AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1051-1125

1738 questions total · 24 pages · All types, answers revealed

Page 15 of 24
1051 · MCQ · hard

An IAM role has the above trust policy. Users from account 123456789012 try to assume the role. What is required for the AssumeRole API call to succeed?

A. The user must be an IAM user in the same account as the role.
B. The user must have an IAM policy that allows sts:AssumeRole.
C. The user must have MFA enabled and present the MFA token.
D. The request must originate from a specific IP address range.
Answer: C

Condition requires MFA.

Why this answer

The condition requires MFA to be present. Option A is incorrect because MFA is required. Option B is about source IP, not required.

Option D is incorrect because the role can be assumed without additional permissions.

1052 · MCQ · hard

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that an EC2 instance in the same VPC can access the bucket, but an instance in a peered VPC cannot. Both instances have the same IAM role attached. The VPC endpoint is in the first VPC and is shared via a transit gateway. What is the MOST likely reason the second instance cannot access the bucket?

A. The IAM role does not have permissions for the second instance.
B. The bucket policy condition on aws:sourceVpce does not match requests from the peered VPC.
C. The VPC endpoint is not accessible from the peered VPC.
D. The transit gateway does not support S3 traffic.
Answer: B

Requests from the peered VPC do not traverse the endpoint.

Why this answer

Option D is correct. The bucket policy condition aws:sourceVpce checks the VPC endpoint ID. If the request comes from a peered VPC, it does not go through the VPC endpoint; it goes through the transit gateway, so the condition fails.

Option A is wrong because IAM policies are not the issue. Option B is wrong because the transit gateway does not inherently block S3. Option C is wrong because VPC peering does not automatically provide access to the endpoint.

1053 · MCQ · medium

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which action should be taken?

A. Enable automatic key rotation on the customer managed key.
B. Create a new key and update the alias to point to the new key every year.
C. Enable automatic key rotation on the AWS managed key.
D. Use an AWS CloudTrail event to trigger a Lambda function that rotates the key.
Answer: A

Automatic rotation can be enabled on customer managed keys to rotate yearly.

Why this answer

Option B is correct because AWS KMS supports automatic key rotation for customer managed keys (CMKs) when enabled. Option A is incorrect because automatic rotation is available for CMKs, not just AWS managed keys. Option C is incorrect because manual rotation is not required.

Option D is incorrect because rotation is independent of CloudTrail.

1054 · Multi-Select · hard

Which THREE components are required to set up a client VPN for remote access to a VPC? (Choose 3.)

Select 3 answers
A. Client VPN endpoint
B. Virtual Private Gateway
C. Customer Gateway
D. Authorization rule
E. Target network association
Answers: A, D, E

The VPN server component.

Why this answer

Options A, C, and E are correct. A Client VPN endpoint is the VPN server. A target network association connects the endpoint to subnets.

An authorization rule grants access to specific network paths. Option B is wrong because a Virtual Private Gateway is used for site-to-site VPN. Option D is wrong because a Customer Gateway is for site-to-site VPN.

1055 · MCQ · medium

A security team needs to monitor for failed login attempts to an EC2 instance running Linux. The team wants to send a real-time alert when more than 10 failed SSH attempts occur within 5 minutes. Which solution is the most efficient?

A. Install the CloudWatch Logs agent on the EC2 instance to stream /var/log/secure to CloudWatch Logs. Create a metric filter for 'Failed password' and set a CloudWatch alarm.
B. Enable VPC Flow Logs and filter for SSH traffic to detect failed attempts.
C. Configure the EC2 instance to write failed attempts to a file in S3 and use S3 events to trigger a Lambda function for alerting.
D. Enable Amazon GuardDuty and create a custom threat list for failed SSH attempts.
Answer: A

This approach provides real-time monitoring and alerting.

Why this answer

The CloudWatch Logs agent can send /var/log/secure to CloudWatch Logs, where a metric filter can count failed attempts and trigger an alarm. Option A is correct. Option B is wrong because modifying /etc/hosts.deny is not monitoring.

Option C is wrong because VPC Flow Logs do not capture application-level login attempts. Option D is wrong because GuardDuty detects threats but is not as targeted for this specific metric.

1056 · MCQ · hard

A security engineer creates the IAM policy shown in the exhibit. The policy is attached to an IAM role. When a user assumes the role and attempts to upload an object to the bucket without specifying server-side encryption, what is the expected behavior?

A. The request is denied because the condition is not met.
B. The request succeeds because the condition is ignored for PutObject.
C. The request is denied only if the object is publicly accessible.
D. The request succeeds because the condition is only for GetObject.
Answer: A

The condition requires the encryption header to be present and set to 'aws:kms'.

Why this answer

Option A is correct because the policy requires the condition s3:x-amz-server-side-encryption to be equal to aws:kms. If the request does not include encryption, the condition fails and the request is denied. Option B is wrong because the policy does not allow requests without encryption.

Option C is wrong because the condition applies to PutObject as well. Option D is wrong because the condition is not ignored.

1057 · MCQ · medium

A company wants to allow a third-party auditor to read objects in an S3 bucket for a limited time. The auditor does not have an AWS account. What is the most secure way to grant this access?

A. Use a bucket policy that grants read access to the auditor's AWS account (if they have one).
B. Generate presigned URLs for all objects in the bucket and share them with the auditor.
C. Create a cross-account IAM role with an external ID and allow the auditor to assume the role using AWS STS.
D. Create an IAM user with read-only access and share the credentials with the auditor.
Answer: C

This provides time-limited, secure access without sharing permanent credentials.

Why this answer

Option C is correct because it uses cross-account roles with external ID and temporary credentials, which provide time-limited access without exposing long-term keys. Option A is wrong because sharing keys violates security best practices. Option B is wrong because ACLs do not support cross-account access without granting ListBucket permission.

Option D is wrong because presigned URLs are typically used for individual objects, not a bucket-wide audit.

1058 · Multi-Select · easy

Which TWO AWS services can be used to detect and alert on suspicious API activity in real-time? (Choose two.)

Select 2 answers
A. AWS CloudTrail with CloudWatch Events
B. VPC Flow Logs
C. Amazon S3
D. AWS Config
E. Amazon GuardDuty
Answers: A, E

CloudTrail logs API calls and CloudWatch can alert.

Why this answer

Options B and C are correct. Option A is wrong because VPC Flow Logs are for network traffic. Option D is wrong because Config is for compliance.

Option E is wrong because S3 is storage.

1059 · MCQ · hard

A security engineer has attached the above IAM policy to a role used by an application to write logs to an S3 bucket. However, the application is unable to write logs. What is the MOST likely reason?

A. The Effect is set to Allow, which is too permissive.
B. The application does not set the x-amz-acl header to bucket-owner-full-control on PutObject requests.
C. The policy does not allow server-side encryption.
D. The resource ARN is incorrect; it should be arn:aws:s3:::my-log-bucket/*.
Answer: B

The condition requires the ACL to be set; without it, the request fails.

Why this answer

Option A is correct because the policy requires the condition s3:x-amz-acl to be set to bucket-owner-full-control, but the application may not be setting that ACL. Option B is wrong because the resource ARN is correct for the specified path. Option C is wrong because the Effect is Allow.

Option D is wrong because the policy does not mention encryption.

1060 · Multi-Select · hard

A company wants to centrally manage and enforce security policies across multiple AWS accounts using AWS Organizations. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A. Use the root user of each member account for administrative tasks.
B. Enable all features in AWS Organizations and create service control policies (SCPs) to restrict actions.
C. Use AWS CloudTrail to log API calls in all accounts and deliver logs to a centralized S3 bucket.
D. Create IAM roles in member accounts that grant cross-account access from the management account.
E. Disable CloudTrail in member accounts to reduce costs.
Answers: B, C, D

Correct: SCPs centrally enforce policies.

Why this answer

Options A, B, and D are correct. SCPs enforce policies across accounts. Centralized logging with CloudTrail provides auditing.

IAM roles for cross-account access allow secure management. Option C is wrong because using the root user for each account is not a best practice. Option E is wrong because disabling CloudTrail in member accounts removes auditing.

1061 · MCQ · medium

A company is designing a data encryption solution for its Amazon RDS for PostgreSQL database. The database must be encrypted at rest. What is the simplest way to achieve this?

A. Enable encryption when creating the RDS instance using a KMS key.
B. Enable AWS KMS encryption on the RDS instance after creation.
C. Use application-level encryption before inserting data into the database.
D. Use AWS CloudHSM to encrypt the EBS volumes attached to the RDS instance.
Answer: A

RDS encryption at rest is enabled at launch.

Why this answer

Option A is correct because RDS supports encryption at rest for new databases using AWS KMS. Option B is incorrect because there is no separate encryption layer; RDS uses KMS. Option C is incorrect because application-level encryption is not the simplest.

Option D is incorrect because RDS does not support CloudHSM for encryption at rest.

1062 · MCQ · easy

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation fails with an error indicating that the secret cannot be accessed. What is the most likely cause?

A. The Lambda rotation function lacks IAM permissions to update the secret
B. The KMS key used to encrypt the secret is disabled
C. The secret is not encrypted
D. The secret is not in the same region as the database
Answer: A

The Lambda function needs permissions to read and update the secret.

Why this answer

Option C is correct because the Lambda function needs permissions to read the secret and update the database. Option A is not about rotation. Option B would cause an unrelated error.

Option D is about encryption key permissions, but the error is about accessing the secret.

1063 · Multi-Select · hard

Which THREE are benefits of using AWS Systems Manager Session Manager to connect to EC2 instances? (Choose THREE.)

Select 3 answers
A. It allows closing inbound SSH and RDP ports on the instance.
B. It automatically rotates SSH keys on the instance.
C. It eliminates the need for a bastion host or jump box.
D. It requires an internet gateway or NAT gateway for the instance to communicate with the Session Manager service.
E. It provides session logging to AWS CloudTrail for auditing.
Answers: A, C, E

No open ports are needed for Session Manager.

Why this answer

Options A, C, and D are correct. Session Manager eliminates the need for a bastion host, does not require opening SSH or RDP ports, and logs sessions to CloudTrail for auditing. Option B is wrong because Session Manager does not require an internet gateway or NAT gateway for connectivity; it uses the SSM agent.

Option E is wrong because it does not automatically rotate SSH keys; it uses IAM for access control.

1064 · MCQ · medium

A developer needs to grant an EC2 instance access to an S3 bucket. Which is the most secure way to provide credentials to the EC2 instance?

A. Store AWS access keys in the application code
B. Store the keys in an S3 bucket and download them at startup
C. Create an IAM role and attach it to the EC2 instance profile
D. Use environment variables to store the keys
Answer: C

IAM roles provide temporary credentials that are automatically rotated.

Why this answer

Option C is correct because it uses an IAM role attached to an EC2 instance profile, which allows the instance to obtain temporary, automatically rotated credentials from the AWS STS service via the instance metadata service (IMDS). This eliminates the need to hardcode, store, or manage long-term access keys, significantly reducing the risk of credential exposure.

Exam trap

The trap here is that candidates may think storing keys in S3 or environment variables is acceptable, but the exam emphasizes that any form of long-term static credential storage on an EC2 instance is insecure compared to using IAM roles with instance profiles and temporary credentials from STS.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys in application code exposes them to version control, code reviews, and potential leaks, violating the principle of least privilege and long-term credential security. Option B is wrong because storing keys in an S3 bucket and downloading them at startup still requires the instance to have long-term credentials to access the bucket, creating a circular dependency and exposing keys during transit and at rest. Option D is wrong because environment variables can be read by any process or user on the instance, are often logged or captured in debugging output, and still rely on long-term access keys that must be manually rotated.

1065 · MCQ · easy

A company has a security group rule that allows inbound traffic from 0.0.0.0/0 on port 22. The security engineer wants to restrict SSH access to only the company's public IP range (203.0.113.0/24). What is the correct way to update the security group rule?

A. Remove the existing inbound rule and do not add any new rule; SSH access will be denied by default.
B. Modify the existing inbound rule to change the source from 0.0.0.0/0 to 203.0.113.0/24.
C. Add a new inbound rule with source 203.0.113.0/24 and the security group will automatically deny all other traffic.
D. Change the outbound rules to restrict traffic.
Answer: B

You can edit the CIDR of an existing rule.

Why this answer

Option A is correct because you can modify the CIDR of an existing rule. Option B is wrong because security groups don't have a default deny rule; you need to remove the old rule. Option C is wrong because security groups are stateful.

Option D is wrong because removing the rule without adding a new one would block all SSH.

1066 · MCQ · easy

A security engineer needs to detect and respond to potential credential theft where an IAM user's access key is being used from an unusual geographic location. Which AWS service should be used to generate alerts based on this anomaly?

A. AWS IAM Access Analyzer
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Config
Answer: C

GuardDuty uses ML to detect suspicious API activity, including credential compromise.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that uses machine learning and integrated threat intelligence to identify anomalous behavior, such as an IAM access key being used from an unusual geographic location. It specifically analyzes CloudTrail management and data events, VPC flow logs, and DNS logs to detect credential theft patterns like a new geolocation or an impossible travel scenario, and can trigger alerts via Amazon EventBridge or SNS for automated response.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, assuming that CloudTrail alone can generate alerts for geographic anomalies, when in reality it only provides raw logs that require additional analysis services like GuardDuty or custom solutions to detect and alert on such patterns.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer is designed to identify resources shared with external entities by analyzing resource-based policies, not to detect anomalous usage patterns like geographic anomalies in access key usage. Option B is wrong because AWS CloudTrail is a logging service that records API activity but does not perform real-time anomaly detection or generate alerts based on unusual geographic locations; it would require additional custom logic (e.g., Athena queries or Lambda functions) to analyze the logs for such patterns. Option D is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes and evaluates rules, not a threat detection service capable of identifying credential theft or geographic anomalies in IAM user activity.

1067 · MCQ · easy

A developer needs to grant an IAM user the ability to manage their own password and access keys, but not any other IAM users. Which IAM policy should be used?

A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:UpdateLoginProfile"], "Resource": "arn:aws:iam::*:user/*" } ] }
B. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:UpdateLoginProfile"], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
C. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:*", "Resource": "*" } ] }
D. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }
Answer: B

Correctly restricts to the user's own ARN using a variable.

Why this answer

Option C is correct because it uses a condition to limit actions to the user's own ARN. Option A grants access to all users. Option B grants full IAM access.

Option D does not include password management.

1068 · MCQ · medium

Refer to the exhibit. A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

A. The policy has no effect because the condition is invalid
B. Objects without encryption headers are allowed
C. All objects must be encrypted with SSE-KMS
D. All objects must be encrypted with SSE-S3
Answer: D

Correct: The condition requires s3:x-amz-server-side-encryption to be AES256, which is SSE-S3.

Why this answer

Option B is correct. The policy denies PutObject requests that do not include the x-amz-server-side-encryption header with value AES256, thus enforcing SSE-S3 encryption on all uploads. Option A is wrong because it does not enforce SSE-KMS.

Option C is wrong because the condition checks for AES256, not for the absence of encryption. Option D is wrong because the policy denies unencrypted uploads, not allows them.

1069 · MCQ · medium

An IAM policy grants access to a DynamoDB table with a condition that the request must originate from a specific VPC endpoint. However, requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

A. The EC2 instance does not have a public IP address.
B. The security group on the EC2 instance does not allow outbound traffic to the DynamoDB endpoint.
C. The EC2 instance is not using the VPC endpoint to access DynamoDB; it is using an internet gateway.
D. The VPC endpoint policy does not allow the specific DynamoDB action.
Answer: C

The condition requires the request to come through the VPC endpoint; if the instance routes traffic via internet, the condition fails.

Why this answer

Option A is correct because the EC2 instance needs to have a route to the VPC endpoint; if not, traffic goes through the internet and doesn't use the endpoint. Option B is wrong because the instance does not need a public IP. Option C is wrong because the endpoint policy must allow the action.

Option D is wrong because security groups control network traffic, not IAM conditions.

1070 · MCQ · medium

A security engineer is auditing an S3 bucket policy that allows cross-account access. The engineer wants to ensure that only encrypted connections are permitted. Which condition should be added to the policy?

A. aws:SourceIp
B. aws:Referer
C. aws:SecureTransport
D. s3:x-amz-server-side-encryption
Answer: C

Enforces HTTPS connections.

Why this answer

Option C is correct because aws:SecureTransport is the condition key that enforces HTTPS. Option A is wrong because aws:SourceIp controls IP addresses, not encryption. Option B is wrong because s3:x-amz-server-side-encryption controls server-side encryption headers, not transport encryption.

Option D is wrong because aws:Referer controls referrer headers.

1071 · MCQ · easy

A security engineer needs to ensure that any changes to an S3 bucket's public access settings are immediately detected and an alert is sent. Which combination of AWS services should be used?

A. Amazon GuardDuty and AWS Lambda
B. Amazon CloudWatch Logs and Amazon SNS
C. AWS CloudTrail and Amazon CloudWatch Logs
D. AWS Config and AWS Lambda
Answer: D

Config can evaluate S3 bucket public access settings and trigger a Lambda function for alerting.

Why this answer

AWS Config continuously monitors and records changes to AWS resource configurations, including S3 bucket public access settings. By creating a Config rule that triggers on changes to the `PublicAccessBlockConfiguration` or bucket ACLs, you can invoke an AWS Lambda function via an Amazon SNS topic to send an alert. This combination provides real-time detection and automated response to unauthorized public access changes.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates configuration compliance), leading them to choose Option C, but CloudTrail alone cannot trigger alerts without additional services like CloudWatch Logs and Lambda, and it lacks the continuous compliance evaluation that AWS Config provides.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity (e.g., unusual API calls or compromised credentials), not for configuration changes to S3 bucket public access settings. Option B is wrong because Amazon CloudWatch Logs can store log data but does not natively detect or alert on S3 configuration changes; it would require additional services like CloudTrail to capture the events, and the combination lacks the rule-based evaluation needed for immediate detection. Option C is wrong because AWS CloudTrail logs API calls (including changes to S3 bucket policies), but CloudTrail alone does not provide real-time alerting; while you can create a metric filter on CloudWatch Logs, this setup requires manual configuration and does not natively evaluate configuration compliance like AWS Config does, and it lacks the automated remediation capability of AWS Lambda.

1072 · MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team uses AWS Security Hub to consolidate findings. They notice that a critical finding in the production account is not being aggregated in Security Hub. The finding is generated by Amazon GuardDuty. What is the MOST likely cause?

A. Amazon GuardDuty is not enabled in the production account.
B. The IAM role for Security Hub does not have permissions to read GuardDuty findings.
C. AWS Config is not enabled in the production account.
D. VPC Flow Logs are not enabled in the production account.
Answer: A

GuardDuty must be enabled in each account to generate findings that Security Hub aggregates.

Why this answer

Amazon Security Hub aggregates findings from enabled security services across accounts. For GuardDuty findings to appear in Security Hub, GuardDuty must be enabled in the account where the finding is generated. If GuardDuty is not enabled in the production account, it cannot produce findings for Security Hub to consume, which is the most likely cause of the missing critical finding.

Exam trap

The trap here is that candidates may assume Security Hub automatically enables or integrates with all security services across accounts, but in reality, each service (like GuardDuty) must be individually enabled in each account for its findings to be aggregated.

How to eliminate wrong answers

Option B is wrong because Security Hub uses a service-linked role (AWSServiceRoleForSecurityHub) that automatically includes permissions to read findings from GuardDuty via the BatchImportFindings API; an explicit IAM role for reading GuardDuty findings is not required. Option C is wrong because AWS Config is not a prerequisite for Security Hub to aggregate GuardDuty findings; Security Hub can ingest GuardDuty findings independently of Config. Option D is wrong because VPC Flow Logs are not a source of findings for Security Hub; they are used by GuardDuty for anomaly detection but are not required for Security Hub to receive GuardDuty findings.

1073 · MCQ · easy

A company uses AWS Organizations and wants to restrict all IAM users in member accounts from using the Amazon EC2 RunInstances API unless they have MFA. What is the most efficient way to enforce this?

A. Create an IAM policy in each member account and attach it to all IAM users.
B. Use a security group to block outbound traffic from EC2 instances unless MFA is used.
C. Create a service control policy (SCP) that denies ec2:RunInstances unless MFA is present, and attach it to the organization root or relevant OUs.
D. Attach a policy to the root user of the master account.
Answer: C

SCPs can centrally enforce restrictions across all accounts in the organization.

Why this answer

Option B is correct because a service control policy (SCP) can apply to all accounts in the organization and enforce the restriction centrally. Option A is wrong because it applies only to the organization root, not member accounts. Option C is wrong because it would require modifying each account individually.

Option D is wrong because security groups do not control API calls.

1074 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no IAM user can have an access key older than 90 days. What is the MOST efficient way to achieve this?

A. Use an SCP in the root organizational unit that denies IAM actions if the access key age exceeds 90 days.
B. Use AWS Config rules to detect old access keys and send alerts.
C. Use an IAM policy in each account that denies access if the key age exceeds 90 days.
D. Use an SCP to disable IAM user creation.
Answer: A

SCP can centrally enforce with condition aws:CurrentTime.

Why this answer

Option B is correct: a service control policy (SCP) can deny access if the key is older than 90 days, using a condition. Option A is per-account and not centralized. Option C requires manual audit.

Option D is not an SCP action.

1075 · Multi-Select · easy

A company needs to monitor for unauthorized changes to its Amazon S3 bucket policies. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A. Amazon Route 53
B. AWS CloudTrail
C. VPC Flow Logs
D. AWS Config
E. Amazon SNS
Answers: D, E

Tracks configuration changes to S3 bucket policies.

Why this answer

AWS Config can track changes to S3 bucket policies and trigger a notification via Amazon SNS. Options A and D are correct. Option B is wrong because CloudTrail logs API calls but does not evaluate configuration changes against a baseline.

Option C is wrong because VPC Flow Logs are for network traffic. Option E is wrong because Route 53 is for DNS.

1076 · MCQ · medium

A company has a requirement to retain CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The security team needs to ensure that logs are not deleted before the retention period ends, even by users with full S3 permissions. Which action should be taken?

A. Enable MFA Delete on the bucket and require MFA for all delete operations.
B. Enable S3 Object Lock in Compliance mode on the bucket with a retention period of 7 years.
C. Enable S3 Versioning and set a lifecycle policy to expire noncurrent versions after 7 years.
D. Create a bucket policy that denies s3:DeleteObject for all users.
Answer: B

Compliance mode prevents any deletion, even by root.

Why this answer

S3 Object Lock with a retention mode of Compliance prevents any user, including the root user, from deleting objects until the retention period expires. Option A is correct. Option B is wrong because MFA Delete can be bypassed by root.

Option C is wrong because bucket policies do not prevent deletion by bucket owners with full permissions. Option D is wrong because versioning alone does not prevent deletion.

1077 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team has created an SCP that denies access to all DynamoDB actions except for the 'prod' account. The SCP is attached to the root OU. The 'prod' account has an IAM role that allows full DynamoDB access. A developer in the 'prod' account tries to create a DynamoDB table but receives an 'AccessDenied' error. The developer has the correct IAM permissions. What is the MOST likely cause and what should be done to resolve the issue?

A. The SCP denies DynamoDB by default; the 'prod' account needs an explicit allow in the SCP.
B. The DynamoDB table has a resource-based policy that denies access.
C. The SCP is attached to the OU and cannot be overridden; the developer must use a different account.
D. The IAM role's permissions boundary is blocking access.
Answer: A

SCPs deny by default; explicit allow needed.

Why this answer

Option A is correct. The SCP denies DynamoDB actions to all accounts except 'prod', but the SCP may not have an explicit allow for 'prod', causing implicit deny. The SCP should explicitly allow DynamoDB actions for 'prod'.

Option B is wrong because SCPs do not require resource-based policies. Option C is wrong because SCPs are not overridden by IAM; they are boundaries. Option D is wrong because SCPs are not optional.

1078 · MCQ · hard

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which configuration provides the most secure and efficient access?

A. Create an Interface VPC Endpoint for S3.
B. Create a Gateway VPC Endpoint for S3 and update the route table.
C. Route the traffic through a NAT Gateway to the internet.
D. Assign a public IP address to the EC2 instance and allow it to access S3 via internet.
Answer: B

Private and secure access to S3.

Why this answer

Option B is correct because a Gateway VPC Endpoint for S3 allows private access to S3 without going through the internet or NAT Gateway, and it is more secure. Option A is wrong because it goes through the internet. Option C is wrong because Interface Endpoints are more costly and complex for S3.

Option D is wrong because internet access still goes through the internet.

1079 · MCQ · easy

A company wants to centralize security logs from multiple AWS accounts into a single S3 bucket. The logging accounts (e.g., security, production) each have their own CloudTrail trails. Which configuration is required to allow cross-account log delivery?

A. Create an IAM role in the destination account with write permissions and allow CloudTrail in source accounts to assume that role.
B. Use a customer-managed KMS key in the destination account and share it with the source accounts.
C. Create an S3 bucket policy in the destination account that allows the CloudTrail service principal to write objects.
D. Configure S3 bucket ACLs to grant write access to the source account IDs.
Answer: C

The bucket policy must grant s3:GetBucketAcl on the bucket and s3:PutObject on each source account's AWSLogs/<account-id>/ prefix to the cloudtrail.amazonaws.com service principal.

Why this answer

Option C is correct because CloudTrail delivers logs to an S3 bucket in another account through a bucket policy that grants the CloudTrail service principal (cloudtrail.amazonaws.com) write access to each source account's prefix; the usual additions are the condition s3:x-amz-acl = bucket-owner-full-control and an aws:SourceArn condition naming the trail. Option A is wrong because CloudTrail does not assume an IAM role to deliver to S3. Option B is wrong because a KMS key is only needed if the trail encrypts with SSE-KMS; on its own it grants no delivery permission.

Option D is wrong because bucket ACLs are a legacy mechanism; the bucket policy is the supported way to authorise CloudTrail.

1080
MCQeasy

A company wants to ensure that all data transmitted between its EC2 instances and an Application Load Balancer (ALB) is encrypted. Which configuration should be applied?

A.Install SSL certificates on each EC2 instance and configure the ALB to use TCP passthrough.
B.Configure the ALB with an HTTPS listener and a target group that uses HTTPS as the protocol.
C.Use a Network Load Balancer with TLS listeners and target groups.
D.Configure security groups to allow only HTTPS traffic.
AnswerB

This ensures traffic between ALB and instances is encrypted.

Why this answer

Option B is correct because the ALB terminates TLS on an HTTPS listener and, when the target group protocol is HTTPS, opens a new TLS connection to each target, so the ALB-to-instance hop is encrypted as well. Option A is wrong because an ALB is a Layer 7 load balancer and does not offer TCP passthrough. Option C is wrong because the company is using an ALB; a Network Load Balancer with TLS listeners is a different design rather than a configuration of the existing load balancer.

Option D is wrong because security groups filter traffic by port and source; they do not encrypt anything.

1081
MCQmedium

A security engineer notices that an IAM user has permissions that exceed their job requirements. The engineer wants to implement the principle of least privilege. Which IAM feature should be used to grant only the necessary permissions?

A.Attach a permissions boundary to the user
B.Add the user to an IAM group with restricted permissions
C.Use a resource-based policy on the user
D.Attach a service control policy (SCP) to the user's account
AnswerA

Permissions boundaries limit the maximum permissions the user can have.

Why this answer

Permissions boundaries set the maximum permissions that an identity-based policy can grant. Option A is correct because it caps the user's effective permissions at the boundary regardless of what the attached policies allow. Option B (IAM group) is wrong because group membership adds permissions; it does not cap the permissions the user already holds from other policies.

Option C (resource-based policies) is wrong because those are attached to resources, not to users. Option D (service control policies) is wrong because SCPs apply to whole accounts or OUs in an organization, not to an individual user.

1082
MCQmedium

A company stores sensitive data in an S3 bucket and uses AWS KMS to encrypt the data. The security team wants to ensure that only specific IAM roles can decrypt the data. What should the team do?

A.Use a KMS grant to allow the roles to decrypt the key.
B.Modify the KMS key policy to include a condition that allows kms:Decrypt only for the specific IAM roles.
C.Attach an IAM policy to the roles that allows kms:Decrypt on the key.
D.Add an S3 bucket policy that denies s3:GetObject for all roles except the allowed ones.
AnswerB

Key policy controls who can use the key directly.

Why this answer

Option B is correct because the key policy is the primary access control for a KMS key: granting kms:Decrypt in it only to the specific role ARNs means no other principal can decrypt, whatever their IAM policies say. Option A is wrong because a grant adds permission for a principal; it does not remove decrypt access from the others the key policy already allows. Option C is wrong because an IAM policy on the roles only works if the key policy delegates to IAM, and it does nothing to restrict other principals who already have kms:Decrypt.

Option D is wrong because an S3 bucket policy controls S3 operations, not the KMS decrypt operation; access to the key must be controlled in KMS.

1083
Multi-Selecteasy

Which TWO of the following are best practices for managing IAM user credentials? (Choose TWO.)

Select 2 answers
A.Create a single IAM user for multiple developers.
B.Store access keys in source code repositories for convenience.
C.Enable MFA for all IAM users.
D.Rotate access keys regularly.
E.Use long-term access keys for all users.
AnswersC, D

MFA adds security.

Why this answer

Options C and D are correct: enable MFA for all users, and rotate access keys regularly. Option A is not a best practice; each person should have their own identity (ideally a federated one) so that actions can be attributed. Option B is not a best practice; keys committed to source control leak, and applications should use IAM roles instead.

Option E is not recommended; prefer roles with temporary credentials over long-term access keys.
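The two practices in question 1083 are easy to check against the IAM credential report, which is base64-encoded CSV from 'aws iam get-credential-report'. The following is an added example, not from the exam page: the column headers are the real ones, but the rows, user names, dates and the 90-day rotation window are constructed for the demonstration. It flags console users without MFA and any active access key older than the window.

```python
"""Added example (not from the exam page): audit of a constructed IAM credential
report for the two practices in question 1083. The CSV headers match
'aws iam get-credential-report'; every row is made up. ROTATION_DAYS is an
assumed policy value, not an AWS default."""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90  # assumed organisational policy

# Constructed report. The root row uses 'not_supported' for password_enabled,
# as the real report does; service users have password_enabled=false.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T10:00:00+00:00,2024-04-01T09:00:00+00:00,2024-07-01T09:00:00+00:00,true,true,2024-05-15T12:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T09:00:00+00:00,true,2024-05-29T10:00:00+00:00,2024-01-01T09:00:00+00:00,2024-04-01T09:00:00+00:00,false,true,2023-11-01T12:00:00+00:00,2024-05-29T10:00:00+00:00,eu-west-1,ec2,true,2024-05-20T12:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-03-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-03-01T00:00:00+00:00,2024-05-31T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def parse_ts(value: str):
    """Report timestamps are ISO 8601; the placeholders mean 'no timestamp'."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def audit_report(report_csv: str, now: datetime = NOW, max_age_days: int = ROTATION_DAYS) -> list:
    """Return (user, finding) tuples. Anyone who can sign in to the console
    (password_enabled true, or the root account) must have MFA; every active
    access key last rotated more than max_age_days ago is flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_age_days):
                age = (now - rotated).days if rotated else "unknown"
                findings.append((user, f"access key {n} is {age} days old (> {max_age_days})"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_report(REPORT_CSV):
        print(f"{user}: {finding}")
```

With the constructed data, alice passes, bob is flagged twice (no MFA, stale key 1; his recently rotated key 2 is fine), and the deploy-bot service user is flagged only for its three-year-old key, since it has no console password. Against a real account, decode the report with base64 and feed the CSV to audit_report.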

1084
MCQmedium

A company is using AWS CloudTrail to monitor API activity in their account. They have enabled CloudTrail in all regions and are logging to an S3 bucket. The security team wants to ensure that log files are not tampered with after delivery. They enable CloudTrail log file integrity validation. Which additional step must be taken to verify the integrity of the log files?

A.Enable S3 versioning on the log bucket.
B.Configure the S3 bucket to use server-side encryption with AWS KMS.
C.Enable S3 Object Lock on the log bucket.
D.Use the AWS CLI to run the validate-logs command against the log files.
AnswerD

This command checks the digest files to verify integrity.

Why this answer

Option D is correct. CloudTrail log file integrity validation delivers hourly digest files that list the SHA-256 hash of every log file delivered in that hour and are themselves signed (SHA-256 with RSA) by a CloudTrail private key; each digest also records the hash and signature of the previous digest, so the digests form a chain in which a removed or altered file is detectable. To verify, run 'aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>' or re-implement the check with the public key returned by 'aws cloudtrail list-public-keys'.

Option A (S3 versioning) preserves earlier object versions but does not prove that the current one is unmodified. Option B (SSE-KMS) protects confidentiality, not integrity. Option C (S3 Object Lock) prevents deletion and overwrite for the retention period but offers no way to detect tampering or to prove the file is the one CloudTrail delivered.
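The hash checks behind validate-logs, as an added example that is not part of the exam page: a digest file's logFiles entries record the SHA-256 of each log file's uncompressed content, and previousDigestHashValue records the SHA-256 of the preceding digest file. The digest, keys and log content below are constructed; the RSA signature verification over the digest itself is omitted because it needs the CloudTrail public key for the account and period.

```python
"""Added example (not from the exam page): the per-file hash check and the
digest-chain check that 'aws cloudtrail validate-logs' performs, run on
constructed data. hashValue in a CloudTrail digest is the SHA-256 of the
uncompressed log content; previousDigestHashValue is the SHA-256 of the raw
previous digest file. The RSA signature step is not implemented here."""
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_log_files(digest: dict, objects: dict) -> list:
    """Return (s3Object, reason) for every log file in the digest that fails.
    `objects` maps S3 keys to the stored bytes (gzip-compressed, as CloudTrail writes them)."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            problems.append((key, "missing"))
            continue
        if entry["hashAlgorithm"] != "SHA-256":
            problems.append((key, "unexpected algorithm " + entry["hashAlgorithm"]))
            continue
        try:
            content = gzip.decompress(objects[key])
        except OSError:
            problems.append((key, "corrupt gzip"))
            continue
        if sha256_hex(content) != entry["hashValue"]:
            problems.append((key, "hash mismatch"))
    return problems

def check_chain(previous_digest_bytes: bytes, digest: dict) -> bool:
    """Digest N must carry the SHA-256 of digest N-1's raw file content."""
    return (digest["previousDigestHashAlgorithm"] == "SHA-256"
            and digest["previousDigestHashValue"] == sha256_hex(previous_digest_bytes))

# ---- constructed sample data (account ID, bucket and key are placeholders) ----
LOG_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
           "123456789012_CloudTrail_us-east-1_20240101T0000Z_abc.json.gz")
LOG_PLAIN = json.dumps({"Records": [{"eventName": "ConsoleLogin",
                                     "eventSource": "signin.amazonaws.com"}]}).encode()
LOG_GZ = gzip.compress(LOG_PLAIN, mtime=0)
PREV_DIGEST_BYTES = json.dumps({"awsAccountId": "123456789012", "logFiles": []}).encode()

DIGEST = {
    "awsAccountId": "123456789012",
    "digestS3Bucket": "central-trail-logs",
    "previousDigestHashValue": sha256_hex(PREV_DIGEST_BYTES),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [{
        "s3Bucket": "central-trail-logs",
        "s3Object": LOG_KEY,
        "hashValue": sha256_hex(LOG_PLAIN),
        "hashAlgorithm": "SHA-256",
    }],
}

def run_demo() -> dict:
    intact = {LOG_KEY: LOG_GZ}
    # Tampering: a record removed and the file recompressed. The digest hash no longer matches.
    tampered = {LOG_KEY: gzip.compress(b'{"Records": []}', mtime=0)}
    return {
        "intact": check_log_files(DIGEST, intact),
        "tampered": check_log_files(DIGEST, tampered),
        "missing": check_log_files(DIGEST, {}),
        "chain_ok": check_chain(PREV_DIGEST_BYTES, DIGEST),
        "chain_broken": check_chain(PREV_DIGEST_BYTES + b" ", DIGEST),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A deleted log file shows up as "missing", an edited one as "hash mismatch", and a digest whose predecessor was altered fails check_chain; this is why the digest chain has to start from a digest you trust (validate-logs does this by verifying every digest's signature back to the start time).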

1085
MCQmedium

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be logged in AWS CloudTrail and that all requests must be authenticated using IAM credentials. Which S3 bucket policy statement should be added to enforce these requirements?

A."Deny" effect with "StringNotEquals" on "aws:SourceIdentity"
B."Deny" effect with "aws:SourceIp" condition
C."Deny" effect with "Null" condition on "aws:PrincipalArn"
D."Allow" effect with "Referer" condition
AnswerC

Denies access when the principal ARN is null (anonymous requests).

Why this answer

Option C is correct. aws:PrincipalArn is present in the request context for every signed (authenticated) request and absent for anonymous requests, so a Deny statement with the condition "Null": {"aws:PrincipalArn": "true"} refuses exactly the unauthenticated calls while leaving IAM users and roles unaffected. Option A is wrong because aws:SourceIdentity is set only when an AssumeRole caller passes a source identity; most authenticated requests would not carry it, so that deny would block legitimate callers. Option B is wrong because aws:SourceIp restricts the network origin of a request, not whether it was authenticated. Option D is wrong because aws:Referer is an HTTP header any client can set; it is not an authentication control.

Note that a bucket policy cannot by itself make access appear in CloudTrail: object-level reads and writes are recorded only if S3 data events are enabled on a trail (or in CloudTrail Lake). The policy statement covers the authentication half of the requirement; the logging half is a CloudTrail setting.
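How the Null operator behaves, as an added example that is not part of the exam page: a small evaluator for Deny statements, following the IAM documentation's semantics (Null tests whether a key is present in the request context; Bool compares the string form of a boolean; StringNotEquals matches when the key is absent), run against constructed request contexts. The bucket name, role ARN and the second statement requiring TLS are assumptions for the demonstration.

```python
"""Added example (not from the exam page): the Null condition from question 1085
evaluated against constructed request contexts. Only Deny statements are
evaluated because the requirement is an enforcement (an explicit deny wins
over any allow). Bucket, role and the aws:SecureTransport statement are assumed."""
import fnmatch

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Anonymous requests carry no aws:PrincipalArn, so Null=true matches them.
            "Sid": "DenyAnonymous",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::sensitive-data", "arn:aws:s3:::sensitive-data/*"],
            "Condition": {"Null": {"aws:PrincipalArn": "true"}},
        },
        {   # Related hardening: refuse plaintext HTTP.
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::sensitive-data", "arn:aws:s3:::sensitive-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(condition: dict, context: dict) -> bool:
    """Operators in a Condition block are ANDed; values for one key are ORed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true": match when the key is absent; "false": match when it is present.
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "Bool":
                if not present or str(context[key]).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # An absent key cannot equal anything, so the negated operator matches.
                if present and context[key] in _as_list(expected):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True

def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def denied_by(policy: dict, action: str, resource: str, context: dict) -> list:
    """Sids of Deny statements that block the request; empty means no explicit deny."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and statement_applies(s, action, resource)
            and condition_matches(s.get("Condition", {}), context)]

OBJ = "arn:aws:s3:::sensitive-data/report.csv"

# Constructed request contexts as the policy engine would see them.
ANON_HTTPS = {"aws:SecureTransport": "true"}                       # no principal: anonymous
ROLE_HTTPS = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Analyst",
              "aws:SecureTransport": "true"}
ROLE_HTTP = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Analyst",
             "aws:SecureTransport": "false"}

if __name__ == "__main__":
    for name, ctx in [("anonymous over TLS", ANON_HTTPS), ("role over TLS", ROLE_HTTPS),
                      ("role over HTTP", ROLE_HTTP)]:
        print(name, "->", denied_by(BUCKET_POLICY, "s3:GetObject", OBJ, ctx) or "no explicit deny")
```

The anonymous request is stopped by DenyAnonymous even over TLS; the authenticated role passes both statements over TLS and is caught only by DenyPlaintext over HTTP. The StringNotEquals branch is included to show the opposite trap: a key that is absent from the request satisfies a negated operator, which is why "deny unless aws:SourceVpce equals X" also denies console requests that carry no endpoint ID at all.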

1086
MCQhard

A company is using AWS Organizations with a management account and several member accounts. The security team has created an SCP that denies access to all actions for the 'ec2:*' service unless the request comes from a specific VPC endpoint. The SCP is attached to the organization root. However, users in a member account are still able to launch EC2 instances from the AWS Management Console, which does not use a VPC endpoint. The SCP is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-12345678" } } } ] } What is the most likely reason the SCP is not preventing the users from launching instances?

A.The SCP is not applied to the root user in the member account.
B.The SCP is attached to the organization root but not to the member account.
C.The condition key 'aws:sourceVpce' is not supported in SCPs.
D.The management account is not affected by SCPs, and the users are using the management account.
AnswerC

SCPs do not support this condition key, so the condition is ignored.

Why this answer

Option C is correct: this item treats aws:sourceVpce as a condition key SCPs do not support, and a condition that cannot be evaluated never matches, so the Deny does not take effect. Option A is wrong because SCPs apply to every principal in a member account, including its root user.

Option B is wrong because a policy attached to the organization root is inherited by every OU and account beneath it. Option D is wrong because, although the management account is never subject to SCPs, the stem places the users in a member account. In practice, test any SCP condition against the real call path before relying on it: a console request carries no aws:sourceVpce value, and requests from the management account are exempt from SCPs regardless of the condition used.

1087
Multi-Selectmedium

Which THREE AWS services can be used to detect and alert on suspicious API activity in an AWS account? (Choose three.)

Select 3 answers
A.AWS CloudTrail Insights
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS Config
E.AWS Security Hub
AnswersA, C, E

Identifies unusual API activity patterns.

Why this answer

GuardDuty identifies threats, CloudTrail logs API calls (with Insights for anomalous activity), and Security Hub aggregates findings. Config evaluates configuration, not activity; Inspector scans for vulnerabilities.

1088
MCQmedium

An organization uses AWS Organizations and wants to centrally manage Amazon GuardDuty across multiple accounts. What is the correct architecture?

A.Enable GuardDuty only in the master account; it will automatically monitor all member accounts.
B.Use AWS CloudFormation StackSets to deploy GuardDuty in all accounts and regions.
C.Designate a delegated administrator account in Organizations and enable GuardDuty in that account.
D.Enable GuardDuty in each region separately and use cross-region aggregation.
AnswerC

Delegated admin can manage GuardDuty across member accounts.

Why this answer

Option C is correct because AWS Organizations allows you to designate a delegated administrator account for Amazon GuardDuty, which can then centrally manage GuardDuty across all member accounts in the organization. This architecture simplifies enabling GuardDuty and managing findings without needing to configure each account individually, as the delegated administrator can enable GuardDuty for all accounts in the organization from a single point.

Exam trap

The trap here is that candidates often assume enabling GuardDuty in the master account automatically covers all member accounts (Option A), but in reality, GuardDuty requires explicit member account management or a delegated administrator setup, and the delegated administrator model is the recommended architecture for centralized management in Organizations.

How to eliminate wrong answers

Option A is wrong because enabling GuardDuty only in the master account does not automatically monitor member accounts; GuardDuty must be explicitly enabled in each account, or a delegated administrator must be used to manage member accounts centrally. Option B is wrong because while AWS CloudFormation StackSets can deploy resources across accounts and regions, GuardDuty is a regional service that requires a centralized management approach via Organizations, and StackSets do not provide the native integration for cross-account threat detection management that a delegated administrator does. Option D is wrong because GuardDuty findings are regional by default, and cross-region aggregation is not a built-in feature; instead, you would need to use a delegated administrator to centrally view findings from multiple regions, but the correct architecture for multi-account management is through Organizations delegation, not separate per-region enablement.

1089
MCQmedium

A company is using Amazon EC2 instances in a VPC with a security group that allows inbound SSH from 0.0.0.0/0. A security engineer needs to restrict SSH access to only the company's public IP range (203.0.113.0/24) while maintaining all other existing rules. What is the MOST efficient way to accomplish this?

A.Disable SSH and use AWS Systems Manager Session Manager to connect to instances.
B.Create a network ACL with an inbound rule allowing SSH from 203.0.113.0/24 and deny all other traffic.
C.Modify the existing security group rule to change the source from 0.0.0.0/0 to 203.0.113.0/24.
D.Create a new security group rule allowing SSH from 203.0.113.0/24 and keep the existing rule.
AnswerC

Modifying the existing rule directly updates the source to the required CIDR, removing the open access.

Why this answer

Option C is correct because editing the source of the existing rule is a single change that removes the 0.0.0.0/0 exposure and leaves every other rule intact. Option A is wrong because, while Session Manager is a sound long-term replacement for SSH, it is a larger change than the question asks for and does not by itself close the open rule. Option B is wrong because NACLs are stateless, would need matching outbound ephemeral-port rules, and would leave the permissive security group rule in place.

Option D is wrong because security group rules are additive: adding a narrower rule changes nothing while the 0.0.0.0/0 rule remains.

1090
MCQhard

A company uses AWS Organizations to manage 50 accounts. The security team has enabled AWS CloudTrail in the management account with an organization trail that delivers logs to a central S3 bucket. The bucket policy grants necessary permissions to CloudTrail. Recently, the security team noticed that logs from two member accounts stopped appearing in the bucket. Other accounts continue to deliver logs correctly. The CloudTrail status in the management account shows that the trail is logging and deliveries are succeeding. The security team checked the CloudTrail configuration in the affected member accounts and found that they do not have any trails configured. The IAM roles used for CloudTrail in the management account have sufficient permissions. What is the most likely cause of the missing logs?

A.The KMS key used for encryption does not include permissions for the member accounts.
B.The S3 bucket policy does not grant write access to the CloudTrail service for the affected member accounts.
C.The CloudTrail service-linked role in the member accounts is missing.
D.An SCP attached to the affected member accounts denies cloudtrail:PutLogEvents.
AnswerB

Correct: Bucket policy must allow CloudTrail from all accounts.

Why this answer

Option B is correct. An organization trail logs every account in the organization, but each delivery is still authorised by the central bucket's policy. Member-account logs for an organization trail are written under the prefix AWSLogs/<organization-id>/<account-id>/, so if the policy grants s3:PutObject only on the management account's AWSLogs/<management-account-id>/* prefix, or lists only some account IDs, deliveries for the uncovered accounts fail while the trail itself still reports as logging.

The bucket policy must allow the CloudTrail service principal to write to the prefixes used by all accounts in the organization. Option A is wrong because the stem does not say the trail uses SSE-KMS; with SSE-S3 the key policy is irrelevant. Option C is wrong because the CloudTrail service-linked role for organization trails is created automatically, and nothing in the stem suggests it is missing. Option D is wrong because an organization trail is configured in, and delivered on behalf of, the management account; an SCP on a member account does not stop that delivery.
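The bucket policy shape from question 1079 and the prefix-coverage mistake from question 1090, as an added example that is not part of the exam page. The first function builds the policy CloudTrail needs (s3:GetBucketAcl on the bucket, s3:PutObject on each account prefix with the bucket-owner-full-control ACL, both scoped with aws:SourceArn to the trail); the second reports which log object keys a given policy actually authorises, which is the triage for logs that silently stop arriving. Account IDs, bucket, trail ARN and organization ID are constructed.

```python
"""Added example (not from the exam page): CloudTrail cross-account / organization
trail bucket policy builder and a coverage check for delivered object keys.
Account IDs, bucket name, trail ARN and organization ID are placeholders."""
import fnmatch
import json
import re

def cloudtrail_bucket_policy(bucket: str, trail_arn: str, account_ids: list, org_id: str = None) -> dict:
    prefixes = [f"AWSLogs/{acct}/*" for acct in account_ids]
    if org_id:
        # An organization trail writes member-account logs under the organization ID.
        prefixes.append(f"AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/{p}" for p in prefixes],
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
        ],
    }

def covered_log_keys(policy: dict, bucket: str, object_keys: list) -> dict:
    """For each candidate log key, True if an Allow s3:PutObject statement for the
    CloudTrail service principal matches its ARN. An uncovered key is a delivery
    that fails for that account even though the trail reports as logging."""
    result = {}
    for key in object_keys:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        result[key] = False
        for s in policy["Statement"]:
            principal = s.get("Principal")
            if s["Effect"] != "Allow" or not isinstance(principal, dict) \
                    or principal.get("Service") != "cloudtrail.amazonaws.com":
                continue
            actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            if not any(fnmatch.fnmatchcase("s3:PutObject", a) for a in actions):
                continue
            resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
            if any(fnmatch.fnmatchcase(arn, r) for r in resources):
                result[key] = True
                break
    return result

def account_of(key: str) -> str:
    """AWSLogs/<org-id>/<acct>/... or AWSLogs/<acct>/...: return the 12-digit account ID."""
    m = re.match(r"AWSLogs/(?:o-[a-z0-9]+/)?(\d{12})/", key)
    return m.group(1) if m else ""

# Constructed sample: 111111111111 is the management account running an organization
# trail; 222222222222 and 333333333333 are member accounts.
BUCKET = "central-trail-logs"
TRAIL = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
ORG = "o-exampleorgid"
KEYS = [
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/111111111111_CloudTrail_us-east-1_a.json.gz",
    "AWSLogs/o-exampleorgid/222222222222/CloudTrail/us-east-1/2024/01/01/222222222222_CloudTrail_us-east-1_b.json.gz",
    "AWSLogs/o-exampleorgid/333333333333/CloudTrail/us-east-1/2024/01/01/333333333333_CloudTrail_us-east-1_c.json.gz",
]

# The misconfiguration in question 1090: only the management account's prefix is allowed.
NARROW_POLICY = cloudtrail_bucket_policy(BUCKET, TRAIL, ["111111111111"])
# The fix: add the organization prefix so member-account deliveries are authorised.
FIXED_POLICY = cloudtrail_bucket_policy(BUCKET, TRAIL, ["111111111111"], org_id=ORG)

if __name__ == "__main__":
    for label, pol in [("narrow", NARROW_POLICY), ("fixed", FIXED_POLICY)]:
        for key, ok in covered_log_keys(pol, BUCKET, KEYS).items():
            print(f"{label}: account {account_of(key)} {'covered' if ok else 'NOT covered'}")
    print(json.dumps(FIXED_POLICY, indent=2))
```

With the narrow policy only the management account's key is covered, which is exactly the symptom in question 1090; the fixed policy covers all three. For a plain multi-account (non-organization) setup, pass every source account ID in account_ids and omit org_id.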

1091
MCQmedium

A security engineer needs to grant cross-account access to an S3 bucket in Account A to a role in Account B. Which combination of IAM entities must be configured?

A.Bucket policy in Account A and IAM user policy in Account B
B.IAM role in Account B with trust policy for Account A
C.IAM role in Account A with trust policy for Account B
D.IAM user in Account B with permissions to the bucket
AnswerC

The role in Account A trusts Account B to assume it.

Why this answer

Cross-account access requires an IAM role in the trusting account (Account A) with a trust policy that allows the trusted account (Account B) to assume it, and an IAM policy in Account B that allows the user or role to call sts:AssumeRole. Option C is correct. Option A is wrong because the bucket policy alone is not sufficient; the role must also allow the action.

Option B is wrong because the role is in Account A, not Account B. Option D is wrong because an IAM user in Account B cannot directly access a role in Account A without assuming it.

1092
MCQmedium

A security engineer is designing a web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be protected from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used to provide this protection?

A.AWS WAF
B.Network ACLs
C.Security Groups
D.AWS Shield Advanced
AnswerA

AWS WAF filters and monitors HTTP requests to protect against web exploits.

Why this answer

Option A is correct because AWS WAF inspects HTTP(S) requests at the ALB with managed and custom rules, including SQL injection and cross-site scripting match statements, and blocks them before they reach the instances. Option D is wrong because Shield Advanced is DDoS protection and does not inspect request content for application-layer exploits. Option B is wrong because Network ACLs are stateless subnet-level filters on IP, port and protocol and cannot see request bodies.

Option C is wrong because Security Groups are stateful instance-level filters, equally blind to request content.

1093
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. The team has set up a central logging account with an S3 bucket that has a bucket policy allowing cross-account writes. However, VPC Flow Logs from member accounts are not appearing. What is the most likely cause?

A.AWS CloudTrail is not enabled in the member accounts.
B.The VPC Flow Logs must be delivered to CloudWatch Logs first, then exported to S3.
C.VPC Flow Logs cannot be published directly to an S3 bucket in a different account. The logs must be published to a bucket in the same account as the VPC, and then replicated to the central account.
D.The S3 bucket policy does not allow the s3:PutObject action for the member accounts.
AnswerC

Direct cross-account publishing is not supported.

Why this answer

Option C is correct for this item: the flow log destination bucket is placed in the same account as the VPC, and the central copy is produced with S3 replication to the logging account's bucket. Option A is wrong because CloudTrail records API calls, not network flows. Option B is wrong because publishing to S3 does not require CloudWatch Logs as an intermediate step.

Option D is wrong because the stem states that the bucket policy already permits cross-account writes. One check worth making whatever the destination: a flow log is not written by the principal that created it but by the log-delivery service principal (delivery.logs.amazonaws.com), so that is the principal a destination bucket policy must name.

1094
MCQhard

A company uses Amazon S3 to store sensitive data. The security team needs to be alerted when an S3 bucket policy is changed to allow public access. Which combination of services should be used to meet this requirement?

A.AWS CloudTrail and Amazon Simple Notification Service (SNS)
B.S3 server access logs and Amazon Athena
C.AWS Trusted Advisor and Amazon Simple Notification Service (SNS)
D.AWS Config with AWS Lambda and Amazon Simple Notification Service (SNS)
AnswerD

AWS Config can evaluate S3 bucket policy changes and invoke a Lambda function to send SNS alerts.

Why this answer

Option D is correct because AWS Config records every change to the bucket policy as a configuration item; a Config rule (the managed rule s3-bucket-public-read-prohibited, or a custom rule backed by Lambda) evaluates the new policy, and the Lambda function publishes the NON_COMPLIANT result to an SNS topic. Option A is wrong because CloudTrail records the PutBucketPolicy call but does not evaluate the resulting policy or alert on its own; it needs EventBridge or a Config rule in front of SNS. Option C is wrong because Trusted Advisor's S3 permissions check runs on its own schedule and is not a real-time change monitor.

Option B is wrong because S3 server access logs record object requests, not bucket policy changes.

1095
MCQhard

A company has a multi-account AWS Organizations setup with hundreds of accounts. The Security team needs to enforce a policy that prohibits the creation of any S3 bucket with public read access across all accounts. They have enabled all features in Organizations and are using Service Control Policies (SCPs). The team creates an SCP with a Deny effect for s3:PutBucketAcl and s3:PutBucketPolicy when the request includes a condition that would make the bucket public. They attach the SCP to the root OU. However, a developer in a member account under the root OU is able to create a bucket with a bucket policy that grants public read access. The SCP is evaluated and shows the Deny is effective for s3:PutBucketPolicy but the bucket policy is still created. What is the MOST likely reason for this behavior?

A.The S3 Block Public Access settings at the account level are overriding the SCP.
B.The developer used a different API call, such as PutObject with public-read canned ACL, which is not blocked by the SCP because it does not match the denied actions.
C.The developer used an IAM role that is attached to an Amazon EC2 instance, which bypasses SCPs.
D.The SCP only denies actions when the request comes from outside the organization, but the developer is within the organization.
AnswerB

The SCP denied specific actions; the developer may have used a different method that also makes the bucket public.

Why this answer

Option B is correct. The SCP denies s3:PutBucketAcl and s3:PutBucketPolicy when the request would make the bucket public, but public access can also be granted per object: a PutObject request with the public-read canned ACL is an s3:PutObject call carrying s3:x-amz-acl = public-read, which neither denied action covers. A control written as a list of denied actions is only as good as the list; S3 Block Public Access, which ignores public ACLs and policies however they were set, is the durable preventive control.

Option A is wrong because Block Public Access can only restrict access further; it cannot override or loosen an SCP. Option C is wrong because SCPs apply to every IAM role in a member account, including roles attached to EC2 instances. Option D is wrong because SCPs have no notion of inside or outside the organization; they apply to all principals in the accounts they are attached to.

1096
MCQmedium

A company wants to use client-side encryption for data uploaded to Amazon S3. The encryption keys must be managed by the company and never sent to AWS. Which S3 encryption option supports this requirement?

A.Server-side encryption with AWS KMS (SSE-KMS).
B.Client-side encryption using the Amazon S3 encryption client.
C.Server-side encryption with S3 managed keys (SSE-S3).
D.Server-side encryption with customer-provided keys (SSE-C).
AnswerB

Encryption happens on client side; keys never sent to AWS.

Why this answer

Client-side encryption using the Amazon S3 encryption client is correct because the encryption process occurs entirely on the client side before data is uploaded to S3. The company manages the encryption keys locally and never transmits them to AWS, satisfying the requirement that keys are never sent to AWS.

Exam trap

The trap here is that candidates often confuse SSE-C with client-side encryption, not realizing that SSE-C still transmits the encryption key to AWS over the network, albeit encrypted in transit, which violates the 'never sent to AWS' requirement.

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses AWS KMS to manage encryption keys, and the keys are stored and managed by AWS, not the company. Option C is wrong because SSE-S3 uses S3-managed keys that are fully controlled by AWS, not the customer. Option D is wrong because SSE-C requires the customer to provide an encryption key with each request, but the key is sent to AWS over HTTPS for the encryption operation, violating the requirement that keys never be sent to AWS.

1097
MCQhard

A company uses Amazon S3 to store sensitive data. The security team wants to detect when objects are made publicly accessible. Which combination of services provides the MOST comprehensive detection with minimal false positives?

A.Enable S3 Block Public Access at the account level and use AWS Config rules to detect public ACLs and bucket policies.
B.Use Amazon Macie to scan S3 buckets for publicly accessible objects.
C.Enable CloudTrail data events for S3 and create a CloudWatch Events rule for PutBucketAcl calls.
D.Enable Amazon GuardDuty and review the S3 findings for public access.
AnswerA

Block Public Access prevents accidental public access, and Config rules detect violations.

Why this answer

Option A is correct because Block Public Access at the account level stops public ACLs and policies from taking effect at all, and the Config managed rules for public read and public write report any bucket whose ACL or policy would still be public; together they give high-signal detection with few false positives. Option C is wrong because a CloudWatch Events (EventBridge) rule on PutBucketAcl only sees that the API was called, not whether the resulting ACL is public, and misses bucket policies entirely. Option D is wrong because GuardDuty's S3 findings are event-driven (anomalous access, specific policy changes), not a continuous evaluation of public exposure.

Option B is wrong because Macie's purpose is sensitive-data discovery; it reports bucket exposure as context rather than as the primary detection.
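The evaluation logic behind the detection discussed in questions 1094 and 1097, as an added example that is not part of the exam page: the function a custom Config rule (or an EventBridge-triggered Lambda) would run when a bucket policy changes. It flags Allow statements that grant to everyone unless a condition narrows the caller by identity or network origin. The list of narrowing keys is a simplified version of what S3 Block Public Access treats as not public, the sample policies are constructed, and the put_evaluations/SNS plumbing is left out.

```python
"""Added example (not from the exam page): detection of public grants in an S3
bucket policy, as a custom Config rule would evaluate it. RESTRICTING_KEYS is a
simplified version of the keys S3 Block Public Access accepts as non-public;
the sample policies below are constructed. AWS API calls are omitted."""
import json

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"}, {"AWS": ["*"]})

# Condition keys that scope a wildcard principal down to something non-public.
RESTRICTING_KEYS = {
    "aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
    "aws:SourceArn", "aws:SourceAccount", "aws:SourceVpc", "aws:SourceVpce",
    "aws:SourceIp", "aws:userid", "s3:DataAccessPointArn",
}
# Operators that only exclude a value cannot narrow "*" to a safe set.
NEGATING_OPERATORS = {"StringNotEquals", "StringNotLike", "ArnNotEquals", "ArnNotLike", "NotIpAddress"}

def _condition_restricts(condition: dict) -> bool:
    for operator, pairs in condition.items():
        if operator in NEGATING_OPERATORS or operator.endswith("IfExists"):
            continue
        if any(key in RESTRICTING_KEYS for key in pairs):
            return True
    return False

def public_statements(policy: dict) -> list:
    """Return the Sids (or positional labels) of statements that make the bucket public."""
    out = []
    for i, s in enumerate(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        if s.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        if _condition_restricts(s.get("Condition", {})):
            continue
        out.append(s.get("Sid", f"statement[{i}]"))
    return out

def evaluate_bucket(policy_json: str) -> dict:
    """Config-style verdict for one bucket: COMPLIANT or NON_COMPLIANT plus an annotation.
    An empty string stands for a bucket with no policy."""
    offenders = public_statements(json.loads(policy_json)) if policy_json else []
    if offenders:
        return {"ComplianceType": "NON_COMPLIANT",
                "Annotation": "public grant in " + ", ".join(offenders)}
    return {"ComplianceType": "COMPLIANT", "Annotation": "no unrestricted Allow to *"}

# Constructed bucket policies.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

CLOUDFRONT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ViaDistribution", "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"}}}]})

ORG_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

# A negated operator looks like a restriction but still admits the whole internet.
LOOKS_SCOPED_BUT_ISNT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "NotOneRole", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Blocked"}}}]})

if __name__ == "__main__":
    for name, pol in [("PUBLIC_READ", PUBLIC_READ), ("CLOUDFRONT_ONLY", CLOUDFRONT_ONLY),
                      ("ORG_ONLY", ORG_ONLY), ("LOOKS_SCOPED_BUT_ISNT", LOOKS_SCOPED_BUT_ISNT)]:
        print(name, evaluate_bucket(pol))
```

The fourth sample is the case that produces false negatives in naive checkers: a condition block is present, but ArnNotEquals excludes one role and admits everyone else. In a real rule the verdict would be passed to config:PutEvaluations and the NON_COMPLIANT result forwarded to SNS; the managed rules named above do the equivalent evaluation without custom code.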

1098
MCQeasy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which component should be added to the VPC to enable this?

A.Internet gateway
B.VPN connection
C.VPC peering connection
D.NAT gateway
AnswerD

A NAT gateway enables outbound internet access for private subnets.

Why this answer

The correct answer is D because a NAT gateway lets instances in private subnets initiate outbound connections to the internet while rejecting unsolicited inbound connections. Option A is wrong because an internet gateway only serves instances with public IPs in public subnets; attaching one gives private subnets no outbound path. Option C is wrong because VPC peering connects two VPCs.

Option B is wrong because a VPN connection provides hybrid connectivity to an on-premises network, not internet access.

1099
MCQhard

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team is concerned about key durability and wants to ensure that keys are not lost if the HSM fails. Which action should be taken?

A.Create a multi-region CloudHSM cluster
B.Store the keys in a file on an encrypted EBS volume
C.Use AWS KMS to import the keys from CloudHSM
D.Regularly back up the HSM to an Amazon S3 bucket and restore to a new cluster if needed
AnswerD

CloudHSM allows backup to S3 and restoration.

Why this answer

Option D is correct because CloudHSM takes periodic backups of a cluster and stores them in a service-managed S3 bucket; a new cluster created from a backup restores the keys, users and policies, so an HSM failure does not lose key material. Option A is wrong because a CloudHSM cluster is confined to one region; cross-region resilience is achieved by copying a backup to another region and creating a cluster from it. Option B is wrong because keys never leave the HSM in plaintext and cannot be written to a file.

Option C is wrong because KMS can use CloudHSM as a custom key store, but it does not import CloudHSM keys.

1100
MCQhard

A company uses Amazon RDS for MySQL with encryption at rest enabled using AWS KMS. They need to ensure that automated backups and snapshots are also encrypted. Which configuration is required?

A.No additional configuration is needed; backups are encrypted automatically.
B.Manually encrypt each snapshot with a separate KMS key.
C.Create a new KMS key and assign it to the backup configuration.
D.Enable encryption on the RDS instance after creation.
AnswerA

Encrypted RDS instances automatically encrypt backups and snapshots.

Why this answer

Option A is correct because encryption at rest on an RDS instance extends automatically to its automated backups, snapshots and same-region read replicas, all under the same KMS key; no additional steps are needed. Option B is wrong because snapshots of an encrypted instance are already encrypted.

Option C is wrong because there is no separate backup key; the instance key is used by default. Option D is wrong because encryption cannot be enabled on an existing unencrypted instance; the path is to snapshot it, copy the snapshot with encryption, and restore.

1101
MCQmedium

Your company has a single AWS account with a production VPC that contains several EC2 instances running a web application. The security team has enabled Amazon GuardDuty and AWS CloudTrail. Recently, GuardDuty reported a finding 'UnauthorizedAccess:EC2/TorClient' for one of the instances. The finding indicates that the instance is making connections to Tor exit nodes. You need to investigate and contain the incident. The instance is critical to the application and cannot be terminated. You have a forensic analysis instance in a separate security group. What should you do FIRST?

A.Isolate the instance by modifying its security group to remove all inbound and outbound rules except for the forensic analysis instance.
B.Terminate the instance immediately and launch a replacement.
C.Take an EBS snapshot of the instance's root volume for analysis.
D.Use AWS Systems Manager Run Command to install a forensic agent on the instance.
AnswerA

Isolation stops exfiltration and allows safe investigation.

Why this answer

Option A is correct because the first step in incident response for a compromised instance that cannot be terminated is to contain the threat by isolating it from the network. Modifying the security group to remove all inbound and outbound rules except for a specific forensic analysis instance prevents the compromised EC2 instance from communicating with Tor exit nodes or other external hosts, while still allowing controlled forensic access. This containment is immediate and reversible, aligning with the AWS incident response best practice of 'isolate first, investigate later'.

Exam trap

The trap here is that candidates may rush to collect forensic evidence (snapshot or agent) before containing the threat, failing to recognize that the first priority in incident response is to stop the active malicious behavior (outbound Tor connections) to prevent data exfiltration or further compromise.

How to eliminate wrong answers

Option B is wrong because the instance is critical to the application and cannot be terminated, and immediate termination would destroy volatile data (e.g., running processes, memory contents) needed for forensic analysis. Option C is wrong because taking an EBS snapshot is a valid forensic step, but it should be performed after containment to prevent the compromised instance from continuing malicious outbound connections during the snapshot process. Option D is wrong because installing a forensic agent via Systems Manager Run Command requires network connectivity and could be blocked or tampered with by the malware, and it does not address the immediate need to stop the outbound Tor connections.

1102
MCQeasy

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A.Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed
B.Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed
C.Use S3 bucket ACLs to grant READ access to the Account B user
D.Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action
AnswerD

Both policies are required for cross-account access.

Why this answer

Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-way authorization is necessary because the bucket policy controls access to the S3 resource, while the IAM policy controls the user's permissions to initiate the request. Without both, the request will be denied by either the resource-based policy or the identity-based policy.

Exam trap

The trap here is that candidates often assume either a bucket policy alone or an IAM policy alone is sufficient for cross-account access, failing to recognize that AWS requires both the resource-based policy to grant access to the external principal and the identity-based policy to authorize the user to make the request.

How to eliminate wrong answers

Option A is wrong because an IAM policy alone in Account B cannot grant access to a resource in Account A; the resource owner must also allow access via a bucket policy or ACL. Option B is wrong because a bucket policy alone in Account A is insufficient; the user in Account B must also have an IAM policy that permits the s3:GetObject action, otherwise the request is denied by the user's own account. Option C is wrong because S3 bucket ACLs are legacy and do not support granting access to individual IAM users in another account; they only support AWS accounts or predefined groups, and are generally superseded by bucket policies for cross-account access.

1103
MCQhard

A security engineer is investigating a potential data exfiltration from an Amazon S3 bucket. The bucket policy allows access to a specific IAM role, but the engineer suspects that the role has been compromised. The engineer wants to quickly block all access to the bucket without deleting the bucket or the policy. What is the BEST course of action?

A.Delete the IAM role that is allowed access to the bucket.
B.Use AWS WAF to block the IP addresses of the compromised role.
C.Modify the bucket policy to deny all principals.
D.Add a bucket policy statement that denies access unless the request comes from a specific IP address that does not exist.
AnswerD

A deny condition with an impossible IP address blocks all access effectively.

Why this answer

Option D is correct because a Deny statement that applies to every principal, with a condition no real request can satisfy (a NotIpAddress condition for a source range nothing uses), blocks every request while leaving the bucket, its objects and the rest of the policy intact for the investigation; the statement is simply removed once the incident is contained. Option A is wrong because deleting the role destroys evidence about the compromised session and breaks every other workload that uses it. Option B is wrong because AWS WAF protects CloudFront, Application Load Balancer, API Gateway and similar front ends; it does not sit in front of the S3 API. Option C is wrong because an unconditional Deny for all principals also locks out the security team; the conditional form is the one you can carve an exception into. In practice, add a StringNotEquals on aws:PrincipalArn for the incident-response role to the same Deny so the team keeps access while everyone else, including the compromised role, is blocked.

1104
MCQeasy

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to designate a delegated administrator account to manage GuardDuty for all member accounts. Which AWS service must be used to enable GuardDuty for all accounts?

A.AWS CloudFormation StackSets
B.AWS Control Tower
C.AWS Config
D.AWS Organizations
AnswerD

GuardDuty integrates with AWS Organizations for multi-account management.

Why this answer

Option D is correct because AWS Organizations is the foundational service required to designate a delegated administrator for Amazon GuardDuty in a multi-account environment. GuardDuty integrates directly with Organizations to allow a management account to enable GuardDuty for all member accounts and delegate administration to a specified account, which then manages threat detection across the organization without needing additional services.

Exam trap

The trap here is that candidates may confuse AWS Organizations as merely an organizational tool and think they need a separate service like CloudFormation StackSets or Control Tower to enable GuardDuty across accounts, but GuardDuty natively integrates with Organizations for delegated administration and automatic enablement.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets deploys infrastructure as code across accounts and regions, but it is neither required nor used to enable GuardDuty or designate a delegated administrator; GuardDuty's multi-account setup is managed through the GuardDuty console or API on top of Organizations. Option B is wrong because AWS Control Tower provides a governance framework for landing zones (Account Factory, preventive and detective controls) but does not itself enable GuardDuty or designate its delegated administrator; that integration is handled via Organizations. Option C is wrong because AWS Config provides resource inventory, configuration history and compliance rules, not GuardDuty enablement or delegated administration; GuardDuty's multi-account enablement relies on the Organizations APIs, not Config.

1105
MCQeasy

A company needs to securely store database credentials that are used by an application running on Amazon EC2. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

A.AWS KMS
B.AWS Secrets Manager
C.AWS IAM roles for EC2
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager supports automatic rotation of secrets.

Why this answer

Option B is correct because AWS Secrets Manager stores the credentials encrypted with KMS and rotates them on a schedule (every 90 days here) through a rotation Lambda function, with ready-made rotation functions for Amazon RDS, Aurora, Redshift and DocumentDB. Option D is wrong because Systems Manager Parameter Store SecureString parameters can hold secrets but have no built-in rotation; you would have to write and schedule the rotation logic yourself. Option C is wrong because an IAM role for EC2 supplies temporary AWS credentials to the instance and cannot hold a database password, although it is the right way for the application to obtain permission to call secretsmanager:GetSecretValue. Option A is wrong because AWS KMS manages encryption keys; it does not store or rotate application secrets.

1106
MCQhard

A security engineer is designing a VPC with private subnets for an application that must access the internet for software updates. The VPC has a NAT gateway in a public subnet. The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT gateway. Which additional security measure should be implemented to ensure that only the application instances can use the NAT gateway, and not any other resources in the VPC?

A.Enable VPC Flow Logs on the NAT gateway to detect unauthorized usage.
B.Create an IAM policy that allows only the application instances to use the NAT gateway.
C.Configure a security group for the NAT gateway that allows only the application instances' security group as source.
D.Configure a network ACL on the private subnet to allow outbound traffic only to the NAT gateway's private IP address.
AnswerD

A network ACL is the one subnet-level control among the options that can constrain what leaves the private subnet; see the caveat below about which address it actually filters on.

Why this answer

Option D is the intended answer: of the four options, a network ACL is the only control that operates at the subnet boundary and can constrain which traffic leaves the private subnet, so it is the only candidate that can limit who reaches the NAT gateway. A practitioner should know the caveat: a network ACL rule matches the packet's real destination address, and a packet bound for the internet through a NAT gateway still carries the internet destination, not the NAT gateway's private IP (the route table, not the packet header, selects the NAT gateway as next hop). In practice you restrict NAT usage by giving only the application instances' subnet a 0.0.0.0/0 route to the NAT gateway, keeping other private subnets on route tables without that route, and tightening egress rules on the application security group. Option C is wrong because a NAT gateway cannot have a security group; security groups attach to ENIs you control, and NAT gateway usage is governed by routing, not by referencing the gateway as a destination. Option B is wrong because there is no IAM action for 'using' a NAT gateway; IAM governs API calls, not packet forwarding. Option A is wrong because VPC Flow Logs observe traffic but never block it.

1107
MCQmedium

A company uses Amazon RDS for MySQL and wants to monitor database activity for suspicious queries. The security team needs to capture all SQL statements executed against the database, including SELECT queries. Which AWS service should they use?

A.Amazon RDS Enhanced Monitoring with database audit logs enabled and streamed to CloudWatch Logs.
B.AWS CloudTrail with data events enabled for RDS.
C.AWS Config with a custom rule to log database queries.
D.VPC Flow Logs to capture database traffic.
AnswerA

Audit logs capture SQL statements and can be sent to CloudWatch Logs.

Why this answer

Option A is correct because RDS for MySQL can enable the MariaDB Audit Plugin (the MARIADB_AUDIT_PLUGIN option in the DB option group), which records every statement executed against the database, SELECT included, to the audit log; publishing that log to CloudWatch Logs lets the team search it and alarm on suspicious patterns. Enhanced Monitoring by itself reports only operating-system metrics, so the audit log export is the part of Option A that answers the question. Option B is wrong because CloudTrail records control-plane API calls to the RDS service (CreateDBInstance, ModifyDBInstance) rather than SQL statements run inside the database. Option C is wrong because AWS Config records resource configuration changes and cannot see query traffic. Option D is wrong because VPC Flow Logs capture IP-level metadata (addresses, ports, bytes) and never the statement text.

1108
MCQeasy

A company uses AWS CloudTrail to log data events for S3 buckets. They notice that some S3 object-level API calls are not being logged. Which configuration could be the cause?

A.The trail is not configured to log data events for the S3 bucket.
B.The trail is configured to log management events only.
C.The trail is using a CloudWatch Logs log group for delivery.
D.The trail is configured to log read events only.
AnswerA

Data events must be enabled for S3 object-level logging.

Why this answer

CloudTrail trails must be explicitly configured to log data events for S3 buckets. Data events are high-volume operations (e.g., GetObject, PutObject, DeleteObject) and are not captured by default. If the trail is not configured to log data events for the specific S3 bucket, those object-level API calls will not appear in the CloudTrail logs.

Exam trap

The trap here is that candidates often confuse management events (which are logged by default) with data events (which require explicit configuration), leading them to incorrectly assume that all S3 API calls are automatically captured by CloudTrail.

How to eliminate wrong answers

Option B is wrong because management events (e.g., CreateBucket, DeleteBucket) are logged by default, but they do not include object-level API calls; object-level calls are data events, which require separate configuration. Option C is wrong because delivering logs to a CloudWatch Logs log group is a delivery destination option and does not affect which events are logged; it only changes where logs are sent. Option D is wrong because configuring the trail to log read events only would still capture read data events (e.g., GetObject) but not write data events (e.g., PutObject); the question states that some object-level API calls are not being logged, which could be due to not logging data events at all, not just a read/write filter.

1109
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The company has a VPC with public and private subnets. The security team wants to ensure that all traffic between on-premises and the VPC goes through a set of security appliances (firewalls) deployed in the VPC. The appliances are in separate subnets. Currently, traffic is routed directly via the virtual private gateway. What is the MOST secure and scalable way to force traffic through the security appliances?

A.Place the security appliances in a public subnet and route traffic through a NAT gateway.
B.Create a transit gateway and attach the Direct Connect virtual interface to it. Then route traffic through the appliance subnets.
C.Deploy a Gateway Load Balancer and create Gateway Load Balancer endpoints in each subnet. Update the route tables to point to the endpoints.
D.Set up a VPN connection from on-premises to the VPC and route traffic through the appliance subnets.
AnswerC

Gateway Load Balancer transparently forwards traffic to the firewall appliances and scales automatically.

Why this answer

Option C is correct because a Gateway Load Balancer with Gateway Load Balancer endpoints inserts the firewall fleet transparently into the path: the route tables for the Direct Connect side and for the application subnets point at the endpoints, traffic is GENEVE-encapsulated to the appliances, and the load balancer distributes flows across the fleet and scales it. Option B is wrong because a transit gateway does not by itself force traffic through appliances; it still needs routing (and appliance-mode attachments) to do so, and a Direct Connect connection attaches to a transit gateway through a transit virtual interface and a Direct Connect gateway, not directly. Option A is wrong because a NAT gateway performs outbound IPv4 address translation and cannot steer traffic through inspection appliances. Option D is wrong because a VPN connection is an alternative path to Direct Connect, not an inspection mechanism, and does not route traffic through VPC appliances.

1110
MCQhard

A security engineer notices that an EC2 instance in a private subnet can reach the internet, even though there is no NAT gateway or instance in the route table. What is the most likely cause?

A.An internet gateway is attached to the VPC and a default route points to it.
B.A VPC endpoint for S3 is configured.
C.A NAT gateway is configured in a different availability zone.
D.An egress-only internet gateway is used for IPv6 traffic.
AnswerD

Egress-only internet gateway allows outbound IPv6 traffic without inbound.

Why this answer

Option D is correct. An egress-only internet gateway provides outbound-only IPv6 connectivity: if the instance has an IPv6 address and the subnet route table contains a ::/0 route to an egress-only internet gateway, the instance can reach the internet even though the IPv4 side shows no NAT device.

Option A is wrong because a 0.0.0.0/0 route to an internet gateway would make the subnet public (and an instance with a public IP reachable inbound), contradicting the private subnet in the question. Option B is wrong because a gateway endpoint for S3 reaches only S3. Option C is wrong because a NAT gateway in another Availability Zone is usable only if this subnet's route table points to it, and the question states no such route exists.

1111
MCQmedium

A company has enabled Amazon GuardDuty in all accounts within AWS Organizations. The security team wants to view aggregated findings from all accounts in a single dashboard. Which service should the team use?

A.Amazon CloudWatch
B.Amazon Inspector
C.Amazon Macie
D.AWS Security Hub
AnswerD

Security Hub aggregates findings from multiple services across accounts.

Why this answer

AWS Security Hub is the correct service because it provides a single dashboard that aggregates and prioritizes security findings from multiple AWS services, including Amazon GuardDuty, across all accounts in an AWS Organization. It normalizes findings from GuardDuty, Inspector, Macie, and other sources into the AWS Security Finding Format (ASFF), enabling centralized viewing and automated response workflows.

Exam trap

The trap here is that candidates may confuse GuardDuty's own multi-account dashboard with Security Hub's cross-service aggregation, or mistakenly think CloudWatch can serve as a centralized security dashboard, but CloudWatch lacks the finding normalization and multi-account aggregation capabilities that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not designed to aggregate security findings from GuardDuty across multiple accounts into a single dashboard. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure; it does not aggregate GuardDuty findings. Option C is wrong because Amazon Macie is a data security service that discovers and protects sensitive data in S3 using machine learning; it does not aggregate GuardDuty findings from other accounts.

1112
MCQeasy

A company wants to allow users from an external AWS account to assume a role in the company's account. What must be configured in the company's account?

A.An IAM user in the company's account with cross-account access.
B.A permissions policy that allows the external account to list roles.
C.An IAM identity provider for the external account.
D.A trust policy that allows the external account to assume the role.
AnswerD

Trust policy defines who can assume the role.

Why this answer

Option D is correct because the role's trust policy (its resource-based policy) is what names the external account, or a specific role or user in it, as a principal permitted to call sts:AssumeRole; the external account then grants its own users permission to assume the role. Option A is wrong because cross-account access is done with roles, not with an IAM user created in the company's account. Option B is wrong because iam:ListRoles is a permissions-policy action and has nothing to do with assuming a role. Option C is wrong because an IAM identity provider federates an external identity system such as SAML or OIDC; another AWS account is addressed directly as a principal in the trust policy.

1113
MCQhard

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

A.Enable VPC Flow Logs and analyze for S3 traffic
B.Use AWS Config rules to check for public bucket policies and alert via SNS
C.Enable S3 server access logging and use Amazon Athena to query logs, with CloudWatch Events to alert on specific patterns
D.Enable S3 event notifications for all object-level events and send to Amazon SNS
AnswerC

Server access logs record requester, so public reads can be identified.

Why this answer

Option C is correct because S3 server access logs record every request made to a bucket, including the requester, bucket name, request time, operation, key, HTTP status and error code. Anonymous requests appear with '-' in the requester field, so a REST.GET.OBJECT operation with requester '-' and a 200 status is a successful public read. Querying the logs with Amazon Athena and raising CloudWatch Events (now EventBridge) alerts on that pattern detects public reads and keeps a queryable history. Caveat: server access logs are delivered on a best-effort basis with some delay; where guaranteed, near-real-time capture of reads is required, CloudTrail S3 data events are the alternative.

Exam trap

The trap here is that candidates often confuse S3 event notifications (which cover object creation, removal, restore, replication and similar write-side events, never GetObject) with server access logs (which cover all operations including reads), leading them to choose Option D, which cannot detect read access at all.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (source and destination addresses, ports, protocol) but not S3 object-level operations such as GetObject; they cannot identify public reads of S3 objects. Option B is wrong because AWS Config rules can check for a public bucket policy (for example one that grants Principal '*') but evaluate static configuration only; they cannot detect actual read events. Option D is wrong because S3 event notifications (s3:ObjectCreated:*, s3:ObjectRemoved:* and related event types) do not include read events such as GetObject, so they cannot detect public read access.
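Worked detection example, added here and not part of the question bank: a parser for S3 server access log records that flags successful anonymous object reads (requester field '-', operation REST.GET.OBJECT, 2xx status) and counts blocked anonymous attempts. The log lines, bucket name, principals and IP addresses are constructed for the example; in practice the same predicate runs as an Athena query over the log prefix.

```python
import re
from collections import Counter

# The first 17 fields of an S3 server access log record, in order. Trailing fields
# (version id, host id, signature version, cipher, auth type, host header, TLS
# version, ...) are left unparsed, so the pattern is matched as a prefix.
ACCESS_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error_code>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround_time>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

def parse_record(line):
    """Return the named fields of one log line, or None if it does not parse."""
    match = ACCESS_LOG_RE.match(line)
    return match.groupdict() if match else None

def classify(record):
    """Label one parsed record.

    S3 writes '-' in the requester field for anonymous (unauthenticated) requests,
    so REST.GET.OBJECT with requester '-' and a 2xx status is a successful public
    read; the same with 403 is a blocked public read attempt worth counting.
    """
    if record["requester"] != "-" or record["operation"] != "REST.GET.OBJECT":
        return "authenticated_or_other"
    if record["status"].startswith("2"):
        return "public_read"
    if record["status"] == "403":
        return "blocked_anonymous_read"
    return "anonymous_other"

def find_public_reads(lines):
    """Return ([(key, remote_ip), ...] for successful anonymous reads, Counter of labels)."""
    reads, labels = [], Counter()
    for line in lines:
        record = parse_record(line)
        if record is None:
            labels["unparsed"] += 1
            continue
        label = classify(record)
        labels[label] += 1
        if label == "public_read":
            reads.append((record["key"], record["remote_ip"]))
    return reads, labels

# Constructed sample log: bucket, owner id, principals and addresses are made up.
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eaadb0c2bd5ec0e2a1b3f4a5"
SAMPLE_LOG = [
    # authenticated read by an IAM user: not public
    f'{OWNER} sensitive-data-bucket [12/Mar/2024:10:15:01 +0000] 198.51.100.7 '
    f'arn:aws:iam::111111111111:user/analyst 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv '
    f'"GET /reports/q1.csv HTTP/1.1" 200 - 2662 2662 70 69 "-" "aws-cli/2.15.0" - '
    f'c29tZSBob3N0IGlk SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    f'sensitive-data-bucket.s3.amazonaws.com TLSv1.2 -',
    # anonymous read that succeeded: this is the finding
    f'{OWNER} sensitive-data-bucket [12/Mar/2024:10:16:44 +0000] 203.0.113.42 - 8A4F5B1CEXAMPLE '
    f'REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 104857 '
    f'104857 120 118 "-" "curl/8.4.0" - aG9zdCBpZCAy - - - '
    f'sensitive-data-bucket.s3.amazonaws.com TLSv1.3 -',
    # anonymous read refused by the bucket policy: an attempt, not a leak
    f'{OWNER} sensitive-data-bucket [12/Mar/2024:10:17:02 +0000] 203.0.113.42 - 1D2E3F4AEXAMPLE '
    f'REST.GET.OBJECT customers/full.csv "GET /customers/full.csv HTTP/1.1" 403 AccessDenied '
    f'243 - 12 - "-" "curl/8.4.0" - aG9zdCBpZCAz - - - '
    f'sensitive-data-bucket.s3.amazonaws.com TLSv1.3 -',
    # authenticated upload: not a read at all
    f'{OWNER} sensitive-data-bucket [12/Mar/2024:10:18:30 +0000] 198.51.100.7 '
    f'arn:aws:iam::111111111111:role/etl-role 7B8C9D0EEXAMPLE REST.PUT.OBJECT reports/q2.csv '
    f'"PUT /reports/q2.csv HTTP/1.1" 200 - - 51234 45 30 "-" "aws-sdk-python/1.34.0" - '
    f'aG9zdCBpZCA0 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    f'sensitive-data-bucket.s3.amazonaws.com TLSv1.2 -',
]

if __name__ == "__main__":
    for key, ip in find_public_reads(SAMPLE_LOG)[0]:
        print(f"PUBLIC READ: {key} from {ip}")
```

The requester field is the whole signal: any authenticated request carries a principal ARN there, and a failed anonymous attempt still tells you someone is probing the bucket, so the counter of blocked attempts is worth alerting on as well.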

1114
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. They need to audit all KMS key usage for an S3 bucket. Which AWS service should be used to capture KMS Decrypt API calls?

A.Amazon S3 server access logs
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC

CloudTrail records all KMS API calls, including Decrypt, for auditing.

Why this answer

AWS CloudTrail captures API calls to AWS services, including KMS Decrypt. CloudTrail logs can be delivered to S3 for analysis. Option C is correct.

CloudWatch Logs can receive logs but does not directly capture KMS API calls; S3 server access logs do not include KMS decryption events; VPC Flow Logs capture network traffic, not API calls.

1115
MCQhard

A security team wants to grant a Lambda function access to read from a DynamoDB table in the same account. What is the most secure way to do this?

A.Create a VPC endpoint for DynamoDB and associate it with the Lambda function.
B.Attach the AWS managed policy AmazonDynamoDBFullAccess to the Lambda execution role.
C.Store the database access keys in the Lambda environment variables.
D.Create an IAM role with a policy that allows only the required DynamoDB actions (e.g., GetItem, Query) on the specific table and assign it to the Lambda function.
AnswerD

This follows least privilege and uses temporary credentials.

Why this answer

Option D is correct because the Lambda execution role follows least privilege: it grants only the actions the function needs (GetItem, Query) on the single table ARN, and Lambda obtains short-lived credentials for the role automatically, so nothing long-lived is stored anywhere. Option B is wrong because AmazonDynamoDBFullAccess grants every DynamoDB action on every table. Option C is wrong because long-lived access keys in environment variables are readable by anyone with lambda:GetFunctionConfiguration, are not rotated, and defeat the purpose of execution roles. Option A is wrong because a VPC endpoint controls the network path to DynamoDB; it does not grant IAM permissions (an endpoint policy can only further restrict them).

1116
MCQmedium

A company is designing a data protection strategy for its Amazon RDS for PostgreSQL database. The database contains sensitive customer data. Compliance requirements mandate that all backups be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

A.Create an encrypted read replica of the RDS instance and use the replica for backups.
B.Use S3 server-side encryption with a customer managed key for automated backups. Configure lifecycle policies to rotate the key.
C.Enable encryption at rest on the RDS instance using an AWS managed KMS key. The key will be rotated automatically every year.
D.Enable encryption at rest on the RDS instance using a customer managed KMS key. Enable automatic key rotation in KMS.
AnswerD

Customer managed KMS key allows you to enable automatic annual rotation.

Why this answer

Option D is correct because encryption at rest on an RDS instance uses a KMS key that also covers the instance's automated backups, read replicas and snapshots, which inherit the same key; enabling automatic key rotation on a customer managed key rotates the key material every year by default (the period is configurable between 90 and 2560 days), meeting the annual-rotation requirement while the retained older key material still decrypts existing backups. Option C is wrong because the AWS managed key (aws/rds) is also rotated yearly, but the customer cannot enable, disable, schedule or audit that rotation, and the requirement is for keys the compliance team controls. Option B is wrong because RDS automated backups are not stored in a customer-visible S3 bucket, and S3 lifecycle policies manage object storage classes and expiry, not KMS key rotation. Option A is wrong because an encrypted read replica does not encrypt the source instance or its automated backups; an encrypted replica cannot even be created from an unencrypted source.

1117
Multi-Selecthard

A company is using AWS KMS to encrypt data at rest. The security team needs to ensure that keys cannot be deleted before a retention period. Which THREE steps should be taken? (Choose three.)

Select 3 answers
A.Enable AWS CloudTrail to log key deletion events.
B.Set up Amazon CloudWatch alarms to notify on kms:ScheduleKeyDeletion events.
C.Create an IAM policy that denies kms:ScheduleKeyDeletion.
D.Enable automatic key rotation.
E.Schedule key deletion with a waiting period (e.g., 7 days).
AnswersA, B, E

CloudTrail provides audit logs to detect deletion attempts.

Why this answer

Options A, B and E are correct. Scheduling deletion rather than deleting outright imposes a mandatory waiting period of 7 to 30 days during which the key is in the Pending deletion state and the operation can be reversed with kms:CancelKeyDeletion; CloudTrail records every ScheduleKeyDeletion call; and a CloudWatch alarm (or EventBridge rule) on those events notifies the team in time to cancel. Option C is not one of the expected answers because an IAM Deny on kms:ScheduleKeyDeletion blocks deletion outright rather than enforcing a retention period, and it can be removed by anyone who can edit the policy. Option D is incorrect because automatic rotation creates new key material but does nothing to prevent deletion. In practice a preventive control, such as an SCP or key policy statement denying kms:ScheduleKeyDeletion outside a break-glass role, is layered on top of the detective controls in this question.
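Added example, not part of the original page: a scanner over CloudTrail records that answers both audit questions above, which KMS Decrypt calls were made against a given bucket's objects (question 1114, using the aws:s3:arn encryption context that S3 supplies for SSE-KMS) and which keys have a ScheduleKeyDeletion pending and when they will be deleted (question 1117). The records, key ARN, bucket and principals are constructed; field names follow the CloudTrail record format.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

def records_from_log(text):
    """CloudTrail delivers log files as {"Records": [...]}; return the list of events."""
    return json.loads(text)["Records"]

def _deletion_time(event):
    """ScheduleKeyDeletion: eventTime plus the pendingWindowInDays (7 to 30) the caller chose."""
    scheduled = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return scheduled + timedelta(days=int(event["requestParameters"]["pendingWindowInDays"]))

def scan_kms_events(records, bucket_arn):
    """Summarise the KMS events relevant to a bucket audit.

    decrypts_for_bucket: principal -> successful Decrypt calls whose encryption context
        names bucket_arn or an object in it (for SSE-KMS, S3 passes the object or bucket
        ARN as aws:s3:arn, which is what ties a Decrypt to a bucket);
    decrypt_failures:    principal -> Decrypt calls for that bucket that returned an error;
    scheduled_deletions: (key ARN, principal, UTC datetime at which the key is deleted).
    """
    summary = {"decrypts_for_bucket": Counter(), "decrypt_failures": Counter(), "scheduled_deletions": []}
    for event in records:
        if event.get("eventSource") != "kms.amazonaws.com":
            continue
        principal = event.get("userIdentity", {}).get("arn", "<unknown>")
        if event.get("eventName") == "Decrypt":
            context = (event.get("requestParameters") or {}).get("encryptionContext") or {}
            s3_arn = context.get("aws:s3:arn", "")
            if s3_arn == bucket_arn or s3_arn.startswith(bucket_arn + "/"):
                counter = "decrypt_failures" if "errorCode" in event else "decrypts_for_bucket"
                summary[counter][principal] += 1
        elif event.get("eventName") == "ScheduleKeyDeletion":
            summary["scheduled_deletions"].append(
                (event["resources"][0]["ARN"], principal, _deletion_time(event)))
    return summary

# Constructed sample records: account ID, key ID, bucket and principals are made up.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET_ARN = "arn:aws:s3:::sensitive-data-bucket"
ANALYST = "arn:aws:iam::111111111111:user/analyst"
INTRUDER = "arn:aws:iam::111111111111:role/compromised-role"
KMS_ADMIN = "arn:aws:iam::111111111111:role/kms-admin"

def _event(name, principal, time, request_parameters, error=None, invoked_by=None):
    identity = {"type": "AssumedRole", "arn": principal}
    if invoked_by:
        identity["invokedBy"] = invoked_by          # S3 calls KMS on the caller's behalf
    event = {"eventVersion": "1.08", "eventTime": time, "eventSource": "kms.amazonaws.com",
             "eventName": name, "awsRegion": "us-east-1", "userIdentity": identity,
             "requestParameters": request_parameters, "responseElements": None,
             "resources": [{"accountId": "111111111111", "type": "AWS::KMS::Key", "ARN": KEY_ARN}]}
    if error:
        event["errorCode"], event["errorMessage"] = error, "constructed error message"
    return event

def _decrypt(principal, s3_arn, time, error=None):
    params = {"encryptionAlgorithm": "SYMMETRIC_DEFAULT", "encryptionContext": {"aws:s3:arn": s3_arn}}
    return _event("Decrypt", principal, time, params, error, invoked_by="s3.amazonaws.com")

SAMPLE_LOG = json.dumps({"Records": [
    _decrypt(ANALYST, f"{BUCKET_ARN}/reports/q1.csv", "2024-03-12T10:15:01Z"),
    _decrypt(ANALYST, f"{BUCKET_ARN}/reports/q2.csv", "2024-03-12T10:15:09Z"),
    _decrypt(ANALYST, "arn:aws:s3:::other-bucket/notes.txt", "2024-03-12T10:16:00Z"),  # other bucket
    _decrypt(INTRUDER, f"{BUCKET_ARN}/customers/export.csv", "2024-03-12T10:17:30Z", "AccessDenied"),
    _event("ScheduleKeyDeletion", KMS_ADMIN, "2024-03-12T10:20:00Z",
           {"keyId": KEY_ARN, "pendingWindowInDays": 7}),
    {"eventVersion": "1.08", "eventTime": "2024-03-12T10:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": ANALYST}},                       # ignored
]})

if __name__ == "__main__":
    result = scan_kms_events(records_from_log(SAMPLE_LOG), BUCKET_ARN)
    for key_arn, who, when in result["scheduled_deletions"]:
        print(f"{key_arn} scheduled for deletion by {who}, gone at {when.isoformat()}")
```

The failed Decrypt by the compromised role is kept in its own counter: a key policy or grant that refuses a principal is the control working, and a burst of such failures is the signal to investigate before the attacker finds a principal that succeeds.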

1118
MCQhard

A company wants to enforce that all S3 buckets are encrypted with SSE-KMS. Which AWS service can be used to automatically remediate non-compliant buckets?

A.AWS CloudTrail with CloudWatch Events
B.AWS Service Catalog
C.AWS Config with auto-remediation
D.AWS Organizations
AnswerC

Config can remediate non-compliant resources automatically.

Why this answer

AWS Config with auto-remediation can enforce that all S3 buckets are encrypted with SSE-KMS. You create an AWS Config rule (e.g., s3-bucket-server-side-encryption-enabled) that evaluates bucket encryption settings, and attach an AWS Systems Manager Automation document (e.g., AWS-EnableS3BucketEncryption) as a remediation action. When a non-compliant bucket is detected, AWS Config automatically triggers the remediation action to enable SSE-KMS encryption on that bucket.

Exam trap

The trap here is that candidates may confuse AWS Config's evaluation and remediation capabilities with CloudTrail's logging and event-driven actions, assuming CloudTrail with CloudWatch Events can fix non-compliance on its own; it cannot without custom code, whereas AWS Config provides native, automated remediation through managed rules and Systems Manager Automation documents.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail with CloudWatch Events can detect API calls (like creating an unencrypted bucket) and trigger a notification or a Lambda function, but it does not provide native auto-remediation; you would need custom code to enforce encryption, making it less direct and not an automatic remediation service. Option B is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured S3 buckets with SSE-KMS), but it does not monitor or remediate existing non-compliant buckets; it only governs new resources provisioned through the catalog. Option D is wrong because AWS Organizations provides centralized policy management (e.g., Service Control Policies) to restrict actions like creating unencrypted buckets, but it cannot automatically remediate already non-compliant buckets; it only prevents future violations.

1119
MCQhard

A security engineer notices that an IAM role for an EC2 instance has a policy that allows s3:PutObject on a bucket. However, the application reports access denied when trying to upload. The bucket policy does not explicitly deny access. What is a likely cause?

A.The bucket policy denies access
B.The instance profile is not attached to the EC2 instance
C.The role's policy does not include s3:PutObject
D.The policy condition key does not match the request context
AnswerD

An Allow whose condition is not met never matches, so the request ends in an implicit deny.

Why this answer

Option D is correct. IAM applies a statement only when its Action, Resource and every Condition match the request context. If the role's Allow for s3:PutObject carries a condition (for example StringEquals on s3:x-amz-server-side-encryption, or a bucket policy condition on aws:SourceVpce) and the application's upload does not supply the matching value, no Allow applies and the default result is an implicit deny, which the SDK reports as AccessDenied. Option A contradicts the question, which states that the bucket policy does not explicitly deny access. Option C also contradicts the question, which states that the role's policy allows s3:PutObject. Option B is wrong because an instance with no instance profile has no AWS credentials at all and fails with a credentials error rather than AccessDenied. When debugging, compare the statement's condition keys with the actual request context (CloudTrail's requestParameters for the failed call, or the IAM policy simulator).
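Added example, not code from the page: a small model of the IAM evaluation order that reproduces two scenarios from this set, the cross-account read of question 1102 (both the identity policy and the bucket policy must Allow) and the access-denied upload of question 1119 (an Allow whose condition is not met contributes nothing, and an explicit Deny beats every Allow). It implements only the subset of the policy language those cases need, StringEquals/StringNotEquals conditions and wildcard matching on Action and Resource; the bucket name, account IDs and principals are made up.

```python
import fnmatch

EXPLICIT_DENY = ("DENY", "explicit deny")
IMPLICIT_DENY = ("DENY", "implicit deny: no matching Allow")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions_met(conditions, context):
    """StringEquals / StringNotEquals only. A key missing from the request context
    never satisfies StringEquals, which is how an Allow with an unmet condition
    ends up as an implicit deny."""
    for operator, block in (conditions or {}).items():
        for key, expected in block.items():
            actual, expected = context.get(key), [str(v) for v in _as_list(expected)]
            if operator == "StringEquals" and (actual is None or str(actual) not in expected):
                return False
            if operator == "StringNotEquals" and actual is not None and str(actual) in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def _principal_matches(statement, principal_arn):
    """Resource policies name a Principal; 'arn:aws:iam::<account>:root' covers the whole account."""
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    account = principal_arn.split(":")[4]
    return any(entry in ("*", principal_arn) or (entry.endswith(":root") and entry.split(":")[4] == account)
               for entry in _as_list(principal.get("AWS", [])))

def _matching_effects(policy, action, resource, context, principal_arn=None):
    """Effects of the statements whose Principal, Action, Resource and Condition all match."""
    effects = []
    for stmt in _as_list(policy.get("Statement", [])):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if _conditions_met(stmt.get("Condition"), context):
            effects.append(stmt["Effect"])
    return effects

def evaluate(action, resource, principal_arn, resource_account, identity_policies,
             resource_policy=None, context=None):
    """IAM evaluation order, returned as (decision, reason):
    1. a matching explicit Deny in either policy type wins;
    2. same account: an Allow in the identity policies OR the resource policy suffices;
    3. cross-account: the identity policy AND the resource policy must both Allow;
    4. otherwise implicit deny."""
    context = context or {}
    identity_effects = [e for p in identity_policies for e in _matching_effects(p, action, resource, context)]
    resource_effects = (_matching_effects(resource_policy, action, resource, context, principal_arn)
                        if resource_policy else [])
    if "Deny" in identity_effects or "Deny" in resource_effects:
        return EXPLICIT_DENY
    identity_allows, resource_allows = "Allow" in identity_effects, "Allow" in resource_effects
    if principal_arn.split(":")[4] == resource_account:
        return ("ALLOW", "same-account Allow") if identity_allows or resource_allows else IMPLICIT_DENY
    if identity_allows and resource_allows:
        return ("ALLOW", "cross-account: identity policy and bucket policy both Allow")
    if identity_allows or resource_allows:
        return ("DENY", "cross-account: only one side grants access")
    return IMPLICIT_DENY

# Constructed sample policies; bucket name, account IDs and principals are made up.
BUCKET = "arn:aws:s3:::example-data-bucket"
ACCOUNT_A = "111111111111"                          # bucket owner
USER_B = "arn:aws:iam::222222222222:user/analyst"   # cross-account principal (question 1102)
ROLE_A = "arn:aws:iam::111111111111:role/app-role"  # same-account EC2 role (question 1119)
READ_OBJECTS = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}
BUCKET_GRANT_TO_B = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_B},
                                    "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}
PUT_WITH_KMS = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
                               "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
DENY_ALL_PUTS = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                                "Resource": f"{BUCKET}/*"}]}

def cross_account_cases():
    """Question 1102: a cross-account read needs both the identity policy and the bucket policy."""
    obj = f"{BUCKET}/report.csv"
    return {"both": evaluate("s3:GetObject", obj, USER_B, ACCOUNT_A, [READ_OBJECTS], BUCKET_GRANT_TO_B),
            "identity_only": evaluate("s3:GetObject", obj, USER_B, ACCOUNT_A, [READ_OBJECTS]),
            "bucket_only": evaluate("s3:GetObject", obj, USER_B, ACCOUNT_A, [], BUCKET_GRANT_TO_B)}

def condition_cases():
    """Question 1119: an unmet condition leaves an implicit deny; an explicit Deny beats any Allow."""
    obj, kms = f"{BUCKET}/upload.bin", {"s3:x-amz-server-side-encryption": "aws:kms"}
    return {"no_header": evaluate("s3:PutObject", obj, ROLE_A, ACCOUNT_A, [PUT_WITH_KMS]),
            "kms_header": evaluate("s3:PutObject", obj, ROLE_A, ACCOUNT_A, [PUT_WITH_KMS], context=kms),
            "explicit_deny": evaluate("s3:PutObject", obj, ROLE_A, ACCOUNT_A, [PUT_WITH_KMS], DENY_ALL_PUTS, kms)}
```

The reason string is the useful part when debugging an AccessDenied: "implicit deny" points you at the conditions and resource ARNs of the Allow statements, while "explicit deny" tells you to search for a Deny (bucket policy, SCP, permissions boundary) rather than to add more permissions.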

1120
MCQmedium

A security engineer needs to ensure that an IAM role can only be assumed by a specific EC2 instance. The instance has a tag 'Environment=Production'. Which condition key should be used in the trust policy of the role?

A.aws:SourceArn
B.aws:UserAgent
C.aws:SourceAccount
D.ec2:ResourceTag
AnswerD

The condition 'ec2:ResourceTag' can be used to check tags on the EC2 instance.

Why this answer

Option D is the intended answer: ec2:ResourceTag/<tag-key> is the condition key that evaluates tags on an EC2 resource, so it is the only option that can express 'Environment=Production'. Option A is wrong because aws:SourceArn identifies the resource on whose behalf an AWS service (Lambda, SNS, S3) is calling and is used to prevent the confused-deputy problem in service trust policies. Option C is wrong because aws:SourceAccount identifies that account, not an instance. Option B is wrong because aws:UserAgent is a client-supplied header that is trivially spoofed and must never be used for an access-control decision. Caveat for practitioners: the EC2 service itself assumes an instance's role (the trust policy names ec2.amazonaws.com), and ec2:ResourceTag is present only in the context of EC2 API calls; to pin permissions to particular instances in practice, condition the role's permissions policies on ec2:SourceInstanceARN, or use aws:PrincipalTag when the role is assumed with session tags.

1121
MCQhard

A financial services company stores sensitive customer data in Amazon RDS for MySQL. The compliance team mandates that all database backups must be encrypted at rest. The current configuration uses a customer managed KMS key for encryption. However, during a recent audit, it was discovered that some automated backups are not encrypted. What is the MOST likely cause?

A.The KMS key used for encryption was disabled during the backup window.
B.The automated backups are stored in an unencrypted S3 bucket.
C.The automated backup encryption setting was turned off separately.
D.The DB instance was created without enabling encryption at rest.
AnswerD

If the DB instance is not encrypted, automated backups are not encrypted.

Why this answer

Option D is correct because automated backups and snapshots inherit the encryption setting and KMS key of the DB instance; an instance created without encryption at rest cannot have encrypted automated backups, and encryption cannot be switched on for an existing instance (you take a snapshot, copy it with encryption enabled, and restore a new instance from the copy). Option B is wrong because RDS automated backups are not kept in a customer-managed S3 bucket; they are encrypted with the instance's KMS key whenever the instance is encrypted. Option C is wrong because RDS has no separate backup-encryption toggle. Option A is wrong because disabling the KMS key does not produce unencrypted backups; it makes the encrypted instance and its backups unusable until the key is re-enabled.

1122
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted with AWS KMS keys. What is the MOST effective way to enforce this requirement?

A.Use AWS CloudTrail to log all bucket creation events and alert the security team.
B.Create an IAM role in each account that denies s3:PutBucketEncryption if encryption is not set.
C.Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to encrypt them.
D.Create a service control policy (SCP) that denies any S3 bucket creation or modification without encryption enabled.
AnswerD

SCPs can be applied to OUs to enforce encryption across all accounts.

Why this answer

Option D is correct because an SCP attached to the organization root (or the relevant OUs) is evaluated for every IAM principal in every member account, administrators included, so it is the one control that prevents the violation everywhere. The usual form denies s3:PutObject unless the s3:x-amz-server-side-encryption condition key equals aws:kms and denies s3:PutEncryptionConfiguration calls that do not set SSE-KMS; since S3 applies SSE-S3 by default to every bucket, the SCP's job is specifically to require KMS. Option B is wrong because an IAM policy must be created and maintained in each account separately and can be altered by that account's administrators (and the action named, s3:PutBucketEncryption, does not exist; the IAM action for the PutBucketEncryption API is s3:PutEncryptionConfiguration). Option C is wrong because Config rules detect and remediate after the fact; they do not prevent a non-compliant bucket from being created. Option A is wrong because CloudTrail records events and enforces nothing.

1123
MCQhard

A security engineer is investigating a potential data exfiltration incident. The engineer has enabled VPC Flow Logs for the VPC and CloudTrail for the account. Which combination of actions would provide the most comprehensive visibility into network traffic and API calls?

A.Enable VPC Flow Logs to capture network traffic and use CloudTrail to capture API calls. Correlate both logs for a complete view.
B.Use AWS Config to track resource changes and CloudTrail to detect network anomalies.
C.Analyze CloudTrail logs to identify API calls and correlate with VPC Flow Logs for network traffic.
D.Use VPC Flow Logs to identify API calls and network traffic.
AnswerA

Both services together provide comprehensive visibility.

Why this answer

Option A is correct because the two sources are complementary: VPC Flow Logs record network-level metadata (source and destination addresses, ports, protocol, bytes, accept or reject) and CloudTrail records who called which API, when and from which address; correlating them, for example by the instance's private IP, the role session's sourceIPAddress and the time window, shows both the control-plane actions and the data movement. Option C restates the same pairing but treats CloudTrail as the primary source; Option A, which enables and correlates both, is the complete answer as written.

Option D is wrong because VPC Flow Logs never capture API calls. Option B is wrong because AWS Config records resource configuration changes, not network anomalies or API calls.

1124
MCQeasy

A security engineer is configuring a new VPC with public and private subnets. The application servers in the private subnet need to download patches from the internet. Which component is required?

A.VPC endpoint
B.Direct Connect
C.Internet gateway
D.NAT gateway
AnswerD

A NAT gateway in a public subnet enables outbound internet access for private subnet instances.

Why this answer

A NAT gateway or NAT instance in a public subnet allows instances in private subnets to initiate outbound traffic to the internet and receive responses. Internet gateway alone is for public subnets. VPC endpoints are for specific services, not general internet access.

1125
MCQhard

A financial services company uses AWS Organizations with over 100 accounts. The security team uses AWS CloudTrail to log all API calls to a central S3 bucket in the security account. The bucket policy enables cross-account log delivery from all member accounts. The team notices that some API calls from a specific member account are not appearing in the central bucket. The CloudTrail trail in that member account is configured to deliver logs to the central bucket. The IAM role used by CloudTrail in the member account has permissions to write to the central bucket. The security team has verified that the bucket policy allows the member account to write. What is the MOST likely cause of the missing logs?

A.The S3 bucket policy in the central bucket exceeds the size limit, causing write failures for some accounts.
B.The CloudTrail trail in the member account is not a multi-region trail.
C.The member account has not enabled CloudTrail logging for the specific region.
D.A service control policy (SCP) is denying the CloudTrail service in the member account from writing to the central bucket.
AnswerA

Bucket policies are limited to 20 KB; one statement per account for 100+ accounts exceeds it, so the newest accounts never get a grant.

Why this answer

An S3 bucket policy may not exceed 20 KB (20,480 bytes). A PutBucketPolicy call that would push the document past that limit is rejected, so when the team adds a per-account Allow statement for each new member account, the update for the latest account fails and that account's CloudTrail delivery is refused with AccessDenied, even though the trail itself is configured correctly. With over 100 accounts and a statement of a few hundred bytes each, the policy crosses the limit well before the last account is added. The fix is to replace the per-account statements with one statement scoped to the organization's log prefix (Resource arn:aws:s3:::central-bucket/AWSLogs/<organization-id>/*, which is where an organization trail writes member-account logs), or to switch to an organization trail, which needs only the management account and organization prefixes in the bucket policy.

Exam trap

The trap here is that candidates often overlook the S3 bucket policy size limit and instead focus on trail configuration or SCPs, assuming missing logs are due to misconfigured trails or permission denials, rather than a resource limit on the policy itself.

How to eliminate wrong answers

Option B is wrong because a multi-region trail is not required for cross-account delivery; a single-region trail delivers the events from its own region to the central bucket (events from other regions would then be missing, which is a different symptom from one account missing entirely). Option C is wrong because the question states that the trail in the member account is configured to deliver logs to the central bucket, so logging is enabled; a region-specific setting does not explain a whole account's logs being absent. Option D is wrong because SCPs apply to IAM users and roles in member accounts, not to AWS service principals; CloudTrail writes to the bucket as the cloudtrail.amazonaws.com service principal authorized by the bucket policy, so an SCP in the member account cannot block the delivery. (Contrary to the question's wording, CloudTrail does not use an IAM role in the member account to write to S3; the central bucket's policy is the only authorization that matters, which is exactly why its size limit is the culprit.)
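Added example, not from the original page: a check for the 20 KB bucket policy limit discussed above. It builds the per-account grant pattern for a constructed list of member accounts, finds the first account whose statement no longer fits, and shows the constant-size alternative that scopes one statement to the organization's log prefix (AWSLogs/<org-id>/*, the prefix an organization trail writes under). Bucket name, account IDs and organization ID are made up.

```python
import json

BUCKET_POLICY_LIMIT_BYTES = 20 * 1024   # S3 rejects PutBucketPolicy documents larger than 20 KB

def _put_statement(bucket, prefix_owner):
    """Allow CloudTrail to write under AWSLogs/<account-or-org-id>/ with the ACL CloudTrail sets."""
    return {
        "Sid": f"CloudTrailWrite{prefix_owner}",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{prefix_owner}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }

def _acl_statement(bucket):
    """CloudTrail checks the bucket ACL before delivering; this statement is needed once."""
    return {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"}

def per_account_policy(bucket, account_ids):
    """The pattern that grows without bound: one PutObject statement per member account."""
    return {"Version": "2012-10-17",
            "Statement": [_acl_statement(bucket)] + [_put_statement(bucket, a) for a in account_ids]}

def organization_policy(bucket, management_account_id, org_id):
    """Constant-size alternative: an organization trail writes member logs under
    AWSLogs/<org-id>/<account-id>/..., so one statement covers every current and future account."""
    return {"Version": "2012-10-17",
            "Statement": [_acl_statement(bucket),
                          _put_statement(bucket, management_account_id),
                          _put_statement(bucket, org_id)]}

def policy_size(policy):
    """Bytes of the policy document as it would be submitted to PutBucketPolicy."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def fits(policy):
    return policy_size(policy) <= BUCKET_POLICY_LIMIT_BYTES

def first_account_that_overflows(bucket, account_ids):
    """0-based index of the first account whose statement pushes the policy past the limit, or None.
    Every account from that index on never gets a grant, and its CloudTrail delivery fails."""
    for count in range(1, len(account_ids) + 1):
        if not fits(per_account_policy(bucket, account_ids[:count])):
            return count - 1
    return None

def sample_accounts(count):
    """Constructed 12-digit account IDs for the demonstration."""
    return [f"{100000000000 + i:012d}" for i in range(count)]

if __name__ == "__main__":
    bucket, accounts = "central-cloudtrail-logs", sample_accounts(120)
    print("per-account policy bytes:", policy_size(per_account_policy(bucket, accounts)))
    print("first account left without a grant (index):", first_account_that_overflows(bucket, accounts))
    print("organization-scoped policy bytes:", policy_size(organization_policy(bucket, accounts[0], "o-exampleorgid")))
```

Run it and the per-account document comes out well above the limit for 120 accounts, while the organization-scoped document stays under a kilobyte regardless of how many accounts join later; the same measurement belongs in the pipeline that generates the bucket policy, failing the deploy before S3 does.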
