AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 901–975

1738 questions total · 24 pages · All types, answers revealed

Page 13 of 24

901
Multi-Select · hard

A company has a security requirement that any Amazon RDS database must be encrypted at rest. Which TWO actions should be taken to enforce this requirement?

Select 2 answers
A. Configure VPC security groups to block unencrypted connections.
B. Use an AWS Config rule to detect unencrypted RDS instances and trigger auto-remediation.
C. Attach an SCP to the OU to require encryption for all RDS instances.
D. Use an IAM policy to deny the rds:CreateDBInstance action unless encryption is enabled.
E. Enable encryption on all existing RDS instances using a Lambda function.
Answers: B, D

Correct: Detects and remediates non-compliant instances.

Why this answer

Options B and D are correct. To enforce encryption, you can use IAM policies with conditions that require encryption parameters, and use AWS Config rules to detect unencrypted databases and trigger remediation. Option E is wrong because enabling encryption on existing databases requires a snapshot restore.

Option C is wrong because SCPs cannot enforce encryption at the service level. Option A is wrong because VPC security groups control network access, not encryption.

902
Multi-Select · medium

Which TWO are best practices for managing IAM roles for EC2 instances?

Select 2 answers
A. Regularly rotate IAM user access keys.
B. Attach the same role to all instances for simplicity.
C. Apply the principle of least privilege when defining role permissions.
D. Use an IAM role to grant permissions to applications running on EC2.
E. Store AWS access keys directly on the instance.
Answers: C, D

Minimizes security risk.

Why this answer

Using instance profiles with roles avoids long-term credentials. Rotating keys is for IAM users. Option D is correct for role-based access.

Option C is correct for limiting permissions. Option E is not a best practice.

903
MCQ · hard

A security engineer is reviewing AWS CloudTrail logs and notices a large number of `DescribeInstances` API calls from a single IAM user in a short period. The engineer suspects a credential compromise. What is the most effective way to automatically revoke the compromised credentials and notify the security team?

A. Use AWS CloudTrail to automatically disable the IAM user's access keys.
B. Create an Amazon EventBridge rule that triggers an AWS Lambda function to revoke the keys and send an SNS notification.
C. Create an AWS Config rule that checks for excessive API calls and revokes keys.
D. Enable Amazon GuardDuty to automatically revoke compromised credentials.
Answer: B

EventBridge can match CloudTrail events, invoke Lambda to revoke keys, and publish to SNS.

Why this answer

AWS CloudTrail can trigger a Lambda function via CloudWatch Events (now Amazon EventBridge). The Lambda function can then revoke the IAM user's keys and notify via SNS. AWS Config cannot revoke keys.

IAM does not have built-in automatic revocation based on CloudTrail events. GuardDuty provides findings but does not automatically revoke credentials.

904
MCQ · medium

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted within minutes. Which solution should they implement?

A. Create a CloudWatch metric filter on CloudTrail logs for StopLogging or DeleteTrail events and set an alarm.
B. Use Amazon GuardDuty to monitor for disablement events.
C. Create an AWS Config rule to detect when CloudTrail is disabled.
D. Configure S3 event notifications on the CloudTrail bucket.
Answer: A

Real-time detection.

Why this answer

Option A is correct because CloudTrail itself logs the StopLogging or DeleteTrail API calls. Those logs can be streamed to CloudWatch Logs, where a metric filter can detect the event and trigger an alarm that sends an SNS notification. Option C is wrong because Config rules evaluate resource configurations, not API calls.

Option B is wrong because GuardDuty does not monitor CloudTrail API calls. Option D is wrong because S3 events are for object-level operations, not CloudTrail API calls.

905
MCQ · hard

A security engineer is investigating a potential security incident. They suspect that an IAM user's credentials were compromised and used to launch EC2 instances in a region where the user normally does not operate. Which AWS service can help the engineer identify the source IP address and user agent of the API calls that launched the instances?

A. AWS CloudHSM
B. AWS CloudTrail
C. Amazon Inspector
D. AWS Artifact
Answer: B

CloudTrail logs API calls with source IP and user agent.

Why this answer

Option B is correct because AWS CloudTrail records all API calls with details like source IP address and user agent. Option C is incorrect because Amazon Inspector is for vulnerability assessment. Option A is incorrect because AWS CloudHSM is for hardware security modules.

Option D is incorrect because AWS Artifact is for compliance reports.

906
MCQ · easy

A security engineer needs to ensure that all traffic to an EC2 instance in a VPC is inspected by a network firewall appliance. The firewall is deployed in a separate subnet. What is the MOST secure and scalable way to route traffic through the firewall?

A. Configure a NAT gateway in the firewall subnet and route all traffic through it.
B. Use a Gateway Load Balancer with a Gateway Load Balancer endpoint in each subnet.
C. Use an Application Load Balancer in front of the firewall.
D. Create a transit gateway and route traffic through the firewall subnet.
Answer: B

Gateway Load Balancer transparently forwards traffic to the firewall appliance and supports scaling.

Why this answer

Option B is correct because a Gateway Load Balancer with a Gateway Load Balancer endpoint in each subnet allows scaling and transparent inspection. Option A is wrong because a NAT gateway only handles outbound traffic. Option C is wrong because an ALB is for load balancing at layer 7, not for traffic inspection routing.

Option D is wrong because a transit gateway is for connecting VPCs, not for routing traffic through a firewall.

907
Multi-Select · medium

Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)

Select 2 answers
A. Deploy AWS Config conformance packs using AWS CloudFormation StackSets across accounts.
B. Attach IAM policies to all IAM users in each account.
C. Use AWS Security Hub to automatically enforce compliance rules.
D. Use AWS Organizations service control policies (SCPs) to restrict allowed actions.
E. Enable VPC Flow Logs in each account and send them to a central S3 bucket.
Answers: A, D

Conformance packs contain rules and remediation actions that can be deployed centrally.

Why this answer

AWS Config conformance packs provide a way to deploy a collection of AWS Config rules and remediation actions across multiple accounts and Regions. When combined with AWS CloudFormation StackSets, you can centrally deploy these conformance packs to all accounts in an AWS Organization, ensuring consistent compliance enforcement. This approach allows you to define and manage security policies as code, automatically evaluating resources against desired configurations.

Exam trap

The trap here is that candidates often confuse AWS Security Hub's detection and aggregation capabilities with actual enforcement, but Security Hub does not automatically enforce compliance—it only reports findings, while conformance packs and SCPs provide the enforcement mechanism.

908
MCQ · easy

A security engineer wants to receive real-time notifications when an AWS API call is made to delete an S3 bucket. Which service should be used to capture and forward these events to an Amazon SNS topic?

A. AWS CloudTrail with CloudWatch Events
B. AWS Trusted Advisor
C. Amazon GuardDuty
D. AWS Config
Answer: A

CloudTrail logs API calls, and CloudWatch Events can filter for DeleteBucket events and trigger an SNS notification.

Why this answer

AWS CloudTrail captures all API calls made to S3, including DeleteBucket. By sending these CloudTrail events to Amazon CloudWatch Events (now part of Amazon EventBridge), you can create a rule that matches the specific API call and forwards it to an SNS topic for real-time notification. This combination provides the exact event-driven pipeline needed for immediate alerting on S3 bucket deletions.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to detect configuration changes with the need for real-time API call capture, leading them to choose AWS Config instead of CloudTrail with CloudWatch Events.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice recommendations and cost optimization checks, but it does not capture or forward real-time API events. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, but it does not directly forward specific API calls to SNS topics. Option D is wrong because AWS Config evaluates resource configurations and compliance rules, but it does not capture real-time API calls or forward them to SNS; it focuses on configuration changes and drift detection.

909
Multi-Select · easy

A company wants to protect sensitive data in Amazon S3 by ensuring that all objects are encrypted at rest. Which TWO options meet this requirement? (Choose TWO.)

Select 2 answers
A. Use server-side encryption with S3 managed keys (SSE-S3)
B. Use SSL/TLS for data in transit
C. Use client-side encryption with the AWS Encryption SDK
D. Use server-side encryption with AWS KMS (SSE-KMS)
E. Use Amazon Macie to classify and mask data
Answers: A, D

S3 encrypts objects with S3 managed keys.

Why this answer

Options A and D are correct encryption methods provided by S3. Option C is client-side encryption, not S3's own encryption. Option B is for data in transit.

Option E is for masking, not encryption.

910
MCQ · hard

A security engineer notices that a developer's IAM user has full administrator access. The engineer wants to implement the principle of least privilege for the developer. What is the best way to proceed?

A. Create a new IAM group with the AdministratorAccess policy and add the developer to the group.
B. Use IAM Access Advisor to review the developer's historical usage and create a custom policy that only includes the services and actions used.
C. Replace the AdministratorAccess policy with a managed job function policy such as PowerUserAccess.
D. Remove the administrative access and ask the developer to request permissions as needed.
Answer: B

This allows granting only the permissions actually needed.

Why this answer

Option B is correct because starting with a minimal set of permissions and gradually adding based on actual usage is the principle of least privilege. Option C is wrong because using a managed job function policy may grant more permissions than needed. Option D is wrong because removing administrative access without providing alternative permissions would break the developer's work.

IAM Access Analyzer helps analyze existing policies but does not provide automated least privilege.

911
MCQ · hard

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?

A. Allow inbound traffic from the ALB's private IP addresses on the EC2 security group.
B. Allow inbound traffic from the VPC CIDR block on the EC2 security group.
C. Allow inbound traffic from the ALB's security group ID on the EC2 security group.
D. Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 security group.
Answer: C

Security group ID reference ensures traffic only from ALB.

Why this answer

Option C is correct because security groups can reference each other by ID, allowing you to create a rule on the EC2 security group that permits inbound traffic only from the ALB's security group. This ensures that only traffic that has passed through the ALB can reach the EC2 instances, regardless of the ALB's IP addresses, which can change due to scaling or replacement.

Exam trap

The trap here is that candidates often assume ALBs have fixed private IP addresses and choose Option A, not realizing that ALB IPs are dynamic and that security group referencing is the AWS-recommended method for this pattern.

How to eliminate wrong answers

Option A is wrong because ALBs do not have static private IP addresses; they use elastic network interfaces that can change, making IP-based rules unreliable and requiring constant updates. Option B is wrong because allowing traffic from the entire VPC CIDR block would permit any resource in the VPC (including compromised instances or unauthorized services) to reach the EC2 instances, bypassing the ALB. Option D is wrong because allowing HTTP traffic from 0.0.0.0/0 would expose the EC2 instances directly to the internet, defeating the purpose of using an ALB for traffic control and security.

912
MCQ · medium

A company uses a hybrid architecture with on-premises servers and AWS. The company uses AWS Site-to-Site VPN to connect to a VPC. The security team suspects that a VPN tunnel has been compromised and an attacker is intercepting traffic. The team needs to verify the integrity of the VPN connection. What is the MOST effective way to detect if traffic is being intercepted?

A. Monitor Amazon CloudWatch metrics for the VPN tunnel, such as tunnel state and data throughput.
B. Use AWS Config to check VPN configuration compliance.
C. Use a third-party network monitoring tool to perform deep packet inspection.
D. Enable VPC Flow Logs and analyze traffic patterns for unusual destinations.
Answer: A

Anomalies in metrics can indicate issues.

Why this answer

Option A is correct because monitoring Amazon CloudWatch metrics for the VPN tunnel, specifically the 'TunnelState' metric, directly indicates whether the tunnel is up or down. A compromised tunnel that is intercepting traffic would likely cause the tunnel to flap or drop unexpectedly, which CloudWatch can alert on. Additionally, abnormal data throughput patterns (e.g., sudden spikes or drops) can signal interception or rerouting of traffic, making this the most effective way to detect integrity issues without relying on traffic content.

Exam trap

The trap here is that candidates confuse configuration compliance (AWS Config) or traffic analysis (VPC Flow Logs) with active tunnel integrity verification, overlooking that CloudWatch metrics directly monitor the VPN tunnel's operational state and performance, which is the most reliable indicator of compromise without requiring decryption.

How to eliminate wrong answers

Option B is wrong because AWS Config checks configuration compliance (e.g., encryption settings, routing rules) but cannot detect active interception or compromise of a live VPN tunnel; it only validates static configuration. Option C is wrong because deep packet inspection (DPI) requires decrypting the VPN traffic, which is not possible without the VPN encryption keys; the attacker would also be encrypted, so DPI cannot distinguish legitimate from intercepted traffic. Option D is wrong because VPC Flow Logs capture metadata (IPs, ports, protocols) but not the content or integrity of the VPN tunnel; unusual destinations might indicate exfiltration but do not directly confirm tunnel interception, and flow logs cannot detect if traffic is being modified or replayed within the encrypted tunnel.

913
Multi-Select · hard

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only users from a specific AWS account can decrypt objects. Which TWO steps should be taken to achieve this?

Select 2 answers
A. Add a bucket policy that denies decrypt for all users except those from the target account.
B. Configure the KMS key policy to allow the target AWS account to use the key for decrypt.
C. Use a different KMS key for each object to isolate permissions.
D. Create an IAM policy in the target account that allows the kms:Decrypt action.
E. Enable S3 default encryption with the KMS key.
Answers: B, D

Key policy must grant decrypt to the target account.

Why this answer

Options B and D are correct. A key policy that grants decrypt permission to a specific account (option B) and an IAM policy in the target account that allows the user to call KMS Decrypt (option D) are both required. Option A is wrong because an S3 bucket policy does not control KMS decryption.

Option E is wrong because S3 default encryption only sets server-side encryption, not cross-account restrictions. Option C is wrong because using a different KMS key for each object is unnecessary and complex.

914
MCQ · easy

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. What is the MOST efficient way to enable GuardDuty for all accounts?

A. Create a Lambda function that uses AWS Organizations API to enable GuardDuty in each account
B. Use AWS Service Catalog to provision GuardDuty across accounts
C. Manually enable GuardDuty in each member account
D. Enable GuardDuty in the management account and designate a delegated administrator to manage GuardDuty
Answer: D

GuardDuty supports delegated administrator for Organizations, simplifying enablement.

Why this answer

Option D is correct because AWS Organizations allows you to enable GuardDuty at the management account level and then designate a delegated administrator to manage GuardDuty across all member accounts. This approach is the most efficient as it eliminates the need for per-account manual or scripted enablement, leveraging the Organizations API to automatically enroll all existing and future accounts.

Exam trap

The trap here is that candidates may think a custom Lambda function or manual per-account setup is required, overlooking the built-in delegated administrator feature that streamlines multi-account GuardDuty management via AWS Organizations.

How to eliminate wrong answers

Option A is wrong because creating a Lambda function to call the Organizations API for each account is unnecessary and less efficient; the delegated administrator feature in GuardDuty already automates multi-account enablement without custom code. Option B is wrong because AWS Service Catalog is designed for provisioning and governing IT service catalogs, not for enabling security services like GuardDuty across accounts; it adds complexity without benefit. Option C is wrong because manually enabling GuardDuty in each member account is inefficient, error-prone, and does not scale, especially in environments with many accounts or frequent account creation.

915
MCQ · hard

A company is using AWS Organizations and wants to delegate the administration of certain accounts to different teams. For example, the finance team should be able to manage billing-related accounts, but not development accounts. Which AWS feature allows this type of delegation?

A. AWS Organizations delegated administrator
B. AWS IAM Identity Center (AWS SSO)
C. Service control policies (SCPs)
D. IAM roles in each account
Answer: A

Delegated administrator allows specific accounts to manage other accounts for a service.

Why this answer

Option A is correct because AWS Organizations delegated administrator allows you to register member accounts as delegated administrators for specific services, giving them limited administrative permissions. Option C is wrong because SCPs are for denying permissions, not for delegation. Option D is wrong because IAM roles are for users, not for account-level delegation.

Option B is wrong because AWS SSO provides user access, not account management delegation.

916
MCQ · hard

A security engineer suspects that an EC2 instance is communicating with a known malicious IP address. The engineer needs to capture the full network packets for analysis. Which approach should be taken?

A. Enable AWS Security Hub to detect and capture malicious traffic.
B. Install the Amazon CloudWatch agent on the instance to capture network logs.
C. Enable VPC Flow Logs on the subnet and analyze the logs.
D. Use VPC Traffic Mirroring to mirror the instance's ENI to a monitoring appliance.
Answer: D

Traffic Mirroring captures full packets for deep packet inspection.

Why this answer

VPC Traffic Mirroring captures and copies all network traffic from an EC2 instance's Elastic Network Interface (ENI) and forwards it to a monitoring appliance (e.g., a security appliance or packet analyzer) for full packet-level analysis. This is the only option that provides raw, full network packets (including headers and payloads) without impacting the instance's performance or requiring software installation on the instance itself.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which provide metadata only) with full packet capture, leading them to choose Option C, but VPC Flow Logs cannot capture packet payloads required for deep forensic analysis.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a security posture management service that aggregates findings from other services (e.g., GuardDuty, Inspector) and does not capture raw network packets. Option B is wrong because the Amazon CloudWatch agent collects metrics and logs (e.g., CPU, memory, application logs) but cannot capture full network packets at the OSI Layer 2/3 level; it lacks packet capture capabilities. Option C is wrong because VPC Flow Logs capture metadata (e.g., source/destination IP, port, protocol, packet count) but do not capture the actual packet payloads or full network packets required for deep analysis.

917
Multi-Select · medium

A security engineer is designing a system to manage access to an S3 bucket containing confidential data. Which TWO actions should the engineer take to implement least privilege?

Select 2 answers
A. Use a condition in the IAM policy to restrict access to requests from a specific IP range.
B. Grant only the specific S3 actions needed (e.g., s3:GetObject) rather than s3:*
C. Use a policy that allows s3:* for all users in the organization.
D. Make the bucket public and rely on object ACLs to restrict access.
E. Use pre-signed URLs for all access to the bucket.
Answers: A, B

Restricting by IP reduces the attack surface.

Why this answer

Options A and B are correct. Option B: granting only the required actions limits permissions. Option A: using a condition on the source IP restricts access to known networks.

Option C is wrong because full access is not least privilege. Option E is wrong because pre-signed URLs are for temporary access, not for ongoing least privilege. Option D is wrong because public access is the opposite of least privilege.

918
Multi-Select · hard

A security engineer is investigating a potential data breach. The engineer wants to analyze historical API calls made by a specific IAM user. Which TWO AWS services can be used together to achieve this? (Select TWO.)

Select 2 answers
A. S3 Server Access Logs
B. VPC Flow Logs
C. AWS CloudTrail
D. Amazon CloudWatch Logs Insights
E. Amazon CloudWatch Logs
Answers: C, E

CloudTrail records API activity for the account.

Why this answer

Options C and E are correct. CloudTrail logs API calls and can deliver them to CloudWatch Logs for querying. Option B is wrong because VPC Flow Logs capture network traffic, not API calls.

Option D is wrong because CloudWatch Logs Insights can query logs but needs CloudTrail as the source. Option A is wrong because S3 Server Access Logs are for S3 access only, not all API calls.

919
MCQ · medium

A security engineer is designing a network ACL for a public subnet containing an Application Load Balancer. The subnet must allow inbound HTTPS traffic from the internet and outbound traffic to the internet for patches. Which inbound rule should be added?

A. Allow TCP port 1024-65535 from 0.0.0.0/0
B. Allow UDP port 443 from 0.0.0.0/0
C. Allow all traffic from 0.0.0.0/0
D. Allow TCP port 443 from 0.0.0.0/0
Answer: D

HTTPS uses TCP port 443.

Why this answer

Option D is correct because HTTPS uses TCP port 443. Option B is wrong because HTTPS does not use UDP. Option C is wrong because the ALB should not allow all inbound traffic.

Option A is wrong because ephemeral ports are for outbound, not inbound.

920
MCQ · medium

A company is designing a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates but cannot be directly accessed from the internet. Which AWS service or feature should be used to meet this requirement?

A. NAT Gateway
B. VPC Peering
C. AWS VPN
D. Internet Gateway
Answer: A

A NAT Gateway enables outbound internet access from private subnets while blocking inbound connections.

Why this answer

Option A is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option D is wrong because an Internet Gateway is used for public subnets and allows inbound traffic. Option C is wrong because a VPN connection is for site-to-site connectivity, not internet access.

Option B is wrong because a VPC Peering connection connects VPCs to each other, not to the internet.

921
MCQ · easy

A company has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted. Which approach should be used?

A. Enable Amazon GuardDuty to detect CloudTrail disablement.
B. Use AWS Config to create a rule that checks if CloudTrail is enabled.
C. Create a CloudWatch Events rule that matches the StopLogging API call and sends a notification via SNS.
D. Enable VPC Flow Logs to capture traffic to the CloudTrail endpoint.
Answer: C

EventBridge can match CloudTrail API calls and trigger alerts.

Why this answer

Option C is correct because a CloudWatch Events (EventBridge) rule can match the StopLogging or UpdateTrail API calls from CloudTrail and trigger an SNS notification. Option B is wrong because AWS Config can evaluate whether CloudTrail is enabled, but may not detect a disablement in real time; it is more for compliance. Option D is wrong because VPC Flow Logs do not capture API calls.

Option A is wrong because Amazon GuardDuty does not monitor CloudTrail configuration changes.

922
MCQ · easy

A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that log files are not tampered with after they are delivered to the S3 bucket. Which feature should be enabled to provide integrity validation?

A. Enable S3 Versioning on the CloudTrail bucket.
B. Enable S3 server-side encryption with SSE-S3.
C. Enable CloudTrail log file integrity validation.
D. Enable S3 Object Lock on the CloudTrail bucket.
Answer: C

This feature provides cryptographic verification of log file integrity.

Why this answer

Option C is correct because CloudTrail log file integrity validation uses SHA-256 hashing and digital signatures to verify that log files have not been altered. Option B is incorrect because server-side encryption (SSE-S3) only encrypts data at rest and does not validate integrity. Option A is incorrect because S3 Versioning helps preserve object versions but does not validate integrity.

Option D is incorrect because S3 Object Lock prevents deletion but does not detect modification.

923
Multi-Select · easy

A company is designing an incident response plan for AWS. The plan must include the ability to collect forensic data from EC2 instances without requiring SSH key pairs. Which TWO AWS services can be used to acquire forensic data from EC2 instances without remote access? (Choose 2.)

Select 2 answers
A. AWS Systems Manager Run Command
B. AWS Config
C. Amazon Inspector
D. AWS CloudTrail
E. Amazon EBS snapshots
Answers: A, E

Run Command executes commands without SSH.

Why this answer

AWS Systems Manager Run Command allows you to run scripts or commands on EC2 instances via the SSM Agent, without requiring SSH keys or direct network access. This enables forensic data collection (e.g., memory dumps, log files) by executing commands remotely through the AWS Systems Manager service, using IAM roles for authentication.

Exam trap

The trap here is that candidates often confuse AWS Config or CloudTrail as tools for collecting instance-level forensic data, when in fact they are governance and logging services that do not provide direct access to instance memory or disk contents.

924
MCQ · hard

A company is using AWS KMS to encrypt data in Amazon Redshift. They need to rotate the KMS key annually. Which approach meets the requirement with minimal operational impact?

A. Create a new KMS key each year and update the Redshift cluster to use the new key
B. Use an AWS Lambda function to rotate the key every year
C. Enable automatic key rotation on the KMS key
D. Rotate the key by re-importing key material into an existing KMS key
Answer: C

Automated annual rotation.

Why this answer

Option C is correct because AWS KMS supports automatic annual key rotation for customer-managed KMS keys. Enabling this feature automatically rotates the key material once per year with no manual intervention, minimal operational overhead, and no impact on the Redshift cluster, which continues to use the same key ID.

Exam trap

The trap here is that candidates may think automatic rotation is not available for KMS keys or that they must manually rotate keys using Lambda or by creating new keys, when in fact KMS provides a simple toggle for annual automatic rotation that requires no additional resources.

How to eliminate wrong answers

Option A is wrong because creating a new KMS key each year and updating the Redshift cluster requires manual re-encryption of all data and reconfiguration of the cluster, causing significant operational impact and potential downtime. Option B is wrong because AWS Lambda is unnecessary and adds complexity; KMS already provides built-in automatic rotation that does not require custom code or scheduling. Option D is wrong because re-importing key material into an existing KMS key is only applicable to imported key material (not AWS-generated keys) and does not meet the requirement for annual rotation of an AWS KMS key; it also requires manual steps and does not automate the rotation schedule.

925
MCQ · hard

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to enforce that all S3 buckets created by CloudFormation have encryption enabled. Which approach should be used to enforce this policy?

A. Use AWS Service Catalog to enforce encryption
B. Use AWS CloudFormation Guard to validate templates
C. Enable AWS CloudTrail to detect unencrypted buckets
D. Create an SCP to deny creation of unencrypted S3 buckets
Answer: B

CloudFormation Guard can check for encryption settings before deployment.

Why this answer

Option B is correct because a CloudFormation Guard rule can validate templates before deployment to ensure encryption is configured. Option D is wrong because SCPs cannot enforce resource configurations within a stack. Option C is wrong because CloudTrail cannot enforce anything; it only records API activity.

Option A is wrong because Service Catalog enforces on products, not on all CloudFormation templates.

926
Multi-Select · medium

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys are not used by unauthorized principals. Which TWO measures should be implemented? (Choose TWO.)

Select 2 answers
A. Define a key policy that grants kms:Encrypt and kms:Decrypt only to specific IAM roles.
B. Delete any KMS keys that are not used for more than 90 days.
C. Create aliases for frequently used keys.
D. Grant kms:* permissions to all IAM users in the account.
E. Enable automatic key rotation for all customer managed keys.
Answers: A, E

Key policies are the primary way to control access to KMS keys.

Why this answer

Option A is correct: the key policy is the primary access control on a KMS key, so granting kms:Encrypt and kms:Decrypt only to named roles (rather than delegating the key to the whole account through the default "Enable IAM User Permissions" statement) keeps unauthorized principals out. Option E is correct as the complementary control: automatic rotation limits how much data any one backing key protects, though it does not by itself block misuse, and earlier key material is retained so existing ciphertexts still decrypt. Option D is wrong because kms:* for every IAM user is the opposite of least privilege. Option B is wrong because deleting idle keys does nothing to prevent unauthorized use of the keys that remain, and a deleted key makes every object encrypted under it unrecoverable.

Option C is wrong because aliases are naming conveniences and carry no access control.

927
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to prevent members of the 'Developers' group from modifying IAM roles in any account. What is the most effective way to enforce this restriction?

A.Apply a service control policy (SCP) that denies IAM role modification actions to all accounts in the organization.
B.Attach an IAM policy to the Developers group in the management account that denies IAM actions.
C.Use AWS Config to detect IAM role modifications and automatically revert them.
D.Create a cross-account role in each member account that denies IAM actions.
AnswerA

Correct: SCPs apply to all accounts and cannot be overridden by IAM policies.

Why this answer

Option A is correct because an SCP attached to the organization root (or to the relevant OUs) denies the role-management actions (iam:CreateRole, iam:DeleteRole, iam:UpdateRole, iam:AttachRolePolicy, iam:PutRolePolicy and so on) in every member account, and no IAM policy inside those accounts can override it; to keep deployment and security roles working, scope the deny with an aws:PrincipalArn condition that exempts them. Option B is wrong because a group policy in the management account affects only identities in the management account. Option C is wrong because AWS Config is a detective control: it reports the change and may revert it, but the modification still happens.

Option D is wrong because a cross-account role grants access; it cannot subtract permissions from other principals. Note also that SCPs never apply to the management account itself, so the Developers group must not hold identities there.

928
Multi-Selectmedium

A company is considering using AWS Shield Advanced to protect against DDoS attacks. Which three features are included with AWS Shield Advanced? (Choose THREE.)

Select 3 answers
A.Cost protection against DDoS-related scaling charges
B.Dedicated IP addresses for EC2 instances
C.AWS Site-to-Site VPN
D.Integration with AWS WAF for web ACLs
E.24/7 access to the AWS DDoS Response Team (DRT)
AnswersA, D, E

Shield Advanced includes cost protection.

Why this answer

Options A, D and E are correct. AWS Shield Advanced includes cost protection (credits for scaling charges caused by a DDoS attack on protected resources), AWS WAF and Firewall Manager at no additional charge for protected resources, and 24/7 access to the Shield Response Team (SRT, formerly called the DDoS Response Team). Option B is wrong because dedicated IP addresses are not a Shield feature.

Option C is wrong because Site-to-Site VPN is a separate networking service and is not part of Shield Advanced.

929
MCQeasy

A company wants to encrypt data at rest in an Amazon S3 bucket. Which AWS service can centrally manage the encryption keys?

A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Key Management Service (AWS KMS)
D.AWS Secrets Manager
AnswerC

AWS KMS is a managed service for creating and controlling encryption keys.

Why this answer

Option C is correct because AWS KMS is the managed service for creating, controlling and auditing the encryption keys that S3 uses for SSE-KMS. Option A is wrong because CloudHSM provides dedicated hardware security modules that you administer yourself; S3 cannot use it as a key manager except indirectly through a KMS custom key store. Option D is wrong because Secrets Manager stores and rotates secrets such as database credentials, not S3 encryption keys.

Option B is wrong because AWS Certificate Manager manages TLS certificates, not keys for data at rest.

930
MCQeasy

A security engineer is designing a system to centrally manage IAM users and roles across multiple AWS accounts. The company uses AWS Organizations. Which AWS service should be used to manage permissions across accounts?

A.AWS Config
B.AWS Artifact
C.AWS CloudTrail
D.AWS IAM Identity Center (AWS SSO)
AnswerD

Centrally manages access across accounts.

Why this answer

Option D is correct because IAM Identity Center (formerly AWS SSO) assigns users and groups from a single identity source to permission sets across every account in the organization. Option A is wrong because AWS Config evaluates resource compliance. Option C is wrong because CloudTrail audits API activity.

Option B is wrong because AWS Artifact distributes compliance reports.

931
Multi-Selecthard

A company has a security policy that requires all IAM users to use multi-factor authentication (MFA) when accessing the AWS Management Console. The company also wants to enforce this policy using an SCP. Which TWO conditions must be met for the SCP to be effective?

Select 2 answers
A.The SCP must use a condition that checks if MFA is present.
B.The SCP must use the condition key 'aws:SourceIp' to allow only MFA-enabled IPs.
C.The SCP must require users to register MFA devices before accessing the console.
D.The SCP must be attached to the root organizational unit to apply to all accounts.
E.The SCP must be attached to individual IAM users.
AnswersA, D

The SCP uses aws:MultiFactorAuthPresent to check MFA status.

Why this answer

Options A and D are correct. The SCP must deny actions when the request was not authenticated with MFA (A), expressed with the aws:MultiFactorAuthPresent condition key, and it must be attached to the organization root (D), or be inherited by every OU, to reach all accounts. Two practical cautions: use BoolIfExists rather than Bool, because the key is absent (not false) for some principals such as service-linked roles and requests signed with long-term access keys, and exempt the IAM and STS actions a user needs to enrol a device, or new users are locked out before they can register MFA. Option B is wrong because aws:SourceIp restricts by network address and says nothing about MFA.

Option C is wrong because SCPs cannot require device registration; they can only deny calls. Option E is wrong because SCPs attach to the root, OUs and accounts, never to individual IAM users, and they do not affect the management account.

932
MCQeasy

A security engineer is reviewing AWS CloudTrail and notices `AssumeRole` API calls to a role that should not be assumed by the source identity. What is the FIRST step in the incident response process?

A.Enable AWS GuardDuty to detect future anomalies.
B.Delete the IAM role immediately.
C.Investigate the source IP address and user agent of the `AssumeRole` calls.
D.Disable the AWS account and contact support.
AnswerC

Helps determine if the activity is malicious.

Why this answer

The first step in any incident response process is to investigate and gather evidence to understand the scope and impact of the potential security event. Option C is correct because analyzing the source IP address and user agent of the `AssumeRole` API calls provides critical forensic data to determine if the activity is malicious or a false positive, without disrupting operations or destroying evidence. AWS CloudTrail logs these details, enabling the security engineer to trace the origin of the unauthorized assumption before taking any containment or remediation actions.

Exam trap

The trap here is that candidates often jump to containment actions like deleting the role or disabling the account, forgetting that the first step in incident response is always to investigate and gather evidence to confirm the threat and preserve forensic data.

How to eliminate wrong answers

Option A is wrong because enabling AWS GuardDuty is a proactive detection measure, not an immediate first step during an active incident; it would not help investigate the existing suspicious `AssumeRole` calls already logged. Option B is wrong because immediately deleting the IAM role could destroy forensic evidence, disrupt legitimate workloads that depend on the role, and is a hasty containment action that should only follow a thorough investigation. Option D is wrong because disabling the entire AWS account is an extreme, disproportionate response that would cause a complete denial of service for all users and applications, and contacting support is not a technical first step for investigation.

933
Multi-Selectmedium

A security engineer is implementing a data classification policy for an S3 bucket that contains sensitive customer data. The policy requires that all objects be encrypted at rest using AWS KMS and that any attempt to upload an unencrypted object be denied. Which THREE steps should the engineer take to enforce this policy? (Choose THREE.)

Select 3 answers
A.Enable S3 bucket keys to reduce KMS API calls.
B.Create a customer managed KMS key.
C.Enable bucket policy to enforce SSL (aws:SecureTransport).
D.Add a bucket policy that denies PutObject if s3:x-amz-server-side-encryption is not aws:kms.
E.Enable S3 default encryption with the KMS key.
AnswersB, D, E

Provides encryption key for S3.

Why this answer

Options B, D and E are correct. Option B: a customer managed KMS key gives the team its own key policy, rotation schedule and audit trail for the bucket. Option D: a bucket policy that denies s3:PutObject unless the request's s3:x-amz-server-side-encryption value is aws:kms rejects unencrypted and SSE-S3 uploads; AWS's own example adds a second deny statement with the Null operator for requests that omit the header, and s3:x-amz-server-side-encryption-aws-kms-key-id can pin the key as well. Option E: default encryption with the KMS key encrypts objects whose uploaders set no header.

Note that the bucket policy is evaluated before default encryption is applied, so a client that relies on default encryption and sends no header is still denied by the Null statement. Option C is wrong because aws:SecureTransport enforces TLS in transit, not encryption at rest. Option A is wrong because S3 Bucket Keys reduce KMS request cost; they enforce nothing.

934
Multi-Selecthard

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

Select 3 answers
A.Specify an S3 bucket to store the log files
B.Create a new CloudTrail trail
C.Create a CloudWatch Events rule to forward data events
D.Enable CloudTrail Insights to detect unusual data access
E.Enable data events for all S3 buckets in the trail configuration
AnswersA, B, E

Logs must be delivered to an S3 bucket.

Why this answer

Option A is correct because CloudTrail requires a destination S3 bucket to store the log files it generates. Without a bucket the trail cannot persist logs, and the bucket policy must allow cloudtrail.amazonaws.com to write to it. Option B is correct because data events are configured on a trail (or on a CloudTrail Lake event data store); management-event logging alone does not capture them. Option E is correct because S3 data events are opt-in and are selected in the trail's event selectors, either for all current and future buckets or for named ones; at S3 request volumes they carry a per-event charge, so many teams restrict them to the sensitive buckets.

Exam trap

The trap here is that candidates often confuse CloudTrail Insights (which analyzes management events for anomalies) with the ability to log data events, or mistakenly think a CloudWatch Events rule is needed to forward data events, when in fact data events are configured directly in the trail's event selector.

935
MCQhard

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to retain logs for 7 years to comply with regulatory requirements. The logs are accessed infrequently after the first 90 days. What is the MOST cost-effective way to meet these retention and access requirements?

A.Export logs from CloudWatch Logs to an S3 bucket, then use S3 Lifecycle policies to transition logs to S3 Glacier Deep Archive after 90 days.
B.Stream logs to an S3 bucket using Kinesis, then use S3 Lifecycle policies to transition logs to S3 Standard-IA after 90 days.
C.Set a retention policy on the CloudWatch Logs log group to 7 years and use CloudWatch Logs Insights for queries.
D.Set a retention policy on the CloudWatch Logs log group to 7 years and use CloudWatch Logs lifecycle policies to transition to Amazon S3 Glacier.
AnswerA

This approach minimizes cost by using low-cost archival storage for data rarely accessed.

Why this answer

Option A is correct because exporting log groups to S3 (a scheduled export task, or a subscription filter for continuous delivery) and transitioning the objects to S3 Glacier Deep Archive after 90 days gives seven-year retention at the lowest storage price. Option B is wrong because S3 Standard-IA costs far more than Glacier Deep Archive for data that is rarely retrieved over seven years. Option C is wrong because keeping seven years of logs in CloudWatch Logs costs much more than archival storage, and Logs Insights querying is not an archival feature.

Option D is wrong because CloudWatch Logs has no lifecycle policies that move data to Glacier; storage tiering is an S3 feature.

936
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to prevent all users in the production account from disabling AWS CloudTrail or modifying its configuration. What is the MOST effective way to achieve this?

A.Use IAM policies to deny only cloudtrail:DeleteTrail for all users.
B.Enable CloudTrail log file validation and use AWS Config to detect changes.
C.Create an SCP in AWS Organizations that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail, and similar actions.
D.Attach an IAM permissions boundary to all IAM roles in the production account that denies CloudTrail modifications.
AnswerC

SCPs can deny actions across all accounts in the organization.

Why this answer

Option C is correct because an SCP denies those CloudTrail actions for every principal in the production account, administrators included, and nothing inside the account can override it. Option A is wrong because denying only cloudtrail:DeleteTrail leaves StopLogging, UpdateTrail and PutEventSelectors available, any of which silences or narrows the trail. Option B is wrong because log file validation and AWS Config detect tampering after the fact; they do not prevent it.

Option D is wrong because a permissions boundary has to be attached to every role and user, new principals start without one, and an administrator in the account can remove it.

937
MCQeasy

A security engineer is investigating a potential compromise of an EC2 instance. The engineer needs to capture network traffic to and from the instance for forensic analysis. Which AWS service should be used to capture this traffic?

A.AWS Config
B.AWS Network Firewall
C.VPC Traffic Mirroring
D.Amazon Inspector
AnswerC

VPC Traffic Mirroring replicates network traffic for analysis.

Why this answer

VPC Traffic Mirroring captures and inspects network traffic at the Elastic Network Interface (ENI) level by copying packets from a source ENI to a target, such as a Network Load Balancer or another ENI. This allows the security engineer to perform deep packet inspection and forensic analysis without impacting the production traffic flow. It supports both IPv4 and IPv6 traffic and can filter by protocol, port, or packet direction, making it ideal for incident response scenarios.

Exam trap

The trap here is that candidates confuse VPC Traffic Mirroring with AWS Network Firewall, assuming that a firewall inherently captures traffic, but Network Firewall only inspects and filters traffic in-line without providing a separate packet capture stream for forensic analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config is a resource inventory and compliance auditing service that records configuration changes, not network traffic. Option B is wrong because AWS Network Firewall is a managed firewall service that filters traffic at the VPC level but does not capture or mirror traffic for forensic analysis; it blocks or allows traffic based on rules. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and unintended network exposure, not a packet capture tool.

938
Multi-Selectmedium

A security engineer is designing a threat detection solution for a multi-account AWS environment. The engineer needs to detect and respond to suspicious API activity across all accounts. Which TWO services should be used together to achieve this? (Choose two.)

Select 2 answers
A.Amazon CloudWatch
B.Amazon GuardDuty
C.AWS Security Hub
D.Amazon Inspector
E.AWS Config
AnswersB, C

GuardDuty analyzes CloudTrail, DNS, and VPC Flow Logs for threats.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior across AWS accounts, including suspicious API activity. By enabling GuardDuty in all accounts and aggregating findings to a central administrator account, it provides the necessary detection layer for multi-account environments.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (a findings aggregation and compliance service) with a primary detection tool, but Security Hub itself does not generate threat detections—it ingests findings from GuardDuty and other services, so both are needed together.

939
MCQeasy

A company wants to monitor failed SSH login attempts to its EC2 instances. Which AWS service should be used to collect and analyze these logs?

A.VPC Flow Logs
B.Amazon CloudWatch Logs with the unified CloudWatch agent
C.AWS CloudTrail
D.AWS Config
AnswerB

The CloudWatch agent can collect OS logs and deliver them to CloudWatch Logs for analysis.

Why this answer

Amazon CloudWatch Logs with the unified CloudWatch agent is the correct choice because the agent can be configured to collect and forward system log files, such as /var/log/secure (Amazon Linux) or /var/log/auth.log (Ubuntu), which record SSH authentication attempts including failures. This allows centralized monitoring and analysis of failed SSH logins via CloudWatch Logs Insights or metric filters.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network-level) with OS-level logs, or assume CloudTrail captures all activity including guest OS events, when in fact CloudTrail only records AWS API calls, not in-OS authentication logs.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture metadata about network traffic (IP addresses, ports, protocols) but do not log application-level events like SSH authentication failures. Option C is wrong because AWS CloudTrail records API calls made to the AWS control plane (e.g., EC2 RunInstances) but does not capture guest OS-level logs such as SSH login attempts. Option D is wrong because AWS Config tracks resource configuration changes and compliance, not operating system log events.
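
The analysis side of Option B, as an added example written for this page (not the page's or AWS's code): a parser for the OpenSSH lines the CloudWatch agent ships from /var/log/secure, aggregating failures per source address. The log lines, host name and addresses in 203.0.113.0/24 are constructed; the agent configuration fragment is the shape the unified agent uses, with an assumed log group name.

```python
"""Parse OpenSSH authentication failures from /var/log/secure style lines and
aggregate them per source IP. Added example for this page, not AWS code; the
log lines are constructed and the log group name is an assumption."""
import re
from collections import defaultdict

# Agent-side configuration this example assumes: ship the file to a log group.
AGENT_CONFIG_SNIPPET = {"logs": {"logs_collected": {"files": {"collect_list": [
    {"file_path": "/var/log/secure", "log_group_name": "/ec2/ssh-auth",
     "log_stream_name": "{instance_id}"}]}}}}

# Metric filter term for a plain-text log group; the alarm sits on its count.
METRIC_FILTER_PATTERN = '"Failed password"'

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>[\d.:a-fA-F]+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>[\d.:a-fA-F]+)")

# Constructed sample: one legitimate key login, a short password spray from
# 203.0.113.5, and one internal typo followed by a successful login.
CONSTRUCTED_LINES = """\
Mar  4 10:15:22 ip-10-0-1-23 sshd[1234]: Accepted publickey for ec2-user from 10.0.1.5 port 50112 ssh2: ED25519 SHA256:abc
Mar  4 10:15:40 ip-10-0-1-23 sshd[1240]: Invalid user admin from 203.0.113.5 port 41222
Mar  4 10:15:41 ip-10-0-1-23 sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 41222 ssh2
Mar  4 10:15:43 ip-10-0-1-23 sshd[1241]: Failed password for root from 203.0.113.5 port 41230 ssh2
Mar  4 10:15:44 ip-10-0-1-23 sshd[1242]: Failed password for root from 203.0.113.5 port 41231 ssh2
Mar  4 10:16:01 ip-10-0-1-23 sshd[1250]: Failed password for ec2-user from 10.0.1.9 port 50200 ssh2
Mar  4 10:16:05 ip-10-0-1-23 sshd[1251]: Accepted password for ec2-user from 10.0.1.9 port 50200 ssh2
""".splitlines()


def failed_ssh_logins(lines):
    """Per source IP: number of failed password attempts and the user names tried."""
    summary = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            summary[m["ip"]]["failures"] += 1
            summary[m["ip"]]["users"].add(m["user"])
            continue
        m = INVALID.search(line)
        if m:  # the name was rejected before any password was tried
            summary[m["ip"]]["users"].add(m["user"])
    return dict(summary)


def brute_force_sources(lines, threshold=3):
    """Source IPs at or above the failure threshold: the input for an alarm or a block."""
    return sorted(ip for ip, s in failed_ssh_logins(lines).items()
                  if s["failures"] >= threshold)


if __name__ == "__main__":
    for ip, s in failed_ssh_logins(CONSTRUCTED_LINES).items():
        print(ip, s["failures"], sorted(s["users"]))
    print("block:", brute_force_sources(CONSTRUCTED_LINES))
```

In CloudWatch the same aggregation is a Logs Insights query that parses the user and address out of @message and runs stats count() by the address; the metric filter and alarm give the page, and this per-IP view tells you whether the source is a single spraying host worth blocking or an internal operator with a wrong password.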

940
Multi-Selecthard

A company is using AWS Organizations and wants to enable a central security team to view API activity across all member accounts. Which THREE steps are required? (Choose THREE.)

Select 3 answers
A.Grant the security team read access to the central S3 bucket via bucket policy or IAM.
B.Enable CloudTrail in the management account only.
C.Configure each account's CloudTrail to deliver logs to a central S3 bucket in the security account.
D.Enable CloudTrail in each member account.
E.Create an IAM role in each account for the security team to assume.
AnswersA, C, D

Access must be granted to view the logs.

Why this answer

Options A, C and D are correct. CloudTrail must be active in each member account, each trail must deliver to the central bucket in the security account (whose bucket policy grants cloudtrail.amazonaws.com s3:PutObject under the AWSLogs/<account-id>/ prefix for every source account), and the security team needs s3:GetObject and s3:ListBucket on that bucket. Option B is wrong because a trail in the management account alone records only that account's activity; an organization trail would cover every account, but that is not what Option B describes.

Option E is wrong because the team reads a bucket in its own account, so IAM permissions there suffice; no role in every member account is needed.

941
MCQmedium

Refer to the exhibit. A security engineer runs this AWS CLI command to investigate root user logins. The output shows a successful ConsoleLogin event. What should the engineer do next to improve security?

A.Delete the root user account.
B.Disable the root user password and require all logins via IAM users.
C.Enable IAM Access Analyzer to detect and alert on root user activity.
D.Enable multi-factor authentication (MFA) for the root user.
AnswerD

Protect the root user with MFA; alert on root activity with CloudTrail, not Access Analyzer.

Why this answer

Option D is correct. A successful root ConsoleLogin means the most powerful credential in the account is in use; the immediate hardening step is to make sure a hardware or virtual MFA device is registered for it, and to check the event's sourceIPAddress and additionalEventData.MFAUsed to decide whether this login was expected. Root sign-ins should also raise an alert, which is done with a CloudTrail-backed CloudWatch metric filter or an EventBridge rule on userIdentity.type = Root. Option C is wrong because IAM Access Analyzer reports resources shared outside the account and unused access; it does not monitor root sign-ins.

Option A is wrong because the root user cannot be deleted. Option B is wrong because a standalone account's root password cannot be disabled; root should instead be locked down with MFA and kept out of daily work. (Centralized root access in AWS Organizations can remove root credentials from member accounts, but that is not among the choices.)

942
MCQeasy

A security team detects that an IAM user's access keys are being used from an unusual geographic location. Which AWS service provides this type of anomaly detection?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerC

GuardDuty detects anomalous behavior such as unusual geographic access.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including anomalous API calls from unusual geographic locations. It uses machine learning models and integrated threat intelligence to analyze AWS CloudTrail management events, VPC Flow Logs, and DNS logs, making it the correct service for detecting IAM user access key usage from an unexpected region.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, but CloudTrail only records events and does not analyze them for anomalies—GuardDuty is the service that performs the analysis and generates findings.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for monitoring IAM user activity or geographic anomalies. Option B is wrong because AWS CloudTrail is a governance, compliance, and auditing service that records API activity but does not perform real-time anomaly detection or flag unusual geographic patterns on its own. Option D is wrong because AWS Config is a resource inventory and compliance service that evaluates resource configurations against rules, not a threat detection service for anomalous user behavior.

943
MCQmedium

A company uses Amazon GuardDuty and AWS Security Hub. The security team wants to automatically remediate high-severity GuardDuty findings that indicate an EC2 instance is communicating with a known command and control (C&C) server. The remediation should isolate the instance by modifying the security group to deny all inbound and outbound traffic. Which solution is the most efficient?

A.Use Amazon CloudWatch Events to directly modify the security group when a GuardDuty finding is published.
B.Send Security Hub findings to Amazon EventBridge, which triggers a Lambda function to modify the security group.
C.Configure GuardDuty to automatically update the security group when a finding is generated.
D.Create an AWS Config rule that triggers a Lambda function when a security group change is detected.
AnswerB

EventBridge can route findings to Lambda for custom remediation actions.

Why this answer

Option B is correct because it leverages Security Hub as a central aggregation point for GuardDuty findings, then uses EventBridge to trigger a Lambda function that modifies the security group. This is the most efficient architecture as Security Hub normalizes findings from multiple sources, and EventBridge provides reliable, low-latency event routing to Lambda for custom remediation logic without requiring direct GuardDuty-to-security-group integration.

Exam trap

The trap here is that candidates assume GuardDuty can modify security groups itself (Option C), or that an event rule can perform the isolation on its own (Option A); the rule only matches and routes the event, and the security group change needs a target that executes it, normally a Lambda function (an SSM Automation runbook is the usual alternative).

How to eliminate wrong answers

Option A is wrong because an EventBridge (formerly CloudWatch Events) rule matches and routes events; it has no built-in target that rewrites security groups, so a Lambda function or similar target must carry out the change. Option C is wrong because GuardDuty only produces findings; it has no remediation actions of its own and hands findings to EventBridge or Security Hub. Option D is wrong because a Config rule on security group changes fires after a group is modified; it neither sees the GuardDuty finding nor initiates the isolation, and a rule that reacts to security group changes could even undo the quarantine.
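
The Lambda target described in Option B, as an added example written for this page (not AWS's code and not from the page): it reads the Security Hub event, picks out instances named in high-severity C&C findings, and swaps each network interface onto an empty quarantine security group. Assumptions: the event arrives in the "Security Hub Findings - Imported" shape, the Types string is as constructed below, the quarantine group (no inbound and no outbound rules) already exists, and the EC2 client is injected so the example runs offline against the fake client at the bottom.

```python
"""Lambda remediation target for Option B: isolate the EC2 instance named in a
high-severity C&C finding that Security Hub forwarded to EventBridge. Added
example for this page, not AWS code. Assumptions: 'Security Hub Findings -
Imported' event shape, an existing quarantine security group with no rules,
and an injected EC2 client so the fake client below can stand in for boto3."""
import re

INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[^:]+:\d{12}:instance/(i-[0-9a-f]+)$")
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def instances_to_isolate(event, min_severity="HIGH", type_marker="C&CActivity"):
    """Instance IDs from findings at or above min_severity whose Types mention C&C."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 0) < SEVERITY_RANK[min_severity]:
            continue
        if not any(type_marker in t for t in finding.get("Types", [])):
            continue
        for res in finding.get("Resources", []):
            m = INSTANCE_ARN.match(res.get("Id", ""))
            if res.get("Type") == "AwsEc2Instance" and m and m.group(1) not in ids:
                ids.append(m.group(1))
    return ids


def isolate(ec2, instance_id, quarantine_sg):
    """Move every ENI of the instance to the quarantine group. Changing each ENI
    (rather than ModifyInstanceAttribute, which only touches the primary one) is
    what actually cuts off a multi-homed instance. Returns the previous groups so
    the investigation record keeps what the instance could talk to."""
    reservation = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]
    previous = {}
    for nic in reservation["Instances"][0]["NetworkInterfaces"]:
        previous[nic["NetworkInterfaceId"]] = [g["GroupId"] for g in nic["Groups"]]
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=nic["NetworkInterfaceId"], Groups=[quarantine_sg])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Quarantined", "Value": "true"},
                          {"Key": "PreviousSecurityGroups", "Value": str(previous)}])
    return previous


def handler(event, context=None, ec2=None, quarantine_sg="sg-0123quarantine"):
    """Lambda entry point. boto3 is imported lazily so the offline demo needs no SDK."""
    if ec2 is None:
        import boto3  # assumption: the deployed function runs in Lambda with boto3
        ec2 = boto3.client("ec2")
    return {i: isolate(ec2, i, quarantine_sg) for i in instances_to_isolate(event)}


class FakeEc2:
    """Just enough of the boto3 EC2 client to run the example offline."""
    def __init__(self):
        self.groups = {"eni-0aaa": ["sg-0web", "sg-0ssh"], "eni-0bbb": ["sg-0web"]}
        self.tags = []

    def describe_instances(self, InstanceIds):
        nics = [{"NetworkInterfaceId": k, "Groups": [{"GroupId": g} for g in v]}
                for k, v in self.groups.items()]
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                                                  "NetworkInterfaces": nics}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.groups[NetworkInterfaceId] = list(Groups)

    def create_tags(self, Resources, Tags):
        self.tags.append((Resources, Tags))


# Constructed event: one HIGH C&C finding to act on, one LOW finding to ignore.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Severity": {"Label": "HIGH"},
         "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B"],
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"}]},
        {"Severity": {"Label": "LOW"},
         "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0fedcba9876543210"}]},
    ]},
}

if __name__ == "__main__":
    fake = FakeEc2()
    print(handler(SAMPLE_EVENT, ec2=fake), fake.groups)
```

The EventBridge rule that feeds this matches source aws.securityhub, detail-type "Security Hub Findings - Imported" and a Severity.Label of HIGH or CRITICAL; the function's execution role needs only ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute and ec2:CreateTags. Quarantining by security group stops new flows without touching the host, which is the point: take EBS snapshots and, if you need it, a memory capture before any step that stops or reboots the instance.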

944
MCQeasy

Refer to the exhibit. A CloudFormation template creates an S3 bucket. Which security control is NOT enabled by this template?

A.Bucket versioning
B.Bucket policy restrictions
C.Blocking public access
D.Server-side encryption
AnswerA

Versioning is not configured.

Why this answer

The template sets default encryption (AES256) and a PublicAccessBlockConfiguration and attaches a bucket policy, but it contains no VersioningConfiguration, so versioning stays disabled. Option A is correct. Option D is wrong because server-side encryption is configured.

Option C is wrong because public access is blocked. Option B is wrong because the bucket policy in the template supplies its restrictions.

945
Multi-Selecthard

A security team needs to ensure that all IAM users in a production account use multi-factor authentication (MFA) before accessing the AWS Management Console. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Use AWS Config rules to detect users without MFA.
B.Enable MFA for each IAM user.
C.Attach an IAM policy that denies console access if MFA is not present.
D.Apply an SCP that requires MFA for console access.
E.Configure an IAM password policy to require MFA.
AnswersA, B, C

Enable MFA, enforce it with a deny-unless-MFA policy, and detect drift with AWS Config.

Why this answer

Options A, B and C are correct. Each user needs a registered MFA device (B); an IAM policy that denies actions when aws:MultiFactorAuthPresent is not true, while exempting the calls needed to enrol a device, prevents console work without MFA (C); and the AWS Config managed rule mfa-enabled-for-iam-console-access reports any user who has a console password but no MFA device (A), which is how the team finds gaps after the rollout. Option E is wrong because an IAM password policy governs only password length, complexity, reuse and expiry; it cannot require MFA.

Option D is a workable organization-level alternative to C, but an SCP only denies calls, cannot register devices, and does not apply to the management account, so it is not one of the steps for a single production account.

946
MCQhard

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to a user. The user reports that they are able to stop and start instances, but they cannot terminate instances. However, the engineer notices that there is no explicit deny for termination. Why is the user unable to terminate instances?

A.The policy does not include an explicit Allow for ec2:TerminateInstances.
B.The second statement's Resource is set to '*' but the Action list does not include termination.
C.The first statement's Resource element is too restrictive and does not include the termination API call.
D.The policy has a syntax error that prevents termination from being evaluated.
AnswerA

Without an explicit Allow, the action is implicitly denied.

Why this answer

Option A is correct. The policy allows only the actions it lists (ec2:StartInstances, ec2:StopInstances and the others named); ec2:TerminateInstances is not among them, so IAM's default of implicit deny applies even though no Deny statement mentions termination.

AWS IAM starts from implicit deny, so an explicit Allow is required for every action. Option C is wrong because the instance/* resource would cover termination if the action were allowed; the resource is not the limiting factor. Option B is wrong because it attributes the result to the second statement's Resource element; the missing Allow for the action is the cause, and the '*' resource is irrelevant to it.

Option D is wrong because the policy is valid JSON and is evaluated normally.
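
The evaluation logic behind questions 931, 933, 936, 945 and 946, as one added example written for this page (not the page's or AWS's code): a small model of how IAM combines an SCP deny, a deny-unless-MFA statement, a bucket policy that requires SSE-KMS, and a plain implicit deny. It is a model, not AWS's evaluator: it covers only Allow/Deny, Action and Resource wildcards and the five condition operators these policies use, for a principal inside its own account, and the sample policies, ARNs and bucket name are constructed. The MFA policy omits the NotAction exemptions a real one needs for device enrolment.

```python
"""Minimal model of the IAM evaluation logic behind the SCP, deny-unless-MFA,
S3-encryption and implicit-deny questions above. Added example for this page,
not AWS code: Allow/Deny, Action and Resource wildcards and five condition
operators only, for a principal inside its own account (no boundaries, session
policies, NotAction or cross-account resource-policy rules)."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    # A key absent from the request context satisfies neither Bool nor the
    # String operators here; that is why the bucket policy below carries a
    # separate Null statement and the MFA policy uses BoolIfExists.
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            exp = [str(e).lower() for e in _as_list(expected)]
            present = ctx.get(key) is not None
            val = str(ctx.get(key)).lower()
            ok = {"Null": present != (exp[0] == "true"),
                  "Bool": present and val == exp[0],
                  "BoolIfExists": not present or val == exp[0],
                  "StringEquals": present and val in exp,
                  "StringNotEquals": present and val not in exp}[op]
            if not ok:
                return False
    return True


def _has_effect(policy, effect, action, resource, ctx):
    return any(s["Effect"] == effect and _matches(s["Action"], action)
               and _matches(s.get("Resource", "*"), resource)
               and _condition_holds(s.get("Condition", {}), ctx)
               for s in _as_list(policy["Statement"]))


def is_allowed(action, resource, ctx, identity, scps=(), resource_policies=()):
    """Explicit Deny anywhere wins; when SCPs apply, at least one must Allow; then
    an Allow from the identity or a same-account resource policy; else implicit deny."""
    everything = [identity, *scps, *resource_policies]
    if any(_has_effect(p, "Deny", action, resource, ctx) for p in everything):
        return False
    if scps and not any(_has_effect(p, "Allow", action, resource, ctx) for p in scps):
        return False
    return any(_has_effect(p, "Allow", action, resource, ctx)
               for p in [identity, *resource_policies])


# Constructed policies mirroring the questions (account ID and names invented).
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = ADMIN  # the default SCP attached to every root and OU
PROTECT_CLOUDTRAIL_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors"]}]}
DENY_WITHOUT_MFA = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
BUCKET = "arn:aws:s3:::customer-data"
REQUIRE_SSE_KMS = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
S3_USER = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
OPERATOR = {"Statement": [{"Effect": "Allow", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstances"]}]}
INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc123"


def evaluate_scenarios():
    """Outcome of each request the questions describe; True means allowed."""
    scps = [FULL_AWS_ACCESS_SCP, PROTECT_CLOUDTRAIL_SCP]
    mfa, sse = "aws:MultiFactorAuthPresent", "s3:x-amz-server-side-encryption"

    def put(ctx):
        return is_allowed("s3:PutObject", BUCKET + "/report.csv", ctx, S3_USER, (), [REQUIRE_SSE_KMS])

    def ec2(action, ctx, policy):
        return is_allowed(action, INSTANCE, ctx, policy)

    return {
        "admin_stop_logging_under_scp": is_allowed("cloudtrail:StopLogging", "*", {}, ADMIN, scps),
        "admin_describe_trails_under_scp": is_allowed("cloudtrail:DescribeTrails", "*", {}, ADMIN, scps),
        "mfa_present": ec2("ec2:StartInstances", {mfa: "true"}, DENY_WITHOUT_MFA),
        "mfa_false": ec2("ec2:StartInstances", {mfa: "false"}, DENY_WITHOUT_MFA),
        "mfa_key_absent_long_term_key": ec2("ec2:StartInstances", {}, DENY_WITHOUT_MFA),
        "put_with_sse_kms": put({sse: "aws:kms"}),
        "put_with_sse_s3": put({sse: "AES256"}),
        "put_without_header": put({}),
        "operator_stop": ec2("ec2:StopInstances", {}, OPERATOR),
        "operator_terminate": ec2("ec2:TerminateInstances", {}, OPERATOR),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Three of the outcomes are the ones the questions turn on: the administrator's StopLogging is denied by the SCP even though the identity policy is *:*; the MFA deny also fires when the key is absent (a long-term access key), which Bool alone would miss; and TerminateInstances is denied with no Deny statement anywhere, purely because nothing allows it. Against a real account, confirm such results with the IAM policy simulator before relying on them.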

947
MCQhard

A security engineer is designing a centralized logging solution for a multi-account AWS environment using AWS Organizations. The solution must ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the security account. Additionally, the logs must be encrypted with a KMS key that is managed by the security account. Which combination of steps is required?

A.Create a trail in each account, each delivering to the same S3 bucket. Use a bucket policy to allow cross-account writes. Use a single KMS key with appropriate key policy.
B.Use AWS Config to deliver logs to a central bucket. Enable CloudWatch Logs in each account and stream to the security account.
C.Create a trail in the management account with organization trail enabled, delivering to a bucket in the management account. Use KMS default encryption.
D.Create a trail in the security account with organization trail enabled, delivering to a bucket in the security account. Configure bucket policy and KMS key policy to allow CloudTrail and S3 from all accounts.
AnswerD

Organization trail from security account centralizes logs; proper policies allow cross-account delivery.

Why this answer

Option D is correct because an organization trail collects management events from every current and future member account into one bucket. It is created in the management account or, preferably, in a member account registered as the CloudTrail delegated administrator, which is how the security account can own both the trail and the bucket. The bucket policy must allow cloudtrail.amazonaws.com to write under the AWSLogs/<org-id>/ and AWSLogs/<management-account-id>/ prefixes with an aws:SourceArn condition naming the trail, and the KMS key policy must grant CloudTrail kms:GenerateDataKey* (scoped with the kms:EncryptionContext:aws:cloudtrail:arn condition) and give the readers kms:Decrypt. Option A would work but is not the answer: a separate trail must be created and maintained in every account, and new accounts are missed until someone adds one.

Option B is wrong because AWS Config records configuration history, not API activity, and CloudWatch Logs streaming is not required. Option C is wrong because the bucket would live in the management account rather than the security account, and the AWS managed S3 key is not a key the security account manages.

948
Multi-Selectmedium

A company wants to protect sensitive data stored in Amazon S3. Which TWO actions should the company take to meet this goal? (Choose TWO.)

Select 2 answers
A.Enable S3 Transfer Acceleration.
B.Configure S3 event notifications to send events to Amazon SNS.
C.Enable S3 Block Public Access.
D.Enable S3 Object Lock.
E.Enable default encryption on the bucket.
AnswersC, E

Block Public Access prevents public access to data.

Why this answer

Options C and E are correct. Option E: default encryption ensures every new object is encrypted at rest (since January 2023 S3 applies SSE-S3 automatically, so the meaningful choice is SSE-KMS with a customer managed key). Option C: Block Public Access overrides any ACL or bucket policy that would expose objects publicly.

Option A is wrong because Transfer Acceleration is about upload speed, not security. Option B is wrong because event notifications drive automation; they protect nothing by themselves. Option D is wrong because Object Lock prevents deletion and overwriting (write-once retention), which is integrity, not confidentiality.

949
MCQmedium

A financial services company uses AWS Organizations to manage multiple accounts. The Security team has enabled AWS CloudTrail in all accounts and logs are delivered to a central S3 bucket in the management account. The company has a requirement to detect and alert on any IAM user or role that performs a console login without multi-factor authentication (MFA) across all accounts. Currently, the team manually reviews CloudTrail logs, which is time-consuming and error-prone. They want an automated solution that uses AWS services and follows AWS best practices for security governance. The solution must be cost-effective and should not require custom code or third-party tools. What should the Security team do to meet this requirement?

A.Enable Amazon GuardDuty and create a custom rule to detect console logins without MFA.
B.Configure CloudTrail to deliver logs to Amazon CloudWatch Logs. Create a metric filter for the event name 'ConsoleLogin' with additionalEventData.MFAUsed != 'Yes'. Create a CloudWatch Alarm on the metric to send a notification via Amazon SNS.
C.Create an AWS Config managed rule to check for console logins without MFA across all accounts.
D.Use AWS IAM Access Analyzer to generate findings when IAM users log in without MFA.
AnswerB

This solution uses CloudTrail logs, CloudWatch Logs metric filter, and CloudWatch Alarm to detect and alert on console logins without MFA. It is automated, cost-effective, and requires no custom code.

Why this answer

Option B is correct because it uses only managed building blocks: the trail sends events to a CloudWatch Logs log group, a metric filter matches ConsoleLogin events whose additionalEventData.MFAUsed is not Yes, and a CloudWatch alarm on the metric notifies through SNS. To cover all accounts with one log group, point the organization trail (not the per-account trails) at CloudWatch Logs, and add userIdentity.type = IAMUser and responseElements.ConsoleLogin = Success to the filter so that federated sign-ins, whose MFA is enforced at the identity provider and is reported as MFAUsed = No, and failed attempts do not page the team. Option A is incorrect because GuardDuty does not accept custom rules and does not report MFA use on sign-in.

Option C is incorrect because AWS Config managed rules evaluate resource configuration (for example, whether a user has an MFA device assigned), not individual sign-in events. Option D is incorrect because IAM Access Analyzer reports external and unused access to resources, not login behaviour.
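
The detection in Option B, as an added example written for this page (not the page's or AWS's code): the same predicate the CloudWatch Logs metric filter applies, run over constructed CloudTrail ConsoleLogin records. The records, user names, account ID and the 203.0.113.0/24 and 198.51.100.0/24 addresses are invented; the filter pattern shown is the CIS Benchmark "console sign-in without MFA" pattern.

```python
"""Detection logic equivalent to the CloudWatch Logs metric filter in Option B,
run over constructed CloudTrail ConsoleLogin records. Added example for this
page, not AWS code; records, principals and addresses are invented."""
import json

# The metric filter this mirrors (CIS Benchmark 'console sign-in without MFA').
# The userIdentity.type and responseElements terms keep federated sign-ins
# (MFA enforced at the IdP, reported as MFAUsed = No) and failed attempts out.
METRIC_FILTER_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")'
    ' && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }')

ACCOUNT = "111122223333"  # constructed account ID


def _event(identity, mfa_used, outcome, ip):
    """One CloudTrail record serialized the way the trail delivers it to CloudWatch Logs."""
    return json.dumps({"eventVersion": "1.08", "eventSource": "signin.amazonaws.com",
                       "eventName": "ConsoleLogin", "userIdentity": identity,
                       "additionalEventData": {"MFAUsed": mfa_used},
                       "responseElements": {"ConsoleLogin": outcome},
                       "sourceIPAddress": ip})


# Constructed sample: one IAM user without MFA, one with, a SAML-federated
# login, a failed attempt, and a root login.
LOG_EVENTS = [
    _event({"type": "IAMUser", "userName": "alice",
            "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}, "No", "Success", "203.0.113.5"),
    _event({"type": "IAMUser", "userName": "bob",
            "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}, "Yes", "Success", "203.0.113.6"),
    _event({"type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SamlAdmin/dana"}, "No", "Success", "203.0.113.7"),
    _event({"type": "IAMUser", "userName": "carol",
            "arn": f"arn:aws:iam::{ACCOUNT}:user/carol"}, "No", "Failure", "203.0.113.8"),
    _event({"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}, "No", "Success", "198.51.100.7"),
]


def console_logins_without_mfa(log_events, include_root=False):
    """(principal, sourceIPAddress) for successful console sign-ins without MFA.
    Root is excluded by default to match the CIS filter; use include_root=True
    for a separate, stricter alarm on root activity."""
    types = {"IAMUser"} | ({"Root"} if include_root else set())
    hits = []
    for raw in log_events:
        r = json.loads(raw)
        ident = r.get("userIdentity", {})
        if (r.get("eventName") == "ConsoleLogin"
                and ident.get("type") in types
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            hits.append((ident.get("userName") or ident.get("arn"), r.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    print(console_logins_without_mfa(LOG_EVENTS))
    print(console_logins_without_mfa(LOG_EVENTS, include_root=True))
```

The metric filter emits a value of 1 per matching event; an alarm with a threshold of 1 or more over a five-minute period, wired to an SNS topic, is the whole pipeline. Keep the root case on its own filter and alarm: a root sign-in, with or without MFA, deserves a louder page than a user who forgot to enrol.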

950
Multi-Selectmedium

A company wants to detect and respond to potential security threats in near real-time. Which THREE AWS services should the company use together? (Select THREE.)

Select 3 answers
A.AWS Security Hub
B.Amazon Inspector
C.Amazon Detective
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersA, C, E

Security Hub aggregates findings from multiple services and provides a centralized view.

Why this answer

Options A, C and E are correct. Amazon GuardDuty generates the threat findings, AWS Security Hub aggregates and prioritizes them (and routes them to EventBridge for response), and Amazon Detective builds the graph used to investigate them. Option D is wrong because CloudTrail is a log source that GuardDuty reads, not a detection or response service.

Option B is wrong because Amazon Inspector assesses vulnerabilities in workloads; it does not detect active threats.

951
MCQeasy

A company has a VPC with multiple subnets. The security team wants to control traffic between subnets using a stateful firewall that can automatically allow return traffic. Which AWS service should be used?

A.Network ACLs
B.AWS Firewall Manager
C.AWS WAF
D.Security groups
Answer: D

Security groups are stateful and can be used for subnet-level traffic control.

Why this answer

Option D is correct because security groups are stateful and can be used to control traffic between subnets when attached to ENIs. Option A is wrong because network ACLs are stateless. Option C is wrong because AWS WAF is for web traffic at the application layer.

Option B is wrong because AWS Firewall Manager is a policy management service, not a firewall itself.

952
Multi-Select · medium

A security engineer is designing a governance framework for a multi-account AWS environment. The framework must enforce the principle of least privilege for cross-account access. Which TWO strategies should be implemented?

Select 2 answers
A.Enable AWS CloudTrail in all accounts and aggregate logs.
B.Grant full administrative access to a central security group.
C.Use a single IAM user across all accounts for administrative tasks.
D.Use IAM roles with specific permissions and trust policies for cross-account access.
E.Define service control policies (SCPs) that restrict the maximum permissions per account.
Answers: D, E

Roles allow temporary, scoped access.

Why this answer

Option D is correct because IAM roles with specific permissions and trust policies enable cross-account access without sharing long-term credentials. The trust policy defines which accounts can assume the role, and the permissions policy grants only the necessary actions, enforcing the principle of least privilege.

Exam trap

The trap here is that candidates may confuse detective controls (like CloudTrail logging) with preventive controls (like IAM roles and SCPs), or mistakenly think that sharing a single IAM user or granting broad permissions is acceptable for administrative convenience.

953
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all newly created accounts automatically have AWS CloudTrail enabled, with logs delivered to a centralized S3 bucket. Which solution meets these requirements with the least operational overhead?

A.Create an SCP that enables CloudTrail and enforces log delivery to the centralized S3 bucket.
B.Use AWS Trusted Advisor to check CloudTrail status and send alerts to the security team.
C.Create an SCP that denies actions to disable CloudTrail and modify the S3 bucket policy. Use AWS CloudFormation StackSets to deploy a CloudTrail trail in each account.
D.Use AWS Config rules with auto-remediation to enable CloudTrail in each account.
Answer: C

Correct: StackSets automate deployment of CloudTrail across accounts, and the SCP prevents disabling.

Why this answer

Option C is correct. An SCP can prevent member accounts from disabling CloudTrail or modifying the centralized S3 bucket policy, but an SCP cannot enable CloudTrail; enabling it requires a proactive deployment mechanism. AWS Control Tower would also work but is not listed, so the solution with the least operational overhead is to combine the SCP with AWS CloudFormation StackSets, which deploy a CloudTrail trail to every account in the organization.

Option A is wrong because SCPs cannot enable services, only deny actions. Option B is wrong because Trusted Advisor does not enforce configurations. Option D is wrong because AWS Config auto-remediation can enable CloudTrail in each account but involves more operational overhead than a single StackSet deployment.

954
MCQ · easy

A security engineer needs to centrally collect and analyze AWS CloudTrail logs from multiple accounts. Which service is designed for this purpose?

A.Configure each account to send logs to a central S3 bucket
B.Enable Amazon GuardDuty in each account and aggregate findings
C.Use Amazon CloudWatch Logs to stream logs from each account to a central account
D.Use AWS Organizations to create a CloudTrail trail that applies to all accounts
Answer: D

Organizations allows a single trail to log all accounts.

Why this answer

Option D is correct because AWS Organizations allows you to create a single CloudTrail trail that applies to all accounts in the organization, centrally collecting management and data events into a single S3 bucket (and optionally CloudWatch Logs). This eliminates the need to manually configure trails in each account and ensures consistent logging across the entire organization, meeting the requirement for central collection and analysis.

Exam trap

The trap here is that candidates often confuse 'centralized logging' with simply sending logs to a central S3 bucket (Option A), missing the key requirement that AWS Organizations provides a single, managed trail that applies to all accounts automatically, rather than requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because simply configuring each account to send logs to a central S3 bucket requires manual setup per account, does not enforce consistent trail configuration, and lacks native aggregation of logs from multiple accounts into a single trail for analysis. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail logs for malicious activity, but it does not centrally collect or store raw CloudTrail logs for analysis; it only provides findings. Option C is wrong because Amazon CloudWatch Logs can stream logs from multiple accounts, but it requires each account to have its own CloudTrail trail configured and then stream to a central account, which adds complexity and does not provide a single, unified trail across all accounts.

955
MCQ · easy

A company wants to centrally collect CloudTrail logs from multiple AWS accounts and enable real-time analysis. Which combination of services should be used?

A.CloudTrail, Amazon Kinesis Data Firehose, and Amazon Athena.
B.CloudTrail, Amazon S3, S3 Event Notifications, and AWS Lambda.
C.CloudTrail, Amazon CloudWatch Logs, and cross-account log subscription.
D.CloudTrail, Amazon S3, and Amazon Simple Queue Service (SQS).
Answer: B

S3 Event Notifications trigger Lambda to process logs into CloudWatch Logs for real-time analysis.

Why this answer

Option B is correct because using CloudTrail to deliver logs to a central S3 bucket, with S3 Event Notifications triggering a Lambda function that ingests the logs into CloudWatch Logs for real-time analysis, is a common pattern. Option A is wrong because Kinesis Data Firehose can be used but adds latency. Option C is wrong because CloudWatch Logs does not directly aggregate across accounts.

Option D is wrong because SQS alone does not provide analysis.

956
MCQ · hard

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the IAM role attached to the instance has an Allow policy for s3:GetObject. The S3 bucket policy includes a Deny statement with the condition 'aws:SourceIp': ['10.0.0.0/8']. What is the likely cause of the failure?

A.The IAM role’s permissions boundary is blocking the action.
B.The IAM role does not have an STS trust policy.
C.The S3 bucket is in a different region.
D.The Deny statement in the bucket policy is blocking the request because the EC2 instance’s IP falls within the 10.0.0.0/8 range.
Answer: D

The bucket policy denies all requests from the private IP range, including the EC2 instance.

Why this answer

Option D is correct because the Deny in the bucket policy overrides the Allow from the IAM role. Even though the role allows the action, the bucket policy denies it based on the source IP. Option B is wrong because roles can access S3.

Option C is irrelevant. Option A is not the cause.

957
MCQ · hard

A company wants to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI uses an EBS snapshot encrypted with a customer managed key in KMS. What is the correct procedure to allow the other account to launch an EC2 instance from this AMI?

A.Export the snapshot as an unencrypted snapshot and share it.
B.Share the AMI and have the target account create a new KMS key to encrypt the snapshot.
C.Share only the AMI; the snapshot permissions are inherited from the AMI.
D.Share the AMI, share the snapshot, and grant the target account decrypt permissions on the KMS key.
Answer: D

The target account needs access to the encrypted snapshot and the key to decrypt it.

Why this answer

Option D is correct because to share an encrypted AMI, you must share the AMI, the snapshot, and the KMS key with the target account. Option B is incorrect because the target account cannot use its own KMS key to decrypt a snapshot encrypted with a different key. Option C is incorrect because sharing the AMI alone is insufficient.

Option A is incorrect because the snapshot does not need to be exported unencrypted; the source account must instead grant the target account decrypt permissions on the existing key.

958
MCQ · easy

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to ensure that logs are encrypted at rest using a customer-managed KMS key (CMK). What configuration is required?

A.Add a KMS key policy that allows CloudWatch Logs to use the key.
B.Associate the CMK with the CloudWatch Logs log group by specifying the key ARN in the log group's encryption configuration.
C.Enable default encryption on the S3 bucket used for log export with a CMK.
D.Configure the S3 bucket policy to require SSE-KMS for log delivery.
Answer: B

You can encrypt a log group with a CMK using the console, CLI, or API.

Why this answer

Option B is correct because CloudWatch Logs uses the KMS key specified in the log group's encryption setting. Option D is wrong because CloudWatch Logs does not support specifying a KMS key via a bucket policy. Option C is wrong because S3 encryption settings apply to S3 buckets, not CloudWatch Logs.

Option A is wrong because KMS key policies grant permissions, but the log group must still be associated with the key.

959
MCQ · medium

A security engineer needs to ensure that all S3 object-level API calls (e.g., GetObject, PutObject) on the bucket 'my-bucket' are logged. The current CloudTrail configuration is as shown in the exhibit. What change should the engineer make?

A.Remove the DataResources section and add an AdvancedEventSelector for S3.
B.Change the bucket ARN to 'arn:aws:s3:::my-bucket' without a trailing slash.
C.Enable management events by setting IncludeManagementEvents to true.
D.Change the data resource value to 'arn:aws:s3:::my-bucket/' to cover all objects.
Answer: D

This includes all object-level events for the bucket.

Why this answer

Option D is correct because the current data resource only specifies the prefix 'logs/', not the entire bucket. To log all object-level events for the bucket, the value should be 'arn:aws:s3:::my-bucket/'. Option B is wrong because the bucket ARN itself is not the issue; the prefix is.

Option C is wrong because the trail already includes management events. Option A is wrong because the trail already has a data resource for S3.

960
Multi-Select · easy

A security engineer is setting up monitoring for AWS API calls. Which TWO AWS services can be used to capture and analyze API activity?

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS Config
C.Amazon Inspector
D.AWS CloudTrail
E.Amazon GuardDuty
Answers: A, D

CloudWatch Logs can receive CloudTrail events for analysis.

Why this answer

Amazon CloudWatch Logs can capture and analyze API activity by ingesting log data from various AWS services, including AWS CloudTrail. You can configure CloudWatch Logs to monitor API calls in real time, set up metric filters to detect specific patterns, and trigger alarms based on API activity. This makes it a valid service for capturing and analyzing API calls, especially when combined with CloudTrail for detailed event records.

Exam trap

The trap here is that candidates often confuse AWS Config (which records resource configuration changes) with CloudTrail (which records API calls), or they think Amazon GuardDuty directly captures API logs, when in fact it only analyzes logs from other services like CloudTrail.

961
MCQ · hard

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB). The application uses an Aurora MySQL database. The security team receives an alert from Amazon GuardDuty that a specific EC2 instance is exhibiting behavior consistent with a cryptocurrency mining attack, including outbound connections to known mining pools. The instance is part of an Auto Scaling group that uses a launch template with a security group that allows outbound HTTPS traffic to 0.0.0.0/0. The security engineer needs to contain the incident while minimizing downtime for the application. The engineer has already taken a forensic snapshot of the instance's EBS volume. Which course of action should the engineer take next?

A.Modify the security group attached to the instance to deny all outbound traffic, and let Auto Scaling launch a replacement instance.
B.SSH into the instance and run a script to kill the mining process.
C.Detach the instance from the Auto Scaling group and isolate it by removing all security group rules.
D.Immediately terminate the compromised EC2 instance and allow Auto Scaling to launch a new instance.
Answer: A

This immediately blocks outbound communication from the compromised instance while Auto Scaling replaces it, minimizing downtime.

Why this answer

Option A is correct because modifying the security group to deny all outbound traffic immediately stops the cryptocurrency mining communication to known mining pools without terminating the instance, preserving forensic data. The Auto Scaling group will detect the instance's health check failure (due to the application becoming unreachable) and automatically launch a replacement instance, minimizing downtime. This approach contains the incident while allowing the application to recover through the Auto Scaling group's self-healing mechanism.

Exam trap

The trap here is that candidates may think immediate termination (Option D) is the fastest containment method, but they overlook that security group modification can contain the threat instantly without destroying evidence or causing unnecessary downtime.

How to eliminate wrong answers

Option B is wrong because SSHing into a compromised instance is unsafe; the attacker may have modified system binaries or installed rootkits, and killing the process is temporary as it could restart or the instance could be reinfected. Option C is wrong because detaching the instance from the Auto Scaling group and removing security group rules does not stop the outbound mining traffic immediately—the instance still has network access via its existing security group until rules are removed, and detaching prevents Auto Scaling from automatically replacing it. Option D is wrong because immediately terminating the instance destroys the forensic snapshot's value (the snapshot is already taken, but termination is premature) and could cause application downtime if the replacement instance takes time to launch, whereas containing via security group allows a smoother transition.

962
MCQ · hard

A security engineer is investigating a potential compromise. The engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address on port 443. The engineer needs to determine if the instance is communicating with a known command and control (C2) server. Which AWS service can the engineer use to check the reputation of the destination IP address?

A.AWS CloudTrail
B.VPC Flow Logs
C.AWS Trusted Advisor
D.Amazon GuardDuty
Answer: D

GuardDuty uses threat intelligence to detect communication with known malicious IPs.

Why this answer

Option D is correct because GuardDuty uses threat intelligence feeds to identify known malicious IPs. Option B is wrong because VPC Flow Logs only show traffic metadata, not reputation. Option A is wrong because CloudTrail does not analyze network traffic.

Option C is wrong because Trusted Advisor provides best practice checks, not IP reputation.

963
Multi-Select · medium

A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which TWO steps are required?

Select 2 answers
A.Add a bucket policy that denies access unless the request source VPC endpoint matches the created endpoint.
B.Add a bucket policy with aws:SourceVpc condition.
C.Create a VPC endpoint for S3 and attach it to the VPC.
D.Attach a VPC endpoint policy that allows the required actions.
E.Create a bucket policy that allows access from the VPC ID.
Answers: A, C

Use the aws:sourceVpce condition.

Why this answer

Options A and C are correct. C: Create a VPC endpoint for S3 and attach it to the VPC. A: Add a bucket policy that denies access unless the request comes from that VPC endpoint.

Option B is wrong because the bucket policy can reference the VPC endpoint directly. Option D is wrong because a VPC endpoint policy is not required; the bucket policy can enforce the condition. Option E is wrong because bucket policies do not have condition keys for the VPC ID directly.

964
MCQ · medium

A company uses AWS IAM Identity Center (AWS SSO) to manage access. A user is assigned to a permission set that grants AdministratorAccess. However, when the user tries to access the AWS console, they receive an error that they are not authorized. What is a possible reason?

A.The user is not assigned to the AWS account in Identity Center
B.The user has not set up MFA
C.The permission set does not include the necessary policies
D.The user does not have permissions to manage permission sets
Answer: A

Account assignment is required.

Why this answer

Option A is correct because the user may not have been granted access to the specific account. Option C is wrong because the permission set is sufficient. Option B is wrong because MFA might be required, but it is not the only cause.

Option D is wrong because whether the user can manage permission sets is unrelated to the user's own console access.

965
MCQ · hard

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The security engineer has set up a NAT gateway in a public subnet and updated the route tables accordingly. However, instances in the private subnets cannot reach the internet. The engineer checks the security group for the NAT gateway and finds that it allows all outbound traffic. What is the most likely cause of the issue?

A.The route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT gateway.
B.The NAT gateway does not have an Elastic IP address assigned.
C.The security group for the NAT gateway does not allow inbound traffic from the private subnets.
D.The network ACL for the private subnet does not allow inbound HTTP/HTTPS traffic.
Answer: C

The NAT gateway's security group must allow inbound traffic from the private subnets to forward responses.

Why this answer

Option C is correct because the NAT gateway's security group must allow inbound traffic from the private subnets to receive return traffic. Option B is incorrect because the NAT gateway automatically responds. Option D is incorrect because network ACLs are stateless and require inbound rules for return traffic.

Option A is incorrect because the private subnets' route table already has a route to the NAT gateway.

966
Multi-Select · hard

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. The bucket policy must deny all requests that do not come from the VPC endpoint. Which TWO statements are true for this configuration?

Select 2 answers
A.Use the aws:SourceIp condition key to restrict IP addresses.
B.Set the Principal to the VPC endpoint ID.
C.Use the aws:SourceVpce condition key in the bucket policy.
D.Set the Effect to Deny and include a condition for the VPC endpoint.
E.Ensure the bucket policy has an explicit Allow for the VPC endpoint.
Answers: C, D

This key restricts access to a specific VPC endpoint.

Why this answer

The aws:SourceVpce condition key restricts requests to a specific VPC endpoint. The Principal must be '*' to apply to all principals, and the Effect Deny ensures non-VPC endpoint requests are blocked.

967
MCQ · medium

A security engineer notices that an S3 bucket containing sensitive logs is publicly accessible. Which service should be used to automatically remediate this by applying a bucket policy?

A.AWS Config
B.Amazon GuardDuty
C.AWS Trusted Advisor
D.AWS CloudTrail
Answer: A

AWS Config can evaluate rules and trigger automatic remediation actions.

Why this answer

Option A is correct because AWS Config rules can be set to auto-remediate using Systems Manager Automation or Lambda functions to apply a restrictive bucket policy. Option D is incorrect because CloudTrail cannot remediate. Option B is incorrect because GuardDuty detects threats but does not remediate S3 bucket policies.

Option C is incorrect because Trusted Advisor provides best practice checks but does not automatically remediate.

968
MCQ · easy

Which AWS service can be used to detect and alert on suspicious network traffic patterns within a VPC, such as port scanning or unusual outbound traffic?

A.AWS WAF
B.Amazon GuardDuty
C.AWS Network Firewall
D.VPC Flow Logs
Answer: B

GuardDuty uses machine learning and threat intelligence to detect suspicious network activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors VPC Flow Logs, DNS logs, and CloudTrail events to identify suspicious network traffic patterns such as port scanning, unusual outbound traffic, and other malicious activities. It uses machine learning, anomaly detection, and integrated threat intelligence to generate security alerts without requiring manual rules or signatures.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (a raw data source) with a detection service, or assume AWS Network Firewall's stateful inspection includes anomaly-based alerting, when in fact GuardDuty is the only service that provides automated threat detection and alerting for network patterns like port scanning and unusual outbound traffic.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting at the application layer (HTTP/HTTPS), not for detecting network-level anomalies like port scanning or unusual outbound traffic within a VPC. Option C is wrong because AWS Network Firewall is a stateful managed firewall that enforces network traffic rules (e.g., allow/deny based on IP, port, protocol) but does not perform threat detection or anomaly-based alerting for patterns like port scanning; it requires explicit rule configuration. Option D is wrong because VPC Flow Logs is a raw logging feature that captures metadata about IP traffic (e.g., source/destination IP, port, protocol) but does not analyze, detect, or alert on suspicious patterns; it only provides the data that services like GuardDuty consume.

969
Multi-Select · medium

A security engineer needs to design a system where an EC2 instance can write logs to a CloudWatch log group. Which TWO steps are required?

Select 2 answers
A.Enable server-side encryption for the log group.
B.Attach the IAM role to the EC2 instance profile.
C.Create a CloudWatch log group resource policy that allows the EC2 instance to write logs.
D.Install and configure the CloudWatch agent on the EC2 instance.
E.Create an IAM role with the policy allowing logs:CreateLogStream and logs:PutLogEvents.
Answers: B, E

The role must be attached to the instance to provide credentials.

Why this answer

Options B and E are correct because the IAM role attached to the EC2 instance must have permission to write logs, and the instance must be configured to send logs. Option C is wrong because CloudWatch log groups don't have resource policies for EC2; IAM roles suffice. Option A is wrong because SSE is optional.

Option D is not counted among the two required steps, even though the CloudWatch agent needs to be installed and configured for the instance to send logs.

970
Multi-Select · medium

A company is designing a VPC with multiple subnets. The security team wants to ensure that traffic between the application tier and database tier is encrypted in transit. Which TWO actions should be taken?

Select 2 answers
A.Attach an internet gateway to the database subnet
B.Enable encryption on the database connections using TLS/SSL
C.Use security group rules to restrict traffic to the database port
D.Configure the application to use an encrypted protocol when connecting to the database
E.Use VPC Peering to connect the subnets
Answers: B, D

TLS/SSL encrypts data between application and database.

Why this answer

Options B and D are correct. Using TLS/SSL for database connections encrypts data in transit, and ensuring the application uses an encrypted protocol is fundamental. Option E is wrong because VPC Peering does not encrypt traffic.

Option C is wrong because security groups do not encrypt. Option A is wrong because an internet gateway does not provide encryption.

971
MCQ · medium

A company is running a critical application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB reaches the EC2 instances. How can this be achieved?

A.Use the ALB's private IP address in the EC2 security group.
B.Configure a Network ACL to allow only the ALB's subnet.
C.Reference the ALB's security group in the EC2 security group inbound rule.
D.Use the ALB's public IP address in the EC2 security group.
Answer: C

Securely restricts traffic to the ALB.

Why this answer

Option C is correct because referencing the ALB's security group in the EC2 security group ensures only traffic from the ALB is allowed. Option A is wrong because the ALB's private IP can change. Option D is wrong because public IPs are not used.

Option B is wrong because a Network ACL would affect all instances in the subnet.

972
MCQ · hard

An IAM policy includes: { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/MyRole" }. What does this allow?

A.Allows the user to create the role MyRole.
B.Allows the user to pass the role MyRole to an AWS service like Lambda.
C.Allows the user to assume the role MyRole.
D.Allows the user to attach the role to an IAM user.
Answer: B

PassRole is used when a service needs to assume a role.

Why this answer

Option B is correct because PassRole allows passing a role to an AWS service. Option C is wrong because PassRole is not about assuming the role. Option A is wrong because it is not about creating the role.

Option D is wrong because it is not about attaching the role to users.

973
MCQ · medium

Refer to the exhibit. A security engineer is investigating a potential compromise. What is the most critical finding?

A.The root user has access keys. The account summary shows AccountMFAEnabled: 1, so MFA is enabled for the root account, but AccountAccessKeysPresent: 2 indicates that the root user has two access keys.
B.The root user's console login succeeded, which indicates that the root account password is weak.
C.The root user logged in successfully from an unknown IP address.
D.The IP address 203.0.113.5 is not from the company's trusted IP range.
Answer: A

The get-account-summary output shows AccountAccessKeysPresent: 2, meaning the root account has two access keys. Root access keys are a security risk and should be removed.

Why this answer

AWS best practice is to delete root user access keys and enable MFA. The exhibit shows the root account has two access keys (AccountAccessKeysPresent: 2), which is a significant security risk. Option A correctly identifies this.

974
Multi-Select · hard

Which TWO steps are part of the forensic acquisition process for an EC2 instance suspected of being compromised?

Select 2 answers
A.Stop the instance immediately to prevent further damage.
B.Enable termination protection on the instance.
C.Terminate the instance to ensure the threat is contained.
D.Capture the instance's memory using a forensic tool.
E.Create a snapshot of the root EBS volume.
Answers: D, E

Memory contains volatile data like running processes.

Why this answer

Option D is correct because capturing the instance's memory using a forensic tool (such as LiME or F-Response) preserves volatile data—including running processes, network connections, and encryption keys—that would be lost if the instance were stopped or terminated. This is a critical step in the forensic acquisition process to gather evidence of compromise without altering the system state.

Exam trap

The trap here is that candidates often confuse incident response containment (stopping or terminating the instance) with forensic acquisition, which requires preserving both volatile memory and disk state before any changes are made.

975
Multi-Select · easy

Which TWO AWS services can be used to automatically enforce policies on resources at the time of creation? (Choose two.)

Select 2 answers
A.AWS Key Management Service (KMS)
B.AWS CloudTrail
C.AWS IAM
D.AWS Service Catalog
E.AWS Config (with automatic remediation)
Answers: D, E

Service Catalog allows creation of resources with predefined policies.

Why this answer

Options D and E are correct. AWS Service Catalog allows creation of pre-approved resources with policies, and AWS Config rules with remediation can enforce policies after creation. Option C is wrong because IAM policies are for permissions.

Option B is wrong because CloudTrail is for logging. Option A is wrong because AWS KMS is for encryption keys.
