AWS Certified Security Specialty SCS-C02 (SCS-C02), Questions 1276–1350

1738 questions total · 24 pages · All types, answers revealed

Page 18 of 24
1276 (MCQ, medium)

A company wants to securely share an Amazon S3 object with an external partner. The partner needs to download the object using an HTTP GET request. The object must be accessible for only 24 hours. What is the most secure way to grant access?

A. Create a new IAM user with read access to the object and share the access key and secret key.
B. Make the object publicly readable and share the object URL.
C. Generate a presigned URL for the object with an expiration of 24 hours.
D. Create a new IAM user with read access to the object, then generate a presigned URL for the object.
Answer: C

Presigned URLs grant temporary access without exposing credentials.

Why this answer

Option C is correct because presigned URLs provide time-limited access to specific S3 objects without sharing AWS credentials. Option A is wrong because sharing the access key and secret key is insecure. Option B is wrong because making the object public exposes it to anyone, not only the partner.

Option D is wrong because presigned URLs already handle access; creating a new user is unnecessary and less secure.
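As an added example (not part of the question bank), the following Python builds a presigned GET URL with a 24-hour expiry using the SigV4 query signing that S3 uses for presigned URLs, and then checks it the way the service does: time window first, then signature. The bucket name, object key, timestamp and credentials are constructed placeholders.

```python
"""Presigned S3 GET URL with a 24-hour expiry, built and checked with SigV4 (added example).

The URL carries its own expiry (X-Amz-Expires) and is signed with a key derived from
the owner's secret, so the link can be handed to a partner without any credentials.
Validation mirrors what S3 does on receipt: check the time window, then recompute
the signature.  All credentials, names and timestamps below are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ACCESS_KEY = "AKIAEXAMPLEKEYID0000"                       # constructed placeholder
SECRET_KEY = "example-secret-key-not-a-real-aws-secret"   # constructed placeholder
MAX_EXPIRES = 604800                                      # S3 caps presigned URLs at 7 days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, datestamp, region):
    key = _hmac(("AWS4" + secret).encode(), datestamp)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _canonical_query(params):
    # Sorted, every key and value URI-encoded; '/' in the credential becomes %2F.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret, host, path, params, region):
    amz_date = params["X-Amz-Date"]
    canonical_request = "\n".join(["GET", quote(path, safe="/-_.~"), _canonical_query(params),
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, expires=86400, now=None,
                access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Return a presigned GET URL valid for `expires` seconds (default 24 hours)."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    # The signature covers every query parameter above, including the expiry.
    params["X-Amz-Signature"] = _signature(secret, host, path, params, region)
    return f"https://{host}{quote(path, safe='/-_.~')}?{_canonical_query(params)}"


def check_presigned_get(url, secret, now=None):
    """Validate the way the service would: time window first, then the signature."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
        region = params["X-Amz-Credential"].split("/")[2]
        presented = params.pop("X-Amz-Signature")
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "invalid expiry"
    if now < signed_at:
        return False, "not yet valid"
    if now >= signed_at + timedelta(seconds=expires):
        return False, "expired"
    expected = _signature(secret, parts.netloc, unquote(parts.path), params, region)
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"       # also catches a tampered X-Amz-Expires
    return True, "ok"


def demo(expires=86400):
    """Sign at a fixed instant and probe the link around the 24-hour boundary."""
    signed = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)     # constructed instant
    url = presign_get("partner-share-bucket", "reports/q4.pdf", "us-east-1", expires, now=signed)
    tampered = url.replace(f"X-Amz-Expires={expires}", f"X-Amz-Expires={MAX_EXPIRES}")
    return {
        "url": url,
        "at_23h59": check_presigned_get(url, SECRET_KEY, now=signed + timedelta(hours=23, minutes=59)),
        "at_24h": check_presigned_get(url, SECRET_KEY, now=signed + timedelta(hours=24)),
        "wrong_secret": check_presigned_get(url, "some-other-secret", now=signed + timedelta(hours=1)),
        "extended_expiry": check_presigned_get(tampered, SECRET_KEY, now=signed + timedelta(days=2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The extended_expiry case shows why the expiry cannot simply be edited by the recipient: X-Amz-Expires is part of the signed canonical query, so changing it invalidates the signature.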

1277 (MCQ, medium)

A company uses AWS CloudHSM to store encryption keys. The security team wants to ensure that keys stored in CloudHSM are backed up and can be restored in another AWS Region. What is the BEST approach?

A. Enable automatic cross-region replication on the CloudHSM cluster
B. Copy the HSM user credentials and use them in the new region
C. Use AWS Backup to back up the CloudHSM cluster and restore in another region
D. Export the security domain from the source cluster and import it into a new cluster in the target region
Answer: D

Correct: Exporting and importing the security domain allows key recovery.

Why this answer

Option D is correct because CloudHSM allows you to export the cluster's security domain and then use it to restore the cluster in another region. Option A is wrong because CloudHSM does not automatically replicate across regions. Option B is wrong because copying HSM credentials is insufficient to restore keys.

Option C is wrong because AWS Backup has no direct integration with CloudHSM.

1278 (MCQ, hard)

A security engineer is configuring an automated incident response workflow. When a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' is generated, the workflow should isolate the EC2 instance and snapshot its EBS volume. Which AWS service can coordinate these actions?

A. AWS Lambda functions invoked sequentially
B. AWS Step Functions
C. AWS CloudFormation
D. AWS Config rules with auto-remediation
Answer: B

Step Functions can coordinate multiple AWS services in a state machine.

Why this answer

AWS Step Functions can orchestrate multiple actions (isolation, snapshot) in a workflow triggered by EventBridge. Option A (Lambda) can perform a single action, but chaining several requires custom code. Option D (Config) is for compliance rules.

Option C (CloudFormation) is for infrastructure.

1279 (Drag & Drop, medium)

Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.


Why this order

Shield Advanced requires subscription first, then resource protection, WAF integration, mitigation rule, and health-based detection.

1280 (MCQ, medium)

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The instance is launched in a VPC with a VPC endpoint for S3. The IAM role has a policy that grants s3:GetObject on the bucket. However, the application on the instance receives 'Access Denied' errors when trying to read objects. What is the MOST likely cause?

A. The VPC endpoint policy for S3 does not allow the required action.
B. The EC2 instance does not have an encryption key to decrypt the objects.
C. The S3 bucket policy does not explicitly allow the IAM role.
D. The IAM role is not attached to the EC2 instance profile.
Answer: A

VPC endpoint policies can override IAM permissions.

Why this answer

Option A is correct because a VPC endpoint policy can restrict access to specific buckets, and if it does not allow the target bucket, requests are denied even when the IAM role allows them. Option C is wrong because the S3 bucket policy is not required to allow the role if the role already grants access. Option D is wrong because the IAM role is correctly associated with the instance.

Option B is wrong because S3 does not require an encryption key on the instance for access.

1281 (Drag & Drop, medium)

Drag and drop the steps to implement AWS KMS key rotation in the correct order.


Why this order

Key rotation starts with creating a CMK, enabling auto-rotation, manual rotation if needed, updating apps, and verifying decryption.

1282 (MCQ, medium)

A company uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances in private subnets. The security team wants to ensure that only the ALB can communicate with the EC2 instances. Which security group configuration should be applied to the EC2 instances?

A. Allow inbound HTTP traffic from the EC2 instances' own security group
B. Allow inbound HTTP traffic from 0.0.0.0/0
C. Allow inbound HTTP traffic from the VPC CIDR block
D. Allow inbound HTTP traffic from the ALB's security group
Answer: D

This ensures only the ALB can initiate traffic to the EC2 instances.

Why this answer

Option D is correct because referencing the ALB security group as the source allows only traffic originating from the ALB, regardless of IP changes. Option C is wrong because a CIDR block is less precise and admits sources other than the ALB. Option B is wrong because it allows all HTTP traffic from anywhere.

Option A is wrong because the EC2 security group should not reference itself.

1283 (MCQ, medium)

A financial services company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application processes credit card numbers and stores them in an Amazon RDS for PostgreSQL database. The database is encrypted at rest using AWS KMS. The security team is concerned about data in transit between the ALB and EC2 instances, and between EC2 and RDS. They also want to ensure that the application never logs the full credit card number. The current setup: ALB terminates SSL using a certificate from AWS Certificate Manager (ACM). EC2 instances are in a private subnet. RDS is in a private subnet. The application logs to CloudWatch Logs. The security team reviews the logs and finds full credit card numbers in the logs. Which of the following actions should the security engineer take to address the data protection issues?

A. Create a CloudWatch Logs subscription filter to redact credit card numbers from the logs after they are sent to CloudWatch
B. Enable RDS encryption with a new KMS key and enforce that all connections to RDS use SSL
C. Modify the application to use TLS when connecting to RDS and update the application code to mask or truncate credit card numbers before logging
D. Enable encryption in transit between the ALB and EC2 by using HTTPS listeners and configure the ALB to re-encrypt traffic to EC2 using a self-signed certificate on each instance
Answer: C

Addresses both encryption in transit and data leakage via logs.

Why this answer

Option C is the best because it addresses both encryption in transit (using TLS between EC2 and RDS) and logging (masking credit card numbers in application code). Option D only adds encryption in transit but does not fix logging. Option A acts on the logs only after they have already been written, so it does not stop the leak at the source.

Option B is about encryption at rest, not in transit or logging.
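An added example, not from the question bank, of the application-side masking that option C calls for: a `logging.Filter` that finds Luhn-valid card numbers in a record and keeps only the last four digits before the handler writes the line. The logger name and sample messages are constructed.

```python
"""Mask card numbers before they reach the log sink (added example, not from the question bank).

A logging.Filter rewrites each record before the handler writes it, so the full PAN
never leaves the application.  Candidates are 13 to 19 digit runs (spaces or dashes
allowed between digits) that pass the Luhn check; only the last four digits survive.
The logger name and messages are constructed.
"""
import io
import logging
import re

PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Standard Luhn checksum; cuts false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text):
    """Replace all but the last four digits of every Luhn-valid PAN in `text`."""
    def redact(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                              # not a card number, leave it alone
        keep_from = len(digits) - 4
        seen, out = 0, []
        for ch in raw:
            if ch.isdigit():
                out.append(ch if seen >= keep_from else "*")
                seen += 1
            else:
                out.append(ch)                      # keep separators so the shape stays readable
        return "".join(out)
    return PAN_CANDIDATE.sub(redact, text)


class PanMaskingFilter(logging.Filter):
    """Scrub the message and its arguments before formatting.

    Arguments are stringified, so callers should use %s placeholders.
    """
    def filter(self, record):
        record.msg = mask_pan(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: mask_pan(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(mask_pan(str(a)) for a in record.args)
        return True


def capture_log(message, *args):
    """Log one line through the filter and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanMaskingFilter())
    logger = logging.getLogger("payments-demo")     # constructed logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue().rstrip("\n")


if __name__ == "__main__":
    print(capture_log("charged %s for user %s", "4111 1111 1111 1111", "alice"))
```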

1284 (MCQ, easy)

A security engineer is tasked with ensuring that all S3 buckets in an AWS account have versioning enabled. The engineer needs to identify buckets that do not have versioning enabled. Which AWS service is BEST suited for this task?

A. AWS Trusted Advisor
B. AWS CloudTrail
C. IAM Access Analyzer
D. AWS Config
Answer: D

Config has managed rules to evaluate bucket versioning status.

Why this answer

AWS Config has a managed rule (s3-bucket-versioning-enabled) that can evaluate S3 buckets and report compliance. Option B (CloudTrail) logs API calls. Option C (IAM Access Analyzer) analyzes policies.

Option A (Trusted Advisor) has limited checks and may not cover all buckets.

1285 (Multi-Select, medium)

A company stores sensitive data in Amazon S3. The security team needs to ensure that data is encrypted at rest and that access is logged. Which TWO actions meet these requirements?

Select 2 answers
A. Enable VPC Flow Logs for the VPC
B. Enable S3 server access logs
C. Enable AWS CloudTrail to log data events
D. Enable default encryption on the S3 bucket
E. Enable AWS IAM Access Analyzer
Answers: B, D

Server access logs record requests to the bucket.

Why this answer

Option D (enable default encryption on the bucket) and Option B (enable S3 server access logs) are correct. Default encryption ensures data is encrypted at rest. Server access logs record requests to the bucket.

Option C is wrong because CloudTrail is for API calls and does not log data events by default. Option A is wrong because VPC Flow Logs capture network traffic, not S3 access. Option E is wrong because IAM Access Analyzer is for analyzing resource policies, not logging access.

1286 (MCQ, hard)

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a default security group that allows all outbound traffic. The instance needs to download files from an S3 bucket in the same region. Which configuration allows this without internet access?

A. Set up an AWS Direct Connect connection to the S3 bucket.
B. Create a VPC gateway endpoint for S3 and add a route to the private subnet's route table.
C. Attach an internet gateway to the VPC and add a route to the private subnet.
D. Create a NAT gateway in the public subnet and add a route to the private subnet's route table.
Answer: B

Gateway endpoint provides private access to S3.

Why this answer

A VPC gateway endpoint for S3 allows private instances to access S3 without internet access, so Option B is correct. A NAT gateway (D) would still require internet access.

An internet gateway (C) would expose the instance. Direct Connect (A) is for on-premises connectivity.

1287 (Multi-Select, medium)

A company wants to allow an IAM role from Account A to access an S3 bucket in Account B. Which THREE conditions must be met?

Select 3 answers
A. The S3 bucket policy in Account B must grant access to the IAM role in Account A.
B. The IAM role in Account A must have a trust policy that allows the S3 bucket's account to assume the role.
C. A service control policy (SCP) must allow the cross-account access.
D. The IAM role must be assumed by an IAM user or AWS service in Account A.
E. The IAM role in Account A must have an IAM permissions policy that allows the required S3 actions.
Answers: A, D, E

The bucket policy must explicitly allow the role.

Why this answer

Options A, D, and E are correct. To grant cross-account access to an S3 bucket, the bucket policy in Account B must grant access to the IAM role in Account A (A), the role in Account A must have a permissions policy that allows the required S3 actions (E), and a user or service in Account A must assume the role to obtain its credentials (D).

Option B is wrong because a trust policy governs who may assume the role; S3 access is granted by the bucket's resource-based policy, so no trust to the bucket's account is needed. Option C is wrong because an SCP could deny the access but is not required to grant it.

1288 (MCQ, easy)

A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

A. Allow inbound HTTP/HTTPS from the internet gateway.
B. Allow inbound HTTP/HTTPS from the security group of the ALB.
C. Allow inbound HTTP/HTTPS from 0.0.0.0/0.
D. Allow inbound HTTP/HTTPS from the VPC CIDR.
Answer: B

This restricts traffic to only the ALB.

Why this answer

Option B is correct because the security group should allow HTTP/S traffic from the ALB's security group, which is a least-privilege best practice. Option C is wrong because allowing all IPs exposes instances to direct internet traffic. Option D is wrong because the VPC CIDR is broader than the ALB, which sits in a public subnet.

Option A is wrong because the instances are in a private subnet and should not receive traffic from the internet.

1289 (MCQ, medium)

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application accesses an S3 bucket to store user uploads. The security team needs to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. What should the security team do?

A. Create an IAM user with programmatic access and use those credentials in the application.
B. Configure a security group that allows outbound traffic to the S3 bucket.
C. Create an IAM role with an S3 access policy and attach it to the EC2 instance profile.
D. Store AWS access keys in a configuration file on the EC2 instances.
Answer: C

IAM roles provide temporary credentials via the instance profile, eliminating the need for stored credentials.

Why this answer

Option C is correct because an IAM instance profile with an IAM role grants temporary credentials to EC2 instances. Option A is wrong because embedding long-lived IAM user credentials in the application is not a best practice. Option B is wrong because security groups do not grant access to S3.

Option D is wrong because storing credentials on instances is insecure.

1290 (MCQ, hard)

Refer to the exhibit. A security engineer runs the get-trail-status command for a CloudTrail trail. The engineer notices that LatestCloudWatchLogsDeliveryTime is null. What does this indicate?

A. The trail has stopped logging.
B. The trail is not delivering logs to S3.
C. The digest delivery has failed.
D. The trail is not configured to deliver logs to CloudWatch Logs.
Answer: D

If CloudWatch Logs integration is not set, the timestamp is null.

Why this answer

Option D is correct because if CloudWatch Logs integration is not configured, that field is null. Option A is wrong because the trail is still logging. Option C is wrong because digest delivery is successful.

Option B is wrong because delivery attempts to S3 succeeded.

1291 (MCQ, easy)

Which of the following is a best practice for securing an AWS account root user?

A. Create access keys for the root user and use them for API calls.
B. Enable multi-factor authentication (MFA) and avoid using the root user.
C. Use the root user for daily administrative tasks.
D. Share the root user password with the IT team for emergency access.
Answer: B

MFA adds security; avoid using the root user.

Why this answer

Option B is correct because the AWS root user has unrestricted access to all AWS resources and services, making it a high-value target. Enabling multi-factor authentication (MFA) adds an extra layer of security beyond the password, and AWS best practices dictate that the root user should only be used for a limited set of tasks (e.g., changing account settings) and never for daily operations. This minimizes the attack surface and reduces the risk of compromise.

Exam trap

The trap here is that candidates may think the root user is necessary for daily administration or that sharing credentials is acceptable for emergencies, but AWS explicitly prohibits these practices in favor of IAM roles and MFA-protected root user access only for account-level changes.

How to eliminate wrong answers

Option A is wrong because creating access keys for the root user violates AWS security best practices; root user access keys provide unrestricted, permanent credentials that cannot be rotated or scoped down, and AWS recommends never using them for API calls. Option C is wrong because using the root user for daily administrative tasks exposes the account to unnecessary risk; instead, AWS Identity and Access Management (IAM) users with appropriate permissions should be used for routine operations. Option D is wrong because sharing the root user password with the IT team undermines accountability and security; AWS recommends using IAM roles or a secure password management system for emergency access, not distributing the root password.

1292 (MCQ, medium)

A security engineer notices that CloudTrail logs for a production account are not being delivered to the S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

A. The S3 bucket does not have versioning enabled.
B. The S3 bucket uses SSE-KMS encryption.
C. The bucket policy does not grant s3:GetBucketAcl to CloudTrail.
D. The S3 bucket contains existing objects before CloudTrail delivery started.
Answer: C

CloudTrail needs GetBucketAcl to verify bucket ownership.

Why this answer

Option C is correct because CloudTrail requires specific permissions, including s3:GetBucketAcl, to verify bucket ownership. Option A is wrong because S3 versioning is not required. Option B is wrong because server-side encryption of the bucket is supported.

Option D is wrong because CloudTrail can handle existing objects.

1293 (MCQ, medium)

A company is designing a data protection strategy for Amazon EBS volumes. They want to automate the creation of point-in-time snapshots for all production volumes and retain them for 90 days. Which solution meets these requirements with the least operational overhead?

A. Write a script using the AWS CLI that creates snapshots and runs on a schedule via cron on an EC2 instance
B. Use Amazon Data Lifecycle Manager (DLM) to create a policy that takes snapshots daily and retains them for 90 days
C. Use an AWS Lambda function triggered by CloudWatch Events to create snapshots and delete old ones
D. Use AWS Backup to create a backup plan for EBS volumes with a 90-day retention
Answer: B

Automated, native solution.

Why this answer

Amazon Data Lifecycle Manager (DLM) is designed to automate EBS snapshot creation and retention, so Option B is correct. Option A is a manual scripting approach, Option C adds custom code to maintain, and Option D (AWS Backup) also works but is a broader backup service with more overhead for this single requirement.

1294 (MCQ, hard)

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt objects. Which KMS key policy configuration should be used?

A. Attach an IAM policy to the role that allows kms:Decrypt, and leave the KMS key policy with default settings.
B. In the key policy, use a Principal element specifying the role ARN, and allow kms:Decrypt.
C. Use a grant for the role to allow kms:Decrypt for S3 operations.
D. In the key policy, use a Condition block with kms:ViaService set to s3.<region>.amazonaws.com and allow kms:Decrypt for the role.
Answer: D

This restricts decryption requests to come via the S3 service, meeting the requirement.

Why this answer

Option D is correct because the kms:ViaService condition restricts key usage to requests coming through S3, and the IAM role's permission to decrypt is granted in the key policy, not only in an IAM policy. Option A is wrong because without the key policy granting decrypt, the IAM policy alone is insufficient. Option B is wrong because it grants blanket access to the role without the S3 service restriction.

Option C is wrong because it doesn't restrict use to a specific role.

1295 (MCQ, easy)

A company is using AWS Systems Manager Session Manager to provide secure shell access to EC2 instances without opening inbound ports. Which of the following is a requirement for this setup?

A. The EC2 instance must have an IAM role that allows SSM actions.
B. The EC2 instance must be in a public subnet.
C. The EC2 instance must have a public IP address.
D. The security group must allow inbound SSH from 0.0.0.0/0.
Answer: A

The SSM Agent uses the role to communicate with Systems Manager.

Why this answer

Option A is correct. Session Manager requires the SSM Agent installed on the EC2 instance and an IAM role that allows the agent to communicate with the Systems Manager service. Option B is not required; the instance can sit in a private subnet.

Option C is not required; the agent uses the AWS API. Option D is not required; Session Manager works without SSH, so security groups can remain restrictive.

1296 (MCQ, medium)

A company needs to securely store database credentials used by a Lambda function. The credentials must be automatically rotated. Which service should be used?

A. AWS Identity and Access Management (IAM)
B. AWS Key Management Service (KMS)
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager supports automatic rotation of database credentials.

Why this answer

AWS Secrets Manager supports automatic rotation of credentials for RDS databases. Systems Manager Parameter Store can store secrets but does not natively rotate them (unless with custom automation). KMS is for encryption keys, not credential management.

IAM is not for storing secrets.

1297 (MCQ, medium)

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all users use MFA for API calls. An IAM policy is created that denies all actions unless MFA is present. The policy is attached to all users. However, users report that they can still make API calls without MFA. The security team reviews the policy and confirms it is correct. What is the most likely reason the policy is not being enforced?

A. The policy uses the wrong condition key; it should be 'aws:MultiFactorAuthPresent'.
B. AWS CloudTrail is not enabled, so the policy cannot be evaluated.
C. An SCP at the root level allows all actions without MFA.
D. The IAM password policy does not require MFA.
Answer: A

Correct: The condition key must be exactly correct.

Why this answer

Option A is correct. The Deny only takes effect when its condition matches the request context, so the condition must reference the exact key, 'aws:MultiFactorAuthPresent'. If the policy uses 'aws:MultiFactorAuthAge', a misspelled key, or some other key, the condition never matches and the Deny is never applied, which is exactly what the users report. Other explanations, such as the policy not actually being attached or an inline policy overriding it, are ruled out because the question states the policy is attached to every user and has been reviewed. Option C is wrong because SCPs are not used in a single account. Option B is wrong because CloudTrail does not enforce MFA.

Option D is wrong because the password policy does not affect API calls.

1298 (MCQ, medium)

A company uses AWS Organizations and wants to restrict the AWS Regions in which resources can be created across all member accounts. Which mechanism should be used?

A. Apply a service control policy (SCP) that denies operations in unauthorized regions.
B. Use VPC endpoints to restrict API calls to specific regions.
C. Configure AWS Config rules to detect and delete resources in unauthorized regions.
D. Attach an IAM policy to each user that denies operations in unauthorized regions.
Answer: A

Correct: SCPs can deny actions in specific regions across all accounts.

Why this answer

Option A is correct because an SCP can deny operations in unauthorized regions across every member account. Option D is wrong because per-user IAM policies can be overridden by account administrators. Option B is wrong because VPC endpoints do not control region usage.

Option C is wrong because AWS Config can detect resources in unauthorized regions but does not prevent their creation.

1299 (Multi-Select, medium)

A company uses Amazon GuardDuty to monitor its AWS environment. The security team has received a GuardDuty finding of type 'Recon:EC2/PortProbeUnprotectedPort'. The finding indicates that an EC2 instance has an open SSH port that is being probed from the internet. The team wants to reduce the attack surface and prevent future probes. Which THREE actions should the team take? (Choose THREE.)

Select 3 answers
A. Suppress the GuardDuty finding to reduce noise.
B. Modify the security group to allow SSH only from specific IP addresses.
C. Terminate the EC2 instance and launch a new one.
D. Move the instance to a private subnet and use a NAT gateway for outbound internet access.
E. Use AWS Systems Manager Session Manager to access the instance instead of SSH.
Answers: B, D, E

Restricting SSH access reduces the attack surface.

Why this answer

Options B, D, and E are correct: restricting SSH in the security group to known IPs, placing the instance in a private subnet with a NAT gateway, and using Systems Manager Session Manager instead of SSH. Option C is wrong because terminating the instance is not necessary if it can be secured. Option A is wrong because GuardDuty suppression is for false positives, not for fixing actual exposures.

1300 (Multi-Select, medium)

A security engineer is designing a solution to protect sensitive data in S3. Which THREE mechanisms can be used to enforce encryption at rest?

Select 3 answers
A. Use an SCP to deny s3:PutObject without encryption
B. Enable default encryption on the S3 bucket
C. Enable cross-region replication
D. Apply a bucket policy that denies PutObject without the x-amz-server-side-encryption header
E. Enable MFA Delete on the S3 bucket
Answers: A, B, D

Enforces encryption across accounts.

Why this answer

Option A is correct because an SCP (Service Control Policy) can be applied at the organizational level to deny any s3:PutObject action that does not include encryption parameters. This enforces encryption at rest across all accounts in the organization, preventing users from uploading unencrypted objects regardless of individual bucket policies or default encryption settings.

Exam trap

The trap here is that candidates confuse cross-region replication (which copies encrypted objects but does not enforce encryption) with an encryption enforcement mechanism, or they think MFA Delete relates to encryption at rest when it only protects against deletion.

1301 (MCQ, easy)

A company wants to allow an IAM user to manage only their own password in the AWS Management Console. Which IAM policy action should be used?

A. iam:ChangePassword
B. iam:ListUsers
C. iam:CreateAccessKey
D. iam:DeactivateMFADevice
Answer: A

Allows the user to change their own password.

Why this answer

Option A is correct because iam:ChangePassword allows the user to change their own password (iam:GetAccountPasswordPolicy additionally lets them view the password policy). Option B allows listing users, which is not needed.

Option C allows creating access keys, which is unrelated. Option D allows deactivating an MFA device.

1302 (Multi-Select, hard)

A security engineer is designing a logging strategy for a multi-account environment. The engineer needs to ensure that all API activity across accounts is logged and that logs are immutable and centrally accessible. Which THREE actions should the engineer take?

Select 3 answers
A. Stream logs to CloudWatch Logs for real-time monitoring.
B. Create an AWS CloudTrail organization trail that logs to a central S3 bucket.
C. Enable S3 Object Lock in Compliance mode on the central bucket.
D. Enable VPC Flow Logs in all accounts and send to the central bucket.
E. Grant the central bucket policy to allow only the CloudTrail service to write logs.
Answers: B, C, E

Organization trails log all accounts in the organization.

Why this answer

To log all API activity across accounts, use a CloudTrail organization trail. To make logs immutable, enable S3 Object Lock in Compliance mode. To centralize access, store logs in a central S3 bucket whose policy allows only the CloudTrail service to write.

Options B, C, and E are correct. Option A is wrong because CloudWatch Logs is not for immutable storage. Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

1303 (MCQ, medium)

A security engineer needs to ensure that all EC2 instances launched in an account have a specific tag (e.g., CostCenter) applied. If an instance is launched without the tag, it should be automatically terminated. Which solution meets these requirements with minimal effort?

A. Use an SCP to deny ec2:RunInstances if the request does not include the required tag.
B. Use AWS Organizations Tag Policies to enforce the tag.
C. Use AWS Config rules with an automatic remediation action that invokes a Lambda function to terminate the instance.
D. Use AWS CloudTrail to detect RunInstances events and send alerts to the security team.
Answer: C

Config can detect untagged instances and auto-remediate by terminating them.

Why this answer

Option C is correct because AWS Config rules can detect untagged instances and trigger a Lambda function to terminate them. Option A is wrong because SCPs cannot enforce tagging on EC2 instances. Option B is wrong because Tag Policies only enforce tagging on resources that support tags, but they do not auto-remediate.

Option D is wrong because CloudTrail can detect launch events but cannot automatically terminate instances.

1304 (MCQ, medium)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally aggregate and analyze VPC Flow Logs from all accounts. Which solution is MOST efficient and scalable?

A. Configure VPC Flow Logs to send to an S3 bucket in each account and use S3 Cross-Region Replication to a central bucket.
B. Launch Amazon EC2 instances in each account to run tcpdump and send logs to a central S3 bucket.
C. Configure VPC Flow Logs to send to CloudWatch Logs in each account and use cross-account CloudWatch dashboards.
D. Configure VPC Flow Logs to send to Amazon Kinesis Data Firehose in each account, which delivers to a central Amazon OpenSearch Service domain.
Answer: D

Scalable, real-time, and centralized.

Why this answer

Option D is correct because Amazon Kinesis Data Firehose can directly receive VPC Flow Logs from each account and deliver them to a centralized Amazon OpenSearch Service domain, enabling near-real-time aggregation and analysis without intermediate storage or replication overhead. This architecture is serverless, scales automatically, and avoids the complexity of managing cross-account S3 replication or EC2 instances, making it the most efficient and scalable solution for centralized log analysis.

Exam trap

The trap here is that candidates often default to S3-based solutions (Option A) because they are familiar with S3 for log storage, but they overlook that Kinesis Data Firehose provides a more direct, serverless pipeline for real-time analysis without the latency and complexity of S3 replication.

How to eliminate wrong answers

Option A is wrong because S3 Cross-Region Replication adds latency, requires managing replication rules and IAM permissions across accounts, and does not provide native querying or analysis capabilities; logs would need additional services like Athena or OpenSearch for analysis. Option B is wrong because launching EC2 instances to run tcpdump is inefficient, introduces management overhead, scales poorly across many accounts, and tcpdump captures raw packets rather than VPC Flow Logs, which are already a structured log format. Option C is wrong because cross-account CloudWatch dashboards only visualize logs stored in each account's CloudWatch Logs; they do not centrally aggregate the logs into a single store, and querying across accounts requires complex cross-account log group subscriptions or additional infrastructure.

1305
MCQmedium

An organization uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which approach would enforce this across all accounts?

A.Create IAM roles in each account to enforce encryption.
B.Apply an S3 bucket policy to each bucket requiring encryption.
C.Apply a Service Control Policy that denies PutBucketPolicy or PutBucketEncryption without encryption.
D.Use AWS Config rules to detect unencrypted buckets.
AnswerC

SCPs centrally prevent noncompliant actions.

Why this answer

Option C is correct because a Service Control Policy applies to every account in the organization and can deny the S3 actions that would leave a bucket or object unencrypted (for example s3:DeleteBucketEncryption, or s3:PutObject when the s3:x-amz-server-side-encryption condition key is absent). Option D is wrong because AWS Config is detective: it reports an unencrypted bucket after the fact but does not prevent one. Option A is wrong because IAM roles must be created and maintained separately in each account and grant permissions rather than restrict them.

Option B is wrong because bucket policies are per bucket and cannot be applied centrally to buckets that do not exist yet. One caveat for practice: Amazon S3 has applied SSE-S3 to every new object by default since January 2023, so the SCP mainly guards against someone removing or weakening a bucket's default encryption configuration.

1306
MCQmedium

A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

A.Configure a bucket policy that denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms.
B.Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
C.Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
D.Disable SSE-KMS in the AWS KMS key policy to prevent its use.
AnswerC

This policy enforces SSE-S3 for uploads without affecting reads of existing objects.

Why this answer

Option C is correct because it uses a bucket policy to deny s3:PutObject unless the x-amz-server-side-encryption header is set to AES256, the value that selects SSE-S3. This forces all future uploads to SSE-S3, while existing SSE-KMS objects remain readable because the statement is scoped to the write operation. The condition key s3:x-amz-server-side-encryption reflects the request header, and an explicit Deny overrides any Allow. Caveat: S3 evaluates the bucket policy before applying default encryption, and StringNotEquals is satisfied when the key is absent, so a PUT that omits the header is denied as well even though default encryption would have made it SSE-S3; use StringNotEqualsIfExists if header-less uploads should be allowed to fall back to the bucket default.

Exam trap

The trap here is that candidates confuse the condition key s3:x-amz-server-side-encryption with s3:x-amz-server-side-encryption-aws:kms, or think that default encryption can be overridden by a bucket policy without explicitly denying non-compliant uploads.

How to eliminate wrong answers

Option A is wrong because there is no condition key named s3:x-amz-server-side-encryption-aws:kms; the key is s3:x-amz-server-side-encryption, and its value for SSE-KMS is aws:kms. Even with the key corrected, denying requests that carry aws:kms only blocks SSE-KMS uploads and does not require SSE-S3, so an upload that asks for no encryption at all would still pass. Option B is wrong because S3 Lifecycle rules transition objects between storage classes or expire them; they cannot re-encrypt an object under a different mechanism (that takes a copy operation). Option D is wrong because there is no switch in a KMS key policy that "disables SSE-KMS"; removing kms:Decrypt from the key policy would make the existing SSE-KMS objects unreadable, and it does nothing to require SSE-S3 for new uploads.

1307
MCQeasy

A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

A.All requests to the bucket are denied regardless of protocol.
B.All requests to the bucket must be made over HTTPS.
C.The policy has no effect because it uses a condition.
D.All requests to the bucket must be made over HTTP.
AnswerB

The policy denies requests that are not over HTTPS.

Why this answer

Option B is correct because the policy denies every S3 action on the bucket when aws:SecureTransport is false, that is, when the request arrives over plain HTTP; only TLS connections get through. Option A is wrong because the Deny is conditional: HTTPS requests are not matched by the statement and are still governed by whatever Allow statements apply.

Option C is wrong because a condition is exactly how the statement is scoped; it is evaluated, not ignored. Option D is wrong because the policy denies non-HTTPS requests rather than requiring them.
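The two statements from questions 1306 and 1307, evaluated against sample requests by a small policy evaluator written for this page (an added example, not code from AWS or from the question bank). It models only what the two statements need: the StringNotEquals and Bool operators, explicit-deny-wins, and IAM's rule that a negated operator matches when the condition key is absent. The bucket name and object key are hypothetical, and "Allow" assumes the caller's identity policy already grants the action.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-sensitive-bucket"  # hypothetical bucket
OBJECT_ARN = f"{BUCKET_ARN}/reports/q1.csv"           # hypothetical object

# The two statements under discussion, combined into one bucket policy:
# question 1306's deny-unless-AES256 on uploads and question 1307's deny-unless-TLS.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireSSES3OnUpload",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {
            "Sid": "RequireTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate one Condition block; every operator/key pair must hold.
    Only the operators the two statements use are modelled. A negated operator
    (StringNotEquals) is satisfied when the key is absent from the request,
    which is why a header-less upload falls under the first deny."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny:<Sid>' for the first explicit deny that matches, else 'Allow'.
    'Allow' assumes the caller's identity policy already grants the action; the
    question is only which requests the bucket policy blocks."""
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny" and _condition_holds(stmt.get("Condition", {}), context):
            return f"Deny:{stmt['Sid']}"
    return "Allow"


if __name__ == "__main__":
    # Request contexts as S3 populates them: the encryption header only exists on a PUT.
    cases = [
        ("PUT SSE-S3 over HTTPS", "s3:PutObject", OBJECT_ARN,
         {"s3:x-amz-server-side-encryption": "AES256", "aws:SecureTransport": True}),
        ("PUT SSE-KMS over HTTPS", "s3:PutObject", OBJECT_ARN,
         {"s3:x-amz-server-side-encryption": "aws:kms", "aws:SecureTransport": True}),
        ("PUT with no header over HTTPS", "s3:PutObject", OBJECT_ARN, {"aws:SecureTransport": True}),
        ("GET existing SSE-KMS object over HTTPS", "s3:GetObject", OBJECT_ARN, {"aws:SecureTransport": True}),
        ("GET over plain HTTP", "s3:GetObject", OBJECT_ARN, {"aws:SecureTransport": False}),
    ]
    for label, action, resource, ctx in cases:
        print(f"{label:40} -> {evaluate(POLICY, action, resource, ctx)}")
```

The third case is the caveat from question 1306 made visible: a PUT with no encryption header is denied by RequireSSES3OnUpload even though the bucket default would have applied SSE-S3, because the bucket policy is evaluated first and StringNotEquals matches a missing key. The fourth case shows why existing SSE-KMS objects stay readable: the first statement covers only s3:PutObject, and a GET over TLS is matched by neither deny.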

1308
Multi-Selecteasy

Which TWO AWS services provide key management for encryption at rest? (Choose 2.)

Select 2 answers
A.AWS Systems Manager Parameter Store
B.AWS CloudHSM
C.AWS Certificate Manager (ACM)
D.AWS Key Management Service (KMS)
E.AWS Secrets Manager
AnswersB, D

Dedicated HSM for key management.

Why this answer

AWS Key Management Service (KMS) is a managed service for creating and controlling KMS keys (formerly called customer master keys) that encrypt data at rest across AWS services such as S3, EBS and RDS. AWS CloudHSM provides dedicated hardware security modules that let you generate, store and use your own keys in tamper-resistant hardware validated at FIPS 140-2 Level 3. Both services are key management for encryption at rest: KMS adds integrated key rotation, grants and CloudTrail auditing, while CloudHSM gives you exclusive control over the HSM and the keys in it (KMS can also be backed by a CloudHSM cluster through a custom key store).

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager or Systems Manager Parameter Store as key management services because they store encrypted secrets, but they are secret storage services that rely on KMS for encryption and do not provide independent key management for encryption at rest.

1309
MCQmedium

A company has an IAM policy that allows a user to launch EC2 instances only in a specific Availability Zone (us-east-1a). The user is able to launch instances, but the instances are launched in us-east-1b instead. What is the most likely reason?

A.The policy is not attached to the user; it is attached to a group.
B.The user is using an IAM role that overrides the policy.
C.The policy uses a condition with ec2:Region instead of ec2:AvailabilityZone.
D.The policy uses the condition key "aws:RequestedAvailabilityZone" which is not valid; it should be "ec2:AvailabilityZone".
AnswerD

The correct condition key is ec2:AvailabilityZone.

Why this answer

Option D is correct because aws:RequestedAvailabilityZone is not a condition key that IAM recognizes, so the condition never constrains where the instance is placed the way the author intended; the key that carries the Availability Zone of the instance, subnet, volume or network interface in an ec2:RunInstances request is ec2:AvailabilityZone, a service-specific key rather than a global aws: key. IAM Access Analyzer policy validation flags unknown condition keys, which is the quickest way to catch this mistake before the policy is attached. Option A is wrong because a policy attached to a group applies to every user in the group. Option B is wrong because assuming a role replaces the user's permissions with the role's for that session; a role does not override a user policy that is in effect.

Option C describes a different mistake: ec2:Region is a valid key, but a Region condition would permit any Availability Zone in us-east-1, and the policy in question names an AZ, not a Region.

1310
MCQeasy

A company wants to implement a least-privilege security model for its AWS environment. The security team has identified that many IAM users have overly permissive policies. The team wants to use AWS IAM Access Analyzer to identify policies that grant access to external principals. However, the team is not seeing any findings. What is the most likely reason?

A.IAM Access Analyzer is not enabled for the account.
B.IAM Access Analyzer only analyzes S3 bucket policies, not IAM policies.
C.IAM Access Analyzer requires AWS Organizations to be enabled.
D.All policies are already least-privilege and do not grant access to external principals.
AnswerA

The analyzer must be enabled in each account to generate findings.

Why this answer

Option A is correct because IAM Access Analyzer produces findings only once an analyzer has been created, in each account (or, for an organization-wide zone of trust, in the delegated administrator account); with no analyzer there is nothing to report. Option B is wrong because external access analysis covers resource-based policies on S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets and other resource types, not only S3.

Option C is wrong because an account-level analyzer works without AWS Organizations; an organization is only needed if the zone of trust should span all member accounts. Option D is wrong because the stem says many policies are overly permissive, so a complete absence of findings points to the analyzer not running. One caveat a practitioner should know: external-access findings come from resource-based policies (who outside the zone of trust can reach a resource); an overly permissive identity-based policy on an IAM user does not by itself produce an external-access finding, so the team should also use the analyzer's policy validation and unused-access findings to tighten those policies.

1311
MCQhard

A security engineer needs to analyze VPC Flow Logs to identify traffic to a known malicious IP address. The logs are stored in Amazon S3. Which approach is the most cost-effective for querying the logs?

A.Use Amazon Athena to query the logs in S3
B.Load the logs into an Amazon Redshift cluster
C.Use Amazon EMR to run Spark jobs
D.Use Amazon QuickSight to connect to S3
AnswerA

Athena is cost-effective for ad-hoc queries on S3 data.

Why this answer

Amazon Athena queries the flow log files where they sit in S3 and bills only for the data scanned, so a one-off hunt for a single destination address costs cents; partitioning the table by date and delivering flow logs in Parquet format keep the scanned volume small. Amazon Redshift requires a running cluster (or Serverless capacity) and a load step before the first query. Amazon QuickSight is a visualization layer that would still query through Athena or load the data into SPICE, adding cost rather than removing it.

Amazon EMR means provisioning a cluster to run a job that a single SQL statement can answer.

1312
MCQeasy

A startup uses a single AWS account for development. The security engineer wants to detect if any EC2 instances have been compromised and are performing reconnaissance by probing open ports on other internal instances. The engineer has enabled VPC Flow Logs for all subnets. What is the most cost-effective way to detect this behavior?

A.Enable Amazon GuardDuty and review the findings.
B.Install a third-party intrusion detection system on each EC2 instance.
C.Use Amazon CloudWatch Logs Insights to query VPC Flow Logs for rejected traffic patterns.
D.Use AWS Config rules to check for security group changes.
AnswerA

GuardDuty automatically detects reconnaissance activity.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to analyze VPC Flow Logs, DNS logs, and other data sources. It can automatically detect reconnaissance behavior such as port probing or port scanning from compromised EC2 instances without requiring any additional infrastructure or manual query setup. This makes it the most cost-effective solution because it operates on a pay-per-volume basis and eliminates the need for custom log analysis or per-instance agents.

Exam trap

The trap here is that candidates often assume querying VPC Flow Logs directly with CloudWatch Logs Insights is the most cost-effective approach, but they overlook the operational cost and lack of automation, while GuardDuty provides automated, managed detection with no manual query overhead.

How to eliminate wrong answers

Option B is wrong because installing a third-party intrusion detection system on each EC2 instance incurs significant overhead in terms of licensing, management, and compute resources, and it is not cost-effective compared to a managed service like GuardDuty. Option C is wrong because while CloudWatch Logs Insights can query VPC Flow Logs, it requires manual creation and tuning of queries to detect port scanning patterns, and it does not provide automated, continuous detection or threat intelligence integration, leading to higher operational cost and potential missed detections. Option D is wrong because AWS Config rules monitor changes to security group configurations, not network traffic patterns; they cannot detect active reconnaissance behavior such as port probing or scanning.
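A small parser for the default VPC Flow Log format that answers both questions above offline: the hunt for flows to a known-bad address (question 1311) and the crude port-probe signature that reconnaissance detection is built on (question 1312). This is an added example for this page, not AWS code; the log lines are constructed, and the account id, interface ids, internal addresses and the 198.51.100.7 "malicious" address are placeholders.

```python
from collections import defaultdict

# Constructed records in the default VPC Flow Log format (version 2). Account id,
# interface ids and addresses are placeholders; 198.51.100.7 plays the known-bad IP.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49152 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49153 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49154 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49155 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49156 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49157 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 198.51.100.7 51000 443 6 20 14000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0f9e8d7c6b5a49382 10.0.3.9 10.0.2.40 40000 443 6 10 5000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0f9e8d7c6b5a49382 - - - - - - - 1700000100 1700000160 - NODATA
"""

# Field order of the default format, as documented for VPC Flow Logs.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Turn raw flow log lines into dicts, dropping NODATA/SKIPDATA records,
    which carry no addresses or counters."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in NUMERIC:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def flows_to(records, ip):
    """Question 1311: every flow whose destination is the known-bad address."""
    return [r for r in records if r["dstaddr"] == ip]


def bytes_to(records, ip):
    """Volume sent to the address, the number an exfiltration report needs."""
    return sum(r["bytes"] for r in flows_to(records, ip))


def port_scan_sources(records, min_ports=5):
    """Question 1312: sources rejected on at least min_ports distinct destination
    ports, the crude signature of a port probe from a compromised instance."""
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
    return {src: len(ports) for src, ports in rejected_ports.items() if len(ports) >= min_ports}


RECORDS = parse_flow_log(SAMPLE_FLOW_LOG)

if __name__ == "__main__":
    print("flows to 198.51.100.7:", [(r["srcaddr"], r["bytes"]) for r in flows_to(RECORDS, "198.51.100.7")])
    print("probable port scanners:", port_scan_sources(RECORDS))
```

The Athena form of the first function, against the flow-log table schema in the AWS documentation, is a SELECT of srcaddr, dstaddr and sum(bytes) filtered on dstaddr and grouped by the address pair; the second groups by srcaddr and counts distinct dstport where action is REJECT. Tune min_ports to the environment: a vulnerability scanner or a load balancer health check will trip a low threshold, which is the kind of false positive a managed detector like GuardDuty already handles for you.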

1313
Multi-Selecteasy

A company wants to grant an IAM user the ability to manage (create, update, delete) their own access keys. Which TWO IAM actions must be allowed in the policy?

Select 2 answers
A.iam:UpdateAccessKey
B.iam:CreateAccessKey
C.iam:GetAccessKeyLastUsed
D.iam:DeleteAccessKey
E.iam:ListAccessKeys
AnswersB, D

Needed to create a new access key.

Why this answer

Options B and D are correct because iam:CreateAccessKey and iam:DeleteAccessKey are the write actions that create and remove keys; scope them to the caller's own identity with a Resource of arn:aws:iam::*:user/${aws:username} so the permission cannot be used against other users. Option A (iam:UpdateAccessKey) only toggles a key between Active and Inactive and is usually granted as well for rotation, but the question asks for the two actions that create and delete. Option E (iam:ListAccessKeys) is read-only and convenient for self-service, but not required to manage keys.

Option C (iam:GetAccessKeyLastUsed) is read-only.

1314
MCQmedium

A security engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address. The engineer needs to capture and analyze the network traffic to determine what data is being exfiltrated. Which AWS service should be used to capture the traffic for analysis?

A.Amazon Inspector
B.Amazon GuardDuty
C.VPC Flow Logs
D.AWS CloudTrail
AnswerC

VPC Flow Logs capture IP traffic metadata for analysis.

Why this answer

Option C is correct because VPC Flow Logs record the IP traffic metadata for a network interface: source and destination addresses, ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected, which is enough to establish the destination, volume and timing of the outbound traffic. Option D is wrong because AWS CloudTrail records API calls, not network traffic. Option B is wrong because Amazon GuardDuty analyzes flow logs and DNS logs to raise findings but does not expose the underlying traffic for analysis.

Option A is wrong because Amazon Inspector assesses software vulnerabilities and network reachability, not live traffic. Caveat: flow logs carry no payload, so if the investigation must see what left the instance rather than where it went, mirror the instance's traffic with VPC Traffic Mirroring to a capture appliance.

1315
MCQhard

A security engineer is troubleshooting a situation where an IAM user is unable to assume a role in a different account. The trust policy of the role allows the user's account to assume the role, and the user has permissions to call AssumeRole. However, the user receives an 'AccessDenied' error. What is the most likely cause?

A.The role ARN is incorrect.
B.The user's IAM policy does not grant sts:AssumeRole for the target role.
C.An SCP in the user's account denies sts:AssumeRole.
D.The role requires MFA and the user has not authenticated with MFA.
AnswerB

Even if the trust policy allows the account, the user must have explicit permissions to assume the role.

Why this answer

Option B is correct because a cross-account role assumption needs two grants: the role's trust policy must allow the caller's account (or the specific principal), and the caller's identity-based policy must allow sts:AssumeRole on the target role's ARN. A user who has sts:AssumeRole on other roles, or on a wildcard that does not cover this role, still receives AccessDenied for this one. Option A is wrong as the most likely cause because the stem says the trust policy was verified, which implies the role was found; a mistyped ARN also surfaces as AccessDenied, so check the exact ARN first anyway. Option C is wrong as the most likely cause because nothing in the stem mentions an SCP, although an SCP denying sts:AssumeRole is an explicit deny that overrides the user's Allow and is the next thing to check.

Option D is wrong as the most likely cause for the same reason: a trust-policy condition on aws:MultiFactorAuthPresent also produces AccessDenied, but the stem does not say the role requires MFA.

1316
MCQmedium

A security engineer reviews the above CloudTrail event. Which action should the engineer take FIRST to mitigate a potential security issue?

A.Revert the bucket policy to remove the public access.
B.Delete the bucket to prevent data exposure.
C.Contact the root user to confirm the action.
D.Disable the root user's access keys.
AnswerA

The bucket is now publicly readable; immediate remediation is needed.

Why this answer

The CloudTrail event shows that the root user executed s3:PutBucketPolicy to apply a bucket policy that grants public access (an Allow statement with "Principal": "*" on s3:GetObject). Reverting the bucket policy to remove the public grant is the immediate corrective action that stops the exposure; everything else is follow-up.

Exam trap

The trap here is that candidates may focus on disabling the root user's access keys (Option D) because they associate root user actions with compromised credentials, but the real issue is the bucket policy itself—the root user intentionally or unintentionally made the bucket public, and the immediate fix is to revert that policy.

How to eliminate wrong answers

Option B is wrong because deleting the bucket is destructive, loses data and breaks any legitimate workload; the first step is to fix the policy, not to destroy the resource. Option C is wrong because the root user is the principal that performed the action; asking them to "confirm" delays remediation while the bucket stays public. Option D is wrong as the first step because the exposure is caused by the policy now in effect, not by the credentials: disabling root access keys (which should not exist at all) does not remove the public grant. Locking down the root user and reviewing how it came to be used are sound follow-ups once the bucket is closed.

1317
Multi-Selecthard

A security engineer is designing a logging solution for a multi-account environment using AWS Organizations. The solution must meet the following requirements: - Logs from all accounts must be centrally stored and immutable. - Only the security team should be able to delete logs. - Logs must be encrypted at rest. Which TWO steps should the engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Enable S3 default encryption on the log bucket.
B.Enable S3 Object Lock and configure a bucket policy to deny s3:DeleteObject unless the principal is the security team.
C.Stream logs to CloudWatch Logs and set a retention policy of 10 years.
D.Create an IAM role in each account that allows the security team to access logs.
E.Enable CloudTrail organizational trail in the management account.
AnswersB, E

Prevents deletion and restricts to security team.

Why this answer

Options B and E are correct. Option E: an organization trail created in the management account records events from every member account into one bucket, which satisfies central storage. Option B: S3 Object Lock prevents objects from being overwritten or deleted for the retention period, and a bucket policy that denies s3:DeleteObject for every principal except the security team's role restricts deletion to them. Use governance mode if the security team must be able to delete during retention (with s3:BypassGovernanceRetention); compliance mode cannot be overridden by anyone, including the root user. CloudTrail encrypts delivered log files with SSE-S3 by default, and SSE-KMS can be configured on the trail, which covers the encryption requirement without a separate step.

Option D is wrong because a role in each account scatters access rather than centralizing the logs. Option A is wrong because default encryption does not prevent deletion, and the trail already encrypts its log files. Option C is wrong because a CloudWatch Logs retention policy expires logs on a schedule but does not stop a principal with logs:DeleteLogGroup from removing them.

1318
MCQeasy

A company has enabled AWS CloudTrail and wants to receive real-time notifications when specific API calls, such as DeleteTrail, are made. Which service should be used to trigger an alert based on CloudTrail log events?

A.AWS CloudTrail console notifications
B.Amazon CloudWatch Events / Amazon EventBridge
C.Amazon VPC Flow Logs
D.Amazon S3 event notifications
AnswerB

EventBridge can match CloudTrail events and trigger actions like SNS notifications.

Why this answer

Amazon EventBridge (which absorbed CloudWatch Events) is the service that triggers real-time alerts on CloudTrail API activity. With CloudTrail logging enabled, each management API call is delivered to EventBridge as an event with detail type "AWS API Call via CloudTrail"; a rule whose pattern matches source aws.cloudtrail and eventName DeleteTrail routes the event to an SNS topic, a Lambda function or another target. No CloudWatch Logs hop is needed on this path, although CloudTrail can also deliver to CloudWatch Logs for metric-filter alarms.

Exam trap

The trap here is that candidates often confuse S3 event notifications (which work on S3 objects) with CloudTrail log delivery to S3, mistakenly thinking S3 notifications can parse CloudTrail logs for specific API calls, but S3 notifications only react to bucket-level object events, not the content of log files.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail console notifications do not exist as a feature; CloudTrail does not provide built-in real-time alerting from its console. Option C is wrong because Amazon VPC Flow Logs capture IP traffic metadata (source/destination IPs, ports, protocols) and are not designed to monitor or alert on CloudTrail API call events. Option D is wrong because Amazon S3 event notifications are triggered by object-level operations (e.g., PutObject, DeleteObject) in an S3 bucket, not by CloudTrail log events or API calls like DeleteTrail.

1319
Multi-Selectmedium

A company wants to implement a least-privilege access model for their AWS resources. Which TWO of the following are best practices for achieving this?

Select 2 answers
A.Use a single IAM role for all users in the account.
B.Grant permissions only for the specific actions required.
C.Attach IAM policies to groups rather than individual users.
D.Use conditions in IAM policies to restrict access based on attributes like source IP or time.
E.Always use AWS managed policies instead of customer managed policies.
AnswersB, D

This is the fundamental practice of least-privilege.

Why this answer

Option B is correct: granting only the actions a principal actually needs is the core of least privilege. Option D is correct: conditions such as aws:SourceIp, aws:CurrentTime or aws:MultiFactorAuthPresent narrow when and from where a permission can be used. Option A is wrong because a single shared role gives every user the union of everyone's permissions.

Option C is wrong because attaching policies to groups is good hygiene that simplifies management, but it says nothing about how broad the permissions are. Option E is wrong because AWS managed policies are written for broad use cases and are often wider than a workload needs; a customer managed policy is what you write to reach least privilege.

1320
MCQhard

A company's security team is investigating a potential security incident. They have enabled CloudTrail and CloudWatch Logs. They want to receive real-time alerts when an IAM user creates a new access key. Which combination of services should be used to achieve this?

A.AWS Config rules with an SNS topic
B.Amazon GuardDuty with an SNS topic
C.CloudTrail with CloudWatch Logs, metric filter, alarm, and SNS topic
D.CloudTrail with Lambda function invocation
AnswerC

Correct end-to-end solution.

Why this answer

Option C is correct. CloudTrail delivers the CreateAccessKey event to a CloudWatch Logs log group; a metric filter with the pattern { $.eventName = "CreateAccessKey" } increments a custom metric, a CloudWatch alarm on that metric fires on the first occurrence, and the alarm action publishes to an SNS topic that notifies the team. This is the pattern the CIS AWS Foundations Benchmark monitoring controls are built on.

Option A is wrong because AWS Config evaluates resource configuration, not individual API calls, and its evaluations are not real time. Option B is wrong because GuardDuty raises findings for suspicious behaviour but cannot be told to alert on an arbitrary API call. Option D is wrong because CloudTrail does not invoke Lambda directly; a function needs an EventBridge rule or a CloudWatch Logs subscription in front of it (a valid design, but not the combination listed).

1321
MCQeasy

A company has an incident response (IR) process that includes isolating compromised EC2 instances. During a security incident, the IR team needs to block all traffic to and from a compromised instance while preserving the instance for forensic analysis. Which approach should the team take?

A.Detach the instance from the Auto Scaling group and stop it.
B.Modify the security group associated with the instance to remove all inbound and outbound rules.
C.Update the network ACL for the subnet to deny all traffic.
D.Terminate the instance immediately.
AnswerB

This blocks all traffic to/from the instance while keeping it running for forensics.

Why this answer

Option B is correct because security groups have no deny rules; removing every inbound and outbound rule leaves the implicit deny in both directions, which isolates the instance within seconds while it keeps running, so memory, running processes and the EBS volumes are preserved for forensics. In practice, move the instance onto a dedicated quarantine security group with no rules rather than editing a group that other instances share, and snapshot the volumes before anyone logs in. Option A is wrong because stopping the instance discards volatile memory and any connections you may want to observe. Option D is wrong because terminating the instance destroys the evidence.

Option C is wrong because a network ACL applies to every instance in the subnet, not just the compromised one.

1322
MCQeasy

A company wants to allow an EC2 instance in a VPC to download patches from the internet but block all other outbound traffic. Which configuration should be used?

A.Place a NAT Gateway in a public subnet and route the EC2 instance's traffic through it
B.Use a Virtual Private Gateway and connect to a VPN
C.Attach an Internet Gateway and add a route 0.0.0.0/0 to the EC2 instance's route table
D.Use a VPC Peering connection to an external VPC with internet access
AnswerA

NAT Gateway enables outbound-only internet access.

Why this answer

Option A is correct because a NAT Gateway in a public subnet lets instances in private subnets initiate outbound connections while nothing on the internet can initiate a connection to them. Caveat: a NAT Gateway does not filter destinations on its own, so "block all other outbound traffic" still needs restrictive outbound security group rules (for example, only TCP 443 to the patch repository's addresses) or AWS Network Firewall with a domain allow list on the path to the NAT Gateway. Option C is wrong because a route to an Internet Gateway plus a public IP makes the instance reachable from the internet as well. Option B is wrong because a VPN through a Virtual Private Gateway connects to a customer network, not to the internet.

Option D is wrong because VPC peering is not transitive: it does not carry traffic to the other VPC's Internet Gateway or NAT Gateway.

1323
MCQmedium

A security engineer is investigating a potential data exfiltration incident. They see that an EC2 instance with an IAM role is making API calls to S3 to download objects. The S3 bucket policy allows access from that role. However, CloudTrail logs show that the calls are being made from an IP address outside the company's network. What is the most likely explanation?

A.The IAM role credentials were stolen and are being used from an external machine.
B.The EC2 instance has a public IP and the calls are originating from the instance itself.
C.CloudTrail is logging the IP address of the AWS service endpoint, not the client.
D.The S3 bucket policy allows public access.
AnswerA

Stolen credentials can be used from anywhere; the source IP in CloudTrail reflects the actual client IP.

Why this answer

The correct answer is A because the CloudTrail records show the role's API calls originating from an address outside the company's network, which indicates that the temporary credentials the instance obtained from the instance metadata service have been copied off the instance and are being replayed elsewhere. The bucket policy allowing the role is working as designed; it is the caller that is not where it should be. GuardDuty raises this exact pattern as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. First response: revoke the role's active sessions (the IAM console's "Revoke active sessions" adds a deny conditioned on aws:TokenIssueTime), then find out how the credentials left the instance, and require IMDSv2 on the instance so a server-side request forgery cannot read them again.

Exam trap

The trap here is that candidates may assume the external IP is due to a NAT gateway or AWS service endpoint, but CloudTrail always logs the actual client IP, not the service endpoint IP.

How to eliminate wrong answers

Option B is wrong because if the EC2 instance has a public IP and the calls originate from the instance itself, the source IP in CloudTrail would be the instance's public IP or the NAT gateway IP, not an IP outside the company's network. Option C is wrong because CloudTrail logs the source IP address of the client making the API call, not the AWS service endpoint IP; this is a fundamental behavior of CloudTrail logging. Option D is wrong because the S3 bucket policy allows access from the IAM role, not public access; a public access policy would allow anonymous requests, but the logs show the calls are made with the IAM role's credentials, not anonymously.
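Detection logic for the four CloudTrail scenarios above (questions 1316, 1318, 1320 and 1323), written for this page as an added example rather than taken from AWS or from the question bank. It reproduces the matching an EventBridge rule pattern performs, adds the two checks a pattern cannot express (inspecting the bucket policy carried inside a PutBucketPolicy request, and comparing an assumed-role session's sourceIPAddress with the company's egress ranges), and runs them over constructed records. The account id, user names, bucket, addresses and the 203.0.113.0/24 egress range are placeholders.

```python
import ipaddress
import json

# Constructed CloudTrail records for questions 1316, 1318, 1320 and 1323. Field names
# follow the CloudTrail record format; account id, names, bucket, addresses and ARNs are
# placeholders. An EventBridge rule would see the same record nested under "detail".
ROOT_PUBLIC_POLICY = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    "sourceIPAddress": "203.0.113.5",
    "requestParameters": {"bucketName": "example-data-bucket", "bucketPolicy": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}]}},
}
DELETE_TRAIL = {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "203.0.113.5", "requestParameters": {"name": "org-trail"}}
CREATE_KEY = {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
              "userIdentity": {"type": "IAMUser", "userName": "bob"},
              "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "bob"}}
ROLE_FROM_OUTSIDE = {  # instance-role credentials replayed from a non-corporate address
    "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
    "userIdentity": {"type": "AssumedRole", "sessionContext": {"ec2RoleDelivery": "2.0"},
                     "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc123def456"},
    "sourceIPAddress": "198.51.100.23",
    "requestParameters": {"bucketName": "example-data-bucket", "key": "customers.csv"},
}
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical NAT/office ranges


def matches(event, pattern):
    """EventBridge-style matching: every pattern key must exist in the event, a list
    means "any of these values", a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def grants_public_read(event):
    """Content check no pattern can express: does the PutBucketPolicy payload contain
    an Allow for a wildcard principal?"""
    policy = event.get("requestParameters", {}).get("bucketPolicy")
    if policy is None:
        return False
    if isinstance(policy, str):  # the policy may arrive as a JSON string
        policy = json.loads(policy)
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and is_wildcard:
            return True
    return False


def role_used_off_network(event, allowed_nets):
    """Question 1323: an assumed-role session calling from outside the ranges the
    company's instances egress from is the signature of stolen role credentials."""
    if event.get("userIdentity", {}).get("type") != "AssumedRole":
        return False
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return False  # AWS services acting for the session put a hostname here
    return not any(addr in net for net in allowed_nets)


RULES = [  # (alert name, EventBridge-style pattern, detail to report)
    ("TrailTampering", {"eventSource": ["cloudtrail.amazonaws.com"],
                        "eventName": ["DeleteTrail", "StopLogging", "UpdateTrail"]},
     lambda ev: ev["eventName"]),
    ("AccessKeyCreated", {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateAccessKey"]},
     lambda ev: ev["requestParameters"]["userName"]),
    ("RootActivity", {"userIdentity": {"type": ["Root"]}}, lambda ev: ev["eventName"]),
]


def triage(events, allowed_nets=CORPORATE_EGRESS):
    """Return (alert, detail) pairs for every event that trips a rule or a content check."""
    alerts = []
    for ev in events:
        for name, pattern, detail in RULES:
            if matches(ev, pattern):
                alerts.append((name, detail(ev)))
        if ev.get("eventName") == "PutBucketPolicy" and grants_public_read(ev):
            alerts.append(("PublicBucketPolicy", ev["requestParameters"]["bucketName"]))
        if role_used_off_network(ev, allowed_nets):
            alerts.append(("RoleSessionOffNetwork", ev["sourceIPAddress"]))
    return alerts
```

In production the TrailTampering, AccessKeyCreated and RootActivity patterns go straight into EventBridge rules (or the equivalent CloudWatch Logs metric filters) with an SNS or Lambda target; the public-policy and off-network checks belong in the Lambda target, because they need to read the request body or compare addresses, which a rule pattern cannot do. The 1323 case is also covered natively by GuardDuty's InstanceCredentialExfiltration findings, which is the cheaper source of that signal when GuardDuty is enabled.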

1324
MCQmedium

The above condition is added to an S3 bucket policy to restrict access to a specific VPC endpoint. An EC2 instance in the same VPC is unable to access the bucket. What is the most likely reason?

A.The condition should use aws:SourceVpc instead of aws:SourceVpce
B.The EC2 instance does not have a public IP address
C.The VPC endpoint policy does not allow the s3:GetObject action
D.The resource ARN in the policy is for EC2, not for S3
AnswerD

An S3 bucket policy must have resource ARN for S3, such as arn:aws:s3:::bucket-name.

Why this answer

Option D is correct because an S3 bucket policy's Resource element must name the bucket itself (arn:aws:s3:::bucket-name) or its objects (arn:aws:s3:::bucket-name/*); a statement whose Resource is an EC2 ARN never matches an S3 request, so the Allow it was meant to carry does nothing and the instance is denied. S3 normally rejects such a policy at PutBucketPolicy time with an invalid-resource error, so that is the first thing to check. Option A is wrong because aws:SourceVpce is the right key for pinning access to one endpoint ID; aws:SourceVpc matches any endpoint in the VPC, which is looser, not a fix. Both keys are populated for requests that reach S3 through a gateway endpoint as well as through an interface endpoint. Option B is wrong because traffic through a VPC endpoint stays on the AWS network and needs no public IP. Option C is wrong because the default endpoint policy allows all actions, and the stem gives no indication it was changed.

Caveat when you apply this pattern: a Deny keyed on aws:SourceVpce also blocks the console and any administrator outside the VPC, so carve out an explicit exception for the administrative role before attaching it.

1325
Multi-Selectmedium

A security engineer is configuring Amazon GuardDuty to generate alerts for specific threat types. The engineer wants to ensure that alerts are sent to the security team's email distribution list and also trigger an automated Lambda function for immediate response. Which two actions should the engineer take? (Select TWO.)

Select 2 answers
A.Create an Amazon EventBridge rule that matches GuardDuty findings and triggers a Lambda function.
B.Configure Amazon CloudWatch Logs to send log events to an email distribution list.
C.Create an Amazon CloudWatch Events rule to route findings to a Lambda function.
D.Create an Amazon Simple Notification Service (SNS) topic and subscribe the email distribution list.
E.Create an Amazon Simple Queue Service (SQS) queue and have the Lambda function poll the queue.
AnswersA, D

EventBridge can directly invoke Lambda functions.

Why this answer

Option A is correct because Amazon EventBridge (formerly CloudWatch Events) can be configured with a rule that matches GuardDuty finding events; when a finding matches the pattern, EventBridge invokes a Lambda function directly for automated response, such as isolating a compromised instance or tightening a security group. Option D is correct because an SNS topic with the distribution list subscribed is what delivers email, and the same rule can have the topic as a second target, so one rule fans out to both the function and the mailbox. Option C describes the same rule under the older CloudWatch Events name and would duplicate Option A. Option B is wrong because CloudWatch Logs has no email destination. Option E is wrong because an SQS queue adds a polling step and still cannot reach an email list.

Exam trap

The trap here is that candidates may confuse CloudWatch Events (now EventBridge) with CloudWatch Logs or think that SQS alone can handle email notifications, overlooking the need for SNS to deliver messages to email distribution lists.

1326
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled in all accounts and log to a central S3 bucket. What is the MOST efficient way to enforce this?

A.Use AWS Lambda to check each account and enable CloudTrail if missing.
B.Use AWS Config aggregator to verify compliance and send alerts.
C.Create a service control policy (SCP) that requires CloudTrail.
D.Use AWS CloudFormation StackSets to deploy a CloudTrail template to all accounts.
AnswerD

StackSets can deploy and manage resources across accounts.

Why this answer

Option D is correct because CloudFormation StackSets with service-managed permissions can deploy a trail template to every account in the organization, including accounts added later through automatic deployment. Option B is wrong because a Config aggregator reports on compliance but does not create resources. Option C is wrong because an SCP can deny cloudtrail:StopLogging or cloudtrail:DeleteTrail but cannot create a trail in an account that has none.

Option A is wrong because a custom Lambda that checks and enables CloudTrail per account must be scheduled, granted cross-account roles and maintained; StackSets does the same job with no code. In practice an organization trail created in the management account is the simplest way to meet the stated goal, but it is not among the choices.

1327
MCQhard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to ensure that all security findings from GuardDuty, Security Hub, and Detective are centrally collected and correlated. Which architecture is the MOST scalable and cost-effective?

A.Deploy a central Lambda function that polls each account's GuardDuty, Security Hub, and Detective APIs and stores findings in DynamoDB.
B.Enable AWS Security Hub as the central aggregator, with GuardDuty and Detective integrated. Use Security Hub cross-account aggregation.
C.Configure each account to send findings to a central CloudWatch Logs log group and use CloudWatch Logs Insights to correlate.
D.Stream all findings from all services to a central Amazon S3 bucket and use Amazon Athena to query them.
AnswerB

Security Hub is designed for this.

Why this answer

Option B is correct because AWS Security Hub natively supports cross-account aggregation through a delegated administrator (and cross-Region aggregation into one home Region), so GuardDuty findings and Security Hub's own control findings from every account land in one place without custom code; Amazon Detective then consumes those findings for investigation rather than producing findings of its own. This architecture is both scalable (hundreds of accounts without polling or custom infrastructure) and cost-effective (no Lambda, DynamoDB or S3 query charges), and it keeps the deduplication and consolidated view that Security Hub provides.

Exam trap

The trap here is that candidates may over-engineer a solution with Lambda, DynamoDB, or S3/Athena, overlooking that Security Hub's built-in cross-account aggregation is the simplest, most scalable, and most cost-effective approach for centralizing security findings.

How to eliminate wrong answers

Option A is wrong because polling each account's APIs with a central Lambda function introduces latency, single points of failure, and significant cost at scale (Lambda invocations, DynamoDB read/write capacity), and does not leverage native cross-account aggregation features. Option C is wrong because CloudWatch Logs is not designed to receive structured findings from GuardDuty, Security Hub, or Detective natively; it would require custom log shipping and parsing, and CloudWatch Logs Insights is not optimized for correlating security findings across hundreds of accounts. Option D is wrong because streaming all findings to a central S3 bucket and querying with Athena incurs high storage and query costs, adds latency for real-time correlation, and misses native deduplication and enrichment provided by Security Hub's consolidated findings view.

1328
MCQmedium

A company stores sensitive data in an S3 bucket with default encryption (SSE-S3) enabled. A security audit reveals that objects are being accessed by users from unexpected IP addresses. The company wants to enforce that only objects encrypted with a specific KMS key (managed by the security team) can be accessed. Which combination of actions should be taken?

A.Use SSE-C and distribute the customer key to authorized users only.
B.Modify the bucket policy to deny PutObject and GetObject unless the request includes the specific KMS key ID in the 'x-amz-server-side-encryption-aws-kms-key-id' header.
C.Enable S3 Block Public Access and use AWS WAF to filter IP addresses.
D.Apply an S3 Lifecycle policy to transition objects to Glacier after 30 days.
AnswerB

This enforces use of the specific KMS key for all operations.

Why this answer

Option B is correct because using a bucket policy to deny access unless the request includes the specific KMS key via the 's3:x-amz-server-side-encryption-aws-kms-key-id' condition key enforces the requirement. Relying on the bucket's SSE-S3 default does not allow key-level control. Option A is wrong because SSE-C is not auditable in the same way.

Option D is wrong because it does not restrict access based on encryption key.

1329
MCQeasy

A security engineer needs to automate the response to an AWS CloudTrail log event that indicates a potential security threat. Which AWS service would be most appropriate to orchestrate the automated response?

A.AWS Lambda
B.Amazon Simple Queue Service (SQS)
C.AWS Step Functions
D.Amazon EventBridge
AnswerC

Correct: Step Functions orchestrates workflows and coordinates services.

Why this answer

Option C is correct because AWS Step Functions can coordinate multiple AWS services into a workflow, such as invoking Lambda functions and making API calls. Option D is wrong because Amazon EventBridge can trigger on events but does not orchestrate complex workflows. Option A is wrong because AWS Lambda can execute code but is not an orchestrator.

Option B is wrong because Amazon SQS is a message queue, not an orchestrator.

1330
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that the logs are delivered to a centralized S3 bucket in the management account. The team creates an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Additionally, they enable CloudTrail organizational trail. However, after some time, they discover that one member account has disabled CloudTrail. What is the most likely reason this happened?

A.The member account's root user performed the action, which bypasses the SCP.
B.The SCP was not attached to the organizational unit (OU) containing the member account.
C.The SCP was applied to the management account instead of the member accounts.
D.The member account's IAM user used the AWS Management Console to disable CloudTrail.
AnswerB

If the SCP is not applied, the deny is not enforced.

Why this answer

Option B is correct because organizational trails cannot be disabled by member accounts, but a member account can create its own trails and then stop them, which might confuse the monitoring. However, the organizational trail remains enabled. If the organizational trail is still running, the logs are still delivered.

But the question says "disabled CloudTrail": a member account cannot disable the organizational trail. The most likely reason is that the member account's IAM user had permissions to stop the organizational trail because the SCP might not apply to the management account. But SCPs apply to all accounts.

Another possibility: the member account root user can still stop the trail if the SCP does not deny. But the SCP should deny. If the SCP is applied correctly, the root cannot stop.

However, if the SCP is attached to the root OU but the member account is in a sub-OU that does not inherit the SCP, then that account can. So option B is likely. Option A is wrong because CloudTrail cannot be disabled by API, even with IAM permissions, if the SCP denies it.

Option C is wrong because the SCP can be attached to the OUs containing the member accounts. Option D is wrong because the management account can stop organizational trails but member accounts cannot.

1331
MCQhard

A company uses AWS Organizations with multiple accounts. They want to centralize logging of all API calls across all accounts and store them in a single S3 bucket. Which configuration should be used?

A.Use AWS Config to record API calls across all accounts
B.Create a separate CloudTrail trail in each account and aggregate logs using Amazon Athena
C.Create an organization trail in the management account
D.Enable VPC Flow Logs in each account and send to a central S3 bucket
AnswerC

Organization trails log events for all accounts and deliver to a single bucket.

Why this answer

Option C is correct because CloudTrail supports organization trails that log events for all accounts in the organization and deliver them to a single S3 bucket. Option B is wrong because individual trails per account would require manual aggregation. Option A is wrong because AWS Config does not log API calls.

Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

1332
MCQeasy

A company uses Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. Which feature should they enable on the S3 bucket?

A.Versioning
B.Server access logging
C.Cross-Region Replication
D.Default encryption
AnswerD

Default encryption automatically encrypts objects when stored.

Why this answer

Amazon S3 default encryption ensures that all new objects are encrypted. Option D is correct. Option A is for versioning.

Option B is for logging access. Option C is for cross-region replication.

1333
Multi-Selectmedium

A security engineer is designing a logging solution for an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The engineer needs to capture and store the following logs for analysis: (1) HTTP request logs from the ALB, (2) operating system logs from the EC2 instances, and (3) network traffic logs for the VPC. Which combination of AWS services should the engineer use? (Choose three.)

Select 3 answers
A.Enable access logging on the ALB and store logs in an S3 bucket.
B.Enable VPC Flow Logs to capture network traffic metadata.
C.Enable S3 server access logging for the application's S3 buckets.
D.Enable AWS CloudTrail to capture API calls.
E.Install the CloudWatch Logs agent on EC2 instances to send OS logs to CloudWatch Logs.
AnswersA, B, E

ALB access logs capture HTTP request details.

Why this answer

Correct options: A (ALB access logs), B (VPC Flow Logs), E (CloudWatch Logs agent for OS logs). Option D is wrong because CloudTrail does not capture OS logs. Option C is wrong because S3 server access logs are for S3 buckets, not network traffic.

1334
MCQeasy

A company is migrating sensitive customer data to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. The database will be accessed by a web application running on Amazon EC2 instances in the same VPC. The RDS instance is launched with encryption enabled using an AWS managed KMS key. The security team also enables SSL/TLS for connections. Which additional step is necessary to ensure that the web application uses encrypted connections?

A.Enable encryption at rest on the EC2 instance's EBS volumes.
B.Create an SCP to enforce SSL connections to RDS.
C.Configure the web application's database connection string to use SSL/TLS.
D.Grant the EC2 instance's IAM role permission to use the KMS key for decrypting RDS connections.
AnswerC

The client must explicitly request an SSL connection; otherwise, the connection may be unencrypted.

Why this answer

Option C is correct because even though SSL/TLS is enabled on the RDS instance, the client application must be configured to use SSL when connecting. Option A is wrong because enabling encryption at rest does not affect in-transit encryption. Option B is wrong because an SCP does not enforce application-level settings.

Option D is wrong because the RDS instance already uses a managed KMS key; no additional KMS permissions are needed for SSL/TLS.

1335
MCQhard

A security engineer is configuring automated incident response for an Amazon EC2 instance that has been compromised. The engineer needs to isolate the instance while preserving forensic data. Which solution meets these requirements?

A.Detach the EBS volumes and attach them to a new instance in a different VPC.
B.Terminate the instance immediately to prevent further damage.
C.Create an AMI of the instance, then remove the instance from the security group to isolate it.
D.Stop the instance and change the security group to deny all traffic.
AnswerC

The AMI preserves the volume data, and removing the instance from the security group blocks traffic while keeping the instance running.

Why this answer

Option C is correct because creating an AMI preserves the EBS volumes and their forensic data, while removing the instance from the security group effectively isolates it by denying all network traffic. This approach allows the engineer to later launch a forensic instance from the AMI in a controlled environment for analysis, without losing the compromised instance's state.

Exam trap

The trap here is that candidates may think stopping the instance (Option D) is sufficient for isolation, but they overlook that stopping does not prevent an attacker from restarting the instance, and it can destroy volatile forensic data.

How to eliminate wrong answers

Option A is wrong because detaching EBS volumes and attaching them to a new instance in a different VPC does not isolate the original instance; the instance remains running and could still be accessed or cause further damage. Option B is wrong because terminating the instance immediately destroys the forensic data on the instance store and EBS volumes (unless snapshots were taken beforehand), violating the requirement to preserve forensic data. Option D is wrong because stopping the instance and changing the security group to deny all traffic does not prevent the instance from being started again by an attacker with access, and stopping an instance can cause loss of in-memory forensic data (e.g., running processes, network connections).

1336
MCQhard

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled in all regions. Which approach should be used?

A.Create an SCP that requires CloudTrail to be enabled.
B.Enable CloudTrail in each account using a cross-account IAM role.
C.Use AWS Config rules to detect non-compliant accounts and automatically enable CloudTrail.
D.Enable AWS CloudTrail from the master account as an organization trail.
AnswerD

Organization trails automatically apply to all accounts in the organization.

Why this answer

Option D is correct because you can use CloudTrail organization trails, which automatically apply to all accounts in the organization. Option A is wrong because SCPs cannot enable services; they only deny or allow actions. Option C is wrong because AWS Config rules are detective and cannot enable CloudTrail.

Option B is wrong because manually enabling CloudTrail in each account is not scalable and accounts may be missed.

1337
Multi-Selecthard

Which THREE AWS services can be used to centrally manage and audit permissions across multiple accounts in AWS Organizations?

Select 3 answers
A.Amazon Inspector
B.AWS Shield
C.AWS IAM Access Analyzer
D.AWS CloudTrail
E.AWS Config
AnswersC, D, E

Access Analyzer helps identify resources shared with external entities.

Why this answer

Options C, D, and E are correct. Option C is correct because IAM Access Analyzer can analyze resource policies across accounts. Option D is correct because AWS CloudTrail logs can be aggregated from multiple accounts.

Option E is correct because an AWS Config aggregator can aggregate compliance data. Option A is wrong because Inspector is for vulnerability assessments, not permission management. Option B is wrong because Shield is for DDoS protection.

1338
MCQhard

A security engineer creates an Amazon CloudWatch Events rule with this event pattern to trigger an AWS Lambda function for automated response to GuardDuty findings. However, the Lambda function is not triggered for new findings. What is the MOST likely cause?

A.The finding type is not specified in the pattern.
B.CloudTrail is not enabled in the account.
C.The event pattern does not match the actual structure of GuardDuty findings.
D.The Lambda function does not have permission to be invoked by CloudWatch Events.
AnswerC

The `resources` field is an array of objects with `arn` property.

Why this answer

Option C is correct because the event pattern provided in the CloudWatch Events rule must exactly match the JSON structure of a GuardDuty finding as it is published to the default event bus. GuardDuty findings are delivered with a specific schema that includes a `detail` object containing `type`, `severity`, and other fields. If the event pattern uses incorrect field names, nesting, or missing required elements (e.g., `source` must be `aws.guardduty`), CloudWatch Events will not match the incoming events, and the Lambda function will not be triggered.

Exam trap

The trap here is that candidates often assume the issue is a missing permission (Option D) or a missing finding type (Option A), but AWS specifically designs this question to test whether you understand that CloudWatch Events pattern matching is strict and case-sensitive, and that GuardDuty findings have a predefined event structure that must be replicated exactly.

How to eliminate wrong answers

Option A is wrong because the finding type does not need to be specified in the pattern; you can use an empty pattern or a pattern that matches all GuardDuty findings, and the function will still trigger. Option B is wrong because CloudTrail is not required for GuardDuty to publish findings to CloudWatch Events; GuardDuty sends findings directly to the default event bus via its own integration. Option D is wrong because if the Lambda function lacked permission to be invoked by CloudWatch Events, you would see an explicit error in the CloudWatch Events rule's monitoring or the Lambda function's CloudWatch Logs, and the rule would show a failed invocation count; the question states the function is not triggered at all, which points to a pattern mismatch, not a permissions issue.

1339
MCQeasy

A startup is building a web application on AWS. They have an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. They want to protect the application from common web exploits like SQL injection and cross-site scripting. They also need to allow only traffic from certain geographic regions. Which AWS service should they use to achieve these requirements?

A.AWS WAF
B.AWS Shield Advanced
C.Security groups on the ALB
D.Network ACLs on the ALB subnets
AnswerA

WAF can block SQL injection, XSS, and geo-match rules.

Why this answer

Option A is correct because AWS WAF can block SQL injection, XSS, and requests based on geographic origin. Option B is wrong because AWS Shield Advanced is for DDoS protection. Option D is wrong because Network ACLs are stateless and cannot inspect the application layer.

Option C is wrong because security groups are stateful but cannot inspect the application layer.

1340
Multi-Selecthard

A security engineer is investigating a potential incident where an EC2 instance was compromised. The engineer has access to the following logs: CloudTrail, VPC Flow Logs, and OS-level logs from the instance. Which TWO log sources would be MOST useful to determine the initial attack vector? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Metrics for the instance
B.OS-level authentication and system logs
C.AWS CloudTrail logs
D.AWS Config configuration history
E.VPC Flow Logs
AnswersB, C

OS logs (e.g., /var/log/auth.log) show login attempts, sudo commands, and other activities that can pinpoint the attack vector.

Why this answer

Option C is correct because CloudTrail logs API calls, which can show who launched the instance and what security groups were used. Option B is correct because OS-level logs show login attempts, processes, and file changes. Option E is wrong because VPC Flow Logs show network traffic but not application-level details.

Option A is wrong because CloudWatch Metrics are aggregated and do not provide detailed logs. Option D is wrong because Config records configuration changes, not attack vectors.

1341
MCQhard

A company is running a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application serves traffic on port 443. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic from the ALB security group on port 8080. The application works correctly. However, the security team wants to add an additional layer of defense by implementing a web application firewall (WAF) to block common web exploits. The team also wants to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) can access the application for administrative purposes on a separate path. The team has enabled AWS WAF on the ALB and associated a web ACL. They have also created a rule to allow traffic from the corporate IP range and block all other traffic. After deploying these changes, external users (not from corporate IP) cannot access the application at all. The company wants external users to be able to access the main application, but only corporate IPs should access the admin path. What should the security engineer do to fix the issue?

A.Configure the security group of the ALB to allow only corporate IPs.
B.Create two separate ALBs, one for admin traffic and one for main traffic.
C.Remove the WAF rule that blocks all non-corporate traffic and rely on security groups.
D.Modify the WAF rule to allow traffic from the corporate IP range on the admin path and allow all traffic on the main application path.
AnswerD

This allows external users on main path and restricts admin path.

Why this answer

The correct action is to create a WAF rule that allows traffic from corporate IPs on the admin path and allows all other traffic on the main path, instead of blocking all non-corporate traffic. Option D is correct. Option C would allow all traffic, defeating the purpose, and is too permissive.

Options A and B don't address the WAF rule that is blocking the external traffic.

1342
MCQeasy

A company is designing a security group for a web application that must receive HTTPS traffic from the internet and send traffic to a backend database. The backend database is an Amazon RDS MySQL instance. What is the best practice for configuring the security groups?

A.Web server SG: inbound HTTPS from 0.0.0.0/0. Database SG: inbound MySQL from web server SG.
B.Web server SG: inbound HTTPS from 0.0.0.0/0, outbound to database SG on port 3306. Database SG: inbound MySQL from web server CIDR block.
C.Web server SG: inbound HTTPS from 0.0.0.0/0, outbound all traffic. Database SG: inbound MySQL from 0.0.0.0/0.
D.Web server SG: inbound HTTPS from 0.0.0.0/0, inbound MySQL from database SG. Database SG: outbound MySQL to web server SG.
AnswerA

Security group references are best practice for inter-tier communication.

Why this answer

Option A is correct because the web server security group should allow inbound HTTPS from 0.0.0.0/0, and the database security group should allow inbound MySQL traffic only from the web server security group. Option B is wrong because using the CIDR of the web server is less flexible. Option C is wrong because allowing all traffic is insecure.

Option D is wrong because the web server should not allow inbound MySQL.

1343
MCQhard

A security engineer is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application tier should be accessible only from the web tier. The database tier should be accessible only from the application tier. Which combination of security groups provides the MOST secure configuration?

A.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG CIDR. DB SG: allow MySQL from App SG CIDR.
B.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow all traffic from Web SG. DB SG: allow MySQL from App SG.
C.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG security group ID. DB SG: allow MySQL from 10.0.0.0/24.
D.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG security group ID. DB SG: allow MySQL from App SG security group ID.
AnswerD

Security group references ensure only instances in the web tier can access the app tier, and only instances in the app tier can access the database.

Why this answer

Option D is correct because it uses specific security group references, which are more secure than CIDR ranges. Option A is wrong because it uses CIDR for the web tier, which is less specific. Option B is wrong because it allows all traffic from the web tier.

Option C is wrong because it uses CIDR for the database tier.

1344
MCQmedium

A security engineer needs to ensure that all API calls made to AWS services are logged for auditing. Which AWS service should be used?

A.AWS Config
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records API activity across AWS services.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS services, capturing details such as the identity of the caller, the time of the call, the source IP address, request parameters, and response elements. This provides a complete audit trail of user activity and API usage, which is essential for security auditing and compliance.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with CloudTrail (which logs API calls), or they mistakenly think VPC Flow Logs or CloudWatch Logs are the primary services for API auditing, when in fact CloudTrail is the dedicated service for recording all AWS API activity.

How to eliminate wrong answers

Option A is wrong because AWS Config is designed for resource inventory, configuration history, and compliance rules, not for logging API calls; it tracks changes to resource configurations, not the API actions themselves. Option B is wrong because Amazon VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, such as source/destination IPs and ports, but they do not log AWS API calls. Option D is wrong because Amazon CloudWatch Logs is a service for storing, monitoring, and accessing log files from various sources, but it does not natively capture API calls; it can be used to store CloudTrail logs, but the service that actually generates the API call logs is CloudTrail.

1345
MCQeasy

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
AnswerD

Correctly allows read-only access to objects in the bucket.

Why this answer

Option D is correct because it grants the s3:GetObject permission on the 'my-bucket/*' resource, which allows the IAM user to read (download) objects from the bucket. For read-only access, the user needs both s3:ListBucket (to list objects) and s3:GetObject (to retrieve objects), but the question asks for a policy that grants read-only access; while D alone is insufficient for full read-only access (it lacks ListBucket), it is the only option that provides a read action on the bucket's objects. The other options either grant write access, full access, or only list permissions without read capability.

Exam trap

The trap here is that candidates often confuse s3:ListBucket with read access, thinking listing objects is sufficient for reading, when in fact s3:GetObject is required to retrieve the actual object data.

How to eliminate wrong answers

Option A is wrong because it only grants s3:ListBucket on the bucket itself, which allows listing objects but not reading their contents; this is insufficient for read-only access. Option B is wrong because it grants s3:* on all resources, which is an administrative full-access policy that violates the principle of least privilege. Option C is wrong because it grants s3:PutObject, which is a write action that allows uploading objects, not read-only access.

1346
MCQmedium

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security team notices that an object was accessed from an IP address outside the allowed VPC. CloudTrail logs show that the access was made using temporary credentials from an assumed role. The role was assumed by an EC2 instance in the allowed VPC. What is the MOST likely reason the access was allowed despite the bucket policy restriction?

A.The bucket policy does not require encryption in transit.
B.The bucket policy allows access from the VPC endpoint, and the request was made through that endpoint.
C.The bucket policy has a syntax error that makes it ineffective.
D.The IAM role used by the EC2 instance has permissions that override the bucket policy.
AnswerB

The VPC endpoint condition allows access from any IP if the request goes through the endpoint.

Why this answer

Option B is correct. If the bucket policy only checks the VPC endpoint condition and the request came through the VPC endpoint, it is allowed even when the source IP is outside the VPC, because the policy evaluates the VPC endpoint condition rather than the source IP. Option D is wrong because the access was allowed by the bucket policy itself, not by the role overriding it.

Option A is wrong because there is no encryption requirement in play. Option C is wrong because the bucket policy is not malformed.

1347
Multi-Selectmedium

Which TWO actions can be taken to enforce the principle of least privilege for IAM users in an AWS account? (Choose two.)

Select 2 answers
A.Use IAM roles with temporary credentials for access
B.Grant full administrative access to all users to simplify management
C.Use service control policies (SCPs) to restrict user permissions
D.Use the root user for daily administrative tasks
E.Regularly review and remove unused IAM policies
AnswersA, E

Temporary credentials reduce risk of long-term keys.

Why this answer

Option A provides temporary credentials in place of long-term keys; Option E removes excessive permissions. Option B (full admin) violates least privilege. Option C (SCPs) applies to accounts, not individual users.

Option D (root user) is too permissive.

1348
MCQhard

A financial services company uses a multi-account AWS organization with a centralized security account. The security team has enabled Amazon GuardDuty in all accounts and configured it to send findings to the security account via AWS Organizations. The team also uses AWS Security Hub in the security account to aggregate findings. They have set up automated response using AWS Systems Manager Automation documents to isolate compromised EC2 instances by applying a security group that denies all traffic. However, during a recent incident, the automation failed because the Systems Manager Automation document did not have permission to modify the security group in the member account. The security team needs to design a solution that allows the security account to automatically isolate instances in any member account. What should they do?

A.Create a Lambda function in each member account that is triggered by GuardDuty findings and modifies the security group.
B.Create a single IAM role in the security account that has permissions to modify security groups in all member accounts.
C.Use AWS CloudFormation StackSets to deploy an IAM role in each member account with permissions to modify security groups. Then, in the security account, configure the Systems Manager Automation document to assume that role when running the isolation step.
D.Modify the IAM role used by Systems Manager Automation in the security account to include permissions to modify security groups in all member accounts.
AnswerC

StackSets deploy the role across all accounts, and the automation assumes the role to perform cross-account actions.

Why this answer

Option C is correct because using a CloudFormation StackSet to deploy the necessary IAM roles in each member account with the appropriate permissions, and then having the automation in the security account assume that role via cross-account access, is a scalable and secure approach. Option D is wrong because modifying the IAM role in the security account does not grant permissions in member accounts. Option A is wrong because using a Lambda function in each member account is less scalable than using a StackSet.

Option B is wrong because creating a single role in the security account does not grant access to member accounts.

1349
MCQmedium

A security engineer needs to monitor for unauthorized changes to IAM roles and policies in an AWS account. The engineer wants to receive an email notification whenever an IAM policy is attached to a role. Which AWS services should be combined to achieve this?

A.Amazon GuardDuty and Amazon Simple Email Service (SES)
B.AWS CloudTrail and Amazon CloudWatch Events (Amazon EventBridge)
C.AWS Config and Amazon Simple Notification Service (SNS)
D.Amazon Inspector and Amazon CloudWatch Logs
AnswerB

CloudTrail logs the API call; EventBridge triggers SNS notification.

Why this answer

Option B is correct: CloudTrail records the AttachRolePolicy API call, and CloudWatch Events (EventBridge) can trigger an SNS notification when that event occurs. Option C is wrong because AWS Config can detect configuration changes but does not directly send email; it can integrate with SNS, but CloudTrail is more straightforward for API-specific events. Option D is wrong because Amazon Inspector does not monitor IAM changes.

Option A is wrong because Amazon GuardDuty detects threats, not specific API calls.

1350
MCQmedium

A company wants to store audit logs for a minimum of 7 years to meet compliance requirements. The logs are stored in Amazon S3. Which action should be taken to ensure logs are not deleted before 7 years?

A.Enable MFA Delete on the bucket.
B.Configure an S3 Lifecycle policy to transition objects to Glacier after 7 years.
C.Enable S3 Versioning to preserve all versions of objects.
D.Create an S3 bucket policy that denies s3:DeleteObject unless the object age is greater than 7 years.
AnswerD

Denies deletion of objects younger than 7 years.

Why this answer

An S3 bucket policy denying s3:DeleteObject if the object age is less than 7 years can prevent premature deletion. Option D is correct. The Lifecycle policy (B) transitions objects; it doesn't prevent deletion.

Versioning (C) helps with overwrites but not deletion. MFA Delete (A) adds protection but doesn't enforce time-based retention.
