AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 751825

1738 questions total · 24 pages · All types, answers revealed

Page 11 of 24
751
Multi-Select · medium

Which TWO actions are valid ways to send application logs from an EC2 instance to Amazon CloudWatch Logs? (Select TWO.)

Select 2 answers
A. Configure the EC2 instance to stream syslog to AWS CloudTrail.
B. Write logs to an S3 bucket and use S3 event notifications to send to CloudWatch Logs.
C. Install and configure the unified CloudWatch agent on the EC2 instance.
D. Enable VPC Flow Logs to capture application traffic.
E. Install and configure the legacy CloudWatch Logs agent.
Answers: C, E

The unified agent can collect logs and metrics.

Why this answer

Options C and E are correct. Option C: the unified CloudWatch agent can collect logs and send them to CloudWatch Logs. Option E: the older CloudWatch Logs agent (awslogs) can also send logs.

Option A is wrong because CloudTrail is for API logging, not application logs. Option B is wrong because S3 does not directly send to CloudWatch Logs. Option D is wrong because VPC Flow Logs are for network traffic.

752
MCQ · hard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The security team uses Amazon GuardDuty and has enabled Amazon Detective. Recently, GuardDuty raised a 'Recon:EC2/PortProbeUnprotectedPort' finding for one of the instances. The security engineer verified that the ALB security group only allows inbound HTTP/HTTPS from the internet. However, the finding indicates that the instance is receiving probes on port 22 (SSH). Further investigation with Detective shows that the probes originate from multiple IP addresses and are reaching the instance's private IP address. The engineer suspects that the SSH port is exposed despite the security group configuration. What is the MOST likely cause of this exposure?

A. The EC2 instance's security group allows inbound SSH from 0.0.0.0/0.
B. VPC Flow Logs are misconfigured and are inadvertently forwarding traffic to the instance.
C. AWS Shield Advanced is causing false positives by marking legitimate traffic as probes.
D. The ALB security group has an inbound rule that allows SSH from the internet.
Answer: A

If the instance's security group allows SSH from anywhere, the instance is exposed even if behind an ALB.

Why this answer

The GuardDuty finding 'Recon:EC2/PortProbeUnprotectedPort' indicates that an EC2 instance is receiving unsolicited probes on a port that should not be publicly accessible. Since the ALB security group only allows HTTP/HTTPS from the internet, but the probes are reaching the instance's private IP on port 22 (SSH), the most likely cause is that the instance's own security group has an inbound rule allowing SSH from 0.0.0.0/0. This bypasses the ALB's security group because the instance's security group is evaluated independently for direct traffic to the instance's private IP, and if it permits SSH from anywhere, the probes will reach the instance.

Exam trap

The trap here is that candidates assume the ALB's security group fully protects the backend instances, forgetting that instances have their own security groups that are evaluated independently for direct traffic to their private IPs.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs are a monitoring feature that captures metadata about IP traffic; they do not forward or route traffic to instances, so misconfiguration cannot cause exposure. Option C is wrong because AWS Shield Advanced is a DDoS protection service that does not generate false positives for port probes; GuardDuty findings are independent of Shield, and Shield does not mark legitimate traffic as probes. Option D is wrong because the ALB security group only allows HTTP/HTTPS from the internet, and even if it allowed SSH, that would only affect traffic to the ALB, not directly to the instance's private IP; the probes are reaching the instance directly, not through the ALB.

753
MCQ · hard

A company uses AWS KMS to encrypt data at rest in Amazon RDS for MySQL. The security team needs to ensure that the RDS instance can only be decrypted by a specific IAM role used by the production application, and not by any other IAM user or role. What is the most secure way to achieve this?

A. Enable key rotation and use a custom key store to isolate the key.
B. Create an IAM policy that denies 'kms:Decrypt' to all principals except the production role, and attach it to the key.
C. Attach the production IAM role to the RDS instance and use a condition in the IAM role's policy to allow decrypt.
D. Modify the KMS key policy to allow 'kms:Decrypt' only for the production role and deny for all other principals.
Answer: D

Key policies directly control access to the KMS key.

Why this answer

Option D is correct because a KMS key policy that grants decrypt permission only to the production role ensures that only that role can decrypt the RDS instance. Option B is wrong because IAM policies alone cannot restrict decryption if the key policy allows broader access. Option C is wrong because RDS does not support attaching IAM roles at the instance level for this purpose.

Option A is wrong because it leaves the key accessible to all users.

754
MCQ · medium

A security team wants to audit who accessed an S3 object that contains sensitive data. Which AWS service provides this capability?

A. AWS Config
B. Amazon CloudWatch Logs
C. S3 Server Access Logs
D. AWS CloudTrail
Answer: C

S3 Server Access Logs record all requests made to a bucket, including object-level operations.

Why this answer

Option C is correct because S3 Server Access Logs provide detailed records about requests. Option D is incorrect because CloudTrail logs API calls but not object-level access unless Data Events are enabled. Option A is incorrect because AWS Config tracks resource configuration, not access.

Option B is incorrect because CloudWatch Logs can store logs but does not generate them by default.

755
MCQ · medium

A company has a requirement to retain AWS CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The company wants to reduce storage costs by automatically moving older logs to a cheaper storage class. Which solution should the company implement?

A. Use S3 Intelligent-Tiering to automatically move logs to the most cost-effective access tier.
B. Configure an S3 Lifecycle policy to transition objects from S3 Standard to S3 Glacier after a specified number of days.
C. Move logs to S3 Standard-IA after 30 days.
D. Use S3 Batch Operations to manually copy logs to S3 Glacier.
Answer: B

S3 Lifecycle policies can automatically transition objects to lower-cost storage classes like Glacier for archival.

Why this answer

Option B is correct because S3 Lifecycle policies can transition objects to Glacier after a specified period. Option A is wrong because S3 Intelligent-Tiering is for unknown access patterns, whereas the goal is to reduce costs for logs that are rarely accessed. Option C is wrong because S3 Standard-IA is for infrequently accessed data but is not the cheapest class for archival.

Option D is wrong because S3 Batch Operations is for bulk actions, not automatic transitions.

756
MCQ · easy

Which IAM feature allows you to grant temporary, limited-privilege credentials for a specific role?

A. Resource-based policies
B. IAM roles
C. AWS STS
D. Service control policies
Answer: C

Security Token Service issues temporary credentials.

Why this answer

Option C is correct because STS is used for temporary credentials. Option B is wrong because IAM roles are the entity, not the feature. Option D is wrong because SCPs are for Organizations.

Option A is wrong because resource-based policies are for granting access to other accounts.

757
MCQ · medium

A company uses AWS Key Management Service (KMS) to encrypt data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which action should be taken?

A. Apply an SCP that denies kms:ScheduleKeyDeletion for all accounts.
B. Create an IAM policy that denies kms:ScheduleKeyDeletion for the key.
C. Enable automatic key rotation.
D. Enable deletion protection on the key.
Answer: B

This prevents authorized users from scheduling key deletion.

Why this answer

Enabling key rotation does not prevent deletion; the way a key is deleted is to disable it and schedule its deletion. To prevent accidental deletion, the scheduling action itself must be blocked. A CloudWatch alarm on the deletion event would be a detective control only, but the question asks to prevent accidental deletion.

The correct answer is to use an IAM policy that denies kms:ScheduleKeyDeletion for the specific key. Option D (enabling deletion protection) does not exist for KMS. Option C (rotation) does not prevent deletion.

Option A (SCP) can help, but it applies at the organization level. The best choice is the IAM policy.

758
Multi-Select · medium

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A. Amazon VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon Athena
E. Amazon GuardDuty
Answers: A, D

Captures network traffic metadata.

Why this answer

Amazon VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. To perform forensic analysis on this raw flow log data, you can use Amazon Athena to query the logs directly from S3 using standard SQL, enabling efficient filtering and pattern detection across large volumes of network traffic.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (network metadata) with AWS CloudTrail (API activity) or GuardDuty (threat detection), failing to recognize that forensic analysis of raw traffic requires both a capture mechanism and a query engine like Athena.

759
MCQ · hard

A company is designing a network architecture for a multi-tier web application. The application consists of a public-facing ALB, web servers in private subnets, and an RDS database in isolated subnets. The security team requires that the web servers have no direct internet access. Which VPC configuration meets this requirement?

A. Public subnets with an Internet Gateway.
B. Isolated subnets with no route to the internet.
C. Private subnets with a NAT Gateway in a public subnet.
D. Private subnets with a VPN connection to the corporate network.
Answer: C

Private subnets have no direct inbound internet, but NAT enables outbound.

Why this answer

Option C is correct because private subnets with a NAT Gateway allow outbound internet access for updates while preventing inbound internet traffic. Option A is wrong because public subnets have direct internet access. Option B is wrong because isolated subnets cannot access the internet even for updates.

Option D is wrong because a VPN does not provide internet access.

760
MCQ · easy

A security team needs to centrally manage permissions for multiple AWS accounts. Which AWS service should they use?

A. AWS IAM
B. AWS Config
C. AWS Organizations with service control policies (SCPs)
D. AWS CloudTrail
Answer: C

Organizations centrally manage accounts and permissions.

Why this answer

AWS Organizations with service control policies (SCPs) is the correct choice because SCPs allow you to centrally manage permissions across multiple AWS accounts by defining maximum permissions for member accounts. Unlike IAM policies that are attached to users or roles within a single account, SCPs act as a guardrail at the organization or organizational unit (OU) level, restricting what actions accounts and their IAM principals can perform, even if the account's own IAM policies allow more.

Exam trap

The trap here is that candidates often confuse AWS IAM (which manages permissions within a single account) with the need for cross-account permission management, leading them to select IAM instead of recognizing that AWS Organizations with SCPs is the correct service for central governance across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS IAM manages permissions for users, groups, and roles within a single AWS account, not across multiple accounts centrally. Option B is wrong because AWS Config is a service for evaluating resource configurations against rules and tracking compliance, not for managing permissions. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not enforce or manage permissions.

761
MCQ · hard

A security engineer runs the above AWS CLI command to search for CreateKey events in CloudTrail. The command returns no events, but the security engineer knows that a KMS key was created in us-east-1 on January 1, 2023. What is the most likely reason for the empty result?

A. The event name is incorrect; the correct event is 'CreateKey' but it is case-sensitive
B. The CloudTrail trail is not multi-region and is configured in a different region
C. The user does not have permission to view KMS events in CloudTrail
D. The time range specified is outside the retention period of CloudTrail
Answer: B

If the trail is single-region and in another region, us-east-1 events are not captured.

Why this answer

The CloudTrail event name for creating a KMS key is 'CreateKey', so Option A does not explain the result: the command already uses the correct event name, and there is no other name under which the event would be logged. CreateKey is a management event, not a data event, and CloudTrail logs management events by default, so the event should have been recorded if a trail was logging in us-east-1.

The command specifies the us-east-1 region. If the trail is not multi-region and is configured in a different region, the event is not captured and the lookup returns nothing. Although the exhibit does not show the trail configuration, this is the most common cause of an empty result and the most likely explanation here, so Option B is correct.

Option D is wrong because the specified time range covers the January 1, 2023 creation date. Option C is less likely because nothing in the scenario indicates a permission problem.

762
MCQ · hard

A financial services company is designing a data protection strategy for its DynamoDB table containing sensitive customer data. The table has a global secondary index (GSI). The company needs to encrypt the data at rest using a customer managed key (CMK) that is rotated annually. Which solution meets these requirements?

A. Create the table with default encryption, then update the table to use a CMK and enable automatic rotation
B. Create the table without encryption, then enable encryption on the table and GSI separately using a CMK
C. Create the table with an AWS managed key and use AWS KMS automatic rotation
D. Create the table with a customer managed key (CMK) and enable automatic key rotation
Answer: D

CMK with auto rotation meets requirements; GSI inherits encryption.

Why this answer

DynamoDB supports encryption at rest using AWS KMS. When a table is created, you can specify a CMK. The GSI inherits the encryption settings from the base table.

Option D is correct because you can specify a CMK at table creation and enable automatic key rotation. Option A is incorrect because you cannot change the encryption key after table creation without recreating the table. Option C is incorrect because using an AWS managed key does not allow customer-controlled rotation.

Option B is incorrect because enabling encryption on the GSI separately is not supported; encryption is inherited from the table.

763
Multi-Select · easy

Which TWO AWS services can be used to centrally manage permissions across multiple AWS accounts?

Select 2 answers
A. AWS Single Sign-On
B. AWS Config
C. AWS WAF
D. AWS Identity and Access Management (IAM)
E. AWS Organizations
Answers: A, E

SSO manages permissions across accounts.

Why this answer

AWS Organizations allows policy-based management across accounts. AWS SSO provides single sign-on and permission sets. Option D is wrong because IAM is a single-account service.

Option B is wrong because AWS Config is for resource compliance. Option C is wrong because AWS WAF is a web application firewall.

764
MCQ · medium

A company wants to protect data in transit between its on-premises network and Amazon VPC using IPsec VPN. Which AWS service should be used to establish this VPN connection?

A. AWS Client VPN
B. AWS Site-to-Site VPN
C. AWS Transit Gateway
D. AWS Direct Connect
Answer: B

Provides IPsec VPN tunnels.

Why this answer

Option B is correct because AWS Site-to-Site VPN provides IPsec VPN connections between on-premises networks and VPCs. Option D is incorrect because AWS Direct Connect is a dedicated connection, not an IPsec VPN. Option A is incorrect because Client VPN is for individual users.

Option C is incorrect because Transit Gateway is used to connect multiple VPCs, but the VPN connection itself is established using Site-to-Site VPN.

765
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. The bucket policy allows cross-account access. However, logs from member accounts are not being delivered. What is the most likely cause?

A. CloudTrail cannot deliver logs to a bucket in a different account.
B. The S3 bucket is not configured with a CloudTrail prefix.
C. CloudTrail is not enabled in the member accounts.
D. The S3 bucket policy does not grant `s3:PutObject` permission to the member accounts.
Answer: D

Without this permission, CloudTrail cannot write logs to the bucket.

Why this answer

Option D is correct because CloudTrail in member accounts must have permission via a bucket policy that grants the `s3:PutObject` action. Option C is incorrect because CloudTrail event history is enabled by default for the last 90 days, which is unrelated to delivery. Option A is incorrect because CloudTrail supports delivering logs to another account's S3 bucket.

Option B is incorrect because CloudTrail logs are delivered to a prefix, not a separate bucket.

766
MCQ · hard

A company wants to allow cross-account access to an S3 bucket. The bucket owner (Account A) wants to grant read-only access to users in Account B. Which combination of policies is required?

A. A bucket ACL in Account A granting READ access to Account B
B. A bucket policy in Account A granting s3:GetObject to Account B and an IAM policy in Account B allowing s3:GetObject
C. An IAM policy in Account A that allows s3:GetObject
D. An IAM role in Account B that grants s3:GetObject to Account A
Answer: B

Both policies are needed: the bucket policy allows cross-account access, and the IAM policy allows the user to perform the action.

Why this answer

Option B is correct because cross-account access requires both a bucket policy granting access and an IAM policy in the accessing account allowing the action. Option C is wrong because a policy in Account A alone would require Account B's users to assume a role in Account A. Option A is wrong because a bucket ACL is not the recommended method and does not work with IAM policies alone.

Option D is wrong because the accessing account must have an IAM policy that allows the action.

767
MCQ · easy

A company wants to log all API calls made in their AWS account for auditing. Which AWS service should be enabled to capture these logs?

A. VPC Flow Logs
B. Amazon CloudWatch Logs
C. Amazon S3 server access logs
D. AWS CloudTrail
Answer: D

CloudTrail records all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API activity. Option A is wrong because VPC Flow Logs capture network traffic. Option B is wrong because CloudWatch Logs stores logs; it does not capture API calls.

Option C is wrong because S3 server access logs only cover requests made to S3 storage.

768
MCQ · hard

A company uses Amazon RDS for PostgreSQL with encryption at rest enabled using AWS KMS. The security team wants to ensure that database backups (automated snapshots) are also encrypted and that the encryption key can be rotated on demand without re-encrypting the data. Which approach should be taken?

A. Use a separate KMS key for backups by enabling 'Copy tags to snapshots' and specifying a different key.
B. Disable the old KMS key and enable a new KMS key for the RDS instance. The old backup will remain encrypted with the old key.
C. Enable automatic key rotation in KMS and import new key material every 90 days.
D. Create a new KMS key and modify the RDS instance to use the new key. The existing backup will be re-encrypted with the new key when the instance is modified.
Answer: D

Modifying the RDS instance to use a new KMS key triggers a re-encryption of the data and backups.

Why this answer

Option D is correct because KMS supports automatic key rotation and manual rotation by creating a new key and updating the RDS instance to use it, which re-encrypts the data with the new key. Option C is wrong because RDS does not support importing key material. Option B is wrong because disabling the old key would break access to existing backups.

Option A is wrong because RDS does not support using a different key for backups; backups use the same key as the DB instance.

769
MCQ · medium

A security engineer has attached the above IAM policy to a user. The user reports that they cannot upload objects to the S3 bucket from their office, which has a public IP address of 198.51.100.50. What is the MOST likely reason for the failure?

A. The policy does not specify the bucket resource for the PutObject action.
B. The policy is not attached to the user.
C. The policy restricts access to the 10.0.0.0/8 IP range, but the user's IP is outside that range.
D. The policy does not allow the s3:PutObject action.
Answer: C

The condition requires the source IP to be in 10.0.0.0/8.

Why this answer

Option C is correct because the policy only allows access from the 10.0.0.0/8 IP range, but the user's office IP is 198.51.100.50, which is outside that range. Option D is wrong because the policy allows s3:PutObject. Option B is wrong because the policy applies to the user.

Option A is wrong because the resource for s3:PutObject is the bucket contents (*), so the bucket itself does not need to be specified as the resource for that action.

770
Multi-Select · easy

A security engineer is investigating a possible data exfiltration from an S3 bucket. Which THREE AWS services can be used to detect and alert on suspicious activity? (Choose THREE.)

Select 3 answers
A. Amazon CloudWatch Logs
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Config
E. Amazon Macie
Answers: B, C, E

GuardDuty can detect suspicious S3 activity such as unusual data access.

Why this answer

Option C is correct: CloudTrail can log S3 API calls. Option B is correct: GuardDuty can detect suspicious S3 activity. Option E is correct: Macie can identify sensitive data and anomalous access patterns.

Option A is wrong because CloudWatch Logs is a log destination, not a detection service. Option D is wrong because AWS Config is for configuration compliance, not threat detection.

771
MCQ · hard

A security engineer is troubleshooting an issue where CloudTrail logs for a single AWS account are not being delivered to the centralized S3 bucket in the logging account. The engineer has verified that the CloudTrail trail is enabled, the S3 bucket policy allows CloudTrail to write, and the bucket exists. However, no log files have been delivered for the past 6 hours. The engineer checks the CloudTrail console and sees that the trail status shows 'Logging' but the latest log file time is from 8 hours ago. The engineer suspects a permission issue but cannot find any explicit deny in the bucket policy. What is the MOST likely cause of this issue?

A. The CloudTrail trail is not configured to deliver to a cross-account bucket.
B. The CloudTrail trail is configured with a role that does not have S3 full access.
C. The S3 bucket is in a different region than the CloudTrail trail.
D. The KMS key policy used by the S3 bucket does not grant CloudTrail permission to use the key.
Answer: D

CloudTrail needs kms:Decrypt permission on the KMS key to write to SSE-KMS encrypted buckets.

Why this answer

The issue is likely that the KMS key used for server-side encryption of the S3 bucket is not configured to allow CloudTrail to decrypt logs. CloudTrail requires decrypt permission on the KMS key to write logs, even if the trail uses SSE-S3 for the log files themselves. The bucket policy may allow CloudTrail to write, but if the KMS key policy does not grant kms:Decrypt to the CloudTrail service principal, log delivery will fail.

Option D is correct because the KMS key policy likely needs a statement allowing CloudTrail to use the key. Option B is wrong because CloudTrail does not need S3 full access, only write access. Option C is wrong because the bucket exists and is accessible.

Option A is wrong because CloudTrail can deliver to a bucket in another account with the proper permissions.

772
MCQ · easy

A developer needs to run an application on an EC2 instance that accesses an S3 bucket. What is the best practice for granting permissions?

A. Use an SCP to allow S3 access for the instance.
B. Create a bucket policy that grants access to the instance ID.
C. Store AWS access keys on the instance and use them in the application.
D. Create an IAM role with S3 access and attach it to the EC2 instance profile.
Answer: D

Roles avoid long-term credentials and follow best practices.

Why this answer

Option D is correct because IAM roles are the secure and recommended way to grant permissions to EC2. Option C is wrong because access keys are less secure. Option B is wrong because the bucket policy should not grant access to the instance; it should grant access to the role.

Option A is wrong because a service control policy does not grant permissions.

773
Multi-Select · hard

A company has enabled Amazon GuardDuty in multiple AWS accounts. The security team wants to centralize GuardDuty findings into a single account for analysis. Which THREE steps are required to achieve this? (Choose THREE.)

Select 3 answers
A. Configure CloudWatch Logs cross-account subscription to aggregate findings.
B. Create an EventBridge rule to forward findings to the master account.
C. Invite member accounts to join the GuardDuty master account.
D. Accept the invitation in each member account.
E. Designate one account as the GuardDuty master account.
Answers: C, D, E

Invitation process.

Why this answer

Options C, D, and E are correct because in Amazon GuardDuty, to centralize findings from multiple accounts, you must designate a master account, invite member accounts to join, and accept the invitation in each member account. The invitation process establishes a trusted relationship where the master account can aggregate and analyze findings from all member accounts. Without these steps, the master account cannot receive findings from other accounts.

Exam trap

The trap here is that candidates often confuse the GuardDuty multi-account setup with other cross-account aggregation methods (like CloudWatch Logs subscription filters or EventBridge cross-account rules), but GuardDuty has its own built-in master-member mechanism that does not require those services.

774
MCQ · hard

Refer to the exhibit. A security engineer is troubleshooting why an IAM user (Alice) cannot encrypt data using a KMS key. Alice has full S3 and KMS permissions via an IAM policy. The key policy is shown. Which statement explains the issue?

A. The key policy is missing a statement to allow the IAM user to use the key via IAM policies
B. The IAM user does not have the kms:Encrypt permission in their IAM policy
C. The key policy does not include the root account principal
D. The key policy does not allow the IAM user to use the key for any action
Answer: D

Only Admin role gets kms:Put* and kms:Create*, not encrypt.

Why this answer

The key policy only grants kms:Put* and kms:Create* to the Admin role, not to Alice. Since the key policy does not allow Alice's actions, the IAM policy alone is insufficient, because KMS requires the key policy to grant access unless the key policy delegates to IAM policies. Option D correctly identifies that the key policy does not allow Alice to use the key for kms:Encrypt or any other action.

Option C is incorrect because root is allowed; Option A is wrong because the key policy is intentionally restrictive; Option B is wrong because Alice has the IAM permissions, but the key policy does not allow them.

775
MCQ · easy

A company wants to monitor for unauthorized changes to its Amazon S3 bucket policies. Which AWS service should be used to detect such changes?

A. AWS Config
B. AWS CloudTrail
C. Amazon GuardDuty
D. Amazon CloudWatch Logs Insights
Answer: A

AWS Config can evaluate resource configurations against rules, including S3 bucket policies.

Why this answer

Option A is correct because AWS Config has managed rules like 's3-bucket-policy-not-more-permissive' that can evaluate bucket policies. Option B is incorrect because CloudTrail logs API calls but does not evaluate policies. Option C is incorrect because GuardDuty detects threats, not policy compliance.

Option D is incorrect because CloudWatch Logs Insights can query logs but is not proactive detection.

776
Multi-Select · medium

A company is designing a data protection strategy for Amazon EBS volumes. Which THREE practices should be implemented? (Choose THREE.)

Select 3 answers
A. Enable encryption by default for new EBS volumes
B. Use S3 Object Lock to prevent deletion of snapshots
C. Enable automated backups for Amazon RDS
D. Take regular snapshots of EBS volumes and store them in a different region
E. Use EBS multi-attach for high availability
Answers: A, D, E

This ensures all new volumes are encrypted.

Why this answer

Options A, D, and E are correct for EBS data protection. Option B is for S3. Option C is for RDS.

777
Multi-Select · hard

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A. Configure the target group to use HTTPS protocol.
B. Enable encryption at rest on the EC2 instances.
C. Use a network load balancer instead of an ALB.
D. Assign a certificate from ACM to the ALB listener.
E. Configure the ALB listener to use HTTPS protocol.
Answers: A, E

HTTPS target group ensures encryption between ALB and EC2.

Why this answer

Option A is correct because configuring the target group to use HTTPS protocol ensures that traffic between the Application Load Balancer (ALB) and the EC2 instances is encrypted in transit. This enforces TLS encryption on the backend connection, meeting the requirement for data-in-transit protection between the ALB and instances.

Exam trap

The trap here is that candidates often assume assigning a certificate to the ALB listener alone (Option D) is sufficient for encryption in transit, overlooking that the target group protocol must also be HTTPS to enforce encryption on the backend connection between the ALB and EC2 instances.

778
Multi-Selectmedium

A security engineer is investigating a potential security incident. Which TWO AWS services can be used to analyze historical network traffic patterns? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.AWS CloudTrail
E.Amazon Athena
AnswersB, E

VPC Flow Logs capture network traffic metadata.

Why this answer

Options B and E are correct. VPC Flow Logs capture IP traffic information, and Amazon Athena can query VPC Flow Logs stored in S3. Option D is wrong because CloudTrail records API calls, not network traffic.

Option A is wrong because GuardDuty is for real-time threat detection. Option C is wrong because CloudWatch Logs can store flow logs but is not primarily for analysis.

779
Multi-Selectmedium

A company is implementing a data protection strategy for Amazon S3. Which TWO actions should be taken to protect data from accidental deletion or overwrite?

Select 2 answers
A.Enable cross-region replication
B.Enable MFA Delete on the bucket
C.Apply a bucket policy that denies s3:DeleteObject
D.Enable S3 Versioning on the bucket
E.Enable default encryption on the bucket
AnswersB, D

Requires MFA for delete operations.

Why this answer

Options B and D are correct. Enable versioning to preserve previous versions, and enable MFA Delete to require multi-factor authentication for deletions. Option C is wrong because bucket policies alone do not prevent deletion.

Option E is wrong because encryption does not prevent deletion. Option A is wrong because replication does not protect against deletion in the source bucket.

780
Multi-Selecthard

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to a VPC. The security team wants to encrypt traffic over the Direct Connect connection. Which TWO options can be used? (Choose TWO.)

Select 2 answers
A.Use AWS KMS to encrypt the traffic.
B.Use AWS Certificate Manager to issue certificates for the connection.
C.Enable MACsec on the Direct Connect connection.
D.Use SSL/TLS to encrypt the traffic between on-premises and AWS.
E.Establish an IPsec VPN tunnel over the Direct Connect connection.
AnswersC, E

MACsec provides encryption at the data link layer.

Why this answer

Option E is correct because an IPsec VPN can be established over the private VIF to encrypt traffic. Option C is correct because MACsec can be enabled at the data link layer for encryption. Option D is wrong because SSL/TLS is application-level encryption, not for the link.

Option A is wrong because AWS KMS does not encrypt network traffic. Option B is wrong because AWS Certificate Manager does not encrypt traffic.

781
MCQhard

A company is using Amazon GuardDuty to detect threats. The security team notices that GuardDuty findings are not triggering the intended automated response via a CloudWatch Events rule. What is the most likely reason?

A.The CloudWatch Events rule's event pattern does not match the GuardDuty finding event structure.
B.The GuardDuty detector is in a different region than the CloudWatch Events rule.
C.The Lambda function invoked by CloudWatch Events does not have an IAM role assigned.
D.VPC Flow Logs are not enabled.
AnswerA

The event pattern must specify 'source': ['aws.guardduty'] and 'detail-type': ['GuardDuty Finding'] to match.

Why this answer

Option A is correct because GuardDuty sends findings as custom events in the 'aws.guardduty' source; the CloudWatch Events rule must have an event pattern that matches this source and detail type. Option D is incorrect because GuardDuty does not require VPC Flow Logs to generate findings. Option B is incorrect because GuardDuty findings are generated in the region where GuardDuty is enabled; cross-region aggregation is not a common issue.

Option C is incorrect because IAM roles are not required for CloudWatch Events to trigger a Lambda function; Lambda needs a role to execute, but that would not prevent the event from triggering.
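
The matching failure in question 781 can be checked without deploying a rule. The block below is an added example, not AWS code: it implements the subset of EventBridge (CloudWatch Events) pattern semantics that GuardDuty rules depend on (every key in the pattern must be present in the event, the event value must be one of the listed alternatives, nested objects match recursively, and a `{"prefix": ...}` alternative matches a string prefix) and runs a working pattern and two broken ones against a constructed finding event. The event's `id`, `account` and other identifiers are placeholders, and the event is trimmed to the fields the patterns touch.

```python
"""Added example (not AWS code): why a CloudWatch Events / EventBridge rule
silently ignores GuardDuty findings when its event pattern is wrong.

Matching is exact and case-sensitive; a pattern that names the wrong key or
mis-cases 'GuardDuty Finding' never fires and produces no error anywhere.
"""

# Constructed sample in the shape GuardDuty publishes; ids are placeholders.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",   # placeholder
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",                      # placeholder
    "region": "us-east-1",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "resource": {"resourceType": "Instance"},
    },
}


def _value_matches(alternatives, value):
    """One event value against the list of alternatives in the pattern."""
    for alt in alternatives:
        if isinstance(alt, dict) and "prefix" in alt:
            if isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def pattern_matches(pattern, event):
    """Every key in the pattern must be present in the event and match;
    keys absent from the pattern are unconstrained."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and pattern_matches(allowed, value)):
                return False
        elif not _value_matches(allowed, value):
            return False
    return True


# The pattern the explanation calls for: matches every GuardDuty finding.
WORKING_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Mis-cased detail-type: never matches, and nothing reports the mistake.
WRONG_CASE_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty finding"]}

# Right top-level keys, wrong nested key: findings carry 'type', not 'findingType'.
WRONG_KEY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"findingType": ["Recon:EC2/PortProbeUnprotectedPort"]},
}

# Narrowing correctly: only reconnaissance findings, via a prefix match on 'type'.
RECON_ONLY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "Recon:"}]},
}


def rule_fires(pattern, event=SAMPLE_FINDING_EVENT):
    """True if a rule with this pattern would invoke its target for the event."""
    return pattern_matches(pattern, event)


if __name__ == "__main__":
    for name, p in [("working", WORKING_PATTERN), ("wrong case", WRONG_CASE_PATTERN),
                    ("wrong key", WRONG_KEY_PATTERN), ("recon only", RECON_ONLY_PATTERN)]:
        print(f"{name:10s} -> {rule_fires(p)}")
```

When a rule does not fire, compare its pattern against a real finding event captured from a test target (a CloudWatch Logs target on a catch-all `{"source": ["aws.guardduty"]}` rule works) rather than against the documentation alone.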

782
MCQhard

A Security Engineer is troubleshooting why AWS CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail access. What is a likely cause of the issue?

A.The S3 bucket uses SSE-KMS and the key policy does not grant CloudTrail permission
B.The S3 bucket has a lifecycle policy that deletes objects too quickly
C.CloudTrail is not enabled in the region
D.The S3 bucket is in a different region than the trail
AnswerA

CloudTrail needs kms:GenerateDataKey and kms:Decrypt permissions.

Why this answer

When an S3 bucket uses SSE-KMS (Server-Side Encryption with AWS KMS), CloudTrail must have explicit permissions in the KMS key policy to decrypt the key and encrypt log files. Even if the S3 bucket policy grants CloudTrail access, the KMS key policy is a separate authorization layer; without a statement allowing CloudTrail to use the kms:GenerateDataKey and kms:Decrypt actions, log delivery will fail silently or with access denied errors.

Exam trap

The trap here is that candidates assume the S3 bucket policy is the only authorization layer, overlooking that KMS key policies act as an independent permission boundary when SSE-KMS is used, leading them to choose incorrect options like cross-region or lifecycle issues.

How to eliminate wrong answers

Option B is wrong because a lifecycle policy that deletes objects too quickly would cause logs to be removed after delivery, not prevent delivery itself; CloudTrail would still successfully deliver logs initially. Option C is wrong because CloudTrail must be enabled in the region where the trail is created, but the question states the trail exists and is not delivering logs, implying it is enabled; the issue is not about enabling the service. Option D is wrong because CloudTrail can deliver logs to an S3 bucket in a different region; cross-region delivery is supported and not a cause of delivery failure.

783
Multi-Selectmedium

A company is designing a data protection strategy for sensitive customer data stored in Amazon S3. Which TWO actions should be taken to protect the data from accidental deletion?

Select 2 answers
A.Use S3 Object Lock with retention mode.
B.Enable cross-region replication to another bucket.
C.Configure an S3 bucket policy that denies s3:DeleteObject for all principals.
D.Enable MFA Delete on the S3 bucket.
E.Enable S3 Versioning on the bucket.
AnswersD, E

Requires MFA to delete objects.

Why this answer

Options D and E are correct. MFA Delete adds an extra authentication factor for delete operations. S3 Versioning allows recovery of deleted objects.

Option C is wrong because bucket policies do not prevent deletion by authorized users. Option B is wrong because cross-region replication does not protect against deletion in the source bucket. Lifecycle policies are not a protection either, because lifecycle rules can themselves delete objects.

784
MCQmedium

A company has enabled CloudTrail in all regions and is logging to a single S3 bucket. The security team needs to ensure that any attempted deletion of CloudTrail logs generates an immediate alert. Which solution meets this requirement?

A.Configure an S3 event notification on the bucket for s3:ObjectRemoved:* events, invoke a Lambda function to publish to an SNS topic.
B.Use AWS Config to create a rule that checks for deleted objects and sends an SNS notification.
C.Enable CloudTrail Insights to detect unusual deletion activity and send alerts.
D.Create a CloudWatch Logs metric filter on the CloudTrail log group for DeleteObject events and trigger an alarm.
AnswerA

S3 events can trigger real-time alerts for object deletions.

Why this answer

S3 event notifications can trigger a Lambda function to send a notification via SNS when an object delete action occurs. Option A is correct because it integrates S3 events with Lambda and SNS for real-time alerting. Option D is wrong because CloudWatch Logs does not directly monitor S3 object deletions.

Option C is wrong because CloudTrail Insights detects unusual API activity, not specific delete events in S3. Option B is wrong because Config rules evaluate resource configurations, not real-time events.
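
The Lambda side of the chain chosen in question 784, as an added example that is not AWS-provided code: the handler receives the S3 event notification for `s3:ObjectRemoved:*` events, extracts what an on-call engineer needs (bucket, key, event name, principal, source IP, time) and publishes one SNS message per deleted object. The SNS client is injected so the function can be exercised offline; the sample event is constructed, and the topic ARN, bucket name, object key and principal ID are placeholders.

```python
"""Added example, not AWS code: Lambda handler for S3 ObjectRemoved
notifications that raises an SNS alert for each deleted log object."""
import json
from urllib.parse import unquote_plus

SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cloudtrail-log-deletion"  # placeholder


def build_alert(record):
    """Flatten one S3 event record into the fields an alert needs."""
    s3 = record["s3"]
    return {
        "event": record["eventName"],        # ObjectRemoved:Delete or ObjectRemoved:DeleteMarkerCreated
        "time": record["eventTime"],
        "bucket": s3["bucket"]["name"],
        # Keys arrive URL-encoded in S3 notifications (spaces become '+').
        "key": unquote_plus(s3["object"]["key"]),
        "principal": record.get("userIdentity", {}).get("principalId", "unknown"),
        "source_ip": record.get("requestParameters", {}).get("sourceIPAddress", "unknown"),
    }


def lambda_handler(event, context, sns_client=None):
    """Lambda entry point. Returns the list of alerts it published."""
    if sns_client is None:
        import boto3                          # only needed when running inside Lambda
        sns_client = boto3.client("sns")
    alerts = []
    for record in event.get("Records", []):
        # The notification filter should already be limited to ObjectRemoved:*,
        # but re-check so a misconfigured filter cannot turn every upload into an alert.
        if not record.get("eventName", "").startswith("ObjectRemoved:"):
            continue
        alert = build_alert(record)
        sns_client.publish(
            TopicArn=SNS_TOPIC_ARN,
            Subject=f"CloudTrail log object deleted in {alert['bucket']}",
            Message=json.dumps(alert, indent=2),
        )
        alerts.append(alert)
    return alerts


class RecordingSns:
    """Stand-in for boto3's SNS client so the example runs offline."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": f"local-{len(self.published)}"}


# Constructed event in the S3 notification shape: one deletion, one upload.
SAMPLE_EVENT = {"Records": [
    {
        "eventVersion": "2.1", "eventSource": "aws:s3",
        "eventTime": "2024-01-01T12:00:00.000Z",
        "eventName": "ObjectRemoved:Delete",
        "userIdentity": {"principalId": "AWS:AIDAEXAMPLEPLACEHOLDER"},     # placeholder
        "requestParameters": {"sourceIPAddress": "198.51.100.7"},
        "s3": {"bucket": {"name": "example-cloudtrail-logs"},
               "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example.json.gz"}},
    },
    {
        "eventVersion": "2.1", "eventSource": "aws:s3",
        "eventTime": "2024-01-01T12:00:05.000Z",
        "eventName": "ObjectCreated:Put",
        "userIdentity": {"principalId": "AWS:AROAEXAMPLEPLACEHOLDER"},     # placeholder
        "requestParameters": {"sourceIPAddress": "10.0.1.10"},
        "s3": {"bucket": {"name": "example-cloudtrail-logs"},
               "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/new+object.json.gz"}},
    },
]}


def run_sample():
    """Run the handler offline; returns (alerts, messages handed to SNS)."""
    sns = RecordingSns()
    alerts = lambda_handler(SAMPLE_EVENT, None, sns_client=sns)
    return alerts, sns.published


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(json.dumps(alert, indent=2))
```

Because the bucket holds CloudTrail output, the same event source is the one most worth protecting: the execution role needs only `sns:Publish` on the topic, and the notification configuration itself should be covered by the bucket's deletion protections.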

785
MCQhard

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. A user from IP address 203.0.113.10 tries to download an object using HTTP (not HTTPS). What will happen?

A.The request is allowed because the IP address matches the allow statement.
B.The request is denied because the IP is not in the allowed range.
C.The request is denied because HTTP is used.
D.The request is allowed because the user is using a valid IP.
AnswerC

The deny statement blocks any request using HTTP.

Why this answer

Option C is correct because the first statement denies all S3 actions when HTTPS is not used. Since the request uses HTTP, the condition aws:SecureTransport is false, so the request is denied. The second statement allows GetObject from the specified IP, but the deny statement takes precedence.

Option A is wrong because the deny applies. Option D is wrong because the deny overrides the allow. Option B is wrong because the IP condition is evaluated correctly; the denial is caused by HTTP, not by the address.

786
Multi-Selecthard

A security engineer is investigating a security incident where an EC2 instance was used to launch an outbound denial-of-service (DoS) attack. The engineer needs to collect forensic evidence. Which THREE actions should the engineer take? (Choose three.)

Select 2 answers
A.Reboot the instance to clear any malicious processes.
B.Delete the CloudTrail logs that show the instance's API calls.
C.Create an Amazon EBS snapshot of the instance's root volume.
D.Capture the instance's memory using a tool like LiME or Amazon EC2 instance memory capture.
E.Terminate the instance to stop the attack immediately.
AnswersC, D

EBS snapshots preserve disk state for offline analysis.

Why this answer

Option C is correct because creating an Amazon EBS snapshot of the instance's root volume preserves the file system, logs, binaries, and any persistent artifacts (e.g., malware scripts, modified configuration files) at the time of the incident. This snapshot can be used for offline forensic analysis without altering the original evidence, which is critical for incident response and potential legal proceedings.

Exam trap

The trap here is that candidates may confuse 'stopping the attack' (Option E) with 'preserving evidence,' forgetting that termination destroys volatile data and that forensic capture must occur before any disruptive action.

787
MCQmedium

A company stores sensitive data in an S3 bucket. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). An application writes objects to the bucket but sometimes fails because the encryption key is not found. What is the MOST likely cause?

A.The KMS key is in a different AWS Region than the S3 bucket.
B.The bucket policy does not allow SSE-KMS.
C.The KMS key has expired.
D.The KMS key does not have automatic rotation enabled.
AnswerA

SSE-KMS requires the key to be in the same region as the bucket.

Why this answer

Option A is correct because SSE-KMS requires the KMS key to be in the same region as the S3 bucket; cross-region keys are not supported. Option C is wrong because KMS keys do not expire.

Option D is wrong because SSE-KMS does not require customer master key (CMK) rotation to be enabled.

788
MCQeasy

A company wants to allow users to assume a role in another AWS account to access a specific S3 bucket. What must be configured?

A.A trust policy on the IAM role that allows the user's account to assume the role.
B.An S3 bucket policy that allows the user to access the bucket.
C.An IAM role with a trust policy allowing the user's account and a bucket policy granting the role access to the bucket.
D.A resource-based policy on the S3 bucket that allows the user's account.
AnswerC

Both policies are required for cross-account access via role assumption.

Why this answer

Option C is correct because both the trust policy (in the account with the role) and the resource-based policy (on the bucket) must allow access. Option A is wrong because a trust policy alone is insufficient; the bucket policy must also grant access. Option B is wrong because the bucket policy alone is insufficient; the role trust policy must allow the user to assume the role.

Option D is wrong because resource-based policies alone cannot grant cross-account role assumption.

789
MCQmedium

A security team needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. The solution must be scalable and support future account additions. Which approach meets these requirements?

A.Use Amazon CloudWatch Logs to stream logs from each account to a central account.
B.Use AWS Trusted Advisor to collect logs from all accounts.
C.Configure CloudTrail in each account to deliver logs to the same S3 bucket.
D.Use AWS Organizations to create a CloudTrail trail that applies to all accounts in the organization.
AnswerD

Correct: Centralized logging via organization trail.

Why this answer

Option D is correct because AWS Organizations with CloudTrail allows creating a trail that logs all accounts in the organization, delivering to a single bucket. Option C is wrong because it requires manual configuration per account. Option A is wrong because CloudWatch Logs is not for cross-account log delivery.

Option B is wrong because Trusted Advisor does not collect logs.

790
MCQhard

A security engineer is investigating a potential compromise. They notice that an IAM user 'svc-backup' has been making unusual API calls from an IP address outside the company's VPC. The engineer wants to ensure all future API calls from this user are logged with full event details. However, the current CloudTrail trail is set to log only management events. What should the engineer do to capture the required details?

A.Enable VPC Flow Logs and correlate with CloudTrail logs.
B.Update the existing trail to log data events for IAM.
C.Create a new trail that logs data events for S3 and configure it to deliver to a separate S3 bucket.
D.Enable CloudTrail Insights to detect unusual activity for the user.
AnswerB

IAM data events include API calls like GetUser, ListAccessKeys, etc., which are needed for investigation.

Why this answer

Option B is correct because the trail needs to log data events for IAM to capture calls like GetUser, ListAccessKeys, etc. Option D is wrong because CloudTrail Insights works from management events (control plane), not data events. Option C is wrong because it only captures S3 data events.

Option A is wrong because CloudTrail does not support VPC Flow Logs integration.

791
MCQeasy

A company is designing a data lake on Amazon S3 and needs to encrypt data at rest. The compliance team requires that the encryption keys be managed by the company and not by AWS. Which encryption option should be used?

A.SSE-C
B.SSE-S3
C.Client-side encryption
D.SSE-KMS
AnswerA

Customer provides their own keys.

Why this answer

Option A is correct because SSE-C allows the customer to provide their own encryption keys. Option B is wrong because SSE-S3 keys are managed by AWS. Option D is wrong because SSE-KMS keys are managed by AWS.

Option C is wrong because client-side encryption involves more overhead and is not server-side.

792
MCQeasy

A DevOps engineer needs to monitor failed SSH login attempts to Amazon EC2 instances. Which AWS service should the engineer use to collect and analyze the login events?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.VPC Flow Logs
AnswerB

The CloudWatch Logs agent can collect system log files such as /var/log/auth.log or /var/log/secure where failed SSH attempts are recorded.

Why this answer

Option B is correct because CloudWatch Logs can collect log files from EC2 instances via the CloudWatch agent and can be used to search for failed SSH attempts. Option A is wrong because AWS Config tracks resource configuration changes, not OS-level logs. Option C is wrong because CloudTrail logs API calls, not OS login events.

Option D is wrong because VPC Flow Logs capture network traffic, not OS authentication events.

793
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. Which approach is MOST effective and scalable?

A.Use an S3 bucket policy in each account to deny PutObject without encryption.
B.Use AWS Config rules to mark non-compliant buckets and automatically remediate.
C.Enable CloudTrail and monitor for buckets without encryption.
D.Apply a service control policy (SCP) that denies s3:CreateBucket unless the bucket has encryption enabled.
AnswerD

SCPs can enforce this across all accounts in the organization.

Why this answer

A service control policy (SCP) can deny the creation of S3 buckets without encryption at the organization level, which is the most effective and scalable. S3 bucket policies require per-bucket management, CloudTrail is detective, and Config rules are reactive.

794
Multi-Selectmedium

Which TWO AWS services can be used to monitor and audit data access patterns to Amazon S3 buckets? (Choose 2.)

Select 2 answers
A.AWS Config
B.AWS CloudWatch
C.AWS CloudTrail
D.Amazon S3 Server Access Logs
E.AWS Trusted Advisor
AnswersC, D

Logs S3 API calls.

Why this answer

AWS CloudTrail is correct because it records API activity for Amazon S3, including data-level events such as GetObject, PutObject, and DeleteObject. By enabling data events on a trail, you can capture who accessed which object, from which IP address, and when, providing a complete audit trail for data access patterns.

Exam trap

The trap here is that candidates often confuse AWS Config (which checks configuration compliance) with CloudTrail (which records API activity), or they overlook that S3 Server Access Logs are a separate, native logging feature distinct from CloudTrail.

795
MCQhard

A company is using AWS Organizations with SCPs. The management account has an SCP that denies access to all EC2 actions. A developer in a member account tries to launch an EC2 instance but receives an authorization error. The developer has an IAM policy that allows ec2:RunInstances. What is the most likely cause of the error?

A.The IAM policy does not include the ec2:RunInstances permission.
B.The IAM policy is applied before the SCP.
C.The SCP denies the action, overriding the IAM policy.
D.The SCP is applied only to the root user.
AnswerC

SCPs act as a filter; if denied, the action is blocked.

Why this answer

Option C is correct because SCPs take precedence over IAM policies; if an SCP denies an action, even if the IAM policy allows it, the action is denied. Option B is wrong because SCPs and IAM policies are not applied in sequence; they are evaluated together.

Option D is wrong because SCPs apply to all principals in the member account, including the root user, not just the root user.

796
MCQmedium

A security engineer created the above IAM policy for an S3 bucket. What does this policy accomplish?

A.It allows uploading objects with any server-side encryption.
B.It denies uploading objects with SSE-S3 encryption.
C.It denies uploading objects unless they are encrypted with AWS KMS.
D.It requires objects to be encrypted with a specific KMS key.
AnswerC

The condition denies PutObject when encryption is not KMS.

Why this answer

Option C is correct. The policy denies PutObject if server-side encryption is not AWS KMS (aws:kms). Option A is incorrect because the policy does not allow encryption with just any SSE.

Option B is incorrect because the policy is not specific to SSE-S3; any non-KMS value is denied. Option D is incorrect because the condition is on the encryption type, not on a KMS key ID.
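
Questions 785, 795 and 796 all turn on the same two evaluation rules: an explicit Deny in any applicable statement (bucket policy, SCP or identity policy) wins over every Allow, and with no Deny the request succeeds only if some statement allows it. The block below is an added example, not AWS code: a minimal IAM-style evaluator implementing those rules plus the condition operators the three questions use (Bool, IpAddress, StringEquals, StringNotEquals), including the IAM behaviour that a negated operator such as StringNotEquals evaluates to true when the condition key is absent from the request. The policy documents are constructed reconstructions of the exhibits the questions describe (the exhibits themselves are not on this page); bucket names, object keys and the 203.0.113.0/24 range are assumptions, and Principal matching is left out because every request here is made by the principal the policy targets.

```python
"""Added example, not AWS code: minimal IAM-style policy evaluator covering
explicit-deny precedence and the condition operators used on this page."""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """True if every operator/key pair in the Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() in [str(e).lower() for e in expected]
            elif operator == "StringEquals":
                ok = actual in expected                  # absent key: no match
            elif operator == "StringNotEquals":
                ok = actual not in expected              # absent key: matches (IAM semantics)
            elif operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False)
                    for e in expected)
            else:
                raise ValueError(f"operator {operator} not implemented in this example")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Decide one request across all applicable policies: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                            # explicit deny ends evaluation
            decision = "Allow"
    return decision


# Q785 (reconstructed): deny anything over plain HTTP, allow GetObject from one range.
BUCKET_POLICY_785 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}

# Q796 (reconstructed): deny PutObject unless the request asks for SSE-KMS.
BUCKET_POLICY_796 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}

# Q795: an SCP denying all EC2 actions, next to an identity policy that allows RunInstances.
SCP_DENY_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "s3:PutObject"], "Resource": "*"}]}


def q785(https, source_ip):
    ctx = {"aws:SecureTransport": "true" if https else "false", "aws:SourceIp": source_ip}
    return evaluate([BUCKET_POLICY_785], "s3:GetObject",
                    "arn:aws:s3:::example-bucket/report.csv", ctx)


def q796(sse_header):
    """sse_header is the x-amz-server-side-encryption value, or None when the header is absent."""
    ctx = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY_796], "s3:PutObject",
                    "arn:aws:s3:::example-bucket/data.bin", ctx)


def q795():
    return evaluate([SCP_DENY_EC2, IDENTITY_POLICY], "ec2:RunInstances", "*", {})


if __name__ == "__main__":
    print("785 HTTP from 203.0.113.10:", q785(False, "203.0.113.10"))
    print("785 HTTPS from 203.0.113.10:", q785(True, "203.0.113.10"))
    print("796 AES256:", q796("AES256"), "| aws:kms:", q796("aws:kms"), "| no header:", q796(None))
    print("795 RunInstances under SCP:", q795())
```

The `q796(None)` case is worth noticing: an upload that sends no encryption header is denied by the StringNotEquals statement even though the header it checks is missing, which is exactly the behaviour the bucket owner wants here, and the reason the same policy does not need a separate `Null` condition for this scenario.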

797
Multi-Selectmedium

Which THREE actions should be taken when preparing an incident response plan for AWS?

Select 3 answers
A.Enable AWS CloudTrail in all regions.
B.Share the AWS account root user password with the incident response team.
C.Automate incident response using AWS Systems Manager Automation runbooks.
D.Disable VPC Flow Logs to reduce log volume.
E.Create IAM roles with limited permissions for incident responders.
AnswersA, C, E

CloudTrail provides a log of all API calls for investigation.

Why this answer

AWS CloudTrail must be enabled in all regions to ensure that all API calls across the entire AWS infrastructure are logged. This provides a comprehensive audit trail essential for forensic investigation and identifying the scope of a security incident. Without multi-region CloudTrail, an attacker could operate in an unmonitored region, leaving no trace for incident responders.

Exam trap

The trap here is that candidates may think sharing the root password is acceptable for emergency access, but AWS explicitly prohibits this and recommends using IAM roles with break-glass procedures instead.

798
MCQeasy

A security engineer needs to monitor for suspicious API calls in near real-time and trigger an automated response. Which AWS service should be used to capture and analyze these API calls?

A.AWS CloudHSM
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Config
AnswerC

AWS CloudTrail records API calls for audit and can be integrated with CloudWatch Logs for near real-time monitoring.

Why this answer

Option C is correct because AWS CloudTrail records API calls and can deliver events to CloudWatch Logs for near real-time analysis. Option D is wrong because AWS Config monitors resource configurations, not API calls. Option B is wrong because Amazon GuardDuty is a threat detection service that uses various data sources, but it does not directly capture API calls for custom analysis.

Option A is wrong because AWS CloudHSM is a hardware security module, not a logging service.

799
MCQmedium

An administrator wants to audit all IAM actions in the account. Which AWS service should be used?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerC

CloudTrail records all API calls for auditing.

Why this answer

Option C is correct: AWS CloudTrail records API activity. Option D is wrong because CloudWatch is for monitoring metrics. Option A is wrong because Config tracks resource configuration changes.

Option B is wrong because GuardDuty is for threat detection.

800
MCQhard

A company's security team is implementing a data classification policy for S3 objects using S3 Object Tags. They need to ensure that any object uploaded without the required 'classification' tag is automatically denied. Which S3 bucket policy condition should be used?

A.s3:x-amz-tagging-directive
B.s3:ExistingObjectTag
C.aws:RequestTag
D.s3:object-lock-mode
AnswerB

Checks tags already on the object.

Why this answer

Option B is correct because using 's3:ExistingObjectTag' with a deny condition ensures that if the tag does not exist, the request is denied. Option A is incorrect because 's3:x-amz-tagging-directive' is for copy operations. Option C is incorrect because 'aws:RequestTag' checks tags provided in the request, not existing tags.

Option D is incorrect because 's3:object-lock-mode' is for object lock.

801
MCQeasy

A security engineer needs to monitor for failed SSH login attempts to EC2 instances and send alerts. Which combination of AWS services should be used?

A.VPC Flow Logs and Amazon Athena.
B.AWS CloudTrail and Amazon SNS.
C.Amazon S3 event notifications and AWS Lambda.
D.CloudWatch Logs agent on EC2, CloudWatch Logs metric filter, and CloudWatch Alarm.
AnswerD

This captures OS logs and alerts on failed SSH attempts.

Why this answer

Option D is correct because the CloudWatch Logs agent can capture /var/log/secure (or auth.log) and send it to CloudWatch Logs, which can then trigger a metric filter and alarm. Option B is wrong because CloudTrail does not capture OS-level logs. Option A is wrong because VPC Flow Logs capture network traffic, not SSH login attempts.

Option C is wrong because S3 event notifications are for object-level events.
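
The three-stage pipeline from questions 792 and 801 (agent ships the auth log, metric filter counts matches, alarm fires on a threshold) can be checked offline. The block below is an added example, not AWS code: it carries the agent configuration fragment for shipping `/var/log/secure`, emulates the metric filter's quoted-term match, attributes each failure to its source address and applies an alarm threshold, all over a constructed set of sshd log lines. The log group name, the threshold and the IP addresses are assumptions.

```python
"""Added example, not AWS code: failed-SSH-login detection logic mirrored
locally over constructed /var/log/secure lines."""
import re
from collections import Counter

# Unified CloudWatch agent fragment for shipping the auth log (names assumed).
# Debian/Ubuntu hosts log to /var/log/auth.log instead of /var/log/secure.
AGENT_CONFIG = {
    "logs": {"logs_collected": {"files": {"collect_list": [{
        "file_path": "/var/log/secure",
        "log_group_name": "/ec2/auth",            # assumed
        "log_stream_name": "{instance_id}",
    }]}}}
}

# CloudWatch Logs metric filter pattern: a quoted term matches any line containing it.
METRIC_FILTER_PATTERN = '"Failed password"'

FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: five failures from one external address, one from the bastion.
SAMPLE_LOG = """\
Mar  3 10:01:12 ip-10-0-1-23 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51322 ssh2
Mar  3 10:01:15 ip-10-0-1-23 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51323 ssh2
Mar  3 10:01:19 ip-10-0-1-23 sshd[2203]: Failed password for root from 198.51.100.7 port 51330 ssh2
Mar  3 10:02:02 ip-10-0-1-23 sshd[2210]: Accepted publickey for ec2-user from 10.0.1.10 port 40110 ssh2
Mar  3 10:02:40 ip-10-0-1-23 sshd[2215]: Failed password for ec2-user from 10.0.1.10 port 40122 ssh2
Mar  3 10:03:01 ip-10-0-1-23 sshd[2218]: Failed password for root from 198.51.100.7 port 51341 ssh2
Mar  3 10:03:05 ip-10-0-1-23 sshd[2219]: Failed password for root from 198.51.100.7 port 51342 ssh2
"""


def filter_matches(line):
    """Stage 2, as the metric filter sees it: the quoted term must appear in the line."""
    return METRIC_FILTER_PATTERN.strip('"') in line


def parse_failed_login(line):
    """Return (user, source_ip) for a failed-password line, else None."""
    m = FAILED_LOGIN_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def failed_logins_by_ip(log_text):
    """Per-source-IP failure counts for one evaluation period."""
    counts = Counter()
    for line in log_text.splitlines():
        if not filter_matches(line):
            continue
        parsed = parse_failed_login(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def alarm_sources(log_text, threshold=5):
    """Stage 3: addresses whose failures in the period reach the alarm threshold (assumed 5)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:16s} {n} failed logins")
    print("alarm:", alarm_sources(SAMPLE_LOG))
```

A metric filter on the raw count alone would alarm on the bastion's single typo as readily as on the external address; attributing failures to the source address, as the example does, is what lets the alarm threshold separate the two.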

802
MCQmedium

A security engineer notices suspicious API calls from an EC2 instance that has an IAM role attached. The engineer wants to quickly determine if the instance's credentials have been compromised and are being used from an external IP address. What is the most efficient way to detect this?

A.Check VPC Flow Logs for traffic from the instance to unusual destinations.
B.Review AWS CloudTrail logs for the instance's IAM role and look for source IP addresses outside the VPC.
C.Enable Amazon GuardDuty and look for the finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration'.
D.Use IAM Access Analyzer to review the trust policy of the instance's IAM role.
AnswerC

GuardDuty automatically detects credential exfiltration.

Why this answer

Option C is correct because GuardDuty has a finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' that detects when EC2 instance credentials are used from an external IP. Option B is wrong because CloudTrail logs would show the calls but require manual analysis. Option A is wrong because VPC Flow Logs do not include IAM principal information.

Option D is wrong because IAM Access Analyzer focuses on resource policies, not credential misuse.

803
Multi-Selecthard

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The role must be able to read from an S3 bucket (my-bucket) and write to CloudWatch Logs. Which THREE conditions must be met for the role to have effective permissions? (Choose THREE.)

Select 3 answers
A.The EC2 instance must have an instance profile attached.
B.The effective permissions are the intersection of the boundary and identity-based policies.
C.The identity-based policy attached to the role must allow the required actions.
D.The permissions boundary policy must allow the required actions.
E.The S3 bucket policy must explicitly allow the role.
AnswersB, C, D

Permissions boundary and identity policy together define effective permissions.

Why this answer

Options B, C, and D are correct: the permissions boundary must allow the actions (D), the identity-based policy must allow them (C), and the effective permissions are the intersection of the two (B). Option E is not required; resource-based policies are optional. Option A is irrelevant.

804
Multi-Selecthard

A company has an AWS Lambda function that processes sensitive data and writes the results to an Amazon S3 bucket. The security team requires that the data is encrypted at rest in S3 and that the Lambda function has the minimum permissions necessary. Which THREE actions should the team take?

Select 3 answers
A.Enable default encryption on the S3 bucket with SSE-KMS
B.Grant the Lambda execution role kms:Encrypt permission
C.Grant the Lambda execution role kms:CreateKey permission
D.Use a KMS key policy that allows the Lambda execution role to use the key
E.Grant the Lambda execution role kms:GenerateDataKey and kms:Decrypt permissions
AnswersA, D, E

Ensures encryption at rest.

Why this answer

Option A (Enable default encryption on the S3 bucket with SSE-KMS), Option E (Grant the Lambda execution role the kms:GenerateDataKey and kms:Decrypt permissions), and Option D (Use a KMS key policy that allows the Lambda execution role to use the key) are correct. Default encryption ensures all objects are encrypted. Lambda needs kms:GenerateDataKey to write and kms:Decrypt to read.

The key policy must allow the execution role. Option B is wrong because kms:Encrypt is not needed; GenerateDataKey is used. Option C is wrong because kms:CreateKey is for key management, not usage.

805
MCQhard

A security engineer is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a policy that allows sts:AssumeRole. The user receives an error: 'Access denied: User is not authorized to perform sts:AssumeRole.' What is the MOST likely cause?

A.The user's policy does not specify the resource ARN of the role.
B.The role requires an external ID that the user did not provide.
C.The user must use multi-factor authentication (MFA).
D.The trust policy does not include the user's IAM user ARN.
AnswerA

The policy must have a Resource element matching the role ARN.

Why this answer

Option A is correct because if the user's IAM policy does not explicitly allow the specific role ARN, sts:AssumeRole will fail. Option B is wrong because an external ID is optional unless required by the trust policy. Option C is wrong because MFA is not required unless the policy specifies it.

Option D is wrong because the trust policy already allows the account.

806
Multi-Selecteasy

Which TWO are valid ways to authenticate to AWS for API calls? (Choose two.)

Select 2 answers
A.SSH key pairs
B.IAM user access keys
C.Database master password
D.Temporary credentials from an IAM role
E.Root user access keys
AnswersB, D

Access keys consist of an access key ID and secret access key.

Why this answer

IAM user access keys (option B) are a valid authentication method for programmatic API calls to AWS. They consist of an access key ID and a secret access key, which are used to sign requests using Signature Version 4 (SigV4). This is a standard, long-term credential for IAM users to interact with AWS services via CLI, SDK, or direct API calls.

Exam trap

The trap here is that candidates may think root user access keys (option E) are invalid or not a real authentication method, but they are technically valid—the question asks for 'valid ways,' and the correct pairing is B and D because they are the two primary recommended methods for programmatic access, while root keys are valid but discouraged and not a standard choice.

807
MCQhard

A security engineer is configuring a VPC for a highly sensitive application. The VPC must not have a route to the internet, but the application needs to periodically download security patches from a specific domain (patches.example.com). Which solution meets these requirements with minimal operational overhead?

A.Launch a proxy server in a public subnet and configure the application to use the proxy.
B.Use a VPC endpoint for Amazon S3 and DynamoDB to download patches.
C.Create a VPC interface endpoint for AWS Systems Manager and use Systems Manager Patch Manager to apply patches.
D.Deploy a NAT gateway in a public subnet and add a route to the NAT gateway for the private subnet.
AnswerC

Systems Manager can manage patches without internet access via VPC endpoints, and Patch Manager supports custom patch baselines.

Why this answer

Option C is correct because a VPC interface endpoint for AWS Systems Manager allows outbound-only communication to download patches without internet access. Option B is wrong because VPC endpoints for S3 and DynamoDB are for those specific services, not general internet access. Option D is wrong because a NAT gateway requires an internet gateway and a route to the internet.

Option A is wrong because a proxy would still need outbound internet access.

808
MCQhard

A company uses Amazon Detective to investigate security findings. The security team is analyzing a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. The team wants to use Detective to understand the full scope of the incident, including which other resources the instance communicated with and any IAM roles used. However, when the team opens the finding in Detective, they see no network activity data for the instance. The instance is in a VPC with VPC Flow Logs enabled, and Flow Logs are being published to CloudWatch Logs. What should the team do to enable Detective to display the network activity?

A.Re-enable the GuardDuty finding in Amazon Detective.
B.Enable GuardDuty EKS Audit Logs monitoring.
C.Ensure that VPC Flow Logs are enabled for the VPC and are being published to Amazon CloudWatch Logs in the same account and Region as Detective.
D.Install the Amazon Detective agent on the EC2 instance.
Answer: C

Detective ingests VPC Flow Logs from CloudWatch Logs to provide network activity data.

Why this answer

Option C is correct because Detective ingests VPC Flow Logs from CloudWatch Logs to analyze network traffic; the flow logs must be in the expected format and delivered to CloudWatch Logs in the same account and Region for Detective to consume them. Option D is wrong because Detective does not need direct access to the instance and has no agent to install.

Option A is wrong because the GuardDuty finding is already in Detective; the issue is the missing network data. Option B is wrong because enabling more GuardDuty data sources does not add VPC network data.

809
Multi-Select (medium)

A company wants to use AWS services to detect and respond to a potential DDoS attack on their web application hosted on EC2 instances behind an Application Load Balancer (ALB). Which TWO AWS services should the company use for detection and mitigation?

Select 2 answers
A.AWS WAF
B.AWS Shield Advanced
C.Amazon Route 53
D.Amazon CloudFront
E.Amazon GuardDuty
Answers: A, B

WAF can create rate-based rules to block excessive requests.

Why this answer

AWS WAF is correct because it lets you create web access control lists (web ACLs) that filter and monitor the HTTP/HTTPS requests reaching your Application Load Balancer. Rate-based rules automatically block IP addresses that exceed a request threshold within a 5-minute window, mitigating layer 7 DDoS attacks such as HTTP floods, and other web ACL rules can block SQL injection attempts. AWS Shield Advanced is correct because it provides the network-layer DDoS detection and mitigation for the ALB that WAF does not.

Exam trap

The trap here is that candidates often confuse AWS Shield Advanced (which provides network-layer DDoS detection and mitigation) with AWS WAF (which provides application-layer filtering), but the question requires both detection and mitigation, and Shield Advanced alone does not offer the granular application-layer rule customization that WAF provides for an ALB-based web application.

810
MCQ (hard)

A company runs a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) in a public subnet, EC2 instances in private subnets for the web tier, and an RDS MySQL database in a private subnet. The security team has noticed that the EC2 instances are receiving traffic from unexpected IP addresses on port 22 (SSH). The instances were launched with a default security group that allowed SSH from 0.0.0.0/0. The security engineer has corrected the security group to allow SSH only from the company's bastion host security group. However, the engineer also wants to implement defense-in-depth by adding a network ACL to the private subnet to block SSH from all sources except the bastion host's private IP (10.0.1.10). The private subnet's current network ACL allows all inbound and outbound traffic. The engineer creates a new network ACL with the following rules: Inbound: Rule 100: Allow SSH from 10.0.1.10/32; Rule 200: Deny SSH from 0.0.0.0/0; Rule *: Deny all. Outbound: Rule 100: Allow all. After associating this new NACL with the private subnet, the engineer finds that SSH connections from the bastion host are still being blocked. What is the most likely cause?

A.The outbound rule of the network ACL does not allow ephemeral ports for return traffic.
B.The new network ACL was not associated with the private subnet.
C.The security group on the EC2 instances still allows SSH from 0.0.0.0/0.
D.The network ACL rules are out of order; the deny rule should be before the allow rule.
Answer: B

If the new NACL is not associated with the subnet, the subnet's existing NACL (which allows all traffic) remains in effect. The engineer believes it was associated, but it may have been associated with the wrong subnet, which is a common oversight.

Why this answer

Option B is correct. Network ACLs are stateless, so both directions of a connection must be permitted explicitly, and rules are evaluated in ascending rule-number order with the first match deciding. Walking through the rules as written: inbound rule 100 allows SSH from 10.0.1.10/32 and is evaluated before rule 200, so the bastion host's connection matches the allow, while rule 200 then denies SSH from every other source. The instance's replies are outbound traffic addressed to the bastion host's ephemeral source port (1024-65535), and outbound rule 100 allows all traffic, so the missing ephemeral-port rule that usually breaks a stateless NACL is not the problem here.

Because the rules, if in effect, would permit the bastion host's SSH session, the remaining explanation among the options is that the new NACL is not actually in effect on the private subnet: it was associated with the wrong subnet, or not associated at all, so the subnet is not being filtered the way the engineer expects. Forgetting or misplacing the association is the most common mistake of this kind, which is why B is the expected answer.

Option A is wrong because the outbound rule allows all traffic, ephemeral ports included. Option C is wrong because a security group that still allows SSH from 0.0.0.0/0 would permit more traffic, not block the bastion host. Option D is wrong because the lower-numbered allow rule is already evaluated before the deny rule; placing the deny first would block the bastion host as well.
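To make the stateless evaluation concrete, here is an added example (not part of the question bank) that models ordered NACL rule matching with the rules from the question and shows why the reply to the bastion host depends on the outbound rules; the instance address, client port and the "no ephemeral ports" rule set are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the question bank: a minimal model of how a stateless
# network ACL evaluates packets, loaded with the rules described in the question.
# Instance address, client port and OUTBOUND_NO_EPHEMERAL are constructed.

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; the implicit '*' rule denies the rest
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # inclusive destination-port range
    port_to: int
    cidr: str        # remote address range the rule applies to

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int

def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """A rule matches on protocol, destination port and the remote CIDR; the remote
    address is the source for inbound traffic and the destination for outbound."""
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return ip_address(remote) in ip_network(rule.cidr)

def evaluate(rules, pkt: Packet, direction: str):
    """Lowest-numbered matching rule wins; nothing matching falls through to the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, direction):
            return rule.action, rule.number
    return "deny", "*"

# The question's NACL: inbound 100 allows SSH from the bastion, 200 denies SSH from anywhere.
INBOUND = [
    Rule(100, "allow", "tcp", 22, 22, "10.0.1.10/32"),
    Rule(200, "deny", "tcp", 22, 22, "0.0.0.0/0"),
]
OUTBOUND = [Rule(100, "allow", "all", 0, 65535, "0.0.0.0/0")]
# Constructed variant of option A's mistake: outbound permits only port 22, so replies
# going back to the client's ephemeral port have no matching rule.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 22, 22, "0.0.0.0/0")]

def ssh_session_verdict(bastion_ip: str, outbound=OUTBOUND,
                        instance_ip: str = "10.0.2.20", client_port: int = 50000):
    """Verdicts for both halves of an SSH handshake. Because the NACL is stateless,
    the instance's reply is a separate outbound packet, judged only by the outbound
    rules, and it is addressed to the client's ephemeral source port, not to port 22."""
    syn = Packet(bastion_ip, instance_ip, "tcp", client_port, 22)
    reply = Packet(instance_ip, bastion_ip, "tcp", 22, client_port)
    return evaluate(INBOUND, syn, "inbound"), evaluate(outbound, reply, "outbound")
```

With the question's rules the bastion's session is allowed in both directions, which is why the rule contents cannot explain the blocked connection.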

811
MCQ (medium)

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all Amazon S3 buckets across the organization are configured to block public access. Which solution should be used to centrally enforce this requirement?

A.Enable AWS Trusted Advisor to automatically remediate public buckets.
B.Use a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action at the organization root.
C.Create an IAM role in each account that denies the s3:PutBucketPublicAccessBlock action.
D.Apply a bucket policy to each bucket that blocks public access.
Answer: B

SCPs can centrally deny actions across accounts.

Why this answer

Option B is correct because an SCP applied at the organization root, an OU or an account denies the action in every affected account, giving central enforcement over actions that could open S3 buckets to public access. Option C is wrong because IAM roles grant permissions within a single account and cannot enforce a control across accounts. Option D is wrong because bucket policies are per-bucket and cannot be centrally enforced.

Option A is wrong because Trusted Advisor provides recommendations but does not enforce policies.

812
Multi-Select (easy)

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Select TWO.)

Select 2 answers
A.AWS Config
B.Amazon Athena (to query logs in S3)
C.Amazon S3 (as a central log repository)
D.Amazon Inspector
E.AWS Shield
Answers: B, C

Athena can run SQL queries on log data in S3.

Why this answer

Options B and C are correct. Amazon S3 can serve as a central log destination for multiple accounts, and Amazon Athena can query the logs directly in S3. Option D is wrong because Amazon Inspector is for vulnerability assessment, not log analysis.

Option A is wrong because AWS Config is for resource configuration tracking. Option E is wrong because AWS Shield is for DDoS protection.

813
MCQ (easy)

A company wants to ensure that data stored in Amazon S3 is encrypted at rest using keys managed by AWS. Which encryption option should they choose?

A.Client-side encryption.
B.Server-side encryption with AWS KMS (SSE-KMS).
C.Server-side encryption with customer-provided keys (SSE-C).
D.Server-side encryption with S3 managed keys (SSE-S3).
Answer: D

Keys are managed by AWS.

Why this answer

SSE-S3 uses AES-256 encryption keys managed entirely by AWS, fulfilling the requirement for encryption at rest with AWS-managed keys. When you upload an object, S3 encrypts it before writing to disk and decrypts it when you access it, all without any customer action or key management overhead.

Exam trap

The trap here is that candidates often confuse SSE-KMS as 'AWS-managed' because KMS can use AWS managed keys, but the question specifically requires keys managed solely by AWS without any customer involvement, which only SSE-S3 provides.

How to eliminate wrong answers

Option A is wrong because client-side encryption requires the customer to manage keys and encrypt data before uploading, which does not meet the requirement for AWS-managed keys. Option B is wrong because SSE-KMS uses AWS KMS keys that are customer-managed (or AWS-managed but with customer control over key policies and rotation), not purely AWS-managed keys as specified. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys, which contradicts the requirement for keys managed by AWS.

814
MCQ (hard)

A security engineer is designing a system to detect and respond to IAM policy changes that could grant excessive permissions. The solution must alert within minutes of the change and automatically revert the change if it violates a predefined baseline. Which combination of services should the engineer use?

A.AWS CloudTrail and Amazon S3
B.AWS CloudTrail, Amazon CloudWatch Events, and AWS Lambda
C.AWS Config and AWS Systems Manager
D.IAM Access Analyzer and AWS Lambda
Answer: B

This combination provides real-time alerting and automated remediation.

Why this answer

Option B is correct: AWS CloudTrail logs the change, CloudWatch Events triggers a Lambda function that compares the new policy to a baseline stored in S3, and if a violation is detected the function reverts the change. Option C is wrong because AWS Config does not auto-remediate quickly and is not event-driven in real time. Option A is wrong because S3 does not process events.

Option D is wrong because IAM Access Analyzer does not auto-remediate.

815
MCQ (easy)

A company wants to automatically trigger a Lambda function when a new security finding is generated in AWS Security Hub. Which service should be used to invoke the Lambda function?

A.Amazon Simple Notification Service (SNS)
B.AWS Security Hub itself
C.Amazon EventBridge
D.AWS CloudTrail
Answer: C

EventBridge can match Security Hub findings and invoke Lambda.

Why this answer

Amazon EventBridge is the correct service because AWS Security Hub automatically sends all findings to the default EventBridge bus as events. You can create an EventBridge rule that matches the 'Security Hub Findings - Imported' event pattern and targets a Lambda function for invocation. This is the native, recommended integration for event-driven responses to Security Hub findings.

Exam trap

The trap here is that candidates may think Security Hub can directly invoke Lambda or that SNS is the primary integration, but AWS explicitly designed EventBridge as the central event bus for all Security Hub findings to enable flexible, rule-based routing.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub notification service that can be used as a target for EventBridge rules, but it is not the service that directly invokes Lambda in response to Security Hub findings; SNS would require a separate subscription and does not natively parse Security Hub event patterns. Option B is wrong because AWS Security Hub itself does not invoke Lambda functions directly; it only generates findings and sends them to EventBridge, CloudWatch, or S3 via integrations. Option D is wrong because AWS CloudTrail records API calls for auditing and does not provide real-time event-driven invocation of Lambda functions based on Security Hub findings.

816
MCQ (easy)

A security engineer is configuring a VPC with public and private subnets. The engineer needs to allow instances in the private subnet to download software updates from the internet. Which component should be added to the VPC?

A.VPN connection to on-premises.
B.VPC endpoint for Amazon S3.
C.Bastion host in a public subnet.
D.NAT gateway in a public subnet.
Answer: D

NAT gateway provides outbound internet connectivity for private subnets.

Why this answer

Option D is correct because a NAT gateway allows outbound internet access from private subnets. Option C is wrong because a bastion host is for SSH/RDP access, not internet access. Option B is wrong because a VPC endpoint provides private access to AWS services, not to the internet.

Option A is wrong because a VPN connection is for hybrid networking.

817
Multi-Select (easy)

A security engineer needs to detect and respond to suspicious activity on an Amazon RDS database. Which TWO services can be used together to monitor database activity and trigger automated remediation?

Select 2 answers
A.Amazon Detective
B.Amazon RDS Enhanced Monitoring
C.AWS Lambda
D.Amazon RDS Performance Insights
E.Amazon GuardDuty
Answers: C, E

Lambda can be used to automate response actions.

Why this answer

Option E (Amazon GuardDuty) is correct: GuardDuty monitors RDS login activity and raises findings for suspicious database access, although it does not carry out remediation on its own. Option C (AWS Lambda) is correct because a Lambda function invoked from a GuardDuty finding can execute the remediation action. The best pair is therefore GuardDuty for detection and Lambda for response, so the answer is C and E.

Option A (Amazon Detective) analyzes findings but does not trigger remediation. Option B (RDS Enhanced Monitoring) provides OS-level metrics, not database activity. Option D (RDS Performance Insights) monitors database load for performance tuning, not security. Exporting database logs to CloudWatch Logs and using metric filters is another monitoring path, but it is not among the options.

818
MCQ (easy)

An IAM policy allows the iam:PassRole action for a specific role only when the role is passed to EC2. A developer tries to launch an EC2 instance with this role, but fails. What is the most likely missing permission?

A.The developer does not have ec2:RunInstances permission.
B.The developer needs to create the role first.
C.The developer does not have iam:PassRole permission for the role.
D.The condition in the policy is incorrect; it should use 'ec2.amazonaws.com' as the service.
Answer: A

Launching an instance requires RunInstances permission.

Why this answer

Option A is correct because the developer also needs ec2:RunInstances permission to launch the instance. Option C is wrong because the iam:PassRole permission is already granted. Option D is wrong because the condition is correct.

Option B is wrong because the developer does not need to create the role.

819
MCQ (easy)

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?

A.Use a customer managed KMS key with a key policy that grants kms:Decrypt only to the specific IAM role, and configure the S3 bucket policy to allow only that role to access the bucket.
B.Enable automatic key rotation in KMS and assign the key to the IAM role.
C.Configure an S3 bucket policy that denies all users except the specific IAM role.
D.Use S3 default encryption with an AWS managed key and trust the IAM role.
Answer: A

Key policy controls who can decrypt, bucket policy controls access to the object.

Why this answer

Option A is correct because a customer managed KMS key with a key policy that grants kms:Decrypt only to the specific IAM role ensures that only that role can decrypt, while the bucket policy restricts who can access the bucket. Option C is wrong because the bucket policy alone cannot control decryption. Option D is wrong because S3 default encryption with an AWS managed key does not restrict decryption.

Option B is wrong because KMS automatic key rotation does not control access.

820
MCQ (easy)

A startup is deploying a web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that all traffic to the EC2 instances is encrypted. They configure the ALB to listen on HTTPS (port 443) and forward traffic to the EC2 instances on HTTP (port 80). Additionally, they create a security group for the EC2 instances that only allows inbound traffic from the ALB's security group on port 80. However, a security audit reveals that the traffic between the ALB and EC2 instances is not encrypted. Which step should the security team take to encrypt the traffic between the ALB and EC2 instances?

A.Update the EC2 security group to allow traffic on port 443 from the ALB.
B.Enable encryption at rest on the EC2 instances.
C.Configure the target group to use HTTPS protocol and install a certificate on the EC2 instances.
D.Change the ALB listener to use TCP instead of HTTPS.
Answer: C

Encrypts traffic between ALB and EC2.

Why this answer

Option C is correct because encrypting traffic between the ALB and its targets requires the target group to use the HTTPS protocol, so the ALB sends HTTPS requests to the EC2 instances, which in turn need a certificate to terminate TLS. Option A is wrong because opening port 443 in the security group does not change the protocol the ALB uses; the security group already filters correctly for the current port 80 setup. Option D is wrong because the listener is already HTTPS, and an ALB does not offer TCP listeners.

Option B is wrong because encryption at rest does not affect traffic in transit.

821
Multi-Select (hard)

An organization is using Amazon EKS for container workloads. The security team wants to detect container escape attempts. Which THREE AWS services or features should be enabled? (Choose THREE.)

Select 3 answers
A.AWS WAF
B.AWS Security Hub
C.VPC Flow Logs
D.Amazon GuardDuty with EKS Runtime Monitoring
E.AWS CloudTrail
Answers: B, D, E

Aggregates findings from GuardDuty and others.

Why this answer

Amazon GuardDuty with EKS Runtime Monitoring (Option D) detects container escape attempts by monitoring Kubernetes audit logs and runtime behavior at the host and container level. AWS CloudTrail (Option E) records API calls to EKS, including suspicious actions like unauthorized pod creation or privilege escalation. AWS Security Hub (Option B) aggregates findings from GuardDuty and CloudTrail, providing a centralized view of container escape alerts and enabling automated incident response workflows.

Exam trap

The trap here is that candidates often confuse network-level monitoring (VPC Flow Logs) or web-layer protection (WAF) with the runtime and API-level visibility required to detect container escapes, leading them to select options that address different attack surfaces.

822
MCQ (medium)

A DevOps engineer is configuring VPC Flow Logs for a subnet that contains a public-facing Application Load Balancer (ALB). The engineer wants to capture only accepted traffic for security analysis. What should the engineer do?

A.Create a flow log and use a subscription filter in CloudWatch Logs to include only records with 'ACCEPT'.
B.Configure the security group to log only accepted traffic.
C.Use the default flow log format and filter at the S3 bucket using S3 Select.
D.Create a flow log with a custom format that includes the 'action' field, and filter for 'ACCEPT'.
Answer: A

CloudWatch Logs subscription filter can be used to filter flow log records based on the 'action' field.

Why this answer

VPC Flow Logs can be filtered by acceptance status. The 'action' field in each flow log record indicates whether the traffic was accepted (ACCEPT) or rejected (REJECT). Filtering so that only ACCEPT records are kept meets the requirement.

Option B is wrong because security groups do not log traffic; they only permit what their rules allow. Option C is wrong because the default format still records every flow, and S3 Select only queries records after they have been delivered; it does not filter what is captured. Option D is wrong because changing the record format does not filter the records.
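The selection a subscription filter on the 'action' field makes, shown as an added example (not from the question bank) that parses default-format flow log records and keeps only ACCEPT entries; the sample records, account ID, interface ID and addresses are constructed.

```python
from collections import Counter

# Added example, not from the question bank: parse default-format VPC Flow Logs
# records and keep only those whose 'action' field is ACCEPT, the same selection a
# CloudWatch Logs subscription filter on that field would make. Sample records,
# account ID, interface ID and addresses are constructed.

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# The equivalent space-delimited pattern for a CloudWatch Logs subscription or metric filter:
# [version, account, eni, source, destination, srcport, destport, protocol,
#  packets, bytes, windowstart, windowend, action="ACCEPT", flowlogstatus]

SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.2.20 41234 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 52000 22 6 5 300 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 50000 22 6 40 8000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.2.20 41235 443 6 10 2000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1418530010 1418530070 - NODATA",
]

def parse_record(line: str):
    """Return a dict for a well-formed record that carries traffic data, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                      # malformed or custom-format line
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                      # NODATA / SKIPDATA records carry '-' in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def accepted_only(lines):
    """Yield parsed records whose action is ACCEPT (what the subscription filter passes on)."""
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["action"] == "ACCEPT":
            yield rec

def accepted_tcp_sources(lines, dst_port: int) -> Counter:
    """Count accepted TCP flows per source address for one destination port,
    e.g. which sources actually reached SSH on the instance."""
    counts = Counter()
    for rec in accepted_only(lines):
        if rec["protocol"] == 6 and rec["dstport"] == dst_port:
            counts[rec["srcaddr"]] += 1
    return counts
```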

823
MCQ (hard)

Refer to the exhibit. A user has this IAM policy attached. They attempt to download an object from example-bucket using the AWS CLI without specifying server-side encryption. Will the request succeed?

A.Yes, because the bucket policy may override the condition.
B.No, because the condition is not satisfied.
C.No, because S3 requires encryption for all requests.
D.Yes, because the Allow statement grants s3:GetObject.
Answer: B

The request lacks the required encryption header, so the Allow does not apply and the request is denied by default.

Why this answer

Option B is correct. The condition requires that the request includes the header x-amz-server-side-encryption with value AES256. Without that header, the condition is not met, so the Allow does not apply.

There is no explicit Deny, but since the Allow does not apply, the default implicit Deny takes effect, and the request fails.

824
MCQ (hard)

A company uses AWS Organizations and wants to prevent any IAM user from creating access keys for a long period. Which SCP should be applied to the root OU to enforce that IAM users cannot create access keys unless explicitly allowed?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:CreateAccessKey","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:DeleteAccessKey","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:CreateAccessKey","Resource":"arn:aws:iam::*:user/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateAccessKey","Resource":"arn:aws:iam::*:user/*","Condition":{"StringNotEquals":{"aws:ResourceTag/purpose":"temporary"}}}]}
Answer: D

Denies creation unless tag 'purpose' is 'temporary'.

Why this answer

SCPs can deny actions across the organization. Option D is correct because it denies iam:CreateAccessKey on all IAM users unless the target user carries the tag purpose=temporary. Option A allows creation on every resource.

Option B only prevents deletion of access keys. Option C allows creation.
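The implicit-deny reasoning of question 823 and the tag-conditioned SCP deny of question 824 follow the same evaluation rules, so here is one added example (not from the question bank) that models them: an explicit Deny wins, otherwise an Allow whose Condition holds is required, otherwise the request is implicitly denied. Only StringEquals and StringNotEquals are modelled, SCPs are treated as ordinary Deny statements, and the example-bucket policy, identity policy, user ARN and tags are constructed (the SCP is option D above).

```python
import fnmatch

# Added example, not from the question bank: a deliberately small model of IAM policy
# evaluation. Explicit Deny always wins; otherwise an Allow whose Condition is satisfied
# is needed; otherwise the request is implicitly denied. SCPs are modelled as plain Deny
# statements. SSE_REQUIRED mirrors the exhibit described in question 823 (constructed);
# SCP_OPTION_D is option D of question 824; IDENTITY_ALLOW, the user ARN and tags are constructed.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    """IAM semantics: StringEquals fails when the key is absent from the request
    context; StringNotEquals (a negated operator) passes when the key is absent."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if operator == "StringEquals" and (actual is None or actual not in wanted):
                return False
            if operator == "StringNotEquals" and actual is not None and actual in wanted:
                return False
    return True

def _statement_applies(stmt, action, resource, ctx):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_holds(stmt.get("Condition"), ctx))

def evaluate(policies, action, resource, ctx):
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"
                allowed = True
    return "allow" if allowed else "implicit deny"

# Question 823: the Allow only applies when the request carries the SSE header.
SSE_REQUIRED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}

def s3_get_verdict(request_headers: dict) -> str:
    # The x-amz-server-side-encryption header populates the s3: condition key of the same name.
    value = request_headers.get("x-amz-server-side-encryption")
    ctx = {"s3:x-amz-server-side-encryption": value} if value is not None else {}
    return evaluate([SSE_REQUIRED], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)

# Question 824, option D: deny access-key creation unless the target user is tagged purpose=temporary.
SCP_OPTION_D = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "arn:aws:iam::*:user/*",
    "Condition": {"StringNotEquals": {"aws:ResourceTag/purpose": "temporary"}}}]}
IDENTITY_ALLOW = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"}]}

def create_access_key_verdict(user_tags: dict) -> str:
    ctx = {f"aws:ResourceTag/{k}": v for k, v in user_tags.items()}
    return evaluate([SCP_OPTION_D, IDENTITY_ALLOW], "iam:CreateAccessKey",
                    "arn:aws:iam::123456789012:user/alice", ctx)
```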

825
Multi-Select (medium)

A company is designing an IAM policy to grant a group of developers access to manage EC2 instances and RDS databases. Which TWO actions should be included to follow the principle of least privilege?

Select 2 answers
A.rds:CreateDBInstance
B.ec2:StartInstances
C.ec2:CreateInstances
D.rds:StartDBInstance
E.ec2:*
Answers: B, D

'ec2:StartInstances' is a specific action needed to start EC2 instances.

Why this answer

Options B and D are correct because they are the specific actions needed to start existing EC2 instances and RDS DB instances. Option A (rds:CreateDBInstance) goes beyond managing existing databases by allowing new ones to be created. Option C (ec2:CreateInstances) is not a valid action; instances are launched with ec2:RunInstances.

Option E (ec2:*) is far too broad for least privilege.
