AWS Certified Security Specialty (SCS-C02) — Questions 976-1050

1738 questions total · 24 pages · All types, answers revealed


Page 14 of 24

976 · MCQ · medium

A company wants to enforce that all IAM users in its AWS account use multi-factor authentication (MFA) for console login. Which action should be taken to ensure compliance?

A.Apply an SCP to the AWS account that mandates MFA for all users.
B.Create an IAM policy that denies access unless MFA is present and attach it to all IAM users.
C.Enable MFA on the root user and share credentials with all users.
D.Configure the account password policy to require MFA.
Answer: B

Correct: IAM policies can use conditions to require MFA for access.

Why this answer

Option B is correct because an identity-based policy with a Deny whose condition checks aws:MultiFactorAuthPresent blocks every action when the caller did not authenticate with MFA (the AWS-documented pattern leaves the MFA self-enrolment actions allowed so users can register a device). Use the BoolIfExists operator rather than Bool: requests signed with long-term access keys carry no MFA key at all, and a plain Bool condition would not match them, leaving those requests allowed. Option A is wrong because SCPs require AWS Organizations, apply to accounts rather than to individual users, and never affect the management account; the question describes a single account. Option C is wrong because MFA on the root user protects only the root user, and root credentials must never be shared. Option D is wrong because the account password policy controls password length, complexity and rotation; it cannot require MFA.

977 · MCQ · easy

A company wants to grant temporary credentials to mobile app users to access their own data in an S3 bucket. Which AWS service should be used to achieve this securely?

A.Amazon Cognito identity pools
B.AWS Key Management Service (KMS)
C.IAM users with long-term access keys
D.Amazon CloudFront signed URLs
Answer: A

Cognito identity pools provide temporary credentials for authenticated users.

Why this answer

Option A is correct because Cognito identity pools exchange an authenticated identity (from a user pool or an external provider) for temporary, scoped AWS credentials issued by STS; the IAM role's policy can use the ${cognito-identity.amazonaws.com:sub} variable so that each user reaches only their own prefix in the bucket. Option B is wrong because KMS manages encryption keys, not credentials. Option C is wrong because long-term access keys embedded in a mobile app cannot be rotated or revoked per user and are easily extracted from the binary. Option D is wrong because CloudFront signed URLs grant time-limited access to content through a distribution; they do not issue AWS credentials.

978 · MCQ · easy

A company wants to ensure that all API calls made to their AWS account are logged and immutable. They have enabled AWS CloudTrail and are delivering logs to an S3 bucket. The security team requires that logs cannot be deleted or modified by anyone, including the root user. What should they do?

A.Enable S3 Object Lock with Compliance retention mode on the bucket.
B.Enable MFA Delete on the S3 bucket.
C.Enable S3 Versioning on the bucket.
D.Add a bucket policy that denies s3:DeleteObject for all principals.
Answer: A

Compliance mode prevents any deletion, even by root, until the retention period expires.

Why this answer

Option A is correct because S3 Object Lock in compliance mode prevents every principal, including the root user, from deleting or overwriting a locked object version until its retention period expires; the period can be extended but never shortened. Object Lock requires versioning on the bucket and is best enabled when the bucket is created. Option B is wrong because MFA Delete only adds an MFA requirement to version deletion and can be turned off by the root user. Option C is wrong because versioning alone does not stop a noncurrent version from being deleted. Option D is wrong because a bucket policy can be edited or removed by the root user or by any principal with s3:PutBucketPolicy. CloudTrail log file validation complements Object Lock: its signed digest files give independent evidence that delivered log files were not modified.

979 · MCQ · easy

The IAM policy in the exhibit (not reproduced on this page) is attached to a role used by an EC2 instance to send logs to CloudWatch Logs. The instance is unable to send logs. What is the MOST likely issue?

A.The policy is designed for the CloudWatch Logs service, not for an EC2 instance role.
B.The policy does not include logs:DescribeLogGroups.
C.The resource ARN is incorrect.
D.The log group does not exist.
Answer: A

The exhibit names logs.amazonaws.com as the Principal; a permissions policy attached to a role has no Principal element at all.

Why this answer

Option A is correct because the exhibit grants logs:CreateLogStream and logs:PutLogEvents but sets the Principal to the CloudWatch Logs service, which makes it a trust-style or resource-based document rather than a permissions policy for the instance role. Identity-based policies attached to a role carry no Principal element; the principal is implicit in the role. The role needs an identity-based policy granting those actions (plus logs:CreateLogGroup if the agent is expected to create the group), and the instance profile must reference that role. Option B is wrong because logs:DescribeLogGroups is not required to put events into an existing log group. Option C is wrong because the resource ARN in the exhibit is correct. Option D is wrong because the log group exists.

980 · Multi-Select · hard

A company wants to enforce encryption in transit for all traffic between its VPC and on-premises data center over AWS Direct Connect. Which TWO configurations can achieve this?

Select 2 answers
A.Use a public virtual interface with Direct Connect and configure an IPsec VPN over it.
B.Use a Site-to-Site VPN connection over the internet.
C.Use a Direct Connect Gateway and configure an IPsec VPN over the private virtual interface.
D.Use a Transit VPC architecture with VPN attachments.
E.Use a private virtual interface with Direct Connect.
Answers: A, C

An IPsec tunnel carried over the Direct Connect connection encrypts the traffic; Direct Connect by itself does not.

Why this answer

Option A (IPsec VPN over a public VIF) and Option C (IPsec VPN over a private path through a Direct Connect gateway) are correct: Direct Connect is a dedicated private link but carries traffic in cleartext, so encryption in transit comes from an IPsec VPN running over it. A Site-to-Site VPN over a public VIF reaches the public IP addresses of the AWS VPN endpoints; the AWS Private IP VPN variant terminates on a transit gateway reached through a Direct Connect gateway over a transit virtual interface. Option B is wrong because a VPN over the internet does not use Direct Connect at all. Option D is wrong because Transit VPC is a routing topology and encrypts nothing on its own. Option E is wrong because a private VIF does not encrypt traffic. On dedicated connections, MACsec can additionally encrypt the Layer 2 link between the customer router and the AWS device.

981 · MCQ · easy

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to detect users without MFA and automatically send a notification?

A.AWS Trusted Advisor
B.AWS CloudTrail
C.AWS Config
D.AWS IAM
Answer: C

Config can evaluate resources against rules and emit compliance-change events that drive notifications.

Why this answer

Option C is correct because AWS Config has managed rules (iam-user-mfa-enabled, and mfa-enabled-for-iam-console-access for users with console passwords) that evaluate each IAM user; when a user becomes NON_COMPLIANT, Config emits a compliance-change event that an EventBridge rule can route to an SNS topic, or a remediation action can act on directly. Option A is wrong because Trusted Advisor's security checks report MFA on the root account and do not evaluate every IAM user or notify on their own. Option B is wrong because CloudTrail records API events and does not evaluate resource configuration. Option D is wrong because IAM exposes credential reports but does not detect and notify by itself.

982 · MCQ · hard

Refer to the exhibit (not reproduced on this page). It is one record from a VPC Flow Log in the default format. A security analyst notices that the record shows ACCEPT for a connection from 10.0.1.5 to 10.0.2.10 on port 443, although the analyst expected the connection to be denied. Which field in the flow log record indicates that the connection was accepted?

A.The action field (ACCEPT)
B.The version field (2)
C.The protocol field (6)
D.The destination port field (443)
Answer: A

The action field indicates whether the flow was accepted or rejected.

Why this answer

Option A is correct. In the default flow log format the action field, thirteenth in the record, holds ACCEPT or REJECT and is the only field that states the verdict. The other options name fields at their default-format positions: Option B is wrong because the version field (first) is 2, which only identifies the record format. Option C is wrong because the protocol field (eighth) is 6, meaning TCP. Option D is wrong because the destination port field (seventh) is 443, the service port. An ACCEPT for traffic that should have been blocked usually means a security group or network ACL rule is broader than intended; a flow log records the verdict at the ENI, so a REJECT can come from either control.
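The field positions above, as a parser (an added example, not part of the original question bank). It reads default-format version 2 records, tolerates NODATA/SKIPDATA records, and flags accepted flows the analyst expected to be rejected. The sample records are constructed (RFC 5737 and RFC 1918 addresses, a placeholder account ID and ENI ID).

```python
"""Parse VPC Flow Log records in the default (version 2) format and flag
accepted flows the analyst expected to be rejected.

Added example, not part of the original question bank. The records in
SAMPLE_LINES are constructed (RFC 5737 / RFC 1918 addresses, a placeholder
account ID and ENI ID); the field order is the documented default format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default-format field order. 1-based positions that matter for Q982:
# version=1, srcaddr=4, dstaddr=5, srcport=6, dstport=7, protocol=8,
# action=13, log-status=14.
DEFAULT_FIELDS = ("version", "account_id", "interface_id", "srcaddr",
                  "dstaddr", "srcport", "dstport", "protocol", "packets",
                  "bytes", "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]      # IANA number: 6 = TCP, 17 = UDP
    packets: Optional[int]
    bytes: Optional[int]
    start: Optional[int]         # epoch seconds
    end: Optional[int]
    action: Optional[str]        # ACCEPT or REJECT; None for NODATA/SKIPDATA
    log_status: str              # OK, NODATA or SKIPDATA


def _opt_str(v: str) -> Optional[str]:
    return None if v == "-" else v


def _opt_int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def parse_flow_record(line: str) -> FlowRecord:
    """Split one default-format record into typed fields ('-' becomes None)."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(
        version=int(f["version"]), account_id=f["account_id"],
        interface_id=f["interface_id"],
        srcaddr=_opt_str(f["srcaddr"]), dstaddr=_opt_str(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]), packets=_opt_int(f["packets"]),
        bytes=_opt_int(f["bytes"]), start=_opt_int(f["start"]),
        end=_opt_int(f["end"]), action=_opt_str(f["action"]),
        log_status=f["log_status"],
    )


def unexpected_accepts(lines: Iterable[str], expected_rejects) -> List[FlowRecord]:
    """Return ACCEPT records whose (srcaddr, dstaddr, dstport) the analyst
    expected a security group or network ACL to reject. NODATA/SKIPDATA
    records carry no addresses and never match."""
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec.action == "ACCEPT" and (rec.srcaddr, rec.dstaddr, rec.dstport) in expected_rejects:
            hits.append(rec)
    return hits


# Constructed sample: the Q982 flow, a rejected SSH probe, and a NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.10 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.10 51000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for rec in unexpected_accepts(SAMPLE_LINES, {("10.0.1.5", "10.0.2.10", 443)}):
        print(f"unexpected ACCEPT: {rec.srcaddr} -> {rec.dstaddr}:{rec.dstport} proto {rec.protocol}")
```

If a flow log was created with a custom format, the field order follows that format string instead of DEFAULT_FIELDS; the parser must be given that order or it will mislabel fields silently.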

983 · MCQ · hard

A security engineer is analyzing an IAM policy that is attached to a group. The policy is intended to allow users to manage their own credentials. However, users are reporting that they cannot change their password. The policy is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetAccountPasswordPolicy"], "Resource": "*" } ] } What is the issue?

A.The policy does not include the iam:UpdateLoginProfile action.
B.The policy should be attached to the user instead of the group.
C.The policy is missing the iam:CreateLoginProfile action.
D.The policy resource is set to "*", but ChangePassword requires the resource to be the specific user ARN.
Answer: D

The key treats iam:ChangePassword as requiring the user's own ARN as the resource.

Why this answer

Option D is the key's answer: it holds that iam:ChangePassword must be scoped to the calling user's ARN, so a wildcard resource fails. Practitioner note: the documented self-service pattern scopes the resource to arn:aws:iam::*:user/${aws:username} as a least-privilege measure, but the API only ever changes the caller's own password, and IAM accepts a Resource of "*" for it. If users holding this policy still cannot change their password, check the account password policy (the setting that allows users to change their own password) and look for an explicit Deny in another attached policy or in an SCP. Option A is wrong because iam:UpdateLoginProfile is the administrative action for setting another user's password. Option B is wrong because a policy attached to a group applies to every member. Option C is wrong because iam:CreateLoginProfile creates a console password for a user who has none.

984 · MCQ · easy

A company's security team wants to detect unauthorized S3 bucket access attempts in real time. Which service should they use to generate alerts when an IAM user attempts to access a bucket without proper permissions?

A.Amazon GuardDuty
B.AWS CloudTrail with CloudWatch alarms
C.S3 server access logs
D.AWS Config
Answer: B

CloudTrail logs every API call it is configured to record; a metric filter on the error code raises an alarm within minutes.

Why this answer

AWS CloudTrail records S3 API calls, including calls that fail with errorCode AccessDenied. Delivering the trail to a CloudWatch Logs log group, adding a metric filter that matches S3 events with that error code, and putting a CloudWatch alarm on the resulting metric gives the security team an alert shortly after an IAM user's denied attempt, with the calling identity and source IP available in the event. One caveat: object-level calls such as GetObject are S3 data events, which a trail records only when data event logging is enabled for the bucket; management events alone cover bucket-level calls such as PutBucketPolicy.

Exam trap

The trap here is that candidates often choose Amazon GuardDuty because it is associated with threat detection, but they overlook that GuardDuty does not provide real-time, per-user unauthorized access alerts for S3; instead, CloudTrail with CloudWatch alarms directly captures the specific API error event needed for this use case.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty analyzes VPC flow logs, DNS logs and CloudTrail events for threat patterns; its S3 findings describe anomalous or suspicious access, not an alert for each denied request by a particular IAM user. Option C is wrong because S3 server access logs are delivered on a best-effort basis, typically hours after the request, which rules out real-time alerting. Option D is wrong because AWS Config evaluates resource configuration and tracks configuration changes; it does not observe API access attempts.

985 · MCQ · medium

A company uses AWS CloudTrail to log all API activity. The security team needs to retain the logs for 7 years and ensure they are tamper-proof. Additionally, the team must be able to query the logs for investigations. Which solution meets these requirements?

A.Store logs in AWS CloudTrail Lake and use the built-in query feature.
B.Store logs in Amazon CloudWatch Logs with a retention policy of 7 years.
C.Store logs in an Amazon S3 bucket with standard settings and use Amazon S3 Select for querying.
D.Store logs in an Amazon S3 bucket with S3 Object Lock enabled and query using Amazon Athena.
Answer: D

Object Lock provides immutability; Athena enables querying in place.

Why this answer

Option D is correct because Amazon S3 Object Lock provides a write-once-read-many (WORM) model that prevents log objects from being deleted or overwritten, giving tamper-proof retention for the full 7 years. Configure it in compliance mode with a retention period of at least 7 years (Object Lock requires versioning and is best enabled at bucket creation), and turn on CloudTrail log file validation so the digest files give independent evidence that delivered files are unmodified. Amazon Athena queries the logs directly in S3 with standard SQL, meeting the investigation requirement without moving data.

Exam trap

The trap here is that candidates often choose CloudTrail Lake (Option A) because it offers built-in querying, but they overlook the tamper-proof requirement, which only S3 Object Lock can guarantee for long-term retention.

How to eliminate wrong answers

Option A is wrong, per the key, because although CloudTrail Lake stores events immutably, retains them for up to 10 years and supports SQL queries, the event data store itself can be deleted once its termination protection is turned off; it offers no WORM retention lock comparable to Object Lock compliance mode. Option B is wrong because CloudWatch Logs, although its retention can be set as high as 10 years, lets any principal with logs:DeleteLogGroup remove the data, and Logs Insights is less suited than Athena to large historical investigations. Option C is wrong because a bucket with standard settings allows objects to be overwritten or deleted, and S3 Select filters a single object rather than querying a seven-year archive.

986 · Multi-Select · medium

An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*', 'Condition': {'IpAddress': {'aws:SourceIp': '192.0.2.0/24'}}. Which TWO statements about this policy are correct?

Select 2 answers
A.The policy allows s3:PutObject from the IP range 192.0.2.0/24.
B.Requests from outside 192.0.2.0/24 will be implicitly denied.
C.The policy allows s3:GetObject only if the bucket owner matches.
D.The policy allows anonymous access.
E.The policy allows s3:GetObject from the IP range 192.0.2.0/24.
Answers: B, E

IAM policies default to deny; if the condition is not met, the statement grants nothing.

Why this answer

Options B and E are correct: the statement allows s3:GetObject when aws:SourceIp falls within 192.0.2.0/24, and a request from any other address matches no Allow here, so it is implicitly denied unless some other policy allows it. Option A is wrong because the action is s3:GetObject, not s3:PutObject. Option C is wrong because the condition tests the caller's source IP, not the bucket owner. Option D is wrong because an IP condition does not grant anonymous access; a statement without a Principal element is an identity-based policy and applies only to the identity it is attached to. Note that aws:SourceIp holds the public IP of the request: traffic arriving through a VPC endpoint has no public source address, so such requests never satisfy this condition and need an aws:SourceVpce condition instead.

987 · MCQ · easy

A company wants to centrally manage backups for Amazon RDS instances across multiple AWS accounts. Which AWS service should be used to automate the creation and enforcement of backup policies?

A.S3 Lifecycle policies
B.AWS Backup
C.AWS CloudTrail
D.AWS Systems Manager
Answer: B

AWS Backup provides centralized backup management across accounts and Regions.

Why this answer

Option B is correct because AWS Backup supports backup policies managed through AWS Organizations, which create and enforce backup plans for Amazon RDS and other supported resources in every targeted account and Region. Option A is wrong because S3 Lifecycle rules manage object storage classes and expiry, not RDS backups. Option C is wrong because CloudTrail audits API calls. Option D is wrong because Systems Manager handles operational tasks such as patching and command execution, not backup policy.

988 · Multi-Select · hard

A company is implementing a data protection strategy for its Amazon S3 bucket that contains sensitive data. The company requires that all objects be encrypted at rest using server-side encryption with a customer managed key (SSE-KMS). Additionally, the company wants to ensure that only a specific IAM role can decrypt objects. Which THREE actions should the company take?

Select 3 answers
A.Attach an IAM policy to the specific role that grants kms:Decrypt on the customer managed key
B.Create a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms
C.Use the default S3-managed key (SSE-S3) for encryption
D.Modify the KMS key policy to allow the specific IAM role to use the key for decryption
E.Use client-side encryption with a customer managed key
Answers: A, B, D

The key policy and the role's IAM policy together limit decryption to that role.

Why this answer

Options A, B and D are correct. To enforce SSE-KMS on upload, a bucket policy denies s3:PutObject unless the request carries x-amz-server-side-encryption with the value aws:kms (add a condition on s3:x-amz-server-side-encryption-aws-kms-key-id to pin the specific key). To limit decryption to one role, KMS permission must come from both sides unless the key policy delegates to IAM: the key policy must allow the role (Option D) and the role's identity policy must grant kms:Decrypt on that key (Option A). Any other principal, even one holding s3:GetObject on the bucket, receives AccessDenied because S3 cannot unwrap the data key on its behalf. Option C is wrong because SSE-S3 uses an S3-managed key and offers no per-role control. Option E is wrong because client-side encryption is not server-side encryption and does not meet the requirement.

989 · MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled and logging to a central S3 bucket. They need to detect any account that disables or modifies its CloudTrail trail. Which approach meets these requirements with the least operational overhead?

A.Use AWS Config rules with an aggregator in the management account to evaluate CloudTrail configuration across all accounts.
B.Enable CloudTrail Insights in all accounts to detect unusual activity.
C.Enable IAM Access Analyzer in each account to monitor CloudTrail changes.
D.Create a Lambda function that periodically checks CloudTrail status in each account via the API.
Answer: A

AWS Config rules continuously evaluate compliance and re-evaluate on configuration changes.

Why this answer

AWS Config evaluates the managed rule cloud-trail-enabled in every member account once it is deployed as an organization Config rule, and an aggregator in the management or delegated administrator account collects the results into a single compliance view. The rule re-evaluates when the trail's configuration changes, so stopping logging or altering the trail surfaces as NON_COMPLIANT and can be routed to SNS through EventBridge. No custom code, scheduling infrastructure or hand-built cross-account roles are needed. To prevent rather than detect, pair this with an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail outside the security account.

Exam trap

The trap here is that candidates may think a custom Lambda function (Option D) is necessary for cross-account monitoring, overlooking that AWS Config with an aggregator natively supports multi-account evaluation with far less operational overhead.

How to eliminate wrong answers

Option B is wrong because CloudTrail Insights detects unusual API activity (for example, spikes in call volume or error rates), not configuration changes to the trail itself; it does not report whether a trail is enabled or modified. Option C is wrong because IAM Access Analyzer analyzes resource-based policies for external access and reports unused access; it cannot detect trail disablement or modification. Option D is wrong because a Lambda function that periodically checks CloudTrail status via the API requires custom code, cross-account IAM roles and scheduling infrastructure, which is more operational overhead than a managed AWS Config rule with an aggregator.

990 · Multi-Select · easy

A company is using AWS Organizations and wants to restrict the use of specific AWS services in member accounts. Which TWO approaches can be used to enforce these restrictions? (Choose TWO.)

Select 2 answers
A.Use Service Quotas to limit the number of resources per service.
B.Enable AWS CloudTrail to log service usage.
C.Apply a service control policy (SCP) to the organizational unit (OU).
D.Create IAM policies in each member account to deny access to the services.
E.Use AWS Config rules to automatically terminate resources.
Answers: C, D

An SCP denies the actions for the whole account; IAM policies deny them for principals inside it.

Why this answer

Options C and D are correct. Option C: an SCP attached to the OU denies the service's actions for every account in it, including each account's root user, and cannot be overridden from inside a member account. Option D: IAM policies in each account can deny the same actions, although an administrator in that account can edit them, so the SCP is the authoritative control. Option A is wrong because Service Quotas caps resource counts, not which services may be used. Option B is wrong because CloudTrail only records usage. Option E is wrong because AWS Config detects noncompliance and can remediate afterwards; it does not prevent the call.

991 · MCQ · hard

An organization has a VPC with public and private subnets. A NAT Gateway is deployed in a public subnet to allow instances in private subnets to access the internet. The security team notices that instances in a private subnet can reach the internet, but cannot initiate connections to an on-premises network connected via AWS Direct Connect. The on-premises network advertises a specific route. What is the most likely cause?

A.The security group assigned to the instances does not allow outbound traffic to the on-premises network.
B.The network ACL on the private subnet is blocking inbound traffic from the on-premises network.
C.The private subnet route table has a route for the on-premises CIDR pointing to the NAT Gateway.
D.The internet gateway is not attached to the VPC.
Answer: C

A static route for the on-premises CIDR pointing at the NAT gateway takes priority over the route propagated from the virtual private gateway.

Why this answer

Option C is correct. The private subnet's route table must send the on-premises CIDR to the virtual private gateway (or transit gateway); that route normally arrives by propagation from Direct Connect. If someone added a static route for the on-premises CIDR, or a more specific prefix inside it, with the NAT gateway as the target, it wins: the most specific prefix is chosen first and, for an identical prefix, a static route takes priority over a propagated one. The traffic is then handed to the NAT gateway and never reaches Direct Connect. Option A is unlikely because security groups do filter outbound traffic, but the default outbound rule allows everything and a security group would not single out on-premises destinations unless written to do so. Option B is unlikely because a network ACL blocking inbound from on-premises would drop return traffic (NACLs are stateless), but the question points at an advertised route, which is a routing symptom. Option D is wrong because the internet gateway carries internet traffic, is not on the Direct Connect path, and is clearly attached, since the instances reach the internet.
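The route-selection rules above as a small model (an added example, not part of the original question bank). It applies the two documented VPC rules that produce the Q991 fault, longest prefix first and static over propagated for an equal prefix, to a healthy private-subnet route table and to the broken one; the CIDRs and the target IDs (local, nat-0abc, vgw-0123) are constructed placeholders.

```python
"""Model how a subnet route table chooses a target, to reproduce the Q991
fault: a static route for the on-premises CIDR that points at the NAT
gateway instead of the virtual private gateway.

Added example, not part of the original question bank. Two documented VPC
rules are modelled: the most specific (longest) prefix wins, and when a
static route and a propagated route share a destination the static route
takes priority. CIDRs and target IDs are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str          # CIDR block
    target: str               # "local", a NAT gateway ID, a VGW ID, ...
    propagated: bool = False  # True if learned through VGW route propagation


def select_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route a subnet would use for dst_ip, or None if nothing matches."""
    addr = ip_address(dst_ip)
    candidates = [r for r in routes if addr in ip_network(r.destination, strict=False)]
    if not candidates:
        return None
    # Longest prefix first; for an equal prefix a static route beats a propagated one.
    return max(candidates,
               key=lambda r: (ip_network(r.destination).prefixlen, not r.propagated))


VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "10.10.0.0/16"


def healthy_private_table() -> List[Route]:
    return [
        Route(VPC_CIDR, "local"),
        Route(ONPREM_CIDR, "vgw-0123", propagated=True),  # learned from Direct Connect via BGP
        Route("0.0.0.0/0", "nat-0abc"),                    # internet egress through the NAT gateway
    ]


def broken_private_table() -> List[Route]:
    # Q991's fault: a static route for the on-premises CIDR pointing at the NAT gateway.
    return healthy_private_table() + [Route(ONPREM_CIDR, "nat-0abc")]


def diagnose(routes: List[Route], onprem_cidr: str) -> Tuple[Optional[Route], bool]:
    """Pick the route used for the first on-premises host and report whether it
    leads to a gateway that can actually reach on-premises (VGW or TGW)."""
    probe = next(ip_network(onprem_cidr).hosts())
    chosen = select_route(routes, str(probe))
    ok = chosen is not None and chosen.target.startswith(("vgw-", "tgw-"))
    return chosen, ok


if __name__ == "__main__":
    for name, table in (("healthy", healthy_private_table()), ("broken", broken_private_table())):
        route, ok = diagnose(table, ONPREM_CIDR)
        print(f"{name}: on-prem traffic -> {route.destination} via {route.target} "
              f"({'ok' if ok else 'misrouted'})")
```

The same check against a real table is a matter of feeding the output of describe-route-tables into Route objects: propagated routes are marked by the Origin field (EnableVgwRoutePropagation) and static ones by CreateRoute.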

992 · MCQ · medium

A company is designing a data protection solution for Amazon S3 that must prevent any user from accidentally deleting objects. Which combination of S3 features should be used?

A.Use S3 Cross-Region Replication to another bucket.
B.Enable S3 Object Lock with governance mode.
C.Configure S3 default encryption with SSE-KMS.
D.Enable S3 Versioning and MFA Delete.
Answer: D

Versioning preserves every object version; MFA Delete requires a multi-factor code to permanently delete a version.

Why this answer

Option D is correct because versioning keeps every object version (a delete without a version ID only adds a delete marker, so the data is recoverable) and MFA Delete requires the root user's MFA code to permanently delete a version or change the bucket's versioning state. MFA Delete can only be enabled by the root user through the CLI or API. Option A is wrong because replication copies objects to another bucket but does nothing to stop deletions at the source. Option B is wrong, per the key, because governance mode applies only to objects that have a retention period set and can be bypassed by any principal holding s3:BypassGovernanceRetention. Option C is wrong because default encryption protects confidentiality, not against deletion.

993 · Matching · medium

Match each AWS security-related acronym to its definition.

CIS: Center for Internet Security

PCI DSS: Payment Card Industry Data Security Standard

HIPAA: Health Insurance Portability and Accountability Act

SOC: System and Organization Controls

ISO/IEC 27001: International standard for information security management

Why these pairings

Common compliance frameworks and standards.

994 · Multi-Select · medium

A company has an S3 bucket that stores sensitive data. The security team wants to ensure that all objects in the bucket are encrypted at rest. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Use an SCP to deny the s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
B.Use AWS KMS to create a customer master key and assign it to the bucket.
C.Enable AWS CloudTrail to log S3 API calls.
D.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
E.Add a bucket policy that denies s3:PutObject if the object is not encrypted.
Answers: A, D

Default encryption covers every new object; the SCP makes the upload-time requirement account-wide.

Why this answer

Options A and D are correct per the key. Default encryption (Option D) encrypts every new object without the client sending a header; since January 2023 S3 applies SSE-S3 by default to all new buckets, so the setting matters mainly when SSE-KMS is required. An SCP (Option A) that denies s3:PutObject when the request lacks the header makes the requirement account-wide and cannot be undone by a bucket owner. Note that S3 evaluates bucket policies and SCPs before applying default encryption, so any such Deny rejects every upload that omits the header, including clients relying on default encryption alone; clients must send it explicitly.

Option E is marked wrong only because the key prefers the account-wide control: a bucket policy that denies unencrypted PutObject is the standard bucket-scoped form of the same check and works regardless of the uploader's permissions, because an explicit Deny always wins. Option B is wrong because creating a KMS key encrypts nothing until the bucket default or the request references it. Option C is wrong because CloudTrail records the calls and enforces nothing.

995 · Multi-Select · hard

A security engineer is designing a centralized logging solution for 10 AWS accounts. Which THREE AWS services should be used to aggregate, store, and analyze logs?

Select 3 answers
A.Amazon Kinesis Data Streams
B.AWS Organizations
C.Amazon Athena
D.Amazon CloudWatch Logs
E.Amazon S3
Answers: B, C, E

Organizations supplies the multi-account structure (and the organization trail); S3 stores; Athena analyzes.

Why this answer

Options B, C and E are correct. Amazon S3 gives durable, low-cost storage for the logs of all ten accounts; an organization trail in CloudTrail, which depends on AWS Organizations, writes every account's events to one bucket; and Amazon Athena queries them in place with SQL. Option A is wrong per the key because Kinesis Data Streams is a real-time transport, not needed when logs are stored and queried at rest. Option D is wrong per the key because CloudWatch Logs suits operational monitoring but costs more than S3 for long-term analysis; cross-account delivery to CloudWatch Logs is a valid design, which is why it is the weaker choice rather than an impossible one.

996 · MCQ · medium

A security team notices that an S3 bucket containing sensitive data is publicly accessible. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } ] } Which step should be taken to secure the bucket while maintaining access for authorized users?

A.Use AWS Config to automatically block all public access.
B.Create an IAM role with S3 access and assign it to the bucket.
C.Add a Deny statement for any IP address outside the corporate network.
D.Delete the public bucket policy and attach a new policy that allows access only through a VPC Endpoint.
Answer: D

Remove the anonymous grant and permit access only through the VPC endpoint.

Why this answer

Option D is correct because the current statement grants s3:GetObject to Principal "*", that is, to everyone including unauthenticated callers. Deleting it and attaching a policy whose Allow is conditioned on aws:SourceVpce (the endpoint ID) restores access for the authorized principals inside the VPC and nobody else; turn on S3 Block Public Access for the bucket as well so a future public policy is rejected. Option A is wrong because AWS Config is detective and, even with a remediation action, would only remove the public grant without providing an authorized path. Option B is wrong because IAM roles are assumed by principals, not assigned to buckets, and a role does nothing about the public grant. Option C is wrong because an IP-based Deny narrows the exposure but leaves the anonymous Allow in place: anyone on the corporate network, authenticated or not, still has public read, and callers using a VPC endpoint, which has no public source IP, would be denied.

997 · MCQ · hard

A company has a VPC with multiple subnets across multiple Availability Zones. The security team wants to inspect all traffic between subnets for malicious activity. Which AWS service should be used?

A.VPC Flow Logs
B.AWS Network Firewall
C.AWS WAF
D.Security groups
Answer: B

Network Firewall provides stateful inspection and intrusion prevention for VPC traffic.

Why this answer

Option B is correct because AWS Network Firewall performs stateful inspection and intrusion prevention with Suricata-compatible rules; routing inter-subnet traffic through its endpoints (typically a dedicated firewall subnet per Availability Zone, with subnet route tables pointing at the endpoint) gives the team the visibility it wants. Option A is wrong because VPC Flow Logs record flow metadata, not payloads, and block nothing. Option C is wrong because AWS WAF inspects HTTP(S) requests at CloudFront, Application Load Balancer or API Gateway, not general network traffic between subnets. Option D is wrong because security groups are stateful allow-lists evaluated per ENI; they filter by port and source but do not inspect content.

998 · MCQ · easy

A security engineer is reviewing CloudTrail logs and notices an event with the key 'eventType' set to 'AwsServiceEvent'. What does this indicate?

A.The event was initiated by an IAM user via the AWS Management Console.
B.The event was initiated by an AWS service.
C.The event was a sign-in event from the AWS Management Console.
D.The event type is an error in the log.
Answer: B

AwsServiceEvent indicates the event was generated by an AWS service.

Why this answer

Option B is correct because AwsServiceEvent indicates the event was initiated by an AWS service on behalf of the customer. Option A is wrong because that would be AwsApiCall. Option C is wrong because that would be AwsConsoleSignin.

Option D is wrong because AwsServiceEvent is a valid event type.

999 · MCQ · easy

A company wants to ensure that all Amazon EC2 instances in a VPC can only be accessed via SSH from a specific IP address range (203.0.113.0/24). Which VPC component should be used to enforce this restriction?

A.Security group
B.Route table
C.Network ACL
D.Internet gateway
Answer: C

Network ACLs are stateless subnet-level filters and can explicitly deny traffic from ranges outside the allowed one.

Why this answer

Option C is correct per the key: a network ACL is a stateless filter at the subnet boundary, so an inbound rule allowing TCP 22 from 203.0.113.0/24, a lower-priority deny for TCP 22 from 0.0.0.0/0 and an outbound allow for the ephemeral return ports enforce the restriction for every instance in the subnet regardless of instance-level settings. Option A is also a workable control: a security group that allows port 22 only from 203.0.113.0/24 implicitly denies every other source and is the more common way to do this; the key prefers the NACL because it covers all instances in the subnet, whereas a security group must be attached to each instance. Option B is wrong because a route table decides where packets go, not whether they are permitted. Option D is wrong because an internet gateway provides connectivity and is not a filter.

1000 · MCQ · medium

An organization wants to detect and alert on any IAM user that creates a new access key without using multi-factor authentication (MFA). What is the MOST efficient way to achieve this?

A.Create a CloudWatch Events rule that triggers on CreateAccessKey events, and check if the user's MFA status is inactive.
B.Analyze S3 server access logs to detect access key creation.
C.Enable AWS Config managed rule for IAM user MFA, which monitors if users have MFA enabled.
D.Use IAM Access Analyzer to monitor for unused access keys.
Answer: A

CloudTrail records the call, and an EventBridge (formerly CloudWatch Events) rule can match it in near real time.

Why this answer

Option A is correct because CloudTrail records every iam:CreateAccessKey call, and an EventBridge rule can match the event and read the caller's MFA state from userIdentity.sessionContext.attributes.mfaAuthenticated, a string "true" or "false". A call signed with a long-term access key has no sessionContext at all, so the detection should treat a missing value as "no MFA". Option B is wrong because S3 server access logs record bucket requests, not IAM API calls. Option C is wrong because the Config rule reports whether a user has an MFA device registered, not whether a particular API call was made with MFA. Option D is wrong because IAM Access Analyzer analyzes resource policies and reports unused access; it does not evaluate the MFA state of API calls.
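The two CloudTrail detections from Q984 (S3 calls failing with AccessDenied) and Q1000 (CreateAccessKey without MFA) as rule functions run over sample records (an added example, not part of the original question bank). SAMPLE_LOG is a constructed CloudTrail delivery file with placeholder account, ARN and event IDs, trimmed to the fields the rules read; in production the same predicates become a CloudWatch Logs metric filter or an EventBridge event pattern.

```python
"""Two CloudTrail detections from Q984 and Q1000: S3 AccessDenied errors and
CreateAccessKey calls made without MFA.

Added example, not part of the original question bank. SAMPLE_LOG is a
constructed CloudTrail delivery file with placeholder account, ARN and
event IDs, reduced to the fields the rules read.
"""
import json
from typing import Dict, Iterable, List


def s3_access_denied(event: Dict) -> bool:
    """Q984: any S3 API call that failed authorization."""
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("errorCode") == "AccessDenied")


def create_access_key_without_mfa(event: Dict) -> bool:
    """Q1000: iam:CreateAccessKey by a caller whose session was not MFA-authenticated.

    CloudTrail records MFA state as the string
    userIdentity.sessionContext.attributes.mfaAuthenticated. Calls signed with
    a long-term access key have no sessionContext, so the key is absent; an
    absent value is treated as 'no MFA' on purpose, since such a call cannot
    have used MFA. Calls by AWS service principals are skipped.
    """
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreateAccessKey"):
        return False
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService":
        return False
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() != "true"


RULES = {
    "s3-access-denied": s3_access_denied,
    "create-access-key-without-mfa": create_access_key_without_mfa,
}


def run_rules(records: Iterable[Dict]) -> List[Dict]:
    """Return one alert per (rule, event) match with the fields an analyst needs first."""
    alerts = []
    for event in records:
        for name, rule in RULES.items():
            if rule(event):
                alerts.append({
                    "rule": name,
                    "eventID": event.get("eventID"),
                    "eventName": event.get("eventName"),
                    "principal": event.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": event.get("sourceIPAddress"),
                })
    return alerts


# Constructed sample: four events, two of which should alert (e1 and e3).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",  # signed with a long-term key: no sessionContext
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})


def sample_alerts() -> List[Dict]:
    return run_rules(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for alert in sample_alerts():
        print(json.dumps(alert))
```

Event e2 is a successful GetObject and e4 an MFA-backed session, so neither alerts; e3 shows why the rule must not require the MFA attribute to be present before it fires.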

1001 · MCQ · medium

A company has an AWS environment with multiple accounts managed under AWS Organizations. The security team wants to enforce that all newly created S3 buckets in any account have encryption enabled by default. Which approach should the security team take?

A.Use AWS Config rules to detect unencrypted buckets and send alerts.
B.Enable S3 default encryption in each account's S3 settings.
C.Apply an IAM policy to the root user of each account to enforce bucket encryption.
D.Create a Service Control Policy (SCP) that denies the creation of S3 buckets without encryption.
Answer: D

SCPs apply to every account in the organization and prevent non-compliant actions at the API.

Why this answer

Option D is correct per the key because an SCP applies to every account in the organization, including newly created ones, and cannot be changed by a member-account administrator. Practitioner note: the CreateBucket API has no encryption parameter (encryption is set by a separate PutBucketEncryption call, and since January 2023 every new bucket gets SSE-S3 by default), so an SCP cannot literally deny creating an unencrypted bucket. The workable SCPs are a Deny on s3:PutObject when the request lacks the x-amz-server-side-encryption header or names the wrong algorithm, and a Deny on s3:PutEncryptionConfiguration that stops a bucket's default from being changed away from the required key type. Option A is wrong because Config rules detect after the fact. Option B is wrong because default encryption is a per-bucket setting in each account, not an organization-wide control. Option C is wrong because the root user cannot have IAM policies attached, and identity policies in one account cannot govern other accounts.

1002 · Multi-Select · hard

A company has an S3 bucket that contains sensitive data. The security team wants to enforce that all access to the bucket must use HTTPS and that requests originating from outside the corporate network (as defined by a specific IP range 203.0.113.0/24) must be denied. Which THREE conditions should be included in the S3 bucket policy? (Choose THREE.)

Select 3 answers
A."Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
B."Condition": {"StringLike": {"aws:Referer": "https://corporate.internal/*"}}
C."Condition": {"Bool": {"aws:SecureTransport": "true"}}
D."Effect": "Deny", "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
E."Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
Answers: C, D, E

A Deny on aws:SecureTransport false blocks plaintext HTTP; a Deny with NotIpAddress blocks every source outside the corporate range.

Why this answer

Options C, D and E are correct. HTTPS is enforced through the aws:SecureTransport key (Option C); write it as a Deny whose condition is "Bool": {"aws:SecureTransport": "false"}, because an Allow that merely requires "true" leaves HTTP requests reachable through any other Allow. Non-corporate sources are rejected by a Deny statement with NotIpAddress on aws:SourceIp for 203.0.113.0/24 (Options D and E carry the same condition; D shows it with its Deny effect). Option B is wrong because aws:Referer reflects a client-supplied HTTP header, says nothing about network location and is trivially spoofed. Option A is wrong because IpAddress with a Deny effect would deny the corporate range, the opposite of the requirement. Remember that aws:SourceIp is absent for requests arriving through a VPC endpoint or from some AWS services; a NotIpAddress Deny blocks those, so combine it with an aws:SourceVpce condition (using the ...IfExists operator forms) if such traffic is expected.

1003 · MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that when an object is retrieved, it is automatically decrypted. They have configured the S3 bucket to use SSE-KMS with a customer managed key. However, when a user downloads an object using the AWS CLI, the object is still encrypted. The IAM policy for the user includes kms:Decrypt permission. What is the MOST likely reason for this issue?

A.The KMS key policy does not allow the user to decrypt.
B.The user is using SSE-C instead of SSE-KMS.
C.The user does not have s3:GetObject permission.
D.The user is not specifying the correct encryption context in the request.
Answer: D

The key attributes the failure to an encryption-context mismatch.

Why this answer

Option D is the key's answer: it holds that decryption fails because the encryption context in the request does not match. Practitioner note: with SSE-KMS, S3 supplies the encryption context itself (the bucket or object ARN) and decrypts transparently on GetObject when the caller holds s3:GetObject and kms:Decrypt through both the identity policy and the key policy; a gap in either surfaces as an AccessDenied error on the download, never as ciphertext on disk. If the downloaded bytes really are ciphertext, the object was encrypted client-side or with SSE-C, for which the client must supply the key on every GET. Option A is wrong per the key, although in practice a key policy that omits the caller is the most common cause of a KMS-related AccessDenied. Option B is wrong per the key because the bucket is configured for SSE-KMS. Option C is wrong because a missing s3:GetObject permission fails the download outright rather than returning an undecrypted object.

1004 · MCQ · medium

A company has a requirement to automatically rotate secrets for an RDS database every 90 days. The secrets are stored in AWS Secrets Manager. Which resource should be configured to perform the rotation?

A.CloudWatch Logs subscription filter
B.Amazon EventBridge scheduled rule
C.AWS Config rule
D.AWS Lambda function
Answer: D

The Lambda rotation function performs the actual rotation.

Why this answer

Option D is correct because Secrets Manager invokes a Lambda rotation function (AWS provides templates for RDS engines) that generates the new password, updates the database user and stores the new secret version; the rotation schedule is configured on the secret itself. Option A is wrong because CloudWatch Logs subscription filters stream log data and rotate nothing. Option B is wrong because EventBridge could trigger something on a schedule, but Secrets Manager already schedules rotation and the logic lives in Lambda. Option C is wrong because AWS Config evaluates compliance (the managed rule secretsmanager-rotation-enabled-check can confirm rotation is configured) and does not perform rotation.

1005 · MCQ · easy

A company is using Amazon S3 to store sensitive data. They want to ensure that all objects uploaded to a specific bucket are encrypted using server-side encryption with AWS KMS. Which bucket policy condition should be used to enforce this?

A.Condition: 's3:x-amz-server-side-encryption-customer-algorithm': 'AES256'
B.Condition: 's3:x-amz-server-side-encryption': 'aws:kms'
C.Condition: 's3:x-amz-server-side-encryption-aws-kms-key-id': 'arn:aws:kms:...'
D.Condition: 's3:x-amz-server-side-encryption': 'AES256'
AnswerB

This enforces that the request includes the header for SSE-KMS.

Why this answer

Option B is correct because using the 's3:x-amz-server-side-encryption' condition with the value 'aws:kms' enforces that server-side encryption with KMS is used. Option D is wrong because it enforces SSE-S3. Option A is wrong because it enforces SSE-C.

Option C is wrong because it checks the KMS key ID but not the encryption method.

1006
Matchingmedium

Match each AWS CloudHSM feature to its description.


Concepts
Matches

Hardware security module

Cryptographic token interface standard

Java Cryptography Extension provider

Security standard for cryptographic modules

Why these pairings

CloudHSM provides dedicated hardware security modules.

1007
MCQeasy

A company uses Amazon CloudFront to distribute content from an S3 bucket. The security team wants to ensure that only CloudFront can access the S3 bucket. Which configuration should be used?

A.Set the bucket policy to allow all principals and rely on CloudFront to restrict access.
B.Configure the bucket policy to allow access only from CloudFront's IP addresses.
C.Create an Origin Access Identity (OAI) and grant it read access to the S3 bucket.
D.Use CloudFront trusted signers to restrict access to the S3 bucket.
AnswerC

OAI is the standard way to restrict access to CloudFront only.

Why this answer

Option C is correct because an Origin Access Identity (OAI) allows CloudFront to access S3. Option B is wrong because a bucket policy allowing CloudFront's IPs is not recommended, as the IPs can change. Option D is wrong because trusted signers are for signed URLs, not for origin access.

Option A is wrong because a bucket policy allowing all principals is too permissive.

1008
MCQhard

Your organization uses AWS Organizations with 50 member accounts. You are the security administrator for the root account. You have enabled AWS CloudTrail in all accounts and centralized the logs in an S3 bucket in the root account. You also enabled Amazon GuardDuty in the root account and have delegated an administrator account. Recently, you received an alert from GuardDuty about a potential credential compromise in a member account. The finding indicates that an IAM user in that account made an API call from an unusual IP address. You need to quickly gather all CloudTrail events for that user from the last 30 days across all accounts. The logs are stored in a single S3 bucket with a prefix structure like 'AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>'. What is the MOST efficient way to query these logs?

A.Use Amazon Athena to query the CloudTrail logs by creating a table partitioned by account, region, and date.
B.Enable AWS CloudTrail Lake and create a new event data store that includes the historical logs.
C.Download all log files from the S3 bucket for the last 30 days and parse them locally.
D.Use Amazon CloudWatch Logs Insights to query the logs from the member account.
AnswerA

Athena allows efficient SQL querying of the log data.

Why this answer

Amazon Athena is the most efficient way to query CloudTrail logs stored in S3 because it allows you to run SQL queries directly on the data without moving or downloading it. By creating a table partitioned by account, region, and date, you can quickly filter for the specific IAM user's events across all 50 accounts for the last 30 days, leveraging partition pruning to scan only the relevant log files. This approach minimizes data scanned and cost, while providing near-instant results.

Exam trap

The trap here is that candidates may think CloudTrail Lake (Option B) is the only way to query CloudTrail logs efficiently, but Athena is actually the native, cost-effective solution for querying CloudTrail logs stored in S3 without additional ingestion steps.

How to eliminate wrong answers

Option B is wrong because CloudTrail Lake requires you to create a new event data store, which would need to ingest the historical logs from S3, incurring additional costs and time for data ingestion and indexing, making it less efficient than directly querying the existing S3 logs with Athena. Option C is wrong because downloading all log files for 30 days from a multi-account S3 bucket would be extremely time-consuming, bandwidth-intensive, and impractical for 50 accounts, and parsing them locally would require significant manual effort and storage. Option D is wrong because CloudWatch Logs Insights can only query logs that are sent to CloudWatch Logs, but the CloudTrail logs are stored in S3, not in CloudWatch Logs, and even if they were, CloudWatch Logs Insights cannot query logs across multiple accounts from a single query.

1009
MCQhard

A security engineer notices that S3 server access logs are not being delivered to the specified destination bucket. The source bucket has a bucket policy that grants s3:PutObject permission to the Log Delivery group. The destination bucket is in the same AWS account but a different region. What is the most likely cause of the failure?

A.The destination bucket does not have versioning enabled.
B.The destination bucket is in a different AWS account.
C.The Log Delivery group does not have an IAM role assigned.
D.The destination bucket is in a different AWS region.
AnswerD

S3 server access logs must be delivered to a bucket in the same region.

Why this answer

S3 server access logs cannot be delivered to a bucket in a different region; the destination bucket must be in the same region as the source bucket. Option B is wrong because cross-account delivery is possible with the proper permissions. Option C is wrong because no additional IAM role is needed for server access logs.

Option A is wrong because enabling versioning is not required for log delivery.

1010
MCQeasy

A company wants to centrally collect and analyze logs from multiple AWS accounts. Which AWS service should be used to aggregate logs from various sources for monitoring and alerting?

A.Amazon S3
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs can aggregate logs from multiple sources and accounts.

Why this answer

CloudWatch Logs can aggregate logs from multiple accounts using cross-account log groups or with the help of Kinesis. Option D is correct because CloudWatch Logs is the primary log aggregation service. Option C is wrong because CloudTrail is for API logging, not general log aggregation.

Option A is wrong because S3 is storage, not a monitoring service. Option B is wrong because Config is for configuration tracking.

1011
MCQmedium

A security engineer is configuring an S3 bucket policy to restrict access to only requests that originate from a specific VPC endpoint. Which condition key should be used?

A.aws:VpcSourceIp
B.aws:SourceVpc
C.aws:SourceIp
D.aws:SourceVpce
AnswerD

This condition key restricts access to requests that originate from the specified VPC endpoint.

Why this answer

Option D is correct because 'aws:SourceVpce' restricts access to a specific VPC endpoint. Option B is wrong because 'aws:SourceVpc' restricts to a VPC, not the endpoint. Option C is wrong because 'aws:SourceIp' restricts by IP address.

Option A is wrong because 'aws:VpcSourceIp' is not a valid condition key.

1012
MCQeasy

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. The engineer wants to receive real-time notifications when a security group rule is added, modified, or removed. Which AWS service should the engineer use to capture these API calls?

A.Amazon GuardDuty
B.AWS CloudTrail
C.VPC Flow Logs
D.AWS Config
AnswerB

CloudTrail records all API calls, including security group modifications.

Why this answer

Option B is correct because CloudTrail records API calls, including EC2 AuthorizeSecurityGroupIngress and similar actions. Option C is wrong because VPC Flow Logs capture network traffic, not API calls. Option D is wrong because Config records resource state changes but not real-time API calls.

Option A is wrong because GuardDuty detects threats; it is not an API logging service.

1013
MCQmedium

Refer to the exhibit. A security engineer reviews an S3 bucket policy that is intended to allow the root user of account 123456789012 to get objects only from the 10.0.0.0/24 IP range. However, the policy is not working as expected. What is the MOST likely reason?

A.The principal is set to root, which cannot be used in bucket policies.
B.The resource ARN is incorrect because it should include the bucket name without /*.
C.The condition should use 'aws:VpcSourceIp' instead of 'aws:SourceIp' when requests come through a VPC endpoint.
D.The condition key 'aws:SourceIp' is not supported for S3 bucket policies.
AnswerC

If the request is made through a VPC endpoint, the source IP is the endpoint IP, and 'aws:VpcSourceIp' is needed.

Why this answer

Option C is correct because when requests to an S3 bucket originate from a VPC endpoint (such as a gateway VPC endpoint for S3), the source IP address is translated to the private IP of the VPC endpoint, and the `aws:SourceIp` condition key cannot be used to evaluate the original client IP. Instead, you must use the `aws:VpcSourceIp` condition key to restrict access based on the IP address of the VPC endpoint. The policy as written would fail to match any requests coming through the VPC endpoint, causing the intended restriction to not work.

Exam trap

The trap here is that candidates assume `aws:SourceIp` works universally for all S3 access scenarios, but they overlook the special behavior of VPC endpoints where the source IP is replaced, making `aws:VpcSourceIp` the correct key for IP-based restrictions in that context.

How to eliminate wrong answers

Option A is wrong because the root user of an AWS account can be specified as a principal in a bucket policy using the ARN `arn:aws:iam::123456789012:root`, and it is a valid principal for S3 bucket policies. Option B is wrong because the resource ARN `arn:aws:s3:::bucket-name/*` is correct for granting access to objects within the bucket; omitting `/*` would only grant access to the bucket itself, not its objects. Option D is wrong because `aws:SourceIp` is fully supported in S3 bucket policies for IP-based restrictions, but it does not work when the request traverses a VPC endpoint due to IP address translation.

1014
MCQhard

A company has a multi-account AWS organization with centralized logging in a Security account. The Security account contains an S3 bucket that stores CloudTrail logs from all member accounts. The bucket policy allows CloudTrail from member accounts to deliver logs. Recently, a security audit revealed that the bucket is publicly accessible. The security engineer must ensure that only authorized accounts can access the logs. The engineer updates the bucket policy to include a condition that restricts access to specific AWS accounts. However, after the change, member accounts report that CloudTrail is failing to deliver logs to the bucket. The bucket policy currently includes the following statement: { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::central-logs/*", "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } } } The Security account ID is 222222222222. What is the MOST likely cause of the delivery failure, and what should the engineer do to fix it?

A.Modify the KMS key policy to allow CloudTrail to decrypt and re-encrypt logs if SSE-KMS is enabled.
B.Update the bucket ACL to grant the CloudTrail service write access, as CloudTrail requires both bucket policy and ACL permissions.
C.Change the Principal from "*" to the CloudTrail service principal to restrict access more tightly.
D.Create an IAM role in the Security account and configure member accounts to use that role for log delivery.
AnswerB

Correct: CloudTrail checks bucket ACL for PutObject; the bucket ACL must allow CloudTrail to write.

Why this answer

Option B is correct because CloudTrail uses GetBucketAcl to verify bucket ownership. The bucket ACL must grant the CloudTrail service access, and the bucket ACL is separate from the bucket policy. The error suggests that the bucket ACL does not grant CloudTrail the necessary permissions.

Option C is incorrect because the bucket policy already allows PutObject. Option D is incorrect because CloudTrail does not need to assume a role for log delivery; it uses its own service principal. Option A is incorrect because the issue is not related to the KMS key policy but to the bucket ACL.

1015
MCQmedium

A company stores sensitive data in Amazon S3 and requires that objects are automatically encrypted using server-side encryption with AWS KMS. The bucket policy must deny any PUT request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy condition key should be used?

A.s3:x-amz-server-side-encryption
B.aws:SourceIp
C.aws:RequestedRegion
D.kms:EncryptionContext
AnswerA

This condition key evaluates the encryption header in PUT requests.

Why this answer

The condition key s3:x-amz-server-side-encryption can be used to check the header value. Condition key aws:SourceIp is for source IP; aws:RequestedRegion is for region; kms:EncryptionContext is for KMS encryption context. Option A is correct.

1016
MCQmedium

A security engineer notices that an IAM user has been using an access key that was not rotated for over 90 days. What is the BEST action to take?

A.Disable the user's access key and create a new one.
B.Do nothing; 90 days is acceptable.
C.Delete the IAM user and create a new one.
D.Notify the user and ask them to rotate the key.
AnswerA

This forces rotation and maintains access.

Why this answer

Rotating access keys regularly is a security best practice to reduce the risk of compromised keys.

1017
MCQmedium

Refer to the exhibit. A security engineer applies the IAM policy to a user, and then successfully runs the CLI command. Later, the user attempts to upload an object without specifying the ACL. What will happen?

A.The upload fails because the Deny statement explicitly denies any PutObject that does not have the ACL set to bucket-owner-full-control.
B.The upload succeeds because the bucket policy allows it.
C.The upload succeeds because the Allow statement allows PutObject without condition.
D.The upload fails because the bucket policy requires ACL to be bucket-owner-full-control.
AnswerA

The Deny statement covers all PutObject actions where the ACL is not bucket-owner-full-control. If no ACL is specified, the condition matches (StringNotEquals), and the Deny takes effect.

Why this answer

The IAM policy explicitly denies PutObject when the ACL is not set to bucket-owner-full-control. Since the user does not specify an ACL, the condition 'StringNotEquals' evaluates to true, triggering the Deny.

1018
MCQeasy

A security engineer needs to ensure that all API calls made in an AWS account are captured and retained for auditing purposes. The engineer must be able to query the logs for specific user activity over the past 90 days. Which AWS service should the engineer use to meet these requirements?

A.AWS CloudTrail
B.Amazon VPC Flow Logs
C.Amazon CloudWatch Logs
D.AWS Config
AnswerA

CloudTrail records all API calls and can be stored in S3 for long-term retention and queried with Athena.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in an AWS account, including the identity, source IP, request parameters, and response elements. By default, CloudTrail stores event history for the last 90 days, which can be queried via the Event History console or API, meeting the requirement to query logs for specific user activity over the past 90 days without additional configuration.

Exam trap

The trap here is that candidates may confuse CloudTrail's default 90-day Event History with the need to create a trail and store logs in S3, but the question explicitly states 'captured and retained for auditing purposes' and 'query the logs for specific user activity over the past 90 days,' which is exactly what the built-in Event History provides without additional configuration.

How to eliminate wrong answers

Option B is wrong because Amazon VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol) at the network interface level, not API calls or user activity, so they cannot be used to audit API-level actions. Option C is wrong because Amazon CloudWatch Logs is a service for storing, monitoring, and accessing log files from various sources (e.g., applications, AWS services), but it does not natively capture all AWS API calls; CloudTrail logs must be explicitly sent to CloudWatch Logs for that purpose, and the requirement is for a service that directly captures and retains API calls, not a downstream log destination. Option D is wrong because AWS Config evaluates and records resource configuration changes and compliance, not API calls; it tracks the state of resources over time but does not capture the API requests that caused those changes.

1019
MCQhard

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

A.Place the RDS instance in the same subnet as the application tier and use security groups
B.Use ClassicLink to connect the application tier to the RDS instance
C.Use a NAT Gateway in the application subnet to route traffic to the RDS instance
D.Deploy the RDS instance in private subnets and use an RDS VPC Endpoint (Interface) in the application subnets
AnswerD

Allows private connectivity without direct routing.

Why this answer

Option D (VPC Endpoint for RDS) is correct because it provides private connectivity without routing through subnets. Option A is wrong because direct routing would require routes between the tiers. Option B is wrong because ClassicLink is legacy.

Option C is wrong because a proxy such as a NAT Gateway is not needed.

1020
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The security team needs to ensure that all CloudFormation stacks include a specific tag with a value that complies with corporate policies. Which AWS service can enforce this requirement?

A.AWS Config
B.AWS Identity and Access Management (IAM)
C.AWS Service Catalog
D.AWS CloudTrail
AnswerC

Service Catalog can enforce tagging policies on stacks.

Why this answer

Option C is correct because AWS Service Catalog can enforce tag requirements on provisioned products. Option A is wrong because AWS Config can detect but not enforce. Option B is wrong because IAM policies can require tags but not specific values.

Option D is wrong because CloudTrail logs API calls but does not enforce anything.

1021
MCQmedium

A security engineer is investigating a potential security incident involving an EC2 instance that was used to launch an outbound DDoS attack. The engineer needs to determine the source of the attack and the commands executed on the instance. Which logs should be analyzed?

A.VPC Flow Logs and Network ACL logs
B.EC2 instance OS logs (e.g., /var/log/secure) and CloudTrail logs for API calls that launched the instance
C.S3 server access logs and CloudWatch Logs
D.AWS CloudTrail and AWS Config history
AnswerB

OS logs show commands executed; CloudTrail shows who launched the instance.

Why this answer

Option B is correct because EC2 instance logs (OS logs) capture the commands executed on the instance, and CloudTrail shows the API calls that launched it. Option A is wrong because VPC Flow Logs only show network traffic, not commands. Option D is wrong because CloudTrail and Config record API calls and configuration history, not OS commands.

Option C is wrong because S3 access logs track S3 access, not EC2 activity.

1022
MCQeasy

A company wants to centrally manage and enforce backup policies for all EC2 instances across multiple AWS accounts. Which AWS service should be used?

A.AWS Config
B.AWS CloudFormation StackSets
C.AWS Backup
D.AWS Systems Manager
AnswerC

Centralized backup service with policy enforcement.

Why this answer

AWS Backup is the correct service because it provides a centralized, policy-based solution to define and enforce backup policies across multiple AWS accounts and regions. It integrates with AWS Organizations to manage backups for EC2 instances and other supported resources, ensuring compliance with governance requirements without needing custom scripts or manual processes.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which can detect missing backups) with actual backup enforcement, or they mistakenly think CloudFormation StackSets can schedule backups, but neither service provides the centralized backup lifecycle management that AWS Backup offers.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies (e.g., compliance rules), not for creating or enforcing backup schedules. Option B is wrong because AWS CloudFormation StackSets deploy and manage infrastructure as code across accounts, but they do not natively provide backup lifecycle management or automated backup policies. Option D is wrong because AWS Systems Manager is an operations hub for patch management, automation, and inventory, but it lacks native backup policy enforcement for EC2 instances across multiple accounts.

1023
MCQhard

A company is implementing a data loss prevention (DLP) solution for data stored in Amazon S3. The data includes personally identifiable information (PII). The company wants to automatically identify and classify PII objects, then apply encryption using AWS KMS with a customer-managed key. Which AWS service should be used to identify PII?

A.AWS CloudTrail
B.Amazon Macie
C.Amazon GuardDuty
D.AWS Config
AnswerB

Macie is designed to discover and classify sensitive data in S3.

Why this answer

Option B is correct because Amazon Macie uses machine learning and pattern matching to discover sensitive data such as PII in S3. Option D is wrong because AWS Config evaluates resource configurations, not data content. Option C is wrong because Amazon GuardDuty detects threats, not PII.

Option A is wrong because AWS CloudTrail logs API calls, not data content.

1024
Multi-Selectmedium

A company wants to automate security assessments of its AWS environment. Which TWO AWS services can be used to perform vulnerability scanning and compliance checks?

Select 2 answers
A.AWS Shield
B.Amazon Inspector
C.AWS Security Hub
D.AWS WAF
E.AWS Config
AnswersB, C

Amazon Inspector scans for vulnerabilities and deviations from best practices.

Why this answer

Option B (Amazon Inspector) is correct for vulnerability scanning. Option C (AWS Security Hub) is correct for compliance checks. Option E (AWS Config) tracks resource changes but does not scan for vulnerabilities.

Option A (AWS Shield) is for DDoS protection. Option D (AWS WAF) is a web application firewall.

1025
Multi-Selecteasy

Which TWO are best practices for securing an AWS account's root user? (Choose two.)

Select 2 answers
A.Share the root user credentials with the security team.
B.Delete the root user account.
C.Enable multi-factor authentication (MFA) on the root user.
D.Delete any access keys associated with the root user.
E.Use the root user for daily administrative tasks.
AnswersC, D

MFA adds a layer of security.

Why this answer

Option C is correct because enabling multi-factor authentication (MFA) on the root user adds a second layer of security beyond the password and is the single most effective control to prevent unauthorized access to the most privileged account in an AWS environment. AWS strongly recommends MFA for the root user as it mitigates the risk of credential theft or compromise, which could lead to full account takeover and irreversible damage.

Exam trap

The trap here is that candidates may think deleting the root user (Option B) is possible or that sharing credentials with a team (Option A) is a valid security practice, when in fact AWS prohibits deletion of the root user and sharing credentials violates security best practices.

1026
MCQeasy

An IAM policy includes the following statement: 'Effect': 'Deny', 'Action': 's3:*', 'Resource': '*', 'Condition': {'Bool': {'aws:SecureTransport': 'false'}}. What does this policy do?

A.Denies all S3 actions when the request is not using HTTPS.
B.Denies all S3 actions to a specific bucket.
C.Denies all S3 actions for all users.
D.Allows all S3 actions only when using HTTPS.
AnswerA

The condition denies when SecureTransport is false (HTTP).

Why this answer

Option A is correct because the policy denies all S3 actions when the request is not using HTTPS. Option D is wrong because the statement denies, it does not allow. Option B is wrong because the statement applies to all S3 resources ('Resource': '*'), not just a specific bucket.

Option C is wrong because the Deny is conditional on aws:SecureTransport being false; it is not an unconditional denial for all users.

1027
MCQhard

A company's security policy requires that all data stored in Amazon S3 be encrypted using envelope encryption with a key hierarchy. The master key must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which solution should the company implement?

A.Use AWS KMS with a custom key store backed by AWS CloudHSM.
B.Use AWS KMS with the default KMS key store.
C.Use Amazon S3 with SSE-S3 and enable default encryption.
D.Use AWS CloudHSM to generate a master key and implement envelope encryption in the application.
AnswerA

Custom key store provides Level 3 HSMs and envelope encryption via KMS.

Why this answer

Option A is correct because AWS KMS uses envelope encryption and supports custom key stores backed by CloudHSM, which is FIPS 140-2 Level 3 validated. Option B is wrong because the KMS default key store uses FIPS 140-2 Level 2 validated HSMs. Option D is wrong because CloudHSM alone does not provide envelope encryption; you would need to implement it yourself.

Option C is wrong because S3 does not have a built-in envelope encryption feature with a key hierarchy you control.

1028
MCQeasy

A company wants to automatically detect and remediate S3 buckets that are publicly accessible. Which AWS service can be used to evaluate bucket policies against a defined rule and trigger an automated response?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
AnswerD

AWS Config rules can evaluate resource compliance and trigger remediation.

Why this answer

Option D is correct because AWS Config rules can evaluate resources and trigger remediation actions. Option B is incorrect because CloudTrail is for auditing API calls, not real-time evaluation. Option A is incorrect because GuardDuty is a threat detection service.

Option C is incorrect because Inspector is for vulnerability assessment.

1029
MCQhard

A company is designing a shared services VPC architecture with multiple VPCs connected via a transit gateway. The security engineer needs to ensure that all traffic between VPCs is inspected by a centralized firewall appliance deployed in the shared services VPC. What configuration is required?

A.Create VPC peering connections between each VPC and the shared services VPC.
B.Configure transit gateway route tables to route all inter-VPC traffic through the firewall appliance.
C.Use security groups to route traffic through the firewall.
D.Deploy a Gateway Load Balancer (GWLB) in the shared services VPC and register the firewall as a target.
AnswerB

Transit gateway route tables can send traffic to a network appliance in the shared services VPC for inspection.

Why this answer

Option B is correct because transit gateway route tables can be used to route traffic to the firewall appliance for inspection. Option A is wrong because VPC peering would bypass the firewall. Option D is wrong because a GWLB can be used, but it is not the only way; transit gateway route tables can also do it.

Option C is wrong because security groups are not for routing.

1030
MCQeasy

A company wants to grant a third-party auditor read-only access to specific CloudTrail log files stored in an S3 bucket. The auditor should not be able to list or access any other objects in the bucket. What is the most secure way to achieve this?

A.Use CloudTrail's built-in console access for the auditor.
B.Create a new IAM user for the auditor with an S3 policy that grants s3:GetObject on the entire bucket.
C.Generate pre-signed URLs for the specific log files and share them with the auditor.
D.Use a bucket policy that grants the auditor's IAM user s3:GetObject access to the specific log file prefix.
AnswerC

Pre-signed URLs provide time-limited access to specific objects without requiring AWS credentials.

Why this answer

Using S3 pre-signed URLs grants time-limited access to specific objects without requiring the auditor to have AWS credentials. Option B is wrong because it grants broad access to the entire bucket. Option D is wrong because a bucket policy granting GetObject for the auditor's IAM user still allows listing if that user has ListBucket permission.

Option A is wrong because CloudTrail does not natively provide access to the log files.

1031
MCQeasy

A company uses Amazon GuardDuty to monitor for malicious activity in their AWS account. The security team receives a GuardDuty finding that indicates an EC2 instance is communicating with a known cryptocurrency mining pool. The team needs to investigate the finding and determine which security group rules allowed the outbound traffic. The EC2 instance is in a VPC with a single security group attached. Which AWS service should the security team use to review the outbound traffic details?

A.AWS CloudTrail
B.VPC Flow Logs
C.AWS Config
D.Amazon GuardDuty
AnswerB

VPC Flow Logs record outbound traffic details.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata, including outbound connections. Option A is wrong because CloudTrail does not capture network traffic. Option D is wrong because GuardDuty provides findings but not traffic logs.

Option C is wrong because Config does not log network traffic.

1032
MCQmedium

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that when an EC2 instance is launched, the attached EBS volumes are always encrypted using a specific customer managed key. Which action will enforce this?

A.Use a service control policy (SCP) to deny ec2:RunInstances if the volume encryption key is not the required key
B.Create an IAM role that requires the ec2:RunInstances action to include the kms:KeyId condition
C.Configure the KMS key policy to allow only the specific key for EBS encryption
D.Enable encryption by default for EBS volumes in the account
AnswerA

SCPs can enforce key usage across the account.

Why this answer

Option A is correct because an SCP can deny ec2:RunInstances if the volume encryption key is not the required key. Option B is wrong because IAM roles do not enforce encryption at launch. Option C is wrong because KMS key policies control who can use the key, not which key is used.

Option D is wrong because default encryption uses the account's default key, not necessarily the required key.

1033
MCQmedium

A security engineer runs the command shown in the exhibit. What is the primary purpose of this command?

A.To generate a data key without plaintext.
B.To re-encrypt an existing encrypted file under a new key.
C.To decrypt the file secret.txt using a KMS key.
D.To encrypt the contents of secret.txt using a KMS key and store the result in encrypted_secret.txt.
AnswerD

Encrypts plaintext with KMS and saves ciphertext.

Why this answer

Option D is correct because the command uses KMS to encrypt the contents of secret.txt and writes the base64-decoded ciphertext to a file. Option C is about decrypting. Option A is about generating a data key.

Option B is about re-encrypting.

1034
MCQhard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The security team needs to monitor for unauthorized changes to security groups. They have enabled AWS Config with the security-group-change detection rule. However, they notice that changes are being detected but not all changes trigger a notification. The team wants to ensure that every security group modification (create, delete, or rule change) sends an alert to the security operations center via Amazon SNS. The current setup: AWS Config rules evaluate resources periodically, and SNS notifications are sent only when the rule compliance status changes. What should the team do to achieve real-time alerts for all security group changes?

A.Deploy Amazon GuardDuty and enable the Security Group Monitoring feature.
B.Configure an Amazon EventBridge rule that matches API calls via CloudTrail for security group modifications and sends notifications to an SNS topic.
C.Increase the frequency of AWS Config rule evaluations to every minute to reduce detection latency.
D.Enable VPC Flow Logs and set up a metric filter for security group-related traffic anomalies.
AnswerB

EventBridge rules can trigger in near real-time based on CloudTrail events, ensuring immediate notification.

Why this answer

The correct answer is B. CloudTrail logs all API calls, including security group modifications, in real time. By creating a CloudWatch Events (now Amazon EventBridge) rule that matches SecurityGroup events and targets SNS, the team can receive immediate notifications.

Option C is incorrect because AWS Config rules are not real-time; they evaluate periodically or on configuration changes but are not designed for real-time alerting. Option D is incorrect because VPC Flow Logs monitor network traffic, not security group changes. Option A is incorrect because GuardDuty focuses on threat detection, not configuration changes.

1035
Multi-Selecthard

A company has an AWS Organization with hundreds of accounts. The security team wants to enforce that no account can disable AWS CloudTrail logging. Which TWO approaches can achieve this?

Select 2 answers
A.Enable CloudTrail as a trusted service and create an organization trail.
B.Apply an IAM policy to each account's root user to prevent disabling CloudTrail.
C.Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
D.Use AWS Config to automatically re-enable CloudTrail if it is disabled.
E.Configure CloudWatch Logs to monitor CloudTrail logs and alert if logging stops.
AnswersA, C

Organization trails cannot be stopped or deleted by member accounts.

Why this answer

Options A and C are correct. An SCP can deny the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions (C), and enabling CloudTrail as a trusted service with an organization trail (A) prevents member accounts from stopping logging. Option B is wrong because IAM policies are account-specific and cannot be enforced across all accounts.

Option E is wrong because CloudWatch Logs does not prevent disabling CloudTrail. Option D is wrong because Config cannot prevent the disabling of CloudTrail.

1036
Multi-Selecteasy

A company needs to implement data protection for Amazon EFS file systems. Which TWO features should be configured?

Select 2 answers
A.Configure EFS Block Public Access.
B.Enable EFS versioning.
C.Enable encryption in transit using TLS.
D.Configure EFS lifecycle management to transition files to Infrequent Access.
E.Enable encryption at rest using AWS KMS.
AnswersC, E

Clients can mount using TLS to encrypt data in transit.

Why this answer

Option E is correct because EFS supports encryption at rest using KMS. Option C is correct because encryption in transit can be enforced using a mount option. Option B is wrong because EFS does not support versioning.

Option A is wrong because EFS does not have Block Public Access; it uses security groups. Option D is wrong because EFS lifecycle policies manage storage tiers, not data protection.

1037
MCQhard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)

A.Inbound rule: Allow HTTP/HTTPS from 0.0.0.0/0.
B.Inbound rule: Allow HTTP/HTTPS from the ALB's security group.
C.Outbound rule: Allow all traffic to the ALB's security group only.
D.Outbound rule: Deny all traffic to 0.0.0.0/0.
E.Outbound rule: Allow all traffic to 0.0.0.0/0.
AnswerB, D

This ensures only ALB traffic reaches the instances.

Why this answer

Option B is correct because allowing inbound traffic from the ALB's security group ensures only ALB traffic reaches the instances. Option D is correct because blocking all outbound traffic to 0.0.0.0/0 prevents instances from initiating internet connections. Option A is wrong because allowing inbound from 0.0.0.0/0 would permit direct access to the instances.

Option E is wrong because allowing outbound to 0.0.0.0/0 would allow internet connections. Option C is wrong because allowing outbound only to the ALB does not prevent instances from reaching the internet via other paths.

1038
MCQeasy

A company uses Amazon RDS for its database. The security team needs to detect when a database instance is started or stopped outside of maintenance windows. Which AWS service should the team use to monitor these API calls?

A.Amazon CloudWatch
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Config
AnswerC

CloudTrail logs all RDS API calls, enabling monitoring and alerting.

Why this answer

AWS CloudTrail is the correct service because it records API activity in your AWS account, including StartDBInstance and StopDBInstance calls from the RDS service. By monitoring CloudTrail logs, the security team can detect when a database instance is started or stopped outside of maintenance windows, as each API call is logged with a timestamp and user identity. CloudTrail is specifically designed for auditing API calls, making it the appropriate tool for this use case.

Exam trap

The trap here is that candidates confuse CloudWatch's ability to create alarms on CloudTrail events with CloudWatch itself being the service that records API calls, but CloudWatch only processes logs delivered by CloudTrail and cannot natively capture API activity without CloudTrail as the source.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it does not natively capture or record API calls like StartDBInstance or StopDBInstance; it can only alert on CloudTrail-delivered events via a metric filter, not directly detect the API calls themselves. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail management events for malicious activity, but it is not designed for custom operational monitoring of specific API calls like database start/stop events; it focuses on security threats, not operational compliance. Option D is wrong because AWS Config is a configuration tracking and compliance service that evaluates resource configurations against rules, but it does not monitor real-time API calls; it can detect configuration changes (e.g., a DB instance being stopped) only after they occur via configuration changes, not the API call event itself.

1039
MCQeasy

A company wants to detect and alert on suspicious IAM user behavior, such as accessing services that are not typically used. Which AWS service provides prebuilt anomaly detection for IAM users?

A.AWS Trusted Advisor
B.AWS CloudTrail
C.Amazon GuardDuty
D.Amazon Inspector
AnswerC

GuardDuty uses ML to detect anomalous IAM user behavior.

Why this answer

Amazon GuardDuty is the correct answer because it is a threat detection service that uses machine learning and anomaly detection to identify suspicious IAM user behavior, such as accessing services not typically used. It analyzes AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs to establish baselines and generate findings for unusual API calls or access patterns. This prebuilt capability directly addresses the requirement for detecting atypical IAM activity without manual configuration.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, assuming that because CloudTrail records API calls, it can also detect anomalies, but it lacks the machine learning engine required for prebuilt anomaly detection.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is a service that provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not perform real-time anomaly detection or monitor IAM user behavior. Option B is wrong because AWS CloudTrail is a logging service that records API activity for auditing and compliance, but it lacks built-in anomaly detection; it requires integration with other services like GuardDuty or third-party tools to identify suspicious behavior. Option D is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not IAM user behavior or API call anomalies.

1040
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all Amazon S3 buckets across all accounts are encrypted with AWS KMS customer managed keys (CMKs). They have implemented a service control policy (SCP) that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms. Additionally, they have an SCP that denies s3:CreateBucket unless the bucket is configured with default encryption using KMS. Despite these policies, a developer in the production account reports that they were able to upload a sensitive object to an existing bucket without encryption. The developer used the AWS CLI with the command: aws s3 cp sensitive.txt s3://my-bucket/. The bucket does not have default encryption enabled. The SCPs are attached to the root organizational unit (OU) and are in effect. What is the MOST likely reason the upload succeeded?

A.The SCP does not apply to the management account of the organization.
B.The SCP uses the wrong condition key; it should use s3:x-amz-server-side-encryption instead.
C.The SCP was not attached to the production account's OU.
D.The developer used an IAM role that bypasses SCPs.
AnswerA

SCPs are not effective for the management account, so actions from that account are not restricted.

Why this answer

The developer's command did not include the x-amz-server-side-encryption header, so the SCP that denies s3:PutObject without that header should have blocked the upload. The bucket has no default encryption, so nothing added the header on the developer's behalf.

SCPs apply to all IAM principals in an account, including IAM roles, so option D does not explain the result. The SCPs are attached to the root of the organization, so every OU and account beneath it inherits them, which rules out option C.

The one case SCPs never cover is the management account: SCPs restrict member accounts only and have no effect on principals in the management account. This is a classic gotcha. The question says "multi-account AWS environment using AWS Organizations" but does not state outright that the production account is the management account; still, it is the one condition under which the described upload succeeds.

So the most likely cause is that the production account is the management account of the organization, and SCPs do not apply to the management account.

1041
Multi-Selecthard

A company has a requirement to automatically rotate encryption keys for S3 objects every 90 days. They are using SSE-KMS with a customer managed key. Which combination of actions will meet the requirement without breaking access to existing objects? (Choose two.)

Select 2 answers
A.Configure an S3 lifecycle policy to re-encrypt objects
B.Use S3 Batch Operations to re-encrypt existing objects with the new key
C.Manually rotate the key every 90 days and re-encrypt all objects
D.Delete the existing key and create a new one each 90 days
E.Enable automatic key rotation in AWS KMS for the customer managed key
AnswersB, E

Batch Operations can re-encrypt objects.

Why this answer

Options B and E are correct because enabling automatic key rotation in KMS (E) rotates the key material annually (not every 90 days), and re-encrypting existing objects with the new key (B) ensures they are encrypted with the latest key. Option D is incorrect because deleting the old key breaks access. Option A is incorrect because S3 lifecycle policies do not re-encrypt objects.

Option C is incorrect because manual rotation every 90 days is not necessary if automatic rotation is enabled, and re-encryption is still needed.

1042
Multi-Selecteasy

Which TWO of the following are valid options for encrypting data at rest in Amazon S3? (Choose 2.)

Select 2 answers
A.SSL/TLS encryption
B.IAM policy encryption
C.SSE-S3
D.CloudHSM client-side encryption
E.SSE-KMS
AnswersC, E

Correct: Server-side encryption with Amazon S3-managed keys.

Why this answer

SSE-S3 is correct because it provides server-side encryption where Amazon S3 manages the encryption keys entirely. When you upload an object, S3 encrypts it using AES-256 before writing to disk and decrypts it when you access it, with no additional configuration needed beyond enabling the header `x-amz-server-side-encryption: AES256`.

Exam trap

The trap here is confusing encryption at rest with encryption in transit, leading candidates to select SSL/TLS, or misinterpreting IAM policies as an encryption mechanism, or assuming CloudHSM is a native S3 server-side encryption option rather than a client-side tool.

1043
MCQhard

A company has a multi-account AWS Organization with 50 accounts. The security team wants to monitor for unauthorized IAM role assumption across all accounts. They have enabled AWS CloudTrail in all accounts and are delivering logs to a central S3 bucket in the security account. They also have Amazon GuardDuty enabled in all accounts. The security team wants a centralized dashboard to visualize cross-account role assumption events. They have limited budget and want to use existing services. What should they do?

A.Use Amazon Athena to query CloudTrail logs in S3 and visualize with Amazon QuickSight.
B.Use AWS Config aggregator to view cross-account IAM role creation.
C.Use Amazon CloudWatch Logs Insights to query logs from the central S3 bucket.
D.Use Amazon Elasticsearch Service to index CloudTrail logs from S3 and visualize with Kibana.
AnswerA

Athena can query logs directly in S3, and QuickSight can create dashboards.

Why this answer

Option A is correct because Amazon Athena can query CloudTrail logs in S3 using SQL, and Amazon QuickSight can visualize the results. Option D is wrong because Amazon Elasticsearch Service is not free and adds cost. Option C is wrong because CloudWatch Logs Insights can query logs but requires them to be in CloudWatch Logs, not S3.

Option B is wrong because AWS Config is for resource configuration, not API call analysis.

1044
MCQhard

An organization has a requirement to retain all AWS CloudTrail logs for at least 7 years for compliance. Currently, logs are stored in an S3 bucket with default settings. What is the MOST cost-effective way to meet the retention requirement?

A.Use S3 Glacier Deep Archive immediately.
B.Set an S3 lifecycle policy to delete objects after 7 years.
C.Set the CloudTrail trail to store logs in an S3 bucket with 7-year retention.
D.Configure S3 lifecycle policy to transition objects to S3 Glacier after 30 days and expire after 7 years.
AnswerD

Transitioning to Glacier reduces cost while meeting retention.

Why this answer

Option D is correct because an S3 lifecycle policy can transition objects to Glacier after a period and expire them after 7 years. Option B is wrong because S3 Standard is expensive for long-term retention. Option C is wrong because CloudTrail does not manage retention.

Option A is wrong because Glacier Deep Archive is intended for retention longer than 7 years and is less cost-effective if the logs are accessed.

1045
MCQmedium

A company uses AWS CloudTrail and wants to ensure that any modification to the trail itself is detected immediately. What should be done?

A.Configure Amazon GuardDuty to monitor for trail modifications
B.Enable CloudTrail Insights to detect unusual activity
C.Create a CloudWatch Events rule that matches the StopLogging or UpdateTrail API calls and sends an alert
D.Enable S3 event notifications on the trail's S3 bucket
AnswerC

CloudWatch Events can trigger on CloudTrail management events.

Why this answer

Option C is correct because CloudWatch Events (now part of Amazon EventBridge) can be configured with a rule that matches specific API calls like StopLogging or UpdateTrail via CloudTrail. When such an API call is made, the rule triggers an action such as sending an SNS notification or invoking a Lambda function, enabling immediate detection of trail modifications. This approach directly monitors the control plane operations that alter the trail's configuration.

Exam trap

The trap here is that candidates often confuse monitoring the trail's log files (S3 events) with monitoring the trail's configuration (CloudTrail API calls), leading them to choose Option D instead of the correct CloudWatch Events approach.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail management events for malicious activity, but it does not provide real-time alerting on specific API calls like UpdateTrail; it focuses on threat intelligence rather than configuration change monitoring. Option B is wrong because CloudTrail Insights identifies unusual API activity and write management events, but it is designed for anomaly detection over time, not immediate alerting on specific trail modifications. Option D is wrong because S3 event notifications on the trail's S3 bucket would only detect changes to the log files stored in the bucket, not modifications to the trail configuration itself (e.g., disabling logging or changing the trail's settings).

1046
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centralize VPC Flow Logs from all accounts into a single S3 bucket in the security account. The flow logs are created in the member accounts and sent to the centralized bucket. However, the security team notices that flow logs from some member accounts are not being delivered. What is the most likely cause?

A.The member accounts need an IAM role with permissions to write to the centralized bucket.
B.CloudTrail must be enabled in each member account before VPC Flow Logs can be sent to a centralized bucket.
C.The S3 bucket policy does not grant write permissions to the member accounts.
D.VPC Flow Logs cannot be aggregated across multiple AWS accounts.
AnswerC

Bucket policy must allow member accounts to put objects.

Why this answer

Option C is correct because VPC Flow Logs require a resource-based policy on the destination bucket to allow the member accounts to write logs. Option D is wrong because flow logs can be aggregated across accounts. Option B is wrong because CloudTrail is not used for VPC Flow Logs.

Option A is wrong because VPC Flow Logs do not require IAM roles in the member accounts.

1047
MCQhard

A company uses AWS KMS to encrypt data in S3. The security policy requires that keys be rotated every 12 months. Which type of KMS key supports automatic rotation?

A.Customer managed keys with automatic rotation enabled
B.Imported key material
C.Custom key store keys
D.AWS managed keys
AnswerA

Customer managed keys can be configured to rotate automatically every 12 months.

Why this answer

Customer managed keys (CMKs) support optional automatic rotation every year. AWS managed keys rotate automatically every 3 years but cannot be configured. Option A is correct.

Option D is incorrect because AWS managed keys rotate every 3 years, not 12 months. Option C is incorrect because custom key store keys do not support automatic rotation. Option B is incorrect because imported key material does not support automatic rotation.

1048
MCQeasy

A company is designing a multi-tier web application. The web servers must be accessible from the internet, but the application servers must only be accessible from the web servers. Which AWS feature should be used to meet these requirements?

A.Use security groups with rules that allow inbound traffic to the web servers from the internet, and allow inbound traffic to the application servers only from the web server security group.
B.Use a VPC peering connection between the web tier and application tier subnets.
C.Use network ACLs to allow inbound traffic to the web tier from the internet and to the application tier only from the web tier.
D.Use a VPN connection to isolate the application tier from the web tier.
AnswerA

Security groups support referencing another security group as a source, making this straightforward.

Why this answer

The correct answer is A because security groups act as a virtual firewall for instances, and you can reference another security group as a source. Option C is wrong because a NACL is stateless and applied at the subnet level; it can be used, but security groups are simpler for instance-level control. Option B is wrong because VPC peering is for connecting VPCs.

Option D is wrong because a VPN connection is for hybrid connectivity.

1049
Drag & Dropmedium

Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.


Why this order

VPC creation, subnets, internet gateway, NAT gateway, and route table update are required for private subnet internet access.

1050
MCQmedium

A security team needs to be alerted when an IAM user generates a console login failure. Which combination of AWS services should be used to meet this requirement?

A.CloudTrail and Amazon S3
B.CloudTrail, Amazon CloudWatch Logs, and CloudWatch Alarms
C.AWS Config and Amazon SNS
D.Amazon GuardDuty and AWS Lambda
AnswerB

CloudTrail delivers events to CloudWatch Logs, where a metric filter can detect failures and trigger an alarm.

Why this answer

Option B is correct because CloudTrail captures IAM console login failures as CloudTrail events, which can be streamed to CloudWatch Logs. A CloudWatch Alarm can then be configured to trigger on a metric filter that matches the specific 'ConsoleLogin' event with a 'Failure' status, enabling real-time alerting via Amazon SNS.

Exam trap

The trap here is that candidates may think CloudTrail alone is sufficient for alerting, but CloudTrail only logs events; it requires integration with CloudWatch Logs and Alarms to generate notifications, and options like GuardDuty or Config are often mistakenly chosen because they sound security-related but do not directly address the specific login failure alerting requirement.

How to eliminate wrong answers

Option A is wrong because Amazon S3 alone cannot generate alerts; it is a storage service and lacks native alerting capabilities. Option C is wrong because AWS Config is designed for resource compliance and configuration tracking, not for monitoring real-time API events like login failures. Option D is wrong because Amazon GuardDuty focuses on threat detection using DNS, VPC flow logs, and CloudTrail management events, but it does not provide direct alerting for IAM console login failures without additional custom Lambda logic, and it is not the standard recommended combination for this specific requirement.
