user cannot list the bucket's contents, which is often required by the AWS CLI or SDK to resolve object keys before performing put operations. The IP condition is correctly applied, so the issue is the missing list permission.

Exam trap

The trap here is that candidates focus on the IP condition syntax or resource ARN format and overlook the common requirement for an explicit s3:ListBucket permission when performing object operations via the AWS CLI or SDK.

How to eliminate wrong answers

Option A is wrong because 'aws:sourceIp' is the correct case-sensitive condition key; AWS condition keys are case-sensitive and 'aws:sourceIp' is valid. Option B is wrong because using 'NotIpAddress' would deny access from the specified range and allow all others, which is the opposite of the intended effect. Option C is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' is correct for object-level actions (GetObject, PutObject); the bucket-level ARN without '/*' is used for bucket-level actions like ListBucket, not for object operations.

715
MCQhard

A security engineer runs the above CloudTrail lookup command to investigate a change to the S3 bucket policy. The command only returns one event, but the engineer knows that the bucket policy was changed multiple times. What is the most likely reason?

A.The bucket policy changes were made through the AWS Management Console, which is not logged.
B.The event is not logged because PutBucketPolicy is not supported by CloudTrail.
C.The command is filtering by the wrong attribute.
D.The command is limiting results to one event.
AnswerD

Max results parameter limits output.

Why this answer

Option D is correct because the command uses --max-results 1, limiting output to one event. Option C is wrong because the query is for ResourceName. Option B is wrong because the event is shown.

Option A is wrong because the console uses the same CloudTrail data.

716
Multi-Selecthard

A security engineer is designing a solution to automatically remediate noncompliant EC2 security groups. The company uses AWS Organizations with multiple accounts. The engineer wants to deploy an AWS Config rule and a custom Lambda function in a central security account to evaluate and remediate security groups across all accounts. Which combination of steps is REQUIRED to allow the Lambda function to modify security groups in member accounts? (Choose TWO.)

Select 2 answers
A.Create an IAM role in each member account that allows the central security account to assume it.
B.Use AWS CloudFormation StackSets to deploy the Lambda function to all member accounts.
C.Configure an AWS Config remediation action that invokes the Lambda function in the central account.
D.Attach a resource-based policy to the Lambda function granting access to Config from all member accounts.
E.Create the Lambda function in each member account and configure Config rules in each account.
AnswersA, C

This enables cross-account access for the Lambda function to modify security groups.

Why this answer

The correct approach is to use AWS Config aggregated rules with remediation actions that invoke Lambda cross-account. Option A is required to allow the central account to assume a role in member accounts; Option C is required to invoke the Lambda function from Config. Option B (same account) is not cross-account.

Option D is not required because Config aggregates can work with individual accounts. Option E is redundant.

717
Multi-Selectmedium

A security engineer is designing a secure VPC architecture. Which THREE components should be used to implement defense in depth? (Choose three.)

Select 3 answers
A.VPN connection
B.Internet gateway
C.Security groups
D.Network ACLs
E.VPC Flow Logs
AnswersC, D, E

Instance-level firewall.

Why this answer

Security groups (C) are stateful virtual firewalls that control inbound and outbound traffic at the instance level. They operate at the network interface (ENI) level, allowing only explicitly permitted traffic and automatically allowing return traffic for permitted sessions. This provides a critical layer of host-level defense within the VPC.

Exam trap

The trap here is that candidates often confuse connectivity components (VPN, Internet gateway) with security controls, or they overlook that VPC Flow Logs are a detective control (not preventive) but still a valid part of defense in depth, leading them to select A or B instead of the correct trio of security groups, network ACLs, and VPC Flow Logs.

718
MCQmedium

A company has an AWS Direct Connect connection to its on-premises data center. The security team wants to ensure that traffic between the VPC and the data center is encrypted. Which solution should they use?

A.Set up an IPsec VPN connection over the Direct Connect virtual interface.
B.Enable encryption on the Direct Connect virtual interface.
C.Use AWS Site-to-Site VPN over the internet.
D.Use VPC Peering to connect the VPC to the data center.
AnswerA

This encrypts traffic between on-premises and AWS.

Why this answer

AWS Direct Connect does not encrypt traffic by default. To encrypt, you can use IPsec VPN over Direct Connect or encrypt the data at the application layer. Option A is correct.

Option B is not possible because Direct Connect offers no encryption setting on the virtual interface. Option C is for internet-based VPN. Option D is wrong because VPC Peering is for VPC-to-VPC connectivity, not for encryption.

719
Multi-Selectmedium

A company is designing a network architecture for a critical application that must be highly available and secure. Which TWO actions should be taken to ensure high availability of the network infrastructure?

Select 2 answers
A.Deploy resources across multiple Availability Zones.
B.Use Elastic IP addresses for failover between instances.
C.Use a single internet gateway for the VPC.
D.Use a single Availability Zone for all resources to reduce complexity.
E.Place all instances in a public subnet for easy access.
AnswersA, B

Multi-AZ deployment provides fault isolation.

Why this answer

Deploying resources across multiple Availability Zones (A) and using Elastic IP addresses for failover (B) improve availability. Options A and B are correct. A single AZ (D) is not high availability.

A single internet gateway (C) is a single point of failure if not redundant. A public subnet (E) doesn't guarantee availability.

720
MCQeasy

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

A.Enable VPC Flow Logs and analyze for S3 API traffic
B.Configure an AWS Config rule to detect changes and invoke a Lambda function
C.Create an Amazon CloudWatch Events rule that matches the PutBucketPolicy API call and triggers an SNS notification
D.Enable S3 server access logs and parse them for PutBucketPolicy entries
AnswerC

CloudWatch Events can match API calls from CloudTrail.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can directly capture the PutBucketPolicy API call as a real-time event and trigger an SNS notification without any additional compute or polling. This is the most efficient method as it requires no log parsing, no custom code, and no additional infrastructure, providing immediate alerting with minimal overhead.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing log-based methods (A or D) or evaluation-based methods (B), missing that CloudWatch Events provides the simplest and most direct real-time alerting for specific API calls without additional overhead.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API-level operations like PutBucketPolicy; they cannot identify the specific S3 API call being made. Option B is wrong because an AWS Config rule detects configuration changes after they occur via periodic evaluations or configuration item changes, which introduces latency and requires a Lambda function for notification, making it less efficient than a direct event-driven approach. Option D is wrong because S3 server access logs are delivered on a best-effort basis with delays (often hours), require parsing to extract PutBucketPolicy entries, and are not designed for real-time alerting.
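The detection logic behind questions 701, 705 and 720 (failed ConsoleLogin events, API calls from outside the corporate IP range, and an EventBridge rule that matches PutBucketPolicy), as an added Python example that is not part of this question bank. The CloudTrail records are constructed for the example, the 203.0.113.0/24 range is taken from the questions on this page as the assumed corporate range, and the pattern matcher implements only exact-value matching of EventBridge event patterns.

```python
import ipaddress

# Assumption: the company's public range, taken from the questions on this page.
CORPORATE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail records (trimmed to the fields used here), not real log data.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": None},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # CloudTrail writes a service DNS name instead of an IP when an AWS service made the call.
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]

# EventBridge event patterns in the shape EventBridge uses for CloudTrail-sourced events.
PUT_BUCKET_POLICY_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": ["PutBucketPolicy"]},
}
CONSOLE_LOGIN_FAILURE_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "responseElements": {"ConsoleLogin": ["Failure"]}},
}


def is_failed_console_login(record):
    """ConsoleLogin events report the outcome in responseElements.ConsoleLogin."""
    if record.get("eventName") != "ConsoleLogin":
        return False
    return (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure"


def is_outside_corporate_range(record):
    """True when sourceIPAddress is a literal IP outside every corporate CIDR.
    Non-IP values (service DNS names, 'AWS Internal') are skipped, not flagged."""
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return not any(ip in net for net in CORPORATE_CIDRS)


def triage(records):
    """Return one finding per matching signal, in record order."""
    findings = []
    for r in records:
        identity = r.get("userIdentity", {})
        user = identity.get("userName", identity.get("type", "unknown"))
        if is_failed_console_login(r):
            findings.append({"signal": "failed_console_login", "user": user,
                             "sourceIPAddress": r.get("sourceIPAddress")})
        if is_outside_corporate_range(r):
            findings.append({"signal": "api_call_outside_corporate_range", "user": user,
                             "eventName": r.get("eventName"),
                             "sourceIPAddress": r.get("sourceIPAddress")})
    return findings


def to_eventbridge_event(record):
    """Wrap a CloudTrail record the way EventBridge delivers it (source aws.<service>)."""
    service = record.get("eventSource", "").split(".")[0]
    detail_type = ("AWS Console Sign In via CloudTrail" if service == "signin"
                   else "AWS API Call via CloudTrail")
    return {"source": f"aws.{service}", "detail-type": detail_type, "detail": record}


def matches_pattern(event, pattern):
    """Minimal EventBridge matcher: each pattern key must exist in the event; list values
    mean 'event value is one of these'; nested dicts recurse. No prefix/anything-but operators."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
    for r in SAMPLE_RECORDS:
        ev = to_eventbridge_event(r)
        if matches_pattern(ev, PUT_BUCKET_POLICY_PATTERN) or matches_pattern(ev, CONSOLE_LOGIN_FAILURE_PATTERN):
            print("alert:", r["eventName"], r["sourceIPAddress"])
```

The two pattern dictionaries are what you would paste into the EventBridge rule for question 720 and for a failed-sign-in alert; the matcher exists only so the patterns can be exercised offline against the constructed records.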

721
MCQhard

A company uses AWS Config to track resource changes. They notice that a weekly compliance report shows an S3 bucket as non-compliant with a rule that checks for server-side encryption. However, the bucket has default encryption enabled. What is the MOST likely reason for this discrepancy?

A.The Config rule checks for SSE on objects, not default bucket encryption.
B.The Config rule was deleted and recreated without re-evaluating existing resources.
C.The Config rule is only evaluating resources in a single AWS Region.
D.The S3 bucket is not tagged with a required tag for the Config rule.
AnswerA

The rule 's3-bucket-server-side-encryption-enabled' checks if the bucket policy requires encryption, not default encryption. Default encryption does not enforce encryption on uploads.

Why this answer

Option A is correct because AWS Config rules evaluate the bucket configuration at the time of the change, and default encryption is a bucket-level setting, but the rule might be checking for encryption on objects. Option C is wrong because AWS Config evaluates all regions by default but can be scoped. Option B is wrong because the rule exists.

Option D is wrong because Config does not require a resource to be tagged to evaluate it.

722
MCQmedium

A security engineer needs to ensure that all data in an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must deny any PutObject request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy element should be used?

A.Deny with NotPrincipal
B.Deny with condition StringNotEquals for s3:x-amz-server-side-encryption
C.Deny on s3:PutObjectAcl
D.Allow with condition StringEquals for s3:x-amz-server-side-encryption
AnswerB

This denies uploads that do not have the required encryption header.

Why this answer

To enforce encryption, use a bucket policy with a Deny effect on s3:PutObject when the condition aws:SecureTransport or s3:x-amz-server-side-encryption is not set to aws:kms. Option B is correct because it uses a Deny with a condition for the encryption header. Option D is incorrect because Allow with condition does not deny unencrypted requests.

Option A is incorrect because NotPrincipal is used for cross-account, not for encryption enforcement. Option C is incorrect because s3:PutObjectAcl is not relevant.

723
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team receives an alert from Amazon GuardDuty that one of the EC2 instances is generating outbound traffic to a known command-and-control (C2) IP address. The instance is part of an Auto Scaling group (ASG) with a minimum of 2 and maximum of 10 instances. The security incident response playbook instructs the team to isolate the compromised instance without affecting the application's availability. The team needs to preserve the instance for forensic analysis. Which action should the team take first?

A.Terminate the compromised EC2 instance and allow the ASG to launch a replacement.
B.Detach the EBS root volume from the instance and attach it to a forensic instance.
C.Shut down the instance from within the OS using AWS Systems Manager Run Command.
D.Remove the instance from the ALB target group and attach a security group that denies all traffic.
AnswerD

Isolates the instance while preserving it for forensics.

Why this answer

Option D is correct because removing the instance from the ALB target group immediately stops new traffic from reaching the application, while attaching a security group that denies all traffic (e.g., a custom security group with no inbound/outbound rules) effectively isolates the instance at the network layer. This preserves the instance for forensic analysis and does not affect application availability, as the ASG will not automatically terminate the instance (since it is still running and healthy from the ASG's perspective). The ALB will continue to route traffic to the remaining healthy instances in the target group, maintaining service continuity.

Exam trap

The trap here is that candidates may think terminating the instance (Option A) is the fastest way to stop the threat, but they overlook the requirement to preserve the instance for forensic analysis and the need to maintain application availability by not triggering an ASG replacement prematurely.

How to eliminate wrong answers

Option A is wrong because terminating the instance would destroy the forensic evidence (e.g., memory, disk, logs) and the ASG would launch a replacement, but the immediate isolation step should be network-level, not termination. Option B is wrong because detaching the EBS root volume requires the instance to be stopped first, which would take the instance out of service and potentially trigger an ASG replacement, and it does not address the immediate need to stop outbound C2 traffic. Option C is wrong because shutting down the instance from within the OS using Systems Manager Run Command would stop the instance, causing the ASG to launch a replacement (since the instance count drops below the minimum), and it does not preserve the instance for forensic analysis (the instance is stopped, not isolated).

724
MCQhard

Refer to the exhibit. A security engineer is troubleshooting a decryption failure. The command uses the AWS CLI to decrypt a file. The decryption fails with an 'AccessDeniedException' error. The IAM user has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the failure?

A.The KMS key policy does not grant the IAM user decrypt permission
B.The IAM user does not have permission to call kms:Decrypt on the specific key
C.The ciphertext blob is not valid
D.The IAM user is not authorized to use the AWS CLI
AnswerA

Key policies can restrict access even if IAM allows.

Why this answer

Option A is correct because the KMS key policy must explicitly allow the IAM user to decrypt. Even if IAM allows, the key policy can deny. Option D is wrong because the command uses the default KMS key if not specified, but the key policy might not allow the user.

Option B is wrong because the IAM policy grants decrypt on all keys. Option C is wrong because the file contains the ciphertext, not the key ID.

725
Multi-Selecthard

A company's security team is configuring Amazon GuardDuty to detect crypto-mining activities on EC2 instances. Which THREE indicators should the team monitor? (Choose 3.)

Select 3 answers
A.Outbound connections to IP addresses on port 3333.
B.Unusually high CPU utilization on EC2 instances.
C.High volume of inbound network traffic.
D.DNS queries to known crypto-mining pools.
E.High disk I/O operations.
AnswersA, B, D

Port 3333 is commonly used by mining pools.

Why this answer

Option A is correct because mining malware connects to its pool on a small set of well-known ports, 3333 among them; GuardDuty's CryptoCurrency:EC2/BitcoinTool.B finding is raised from VPC Flow Logs when an instance talks to an IP address associated with cryptocurrency activity. Option D is correct because the companion finding CryptoCurrency:EC2/BitcoinTool.B!DNS is raised from DNS query logs when an instance resolves a domain associated with a mining pool. Option B is correct as the host-level corroboration: a miner saturates the CPU, so a sustained, unexplained CPU spike in the instance's CloudWatch metrics supports the network finding. Note that GuardDuty itself does not read CPU metrics; that signal comes from CloudWatch, and the two together are what the team should monitor.

Exam trap

The trap here is that candidates may confuse high inbound traffic with outbound traffic, or assume disk I/O is a primary indicator of crypto-mining. Mining produces outbound pool connections and DNS lookups (the signals GuardDuty raises findings on) and CPU load (seen in CloudWatch), not inbound volume or disk activity.

726
Multi-Selecthard

A company is implementing a data classification policy using AWS. The policy requires that all S3 objects containing personally identifiable information (PII) be automatically tagged and encrypted. Which THREE services should be used together to meet this requirement?

Select 3 answers
A.Amazon Macie
B.Amazon S3 default encryption
C.AWS Config
D.AWS Lambda
E.AWS CloudTrail
AnswersA, B, D

Macie discovers and classifies PII in S3.

Why this answer

Options A, B and D are correct. Option A: Macie scans S3 objects and produces findings that identify PII. Option D: a Lambda function subscribed to those findings (delivered through EventBridge) can apply the classification tag to the object. Option B: S3 default encryption ensures every new object is encrypted without relying on the client to ask for it.

Option C is wrong because AWS Config evaluates resource configuration, not object contents. Option E is wrong because CloudTrail records API calls; it neither classifies nor tags data.

727
MCQeasy

An application running on an EC2 instance needs to read from an S3 bucket. What is the BEST practice for granting permissions to the EC2 instance?

A.Store AWS access keys in the application code.
B.Create an IAM user and give access keys to the developer.
C.Use an IAM role and attach it to the EC2 instance profile.
D.Use the root account credentials.
AnswerC

This provides temporary credentials automatically.

Why this answer

Using an IAM role attached to the instance profile is the recommended way: the instance metadata service hands the application automatically rotated temporary credentials, so no long-lived secret is stored in code, on disk, or with a developer. Options A, B and D all rely on long-lived credentials, and D uses the most privileged identity in the account.

728
Multi-Selecthard

A security engineer is designing a solution to detect and alert on any S3 bucket that is publicly accessible. Which THREE services can be used together to achieve this?

Select 3 answers
A.AWS Security Hub
B.Amazon S3 Block Public Access settings
C.AWS Config
D.AWS CloudTrail
E.Amazon VPC Flow Logs
AnswersA, C, D

Aggregates findings from Config and other services.

Why this answer

Option D is correct: CloudTrail records the PutBucketPolicy, PutBucketAcl and public-access-block changes that make a bucket public, together with who made them. Option C is correct: AWS Config continuously evaluates buckets with managed rules such as s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited and flags the non-compliant ones. Option A is correct: Security Hub aggregates Config and other findings in one place, and its S3 controls surface public buckets for alerting.

Option B is wrong for this question because Block Public Access prevents public access rather than detecting it (it is the right preventive control to pair with this detection). Option E is wrong because VPC Flow Logs record IP traffic, not S3 bucket configuration.

729
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that any new account created in the organization automatically has an S3 bucket policy that blocks public access. What is the most efficient way to enforce this requirement?

A.Create an AWS CloudFormation template that includes the S3 bucket policy and deploy it to each new account manually.
B.Use AWS Config rules to detect S3 buckets without public access block and automatically remediate.
C.Use AWS CloudFormation StackSets to deploy the bucket policy to all existing and future accounts.
D.Attach a service control policy (SCP) at the root level that denies the s3:PutBucketPublicAccessBlock action with a condition that the bucket must have public access blocked.
AnswerD

SCP at the root enforces the requirement for all accounts, including new ones.

Why this answer

Option D is correct because an SCP attached to the organization root applies to every member account, including accounts created later, with no per-account deployment step; denying changes to the public access block settings means no principal in any account can remove the block, and a new account inherits the control the moment it joins. Option A is wrong because deploying a template to each new account by hand does not scale and is easily forgotten. Option C is wrong as keyed because a StackSet only reaches the accounts it has been deployed to and is a deployment mechanism rather than an enforcement control: a principal could still alter the deployed setting unless an SCP prevents it.

Option B is wrong because Config rules detect non-compliance after the fact and remediate after a delay rather than preventing the change.

730
MCQhard

Refer to the exhibit. A security engineer finds the above IAM policy attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

A.The IAM group has an additional policy that allows all EC2 actions without conditions.
B.The policy allows access to all EC2 actions, but the condition only applies to the ec2:* actions, which includes all EC2 actions.
C.The aws:SourceIp condition key does not apply to API calls made through the AWS Management Console; the console uses AWS IP addresses.
D.The policy should use a NotIpAddress condition instead of IpAddress.
AnswerC

Correct: Console API calls originate from AWS IPs, not the user's client IP, so the condition is ineffective.

Why this answer

Option C is the keyed answer: `aws:SourceIp` is compared against the address the request arrives from, and the keyed reasoning is that console sessions do not present the user's corporate client address, so an `IpAddress` match on 10.0.0.0/8 is not satisfied. Note what that does and does not explain. The exhibit is an Allow with a condition; when the condition is not met, the Allow simply does not apply, and with no other policy in play the outcome is an implicit deny, not access.

Users who can perform EC2 actions from outside the corporate network therefore have some other Allow in effect (an unconditioned EC2 policy, as in option A), which a conditional Allow cannot take away. A network restriction that holds regardless of what else is attached has to be an explicit Deny using `NotIpAddress`, and AWS's documented form of that Deny adds a `Bool` condition on `aws:ViaAWSService` so that calls made by AWS services on the user's behalf, which do not carry the client's IP address, are not blocked along with the outside traffic.

Exam trap

The trap here is that candidates assume `aws:SourceIp` works universally for all API calls, but AWS explicitly documents that it does not apply to requests made through the AWS Management Console because the console uses AWS service IPs, not the user's client IP.

How to eliminate wrong answers

Option A is wrong because while an additional permissive policy could override the intended restriction, the question asks for the MOST likely reason based on the exhibit and typical misconfiguration; the exhibit shows only one policy, and the most common mistake is misunderstanding how `aws:SourceIp` works with the console. Option B is wrong because the condition applies to all `ec2:*` actions, which includes all EC2 actions, so the condition is correctly scoped; the issue is not the action coverage but the condition key's behavior with the console. Option D is wrong because using `NotIpAddress` would allow all IPs except the corporate network, which is the opposite of the intended effect; the policy intends to allow only from corporate network, so `IpAddress` is correct—the problem is not the condition type but the fact that the console does not pass the user's source IP.

731
MCQhard

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?

A.Allows uploads only if they use SSE-S3.
B.Allows uploads without encryption.
C.Allows uploads with any server-side encryption.
D.Allows uploads only if they use SSE-KMS.
AnswerD

Denies non-KMS (first statement) and null header (second statement).

Why this answer

Option D is correct. The first statement denies s3:PutObject when the s3:x-amz-server-side-encryption header is present with any value other than aws:kms, which rejects SSE-S3 uploads (header value AES256). The second statement denies s3:PutObject when the header is absent (Null condition true), which rejects uploads that specify no encryption at all. The only request that passes both Deny statements is one that sends s3:x-amz-server-side-encryption: aws:kms. Option A is wrong because AES256 is caught by the first statement. Option B is wrong because a missing header is caught by the second.

Option C is wrong because SSE-S3 is denied; only SSE-KMS is accepted. Note that the policy evaluates the request header, not the bucket's settings: a bucket whose default encryption is SSE-KMS would encrypt a header-less upload on its own, but this policy still rejects that upload because the header is null at evaluation time, so clients must send it explicitly (the AWS CLI does so with --sse aws:kms).

732
MCQhard

A company has a compliance requirement to encrypt all data in Amazon S3 using keys that are managed by the company's internal security team. The keys must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS Key Management Service (KMS)
C.Amazon S3 default encryption with SSE-C
D.AWS CloudHSM
AnswerD

CloudHSM provides dedicated HSMs with Level 3 certification.

Why this answer

Option D is correct because CloudHSM provides single-tenant HSM clusters, validated at FIPS 140-2 Level 3, in which the company's own security team creates and controls the keys; AWS has no access to the key material. Option B is wrong as keyed because KMS is a multi-tenant managed service whose HSMs AWS operates; if the company needs S3's native SSE-KMS integration while keeping keys in its own CloudHSM cluster, the bridge is a KMS custom key store backed by that cluster. Option C is wrong because SSE-C means the client supplies a key with every request; S3 offers no HSM storage.

Option A is wrong because Secrets Manager stores secrets (credentials, API keys) encrypted under KMS; it is neither an HSM nor a key manager.

733
MCQmedium

An application running on EC2 instances needs to access an S3 bucket. The Security Engineer wants to ensure that the EC2 instances do not have access keys and that the access is restricted to only the required bucket. What is the most secure way to provide this access?

A.Generate an access key for an IAM user with permissions to the S3 bucket and store it in the EC2 instance.
B.Create an S3 bucket policy that allows the EC2 instance's public IP address to access the bucket.
C.Create an IAM role with a policy that allows access to the specific S3 bucket, and attach the role to the EC2 instance profile.
D.Use the root user's access keys to configure the application.
AnswerC

This uses temporary credentials and least privilege.

Why this answer

Option C is correct because an IAM role whose policy is scoped to the one bucket (s3:ListBucket on the bucket ARN, s3:GetObject on the bucket's object ARNs) and attached to the instance profile gives the application short-lived credentials from the instance metadata service with no stored secret. Option A is wrong because a long-lived access key on the instance can be read by anyone who compromises it and has to be rotated by hand. Option D is wrong because the root user's credentials grant everything in the account and must never be distributed.

Option B is wrong because a bucket policy keyed on an IP address does not authenticate the instance: S3 requests must still be signed with credentials, and a source-IP grant extends to every host that shares that address.

734
MCQmedium

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used in the S3 bucket policy?

A.aws:Referer
B.aws:SourceVpce
C.aws:SourceVpc
D.aws:SourceIp
AnswerB

SourceVpce restricts by VPC endpoint ID.

Why this answer

Option B is correct: aws:SourceVpce compares the ID of the VPC endpoint the request came through, so a Deny with StringNotEquals on that key (or an Allow with StringEquals) confines the bucket to one endpoint. Option D (aws:SourceIp) compares the caller's public IP address and is not present at all for requests that arrive through a VPC endpoint (aws:VpcSourceIp carries the private address in that case).

Option C (aws:SourceVpc) matches any endpoint in the named VPC, which is broader than a single endpoint. Option A (aws:Referer) compares the HTTP Referer header, which the client controls and which should never be used for access control.

735
MCQhard

Refer to the exhibit. An application running on EC2 behind an ALB is unreachable from the internet. The ALB health checks are failing. What is the most likely cause?

A.The security group inbound rule allows HTTP from 0.0.0.0/0, but it should only allow traffic from the ALB's security group.
B.The network ACL outbound rules deny all traffic, so the instance cannot send responses back to the ALB.
C.The security group outbound rule allows all traffic, which is too permissive and causes the ALB to reject the instance as unhealthy.
D.The network ACL inbound rule only allows traffic from 10.0.0.0/16 on ports 80 and 443, but the ALB is in a different subnet (public subnet) with a different CIDR (e.g., 10.0.2.0/24). The ALB's traffic to the instance must come from its private IP, which is in the same VPC but may not be within 10.0.0.0/16 if the VPC CIDR is not /16.
AnswerD

The network ACL admits HTTP/HTTPS only from 10.0.0.0/16. ALB health checks arrive from the load balancer nodes' private IPs in the ALB subnets; if those addresses fall outside 10.0.0.0/16 (for example a VPC addressed from 10.1.0.0/16 or 172.16.0.0/16), the NACL drops the connection and the target is marked unhealthy.

Why this answer

Option D is correct because health checks are ordinary HTTP requests from the ALB nodes' private IP addresses, and a NACL inbound rule limited to 10.0.0.0/16 drops them whenever those addresses lie outside that range. Mind the arithmetic: 10.0.0.0/16 spans 10.0.0.0 to 10.0.255.255, so an ALB subnet of 10.0.2.0/24 is inside it; the failure only occurs when the VPC or the ALB subnets use a CIDR outside 10.0.0.0/16.

Option A is wrong because an over-permissive inbound rule from 0.0.0.0/0 is a hardening concern, not something that makes health checks fail. Option C is wrong for the same reason; permissive outbound rules do not cause the ALB to mark a target unhealthy. Option B is wrong as the keyed reading of the exhibit, but because NACLs are stateless, a practitioner checking this should confirm both directions: the inbound rule must allow the ALB's source range on the target port, and the outbound rule must allow the ephemeral port range (1024-65535) back to it.

736
Multi-Selectmedium

A security engineer is reviewing the following IAM policy attached to a role. Which TWO actions are allowed by this policy? (Choose two.)

Select 2 answers
A.s3:ListBucket
B.ec2:TerminateInstances
C.iam:CreateUser
D.kms:Decrypt
E.s3:GetObject
AnswersA, E

Explicitly allowed.

Why this answer

Options A and E are correct because the policy explicitly allows s3:ListBucket and s3:GetObject. Option B is wrong because ec2:TerminateInstances is not allowed. Option C is wrong because iam:CreateUser is not allowed.

Option D is wrong because kms:Decrypt is not allowed; an action that no statement allows is implicitly denied.

737
MCQeasy

A company wants to ensure that any deleted CloudTrail logs are detected and alerted within minutes. Which approach should they use?

A.Enable S3 event notifications on the CloudTrail bucket for DELETE events.
B.Configure CloudTrail to send logs to CloudWatch Logs, create a metric filter for DeleteTrail events, and set a CloudWatch alarm to send an SNS notification.
C.Use AWS Config to track CloudTrail configuration changes and trigger a Lambda function.
D.Enable Amazon GuardDuty to monitor CloudTrail management events.
AnswerB

Real-time detection via CloudWatch Logs metric filters.

Why this answer

Option B is correct because CloudTrail management events (including DeleteTrail) are delivered to CloudWatch Logs, where a metric filter can match the exact event name. A CloudWatch alarm on that metric triggers an SNS notification within minutes, meeting the detection and alerting requirement. This approach directly monitors the CloudTrail API call that deletes the trail itself, not just the log files.

Exam trap

The trap here is that candidates confuse detecting deletion of log files (S3 events) with detecting deletion of the trail itself (CloudTrail API call), leading them to choose Option A instead of the correct CloudWatch-based approach.

How to eliminate wrong answers

Option A is wrong because S3 event notifications on the CloudTrail bucket detect deletion of log objects (e.g., individual log files), but they do not detect the deletion of the CloudTrail trail itself, which is a management API call. Option C is wrong because AWS Config evaluates configuration changes against rules, but its evaluation is not real-time; it typically runs every few minutes or on a config change, and it does not natively provide sub-minute alerting via SNS without additional custom logic. Option D is wrong because Amazon GuardDuty monitors for suspicious activity using CloudTrail management events as a data source, but it does not provide immediate, dedicated alerting for the specific DeleteTrail event; its findings are generated based on threat detection models and may have a delay.

738
MCQmedium

A company has an AWS Lambda function that processes sensitive data. The security team wants to ensure that any errors or suspicious behavior are immediately investigated. Which combination of services should be used to send real-time notifications for anomalous function executions?

A.CloudWatch Logs and SNS
B.CloudTrail and SNS
C.AWS Config and SQS
D.Amazon Detective and SES
AnswerA

CloudWatch Logs metric filters on error patterns can trigger alarms via SNS.

Why this answer

Option A is correct because CloudWatch Logs can capture Lambda function execution logs, and a CloudWatch Logs metric filter can be configured to detect patterns indicative of errors or suspicious behavior (e.g., 'ERROR', 'Exception', or custom anomaly patterns). When the metric filter triggers a CloudWatch alarm, it can publish a message directly to an Amazon SNS topic, which then sends real-time notifications (e.g., email, SMS, or HTTP endpoint) to the security team for immediate investigation.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs API calls) with CloudWatch Logs (which captures application-level execution output), leading them to choose CloudTrail for real-time error monitoring when it is actually designed for auditing and compliance, not for triggering on application errors.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API calls and management events (e.g., who invoked the Lambda function), not the function's execution logs or error output; it cannot trigger real-time notifications based on anomalous function behavior. Option C is wrong because AWS Config is designed for resource configuration compliance and change tracking, not for monitoring real-time execution errors or suspicious behavior; SQS is a message queue that requires a separate consumer to process notifications, adding latency and complexity. Option D is wrong because Amazon Detective is a post-incident investigation service that analyzes historical data to identify root causes of security findings, not a real-time notification service; SES is an email-sending service that requires custom integration and does not natively trigger from Lambda execution anomalies.

739
Multi-Selectmedium

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are encrypted at rest and that access to the logs is controlled. Which actions should be taken? (Choose two.)

Select 2 answers
A.Enable CloudTrail log file validation
B.Enable default encryption on the S3 bucket where CloudTrail logs are stored
C.Attach an S3 bucket policy that restricts access to the CloudTrail logs to authorized principals
D.Use AWS KMS to encrypt the CloudTrail log files
E.Store logs in Amazon CloudWatch Logs with encryption enabled
AnswersB, C

Encrypts logs at rest using SSE-S3 or SSE-KMS.

Why this answer

Options B and C are correct: default encryption on the log bucket (SSE-S3 or SSE-KMS) covers encryption at rest, and a bucket policy that limits s3:GetObject on the log prefix to the security team's principals (while still letting cloudtrail.amazonaws.com write) controls access. Option A is wrong for this requirement because log file validation produces signed digest files that prove integrity; it neither encrypts nor restricts access. Option D is wrong as keyed, but note that CloudTrail does support SSE-KMS for its log files when a KMS key is configured on the trail, which adds key-policy control on top of bucket default encryption; the keyed answer counts bucket-level encryption as the required action.

Option E is wrong because sending a copy of the events to CloudWatch Logs is an additional destination, not a control on the S3 copy at rest.

740
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from 'example-bucket' from an IP address of 10.1.1.1. What will happen?

A.Access is denied because the policy does not include an explicit deny
B.Access is allowed because the condition key is misspelled
C.Access is denied because the IP address is not in the allowed range
D.Access is allowed because the policy allows s3:GetObject
AnswerC

The condition restricts to 10.0.0.0/16; 10.1.1.1 is not in that range.

Why this answer

Option C is correct because the IpAddress condition restricts the Allow to 10.0.0.0/16 (10.0.0.0 to 10.0.255.255); 10.1.1.1 is outside that range, so the Allow does not apply and the request ends in an implicit deny. Option A is incorrect because the absence of an explicit Deny is not why access is refused; an Allow whose condition is unmet simply grants nothing. Option B is incorrect because the key is spelled correctly, and a misspelled condition key would not open access anyway: a condition that can never be satisfied leaves the Allow inert.

Option D is incorrect because the s3:GetObject grant is conditional, not unconditional.
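The policy mechanics behind questions 731, 733, 740 and 730 (Deny statements keyed on the s3:x-amz-server-side-encryption header, a least-privilege role policy scoped to one bucket, and an aws:SourceIp condition on an Allow versus on an explicit Deny) can be exercised offline with a small evaluator. The block below is an added example and not code from AWS or from this page. The policies are written as Python dicts in the same shape as the JSON, principal matching is left out (every policy passed in is assumed to apply to the caller), the rule that a missing key satisfies only the negated operators is a modelling choice, and the bucket name example-bucket, the 10.0.0.0/16 and 10.0.0.0/8 ranges and the 198.51.100.7 address are taken from the questions or are documentation-range sample values.

```python
"""Toy IAM policy evaluator (added example, not AWS code). It models the order that
IAM, S3 bucket and KMS key policies share: an applicable explicit Deny wins, else
some Allow must apply, else the request is implicitly denied. Principal matching
is omitted: every policy given is taken to apply to the caller."""
import fnmatch
import ipaddress

NEGATED = ("StringNotEquals", "NotIpAddress")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_met(operator, key, expected, ctx):
    """Evaluate one condition key against the request context ctx."""
    expected = _as_list(expected)
    if operator == "Null":
        # Null: "true" is satisfied only when the key is absent from the request.
        return (key not in ctx) == (str(expected[0]).lower() == "true")
    if key not in ctx:
        return operator in NEGATED  # modelled: an absent key satisfies negated operators only
    value = ctx[key]
    if operator in ("StringEquals", "StringNotEquals"):
        return (value in expected) == (operator == "StringEquals")
    if operator == "Bool":
        return str(value).lower() == str(expected[0]).lower()
    if operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(value)
        inside = any(addr in ipaddress.ip_network(cidr) for cidr in expected)
        return inside == (operator == "IpAddress")
    raise ValueError(f"unsupported operator: {operator}")

def statement_applies(stmt, action, resource, ctx):
    """True when Action, Resource (IAM-style * wildcards) and every Condition match."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    return all(condition_met(op, key, exp, ctx)
               for op, keys in stmt.get("Condition", {}).items() for key, exp in keys.items())

def evaluate(policies, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

BUCKET = "arn:aws:s3:::example-bucket"  # bucket name from the questions above
OBJECTS, OBJ = BUCKET + "/*", BUCKET + "/report.csv"
HDR = "s3:x-amz-server-side-encryption"
# Least-privilege role policy for an instance that only reads the bucket.
READ_ONLY_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS}]}
UPLOADER_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECTS}]}
# Bucket policy accepting SSE-KMS uploads only: a Deny for a wrong header value, a Deny for a missing one.
KMS_ONLY_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {HDR: "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {HDR: "true"}}}]}
# Conditional Allow: reads permitted only from 10.0.0.0/16.
READ_FROM_OFFICE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}
# Explicit Deny outside the corporate range, guarded so that requests AWS services
# make on the caller's behalf (which carry no client IP) are not blocked.
DENY_OUTSIDE_CORP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"},
                   "Bool": {"aws:ViaAWSService": "false"}}}]}

def upload_decisions():
    """Which PutObject requests the KMS-only bucket policy lets through."""
    pols = [UPLOADER_ROLE, KMS_ONLY_BUCKET]
    return {"no header": evaluate(pols, "s3:PutObject", OBJ, {}),
            "SSE-S3 (AES256)": evaluate(pols, "s3:PutObject", OBJ, {HDR: "AES256"}),
            "SSE-KMS (aws:kms)": evaluate(pols, "s3:PutObject", OBJ, {HDR: "aws:kms"})}

def source_ip_decisions():
    """A conditional Allow versus an explicit Deny keyed on aws:SourceIp."""
    inside = {"aws:SourceIp": "10.0.1.1", "aws:ViaAWSService": "false"}
    outside = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"}
    via_service = {"aws:ViaAWSService": "true"}  # service-to-service call, no client IP
    def get(pols, ctx):
        return evaluate(pols, "s3:GetObject", OBJ, ctx)
    return {"conditional allow, inside": get([READ_FROM_OFFICE], inside),
            "conditional allow, outside": get([READ_FROM_OFFICE], outside),
            "conditional allow + unconditioned allow, outside": get([READ_FROM_OFFICE, READ_ONLY_ROLE], outside),
            "explicit deny, inside": get([READ_ONLY_ROLE, DENY_OUTSIDE_CORP], inside),
            "explicit deny, outside": get([READ_ONLY_ROLE, DENY_OUTSIDE_CORP], outside),
            "explicit deny, via service": get([READ_ONLY_ROLE, DENY_OUTSIDE_CORP], via_service)}
```

Calling the two scenario functions shows the outcomes that matter in this section: the KMS-only bucket policy rejects both a header-less upload and an AES256 header and accepts only aws:kms; a conditional Allow evaluated from 198.51.100.7 yields an implicit deny, so if users can still act from outside the range some other Allow (the unconditioned one in the third case) is responsible; and an explicit Deny with NotIpAddress blocks the outside request while the aws:ViaAWSService guard keeps service-made calls working. READ_ONLY_ROLE can be passed to evaluate with any action to confirm that only s3:ListBucket on the bucket and s3:GetObject on its objects come back as Allow.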

741
Multi-Selecteasy

Which TWO of the following are valid options for encrypting data at rest in Amazon EBS? (Choose two.)

Select 2 answers
A.Enable EBS encryption by default using the AWS managed key for EBS.
B.Use a customer managed KMS key.
C.Use an encryption script on the EC2 instance to encrypt the volume.
D.Use AWS CloudHSM to generate and store the encryption key.
E.Use S3 server-side encryption to encrypt the EBS snapshot.
AnswersA, B

AWS managed key for EBS is used when no custom key is specified.

Why this answer

Options A and B are correct: EBS encryption is always performed with KMS keys, either the AWS managed key for EBS (aws/ebs), which can be turned on by default for a Region, or a customer managed KMS key chosen per volume or set as the Region's default. Option D is wrong because CloudHSM is not used directly by EBS; HSM-backed key material reaches EBS only through KMS (a custom key store or imported key material).

Option C is wrong because EBS encryption happens in the EBS service, not in a script inside the instance. Option E is wrong because EBS snapshots are stored by the EBS service and inherit the volume's KMS encryption; S3 server-side encryption settings do not apply to them.

742
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centralize security logs (CloudTrail, VPC Flow Logs, AWS Config) from all accounts into a single S3 bucket for analysis. What is the MOST secure way to set up this centralized logging?

A.Create a dedicated S3 bucket in the management account, enable S3 default encryption, and configure service delivery for each account.
B.Create a dedicated S3 bucket in the security account with a bucket policy that grants write access to the logging services of all accounts and enforces encryption in transit and at rest.
C.Configure each account to deliver logs to the same S3 bucket used for other data.
D.Create an S3 bucket in each account and use S3 replication to copy logs to a central bucket.
AnswerB

This approach uses a centralized bucket with proper cross-account bucket policy and encryption, ensuring secure and auditable logging.

Why this answer

Option B is correct because a dedicated bucket in a security (log archive) account, with a bucket policy that grants only the logging service principals (cloudtrail.amazonaws.com, delivery.logs.amazonaws.com, config.amazonaws.com) write access from the organization's accounts and that denies unencrypted requests, centralizes the logs where workload accounts cannot alter them. Option C is wrong because mixing logs with other data in a shared bucket broadens who can read or delete them. Option D is wrong because per-account buckets with replication multiply the places where logs can be tampered with before they are copied.

Option A is wrong because the management account should be reserved for organization administration, and default encryption by itself is not the cross-account grant; the bucket policy is what admits the delivery services.

743
Multi-Selectmedium

Which TWO actions should a security engineer take to protect an Amazon EC2 instance from unauthorized access? (Choose two.)

Select 2 answers
A.Place the instance in a public subnet and rely solely on security groups.
B.Disable termination protection so the instance can be easily terminated if compromised.
C.Configure security groups to allow only necessary inbound traffic.
D.Place the instance in a private subnet and use a bastion host for administrative access.
E.Enable detailed billing to monitor instance usage.
AnswersC, D

Minimizing inbound traffic reduces attack surface.

Why this answer

Options C and D are correct. Restricting security-group ingress to the ports and sources the workload actually needs shrinks the attack surface, and a private subnet keeps the instance off the internet so that administrative access has to come through a controlled path such as a bastion host (AWS Systems Manager Session Manager achieves the same without exposing any inbound port). Option B (disabling termination protection) changes nothing about who can reach the instance.

Option A (a public subnet with security groups as the only control) increases exposure. Option E (detailed billing) is a cost tool, not a security control.

744
MCQmedium

Refer to the exhibit. A security engineer is reviewing the key policy for a customer managed key. The engineer notices that a user with the IAM role 'Admin' can encrypt and decrypt data using this key. However, the engineer wants to ensure that only requests coming from the company's VPC (vpc-12345678) can use the key. What should be added to the key policy?

A.Add a condition kms:ViaService with value s3.amazonaws.com
B.Add a condition kms:CallerAccount with value 111122223333
C.Add a condition aws:SourceVpc with value vpc-12345678 to the 'Allow use of the key' statement
D.Add a new statement with Effect: Deny and a condition aws:SourceVpc not equal to vpc-12345678
AnswerC

Restricts access to requests from the specified VPC.

Why this answer

Option C is correct: narrowing the existing 'Allow use of the key' statement with "StringEquals": {"aws:SourceVpc": "vpc-12345678"} limits that grant to requests reaching KMS through a VPC endpoint in that VPC. This only works if the VPC has an interface endpoint for KMS, because aws:SourceVpc is present in the request context only for requests that arrive through a VPC endpoint; requests over the public KMS endpoint lack the key and fail the condition. Option D is wrong as keyed because the question asks how to restrict the existing grant, and a blanket Deny can also block the AWS services that use the key on the Admin role's behalf unless it is carefully scoped.

Option A is incorrect because kms:ViaService limits use to requests made through a particular AWS service (S3 here), not to a network location. Option B is incorrect because kms:CallerAccount only checks which account the caller belongs to.

745
MCQeasy

A security administrator needs to ensure that all IAM users in the account use multi-factor authentication (MFA) to access the AWS Management Console. What is the most effective way to enforce this?

A.Set the IAM password policy to require MFA.
B.Use an SCP to deny access if MFA is not present, with a condition "aws:MultiFactorAuthPresent":"true".
C.Enable MFA for the root user and require all IAM users to use the root user credentials.
D.Create an IAM policy that denies all actions unless MFA is present, and attach it to all users.
AnswerD

An IAM policy with a condition on aws:MultiFactorAuthPresent can enforce MFA.

Why this answer

Option D is correct because an identity-based policy with a Deny on all actions, conditioned on MFA not being present and attached to every user (in practice to a group containing them all), blocks console use until the user signs in with MFA. AWS's documented form uses "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"} so that requests in which the key is absent entirely (long-term access keys) are denied as well, and it exempts a short list of actions (iam:ListMFADevices, iam:EnableMFADevice, sts:GetSessionToken and the like) so that users can still enrol a device. Option A is wrong because the password policy governs password complexity and rotation, not MFA. Option B is wrong as keyed because the question is scoped to IAM users within one account; an SCP can carry the same condition across an organization, though it never applies to the management account itself.

Option C is wrong because sharing root credentials is the opposite of a security control.

746
MCQhard

A security engineer is reviewing an SCP that denies access to a specific AWS service. The engineer notices that the SCP has an Effect of 'Deny' for 's3:PutObject' but the condition block uses 'StringEquals' with 'aws:SourceIp' set to an IP range. Users in the account are still able to upload objects to S3 from IP addresses outside the range. What is the most likely reason?

A.The SCP condition key 'aws:SourceIp' is not supported for SCPs; SCPs only support conditions that are resource-based.
B.The SCP only applies to IAM users and groups, not to the root user.
C.The SCP condition key 'aws:SourceIp' is not available for use in SCPs; SCPs only support condition keys that are global and listed in the AWS Global Condition Context Keys documentation for SCPs.
D.The SCP is evaluated after IAM policies, so an IAM policy allowing the action overrides the SCP.
AnswerC

The 'aws:SourceIp' condition key is not supported in SCPs, so the condition is ignored, and the deny does not apply.

Why this answer

Option C is correct as keyed: the reasoning is that this condition key is not among those an SCP can evaluate, so the condition is never satisfied and the Deny never takes effect. Option B is wrong because SCPs apply to every principal in a member account, the account's root user included. Option A is wrong because SCPs do support Condition blocks; the keyed reasoning concerns only the availability of this particular key.

Option D is wrong because SCPs are evaluated as part of every authorization decision for a member account, and no IAM Allow can override an SCP Deny. Independently of the keyed answer, the SCP as described has a defect a reviewer should catch: StringEquals compares strings, so an IP range such as 10.0.0.0/8 never equals a request's source address, and a Deny meant to block requests from outside a range needs NotIpAddress on that range rather than an equality operator.

747
Multi-Selecteasy

A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS Lambda
C.AWS CloudTrail
D.Amazon CloudWatch Logs
E.AWS Config
AnswersC, D

CloudTrail logs API calls across accounts and can be set up as an organization trail.

Why this answer

AWS CloudTrail is correct because it records all API activity across an AWS environment, and when integrated with AWS Organizations, it can deliver a centralized view of API calls from all accounts into a single CloudTrail trail. Amazon CloudWatch Logs is correct because it can ingest CloudTrail logs from a centralized logging account, allowing the security engineer to create metric filters and alarms that trigger alerts for suspicious events based on specific API patterns.

Exam trap

The trap here is that candidates often pick GuardDuty (A) because it is a security service, but they overlook that GuardDuty does not provide a centralized view of all API activities or allow custom alerting on specific API events, which requires CloudTrail and CloudWatch Logs.

748
Multi-Selecteasy

Which TWO AWS services can be used to monitor and detect unauthorized changes to Amazon S3 bucket policies? (Choose two.)

Select 2 answers
A.AWS CloudTrail
B.Amazon GuardDuty
C.Amazon CloudWatch Logs
D.AWS Config
E.Amazon VPC Flow Logs
AnswersA, D

CloudTrail logs PutBucketPolicy API calls.

Why this answer

Option A is correct because CloudTrail records every PutBucketPolicy and DeleteBucketPolicy call with the caller's identity and source IP, which is the evidence needed to decide whether a change was authorized. Option D is correct because AWS Config keeps each bucket's policy in its configuration history and can evaluate it with rules such as s3-bucket-public-read-prohibited, notifying on every change. Option C is wrong as keyed because CloudWatch Logs is a store and alerting surface for the CloudTrail events rather than the source that records the change.

Option E is wrong because VPC Flow Logs record IP traffic, not S3 configuration. Option B is wrong as keyed: GuardDuty does raise findings such as Policy:S3/BucketPublicAccessGranted, but those are threat-detection heuristics for risky changes, not a complete record of every policy modification.
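Questions 737 and 748 both come down to the same mechanism: a CloudWatch Logs metric filter that matches specific CloudTrail eventName values on the trail's log group. The block below is an added example, not AWS code or code from this page; it implements the subset of the metric filter pattern syntax those alarms use and runs three rules over constructed sample records (the ARNs, IP addresses, account ID 111122223333 and trail name are sample values), so that the matching can be checked before the same pattern strings are handed to put-metric-filter.

```python
"""Added example (not AWS code): run CloudWatch Logs metric-filter style patterns
over CloudTrail records offline, the way a metric filter on the trail's log group
would. Supports the single-level form { ($.path = v) || ($.path != "v") } used by
the CIS Benchmark alarm filters; && and numeric comparisons are not modelled."""
import json
import re

TERM = re.compile(r'\$\.([\w.]+)\s*(!=|=)\s*(?:"([^"]*)"|([^\s"()]+))')

def compile_pattern(pattern):
    """Turn one filter pattern into a predicate over a parsed CloudTrail record."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON metric filter patterns are wrapped in { }")
    terms = []
    for clause in body[1:-1].split("||"):
        m = TERM.fullmatch(clause.strip().strip("()").strip())
        if m is None:
            raise ValueError(f"cannot parse clause: {clause.strip()!r}")
        path, op, quoted, bare = m.groups()
        terms.append((path, op, quoted if quoted is not None else bare))

    def lookup(record, path):  # $.userIdentity.type -> record["userIdentity"]["type"]
        for part in path.split("."):
            record = record.get(part) if isinstance(record, dict) else None
        return record

    def predicate(record):  # clauses are OR-ed, exactly as || in the pattern
        return any((lookup(record, p) == v) == (op == "=") for p, op, v in terms)
    return predicate

# Alarm rules. The first two mirror the CIS Benchmark filters for CloudTrail
# tampering and S3 bucket policy changes; the third flags any root-user activity.
RULES = {
    "cloudtrail-tampering": "{ ($.eventName = DeleteTrail) || ($.eventName = StopLogging) || ($.eventName = UpdateTrail) }",
    "s3-policy-change": "{ ($.eventName = PutBucketPolicy) || ($.eventName = DeleteBucketPolicy) ||  ($.eventName = PutBucketAcl) }",
    "root-activity": '{ $.userIdentity.type = "Root" }',
}

# Constructed sample log events: one CloudTrail record per line, as delivered to CloudWatch Logs.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"sourceIPAddress":"10.0.1.1"}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"example-bucket"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"10.0.2.2"}
"""

def scan(log_text, rules=RULES):
    """Return (rule, eventName, caller ARN, source IP) for every record a rule matches."""
    compiled = {name: compile_pattern(p) for name, p in rules.items()}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for name, matches in compiled.items():
            if matches(rec):
                hits.append((name, rec["eventName"], rec["userIdentity"]["arn"], rec["sourceIPAddress"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT %-22s %-16s %s from %s" % hit)
```

The RULES strings are in the form accepted by aws logs put-metric-filter --filter-pattern, so a pattern that behaves as expected here can be copied into a real filter unchanged. StopLogging and UpdateTrail are included alongside DeleteTrail because an attacker who wants to blind CloudTrail does not need to delete the trail; a filter that watches only DeleteTrail misses the quieter options.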

749
Multi-Selecteasy

A security engineer is configuring a VPC with a public subnet for web servers and a private subnet for databases. The web servers need to download patches from the internet. Which TWO components are required to allow the web servers to access the internet while keeping the database servers isolated?

Select 2 answers
A.Internet gateway attached to the VPC.
B.VPC endpoint for Amazon S3.
C.Transit gateway between the public and private subnets.
D.NAT gateway in the public subnet.
E.Virtual private gateway attached to the VPC.
AnswersA, D

Internet gateway enables communication between the VPC and the internet.

Why this answer

Option A is correct because an internet gateway is what gives the VPC a route to the internet; the web servers in the public subnet reach it directly through their public or Elastic IPs and a 0.0.0.0/0 route to the gateway. Option D is correct because a NAT gateway placed in the public subnet lets instances in the private subnet (such as database servers that also need patches) initiate outbound connections while nothing on the internet can initiate a connection to them. Option E is wrong because a virtual private gateway terminates site-to-site VPN and Direct Connect, not internet access.

Option C is wrong because a transit gateway interconnects VPCs and on-premises networks; two subnets in one VPC do not need it. Option B is wrong because an S3 gateway endpoint provides private access to S3 only, not to arbitrary patch repositories.

750
MCQhard

A company needs to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI was encrypted using a customer managed key (CMK) in AWS KMS. What steps are required to allow the target account to launch an EC2 instance from the shared AMI?

A.Modify the AMI launch permissions to include the target account and add the target account to the KMS key policy
B.Copy the AMI and share the copy; the key is automatically shared
C.Only modify the AMI launch permissions to include the target account
D.Only add the target account to the KMS key policy
AnswerA

Both the AMI and key must be accessible to the target account.

Why this answer

Option A is correct because the target account needs two things: launch permission on the AMI (which also requires the backing snapshot to be shared) and permission on the KMS key that encrypts the snapshot, granted in the key policy (the documented minimum is kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant and kms:Decrypt). Option C is wrong because the target account can see the AMI but cannot decrypt its snapshot. Option D is wrong because key access without launch permission gives no access to the AMI.

Option B is wrong because copying the AMI does not share the key, and an AMI whose snapshots are encrypted with the AWS managed key for EBS cannot be shared at all; it must first be copied and re-encrypted with a customer managed key.
