AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1201-1275

1738 questions total · 24 pages · All types, answers revealed

Page 17 of 24
1201
MCQ · easy

A security team needs to detect unauthorized API calls made from a compromised IAM user. Which AWS service should be used to monitor and alert on specific API activities?

A. AWS CloudTrail
B. AWS Config
C. Amazon GuardDuty
D. VPC Flow Logs
Answer: A

CloudTrail logs all API calls for auditing and monitoring.

Why this answer

CloudTrail logs all API calls and can be used with CloudWatch Alarms to trigger alerts on specific actions. Option B is correct because CloudTrail is designed for API activity monitoring. Option A is wrong because Config tracks resource configuration changes, not API calls.

Option C is wrong because GuardDuty is for threat detection, not specific API monitoring. Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

1202
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the production account must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

A. Use an SCP to deny access to the AWS Management Console unless MFA is present. Attach the SCP to the production OU.
B. Disable password-based access for all IAM users and require federation with an identity provider that enforces MFA.
C. Enable MFA on the root user and apply a password policy that requires MFA.
D. Create an IAM policy that denies all console actions unless MFA is present. Attach the policy to the IAM group that contains all production users.
Answer: D

This policy ensures that after login, without MFA, users cannot perform any console actions; combined with requiring MFA for sensitive actions, it effectively enforces MFA for console access.

Why this answer

Option D is correct because an IAM policy with a condition that denies all console actions unless MFA is present can be attached to an IAM group containing all production users. This enforces MFA at the user level within the account, directly meeting the requirement to ensure all IAM users in the production account must use MFA to access the AWS Management Console.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can enforce MFA for console access within an account, but SCPs apply at the organizational level and cannot target specific IAM users or groups within an account.

How to eliminate wrong answers

Option A is wrong because SCPs cannot deny access to the AWS Management Console specifically; they deny actions on AWS resources, and the condition for MFA in an SCP would apply to all accounts in the OU, not just the production account's IAM users. Option B is wrong because disabling password-based access and requiring federation with an identity provider that enforces MFA is a valid approach but not listed as a combination of actions that the security team can take directly within the production account; it requires external setup and does not enforce MFA for existing IAM users. Option C is wrong because enabling MFA on the root user and applying a password policy that requires MFA does not enforce MFA for all IAM users; the root user MFA is separate, and password policies cannot enforce MFA for console access.

1203
MCQ · hard

A company uses AWS Lambda functions to process sensitive data. The security team wants to ensure that if a Lambda function is compromised, the attacker cannot use the function's IAM role to access other AWS resources. The team has implemented the principle of least privilege by restricting the IAM role's permissions. However, they are concerned about a scenario where an attacker could use the Lambda function to execute AWS API calls that are not intended by the application. What additional measure should the team implement to reduce the risk of such lateral movement?

A. Use AWS IAM Access Analyzer to generate and refine the IAM policy based on actual usage.
B. Enable AWS CloudTrail data events for the Lambda function.
C. Attach a service control policy (SCP) that denies all actions except those explicitly allowed.
D. Place the Lambda function inside a VPC with no internet access.
Answer: A

Helps create least privilege policies by analyzing usage patterns.

Why this answer

Option A is correct because AWS IAM Access Analyzer can generate IAM policies based on the actual API calls made by the Lambda function over a specified period. By reviewing and refining the policy to include only those actions, the team can further tighten least privilege beyond manual estimation, reducing the risk that an attacker could abuse unintended API calls. This directly addresses the concern of lateral movement by ensuring the function's role cannot perform actions not observed in normal operation.

Exam trap

The trap here is that candidates may confuse service control policies (SCPs) with IAM permissions boundaries or think they can be applied to individual resources, when in fact SCPs only affect accounts in an organization and cannot be attached to a Lambda function.

How to eliminate wrong answers

Option B is wrong because enabling CloudTrail data events for the Lambda function only provides logging of invocations and does not restrict the function's IAM role permissions or prevent an attacker from making unintended API calls. Option C is wrong because service control policies (SCPs) apply at the AWS Organizations level to accounts or organizational units, not to individual Lambda functions or their IAM roles; they cannot be attached directly to a function to limit its permissions. Option D is wrong because placing the Lambda function inside a VPC with no internet access restricts network connectivity but does not prevent the function from using its IAM role to call AWS APIs via the AWS private network or VPC endpoints; the attacker could still make API calls to other AWS services.

1204
MCQ · medium

A security engineer is reviewing an AWS account and notices that multiple IAM users have full administrative access. The company policy requires that users have only the permissions necessary to perform their job. What is the MOST secure and efficient way to enforce this policy?

A. Create an IAM policy that denies all actions except those specifically allowed, and attach it to each user.
B. Use an IAM group for each job function, attach appropriate managed policies to the group, and add users to the group.
C. Use an SCP in AWS Organizations to deny all actions by default.
D. Assign an inline policy to each user that specifies allowed actions.
Answer: B

This is the best practice for managing permissions at scale.

Why this answer

Using IAM groups and attaching managed policies to them allows centralized permission management and simplifies the principle of least privilege.

1205
Multi-Select · easy

A company wants to protect data stored in Amazon S3 Glacier. The data must be encrypted at rest and the encryption keys must be rotated annually. Which TWO options meet these requirements?

Select 2 answers
A. Use SSE-KMS with a customer-managed key that has automatic key rotation enabled.
B. Use AWS CloudHSM to generate a key and encrypt data before uploading to Glacier.
C. Use client-side encryption with the Amazon S3 encryption client.
D. Use SSE-C with keys stored in AWS Secrets Manager and rotate keys annually.
E. Use the default encryption provided by S3 Glacier (SSE-S3).
Answers: A, E

KMS CMK with automatic rotation meets the requirement.

Why this answer

Option A is correct because Glacier automatically encrypts data at rest using SSE-S3 with keys rotated annually by AWS. Option C is correct because SSE-KMS with automatic key rotation also meets the requirement. Option B is wrong because SSE-C does not provide automatic rotation.

Option D is wrong because CloudHSM requires manual rotation. Option E is wrong because client-side encryption does not use S3's server-side encryption.

1206
MCQ · medium

A company uses an AWS Network Firewall to inspect traffic between subnets in a VPC. The security team wants to ensure that all traffic from the web tier to the database tier passes through the firewall. The web servers are in subnet A, and the database servers are in subnet B. What routing configuration is required?

A. Add a route in the route table associated with subnet A that sends all traffic to the firewall endpoint.
B. Add a route in the route table for subnet A with destination subnet B CIDR and target the firewall endpoint. Add a similar route in subnet B's route table with destination subnet A CIDR and target the firewall endpoint.
C. Add a route in the route table associated with subnet B that sends all traffic to the firewall endpoint.
D. Associate both subnets with the same route table and add a route to the firewall endpoint for all traffic.
Answer: B

This ensures both directions go through the firewall.

Why this answer

Option C is correct because you need a route table for subnet A that sends traffic destined for subnet B to the firewall endpoint, and a route table for subnet B that sends return traffic to the firewall. Options A and B are wrong because they don't route return traffic properly. Option D is wrong because you need two route tables.

1207
Multi-Select · medium

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive documents. The bucket is accessed by multiple IAM users and roles. Which TWO actions will help protect the data at rest and in transit?

Select 2 answers
A. Enable S3 Access Logs and send them to a separate account
B. Add a bucket policy that denies requests without aws:SecureTransport
C. Enable MFA Delete on the S3 bucket
D. Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS
E. Use pre-signed URLs for all access
Answers: B, D

This enforces HTTPS for data in transit.

Why this answer

Options A and C are correct. Enabling default encryption (A) ensures data at rest is encrypted. Enforcing HTTPS (C) protects data in transit.

Option B is incorrect because MFA delete does not protect data in transit or at rest. Option D is incorrect because S3 Access Logs are for auditing, not protection. Option E is incorrect because pre-signed URLs still use HTTPS if enforced, but they do not protect data at rest.

1208
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to automatically receive alerts when an IAM user attempts to access resources they do not have permissions for, across all accounts. Which combination of services should be used?

A. Amazon Inspector and AWS Lambda
B. AWS Config and Amazon SNS
C. AWS CloudTrail and Amazon CloudWatch Logs
D. Amazon GuardDuty and AWS Security Hub
Answer: D

GuardDuty detects threats; Security Hub aggregates findings and can send alerts via SNS.

Why this answer

Amazon GuardDuty continuously monitors for suspicious activity, including unauthorized API calls or failed access attempts, across all accounts in an AWS Organization. Security Hub aggregates these findings from GuardDuty and other services, enabling automated alerts via integrations like Amazon SNS or AWS Chatbot. Together, they provide a centralized, cross-account threat detection and alerting solution that meets the requirement of notifying the security team when IAM users attempt unauthorized resource access.

Exam trap

The trap here is that candidates often choose CloudTrail and CloudWatch Logs (Option C) because they know CloudTrail logs API calls, but they overlook that GuardDuty and Security Hub provide automated, cross-account threat detection and aggregation without requiring custom metric filters and manual setup for every account.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposure, not for monitoring IAM user access attempts or authorization failures. Option B is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not monitor or detect unauthorized API calls or access attempts by IAM users. Option C is wrong because AWS CloudTrail logs API calls and CloudWatch Logs can store and alert on those logs, but this combination requires custom metric filters and alarms to detect unauthorized access attempts; it lacks the built-in, automated threat detection and cross-account aggregation that GuardDuty and Security Hub provide, making it less efficient and more error-prone for this specific use case.

1209
MCQ · hard

A company uses AWS KMS to encrypt secrets stored in AWS Secrets Manager. The security team wants to audit all KMS key usage, including attempts to use the key without proper authorization. Which AWS service should the team use to meet this requirement?

A. Amazon GuardDuty
B. AWS Config
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: C

CloudTrail records all KMS API operations for auditing.

Why this answer

Option B is correct because AWS CloudTrail logs all KMS API calls, including Decrypt, Encrypt, GenerateDataKey, and any authorization failures. Option A is wrong because CloudWatch Logs is for monitoring log data, not for capturing API calls. Option C is wrong because Amazon GuardDuty is a threat detection service that does not log KMS API calls.

Option D is wrong because AWS Config tracks resource configuration changes, not API calls.

1210
Multi-Select · easy

A security engineer needs to ensure that all changes to IAM policies in an AWS account are logged and that the logs are immutable and cannot be deleted by any user, including the root user. Which actions should the engineer take? (Choose two.)

Select 2 answers
A. Enable default encryption with AWS KMS on the bucket.
B. Enable AWS CloudTrail to log IAM events.
C. Enable S3 Versioning on the bucket.
D. Enable multi-factor authentication (MFA) delete on the S3 bucket.
E. Enable S3 Object Lock in compliance mode on the bucket.
Answers: B, E

CloudTrail records all IAM API calls.

Why this answer

Correct options: A (CloudTrail) and D (S3 Object Lock). CloudTrail logs IAM policy changes. S3 Object Lock prevents log deletion.

Option B is wrong because MFA does not prevent deletion. Option C is wrong because S3 versioning alone does not prevent deletion. Option E is wrong because KMS encryption does not prevent deletion.

1211
MCQ · medium

A company is using AWS CloudFormation to deploy infrastructure. Which method ensures that sensitive data, such as database passwords, is not exposed in the template or outputs?

A. Use the 'NoEcho' property on the password parameter.
B. Store the password in the template outputs.
C. Hardcode the password in the template and use the 'NoEcho' property.
D. Use a dynamic reference to a Systems Manager Parameter Store parameter.
Answer: D

Dynamic references retrieve secrets securely.

Why this answer

Using dynamic references to AWS Systems Manager Parameter Store or Secrets Manager keeps secrets out of templates. Option B is correct. Hardcoding (A) exposes secrets.

Outputs (C) are visible to anyone who can describe the stack. NoEcho (D) masks the value in the console but does not keep it out of the template or the API.
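The explanation above lists three ways a template can leak a secret (a password parameter without NoEcho, an Output that returns it, and a value hardcoded in a resource property) and one safe pattern (a dynamic reference). The following Python check is an added example, not code from the page or from any AWS tool, that flags those three exposures in a template's JSON form and accepts the `{{resolve:ssm-secure:...}}` and `{{resolve:secretsmanager:...}}` dynamic-reference forms. The templates, the parameter names and the SSM path `/prod/db/password` are constructed for the example.

```python
import re

# Dynamic references resolve at deploy time and never land in the template body.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):[^}]+\}\}$")
# Names that suggest a property or parameter holds secret material.
SECRET_NAME = re.compile(r"password|secret|token", re.IGNORECASE)

# Constructed template showing the exposure paths the question describes:
# a plain String parameter (no NoEcho) that is also echoed back as an Output.
EXPOSED_TEMPLATE = {
    "Parameters": {"DBPassword": {"Type": "String"}},
    "Resources": {
        "DB": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"MasterUserPassword": {"Ref": "DBPassword"}}},
    },
    "Outputs": {"DBPass": {"Value": {"Ref": "DBPassword"}}},
}

# Constructed template using the recommended pattern: the password is pulled
# from a SecureString parameter through a dynamic reference, and the only
# Output is the endpoint address.
SAFE_TEMPLATE = {
    "Resources": {
        "DB": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"MasterUserPassword":
                              "{{resolve:ssm-secure:/prod/db/password:1}}"}},
    },
    "Outputs": {"Endpoint": {"Value": {"Fn::GetAtt": ["DB", "Endpoint.Address"]}}},
}


def _refs(node):
    """Yield every logical name referenced through Ref or ${Name} in Fn::Sub."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            text = sub if isinstance(sub, str) else sub[0]
            yield from re.findall(r"\$\{([A-Za-z0-9]+)\}", text)
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)


def find_secret_exposures(template: dict) -> list:
    """Return human-readable findings for secret material that would be
    visible in the template body, the stack's parameters, or its outputs."""
    findings = []
    params = template.get("Parameters", {})
    secret_params = {name for name in params if SECRET_NAME.search(name)}

    # 1. A secret parameter without NoEcho is shown in the console and API.
    for name in sorted(secret_params):
        if not params[name].get("NoEcho"):
            findings.append(f"parameter {name} lacks NoEcho")

    # 2. An Output that returns a secret parameter exposes it regardless of NoEcho.
    for out_name, out in template.get("Outputs", {}).items():
        for ref in _refs(out):
            if ref in secret_params:
                findings.append(f"output {out_name} exposes parameter {ref}")

    # 3. A literal in a *Password/*Secret property is stored in the template
    #    itself, unless it is a dynamic reference resolved at deploy time.
    for res_name, res in template.get("Resources", {}).items():
        for prop, value in res.get("Properties", {}).items():
            if (SECRET_NAME.search(prop) and isinstance(value, str)
                    and not DYNAMIC_REF.match(value)):
                findings.append(f"resource {res_name} hardcodes {prop}")
    return findings


if __name__ == "__main__":
    for finding in find_secret_exposures(EXPOSED_TEMPLATE):
        print("EXPOSED:", finding)
    print("SAFE:", find_secret_exposures(SAFE_TEMPLATE))
```

The check deliberately keeps reporting an Output that returns a NoEcho parameter, which is the point the explanation makes: NoEcho masks the value in the console but does not stop it being returned through the template or the API, so only the dynamic-reference form removes the secret from the template altogether.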

1212
MCQ · hard

A company uses AWS Organizations and wants to centralize security logs from all member accounts into a single S3 bucket in the management account. The bucket policy allows only the management account's root user to write objects. However, logs are not being delivered from member accounts. What is the MOST likely cause?

A. S3 Transfer Acceleration is not enabled.
B. VPC endpoints are not configured for the logging service.
C. The S3 bucket uses an AWS KMS key, and the key policy does not grant decrypt permissions to the logging service.
D. The bucket policy denies write access to all principals except the management account's root user, preventing cross-account writes.
Answer: D

The bucket policy must allow the logging service principal (e.g., cloudtrail.amazonaws.com) to write objects, or allow the member account.

Why this answer

Option D is correct because S3 bucket policies that restrict writes to a specific root user will deny cross-account writes even if the logging service assumes a role. The logging service (e.g., CloudTrail, Config) in a member account must be able to write to the central bucket; the bucket policy must grant permissions to the logging service's service principal or to the member account. Option A is wrong because S3 Transfer Acceleration is not required.

Option B is wrong because KMS key policies might be an issue, but the question states the bucket policy is the restriction. Option C is wrong because VPC endpoints are not required for logging.

1213
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to enforce that all S3 PUT requests include an encryption context that matches a specific key-value pair. Which S3 bucket policy condition key should be used?

A. kms:EncryptionContextKeys
B. kms:ViaService
C. s3:x-amz-server-side-encryption
D. s3:PutObjectEncryption
Answer: A

This condition key enforces that the encryption context includes specific key-value pairs.

Why this answer

Option C is correct because kms:EncryptionContextKeys is the condition key that allows you to require a specific encryption context in KMS operations. Option A is wrong because s3:x-amz-server-side-encryption is for requiring SSE. Option B is wrong because kms:ViaService is for restricting KMS usage to a specific AWS service.

Option D is wrong because s3:PutObjectEncryption is not a valid condition key.

1214
MCQ · easy

Refer to the exhibit. A security engineer runs the command shown and gets the output. What does this output indicate about the bucket's encryption configuration?

A. The bucket does not allow unencrypted objects.
B. The bucket has default encryption enabled using SSE-KMS.
C. The bucket requires all objects to be encrypted with SSE-KMS.
D. The bucket has default encryption enabled using SSE-S3.
Answer: D

AES256 indicates SSE-S3.

Why this answer

The output shows default encryption is set to SSE-S3 (AES256). This means new objects will be encrypted with SSE-S3 unless a different encryption header is provided. Option A is correct.

Option B is wrong because it's SSE-S3, not SSE-KMS. Option C is wrong because default encryption does not prevent client-side encryption. Option D is wrong because the bucket does not enforce SSE-KMS.

1215
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon DynamoDB. The table has a TTL attribute that triggers automatic deletion of expired items. The security team is concerned that deleted items may still be recoverable. What should the team do to ensure that deleted items are cryptographically erased and cannot be recovered?

A. Delete the KMS customer master key (CMK) used to encrypt the table after verifying no other data depends on it.
B. Disable the KMS key to prevent decryption of deleted items.
C. Configure DynamoDB TTL to encrypt the items before deletion.
D. Create a backup of the table and then delete the table.
Answer: A

Deleting the CMK renders the encrypted data unrecoverable, providing cryptographic erasure.

Why this answer

Option A is correct. To cryptographically erase data, you must delete the KMS key that was used to encrypt it. However, deleting a KMS key is irreversible and may affect other data.

Option B is wrong because disabling the key prevents decryption, but the encrypted data still exists. Option C is wrong because the TTL deletion does not encrypt the data. Option D is wrong because DynamoDB backups are separate; you need to delete the key or the data.

1216
MCQ · easy

A company is using AWS WAF to protect a web application. The security team wants to receive alerts when a specific rule block is triggered. Which AWS service should they use to achieve this?

A. Amazon EventBridge
B. CloudWatch Alarms with SNS
C. Amazon S3
D. Amazon SNS
Answer: B

CloudWatch Alarms monitor WAF metrics and send notifications via SNS.

Why this answer

AWS WAF integrates with Amazon CloudWatch to provide metrics for each rule, including the 'BlockedRequests' count. By creating a CloudWatch Alarm on this metric, you can trigger an SNS notification when the threshold is exceeded, alerting the security team. This is the standard pattern for receiving alerts on WAF rule actions, as CloudWatch Alarms with SNS provide the necessary monitoring and notification pipeline.

Exam trap

The trap here is that candidates often confuse the notification mechanism (SNS) with the evaluation mechanism (CloudWatch Alarms), selecting SNS alone without recognizing that CloudWatch Alarms are required to evaluate the WAF metric and trigger the notification.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge is used for event-driven architectures to route events from various sources to targets, but it does not natively evaluate metric thresholds or generate alerts based on WAF rule triggers without additional custom logic. Option C is wrong because Amazon S3 is an object storage service and cannot evaluate metrics or send alerts; it can only store logs or data. Option D is wrong because Amazon SNS alone is a notification service that requires a publisher to send messages; without a CloudWatch Alarm to evaluate the WAF metric and publish to the SNS topic, no alert will be generated.

1217
MCQ · easy

A security engineer needs to ensure that all S3 buckets in an AWS account have server access logging enabled. Which AWS service should be used to continuously monitor for compliance?

A. AWS Config
B. Amazon GuardDuty
C. AWS IAM Access Analyzer
D. AWS CloudTrail
Answer: A

AWS Config has managed rules like 's3-bucket-logging-enabled' to check for server access logging.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of your AWS resource configurations against desired policies. You can create an AWS Config rule, such as the managed rule 's3-bucket-server-access-logging-enabled', which will automatically check all S3 buckets in your account and report any that do not have server access logging enabled, flagging them as noncompliant. This allows for ongoing, automated compliance auditing without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config with AWS CloudTrail, mistakenly thinking that CloudTrail's logging of API calls can be used to continuously monitor compliance, but CloudTrail only records events and does not evaluate the current state of resources against a desired configuration.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events to identify malicious activity; it does not evaluate resource configurations for compliance with logging requirements. Option C (AWS IAM Access Analyzer) is wrong because it focuses on identifying resources shared with external entities by analyzing resource-based policies (e.g., S3 bucket policies), not on verifying whether server access logging is enabled. Option D (AWS CloudTrail) is wrong because CloudTrail records API calls made in your account for auditing and governance, but it does not continuously monitor the configuration state of S3 buckets to enforce compliance with logging settings.

1218
Multi-Select · easy

A company needs to ensure that its S3 buckets are not publicly accessible. Which TWO AWS services can be used to detect and report on public S3 buckets? (Choose two.)

Select 2 answers
A. Amazon GuardDuty
B. AWS Trusted Advisor
C. AWS Config
D. AWS CloudTrail
E. Amazon Inspector
Answers: B, C

Correct: Trusted Advisor checks for publicly accessible S3 buckets.

Why this answer

AWS Trusted Advisor (option B) checks S3 bucket permissions and reports any bucket that has open access policies, including public read or write access. AWS Config (option C) can evaluate S3 bucket policies against custom or managed rules (e.g., s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited) to detect noncompliant buckets and trigger remediation. Both services provide detection and reporting capabilities for public S3 buckets.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty's threat detection capabilities with S3 bucket policy auditing, but GuardDuty does not evaluate bucket permissions for public access; it only detects suspicious API activity after the fact.

1219
MCQ · hard

Refer to the exhibit. A security engineer runs the IAM Policy Simulator with the provided policy input. The result shows 'explicitDeny' for ec2:RunInstances even though the policy only contains an Allow. What is the most likely reason?

A. The user has an attached policy or SCP that explicitly denies ec2:RunInstances.
B. The policy input has a syntax error.
C. The simulate-custom-policy command does not support ec2:RunInstances.
D. The resource ARN is incorrect for ec2:RunInstances.
Answer: A

Explicit deny overrides Allow; other policies may be causing the deny.

Why this answer

Option B is correct because an explicit deny can come from other policies attached to the user or from a service control policy (SCP). The simulate-custom-policy command evaluates only the policy input you provide, but if the user has other policies or SCPs in effect, they may deny the action. Option A is unlikely because the resource ARN is not the issue.

Option C is not shown. Option D is incorrect because the policy syntax is valid.

1220
Multi-Select · medium

A security engineer is configuring AWS CloudTrail to monitor data events for S3 objects. Which TWO of the following must be enabled to log object-level operations? (Select TWO.)

Select 2 answers
A. Enable data events in the CloudTrail trail.
B. Enable S3 server access logs on the bucket.
C. Enable management events in the CloudTrail trail.
D. Enable S3 Object Lambda.
E. Specify the S3 bucket ARN or prefix in the trail configuration.
Answers: A, E

Data events capture object-level operations.

Why this answer

Option A is correct because CloudTrail data events capture S3 object-level operations such as GetObject, PutObject, and DeleteObject. To enable this, you must explicitly select 'Data events' in the CloudTrail trail configuration, as management events only cover bucket-level operations like CreateBucket.

Exam trap

The trap here is that candidates often confuse management events (which log bucket-level actions) with data events (which log object-level actions), leading them to select Option C instead of recognizing that both data events and a specific bucket ARN or prefix are required.

1221
MCQ · medium

Refer to the exhibit. An AWS Config rule 's3-bucket-ssl-requests-only' evaluates whether S3 buckets deny HTTP requests. The exhibit shows the evaluation result and the bucket policy. Why is the bucket marked as NON_COMPLIANT despite having a Deny policy for HTTP requests?

A. The bucket policy is missing the 'aws:SecureTransport': 'false' condition for the bucket resource (without /*).
B. The policy uses 'Deny' but the rule expects an 'Allow' statement for HTTPS only.
C. The bucket policy only denies HTTP requests to objects, not to the bucket itself.
D. The annotation says 'Bucket does not have a policy that denies HTTP requests.' but the policy does have one, so this is a false positive.
Answer: A

The rule may check that the bucket itself (not just its objects) denies HTTP requests, and the policy shown only covers objects. Adding the bucket ARN 'arn:aws:s3:::my-bucket' to the Deny statement's resources would make the bucket compliant.

Why this answer

The Config rule likely evaluates the bucket-level policy. The current policy only denies HTTP requests to objects (/*), not to the bucket itself. To be compliant, the bucket must also have a Deny for the bucket resource ARN without the /*.
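Questions 1207 and 1221 both turn on the aws:SecureTransport Deny statement, and 1221 on the detail that it must cover the bucket ARN as well as the bucket's objects. The following Python is an added example, not code from the page or from AWS Config, that applies the compliance condition as the explanation above states it (both `arn:aws:s3:::my-bucket` and `arn:aws:s3:::my-bucket/*` must be denied for non-TLS requests) and produces the corrected policy. The bucket policy is constructed to match the page's description; the bucket name `my-bucket` is the one the page uses.

```python
import json

# Constructed bucket policy matching the page's exhibit description: HTTP is
# denied for objects (the /* resource) but not for the bucket ARN itself.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_http_deny(stmt: dict) -> bool:
    """True for a statement that denies every principal all S3 actions when
    the request did not use TLS (aws:SecureTransport is false)."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    if str(cond.get("aws:SecureTransport", "")).lower() != "false":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & {"s3:*", "*"})


def resources_denied_over_http(policy: dict) -> set:
    """Collect the Resource ARNs covered by qualifying Deny statements."""
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if _is_http_deny(stmt):
            covered.update(_as_list(stmt.get("Resource")))
    return covered


def is_ssl_requests_only_compliant(policy: dict, bucket: str) -> bool:
    """The condition the page describes for s3-bucket-ssl-requests-only:
    the bucket ARN and its objects (ARN/*) must both be denied over HTTP."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    covered = resources_denied_over_http(policy)
    return bucket_arn in covered and f"{bucket_arn}/*" in covered


def add_bucket_level_deny(policy: dict, bucket: str) -> dict:
    """Return a deep copy of the policy in which every qualifying Deny
    statement also covers the bucket ARN, the fix the page suggests."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the input is untouched
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(fixed.get("Statement")):
        if _is_http_deny(stmt):
            resources = set(_as_list(stmt.get("Resource")))
            resources.update({bucket_arn, f"{bucket_arn}/*"})
            stmt["Resource"] = sorted(resources)
    return fixed


if __name__ == "__main__":
    print("compliant before:", is_ssl_requests_only_compliant(OBJECTS_ONLY_POLICY, "my-bucket"))
    fixed = add_bucket_level_deny(OBJECTS_ONLY_POLICY, "my-bucket")
    print("compliant after: ", is_ssl_requests_only_compliant(fixed, "my-bucket"))
    print(json.dumps(fixed, indent=2))
```

Listing both ARNs matters in practice as well as for the rule: bucket-level calls such as ListBucket are authorised against the bucket ARN, so a Deny that names only `/*` still lets a plain-HTTP listing through.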

1222
MCQ · hard

A security team wants to centrally collect and analyze VPC Flow Logs from multiple AWS accounts for security monitoring. Which solution is MOST scalable and cost-effective?

A. Aggregate logs in an EC2 instance running an ELK stack.
B. Use Amazon Kinesis Data Firehose to stream logs to an S3 bucket and process with AWS Lambda.
C. Configure VPC Flow Logs to send to a centralized CloudWatch Logs account using cross-account subscriptions.
D. Use AWS Organizations to centralize logging by delivering VPC Flow Logs to a centralized S3 bucket and query with Amazon Athena.
Answer: D

This approach is scalable, cost-effective, and uses managed services.

Why this answer

Option D is correct because using AWS Organizations with a centralized S3 bucket and Amazon Athena allows scalable querying of VPC Flow Logs across accounts without additional data transfer costs. Option A is wrong because sending logs to a centralized CloudWatch Logs account from multiple accounts requires cross-account subscriptions and incurs data transfer costs. Option B is wrong because Kinesis Data Firehose with Lambda adds complexity and cost.

Option C is wrong because using an EC2 instance for log analysis is not scalable or cost-effective.

1223
MCQ · medium

A company is implementing a multi-account strategy using AWS Organizations. The security team wants to enforce that all newly created member accounts automatically have an IAM role that allows read-only access to the management account. Which configuration should be used?

A. Create an AWS Lambda function that listens for AWS CloudTrail CreateAccount events and creates the role in the new account.
B. Use AWS CloudFormation StackSets to deploy the role to all existing and future accounts.
C. Use an AWS Config managed rule to evaluate new accounts and trigger a remediation action to create the role.
D. Configure an SCP with the 'iam_role' setting to specify a role name and path to be automatically created in new accounts.
Answer: D

AWS Organizations supports automatic creation of a default IAM role in new member accounts via the 'iam_role' setting in an SCP.

Why this answer

Option B is correct because AWS Organizations allows you to create a service control policy (SCP) that specifies a default IAM role for new accounts. Option A is wrong because CloudFormation StackSets can deploy resources but not automatically create roles for new accounts. Option C is wrong because AWS Config rules evaluate existing resources but do not provision roles for new accounts.

Option D is wrong because AWS Lambda can be triggered by AWS CloudTrail events but is not the native mechanism for automatic role creation on new account creation.

1224
MCQ · hard

Refer to the exhibit. An IAM user has this policy attached. The user tries to download an object from the S3 bucket using the AWS CLI from an on-premises server with IP address 198.51.100.50. What will happen?

A. The request will succeed because the policy allows s3:GetObject.
B. The request will fail because the user must use HTTPS.
C. The request will fail because the user's IP is not in the allowed range.
D. The request will fail because the user must use MFA.
Answer: C

The condition restricts to 192.0.2.0/24.

Why this answer

Option D is correct because the policy allows s3:GetObject only if the request comes from the specified IP range. Since the user's IP is outside that range, the request will be denied. Option A is wrong because the policy does not allow all IPs.

Option B is wrong because there is no requirement for MFA. Option C is wrong because the policy does not require HTTPS; it only checks IP.
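Question 1224 (an Allow gated on aws:SourceIp) and question 1202 (a Deny gated on aws:MultiFactorAuthPresent) are both decided by how IAM condition operators and the deny-overrides-allow ordering combine. The following Python is an added example, not code from the page and not AWS's evaluation engine, that implements just enough of that logic (wildcard Action/Resource matching, the Bool, BoolIfExists, IpAddress and NotIpAddress operators, explicit deny over allow over implicit deny) to walk through both scenarios. Both policies, the object key `report.pdf` and the in-range address 192.0.2.17 are constructed for the example; the ranges 192.0.2.0/24 and the client address 198.51.100.50 are the ones the page uses.

```python
import fnmatch
import ipaddress

# Constructed policy for the Q1202 pattern: deny everything unless MFA was
# used. BoolIfExists counts a missing aws:MultiFactorAuthPresent key as a
# match, so a session with no MFA information is denied, not only one that
# reports "false".
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed policy for the Q1224 pattern: GetObject only from 192.0.2.0/24.
IP_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GetObjectFromOfficeRange",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """Wildcard-match an Action or Resource against a statement's patterns.
    IAM action names are case-insensitive; ARNs are compared as written."""
    if case_insensitive:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if case_insensitive else p)
               for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate the operators this example needs. Operator blocks are ANDed;
    the values listed under one key are ORed."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue      # ...IfExists: an absent key counts as a match
                return False      # plain operator: an absent key never matches
            actual, wanted = ctx[key], _as_list(wanted)
            if base == "Bool":
                ok = str(actual).lower() in {str(w).lower() for w in wanted}
            elif base in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                inside = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
                ok = inside if base == "IpAddress" else not inside
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' using IAM's ordering:
    any matching Deny wins, otherwise a matching Allow is required, and the
    default is deny. NotAction/NotResource and resource-based policies are
    outside this example's scope."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.pdf"
    # Q1224: the on-premises address is outside the allowed range.
    print(evaluate([IP_ALLOW_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.50"}))
    # Q1202: in range, but the session carries no MFA claim at all.
    print(evaluate([MFA_DENY_POLICY, IP_ALLOW_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "192.0.2.17"}))
```

The distinction between `implicitDeny` and `explicitDeny` is the one question 1219 relies on: a request that merely fails to match an Allow is implicitly denied, whereas `explicitDeny` means some Deny statement in the evaluated set matched, which is why the simulator can report an explicit deny for an action the supplied policy only allows. Swapping `BoolIfExists` for plain `Bool` in the MFA policy is the classic mistake; with plain `Bool`, a request whose context lacks the MFA key is not denied at all.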

1225
MCQ · medium

A company has enabled AWS CloudTrail in all regions and is delivering logs to a central S3 bucket. The security team needs to ensure that any attempt to delete or modify CloudTrail logs is detected and alerted. What should be done?

A. Enable S3 server access logging on the bucket and monitor for DELETE requests.
B. Enable S3 Object Lock in governance mode on the bucket.
C. Enable MFA Delete on the S3 bucket.
D. Use a bucket policy that denies s3:DeleteObject for all principals.
Answer: B

Object Lock prevents objects from being deleted or overwritten for a specified retention period.

Why this answer

Option B is correct because enabling S3 Object Lock on the bucket prevents deletion or modification of log files. Option C is wrong because MFA Delete alone does not prevent deletion by authorized users. Option A is wrong because S3 server access logs track access but do not prevent deletion.

Option D is wrong because bucket policies cannot prevent deletion by the bucket owner.

1226
Multi-Selecteasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no root user credentials are used for any account. Which TWO actions should be taken to enforce this?

Select 2 answers
A.Delete the root user from all accounts.
B.Use AWS Config rules to detect root user activity.
C.Create an IAM role that prevents root user actions.
D.Create a service control policy (SCP) that denies all actions for the root user.
E.Enable multi-factor authentication (MFA) on the root user.
AnswersD, E

SCP can deny root user actions across accounts.

Why this answer

Options D and E are correct. Option D: an SCP can deny all actions from the root user. Option E: the IAM password policy does not apply to the root user, but enabling multi-factor authentication (MFA) for the root user is a best practice.

Option A is wrong because deleting the root user is not possible. Option C is wrong because IAM roles cannot prevent root user actions. Option B is wrong because AWS Config cannot prevent root user usage.

1227
MCQeasy

A developer needs to access AWS resources from a mobile app. Which AWS service allows the app to obtain temporary credentials for authenticated users?

A.Amazon Cognito user pools
B.AWS IAM Identity Center (AWS SSO)
C.Amazon Cognito identity pools (federated identities)
D.AWS Key Management Service (AWS KMS)
AnswerC

Provides temporary AWS credentials for authenticated users.

Why this answer

Option C is correct because Amazon Cognito identity pools provide temporary AWS credentials for app users. Option A is wrong because Cognito user pools are for user directories and sign-in. Option B is wrong because IAM Identity Center is for single sign-on.

Option D is wrong because KMS is for key management.

1228
MCQeasy

A security engineer needs to ensure that an Amazon RDS for MySQL database is encrypted at rest. Which action should be taken?

A.Use a client-side encryption tool to encrypt data before writing to the database.
B.Use AWS KMS to encrypt individual databases within the instance.
C.Enable encryption on an existing unencrypted DB instance.
D.Create a new DB instance with encryption enabled.
AnswerD

RDS encryption is enabled at creation time; it encrypts the underlying storage.

Why this answer

Option D is correct because enabling encryption on the DB instance at creation time encrypts the database at rest. Option C is incorrect because encryption cannot be enabled on an existing unencrypted DB instance. Option B is incorrect because encryption is not applied per database.

Option A is incorrect because RDS encryption does not require a client-side tool.

1229
MCQeasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent any IAM user from creating access keys. Which type of policy should be used to enforce this control across all accounts?

A.Service Control Policy (SCP)
B.AWS CloudTrail trail
C.AWS Config managed rule
D.IAM permissions boundary
AnswerA

SCPs can deny actions across all accounts in an organization.

Why this answer

Option A is correct because a Service Control Policy (SCP) can be applied to the organization root or OUs to deny actions across all accounts. Option D is wrong because an IAM permissions boundary is an account-specific IAM policy and is not centrally managed. Option C is wrong because AWS Config rules can detect but not prevent.

Option B is wrong because CloudTrail is for logging, not enforcement.

1230
MCQeasy

A security engineer needs to capture all API calls made to AWS services for forensic analysis. Which AWS service should be used to store these logs durably and cost-effectively for long-term retention?

A.VPC Flow Logs
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerD

AWS CloudTrail logs all API calls and can deliver logs to S3.

Why this answer

Option D is correct because AWS CloudTrail logs all API calls and can be configured to deliver logs to an S3 bucket for durable, cost-effective storage. Option C is wrong because AWS Config records resource configuration changes, not API calls. Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

Option B is wrong because Amazon GuardDuty is a threat detection service, not a logging service.

1231
Multi-Selectmedium

Which TWO actions should a security engineer take to ensure that CloudTrail logs are protected from unauthorized deletion? (Choose two.)

Select 2 answers
A.Attach an S3 bucket policy that denies s3:DeleteObject to all principals except the CloudTrail service principal.
B.Enable S3 versioning on the log bucket.
C.Enable S3 default encryption with SSE-S3.
D.Configure CloudTrail to send logs to CloudWatch Logs.
E.Enable S3 MFA Delete on the log bucket.
AnswersA, E

This restricts deletion to only CloudTrail.

Why this answer

Option E is correct because enabling S3 MFA Delete requires MFA to delete objects. Option A is correct because a bucket policy denying s3:DeleteObject for all principals except the CloudTrail service ensures only CloudTrail can delete (which is rare). Option C is wrong because enabling SSE-S3 protects data at rest but not against deletion.

Option D is wrong because logging to CloudWatch does not prevent deletion. Option B is wrong because versioning alone does not prevent deletion (delete markers can be created).

1232
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. What is the most efficient way to enforce this across all accounts?

A.Create a service control policy (SCP) that denies modifications to CloudTrail settings.
B.Use AWS Trusted Advisor to check CloudTrail status and send alerts.
C.Configure each account individually with a CloudTrail trail pointing to the central bucket.
D.Use AWS Config rules in each account to detect non-compliant trails.
AnswerA

SCPs can prevent disabling CloudTrail or altering trail configurations across all accounts.

Why this answer

Option A is correct because an SCP in AWS Organizations can deny the actions that disable CloudTrail or modify trail settings, enforcing that CloudTrail remains enabled. Option C is wrong because it requires manual setup in each account. Option D is wrong because AWS Config can detect but not prevent disabling.

Option B is wrong because Trusted Advisor only monitors; it does not enforce.

1233
MCQeasy

A company wants to protect data at rest for an Amazon RDS for PostgreSQL database. Which AWS service should be used to manage the encryption keys?

A.AWS CloudHSM
B.AWS Key Management Service (KMS)
C.AWS Certificate Manager (ACM)
D.AWS Secrets Manager
AnswerB

KMS manages keys for RDS encryption.

Why this answer

Amazon RDS for PostgreSQL integrates with AWS Key Management Service (KMS) to enable encryption at rest. When you enable encryption for an RDS DB instance, KMS manages the customer master keys (CMKs) that encrypt the data keys used by the storage layer. This is the standard, fully managed key management service for RDS encryption, supporting automatic key rotation and fine-grained access control.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager (which manages secrets like passwords) with KMS (which manages encryption keys), leading them to select Secrets Manager for key management instead of the correct service for RDS encryption at rest.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides hardware security modules for key generation and storage but does not integrate directly with RDS for encryption at rest; RDS relies on KMS for key management, not CloudHSM. Option C is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for securing data in transit, not encryption keys for data at rest. Option D is wrong because AWS Secrets Manager is designed to rotate and manage database credentials and other secrets, not to manage the encryption keys used for RDS storage encryption.

1234
MCQmedium

A security engineer notices that an S3 bucket contains objects that are accessible to authenticated users from other AWS accounts. The bucket policy allows access to the 'aws:SourceArn' condition that references an Amazon Resource Name (ARN) from another account. What is the MOST effective way to restrict access to only users from the company's own account?

A.Apply an SCP to deny s3:GetObject for any principal outside the organization.
B.Remove the bucket policy and add an IAM policy to the company's users.
C.Modify the condition to use 'aws:SourceArn' with an ARN from the company's account.
D.Add a condition using 'aws:SourceAccount' with the company's account ID.
AnswerD

Restricts access to requests originating from the specified account.

Why this answer

Option D is correct because using the 'aws:SourceAccount' condition with the company's account ID ensures only requests originating from that account are allowed. Option B is incorrect because removing the bucket policy does not address existing objects. Option A is incorrect because SCPs do not affect cross-account access to resources.

Option C is incorrect because 'aws:SourceArn' is already used; the issue is that the ARN belongs to another account.

1235
MCQeasy

A security auditor needs to view a list of all IAM users, including their last activity timestamps, for a compliance review. Which AWS service provides this information natively?

A.AWS CloudTrail
B.IAM Access Analyzer
C.AWS IAM credential report
D.AWS Config
AnswerC

The credential report includes last login, key usage, etc.

Why this answer

Option C is correct: IAM's credential report includes last activity timestamps for each user. Option A is wrong because CloudTrail logs events but does not provide a consolidated report. Option D is wrong because AWS Config does not provide activity timestamps.

Option B is wrong because Access Analyzer analyzes resource policies, not user activity.

1236
MCQhard

A company has enabled AWS CloudTrail in all accounts and regions, with log file validation enabled. The security team needs to verify that a specific log file has not been modified since it was delivered. Which action should be taken?

A.Query the log files using Amazon CloudWatch Logs Insights.
B.Enable S3 server-side encryption with AWS KMS (SSE-KMS) on the CloudTrail bucket.
C.Enable S3 Object Lock on the bucket to prevent modifications.
D.Use the AWS CLI `validate-logs` command with the digest file from the S3 bucket.
AnswerD

The `validate-logs` command uses the digest file to verify the integrity of log files.

Why this answer

Option D is correct because CloudTrail provides a digest file that contains a hash of each log file; you can use the AWS CLI command `aws cloudtrail validate-logs` to verify integrity. Option B is incorrect because S3 server-side encryption does not provide integrity verification. Option A is incorrect because CloudWatch Logs Insights does not validate log file integrity.

Option C is incorrect because S3 Object Lock prevents deletion but not modification of existing objects; it does not verify integrity against a digest.

1237
MCQhard

Refer to the exhibit. An administrator is investigating why an application that uses KMS for encryption is failing. The IAM role used by the application has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }. What is the most likely cause of the failure?

A.The KMS key has been deleted
B.The IAM policy does not specify the correct key ARN
C.The IAM policy does not allow the kms:Decrypt action
D.The KMS key is disabled
AnswerD

A disabled key cannot be used for decryption.

Why this answer

Option D is correct because the key is disabled, so decryption fails. Option C is wrong because the policy allows kms:Decrypt. Option B is wrong because the policy specifies the correct key ARN.

Option A is wrong because the key exists.

1238
MCQhard

A company uses AWS Systems Manager Patch Manager to apply patches to EC2 instances. The security team wants to ensure that instances are patched within 7 days of a patch release. Which service should be used to monitor and report compliance?

A.AWS Config
B.AWS Security Hub
C.Amazon Inspector
D.AWS Trusted Advisor
AnswerA

Config can use rules to evaluate whether instances are patched within a defined timeframe.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of your AWS resource configurations, including patch compliance status via Systems Manager Patch Manager. You can create an AWS Config rule (e.g., 'ec2-managedinstance-patch-compliance-status') that checks whether instances have the required patches installed within a specified time frame (e.g., 7 days). AWS Config then reports noncompliant resources, enabling the security team to track and remediate patching gaps.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's vulnerability scanning with patch compliance monitoring, but Inspector does not track whether patches have been applied within a specific time window after release—it only identifies missing patches or vulnerabilities at a point in time.

How to eliminate wrong answers

Option B (AWS Security Hub) is wrong because it aggregates security findings from multiple AWS services (like AWS Config, GuardDuty, Inspector) but does not itself perform patch compliance monitoring; it relies on AWS Config rules to provide that data. Option C (Amazon Inspector) is wrong because it focuses on vulnerability assessments and network reachability analysis, not on tracking whether patches have been applied within a specific time window after release. Option D (AWS Trusted Advisor) is wrong because it provides best-practice checks for cost, performance, security, and fault tolerance, but it does not monitor patch compliance status or report on patch age relative to release dates.

1239
MCQmedium

A company has deployed a multi-tier web application on AWS. The web servers are in a public subnet, and the application servers are in a private subnet. The security team wants to ensure that the application servers cannot initiate outbound connections to the internet. What should the team do?

A.Add a deny rule for all outbound traffic in the network ACL of the private subnet.
B.Modify the security group of the application servers to deny all outbound traffic.
C.Remove the default route (0.0.0.0/0) pointing to an internet gateway or NAT gateway from the private subnet's route table.
D.Attach an egress-only internet gateway to the private subnet.
AnswerC

Without a route to an internet gateway or NAT, outbound internet traffic is blocked.

Why this answer

Option C is correct because a route table with only a local route and no internet gateway or NAT gateway prevents outbound internet traffic. Option B is wrong because security groups are stateful, and allowing inbound traffic may inadvertently allow outbound responses. Option A is wrong because network ACLs are stateless and need explicit deny rules, but a route-based approach is simpler.

Option D is wrong because an egress-only internet gateway is for IPv6, not IPv4.

1240
MCQmedium

During an incident response, a security team needs to capture a memory dump of an Amazon EC2 instance running Linux. What is the recommended approach?

A.Use AWS Systems Manager Run Command to run a script that extracts memory using LiME.
B.Use Amazon Inspector to collect memory dumps.
C.Stop the instance and create an EBS snapshot for memory analysis.
D.Use the EC2 console to take a screenshot and capture memory from the hypervisor.
AnswerA

SSM Run Command can execute memory capture tools like LiME securely on the instance.

Why this answer

Option A is correct because AWS Systems Manager Run Command allows you to execute a script on a running EC2 instance without needing SSH access, and LiME (Linux Memory Extractor) is a trusted tool for capturing volatile memory. This approach preserves the memory state for forensic analysis while maintaining the instance's running state, which is critical for incident response.

Exam trap

The trap here is that candidates confuse memory capture with disk capture, assuming an EBS snapshot or Inspector can retrieve volatile data, when in fact only a tool like LiME executed on the running instance can capture RAM.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposures, not a tool for capturing memory dumps. Option C is wrong because stopping the instance and creating an EBS snapshot captures only disk data, not volatile memory (RAM), which is lost when the instance stops. Option D is wrong because the EC2 console screenshot captures only the display output, not the full memory contents, and the hypervisor does not expose a mechanism to capture a guest instance's RAM directly.

1241
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

A.aws:VpcSourceIp
B.aws:SourceVpc
C.aws:SourceVpce
D.aws:SourceIp
AnswerC

Restricts access to a specific VPC endpoint.

Why this answer

To restrict access to an S3 bucket so that only requests originating from a specific VPC endpoint are allowed, you must use the `aws:SourceVpce` condition key in the S3 bucket policy. This key evaluates the VPC endpoint ID (e.g., `vpce-1a2b3c4d`) of the request, ensuring that only traffic routed through that specific endpoint is granted access. The `aws:SourceVpc` key is used to restrict access based on the VPC ID, not the endpoint ID, and `aws:SourceIp` and `aws:VpcSourceIp` are not valid condition keys for VPC endpoint-based restrictions.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` (which restricts by VPC ID) with `aws:SourceVpce` (which restricts by VPC endpoint ID), leading them to select the wrong condition key when the requirement is specifically to allow only traffic from a particular VPC endpoint.

How to eliminate wrong answers

Option A is wrong because `aws:VpcSourceIp` is not a valid AWS condition key; the correct key for source IP is `aws:SourceIp`, and it does not restrict based on VPC endpoint. Option B is wrong because `aws:SourceVpc` restricts access based on the VPC ID (e.g., `vpc-12345678`), not the specific VPC endpoint ID, so it would allow any traffic from within that VPC, not just through the endpoint. Option D is wrong because `aws:SourceIp` restricts based on the client's IP address, which is not suitable for VPC endpoint-based access control since the endpoint uses private IPs and the condition key cannot enforce endpoint-specific restrictions.

1242
MCQmedium

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the MOST secure way to enforce this?

A.Attach an IAM policy to the role granting kms:Decrypt
B.Configure the KMS key policy with a condition that allows only the role to decrypt
C.Disable the KMS key and re-enable it only when the role needs to decrypt
D.Configure an S3 bucket policy that denies all principals except the role
AnswerB

Key policy can restrict decryption to a specific role.

Why this answer

Using a key policy with a condition that allows only the specified role is the most secure way. Option D is wrong because a bucket policy alone does not control KMS key usage. Option A is wrong because IAM policies can be attached to any user or role and are not restrictive enough on their own.

Option C is wrong because disabling the key is too restrictive.

1243
MCQeasy

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture memory and disk forensics without shutting down the instance. Which service should the engineer use?

A.AWS Config
B.AWS Systems Manager
C.EC2 Instance Connect
D.Amazon CloudWatch Logs
AnswerB

Systems Manager allows running forensic scripts and commands without SSH.

Why this answer

AWS Systems Manager (SSM) is the correct service because it provides the capability to perform forensic data collection on a running EC2 instance without shutting it down. Specifically, SSM Automation documents like AWS-RunShellScript or AWS-GatherEC2InstanceInfo can execute commands to capture memory (e.g., using LiME or fmem) and disk forensics (e.g., dd or volume snapshots) via the SSM Agent, which runs as a system service and does not require instance termination.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager with EC2 Instance Connect, thinking that SSH access alone is sufficient for forensic collection, but Systems Manager provides the necessary automation and agent-based execution to capture memory and disk data without requiring the instance to be stopped or terminated.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for resource inventory, compliance auditing, and configuration change tracking, not for capturing memory or disk forensics on a running instance. Option C is wrong because EC2 Instance Connect only provides SSH access to the instance for interactive shell sessions; it does not have built-in capabilities to capture memory dumps or perform disk forensics without additional tools and manual intervention. Option D is wrong because Amazon CloudWatch Logs is a service for collecting, monitoring, and storing log files from EC2 instances and other sources; it cannot capture memory or disk forensics data directly.

1244
Multi-Selecthard

Which THREE are best practices for managing security in a multi-account AWS environment? (Choose three.)

Select 3 answers
A.Use SCPs to restrict permissions across accounts.
B.Disable AWS CloudTrail in production accounts to reduce costs.
C.Use a dedicated security account for security tools and audits.
D.Centralize logging in a dedicated security account.
E.Use the root user of each account for administrative tasks.
AnswersA, C, D

SCPs provide central control over permissions.

Why this answer

Options A, C, and D are correct. Using SCPs, centralizing logs, and using a dedicated security account are best practices. Option E is wrong because using the root user for daily tasks is not a best practice.

Option B is wrong because disabling CloudTrail reduces visibility.

1245
MCQmedium

A company has a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL database. The security team has implemented security groups and network ACLs. Recently, a vulnerability scan revealed that the RDS database is accessible from the internet. The security engineer investigates and finds that the database security group allows inbound traffic on port 3306 from 0.0.0.0/0. The engineer also checks the network ACLs and finds that inbound rules allow traffic on port 3306 from 0.0.0.0/0, and outbound rules allow all traffic. The database is in a private subnet. Which combination of steps should the engineer take to remediate the issue while maintaining application functionality?

A.Update the network ACL inbound rule to allow traffic only from the ALB security group. The security group is already correctly configured.
B.Update the database security group to allow inbound traffic on port 3306 only from the ALB security group. Update the network ACL inbound rule to allow traffic from the ALB security group.
C.Update the database security group to allow inbound traffic on port 3306 from the VPC CIDR range. No changes to network ACL are needed.
D.Move the database to a public subnet and restrict the security group to the ALB security group.
AnswerB

Restricting both layers to the ALB security group ensures only the ALB can reach the database.

Why this answer

Option B is correct because it restricts both the security group and the network ACL to only the ALB security group, which is the proper source for database traffic. Option A is wrong because it only changes the network ACL, not the security group. Option C is wrong because allowing the VPC CIDR is too broad.

Option D is wrong because it suggests a public subnet for the database, which is insecure.

1246
MCQeasy

A company wants to centrally manage access keys for all IAM users across multiple accounts. Which AWS service should be used to rotate access keys automatically?

A.AWS STS
B.AWS IAM
C.AWS Secrets Manager
D.AWS CloudHSM
AnswerB

IAM provides APIs to rotate access keys, but automation must be custom-built.

Why this answer

Option B is correct because IAM access keys can be rotated using the IAM credential report and IAM policies, but there is no built-in automatic rotation. AWS Secrets Manager can automatically rotate secrets for supported services, but not IAM access keys. Strictly speaking, none of the options rotates access keys automatically; IAM access keys must be rotated manually or via custom automation.

Given the options, Option B is the best because IAM is the service that manages access keys, and you can use the IAM API to rotate them. Option A is wrong because STS provides temporary credentials. Option C is wrong because Secrets Manager can store but not automatically rotate IAM keys.

Option D is wrong because CloudHSM is for hardware security modules.

1247
Multi-Selectmedium

Which TWO of the following are valid ways to control inbound traffic to an EC2 instance? (Select TWO.)

Select 2 answers
A.Network ACLs
B.IAM policies
C.Amazon CloudWatch alarms
D.AWS Key Management Service (KMS)
E.Security groups
AnswersA, E

NACLs are stateless firewalls applied at the subnet level.

Why this answer

Options A and E are correct because security groups are stateful firewalls for instances, and NACLs are stateless firewalls for subnets. Option B is wrong because IAM does not control network traffic. Option C is wrong because CloudWatch monitors but does not control traffic.

Option D is wrong because KMS manages encryption keys.

1248
MCQmedium

A security engineer receives an Amazon GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to automatically isolate the compromised EC2 instance and then perform forensic analysis. Which solution meets these requirements with the LEAST operational overhead?

A.Manually SSH into the instance, stop it, and create an AMI for analysis.
B.Create an Amazon EventBridge rule that triggers an AWS Lambda function to isolate the instance by modifying its security group and then take a forensic snapshot.
C.Use AWS Config rules to automatically stop the instance.
D.Configure an Auto Scaling lifecycle hook to terminate the instance and launch a new one.
AnswerB

Automated response with minimal operational overhead.

Why this answer

Option B is correct because it automates the isolation and forensic capture of the compromised EC2 instance with minimal operational overhead. An Amazon EventBridge rule listens for the specific GuardDuty finding and triggers an AWS Lambda function that modifies the instance's security group to deny all inbound/outbound traffic (isolation) and then creates an EBS snapshot for forensic analysis. This serverless, event-driven approach eliminates manual intervention and ensures consistent, rapid response.

Exam trap

The trap here is that candidates may assume manual SSH or AWS Config rules are sufficient for incident response, but they fail to recognize that GuardDuty findings require automated, event-driven isolation without human intervention, and that Config rules lack the ability to trigger real-time security group modifications or snapshots.

How to eliminate wrong answers

Option A is wrong because manually SSHing into a compromised instance is dangerous (the attacker may still have access), and manually stopping and creating an AMI introduces high operational overhead and delays, violating the 'least operational overhead' requirement. Option C is wrong because AWS Config rules are designed for compliance and resource configuration auditing, not for real-time incident response actions like stopping instances; they cannot directly trigger instance isolation based on GuardDuty findings. Option D is wrong because an Auto Scaling lifecycle hook terminates the instance and launches a new one, which destroys forensic evidence and does not allow for isolation or forensic analysis of the original compromised instance.

1249
MCQmedium

A security engineer needs to detect when an EC2 instance is terminated in an AWS account. The solution must provide near-real-time notification. Which combination of services should be used?

A.VPC Flow Logs and Amazon CloudWatch Logs
B.AWS CloudTrail and Amazon EventBridge
C.AWS Config and Amazon SNS
D.Amazon CloudWatch Alarms and Amazon SNS
AnswerB

CloudTrail logs the TerminateInstances event, and EventBridge can trigger an SNS notification.

Why this answer

Option B is correct because CloudTrail logs the TerminateInstances API call, and CloudWatch Events (now Amazon EventBridge) can match the event and trigger a notification via SNS. Option C is wrong because AWS Config evaluates configuration changes, but it is not near-real-time for API calls. Option A is wrong because VPC Flow Logs do not capture EC2 instance termination.

Option D is wrong because CloudWatch Alarms monitor metrics, not API calls.

1250
MCQhard

An organization wants to detect and alert on the use of root user credentials in their AWS accounts. They have multiple accounts managed via AWS Organizations. What is the most efficient way to centralize this monitoring?

A.Create an AWS CloudTrail trail in each account and aggregate logs to a central S3 bucket.
B.Use IAM Access Analyzer to find resources shared with external entities.
C.Use AWS Config rules to detect root user usage in each account.
D.Enable Amazon GuardDuty in the management account and use the delegated administrator feature.
AnswerD

GuardDuty centrally detects root user activity across accounts.

Why this answer

Amazon GuardDuty has a built-in finding type for root user activity (RootCredentialUsage). Enabling GuardDuty in the management account and delegating an administrator allows centralized monitoring across all accounts. Option D is correct.

Option A is wrong because CloudTrail trails must be created in each account individually, which is less efficient. Option C is wrong because AWS Config rules are per account and require custom logic. Option B is wrong because IAM Access Analyzer does not specifically detect root user activity.

1251
MCQmedium

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type meets this requirement?

A.AWS managed key (aws/s3)
B.Customer managed key with manual rotation
C.Asymmetric customer managed key
D.Imported key material in a customer managed key
AnswerA

AWS managed keys are automatically rotated annually.

Why this answer

AWS managed keys (aws/s3) are automatically rotated every year. Customer managed keys (CMKs) can be rotated manually or automatically, but the question specifies automatic rotation. Option A is correct because AWS managed keys are automatically rotated.

Option B is incorrect because customer managed keys require manual rotation or enabling automatic rotation. Option D is incorrect because imported key material does not support automatic rotation. Option C is incorrect because asymmetric keys are not automatically rotated.

1252
MCQmedium

A security engineer notices that an IAM user has permissions to launch EC2 instances but the engineer wants to ensure that all new instances are automatically tagged with the creator's user name. What is the most efficient way to enforce this?

A.Use AWS CloudTrail to monitor and alert on untagged instances.
B.Add an IAM policy to the user that uses a condition key 'aws:RequestTag/Creator' with a value '${aws:username}'.
C.Use AWS Config rules to automatically tag resources after creation.
D.Create an SCP that denies EC2:RunInstances unless the request includes a 'Creator' tag with the user name.
AnswerB

This condition forces the user to include the tag with their username.

Why this answer

Using a service control policy (SCP) with a condition that requires tagging on EC2 RunInstances is not possible because SCPs cannot enforce tagging; they can only deny if tags are missing. Option B is the most efficient: an IAM policy with a condition that requires the 'Creator' tag to equal the IAM user name. Option D is incorrect because SCPs cannot enforce tagging.

Option C is overly complex. Option A is incorrect because CloudTrail does not enforce tagging.

1253
Multi-Selecthard

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

Select 3 answers
A.Grant full S3 access to all buckets
B.Grant write access to an S3 bucket for query results
C.Grant access to Amazon Redshift
D.Grant permissions to use Athena workgroups and queries
E.Grant read access to the specific S3 buckets containing the data
AnswersB, D, E

Athena writes query results to S3.

Why this answer

Option B is correct because Athena requires a dedicated S3 bucket to store query results, and granting write access to that specific bucket ensures the service can write output without exposing other data. This aligns with least privilege by limiting write permissions to only the necessary location.

Exam trap

The trap here is that candidates often assume Athena requires broad S3 permissions or confuse it with Redshift Spectrum, leading them to select full S3 access or irrelevant Redshift permissions instead of focusing on the specific read and write buckets needed for least privilege.

1254
Multi-Selecthard

A company wants to monitor for unauthorized API calls in real time. The solution must meet the following requirements:
- Detect calls that fail authentication (AccessDenied).
- Detect calls that use a revoked IAM role.
- Provide a centralized view across multiple accounts.
Which THREE services should be used together to implement this solution? (Choose three.)

Select 3 answers
A.AWS Organizations
B.AWS CloudTrail
C.AWS IAM Access Analyzer
D.Amazon CloudWatch Logs
E.AWS Config
AnswersA, B, D

Organizations allows you to centrally manage trails across member accounts using a single organization trail.

Why this answer

Options A, B, and D are correct because CloudTrail logs API calls, CloudWatch Logs can filter for specific error codes, and AWS Organizations enables centralized management across accounts. Option E is wrong because AWS Config does not monitor API calls. Option C is wrong because IAM Access Analyzer analyzes resource policies, not API calls.

1255
MCQhard

A company uses Amazon EBS volumes for EC2 instances. Security policy requires that all EBS volumes be encrypted at rest. The company already has a default KMS key for EBS encryption. However, some new volumes are created without encryption. What is the most efficient way to enforce encryption for all new EBS volumes?

A.Use AWS CloudTrail to monitor volume creation and send alerts
B.Create an AWS Config rule to detect unencrypted volumes and trigger a Lambda function to encrypt them
C.Use a custom AMI that enforces encryption
D.Enable EBS encryption by default in the EC2 console or via the API
AnswerD

This setting ensures all new volumes are encrypted automatically.

Why this answer

Option D (enabling EBS encryption by default at the account level) is correct because it forces all new volumes to be encrypted using the default KMS key. Option A is wrong because it requires manual intervention. Option C is wrong because it requires building and maintaining a custom AMI rather than an account-level control.

Option B is wrong because detecting unencrypted volumes and remediating them afterwards is reactive, not preventive.

1256
MCQmedium

A security engineer is designing a permissions boundary for an IAM role used by an EC2 instance. The boundary must allow the instance to list all S3 buckets but deny the ability to delete any bucket. Which policy should be used as the permissions boundary?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:DeleteBucket","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:ListAllMyBuckets","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:DeleteBucket"],"Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Allow","Action":"s3:DeleteBucket","Resource":"*"}]}
AnswerA

Allows list, denies delete, meets requirement.

Why this answer

Permissions boundaries limit the maximum permissions a role can have. Option A allows s3:ListAllMyBuckets and explicitly denies s3:DeleteBucket, which meets the requirement. Option C allows both actions.

Option B denies list. Option D allows delete.

1257
MCQhard

A company is designing a VPC with public and private subnets. The application servers in the private subnets need to download patches from the internet. Which architecture provides the highest security while allowing internet access?

A.Place a NAT Gateway in the public subnet and configure the private subnet route table to send 0.0.0.0/0 traffic to the NAT Gateway
B.Create a VPC endpoint for Amazon S3 and route traffic through it
C.Attach an internet gateway to the private subnet and configure the route table to send 0.0.0.0/0 traffic to the internet gateway
D.Place a bastion host in the public subnet and configure the private instances to route internet traffic through it
AnswerA

NAT Gateway enables outbound internet from private subnets while preventing inbound connections.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows outbound internet access from private subnets while blocking inbound traffic. Option C is wrong because an internet gateway attached to the private subnet would allow inbound traffic. Option D is wrong because a bastion host is for SSH access, not for outbound internet.

Option B is wrong because a VPC endpoint is for private connectivity to AWS services, not general internet.

1258
Multi-Selecthard

Which THREE steps should a security engineer take to remediate a compromised IAM user whose access keys were exposed? (Choose three.)

Select 3 answers
A.Deactivate the access keys.
B.Create a new IAM user with the same permissions.
C.Remove the user from all IAM groups.
D.Change the IAM user's password.
E.Delete the access keys.
AnswersA, C, E

Deactivating keys stops their use immediately.

Why this answer

Immediately deactivate or delete the access keys to stop usage. Rotate the keys if the user still needs access, but the old keys must be deactivated. Remove the compromised user from any groups to limit permissions.

Changing the password does not affect access keys. Creating a new user with the same permissions is unnecessary if the user can be cleaned. Reviewing CloudTrail logs is important but is an investigation step, not immediate remediation.

1259
MCQhard

A company wants to monitor AWS API calls for suspicious activity and automatically remediate by revoking IAM roles in real time. Which combination of services should be used?

A.AWS CloudTrail and Amazon Inspector
B.AWS CloudTrail and AWS Config
C.Amazon GuardDuty and AWS Config
D.Amazon CloudWatch Events and AWS Lambda
AnswerD

CloudWatch Events can match API calls and trigger Lambda to revoke IAM roles.

Why this answer

Option D is correct because CloudWatch Events (now Amazon EventBridge) can trigger a Lambda function upon API call patterns, and Lambda can revoke permissions. Option C is wrong because GuardDuty does not directly trigger remediation. Option B is wrong because Config records resource changes but not real-time API calls.

Option A is wrong because CloudTrail and Inspector alone cannot automate remediation.

1260
MCQhard

A company uses an AWS Transit Gateway to connect multiple VPCs and on-premises networks. A security engineer needs to ensure that traffic between VPCs is inspected by a third-party firewall appliance. Which architecture should be used?

A.Configure security groups on the transit gateway to inspect traffic.
B.Create VPC endpoints for each VPC to route traffic through the firewall.
C.Attach the firewall appliance to a dedicated inspection VPC and route traffic from other VPCs through the inspection VPC using transit gateway route tables.
D.Use network ACLs on the transit gateway to filter traffic.
AnswerC

This is the common architecture for centralized traffic inspection using a transit gateway.

Why this answer

The correct answer is C because attaching the firewall appliance in a dedicated inspection VPC and using transit gateway route tables to direct traffic through it lets you inspect inter-VPC traffic. Option A is wrong because security groups are instance-level firewalls and cannot inspect all traffic in a transit gateway. Option D is wrong because network ACLs are stateless and applied at the subnet level, not at the transit gateway level.

Option B is wrong because VPC endpoints are for accessing AWS services privately, not for traffic inspection.

1261
MCQmedium

A company uses AWS Lambda functions that process sensitive data. The security team wants to ensure that any unauthorized invocation of the functions is detected and alerted. The team has enabled AWS CloudTrail and is monitoring for Lambda Invoke API calls. However, they are concerned about missing events that occur within the Lambda service itself (e.g., internal retries). What should the team do to capture all relevant events?

A.Enable VPC Flow Logs for the Lambda function's VPC.
B.Configure CloudWatch Logs to capture all Lambda function logs.
C.Enable Amazon CloudWatch Lambda Insights.
D.Enable CloudTrail data events for Lambda functions.
AnswerC

Lambda Insights provides detailed monitoring of function invocations, including internal retries and performance metrics.

Why this answer

Option C is correct because Amazon CloudWatch Lambda Insights provides a monitoring and troubleshooting solution for serverless applications, capturing detailed metrics and logs for all Lambda invocations, including internal retries and invocations that occur within the Lambda service itself. Unlike CloudTrail data events, which only log API calls made to the Lambda Invoke API, Lambda Insights collects telemetry from the Lambda execution environment, ensuring visibility into events that happen after the initial invocation, such as retries triggered by the Lambda service due to throttling or errors.

Exam trap

The trap here is that candidates often assume CloudTrail data events capture all Lambda invocation activity, but they miss that internal retries and service-side invocations are not API calls and thus are invisible to CloudTrail, requiring a monitoring solution like Lambda Insights that operates within the execution environment.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) within a VPC, not Lambda invocation events or internal service retries; they are irrelevant for detecting unauthorized Lambda invocations. Option B is wrong because CloudWatch Logs capture logs generated by the Lambda function code (e.g., print statements, custom logs), not the invocation events or internal retries performed by the Lambda service; they do not provide visibility into the invocation lifecycle itself. Option D is wrong because CloudTrail data events for Lambda functions only log the Invoke API calls made by external entities (e.g., users, services) to the Lambda service, but they do not capture internal retries or invocations that occur within the Lambda service (e.g., asynchronous invocations retried by the service), which is the specific gap the security team is concerned about.

1262
MCQeasy

Which AWS service provides a centralized view of compliance status for AWS resources?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Security Hub
AnswerA

Config provides compliance status.

Why this answer

AWS Config is the correct answer because it provides a centralized view of compliance status by continuously evaluating your AWS resource configurations against desired policies (e.g., managed or custom rules). It generates compliance scores and detailed reports for each resource, enabling you to track whether your infrastructure adheres to internal or regulatory standards. This is distinct from other services because Config focuses specifically on configuration compliance, not threat detection or API activity.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (which provides a centralized dashboard for security findings) with a compliance status view, but Security Hub aggregates findings from multiple sources and does not perform native configuration compliance evaluations—that is AWS Config's role.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, not a compliance status tool. Option C (AWS CloudTrail) is wrong because it records API calls and user activity for auditing and governance, but does not evaluate resource configurations against compliance rules. Option D (AWS Security Hub) is wrong because it aggregates security findings from multiple services (e.g., GuardDuty, Inspector) and provides a consolidated security posture, but it does not perform configuration compliance evaluations itself; it relies on AWS Config as a source for compliance checks.

1263
MCQmedium

An IAM user has the policy shown in the exhibit. The user tries to launch an m5.large instance in us-east-1, but gets an 'AccessDenied' error. Why does this happen?

A.The policy restricts RunInstances to instance type t2.micro, but the user requested m5.large.
B.The condition uses StringEquals, which is case-sensitive and the instance type is in the wrong case.
C.The policy does not allow the RunInstances action at all.
D.The resource ARN in the policy is incorrect for launching instances.
AnswerA

The condition ec2:InstanceType restricts to t2.micro.

Why this answer

Option A is correct because the policy only allows RunInstances for instance type t2.micro, not m5.large. Option C is wrong because the policy does allow RunInstances. Option D is wrong because the resource ARN is correct for instances.

Option B is wrong because the condition uses StringEquals, which is valid.

1264
MCQeasy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service provides a managed, highly available, and scalable solution for this requirement?

A.NAT instance in a public subnet
B.Internet Gateway attached to the VPC
C.NAT Gateway in a public subnet
D.AWS Site-to-Site VPN connection
AnswerC

NAT Gateway is managed, scalable, and highly available.

Why this answer

Option C is correct because a NAT Gateway provides outbound internet access for instances in private subnets and is managed by AWS. Option A is wrong because a NAT instance is not managed. Option B is wrong because an Internet Gateway is used for public subnets.

Option D is wrong because a VPN connection is for hybrid networking, not internet access.

1265
MCQmedium

A company wants to centralize logging from multiple AWS accounts into a single logging account. The logs include AWS CloudTrail, AWS Config, and VPC Flow Logs. Which solution should the company implement to meet these requirements with minimal operational overhead?

A.Use Amazon Kinesis Data Firehose in each account to send logs to a central Amazon S3 bucket.
B.Configure each account to deliver logs to its own S3 bucket and use S3 cross-region replication to copy logs to the central bucket.
C.Use AWS Organizations to create a CloudTrail trail that applies to all accounts and delivers logs to a central S3 bucket.
D.Use AWS Lambda functions in each account to copy log files to a central S3 bucket.
AnswerC

With Organizations, you can create an organization trail that logs all accounts' management events to a single S3 bucket.

Why this answer

Option C is correct because AWS Organizations allows centralized management of accounts and can be used with CloudTrail to create an organization trail that logs all accounts. Option B is wrong because S3 cross-region replication replicates objects, not logs from multiple accounts automatically. Option A is wrong because Kinesis Data Firehose would require additional setup per account.

Option D is wrong because Lambda would require custom code and per-account setup.

1266
Multi-Selectmedium

A company wants to implement a defense-in-depth strategy for its web application running on EC2 instances. Which TWO AWS services should be used to provide both network and application-layer protection?

Select 2 answers
A.Amazon GuardDuty
B.AWS WAF
C.Security Groups
D.AWS Shield Advanced
E.Network ACLs
AnswersB, C

WAF provides application-layer protection.

Why this answer

Options B and C are correct. AWS WAF provides application-layer protection (e.g., against SQL injection), and Security Groups act as a virtual firewall for network-layer protection. Option E is wrong because NACLs are network-layer but stateless and less granular.

Option A is wrong because GuardDuty is a threat detection service, not a prevention firewall. Option D is wrong because Shield Advanced provides DDoS protection but is not a firewall.

1267
MCQmedium

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security engineer tests the configuration and finds that requests from the VPC endpoint are being denied. The bucket policy contains the following condition: "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-12345678" } }. The VPC endpoint ID is correct. The engineer also confirms that the VPC endpoint policy allows the necessary S3 actions. What is the most likely reason for the denial?

A.The request is not being routed through the VPC endpoint; the EC2 instance is using a public S3 endpoint.
B.The EC2 instance does not have an IAM role that allows s3:GetObject.
C.The VPC endpoint is in a different region than the S3 bucket.
D.The condition key is misspelled; it should be aws:SourceVpce (no 'e' at the end).
AnswerA

If the request does not go through the endpoint, the aws:SourceVpce condition key is not present.

Why this answer

Option A is correct. The aws:SourceVpce condition key is present in a request only when that request actually passes through the VPC endpoint. If the EC2 instance reaches S3 over the public internet instead of through the endpoint, the key is absent, the StringEquals condition is not met, and the request is denied even though the endpoint ID is correct and the endpoint policy allows the S3 actions. Note also that a condition does not grant access by itself; the bucket policy must contain an Allow statement that carries this condition, which the question implies it does.

Option B is wrong because an IAM role permission is needed in general but is not the likely cause of this specific denial. Option C is wrong because a VPC endpoint in a different region would not by itself cause the denial; S3 supports cross-region access. Option D is wrong because aws:SourceVpce is the correct condition key for a VPC endpoint ID.

1268
Matchingmedium

Match each AWS VPC flow log type to its description.


Concepts
Matches

Capture IP traffic for a VPC

Capture IP traffic for a subnet

Capture IP traffic for a network interface

Capture IP traffic for a transit gateway

Why these pairings

Flow logs can be created at different resource levels.

1269
MCQhard

A security engineer notices that an IAM role has a trust policy that allows 'sts:AssumeRole' from any AWS account. What is the security risk?

A.The role can be assumed by any AWS service.
B.The role's permissions are exposed to all AWS accounts.
C.Any IAM user in any AWS account can assume the role and gain its permissions.
D.The role can be used to access resources in other accounts.
AnswerC

The trust policy is too permissive.

Why this answer

Option C is correct because any user from any account can assume the role and gain its permissions. Option D is wrong because the risk is not just about resources outside the account. Option B is wrong because the trust policy allows assumption, not just viewing of the permissions.

Option A is wrong because the risk is that any principal in any account can assume the role, not only AWS services.

1270
Multi-Selectmedium

A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)

Select 2 answers
A.Enable default encryption on the S3 bucket using SSE-S3.
B.Enable S3 bucket default encryption using AES-256.
C.Use AWS CloudHSM to generate and store encryption keys for S3.
D.Set up Kinesis Data Firehose to encrypt data before writing to S3.
E.Configure a bucket policy that denies requests not using aws:SecureTransport.
AnswersB, E

AES-256 encryption (SSE-S3) encrypts data at rest.

Why this answer

Option A is wrong because while default encryption provides at-rest encryption, it does not enforce encryption in transit. Option E is correct because a bucket policy that denies requests without HTTPS ensures encryption in transit. Option B is correct because enabling bucket default encryption with SSE-S3 or SSE-KMS ensures encryption at rest.

Option C (CloudHSM) is not necessary for S3 encryption and adds complexity. Option D is wrong because Kinesis Data Firehose is not directly relevant to S3 encryption.

1271
MCQmedium

A security team is troubleshooting an issue where an IAM role assumed by a Lambda function is unable to write logs to CloudWatch Logs. The role has an attached policy that allows logs:CreateLogGroup and logs:PutLogEvents. What is a likely reason for the failure?

A.The trust policy of the role does not include Lambda as a trusted entity.
B.The Lambda function is in a VPC without a NAT gateway.
C.The role does not have permission to create network interfaces.
D.The CloudWatch Logs resource policy denies the role.
AnswerA

Without trust policy, Lambda cannot assume the role.

Why this answer

Option A is correct because a Lambda execution role must have a trust policy allowing Lambda to assume it. Option B is irrelevant. Option D is about a resource policy.

Option C is about VPC permissions.

1272
Multi-Selecthard

A company wants to restrict access to an RDS database to only EC2 instances that have a specific tag 'Environment: Production'. Which TWO steps should be taken?

Select 2 answers
A.Attach an IAM policy to the EC2 instance role that allows rds:Connect only if the request originates from the VPC Endpoint.
B.Create a resource-based policy on the RDS instance.
C.Use the RDS instance's security group to allow traffic only from the EC2 instance's security group.
D.Create a security group rule that references the EC2 instance's security group.
E.Create a VPC Endpoint for RDS and attach an IAM policy that uses the condition 'ec2:ResourceTag/Environment' : 'Production'.
AnswersA, E

Combines with endpoint policy.

Why this answer

Options A and E are correct. Using a VPC Endpoint with an IAM policy that checks the ec2:ResourceTag condition key ensures that only instances with the required tag can access the database. Options C and D are wrong because security groups do not support tag-based rules.

An IAM role alone does not restrict access based on tags. Option B is wrong because RDS does not support resource-based policies for tag conditions.

1273
Multi-Selecteasy

Which TWO are valid methods to centrally manage multiple AWS accounts? (Choose two.)

Select 2 answers
A.AWS IAM
B.AWS Service Catalog
C.Amazon Cognito
D.AWS Control Tower
E.AWS Organizations
AnswersD, E

Control Tower provides governance for multi-account environments.

Why this answer

AWS Organizations (E) and AWS Control Tower (D) provide centralized management. Option A (IAM) is per-account. Option C (Cognito) is for external users.

Option B (Service Catalog) is for product approval.

1274
MCQhard

A company is using Amazon Macie to discover sensitive data in S3. The security team wants to be notified when Macie finds a high-severity alert. Which integration should be used?

A.Configure Macie to store findings in an S3 bucket and enable S3 event notifications.
B.Integrate Macie with AWS Security Hub and create a custom action to send to SNS.
C.Create an Amazon EventBridge rule that matches Macie findings and targets an SNS topic.
D.Configure Macie to send findings to CloudWatch Logs and create a metric filter.
AnswerC

EventBridge is the native event bus for Macie findings, allowing real-time routing to SNS.

Why this answer

Option C is correct because Macie can publish findings to Amazon EventBridge (formerly CloudWatch Events), which can then trigger SNS notifications. Option D is incorrect because Macie does not send to CloudWatch Logs directly. Option A is incorrect because Macie does not send to S3 directly; it stores findings in its own service.

Option B is incorrect because Macie does not natively integrate with Security Hub for alerting; EventBridge is the direct method.

1275
Multi-Selectmedium

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation are encrypted at rest. Which THREE configuration steps should be taken?

Select 3 answers
A.Create an AWS Config rule to check for unencrypted S3 buckets.
B.Use a CloudFormation stack policy to prevent updates that remove encryption.
C.Create a service control policy (SCP) that denies creation of S3 buckets without encryption.
D.In the CloudFormation template, specify the BucketEncryption property for each S3 bucket.
E.Create an IAM role that only allows creation of encrypted buckets.
AnswersA, C, D

Detects non-compliance.

Why this answer

Options A, C, and D are correct. Using AWS Config rules can detect unencrypted buckets. A service control policy (SCP) can deny creation of unencrypted buckets.

The CloudFormation template can also specify encryption. Option E is wrong because IAM roles do not enforce encryption. Option B is wrong because a stack policy only applies to the template, not to enforcement.
