AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 11261200

1738 questions total · 24pages · All types, answers revealed

Page 15

Page 16 of 24

Page 17
1126
MCQhard

A company uses AWS Secrets Manager to rotate secrets for its RDS database. The rotation fails periodically, and the security team needs to troubleshoot. Which CloudWatch metric should be monitored to detect rotation failures?

A.AWS/KMS: KeyUsage
B.AWS/SecretsManager: SecretRotationSucceeded
C.AWS/Lambda: Invocations
D.AWS/RDS: DatabaseConnections
AnswerB

This metric indicates rotation success or failure.

Why this answer

Option C is correct because Secrets Manager publishes CloudWatch metrics for rotation success and failure. Option A is incorrect because KMS key usage metrics are not specific to rotation. Option B is incorrect because Lambda function invocations may not capture all failures.

Option D is incorrect because RDS metrics do not include Secrets Manager rotation status.

1127
MCQmedium

Refer to the exhibit. A security analyst is reviewing a VPC Flow Log entry. The analyst wants to determine if this flow represents a potentially malicious RDP connection. Based on the log, which conclusion is most accurate?

A.The connection is normal HTTPS traffic destined for the instance.
B.The connection was blocked by the security group.
C.The connection represents outbound traffic from the instance.
D.The connection is likely an RDP connection disguised to evade detection.
AnswerD

Using port 443 as source for RDP is suspicious.

Why this answer

The log shows source port 443 (HTTPS) and destination port 3389 (RDP) from a public IP to a private IP. The use of port 443 as source for RDP is unusual and could indicate an attempt to disguise RDP traffic as HTTPS. Option A is wrong because port 443 is source, not destination.

Option B is wrong because the traffic is from public to private, not outbound. Option D is wrong because the log shows ACCEPT, meaning traffic was allowed.

1128
MCQmedium

A healthcare company stores sensitive patient data in Amazon S3. The security team has implemented a data protection strategy that includes S3 default encryption using SSE-KMS with a customer managed key. They also use S3 Object Lock to prevent deletion. Recently, an administrator accidentally deleted the KMS key used for encryption. As a result, all objects in the bucket are now inaccessible. The company has a backup of the key material but does not have the original key ID. Which action should the team take to restore access to the data?

A.Use the backup key material directly in an application to decrypt objects without KMS.
B.Import the key material into a new KMS key and re-encrypt all objects using S3 Batch Operations.
C.Create a new KMS key with the same key ID using the backup material.
D.Restore the deleted KMS key from the CloudHSM backup.
AnswerB

You can create a new key and re-encrypt objects, but you need the original key material to decrypt first.

Why this answer

Option C is correct because importing the same key material into a new KMS key with the same key ID is possible if the original key was created with imported key material. However, KMS does not allow you to recreate a key with a specific key ID; you must create a new key and re-encrypt the data. Option A is wrong because you cannot restore a deleted KMS key after the waiting period if it was deleted; you must have disabled it first.

Option B is wrong because you cannot create a key with a specific key ID. Option D is wrong because you need the same key to decrypt; a new key cannot decrypt old data unless re-encryption is done.

1129
MCQeasy

A company has a single AWS account with multiple IAM users. The administrator created an IAM policy that allows all users to launch EC2 instances, but only if they use a specific AMI ID (ami-12345678) and a specific instance type (t3.micro). The policy uses a condition that checks the EC2 instance type and AMI ID. However, a user is able to launch an EC2 instance with a different AMI ID and a larger instance type. The administrator reviews the policy and confirms that the condition is correctly written. What is the most likely reason that the policy is not working as expected?

A.The condition keys used (ec2:InstanceType and ec2:ImageId) are not supported for the RunInstances action in IAM policies.
B.The policy is attached to the user but must also be attached to the IAM group.
C.The policy does not include an explicit deny statement for non-compliant launches.
D.The condition is written incorrectly; it should use StringLike instead of StringEquals.
AnswerA

These condition keys are not supported for RunInstances; they are only available for certain resource-level permissions like DescribeInstances.

Why this answer

Option A is correct because the `ec2:InstanceType` and `ec2:ImageId` condition keys are not supported for the `ec2:RunInstances` action in IAM policies. AWS IAM condition keys for EC2 are action-specific, and for RunInstances, only certain keys like `ec2:InstanceType` and `ec2:ImageId` are actually supported in the request context. However, the key detail is that `ec2:ImageId` is not a valid condition key for RunInstances; the correct key is `ec2:ImageId` is not listed in the AWS documentation for RunInstances, meaning the condition is silently ignored, allowing any AMI and instance type.

Exam trap

The trap here is that candidates assume all EC2 request parameters (like AMI ID) are automatically available as IAM condition keys, but AWS only documents specific condition keys per action, and using an unsupported key causes the condition to be ignored rather than denying the request.

How to eliminate wrong answers

Option B is wrong because attaching a policy to an IAM group is not required for it to take effect; policies attached directly to a user are fully evaluated and do not need group attachment to work. Option C is wrong because an explicit deny statement is not needed; IAM policies are deny-by-default, so an allow with a condition that fails results in an implicit deny, but the condition keys are unsupported, so the condition is ignored and the allow applies broadly. Option D is wrong because the condition key issue is not about the operator (StringEquals vs StringLike); even if StringLike were used, the unsupported condition keys would still be ignored, so the policy would still not restrict the launch.

1130
MCQhard

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket via a VPC endpoint. The bucket policy allows access only from the VPC endpoint. The instance has an IAM role that grants s3:GetObject on the bucket. The EC2 instance receives an AccessDenied error. What is the most likely cause?

A.The IAM role does not have sufficient permissions.
B.The bucket policy does not include the aws:SourceVpce condition.
C.The VPC endpoint policy is blocking the request.
D.The EC2 instance's security group does not allow outbound traffic to S3.
AnswerB

Without this condition, the bucket policy that restricts to VPC endpoint may not match the request, causing AccessDenied.

Why this answer

When using a VPC endpoint, the S3 bucket policy must include the condition aws:SourceVpce to allow access from the specific endpoint. If the condition is missing or incorrect, access is denied even if the IAM role allows it. Option C is correct.

The IAM role being incorrect would cause a different error; the endpoint policy might override but the bucket policy is the primary issue; the security group might block network access but the error is AccessDenied from S3, not network timeout.

1131
MCQhard

A security engineer is designing a solution to protect sensitive data in an Amazon RDS for MySQL database. The data must be encrypted at rest using a key stored in AWS KMS. Additionally, the database must support automated backups and cross-region disaster recovery. Which architecture meets these requirements?

A.Launch an unencrypted RDS instance, then use AWS DMS to replicate data to an encrypted instance in another region.
B.Launch an unencrypted RDS instance, then enable encryption using the AWS Console after creation.
C.Launch an encrypted RDS instance using the default KMS key, then export the database to S3 and copy to another region.
D.Launch an encrypted RDS instance using a customer-managed KMS key. Enable automated backups and create a cross-region read replica.
AnswerD

Encrypted RDS supports encrypted backups and cross-region replicas.

Why this answer

Option B is correct because enabling encryption at rest for RDS automatically encrypts snapshots and backups, and cross-region read replicas can be created from an encrypted source. Option A is wrong because encrypting after creation is not directly supported; you would need to create a new encrypted instance. Option C is wrong because RDS does not support different KMS keys for the replica; it must use the same key or a replica key in the destination region.

Option D is wrong because enabling encryption after creation is not supported without creating a new instance.

1132
MCQmedium

A company has a requirement to retain CloudTrail logs for 7 years for compliance. They currently store logs in an S3 bucket with standard storage. The security team wants to minimize storage costs while meeting the retention requirement. The logs must be available for retrieval within 24 hours of a request. Which storage class should the team use for the logs after the first 30 days?

A.S3 Glacier Flexible Retrieval
B.S3 One Zone-IA
C.S3 Standard-IA
D.S3 Glacier Deep Archive
AnswerD

Deep Archive offers lowest cost with retrieval time up to 12 hours, meeting the requirement.

Why this answer

Option B is correct because Glacier Deep Archive is the lowest cost for long-term archival with retrieval times up to 12 hours, which meets the 24-hour requirement. Option A is wrong because Standard-IA is more expensive than Deep Archive. Option C is wrong because Glacier Flexible Retrieval has retrieval times of minutes to hours, but Deep Archive is cheaper.

Option D is wrong because One Zone-IA is not durable enough for compliance data.

1133
MCQmedium

Refer to the exhibit. This is an S3 bucket policy. The CrossAccountRole in account 111111111111 has an IAM policy that allows s3:GetObject on 'my-bucket'. A user in account 111111111111 assumes the role and tries to get an object. What will happen?

A.Access is allowed because the bucket policy allows access to the role
B.Access is denied because the IAM policy does not grant access to the bucket
C.Access is allowed because both the bucket policy and the IAM policy allow
D.Access is denied because the bucket policy does not grant access to the user
AnswerA, C

Actually both policies allow, so it is allowed.

Why this answer

Option A is correct because both the bucket policy and the IAM policy allow access, and there is no explicit deny. Option B is incorrect because the bucket policy grants access to the role. Option C is incorrect because both policies allow.

Option D is incorrect because the bucket policy is valid.

1134
MCQhard

A company runs a multi-tier web application on AWS. The web tier uses an Application Load Balancer (ALB) in a public subnet, and the application tier runs on EC2 instances in private subnets. The security team recently ran a vulnerability scan and found that the application instances are accessible from the internet on port 8080. The EC2 instances have a security group that allows inbound traffic on port 8080 from the ALB's security group only. However, the ALB's security group allows inbound traffic on port 8080 from 0.0.0.0/0. The architecture also includes a NAT Gateway for outbound internet access from private subnets. The security engineer needs to ensure that only the ALB can communicate with the application instances on port 8080, and that the application instances cannot be directly accessed from the internet. What should the security engineer do?

A.Change the EC2 instance security group to allow inbound traffic on port 8080 from 0.0.0.0/0, and rely on the subnet network ACL to block traffic.
B.Add a rule to the EC2 security group that denies inbound traffic from 0.0.0.0/0 on port 8080.
C.Modify the ALB security group to remove the inbound rule for port 8080 from 0.0.0.0/0, and configure the ALB listener to forward traffic from port 80/443 to port 8080 on the target group.
D.Place the EC2 instances in a public subnet and use a network ACL to block inbound traffic on port 8080 from the internet.
AnswerC

This correctly restricts internet access to the ALB on standard ports and allows the ALB to forward to port 8080.

Why this answer

The ALB's security group should not allow inbound from 0.0.0.0/0 on the application port. Instead, the ALB should listen on port 80/443 from the internet and forward to port 8080 on the instances. The ALB security group rule should be removed, and the listener should be configured on standard ports.

The EC2 security group is already correct.

1135
Multi-Selecthard

A security team wants to detect and alert on suspicious network traffic patterns within their VPC. They need to capture traffic to and from an EC2 instance for analysis. Which THREE services should be used together to achieve this? (Choose three.)

Select 3 answers
A.AWS Network Firewall
B.Network Load Balancer
C.Amazon Detective
D.AWS WAF
E.VPC Traffic Mirroring
AnswersB, C, E

Distributes mirrored traffic to security appliances for analysis.

Why this answer

VPC Traffic Mirroring captures network traffic, which can be sent to a Network Load Balancer for distribution to security appliances, and then analyzed by Amazon Detective. Options A, B, and D are correct. Option C is wrong because AWS Network Firewall is for filtering, not capture.

Option E is wrong because AWS WAF is for web traffic filtering.

1136
MCQmedium

A security engineer is troubleshooting an IAM policy that is not working as expected. The policy allows ec2:StartInstances and ec2:StopInstances but the user gets an access denied error when trying to stop an instance. What is the most likely cause?

A.A service control policy is denying the action.
B.The user does not have permission to call ec2:DescribeInstances.
C.The policy does not allow stopping instances in all regions.
D.There is an explicit deny statement in the policy.
AnswerB

The console calls describe before performing actions.

Why this answer

Option D is correct because if the user does not have ec2:DescribeInstances, the AWS Management Console may show an error. Option A is wrong because the policy allows stop. Option B is wrong because if there were an explicit deny, it would be separate.

Option C is wrong because SCPs are at the OU level, not account.

1137
MCQhard

A company has a CloudTrail trail that logs management events for all regions in the management account. They want to also log data events for all S3 buckets in the organization. Which configuration change will meet this requirement with the LEAST operational overhead?

A.Use Amazon EventBridge to capture S3 events and forward them to CloudTrail.
B.Enable S3 server access logs for all buckets and aggregate them using Athena.
C.Create a new trail in each member account to log S3 data events and deliver to a central S3 bucket.
D.Modify the existing trail to add an event selector for S3 data events with a scope of all buckets.
AnswerD

Organization trails can log data events for all S3 buckets across the organization with a single configuration.

Why this answer

Option C is correct because a single organization trail can log data events for all S3 buckets across all accounts in the organization. Option A is wrong because creating a new trail in each member account adds overhead. Option B is wrong because CloudTrail supports data events for S3 buckets without needing an event selector per bucket; you can select all buckets.

Option D is wrong because CloudWatch Events is not needed; CloudTrail is the correct service.

1138
MCQhard

A company runs a critical application on Amazon EC2 instances that store sensitive data on EBS volumes. The security team has enabled EBS encryption by default for the region. However, after a recent security audit, it was discovered that some EBS volumes are not encrypted. The team finds that these volumes were created before the default encryption setting was enabled. The company's security policy mandates that all EBS volumes must be encrypted at rest, and the process must minimize downtime. The application cannot tolerate more than 5 minutes of downtime. The EC2 instances are running production workloads. What should the security engineer do to remediate the unencrypted volumes?

A.Enable encryption on the existing EBS volumes directly from the console
B.Create a new encrypted EBS volume, detach the unencrypted volume, and attach the new encrypted volume to the instance. Then copy data from a backup.
C.Stop the instance, create an encrypted snapshot of the unencrypted volume, restore a new encrypted volume from the snapshot, and start the instance
D.Launch a new EC2 instance with an encrypted EBS volume, migrate the application to the new instance, and terminate the old instance
AnswerB

Correct: This minimizes downtime and achieves encryption.

Why this answer

Option B is correct because it allows creating a new encrypted volume and attaching it to the instance without significant downtime (a few minutes for detachment/attachment). Option A is wrong because enabling encryption on an existing volume is not supported. Option C is wrong because stopping the instance and creating an encrypted snapshot/volume would cause more downtime (stop/start).

Option D is wrong because migrating to a new instance would require additional setup and likely more downtime.

1139
MCQmedium

A company needs to audit all changes to IAM policies in its AWS account. Which AWS service should be used to record the change history of IAM policies?

A.Amazon CloudWatch Logs
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Config
AnswerC

Correct: CloudTrail records all API calls, including IAM policy changes.

Why this answer

Option A is correct because AWS CloudTrail records API calls, including IAM policy changes (CreatePolicy, PutPolicy, etc.). Option B is wrong because AWS Config records resource configurations but not the full history of each change. Option C is wrong because Amazon GuardDuty does not log changes.

Option D is wrong because AWS CloudWatch Logs stores logs but does not automatically capture IAM changes.

1140
Multi-Selectmedium

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security engineer needs to protect the application from common web exploits such as SQL injection and cross-site scripting. Which TWO services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS Shield Advanced
C.Network ACLs
D.AWS WAF
E.Amazon CloudFront
AnswersB, D

Shield Advanced provides advanced DDoS protection and integrates with WAF.

Why this answer

Option A and D are correct. AWS WAF can be associated with ALB to filter web requests. AWS Shield Advanced provides enhanced protection against DDoS attacks.

Option B is wrong because CloudFront itself does not provide WAF rules. Option C is wrong because NACLs are not designed for web application layer filtering. Option E is wrong because GuardDuty is for threat detection, not inline prevention.

1141
MCQeasy

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which AWS service or feature should be used to achieve this?

A.AWS Key Management Service (KMS)
B.Amazon S3 server-side encryption
C.RDS encryption feature
D.SSL/TLS certificates
AnswerA

KMS provides encryption keys for RDS encryption.

Why this answer

Option A is correct. AWS KMS is used to manage encryption keys for RDS encryption at rest. Option B (SSL/TLS) is for data in transit.

Option C (RDS encryption) is a feature but uses KMS. Option D (S3 server-side encryption) is for S3, not RDS.

1142
MCQmedium

A security engineer reviews the trust policy of an IAM role. Which accounts can assume this role?

A.Only the root user of account 123456789012
B.Account 123456789012
C.Any AWS account
D.Account 111111111111
AnswerD

The trust policy allows the entire account.

Why this answer

Option B is correct because the principal is the root user of account 111111111111, meaning any IAM user or role from that account with sts:AssumeRole permission can assume the role. Option A is wrong because it's not any AWS account. Option C is wrong because only account 111111111111.

Option D is wrong because the IAM user's root account is 111111111111, not 123456789012.

1143
MCQmedium

A company has an AWS Lambda function that needs to access an Amazon RDS database. The database is in a private subnet. Which configuration will allow the Lambda function to securely access the database without traversing the internet?

A.Create a VPC peering connection between the Lambda VPC and the RDS VPC.
B.Place the Lambda function in a public subnet and use a NAT gateway to access the RDS database.
C.Configure the Lambda function to run in the same VPC as the RDS database, in the same private subnet.
D.Use a VPC endpoint for Lambda to connect to the RDS database.
AnswerC

Attaching the Lambda function to the VPC allows it to access resources in private subnets directly.

Why this answer

The correct answer is D because Lambda functions can be attached to a VPC to access resources in private subnets. Option A is wrong because a NAT gateway is used for outbound internet access, not for inbound access to RDS. Option B is wrong because VPC peering is used to connect VPCs, not for Lambda access.

Option C is wrong because a VPC endpoint for Lambda does not exist; Lambda uses VPC endpoints for other services, but to access RDS you attach the function to the VPC.

1144
MCQhard

A company has an S3 bucket with a bucket policy that grants access to a specific IAM role. The role is used by an application running on an EC2 instance. The application is unable to access the bucket, but the role can access other resources. What is the most likely cause?

A.A service control policy (SCP) denies access to the bucket
B.The bucket policy denies access to the role
C.The EC2 instance does not have an instance profile associated with the role
D.The role's trust policy does not allow EC2 to assume the role
AnswerC

Without an instance profile, the instance cannot assume the role.

Why this answer

Option A is correct because an EC2 instance profile is required to provide the role to the instance. Option B is incorrect because the role can access other resources, so the trust policy is likely correct. Option C is incorrect because the bucket policy is not denying access, it's granting.

Option D is incorrect because SCPs are not mentioned.

1145
MCQmedium

A company uses Amazon GuardDuty in a single AWS account to detect threats. The security team receives an alert that a specific EC2 instance is communicating with a known command and control (C2) server. The security engineer needs to immediately isolate the instance while preserving the root cause evidence. The engineer has access to the AWS Management Console. Which action should the engineer take FIRST?

A.Terminate the instance immediately to stop the communication.
B.Take a snapshot of the EBS volume and then isolate the instance by modifying the security group.
C.Modify the security group to block all outbound traffic.
D.Install the CloudWatch Logs agent on the instance to capture logs.
AnswerB

Snapshot preserves evidence, then isolation stops communication.

Why this answer

Option D is correct. Taking a snapshot of the EBS volume preserves evidence before isolation. Option A is wrong because terminating the instance loses evidence.

Option B is wrong because changing the security group may stop communication but evidence is not preserved. Option C is wrong because CloudWatch Logs agent is not installed and may not capture historical data.

1146
MCQeasy

A company uses AWS Systems Manager Session Manager to manage EC2 instances without opening inbound ports. Which IAM policy is required for an EC2 instance to allow Session Manager to connect?

A.AmazonSSMFullAccess
B.AmazonEC2FullAccess
C.AdministratorAccess
D.AmazonSSMManagedInstanceCore
AnswerD

This policy allows the instance to register with Systems Manager and receive commands.

Why this answer

Option C is correct because SSM Agent requires the AmazonSSMManagedInstanceCore policy to communicate with Systems Manager. Option A is wrong because it is for admin users. Option B is wrong because it allows EC2 actions, not SSM.

Option D is wrong because it allows full SSM access, which is excessive.

1147
MCQhard

A security engineer is designing a cross-account IAM role that allows an external AWS account to access resources in the company's account. The external account's root user must not be able to delegate permissions to other users. Which trust policy condition should be included?

A.Condition: StringEquals aws:PrincipalOrgID
B.Condition: Bool aws:PrincipalIsAWSService false
C.Condition: ArnLike aws:SourceArn
D.Condition: StringEquals aws:SourceAccount
AnswerB

Setting this to false ensures that the principal is not an AWS service, which helps prevent root user delegation, but the actual correct condition is to use 'aws:PrincipalAccount' with the external account ID.

Why this answer

Option D is correct because 'aws:PrincipalIsAWSService':'false' ensures the principal is not an AWS service, which is not relevant; however, the correct condition is 'aws:PrincipalAccount' to restrict to the specific external account. But among the options, D is the closest to limiting the root user delegation. Actually, the correct answer is 'aws:PrincipalAccount' with a specific account ID to prevent root delegation.

Option A is wrong because 'aws:SourceArn' is for service roles. Option B is wrong because 'aws:SourceAccount' is for service roles. Option C is wrong because 'aws:PrincipalOrgID' is for organization.

Option D is correct because 'aws:PrincipalIsAWSService' set to false prevents AWS services from assuming the role, but that doesn't address delegation. The question's answer should be 'aws:PrincipalAccount' with the external account ID. However, given the options, D is the only one that restricts the principal type.

The explanation should clarify.

1148
MCQhard

A company is designing a hybrid cloud architecture with an AWS Direct Connect connection. The company wants to ensure that traffic to and from the VPC goes through the Direct Connect connection and not over the internet. Which configuration should be used?

A.Create a VPC Endpoint for each AWS service.
B.Set up a VPN connection over the internet as a backup.
C.Attach a Virtual Private Gateway to the VPC and update the route tables to point to the Direct Connect virtual interface.
D.Configure the Direct Connect connection and assign public IPs to instances.
AnswerC

Forces traffic through Direct Connect.

Why this answer

Option A is correct because using a Virtual Private Gateway and updating route tables to point to the Direct Connect virtual interface ensures traffic is routed through Direct Connect. Option B is wrong because a VPN connection still uses the internet. Option C is wrong because a VPC Endpoint is for AWS service access.

Option D is wrong because Direct Connect alone does not enforce routing.

1149
MCQmedium

A company is using AWS Lambda functions to process sensitive data. The security team wants to detect when a Lambda function is invoked with an unexpected payload that may indicate an injection attack. Which AWS service should the team use to inspect the function's input for malicious patterns?

A.AWS WAF
B.None of the above; the team should implement custom validation within the Lambda function.
C.Amazon Inspector
D.AWS Shield
E.Amazon GuardDuty
AnswerB

Lambda does not have a built-in service to inspect payloads for injection attacks; validation must be custom.

Why this answer

Option B is correct because AWS Lambda functions process event payloads directly within the function code, and no AWS managed service can inspect the actual input data passed to a Lambda function at invocation time. AWS WAF operates at the HTTP/HTTPS layer for API Gateway or CloudFront, not for Lambda function payloads. Amazon Inspector scans for software vulnerabilities in EC2 instances and container images, not runtime payloads.

AWS Shield provides DDoS protection at the network and transport layers. Amazon GuardDuty analyzes VPC flow logs, DNS logs, and CloudTrail events for threats, but it does not inspect Lambda function invocation payloads. Therefore, the only way to detect malicious patterns in the function's input is to implement custom validation logic within the Lambda function code itself.

Exam trap

The trap here is that candidates often assume AWS WAF or GuardDuty can inspect all types of data flowing through AWS, but in reality, these services have specific scope limitations and cannot inspect Lambda invocation payloads directly.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic at the application layer for resources like API Gateway, CloudFront, or ALB, but it cannot inspect the payload passed directly to a Lambda function via SDK, CLI, or other AWS services. Option C is wrong because Amazon Inspector is a vulnerability management service that assesses EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not for inspecting runtime invocation payloads for injection attacks. Option D is wrong because AWS Shield is a managed DDoS protection service that operates at the network and transport layers (Layer 3/4) and does not inspect application-level payloads for malicious patterns.

Option E is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, CloudTrail management events, DNS logs, and EKS audit logs, but it does not have visibility into the actual data payloads passed to Lambda functions during invocation.

1150
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A security engineer needs to ensure that all CloudFormation stacks use a specific AWS KMS key for encrypting resources that support encryption. Which approach should be used?

A.Use a CloudFormation template that includes the KMS key ID as a hardcoded value.
B.Use a CloudFormation parameter to accept the KMS key ID and validate it with a rule.
C.Use AWS CloudFormation StackSets with a service-managed permission model to deploy stacks from a centrally managed template that includes the KMS key.
D.Use an AWS Organizations service control policy (SCP) to deny all CloudFormation actions unless a specific KMS key is used.
AnswerC

StackSets allow central management and enforcement of template content, including the KMS key.

Why this answer

The correct answer is D because AWS CloudFormation StackSets can be used with a service-managed permission model to centrally manage stacks across accounts and enforce policies. Option A is wrong because you cannot enforce encryption at the template level; users can modify templates. Option B is wrong because a service control policy (SCP) can deny actions, but CloudFormation does not have a direct condition key to enforce KMS key usage for all resources.

Option C is wrong because while you can use a parameter, users can override it with a different key.

1151
MCQhard

A security analyst notices an IAM role 'AdminRole' is being assumed from an IP address outside the company's allowed network. The analyst wants to receive real-time alerts when this role is assumed from unauthorized locations. Which combination of services should be used?

A.AWS CloudTrail, Amazon S3, and Amazon Athena
B.AWS Config, Amazon SNS, and AWS Lambda
C.Amazon GuardDuty and AWS Lambda
D.AWS CloudTrail, Amazon CloudWatch Events, and Amazon SNS
AnswerD

CloudTrail logs the event, CloudWatch Events matches the pattern, SNS sends alert.

Why this answer

Option D is correct because AWS CloudTrail logs IAM role assumption events (sts:AssumeRole) as CloudTrail events, which can be sent to Amazon CloudWatch Events (now Amazon EventBridge) as a real-time event stream. CloudWatch Events rules can then match specific patterns (e.g., source IP outside allowed ranges) and trigger an Amazon SNS notification to alert the security analyst immediately. This combination provides the real-time alerting required without additional polling or storage.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates configuration compliance) with CloudTrail (which records API activity), or they assume GuardDuty can be customized for specific role assumption alerts, when in fact GuardDuty does not support custom event pattern matching for individual IAM roles.

How to eliminate wrong answers

Option A is wrong because while CloudTrail logs to S3 and Athena can query those logs, this setup is for historical analysis and batch queries, not real-time alerting. Option B is wrong because AWS Config evaluates resource configuration changes (e.g., IAM policy changes) but does not monitor API call events like sts:AssumeRole from specific IP addresses; it is not designed for real-time event-driven alerting on API activity. Option C is wrong because Amazon GuardDuty detects threats based on DNS, VPC flow logs, and CloudTrail management events, but it does not provide custom real-time alerts for a specific IAM role being assumed from unauthorized IPs; it focuses on broader anomaly detection and requires additional services to trigger custom SNS alerts.

1152
MCQeasy

A company configures a Route 53 alias record to point to a CloudFront distribution. The security team wants to ensure that users can only access the website via CloudFront and not directly via the S3 bucket origin. What additional configuration is needed?

A.Create an Origin Access Control (OAC) for the S3 bucket origin
B.Create a Route 53 health check to verify CloudFront availability
C.Configure CloudFront signed URLs to restrict access
D.Attach a security group to the S3 bucket
AnswerA

OAC ensures only CloudFront can access the S3 bucket.

Why this answer

Option C is correct because an Origin Access Control (OAC) prevents direct access to the S3 bucket. Option A is wrong because the alias record already points to CloudFront. Option B is wrong because CloudFront signed URLs are for user authentication, not origin access.

Option D is wrong because security groups are for EC2, not S3.

1153
MCQmedium

A security engineer is configuring automated response to a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to isolate the compromised instance by modifying the security group to deny all inbound traffic. Which AWS service should be used to orchestrate this response?

A.AWS Lambda
B.AWS CloudFormation
C.AWS Config
D.AWS Systems Manager Automation
AnswerD

Correct: Systems Manager Automation provides runbooks to automate response actions like modifying security groups.

Why this answer

Option A is correct because AWS Systems Manager Automation can run a runbook to modify security group rules in response to a GuardDuty finding via EventBridge. Option B is wrong because Lambda can be used but is not the orchestration service; it is a compute service. Option C is wrong because Config is for compliance, not response.

Option D is wrong because CloudFormation is for infrastructure provisioning, not real-time response.

1154
MCQeasy

Refer to the exhibit. A KMS key policy is shown. An IAM role named 'DataProcessor' in account 123456789012 is trying to encrypt data using this key. The role also has an IAM policy that allows kms:Encrypt on the key. Will the encryption succeed?

A.Yes, because the IAM policy alone is sufficient
B.Yes, because the key policy allows the role and the IAM policy also allows
C.No, because the key policy must include a condition for the role
D.No, because the role is in a different account
AnswerB

Both policies grant permission.

Why this answer

Option A is correct because the key policy allows the role to encrypt, and the IAM policy also allows. Option B is wrong because the key policy does not require additional conditions. Option C is wrong because the role is in the same account, and the key policy allows it.

Option D is wrong because the key policy is sufficient.

1155
MCQeasy

Refer to the exhibit. A security engineer finds this S3 bucket policy on a bucket that should be private. What is the most effective way to detect if this bucket was accessed by unauthorized users?

A.Enable S3 server access logs on the bucket.
B.Query AWS CloudTrail for GetObject API calls.
C.Use CloudWatch Logs to search for GetObject events.
D.Analyze VPC Flow Logs for traffic to the bucket.
AnswerB

CloudTrail logs all S3 API calls, including GetObject, and can be queried.

Why this answer

CloudTrail logs S3 API calls, including GetObject, and can be used to identify who accessed the bucket. Option A is wrong because S3 server access logs are not enabled by default. Option B is wrong because VPC Flow Logs do not capture S3 API calls.

Option C is wrong because CloudWatch Logs does not capture S3 API calls directly.

1156
MCQhard

An organization uses AWS Organizations and wants to restrict the use of specific EC2 instance types across all member accounts. Which policy type should be used to enforce this restriction?

A.Resource-based policy
B.IAM policy
C.Service control policy (SCP)
D.AWS CloudFormation policy
AnswerC

SCPs can be attached to OUs to restrict services across accounts.

Why this answer

Option A is correct because SCPs can deny actions at the account level. Option B is wrong because IAM policies are account-specific and can be overridden. Option C is wrong because resource-based policies are for specific resources.

Option D is wrong because it is not a policy type.

1157
MCQhard

A company has a critical application that stores sensitive data in Amazon DynamoDB. The security team requires that all data stored in DynamoDB is encrypted at rest using a customer-managed KMS key. Additionally, they want to ensure that the key can be rotated automatically every year. Which combination of actions should be taken?

A.Use a CloudHSM key store and enable automatic rotation
B.Use a customer-managed KMS key and enable automatic key rotation
C.Use an AWS managed KMS key and enable automatic key rotation
D.Enable encryption on the existing DynamoDB table and use a customer-managed KMS key
AnswerB

Correct: DynamoDB supports customer-managed KMS keys and KMS automatic rotation.

Why this answer

Option B is correct because DynamoDB supports encryption at rest with a customer-managed KMS key, and KMS supports automatic annual rotation for customer-managed keys. Option A is wrong because DynamoDB does not use CloudHSM. Option C is wrong because automatic rotation is not available for AWS managed keys (which DynamoDB uses by default).

Option D is wrong because you cannot enable encryption on a table created without encryption except by recreating it.

1158
Multi-Selecthard

Which THREE AWS services can be used to detect and alert on suspicious network traffic patterns? (Choose three.)

Select 3 answers
A.AWS Network Firewall
B.Amazon VPC Flow Logs
C.AWS Systems Manager
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersA, B, E

Network Firewall provides intrusion detection and prevention.

Why this answer

AWS Network Firewall is correct because it is a managed firewall service that can inspect network traffic at the VPC level using stateful and stateless rules. It can detect suspicious patterns such as port scans, malicious IP addresses, or protocol anomalies and generate alerts via Amazon CloudWatch metrics and logs, enabling real-time notification of suspicious network traffic.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (API logging) with network traffic monitoring, or assume AWS Systems Manager has security detection capabilities, when in fact neither service inspects network packet flows or traffic patterns.

1159
MCQhard

A company is using Amazon GuardDuty to detect threats. They notice that GuardDuty is generating a high volume of 'UnauthorizedAccess:EC2/SSHBruteForce' findings from an internal EC2 instance that is used for vulnerability scanning. The security team wants to reduce false positives without disabling GuardDuty entirely. What should they do?

A.Change the security group of the vulnerability scanner to block SSH traffic.
B.Disable GuardDuty for the subnet where the vulnerability scanner is located.
C.Disable the 'UnauthorizedAccess:EC2/SSHBruteForce' finding type in GuardDuty.
D.Create a suppression rule for findings originating from the vulnerability scanner's IP address.
AnswerD

Suppression rules allow you to automatically archive findings from trusted sources, reducing false positives.

Why this answer

Option D is correct because Amazon GuardDuty's suppression rules allow you to filter out findings based on criteria such as IP address, without disabling the detector or any finding types. By creating a suppression rule that matches the vulnerability scanner's IP address, you automatically archive and suppress future 'UnauthorizedAccess:EC2/SSHBruteForce' findings from that specific source, reducing false positives while maintaining full threat detection coverage for all other instances.

Exam trap

The trap here is that candidates often confuse suppression rules with disabling finding types or disabling GuardDuty entirely, not realizing that suppression rules provide a granular, IP-based mechanism to reduce noise without compromising overall security coverage.

How to eliminate wrong answers

Option A is wrong because changing the security group to block SSH traffic would break the vulnerability scanner's functionality, as it needs SSH access to perform its scanning tasks. Option B is wrong because disabling GuardDuty for the subnet would stop all threat detection for every instance in that subnet, not just the scanner, leaving other workloads unprotected. Option C is wrong because disabling the 'UnauthorizedAccess:EC2/SSHBruteForce' finding type globally would suppress all SSH brute force alerts across the entire AWS account, including legitimate threats, which defeats the purpose of targeted false positive reduction.

1160
MCQhard

An organization uses AWS Organizations with multiple OUs. The security team wants to ensure that any new account created in the 'Production' OU automatically gets a set of mandatory tags (CostCenter, Environment) and that these tags cannot be removed. What is the most effective approach?

A.Use AWS Service Catalog to provision accounts with pre-defined tags.
B.Use AWS Config rules to detect untagged resources and send alerts.
C.Create an IAM policy in each account that prohibits tag removal.
D.Apply an SCP that denies changes to the specified tags for all accounts in the Production OU.
AnswerD

SCPs can deny actions that would modify protected tags.

Why this answer

Option B is correct: using an SCP with a condition that denies modification of those specific tags. SCPs can prevent any IAM actions that remove or modify tags. Option A is wrong because AWS Config rules only detect, not prevent.

Option C is wrong because SCPs cannot be used to automatically add tags. Option D is wrong because IAM policies in each account are less centralized.

1161
MCQhard

A security engineer notices that CloudTrail logs are not being delivered to the S3 bucket for the past 2 hours. The output of 'get-trail-status' is shown. What is the most likely cause?

A.The S3 bucket does not exist.
B.The trail has been stopped.
C.The S3 bucket policy denies write access from CloudTrail.
D.CloudWatch Logs delivery is failing.
AnswerC

Correct: A misconfigured bucket policy can block delivery.

Why this answer

Option D is correct because the latest delivery time is a Unix timestamp that is old (2 hours ago), but the delivery succeeded at that time. However, the 'LatestDeliveryAttemptSucceeded' shows a recent time, indicating a recent delivery. Wait: Actually, the 'LatestDeliveryTime' is 1625097600 which is July 1, 2021, but the current time might be later.

If logs are not delivering, check S3 bucket policy. The bucket policy might have been changed to deny write access. Option A is wrong because the trail is logging.

Option B is wrong because CloudWatch Logs delivery is also recent. Option C is wrong because the trail is not stopped.

1162
MCQeasy

A developer needs to grant an IAM user temporary access to an S3 bucket for 15 minutes. Which AWS service should be used to generate temporary credentials?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS)
C.AWS Security Token Service (STS)
D.AWS Directory Service
AnswerC

STS issues temporary credentials.

Why this answer

AWS STS is used to request temporary, limited-privilege credentials for IAM users or federated users.

1163
MCQmedium

A company has an Amazon S3 bucket that stores sensitive data. The security team needs to ensure that all access to the bucket is encrypted in transit. Which condition should be added to the bucket policy?

A.aws:SecureTransport
B.aws:SourceIp
C.s3:x-amz-server-side-encryption
D.aws:UserAgent
AnswerA

This condition ensures the request is made over SSL/TLS.

Why this answer

Option B is correct because the condition aws:SecureTransport checks whether the request was sent using SSL/TLS. Option A is wrong because aws:SourceIp checks IP address, not encryption. Option C is wrong because s3:x-amz-server-side-encryption checks encryption at rest, not in transit.

Option D is wrong because aws:UserAgent checks the user agent string.

1164
Multi-Selectmedium

A security engineer is implementing centralized logging across multiple AWS accounts. Which TWO actions should the engineer take to ensure logs are securely stored and immutable? (Choose TWO.)

Select 2 answers
A.Enable S3 Transfer Acceleration on the bucket
B.Use AWS KMS with a customer managed key for encryption
C.Enable S3 Object Lock on the destination bucket
D.Enable CloudTrail log file validation
E.Enable MFA Delete on the bucket
AnswersB, C

KMS provides encryption and access control.

Why this answer

Option A is correct because enabling S3 Object Lock prevents log files from being deleted or overwritten. Option C is correct because using AWS KMS with a customer managed key provides encryption and fine-grained access control. Option B is wrong because CloudTrail log file validation ensures integrity but does not prevent deletion.

Option D is wrong because S3 Transfer Acceleration is for speed, not security. Option E is wrong because MFA Delete requires additional authentication but does not provide immutability; Object Lock is more appropriate.

1165
Multi-Selecthard

Which THREE AWS services can be used to authenticate users for accessing AWS resources?

Select 3 answers
A.AWS Single Sign-On
B.Amazon Cognito
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
E.AWS CloudTrail
AnswersA, B, D

SSO authenticates users with identity providers.

Why this answer

IAM authenticates users, Cognito provides user pools for federated access, SSO integrates with identity providers. Option D is not an authentication service. Option E is for secrets management.

1166
Multi-Selecteasy

A company is designing a data protection strategy for Amazon S3. Which TWO of the following are valid methods to protect data at rest in S3?

Select 2 answers
A.S3 Versioning
B.S3 bucket policies
C.MFA Delete
D.Server-side encryption with S3-managed keys (SSE-S3)
E.Server-side encryption with AWS KMS (SSE-KMS)
AnswersD, E

Encrypts data at rest.

Why this answer

Server-side encryption with S3-managed keys (SSE-S3) encrypts data at rest using AES-256, with Amazon S3 managing the encryption/decryption process and key rotation automatically. This is a valid method to protect data at rest in S3 because it ensures objects are encrypted before being written to disk and decrypted when accessed, without requiring any additional client-side logic or key management overhead.

Exam trap

The trap here is that candidates often confuse data protection features like versioning or access controls (bucket policies, MFA Delete) with encryption mechanisms, assuming they provide data-at-rest protection when they do not.

1167
MCQeasy

A company uses AWS CloudTrail to log all API activity. The security team wants to be alerted when an IAM user creates a new access key. They have created a CloudWatch metric filter on the CloudTrail log group for the event name 'CreateAccessKey' and set up a CloudWatch alarm that sends an email via Amazon SNS. However, the alarm is not triggering even though the team knows that access keys have been created. The metric filter has been tested and shows data points in CloudWatch. What should the security team check next?

A.Ensure that the CloudTrail trail is delivering logs to the correct CloudWatch Logs log group.
B.Verify that the CloudTrail trail is logging data events.
C.Review the CloudWatch alarm configuration, including the period and threshold.
D.Check that the IAM user has permissions to create access keys.
AnswerC

The alarm may be misconfigured with a period that is too long or a threshold that is not crossed.

Why this answer

Option C is correct because the metric filter is producing data points, which means logs are being ingested and the filter is matching events. The most likely issue is that the CloudWatch alarm's period or threshold is misconfigured—for example, the evaluation period might be too long or the threshold too high, causing the alarm to not transition to ALARM state despite the metric having values. The security team should verify the alarm's settings, such as the period (e.g., 5 minutes) and the threshold (e.g., >= 1), to ensure they align with the expected frequency of access key creation events.

Exam trap

The trap here is that candidates assume the issue must be with log delivery or event type, but the metric filter already shows data points, so the problem lies in the alarm's evaluation configuration—specifically the period and threshold settings that control when the alarm triggers.

How to eliminate wrong answers

Option A is wrong because the metric filter is showing data points, which confirms that the CloudTrail trail is already delivering logs to the correct CloudWatch Logs log group; if it were not, no data points would appear. Option B is wrong because 'CreateAccessKey' is a management event, not a data event, and CloudTrail logs management events by default; data events are for S3 object-level or Lambda function invocations and are irrelevant here. Option D is wrong because the question states that access keys have been created, which means the IAM user already has the necessary permissions; the issue is with the alarm triggering, not with the creation of keys.

1168
MCQmedium

A security engineer is designing a VPC with a public subnet and a private subnet. The private subnet will host a database instance that should only be accessible from the application instances in the public subnet. The application instances use an Auto Scaling group. Which configuration ensures that only the application instances can access the database?

A.Allow inbound database port from the security group attached to the application instances in the public subnet.
B.Allow inbound database port from 0.0.0.0/0 in the database security group.
C.Configure a network ACL on the private subnet to allow the database port from the public subnet CIDR.
D.Allow inbound database port from the public subnet CIDR block in the database security group.
AnswerA

This dynamically allows traffic from all application instances.

Why this answer

Option B is correct because referencing the application security group as the source allows dynamic scaling. Option A is wrong because referencing the public subnet CIDR would allow any instance in that subnet, not just the application. Option C is wrong because allowing 0.0.0.0/0 would expose the database.

Option D is wrong because network ACLs are stateless and cannot reference security groups.

1169
MCQeasy

A company stores data in Amazon S3 and wants to ensure that objects are encrypted at rest. The security team decides to use server-side encryption with AWS KMS (SSE-KMS). Which additional benefit does SSE-KMS provide over SSE-S3?

A.Faster encryption and decryption
B.Lower cost per object
C.Separate permissions for key usage and audit of key usage
D.Stronger encryption algorithm
AnswerC

KMS provides granular control and logging.

Why this answer

Option B is correct because SSE-KMS provides separate permissions for key usage and audit trails. Option A is wrong because both provide encryption. Option C is wrong because SSE-KMS can have additional cost.

Option D is wrong because SSE-S3 also provides strong encryption.

1170
MCQeasy

A company needs to centrally manage access to AWS resources across multiple accounts. Which AWS service should be used to define and enforce a set of common permissions for all accounts in the organization?

A.AWS Directory Service
B.AWS IAM
C.AWS Single Sign-On (SSO)
D.AWS Organizations with SCPs
AnswerD

SCPs allow central control of permissions across accounts.

Why this answer

Option A is correct because AWS Organizations allows you to create SCPs that define maximum permissions for accounts. Option B is wrong because IAM is per-account. Option C is wrong because AWS SSO is for federated access, not for enforcing permissions.

Option D is wrong because AWS Directory Service is for directory services.

1171
MCQhard

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should be used?

A.Enable CloudTrail and configure S3 bucket to use default encryption and enable S3 server access logs.
B.Enable CloudTrail log file SSE-KMS encryption and enable CloudTrail log file integrity validation.
C.Use AWS CloudHSM to generate keys and encrypt CloudTrail logs at the application layer.
D.Enable CloudTrail log file encryption using SSE-S3 and store logs in CloudWatch Logs.
AnswerB

SSE-KMS encrypts logs; integrity validation detects tampering.

Why this answer

Option C is correct because CloudTrail can be configured to use SSE-KMS for encryption, and log file integrity validation provides tamper detection. Option A is wrong because CloudWatch Logs does not provide integrity validation. Option B is wrong because S3 server access logs are not for CloudTrail.

Option D is wrong because CloudHSM does not integrate directly with CloudTrail.

1172
MCQhard

Refer to the exhibit. A security engineer reviews this CloudFormation template snippet. What is the security concern with this configuration?

A.The AMI ID is hardcoded.
B.The template does not specify a VPC.
C.The instance type is too small.
D.The security group allows SSH access from any IP address.
AnswerD

SSH should be restricted to specific IP ranges.

Why this answer

The security group allows SSH from anywhere (0.0.0.0/0), which is a security risk. Option A is correct. Option B is incorrect because the AMI is not necessarily public.

Option C is incorrect because the instance type is not a security concern. Option D is incorrect because the template is valid.

1173
MCQeasy

A company has a single AWS account with several IAM users. The security team wants to ensure that all IAM users have strong passwords and that passwords are rotated every 90 days. The team also wants to receive a notification if any user's password is older than 90 days. The team has enabled an IAM password policy that requires strong passwords and sets a maximum password age of 90 days. However, they are not receiving notifications about expired passwords. Which additional step should the security team take to receive notifications?

A.Create an AWS Config rule that checks the password policy and triggers an SNS notification.
B.Configure IAM to automatically send an email when a password expires.
C.Enable AWS CloudTrail to log password changes and use Amazon CloudWatch Events to monitor.
D.Use AWS Trusted Advisor to check password policy and send notifications.
AnswerA

Config can evaluate the password policy and notify via SNS.

Why this answer

Option A is correct because AWS Config can evaluate the password policy and trigger SNS notifications when non-compliant. Option B is wrong because CloudTrail does not evaluate password age. Option C is wrong because Trusted Advisor does not monitor IAM user password age.

Option D is wrong because IAM itself does not send notifications for password expiration.

1174
MCQhard

A developer is trying to upload a file to an S3 bucket using the AWS CLI, but receives an 'AccessDenied' error. The IAM policy attached to the user includes 's3:PutObject' on the bucket. The bucket policy has a Deny statement with the condition 'aws:Referer': ['example.com']. The CLI command does not include a referer header. What is the cause of the error?

A.The user’s access keys are expired.
B.The bucket policy denies requests that do not include the required referer header.
C.The IAM policy does not include s3:PutObjectAcl.
D.The CLI is not using HTTPS.
AnswerB

The Deny statement blocks requests without the specified referer.

Why this answer

Option B is correct because the Deny statement with a condition that does not match the request (no referer header) still denies the request if the condition is not met? Actually, the Deny statement with a condition only denies if the condition evaluates to true. Since the request has no referer, the condition 'StringNotEquals'? Wait, typical bucket policy is: Deny unless referer equals example.com. But if the request has no referer, the condition fails, so the Deny does not apply.

However, the error persists. Possibly the bucket policy has an explicit Deny for all requests without the referer. In that case, the Deny applies.

So Option B is correct: the Deny is blocking requests without the referer. Option A is wrong because CLI uses HTTPS. Option C is irrelevant.

Option D is not the cause.

1175
MCQeasy

A company needs to encrypt data at rest in Amazon EBS volumes. They want to use an AWS managed key that is automatically rotated. Which encryption option should they choose?

A.Use SSE-S3.
B.Enable EBS encryption by default using the AWS managed key for Amazon EBS.
C.Use a customer-managed KMS key with automatic rotation enabled.
D.Use client-side encryption.
AnswerB

The AWS managed key for EBS is automatically rotated by AWS.

Why this answer

Option B is correct because enabling EBS encryption by default using the AWS managed key for Amazon EBS (alias `aws/ebs`) ensures data at rest is encrypted with a key that is automatically rotated on an annual basis, as required. This key is managed by AWS and requires no manual intervention for rotation, meeting the company's need for a managed, automatically rotated key.

Exam trap

The trap here is that candidates often confuse 'AWS managed key' with 'customer-managed KMS key with automatic rotation enabled,' but the key distinction is that a customer-managed key is not an AWS managed key—it is managed by the customer, even if rotation is automated.

How to eliminate wrong answers

Option A is wrong because SSE-S3 is an encryption option for Amazon S3, not for Amazon EBS volumes; it uses S3-managed keys and is irrelevant to EBS encryption. Option C is wrong because while a customer-managed KMS key can have automatic rotation enabled, it is not an AWS managed key—it is customer-managed, meaning the customer retains control and responsibility, which does not satisfy the requirement for an AWS managed key. Option D is wrong because client-side encryption occurs before data reaches AWS and does not use an AWS managed key; it requires the customer to manage encryption keys locally, contradicting the need for an AWS managed, automatically rotated key.

1176
MCQeasy

A company needs to grant cross-account access to an S3 bucket. Which IAM feature should be used?

A.Create an IAM user in the source account and share the credentials.
B.Use an S3 bucket policy that grants access to the external account's IAM users.
C.Use a service control policy (SCP) to allow cross-account access.
D.Use an IAM role in the source account that the external account can assume.
AnswerB

Bucket policies can grant cross-account access.

Why this answer

Option B is correct because a bucket policy can grant access to principals in another account. Option A is wrong because IAM users are within the same account. Option C is wrong because a role can be used but requires the external account to assume the role, not directly access the bucket.

Option D is wrong because SCPs apply within an organization.

1177
MCQhard

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

A.Enable AWS CloudTrail in the management account and use S3 bucket policies.
B.Use a service control policy (SCP) to deny actions that disable CloudTrail or delete the bucket.
C.Use an IAM policy in each account to prevent trail modifications.
D.Use AWS Config rules to detect and alert on disabled trails.
AnswerB

SCPs can prevent these actions across all accounts.

Why this answer

Service control policies (SCPs) are the correct mechanism because they allow the management account to centrally restrict permissions across all accounts in the organization. By creating an SCP that denies the `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail`, and `s3:DeleteBucket` actions, the security team can prevent any account (including root users) from disabling CloudTrail or deleting the centralized S3 bucket, regardless of IAM policies or direct resource-based policies.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that IAM policies in each account are sufficient, not realizing that account administrators can modify or remove those policies.

How to eliminate wrong answers

Option A is wrong because enabling CloudTrail in the management account does not prevent other accounts from disabling their own trails or deleting the bucket; S3 bucket policies alone cannot block actions like `cloudtrail:StopLogging` or `cloudtrail:DeleteTrail` that occur outside S3. Option C is wrong because IAM policies are account-scoped and can be overridden by the account's own administrators or root user, so they cannot enforce a blanket denial across all accounts. Option D is wrong because AWS Config rules are detective, not preventive—they can alert on disabled trails but cannot block the disabling action itself.

1178
Multi-Selectmedium

A security engineer is configuring logging for an application running on Amazon EC2 instances. The engineer needs to capture both operating system-level logs and application logs. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon CloudWatch agent
E.Amazon Inspector
AnswersC, D

Stores log data collected by the CloudWatch agent.

Why this answer

The CloudWatch agent can collect OS and application logs and send them to CloudWatch Logs. Options A and C are correct. Option B is wrong because VPC Flow Logs capture network traffic metadata.

Option D is wrong because AWS CloudTrail captures API calls. Option E is wrong because Amazon Inspector is for vulnerability assessment.

1179
MCQmedium

A security team needs to analyze historical CloudTrail logs across multiple AWS accounts to detect patterns of suspicious activity. Which solution provides the MOST cost-effective and scalable analysis?

A.Aggregate logs into a central S3 bucket and query with Amazon Athena
B.Stream logs to Amazon Elasticsearch Service and use Kibana
C.Load logs into Amazon Redshift for analysis
D.Use Amazon CloudWatch Logs Insights across all accounts
AnswerA

Athena allows serverless SQL queries on S3 data, cost-effective for historical analysis.

Why this answer

Aggregating CloudTrail logs into a central S3 bucket and querying with Amazon Athena is the most cost-effective and scalable solution because Athena uses a serverless, pay-per-query model with no infrastructure to manage, and it can directly analyze large volumes of structured log data stored in S3 using standard SQL. This approach avoids the cost of provisioning and maintaining dedicated clusters (as with Redshift or Elasticsearch) and avoids the per-GB ingestion and storage fees of CloudWatch Logs Insights, making it ideal for historical analysis across multiple accounts.

Exam trap

The trap here is that candidates often choose CloudWatch Logs Insights (Option D) because it seems convenient for log analysis, but they overlook its high ingestion costs and limited retention for historical data, whereas Athena's serverless, pay-per-query model is far more cost-effective for large-scale, infrequent queries of archived logs.

How to eliminate wrong answers

Option B is wrong because streaming logs to Amazon Elasticsearch Service (now OpenSearch Service) incurs ongoing costs for cluster instances, storage, and data ingestion, and it is not as cost-effective for infrequent historical queries compared to Athena's pay-per-query model. Option C is wrong because loading logs into Amazon Redshift requires provisioning a cluster, paying for compute and storage even when idle, and involves ETL overhead, making it overkill and more expensive for ad-hoc analysis of CloudTrail logs. Option D is wrong because Amazon CloudWatch Logs Insights is designed for real-time log analysis and has a per-GB ingestion cost and a limited query history retention (typically 30 days), making it unsuitable and costly for analyzing long-term historical logs across multiple accounts.

1180
Multi-Selectmedium

A company wants to restrict access to an S3 bucket so that only objects with specific tags can be accessed by a certain IAM role. Which THREE steps are required to implement this?

Select 3 answers
A.Use S3 Inventory to list objects and their tags.
B.Enable S3 object-level logging in CloudTrail.
C.Attach an IAM policy to the role that uses the s3:ExistingObjectTag condition.
D.Create a bucket policy with a condition based on the s3:ExistingObjectTag key.
E.Set a bucket policy that denies access if the object does not have the required tag.
AnswersC, D, E

IAM policies can also use condition keys to restrict access based on tags.

Why this answer

Option A (Enable S3 object-level logging) is not required for access control. Option B (Create a bucket policy with a condition based on s3:ExistingObjectTag) is correct. Option C (Attach an IAM policy to the role with condition) is correct.

Option D (Set S3 bucket policy to deny untagged objects) is correct. Option E (Use S3 inventory) is for reporting, not access control.

1181
MCQhard

A security team notices that an IAM user has permissions to launch EC2 instances but should not have access to certain instance types. Which IAM policy condition key should be used to restrict this?

A.ec2:ResourceTag
B.ec2:Tenancy
C.ec2:InstanceProfile
D.ec2:InstanceType
AnswerD

Allows restriction based on instance type.

Why this answer

The ec2:InstanceType condition key allows you to restrict IAM users to launching only specific EC2 instance types (e.g., t2.micro, m5.large) by evaluating the instance type value in the RunInstances API call. This is the correct key to enforce a policy that denies access to certain instance types while permitting others.

Exam trap

The trap here is that candidates often confuse ec2:InstanceType with ec2:ResourceTag, thinking they can use tags to restrict instance types, but tags are applied after launch and cannot be used to block the initial API call based on instance type.

How to eliminate wrong answers

Option A is wrong because ec2:ResourceTag is used to control access based on tags attached to EC2 resources, not to restrict instance types. Option B is wrong because ec2:Tenancy controls whether instances can be launched on shared or dedicated hardware (e.g., default vs. dedicated tenancy), not the instance type. Option C is wrong because ec2:InstanceProfile is used to restrict which IAM roles (instance profiles) can be associated with an EC2 instance, not the instance type itself.

1182
MCQhard

A security team notices that an S3 bucket containing sensitive data has been repeatedly accessed from an IP address outside the company's network. They need to set up a real-time alert when such access occurs. Which combination of services should they use?

A.VPC Flow Logs and Amazon QuickSight
B.AWS Config and Amazon SNS
C.CloudWatch Logs Insights and Amazon SES
D.Amazon GuardDuty and Amazon EventBridge
AnswerD

GuardDuty detects anomalies in S3 access and sends findings to EventBridge for alerting.

Why this answer

Option D is correct because Amazon GuardDuty can analyze CloudTrail management events and S3 data events to detect suspicious activity, and it can send alerts to Amazon EventBridge, which can trigger a notification. Option A is wrong because AWS Config evaluates resource configurations, not real-time access patterns. Option B is wrong because VPC Flow Logs would not capture S3 access from outside the VPC.

Option C is wrong because CloudWatch Logs Insights is used for querying logs, not for real-time alerting on its own.

1183
MCQhard

An IAM policy allows a user to pass a specific role and launch EC2 instances. The user tries to launch an EC2 instance with the role 'ec2-full-access' but receives an error: 'You are not authorized to perform iam:PassRole'. What is the MOST likely cause?

A.The role 'ec2-full-access' does not exist in the account
B.The user is attempting to pass a role with an ARN that does not exactly match the one in the policy
C.The policy is missing a condition key such as ec2:InstanceProfile
D.The user does not have permission to call ec2:RunInstances
AnswerB

The policy allows PassRole only for the specific ARN; any other role will be denied.

Why this answer

Option B is correct. The policy allows iam:PassRole on the exact ARN, but the condition 'Resource: "*"' for ec2:RunInstances does not include the role. However, the error is about iam:PassRole, which means the user tried to pass a role that is not the exact ARN.

The most common issue is that the user is trying to pass a role that is different or the ARN is incorrect. Option A is wrong because the policy does not require a condition key for PassRole. Option C is wrong because the policy allows ec2:RunInstances on all resources.

Option D is wrong because the role may exist but the ARN mismatch causes the failure.

1184
MCQhard

Refer to the exhibit. A security engineer is reviewing the CloudWatch Logs configuration for a Lambda function. The log group is encrypted with a customer managed key. The engineer needs to ensure that only the Lambda service can write logs to this log group and that only a specific IAM role can read logs. Which additional configuration is required?

A.Attach a resource-based policy to the log group that allows only the Lambda service to write logs
B.Create an S3 bucket policy to allow only Lambda to write to the log group
C.Assign an IAM role to the log group that has permission to write logs
D.Add a condition to the KMS key policy that uses kms:ViaService to restrict encryption/decryption to logs.amazonaws.com and a condition that the Lambda function is the source
AnswerD

Allows log service only when Lambda is the source.

Why this answer

CloudWatch Logs uses a service-linked role to write logs. To restrict writing to the Lambda service, you need to add a condition to the key policy that allows the logs service only when the request comes from Lambda. Option C is correct.

Option A is incorrect because a bucket policy is for S3. Option B is incorrect because resource-based policies on log groups are for cross-account access, not to restrict write access. Option D is incorrect because IAM roles cannot be assigned to log groups.

1185
MCQmedium

A security engineer is setting up centralized logging for an AWS organization. The engineer wants to collect CloudTrail logs, VPC Flow Logs, and AWS Config configuration items from all member accounts into a single S3 bucket in the management account. The engineer creates a new S3 bucket with a bucket policy that grants the required permissions. However, logs from member accounts are not being delivered. What is the most likely reason?

A.VPC Flow Logs cannot be delivered to an S3 bucket in a different account.
B.CloudTrail must be enabled in each member account individually.
C.The S3 bucket policy does not grant write permissions to the member accounts' service principals.
D.AWS Config must be enabled in the management account and configured to aggregate data from member accounts.
AnswerC

Bucket policy must allow cross-account writes.

Why this answer

Option D is correct because the S3 bucket policy must grant the necessary permissions to the member account's service principal (e.g., cloudtrail.amazonaws.com, vpc-flow-logs.amazonaws.com, config.amazonaws.com) to write objects. Option A is wrong because logging does not require AWS Config aggregation. Option B is wrong because CloudTrail organization trail does not need to be created in each account.

Option C is wrong because VPC Flow Logs can be delivered to a bucket in a different account.

1186
MCQhard

A company has an AWS account with a single VPC and multiple subnets. The security team wants to ensure that no network ACL (NACL) allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS service can be used to detect and alert on such non-compliant NACLs?

A.Amazon Inspector
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerC

Correct: AWS Config can evaluate NACL rules with custom rules.

Why this answer

Option D is correct because AWS Config can evaluate NACL rules using a custom rule that checks for inbound SSH from 0.0.0.0/0. Option A is wrong because AWS CloudTrail logs API calls but does not evaluate NACL configurations. Option B is wrong because Amazon GuardDuty focuses on threat detection.

Option C is wrong because AWS Inspector assesses vulnerabilities on EC2, not NACLs.

1187
MCQmedium

A company uses AWS Systems Manager Session Manager to manage EC2 instances. The security team wants to ensure that all SSH sessions are logged and that commands are recorded. What should be configured?

A.Enable session logging in the Session Manager preferences to send logs to Amazon S3 and CloudWatch Logs
B.Configure the security group to allow inbound SSH from the Session Manager service
C.Enable AWS CloudTrail to log Systems Manager API calls
D.Create an IAM policy that allows ssm:StartSession and attach it to the instance role
AnswerA

Session Manager preferences allow logging of session activities and command recording.

Why this answer

Option C is correct because Session Manager can log session activity to Amazon S3 and CloudWatch Logs, and enable command recording. Option A is wrong because an IAM policy only controls permissions to start sessions, not logging. Option B is wrong because security groups control network access, not logging.

Option D is wrong because CloudTrail logs API calls, not the commands run within a session.

1188
Multi-Selecthard

Which THREE factors should be considered when designing IAM policies for cross-account access? (Choose three.)

Select 3 answers
A.The resource-based policy must allow the external account
B.Permission boundaries must be used
C.The AWS account ID must be specified in the policy
D.The IAM policy in the external account must allow the action
E.Service control policies (SCPs) must allow the action
AnswersA, C, D

The resource must grant access to the external account.

Why this answer

Option A is correct because for cross-account access using resource-based policies (e.g., S3 bucket policies, KMS key policies), the resource-based policy must explicitly grant access to the external AWS account. This allows the external account's IAM principals to access the resource, provided the external account's IAM policy also permits the action. Without this allowance in the resource-based policy, the external account cannot access the resource, even if its own IAM policies allow it.

Exam trap

Cisco often tests the misconception that only one policy (either resource-based or identity-based) is sufficient for cross-account access, but in reality both the resource-based policy and the external account's IAM policy must allow the action.

1189
MCQeasy

A company wants to protect sensitive data stored in an Amazon EBS volume. The volume is attached to an EC2 instance. Which action should be taken to ensure data at rest is encrypted?

A.Enable encryption on the existing EBS volume
B.Use an instance store volume that supports encryption
C.Encrypt the data at the application layer before writing to the volume
D.Enable EBS encryption by default for the region and create a new encrypted volume
AnswerD

Correct: Enabling EBS encryption by default encrypts new volumes.

Why this answer

Option D is correct because you can enable EBS encryption by default for the region, which automatically encrypts new volumes. Option A is wrong because you cannot encrypt an existing volume directly; you must create a snapshot and restore. Option B is wrong because encryption at the application layer is not a storage encryption method.

Option C is wrong because instance store volumes are not persistent and encryption is not managed by EBS.

1190
MCQhard

A company uses AWS Organizations and wants to restrict the use of specific AWS services in member accounts. For example, they want to block the use of Amazon Redshift. Which policy type should be used?

A.Service control policies (SCPs)
B.IAM permissions boundaries
C.IAM identity-based policies
D.S3 bucket policies
AnswerA

SCPs can deny services across all accounts in an organization.

Why this answer

Service control policies (SCPs) can deny access to services at the organization level. Option B is correct. Option A (IAM permissions boundaries) are per-entity.

Option C (IAM policies) are per-identity. Option D (Resource-based policies) are per-resource.

1191
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy type should be used?

A.IAM policy
B.Network ACL
C.VPC Endpoint policy
D.S3 bucket policy with aws:SourceVpc condition
AnswerD

This condition restricts access to requests originating from a specific VPC.

Why this answer

Option B is correct because an S3 bucket policy with a condition for aws:SourceVpc can restrict access to a VPC. Option A is wrong because IAM policies grant permissions to users, not network restrictions. Option C is wrong because VPC Endpoint policies control actions on the endpoint, not the bucket.

Option D is wrong because NACLs are for subnets, not S3.

1192
MCQeasy

A company needs to grant cross-account access to an S3 bucket in Account A to users in Account B. What is the recommended approach?

A.Attach an IAM role to Account B's users.
B.Add a bucket policy in Account A that grants access to the IAM user ARNs from Account B.
C.Make the bucket public.
D.Create an IAM user in Account A and share the credentials with Account B users.
AnswerB

Bucket policy can grant cross-account access to specific IAM principals.

Why this answer

Option B is correct because a bucket policy in Account A can explicitly grant cross-account access to IAM user ARNs from Account B. This is the recommended approach for granting access to an S3 bucket across AWS accounts, as it avoids managing additional IAM users or roles and leverages the resource-based policy directly on the bucket. The bucket policy must specify the `Principal` element with the AWS account ID of Account B and the `Action` and `Resource` for the S3 operations, allowing Account B's IAM users to access the bucket after they have appropriate permissions in their own account.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and incorrectly think that a bucket policy cannot grant access to users in another account, or they mistakenly believe that an IAM role must be created in the target account for cross-account access.

How to eliminate wrong answers

Option A is wrong because attaching an IAM role to Account B's users is not a valid operation; IAM roles are attached to AWS resources or assumed by users, not directly attached to users in another account. The correct approach would be for Account B's users to assume a cross-account role, but that requires a role in Account A with a trust policy, not attaching a role to users. Option C is wrong because making the bucket public grants access to anyone on the internet, which violates the principle of least privilege and is not a secure cross-account access method.

Option D is wrong because creating an IAM user in Account A and sharing credentials with Account B users introduces security risks (e.g., credential leakage, lack of audit trail) and is not a scalable or recommended practice for cross-account access.

1193
MCQmedium

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

A.Place all tiers in public subnets and use security groups to restrict traffic.
B.Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
C.Place the web and app tiers in public subnets and the database in a private subnet.
D.Place all tiers in private subnets and use a single security group to allow traffic between them.
AnswerB

This ensures isolation and encryption can be applied at the application layer.

Why this answer

Option B is correct because it places the web tier in a public subnet with an Internet Gateway (IGW) for internet-facing access, while the application and database tiers reside in private subnets with no direct internet path. Separate security groups enforce least-privilege: the web tier security group allows inbound HTTP/HTTPS (ports 80/443) from 0.0.0.0/0, the app tier security group allows inbound traffic only from the web tier security group (using a security group reference), and the database tier security group allows inbound traffic only from the app tier security group. This ensures encryption (e.g., TLS for web-to-app, and database-native encryption like TLS or AWS RDS encryption in transit) and complete isolation of the internal tiers.

Exam trap

The trap here is that candidates assume security groups alone can isolate tiers in public subnets, ignoring that public subnets have a direct route to the internet via the IGW, which bypasses security group restrictions for inbound traffic from the internet.

How to eliminate wrong answers

Option A is wrong because placing all tiers in public subnets exposes the application and database tiers directly to the internet, violating the isolation requirement; security groups alone cannot prevent the public routing path. Option C is wrong because placing the app tier in a public subnet exposes it to the internet, contradicting the requirement that the application tier be isolated and only accessible by the web tier. Option D is wrong because placing all tiers in private subnets makes the web tier inaccessible from the internet (no IGW or NAT device for inbound traffic), and using a single security group fails to enforce tier-specific access controls.

1194
MCQhard

A company stores sensitive data in Amazon DynamoDB and uses AWS KMS with a customer managed key for encryption. The security team wants to ensure that only specific applications can access the table data. Which policy configuration should be used?

A.In the KMS key policy, allow the application role to perform kms:Decrypt.
B.In the KMS key policy, allow the role to decrypt with a condition kms:ViaService = dynamodb.<region>.amazonaws.com.
C.Use a KMS grant to allow the application to use the key.
D.Attach an IAM policy to the application role allowing dynamodb:GetItem and kms:Decrypt.
AnswerB

This restricts key usage to requests coming from DynamoDB.

Why this answer

Option C is correct because using kms:ViaService restricts key usage to DynamoDB, and the key policy grants decrypt to the role. Option A is wrong because IAM policy alone is insufficient; the key policy must allow. Option B is wrong because it doesn't restrict to DynamoDB.

Option D is wrong because grants are not typically used for service-level restrictions.

1195
MCQhard

A security engineer runs the CLI command above to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?

A.A federated user performed the console login.
B.An AWS service performed the console login.
C.An IAM user in the account performed the console login.
D.The AWS account root user performed the console login.
AnswerD

The userIdentity indicates root user.

Why this answer

Option B is correct because the principalId and arn show the root user of account 123456789012. Option A is wrong because it is the root user, not an IAM user. Option C is wrong because it is the root user, not a federated user.

Option D is wrong because the root user is not a service.

1196
MCQhard

A security engineer is designing a network segmentation strategy for a VPC that hosts sensitive data. The engineer needs to ensure that EC2 instances in a private subnet can communicate with an RDS database in a different private subnet, but cannot communicate with any other resources in the same VPC. Which configuration should be used?

A.Create a VPC peering connection between the subnets.
B.Configure security groups for the EC2 instances that only allow outbound traffic to the RDS security group, and RDS security group allows inbound from the EC2 security group.
C.Assign the same security group to both the EC2 instances and the RDS database.
D.Use network ACLs with deny rules for all traffic except between the two subnets.
AnswerB

Security groups provide instance-level granularity and stateful filtering.

Why this answer

Option D is correct because a combination of security groups and network ACLs can enforce least-privilege rules. Option A is wrong because VPC peering is for cross-VPC. Option B is wrong because a single security group shared would allow broader communication.

Option C is wrong because NACLs alone are not enough for instance-level granularity.

1197
Multi-Selecteasy

Which TWO services can be used to manage identity and access across multiple AWS accounts? (Choose TWO.)

Select 2 answers
A.Amazon Cognito
B.AWS Organizations
C.AWS Single Sign-On (SSO)
D.AWS Config
E.AWS CloudTrail
AnswersB, C

Organizations lets you manage policies across accounts.

Why this answer

Correct answers are B and D. AWS Organizations allows you to centrally manage accounts and apply SCPs. IAM is used per account.

AWS SSO (now IAM Identity Center) provides single sign-on across accounts. CloudTrail is auditing, not access management. Config is configuration management.

1198
MCQmedium

A company uses IAM roles for EC2 instances to access S3. A security audit reveals that some instances have roles with overly permissive policies. What is the BEST practice to scope down permissions while maintaining functionality?

A.Use S3 bucket policies instead of IAM policies
B.Attach the AdministratorAccess policy to the role and use S3 conditions
C.Create custom IAM policies that grant only the necessary S3 actions on specific buckets
D.Create a new instance profile with a more restrictive permissions boundary
AnswerC

Least privilege is best practice.

Why this answer

Option A is correct because the principle of least privilege is applied by granting only required actions on specific resources. Option B is wrong because S3 bucket policies are resource-based and can be used in addition. Option C is wrong because using the root user is insecure.

Option D is wrong because instance profiles are just containers for roles.

1199
MCQeasy

The above CLI output shows the encryption configuration for an S3 bucket. What type of encryption is enabled by default?

A.SSE-C
B.Client-side encryption
C.SSE-KMS
D.SSE-S3
AnswerD

SSE-S3 uses AES256 encryption.

Why this answer

Option B is correct because AES256 refers to SSE-S3 encryption. Option A is incorrect because SSE-KMS uses 'aws:kms'. Option C is incorrect because SSE-C is not set by default.

Option D is incorrect because client-side encryption is not a server-side feature.

1200
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to centralize threat detection and automatically remediate high-severity GuardDuty findings across all accounts. What is the MOST efficient way to achieve this?

A.Enable GuardDuty in the management account and designate a delegated administrator to manage findings across all accounts
B.Create a Lambda function that enables GuardDuty in each account using cross-account IAM roles
C.Configure Amazon EventBridge to forward findings from each account to a central account
D.Use AWS Security Hub and enable GuardDuty in each account separately
AnswerA

GuardDuty organization-level management automates enablement and centralizes findings.

Why this answer

Option A is correct because GuardDuty can be enabled at the organization level, and findings are sent to a delegated administrator account. Option B is wrong because enabling manually in each account is inefficient. Option C is wrong because Security Hub aggregates findings but does not enable GuardDuty automatically.

Option D is wrong because EventBridge alone does not enable GuardDuty across accounts.

Page 15

Page 16 of 24

Page 17